Hi Elena, the tool looks very interesting. Maybe try to spread out this proposal also through openstack-security@ ML. BTW, I can't find the wrapper mentioned - am I missing something?
Regards,
Adam

On Mon, Aug 3, 2015 at 11:08 PM, Reshetova, Elena <elena.reshet...@intel.com> wrote:
> Hi,
>
> We would like to ask opinions if people find it valuable to include a
> cve-check-tool into the OpenStack continuous integration process?
>
> A tool can be run against the package and module dependencies of OpenStack
> components and detect any CVEs (in future there are also plans to integrate
> more functionality into the tool, such as scanning of other vulnerability
> databases, etc.). It would not only provide fast detection of new
> vulnerabilities that are being released for existing dependencies, but also
> control that people are not introducing new vulnerable dependencies.
>
> The tool is located here: https://github.com/ikeydoherty/cve-check-tool
>
> I am attaching an example of a very simple Python wrapper for the tool,
> which is able to process formats like:
> http://git.openstack.org/cgit/openstack/requirements/tree/upper-constraints.txt
>
> and an example of html output if you would be running it for the python
> module requests 2.2.1 version (which is vulnerable to 3 CVEs).
>
> Best Regards,
> Elena.
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

--
Adam Heczko
Security Engineer @ Mirantis Inc.
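The wrapper Elena describes (parse upper-constraints.txt pins, look each pinned version up against CVE data, emit an HTML report) is not attached in the archived thread. The following is an added, stand-alone illustration of that workflow, not the wrapper from the thread and not part of cve-check-tool: it parses the `name===version` constraint format (with `#` comments and `;` environment markers) and matches each pin against a vulnerability table. The table and the CVE ids in it are constructed placeholders so the script runs offline; a real wrapper would source that table from cve-check-tool or NVD instead.

```python
"""
Added example (not the thread's attachment and not cve-check-tool code):
a minimal dependency checker for OpenStack's upper-constraints.txt format.

Assumptions: the vulnerability table below is CONSTRUCTED with placeholder ids;
affected ranges are [introduced, fixed). Nothing here is a real advisory.
"""
import html
import re
from typing import Dict, List, Tuple

# Constructed sample in the upper-constraints.txt format (not a real file).
SAMPLE_CONSTRAINTS = """\
# pinned versions (constructed sample)
requests===2.2.1
six===1.9.0
oslo.config===2.1.0;python_version=='2.7'

PyYAML===3.11
"""

# Constructed vulnerability table: (package, introduced, fixed, placeholder id).
# Ids are placeholders, not real CVE numbers.
SAMPLE_VULN_DB: List[Tuple[str, str, str, str]] = [
    ("requests", "0", "2.3.0", "CVE-PLACEHOLDER-0001"),
    ("requests", "0", "2.6.0", "CVE-PLACEHOLDER-0002"),
    ("requests", "2.0.0", "2.5.0", "CVE-PLACEHOLDER-0003"),
    ("pyyaml", "0", "3.12", "CVE-PLACEHOLDER-0004"),
    ("six", "0", "1.9.0", "CVE-PLACEHOLDER-0005"),  # fixed exactly at the pinned version
]

# name===version, optionally followed by ';marker' which we ignore here.
CONSTRAINT_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*===\s*([^;\s]+)")


def version_key(version: str) -> Tuple[int, ...]:
    """Turn '2.2.1' into (2, 2, 1); stops at the first non-numeric component."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True if introduced <= version < fixed, padding tuples so 2.2 == 2.2.0."""
    v, lo, hi = version_key(version), version_key(introduced), version_key(fixed)
    n = max(len(v), len(lo), len(hi))
    pad = lambda t: t + (0,) * (n - len(t))
    return pad(lo) <= pad(v) < pad(hi)


def parse_constraints(text: str) -> Dict[str, str]:
    """Map normalised package name -> pinned version from upper-constraints text."""
    pins: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        m = CONSTRAINT_RE.match(line)
        if not m:
            continue
        name = m.group(1).lower().replace("_", "-")  # PEP 503-style normalisation
        pins[name] = m.group(2)
    return pins


def check_constraints(text: str, vuln_db=SAMPLE_VULN_DB) -> List[Tuple[str, str, str]]:
    """Return (package, version, id) for every pin inside an affected range."""
    findings = []
    for name, version in parse_constraints(text).items():
        for pkg, lo, hi, vuln_id in vuln_db:
            if pkg == name and is_affected(version, lo, hi):
                findings.append((name, version, vuln_id))
    return findings


def render_html(findings: List[Tuple[str, str, str]]) -> str:
    """Simple HTML table; values are escaped since package names come from input."""
    rows = "".join(
        f"<tr><td>{html.escape(n)}</td><td>{html.escape(v)}</td><td>{html.escape(i)}</td></tr>"
        for n, v, i in findings
    )
    return "<table><tr><th>package</th><th>version</th><th>id</th></tr>" + rows + "</table>"


if __name__ == "__main__":
    hits = check_constraints(SAMPLE_CONSTRAINTS)
    for name, version, vuln_id in hits:
        print(f"{name}=={version}: {vuln_id}")
    print(render_html(hits))
```

In a CI gate the interesting decision is the exit status: fail the job whenever `check_constraints` returns anything, so a pull request that bumps (or fails to bump) a pin cannot merge with a known-affected version. Note the `six` row, which is fixed exactly at the pinned version and therefore correctly produces no finding; off-by-one handling at the range boundary is where such checkers most often go wrong.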