-
Notifications
You must be signed in to change notification settings - Fork 18
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
64ba2eb
commit 1281b5a
Showing
1 changed file
with
192 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,192 @@ | ||
# Haskell Security Response Team - 2024 April–June report | ||
|
||
The Haskell Security Response Team (SRT) is a volunteer organization | ||
within the Haskell Foundation that is building tools and processes | ||
to aid the entire Haskell ecosystem in assessing and responding to | ||
security risks. In particular, we maintain a [database][repo] of | ||
security advisories that can serve as a data source for security | ||
tooling. | ||
|
||
This report details the SRT activities from April through June | ||
2024. | ||
|
||
The SRT is: | ||
|
||
- Casey Mattingly | ||
- Fraser Tweedale | ||
- Gautier Di Folco | ||
- Mihai Maruseac | ||
- Tristan de Cacqueray | ||
|
||
|
||
## How to contact the SRT | ||
|
||
For assistance in coordinating a security response to newly | ||
discovered, high impact vulnerabilities, contact | ||
`[email protected]`. Due to limited resources, we can | ||
only coordinate embargoed disclosures for high impact | ||
vulnerabilities affecting current versions of core Haskell tools and | ||
libraries, or in other exceptional cases. | ||
|
||
You can submit lower-impact or historical vulnerabilities to the | ||
advisory database via a pull request to our [GitHub | ||
repository][repo]. | ||
|
||
You can also contact the SRT about non-advisory/security-response | ||
topics. We prefer public communication where possible. In most | ||
cases, [GitHub issues][gh-new-issue] are an appropriate forum. But | ||
the mail address is there if no other appropriate channel exists. | ||
|
||
[gh-new-issue]: https://github.com/haskell/security-advisories/issues/new/choose | ||
|
||
|
||
## Growing the SRT | ||
|
||
Following discussions at the 2024 Haskell Ecosystem Workshop, we | ||
have decided to grow the SRT. This is in recognition of the | ||
expanding scope of the SRT's work. For example, we would like to | ||
collaborate develop more tooling, but we are limited by our | ||
volunteer members' capacity. There are several high-impact projects | ||
awaiting attention. Growing the team will enable us to address more | ||
of these, while (hopefully) reserving some capacity to address | ||
urgent security issues when they arise. | ||
|
||
Additionally, Casey Mattingly has decided to retire from the SRT. | ||
Casey, thank you for your significant contributions during the SRT's | ||
first year. | ||
|
||
The SRT will put out a new Call for Volunteers soon. Keep an eye | ||
out for it, and we look forward to welcoming new members soon! | ||
|
||
|
||
## Advisory database | ||
|
||
1 contemporary advisory was published during the reporting period. | ||
|
||
0 historical advisories were added during the reporting period. | ||
|
||
2 HSEC IDs (HSEC-2024-0004 and HSEC-2024-0005) have been reserved | ||
for embargoed vulnerabilities, which will be published later. | ||
|
||
We urge community members to submit to the database any known | ||
security issues, including historical issues, that are not yet | ||
included. | ||
|
||
|
||
## SRT at the Haskell Ecosystem Workshop and ZuriHac 2024 | ||
|
||
In early June, Gautier and Fraser attended the [Haskell Ecosystem | ||
Workshop] and [ZuriHac], co-located at OST Rapperswil near Zürich. | ||
Fraser presented ([slides]) at the Workshop, giving an overview of | ||
the SRT's processes, work, tooling, and future evolution. | ||
|
||
[slides]: https://speakerdeck.com/frasertweedale/haskell-security-response-team-haskell-ecosystem-workshop-2024 | ||
|
||
There were many highlights from 5 days of collaboration across both | ||
events: | ||
|
||
- New security issues were reported, and SRT initiated a response. | ||
- New contributors made valuable contributions: | ||
- André Espaze implemented a [*Security* page][haskell.org-security] | ||
for the `www.haskell.org` website ([pull request][pr-300]). | ||
- andrii (`@unorsk`) took up the work of implementing CVSS 4.0 | ||
support for the advisory database. | ||
|
||
- Gautier improved the HTML advisory index generation | ||
- Mango (`@MangoIV`) continued work on [cabal-audit] and | ||
bugfixes/improvements to the advisory libraries. | ||
- Mango also started work on SPDX SBOM generation. | ||
- SRT members gave security advice to other projects. | ||
- Many people shared ideas about the evolution and strengthening of | ||
the SRT, and the Haskell security posture more generally. | ||
|
||
[pr-300]: https://github.com/haskell-infra/www.haskell.org/pull/300 | ||
[cabal-audit]: https://github.com/MangoIV/cabal-audit | ||
[haskell.org-security]: https://www.haskell.org/security/ | ||
|
||
Fraser especially thanks the Haskell Foundation for travel | ||
assistance (Zürich is a long way from Australia!) | ||
|
||
|
||
## Reporting vulnerabilities via VINCE | ||
|
||
The CERT/CC [VINCE] system supports confidential reporting of | ||
vulnerabilities and response coordination. The Haskell ecosystem is | ||
now represented in VINCE as the *"Haskell Programming Language"* | ||
vendor. | ||
|
||
VINCE is especially valuable for coordinated security response and | ||
disclosure of vulnerabilities that impact multiple ecosystems. For | ||
example, [HSEC-2024-0003] impacted many languages, including Rust, | ||
PHP, Node.js and Erlang. Representatives of the affected ecosystems | ||
shared information, including mitigation techniques, and prepared | ||
for coordinated disclosure and fix releases. | ||
|
||
Although anyone can use VINCE to report a vulnerability to the SRT, | ||
we encourage its use only for **high-impact vulnerabilities** and | ||
**vulnerabilities that impact multiple ecosystems** or vendors. For | ||
low-severity issues that only impact the Haskell ecosystem, please | ||
follow the process in the [Reporting Vulnerabilities][reporting] | ||
document. | ||
|
||
[VINCE]: https://kb.cert.org/vince/ | ||
[HSEC-2024-0003]: https://osv.dev/vulnerability/HSEC-2024-0003 | ||
[reporting]: https://github.com/haskell/security-advisories/blob/main/CONTRIBUTING.md | ||
|
||
|
||
## Security guides | ||
|
||
The SRT from time to time will publish "security best practices" | ||
guides on particular topics, tailored to users of Haskell. Mihai | ||
published the first of these in May: [How to secure GitHub | ||
repositories][guide-github]. Thanks Mihai! | ||
|
||
What other security guides would be helpful for the Haskell | ||
community? Please let us know via email or GitHub issue. | ||
|
||
[guide-github]: https://github.com/haskell/security-advisories/blob/main/guides/github.md | ||
|
||
|
||
## SRT libraries and tools on Hackage | ||
|
||
We have published the following libraries and tools on | ||
`hackage.haskell.org`: | ||
|
||
- [***cvss***](https://hackage.haskell.org/package/cvss): | ||
types and functions for the [*Common Vulnerability Scoring System*][cvss] | ||
- [***osv***](https://hackage.haskell.org/package/osv): | ||
the [*Open Source Vulnerabilities (OSV) schema*][osv-schema] | ||
- [***hsec-core***](https://hackage.haskell.org/package/hsec-core): | ||
our core advisory type | ||
- [***hsec-tools***](https://hackage.haskell.org/package/hsec-tools): | ||
advisory parsing and processing (library), *and* the `hsec-tools` | ||
executable for managing the advisory database and export | ||
artifacts | ||
- [***hsec-sync***](https://hackage.haskell.org/package/hsec-sync): | ||
executable for downloading and synchronising *snapshots* of the | ||
advisory database content, intended for Haskell ecosystem tooling | ||
|
||
[cvss]: https://en.wikipedia.org/wiki/Common_Vulnerability_Scoring_System | ||
[osv-schema]: https://ossf.github.io/osv-schema/ | ||
|
||
We will also publish a [*Common Weakness Enumeration (CWE)*][cwe] | ||
library, which is still in development. | ||
|
||
[cwe]: https://cwe.mitre.org/ | ||
|
||
|
||
## Tooling updates | ||
|
||
- Gautier implemented advisory snapshots. These are intended for | ||
distribution and consumption by downstream tools (so they don't | ||
have to clone the whole *security-advisories* Git repo). | ||
- Gautier enhanced the style and content of our HTML advisory index | ||
generator. | ||
- Mango fixed several bugs in *hsec-core* and purged `ZonedTime` | ||
from the codebase. The `Advisory` type now uses `UTCTime`. | ||
- Tristan is adding support for the `GHC` advisory namespace, which | ||
is already defined in the OSV schema. It is for advisories | ||
affecting the compiler or other tools that can not be properly | ||
identified in the `Hackage` namespace. | ||
- Early in Q3 we will publish new versions of most of our packages, | ||
incorporating the changes mentioned above (and more). |