Status: Closed (jpopelka closed this issue 7 years ago)
Results of my experiments with www.cvedetails.com and pyupio/safety-db are described in this document: https://docs.google.com/a/redhat.com/document/d/1ScTu7BlGu9nzbSnOPb_eyiKU1ZPwjfMo1xe76YzD8Q4/edit?usp=sharing
I missed this card. As posted on the ML, candidates: https://github.com/pyupio/safety-db, https://pypi.python.org/pypi/safety (I see it on the waiting list :) )
Document has been created. I decided to fix the issues we are seeing with OWASP Dependency Check rather than using another source of data. Marking as completed, as the code runs in production.
Description
When implementing security scans for Python, we chose the easiest solution, which was using the same tool that we'd already been using for Maven packages, i.e. OWASP Dependency Check.
It has an experimental Python Analyzer which we currently use. However, the number of false positives is quite high; see https://github.com/fabric8-analytics/fabric8-analytics-worker/issues/131 for the existing fabric8-analytics-worker issue.
We should either fix it or find another source of vulnerability data for the Python ecosystem.
Other possible candidates:
Acceptance criteria