Skip to content

Commit

Permalink
reports: add 2024 Q2 report
Browse files Browse the repository at this point in the history
  • Loading branch information
frasertweedale committed Jul 18, 2024
1 parent 64ba2eb commit 578f190
Showing 1 changed file with 194 additions and 0 deletions.
194 changes: 194 additions & 0 deletions reports/2024-07-18-Q2-report.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,194 @@
# Haskell Security Response Team - 2024 April–June report

The Haskell Security Response Team (SRT) is a volunteer organization
within the Haskell Foundation that is building tools and processes
to aid the entire Haskell ecosystem in assessing and responding to
security risks. In particular, we maintain a [database][repo] of
security advisories that can serve as a data source for security
tooling.

This report details the SRT activities from April through June
2024.

The SRT is:

- Casey Mattingly
- Fraser Tweedale
- Gautier Di Folco
- Mihai Maruseac
- Tristan de Cacqueray

[repo]: https://github.com/haskell/security-advisories


## How to contact the SRT

For assistance in coordinating a security response to newly
discovered, high impact vulnerabilities, contact
`[email protected]`. Due to limited resources, we can
only coordinate embargoed disclosures for high impact
vulnerabilities affecting current versions of core Haskell tools and
libraries, or in other exceptional cases.

You can submit lower-impact or historical vulnerabilities to the
advisory database via a pull request to our [GitHub
repository][repo].

You can also contact the SRT about non-advisory/security-response
topics. We prefer public communication where possible. In most
cases, [GitHub issues][gh-new-issue] are an appropriate forum. But
the mail address is there if no other appropriate channel exists.

[gh-new-issue]: https://github.com/haskell/security-advisories/issues/new/choose


## Growing the SRT

Following discussions at the 2024 Haskell Ecosystem Workshop, we
have decided to grow the SRT. This is in recognition of the
expanding scope of the SRT's work. For example, we would like to
improve security tooling for Haskell developers, but we are limited
by our volunteer members' capacity. There are several high-impact
projects awaiting attention. Growing the team will enable us to
address more of these, while (hopefully) reserving some capacity to
address urgent security issues when they arise.

Additionally, Casey Mattingly has decided to retire from the SRT.
Casey, thank you for your significant contributions during the SRT's
first year.

The SRT will put out a new Call for Volunteers soon. Keep an eye
out for it, and we look forward to welcoming new members soon!


## Advisory database

1 contemporary advisory was published during the reporting period.

0 historical advisories were added during the reporting period.

2 HSEC IDs (HSEC-2024-0004 and HSEC-2024-0005) have been reserved
for embargoed vulnerabilities, which will be published later.

We urge community members to submit to the database any known
security issues, including historical issues, that are not yet
included.


## SRT at the Haskell Ecosystem Workshop and ZuriHac 2024

In early June, Gautier and Fraser attended the [Haskell Ecosystem
Workshop] and [ZuriHac], co-located at OST Rapperswil near Zürich.
Fraser presented ([slides]) at the Workshop, giving an overview of
the SRT's processes, work, tooling, and future evolution.

[slides]: https://speakerdeck.com/frasertweedale/haskell-security-response-team-haskell-ecosystem-workshop-2024

There were many highlights from 5 days of collaboration across both
events:

- New security issues were reported, and SRT initiated a response.
- New contributors made valuable contributions:
- André Espaze implemented a [*Security* page][haskell.org-security]
for the `www.haskell.org` website ([pull request][pr-300]).
- andrii (`@unorsk`) took up the work of implementing CVSS 4.0
support for the advisory database.

- Gautier improved the HTML advisory index generation
- Mango (`@MangoIV`) continued work on [cabal-audit] and
bugfixes/improvements to the advisory libraries.
- Mango also started work on SPDX SBOM generation.
- SRT members gave security advice to other projects.
- Many people shared ideas about the evolution and strengthening of
the SRT, and the Haskell security posture more generally.

[pr-300]: https://github.com/haskell-infra/www.haskell.org/pull/300
[cabal-audit]: https://github.com/MangoIV/cabal-audit
[haskell.org-security]: https://www.haskell.org/security/

Fraser especially thanks the Haskell Foundation for travel
assistance (Zürich is a long way from Australia!)


## Reporting vulnerabilities via VINCE

The CERT/CC [VINCE] system supports confidential reporting of
vulnerabilities and response coordination. The Haskell ecosystem is
now represented in VINCE as the *"Haskell Programming Language"*
vendor.

VINCE is especially valuable for coordinated security response and
disclosure of vulnerabilities that impact multiple ecosystems. For
example, [HSEC-2024-0003] impacted many languages, including Rust,
PHP, Node.js and Erlang. Representatives of the affected ecosystems
shared information, including mitigation techniques, and prepared
for coordinated disclosure and fix releases.

Although anyone can use VINCE to report a vulnerability to the SRT,
we encourage its use only for **high-impact vulnerabilities** and
**vulnerabilities that impact multiple ecosystems** or vendors. For
low-severity issues that only impact the Haskell ecosystem, please
follow the process in the [Reporting Vulnerabilities][reporting]
document.

[VINCE]: https://kb.cert.org/vince/
[HSEC-2024-0003]: https://osv.dev/vulnerability/HSEC-2024-0003
[reporting]: https://github.com/haskell/security-advisories/blob/main/CONTRIBUTING.md


## Security guides

The SRT from time to time will publish "security best practices"
guides on particular topics, tailored to users of Haskell. Mihai
published the first of these in May: [How to secure GitHub
repositories][guide-github]. Thanks Mihai!

What other security guides would be helpful for the Haskell
community? Please let us know via email or GitHub issue.

[guide-github]: https://github.com/haskell/security-advisories/blob/main/guides/github.md


## SRT libraries and tools on Hackage

We have published the following libraries and tools on
`hackage.haskell.org`:

- [***cvss***](https://hackage.haskell.org/package/cvss):
types and functions for the [*Common Vulnerability Scoring System*][cvss]
- [***osv***](https://hackage.haskell.org/package/osv):
the [*Open Source Vulnerabilities (OSV) schema*][osv-schema]
- [***hsec-core***](https://hackage.haskell.org/package/hsec-core):
our core advisory type
- [***hsec-tools***](https://hackage.haskell.org/package/hsec-tools):
advisory parsing and processing (library), *and* the `hsec-tools`
executable for managing the advisory database and export
artifacts
- [***hsec-sync***](https://hackage.haskell.org/package/hsec-sync):
executable for downloading and synchronising *snapshots* of the
advisory database content, intended for Haskell ecosystem tooling

[cvss]: https://en.wikipedia.org/wiki/Common_Vulnerability_Scoring_System
[osv-schema]: https://ossf.github.io/osv-schema/

We will also publish a [*Common Weakness Enumeration (CWE)*][cwe]
library, which is still in development.

[cwe]: https://cwe.mitre.org/


## Tooling updates

- Gautier implemented advisory snapshots. These are intended for
distribution and consumption by downstream tools (so they don't
have to clone the whole *security-advisories* Git repo).
- Gautier enhanced the style and content of our HTML advisory index
generator.
- Mango fixed several bugs in *hsec-core* and purged `ZonedTime`
from the codebase. The `Advisory` type now uses `UTCTime`.
- Tristan is adding support for the `GHC` advisory namespace, which
is already defined in the OSV schema. It is for advisories
affecting the compiler or other tools that can not be properly
identified in the `Hackage` namespace.
- Early in Q3 we will publish new versions of most of our packages,
incorporating the changes mentioned above (and more).

0 comments on commit 578f190

Please sign in to comment.