diff --git a/reports/2024-07-18-Q2-report.md b/reports/2024-07-18-Q2-report.md new file mode 100644 index 00000000..0a12435b --- /dev/null +++ b/reports/2024-07-18-Q2-report.md @@ -0,0 +1,192 @@ +# Haskell Security Response Team - 2024 April–June report + +The Haskell Security Response Team (SRT) is a volunteer organization +within the Haskell Foundation that is building tools and processes +to aid the entire Haskell ecosystem in assessing and responding to +security risks. In particular, we maintain a [database][repo] of +security advisories that can serve as a data source for security +tooling. + +This report details the SRT activities from April through June +2024. + +The SRT is: + +- Casey Mattingly +- Fraser Tweedale +- Gautier Di Folco +- Mihai Maruseac +- Tristan de Cacqueray + + +## How to contact the SRT + +For assistance in coordinating a security response to newly +discovered, high impact vulnerabilities, contact +`security-advisories@haskell.org`. Due to limited resources, we can +only coordinate embargoed disclosures for high impact +vulnerabilities affecting current versions of core Haskell tools and +libraries, or in other exceptional cases. + +You can submit lower-impact or historical vulnerabilities to the +advisory database via a pull request to our [GitHub +repository][repo]. + +You can also contact the SRT about non-advisory/security-response +topics. We prefer public communication where possible. In most +cases, [GitHub issues][gh-new-issue] are an appropriate forum. But +the mail address is there if no other appropriate channel exists. + +[gh-new-issue]: https://github.com/haskell/security-advisories/issues/new/choose + + +## Growing the SRT + +Following discussions at the 2024 Haskell Ecosystem Workshop, we +have decided to grow the SRT. This is in recognition of the +expanding scope of the SRT's work. For example, we would like to +improve security tooling for Haskell developers, but we are limited +by our volunteer members' capacity. There are several high-impact +projects awaiting attention. Growing the team will enable us to +address more of these, while (hopefully) reserving some capacity to +address urgent security issues when they arise. + +Additionally, Casey Mattingly has decided to retire from the SRT. +Casey, thank you for your significant contributions during the SRT's +first year. + +The SRT will put out a new Call for Volunteers soon. Keep an eye +out for it, and we look forward to welcoming new members soon! + + +## Advisory database + +1 contemporary advisory was published during the reporting period. + +0 historical advisories were added during the reporting period. + +2 HSEC IDs (HSEC-2024-0004 and HSEC-2024-0005) have been reserved +for embargoed vulnerabilities, which will be published later. + +We urge community members to submit to the database any known +security issues, including historical issues, that are not yet +included. + + +## SRT at the Haskell Ecosystem Workshop and ZuriHac 2024 + +In early June, Gautier and Fraser attended the [Haskell Ecosystem +Workshop] and [ZuriHac], co-located at OST Rapperswil near Zürich. +Fraser presented ([slides]) at the Workshop, giving an overview of +the SRT's processes, work, tooling, and future evolution. + +[slides]: https://speakerdeck.com/frasertweedale/haskell-security-response-team-haskell-ecosystem-workshop-2024 + +There were many highlights from 5 days of collaboration across both +events: + +- New security issues were reported, and SRT initiated a response. +- New contributors made valuable contributions: + - André Espaze implemented a [*Security* page][haskell.org-security] + for the `www.haskell.org` website ([pull request][pr-300]). + - andrii (`@unorsk`) took up the work of implementing CVSS 4.0 + support for the advisory database. + +- Gautier improved the HTML advisory index generation +- Mango (`@MangoIV`) continued work on [cabal-audit] and + bugfixes/improvements to the advisory libraries. +- Mango also started work on SPDX SBOM generation. +- SRT members gave security advice to other projects. +- Many people shared ideas about the evolution and strengthening of + the SRT, and the Haskell security posture more generally. + +[pr-300]: https://github.com/haskell-infra/www.haskell.org/pull/300 +[cabal-audit]: https://github.com/MangoIV/cabal-audit +[haskell.org-security]: https://www.haskell.org/security/ + +Fraser especially thanks the Haskell Foundation for travel +assistance (Zürich is a long way from Australia!) + + +## Reporting vulnerabilities via VINCE + +The CERT/CC [VINCE] system supports confidential reporting of +vulnerabilities and response coordination. The Haskell ecosystem is +now represented in VINCE as the *"Haskell Programming Language"* +vendor. + +VINCE is especially valuable for coordinated security response and +disclosure of vulnerabilities that impact multiple ecosystems. For +example, [HSEC-2024-0003] impacted many languages, including Rust, +PHP, Node.js and Erlang. Representatives of the affected ecosystems +shared information, including mitigation techniques, and prepared +for coordinated disclosure and fix releases. + +Although anyone can use VINCE to report a vulnerability to the SRT, +we encourage its use only for **high-impact vulnerabilities** and +**vulnerabilities that impact multiple ecosystems** or vendors. For +low-severity issues that only impact the Haskell ecosystem, please +follow the process in the [Reporting Vulnerabilities][reporting] +document. + +[VINCE]: https://kb.cert.org/vince/ +[HSEC-2024-0003]: https://osv.dev/vulnerability/HSEC-2024-0003 +[reporting]: https://github.com/haskell/security-advisories/blob/main/CONTRIBUTING.md + + +## Security guides + +The SRT from time to time will publish "security best practices" +guides on particular topics, tailored to users of Haskell. Mihai +published the first of these in May: [How to secure GitHub +repositories][guide-github]. Thanks Mihai! + +What other security guides would be helpful for the Haskell +community? Please let us know via email or GitHub issue. + +[guide-github]: https://github.com/haskell/security-advisories/blob/main/guides/github.md + + +## SRT libraries and tools on Hackage + +We have published the following libraries and tools on +`hackage.haskell.org`: + +- [***cvss***](https://hackage.haskell.org/package/cvss): + types and functions for the [*Common Vulnerability Scoring System*][cvss] +- [***osv***](https://hackage.haskell.org/package/osv): + the [*Open Source Vulnerabilities (OSV) schema*][osv-schema] +- [***hsec-core***](https://hackage.haskell.org/package/hsec-core): + our core advisory type +- [***hsec-tools***](https://hackage.haskell.org/package/hsec-tools): + advisory parsing and processing (library), *and* the `hsec-tools` + executable for managing the advisory database and export + artifacts +- [***hsec-sync***](https://hackage.haskell.org/package/hsec-sync): + executable for downloading and synchronising *snapshots* of the + advisory database content, intended for Haskell ecosystem tooling + +[cvss]: https://en.wikipedia.org/wiki/Common_Vulnerability_Scoring_System +[osv-schema]: https://ossf.github.io/osv-schema/ + +We will also publish a [*Common Weakness Enumeration (CWE)*][cwe] +library, which is still in development. + +[cwe]: https://cwe.mitre.org/ + + +## Tooling updates + +- Gautier implemented advisory snapshots. These are intended for + distribution and consumption by downstream tools (so they don't + have to clone the whole *security-advisories* Git repo). +- Gautier enhanced the style and content of our HTML advisory index + generator. +- Mango fixed several bugs in *hsec-core* and purged `ZonedTime` + from the codebase. The `Advisory` type now uses `UTCTime`. +- Tristan is adding support for the `GHC` advisory namespace, which + is already defined in the OSV schema. It is for advisories + affecting the compiler or other tools that can not be properly + identified in the `Hackage` namespace. +- Early in Q3 we will publish new versions of most of our packages, + incorporating the changes mentioned above (and more).