On 2015-08-04 18:17:13 +0000 (+0000), Clark, Robert Graham wrote:
[...]
> As I write this I’ve realised that there would be an interesting
> possibility in the former case (putting this in the upstream
> OpenStack gates). It would be interesting to see something running
> that regularly checks for CVEs in the libraries that _could_ be
> included in OpenStack, (library requirements within OpenStack
> often include more than one version) and bumps the version to the
> next safest and submits a change request for manual verification
> etc.
On a separate (private) E-mail thread where I recommended restarting this discussion here in public, that was more or less the intent.

We have a mechanism for the openstack/requirements repo presently which resolves the current highest versions of all dependencies (including all their transitive dependencies) declared in the global-requirements.txt file and updates a file called upper-constraints.txt with the result. The proposed check tool could, in theory, consume this upper-constraints.txt and so run and report periodically on the state of package versions declared in that file.

To take things a step further, when someone proposes a change to global-requirements.txt, a check job could generate the new upper-constraints.txt which would result from that and feed it into this CVE tool, reporting back on whether that proposed change would bring in any known-vulnerable versions of packages. This would most likely operate only in an advisory fashion, providing information to reviewers of requirements changes and any other interested parties, since I can envision circumstances under which its results would need to be temporarily ignored/overridden.

All that is to say, I think the infrastructure integration for this is pretty straightforward. What I'd rather see first is people trying out the tool, finding out what it tells us about the present state of our requirements list, whether it's reliable or needs further work, whether its featureset is already sufficient, et cetera.

-- 
Jeremy Stanley
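The two checks sketched above (a periodic advisory scan of upper-constraints.txt, and a per-change job that reports whether a proposed requirements change brings in known-vulnerable pins) can be prototyped with very little code. The following is an added example written for this thread, not OpenStack's tooling and not the tool under discussion. It assumes the pip-style `name===version` pin form used by upper-constraints.txt, a constructed advisory feed whose identifiers (`EXAMPLE-2015-000x`) are placeholders rather than real CVE numbers, and constructed sample pins; the version comparison handles only numeric release components, which is enough for a pinned constraints file.

```python
"""Advisory scan of an upper-constraints.txt-style pin list (stdlib only)."""
import re
from typing import Dict, List, NamedTuple, Tuple


class Advisory(NamedTuple):
    advisory_id: str  # placeholder id, NOT a real CVE number
    affected: str     # comma-separated version spec, e.g. ">=2.0,<2.8.0"
    fixed_in: str     # first version outside the affected range


class Finding(NamedTuple):
    name: str
    version: str
    advisory_id: str
    fixed_in: str


# Constructed sample constraints file (not real OpenStack data).
SAMPLE_CONSTRAINTS = """\
# comments and blank lines are ignored
requests===2.7.0
six===1.9.0
oslo.config===1.11.0
PyYAML===3.11
"""

# Constructed advisory feed keyed by canonical package name. Placeholder ids.
SAMPLE_ADVISORIES: Dict[str, List[Advisory]] = {
    "requests": [Advisory("EXAMPLE-2015-0001", "<2.8.0", "2.8.0")],
    "pyyaml": [Advisory("EXAMPLE-2015-0002", "<3.12", "3.12")],
    "six": [Advisory("EXAMPLE-2015-0003", "<1.9.0", "1.9.0")],
}


def canonical_name(name: str) -> str:
    # pip-style normalisation: case-insensitive; '-', '_' and '.' are equivalent
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(text: str) -> Tuple[int, ...]:
    parts: List[int] = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break  # stop at pre-release tags such as "b1"; fine for pinned releases
        parts.append(int(m.group()))
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()  # so 2.8 and 2.8.0 compare equal
    return tuple(parts)


_OPS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
}


def matches_spec(version: str, spec: str) -> bool:
    """True when `version` satisfies every clause of a spec like '>=2.0,<2.8.0'."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = re.match(r"(<=|>=|==|!=|<|>)\s*(\S+)", clause.strip())
        if not m:
            raise ValueError(f"bad version clause: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](v, parse_version(bound)):
            return False
    return True


def parse_constraints(text: str) -> Dict[str, str]:
    """Map canonical package name -> pinned version from '===' / '==' lines."""
    pins: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"([A-Za-z0-9][A-Za-z0-9_.\-]*)\s*===?\s*(\S+)", line)
        if not m:
            raise ValueError(f"unrecognised constraint line: {raw!r}")
        pins[canonical_name(m.group(1))] = m.group(2)
    return pins


def scan(constraints_text: str, advisories: Dict[str, List[Advisory]]) -> List[Finding]:
    """Periodic check: every pin that falls inside a known affected range."""
    findings = []
    for name, version in sorted(parse_constraints(constraints_text).items()):
        for adv in advisories.get(name, []):
            if matches_spec(version, adv.affected):
                findings.append(Finding(name, version, adv.advisory_id, adv.fixed_in))
    return findings


def newly_introduced(current: str, proposed: str, advisories) -> List[Finding]:
    """Per-change check: findings present in the proposed pins but not the current ones."""
    before = set(scan(current, advisories))
    return [f for f in scan(proposed, advisories) if f not in before]


def render(findings: List[Finding]) -> str:
    if not findings:
        return "no known-vulnerable pins"
    return "\n".join(f"{f.name}==={f.version}: {f.advisory_id} (first fixed in {f.fixed_in})"
                     for f in findings)


if __name__ == "__main__":
    print(render(scan(SAMPLE_CONSTRAINTS, SAMPLE_ADVISORIES)))
```

`scan` is the periodic report; `newly_introduced` is what a check job on a proposed global-requirements.txt change would run against the regenerated constraints, and `fixed_in` gives the "next safest" version a follow-up change could bump to. Both only report, matching the advisory-only role described above, so reviewers can still override a result when they have reason to.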
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev