On 08/03/2015 04:08 PM, Reshetova, Elena wrote: > Hi, > > > > We would like to ask opinions if people find it valuable to include a > cve-check-tool into the OpenStack continuous integration process? > > A tool can be run against the package and module dependencies of OpenStack > components and detect any CVEs (in future there are also plans to integrate > more functionality to the tool, such as scanning of other vulnerability > databases and etc.). It would not only provide fast detection of new > vulnerabilities that are being released for existing dependencies, but also > control that people are not introducing new vulnerable dependencies. > > > > The tool is located here: https://github.com/ikeydoherty/cve-check-tool > > > > I am attaching an example of a very simple Python wrapper for the tool, > which is able to process formats like: > http://git.openstack.org/cgit/openstack/requirements/tree/upper-constraints. > txt > > and an example of html output if you would be running it for the python > module requests 2.2.1 version (which is vulnerable to 3 CVEs). > > > > Best Regards, > Elena. > > > > > > > > > __________________________________________________________________________ > OpenStack Development Mailing List (not for usage questions) > Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > As a packager I love this :D
-- -- Matthew Thode (prometheanfire)
signature.asc
Description: OpenPGP digital signature
__________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev