Merge branch 'main' into cvss4.0-support

CONTRIBUTING.md

@@ -48,8 +48,8 @@ examples of qualifying vulnerabilities:
 
 **Q: Do I need to be the maintainer of a package to file an advisory?**
 
-A:  No, anyone can file an advisory against any package. The legitimacy of
-    vulnerabilities will be determined prior to merging. If a vulnerability
+A:  No, anyone can file an advisory against any package.  Reports
+    will be verified prior to merging.  If a report
     turns out to be incorrect then it will be corrected or removed from the
     database.
 
@@ -58,14 +58,16 @@ A:  No, anyone can file an advisory against any package. The legitimacy of
 A: Yes, instead of creating a full advisory yourself you can also
    [open an issue on the security-advisories repo](https://github.com/haskell/security-advisories/issues)
    or email information about the vulnerability to
-   [[email protected]](mailto:[email protected]).
 
-**Q: Does this project have a GPG key or other means of handling embargoed vulnerabilities?**
+**Q: Does this project have a PGP key or other means of handling embargoed vulnerabilities?**
 
-A: We do not presently handle embargoed vulnerabilities. Please ensure embargoes
-   have been lifted and details have been disclosed to the public prior to filing
-   them here.
+A: High-impact vulnerabilities can be reported privately to
+[[email protected]](mailto:[email protected]),
+but we do not use PGP.  Alternatively, Haskell vulnerabilities can
+be reported via the CERT/CC [VINCE] system.  Use "Haskell
+Programming Language" as the vendor name.
 
+[VINCE]: https://kb.cert.org/vince/
 [Pull Request]: https://github.com/haskell/security-advisories/pulls
 [TOML advisory template]: https://github.com/haskell/security-advisories/blob/main/README.md#advisory-format
 [example]: https://raw.githubusercontent.com/haskell/security-advisories/main/EXAMPLE_ADVISORY.md

PROCESS.md

@@ -27,14 +27,26 @@ disclosure process. Here are the steps we follow.
 
 ### Reception
 
-Private report can be received by email to [[email protected]](mailto:[email protected]).
-The HSRT does not presently handle embargoed vulnerabilities.
-Please ensure embargoes have been lifted and details have been disclosed to the public prior to filing a report.
-
-The HSRT may *provisionally* offer coordinated disclosure for
-HIGH severity issues, affecting a widely used library or tool.
-
-Public report can be submitted as a [regular issue on the security-advisories repo](https://github.com/haskell/security-advisories/issues).
+High-impact vulnerabilities can be reported privately to
+[[email protected]](mailto:[email protected]).
+We do not use PGP.  Alternatively, Haskell vulnerabilities can be
+reported via the CERT/CC [VINCE] system.  Use "Haskell Programming
+Language" as the vendor name.
+
+[VINCE]: https://kb.cert.org/vince/
+
+As a volunteer effort with limited resources, we coordinate security
+response for embargoed vulnerabilities for high impact issues only.
+Factors that influence whether we will deal with an issue under
+embargo or not include:
+
+- How severe is the vulnerability?
+- How widely used is the library or tool in which the issue occurs?
+- Does the issue also affect other ecosystems, or is there already a
+  security response underway?  (We will not break someone else's
+  embargo.)
+
+Public reports can be submitted as a [regular issue or PR on the security-advisories repo](https://github.com/haskell/security-advisories/issues).
 In that case, please follow the process defined in
 the [Reporting Vulnerabilities](./CONTRIBUTING.md) document.
 

cabal.project

@@ -4,3 +4,5 @@ package hsec-core
 package hsec-tools
 package cvss
 package osv
+
+test-show-details: direct

code/hsec-core/hsec-core.cabal

@@ -1,6 +1,6 @@
 cabal-version:      2.4
 name:               hsec-core
-version:            0.1.0.0
+version:            0.2.0.0
 
 -- A short (one-line) description of the package.
 synopsis:           Core package representing Haskell advisories

code/hsec-core/src/Security/Advisories/Core/Advisory.hs

@@ -14,20 +14,20 @@ module Security.Advisories.Core.Advisory
   where
 
 import Data.Text (Text)
-import Data.Time (ZonedTime)
+import Data.Time (UTCTime)
 import Distribution.Types.Version (Version)
 import Distribution.Types.VersionRange (VersionRange)
 
 import Text.Pandoc.Definition (Pandoc)
 
-import Security.Advisories.Core.HsecId
+import Security.Advisories.Core.HsecId (HsecId)
 import qualified Security.CVSS as CVSS
 import Security.OSV (Reference)
 
 data Advisory = Advisory
   { advisoryId :: HsecId
-  , advisoryModified :: ZonedTime
-  , advisoryPublished :: ZonedTime
+  , advisoryModified :: UTCTime
+  , advisoryPublished :: UTCTime
   , advisoryCAPECs :: [CAPEC]
   , advisoryCWEs :: [CWE]
   , advisoryKeywords :: [Keyword]

code/hsec-sync/hsec-sync.cabal

@@ -35,7 +35,7 @@ library
     , extra        >=1.7   && <1.8
     , feed         >=1.3   && <1.4
     , filepath     >=1.4   && <1.5
-    , hsec-core    >= 0.1  && < 0.2
+    , hsec-core    ^>= 0.2
     , http-client  >=0.7.0 && <0.8
     , lens         >=5.1   && <5.3
     , process      >=1.6   && <1.7

code/hsec-tools/CHANGELOG.md

@@ -0,0 +1,3 @@
+## 0.1.1.0
+
+- Redesign index

code/hsec-tools/app/Main.hs

@@ -1,13 +1,13 @@
-{-# LANGUAGE LambdaCase #-}
 {-# LANGUAGE OverloadedStrings #-}
 
 module Main where
 
 import Control.Monad (forM_, join, void, when)
+import Control.Monad.Trans.Except (runExceptT, ExceptT (ExceptT), withExceptT, throwE)
+import Control.Monad.IO.Class (liftIO)
 import qualified Data.ByteString.Lazy as L
 import Data.Maybe (fromMaybe)
 import Data.Foldable (for_)
-import Data.Functor ((<&>))
 import Data.List (intercalate, isPrefixOf)
 import Distribution.Parsec (eitherParsec)
 import Distribution.Types.VersionRange (VersionRange, anyVersion)
@@ -19,6 +19,7 @@ import Validation (Validation(..))
 import qualified Data.Aeson
 import qualified Data.Text as T
 import qualified Data.Text.IO as T
+import Control.Exception (Exception(displayException))
 import Options.Applicative
 
 import Security.Advisories
@@ -153,24 +154,18 @@ withAdvisory :: (Maybe FilePath -> Advisory -> IO ()) -> Maybe FilePath -> IO ()
 withAdvisory go file = do
   input <- maybe T.getContents T.readFile file
 
-  oob <- ($ emptyOutOfBandAttributes) <$> case file of
-    Nothing -> pure id
-    Just path ->
-      getAdvisoryGitInfo path <&> \case
-        Left _ -> id
-        Right gitInfo -> \oob -> oob
-          { oobPublished = Just (firstAppearanceCommitDate gitInfo)
-          , oobModified = Just (lastModificationCommitDate gitInfo)
-          }
+  oob <- runExceptT $ case file of
+    Nothing -> throwE StdInHasNoOOB
+    Just path -> withExceptT GitHasNoOOB $ do 
+      gitInfo <- ExceptT $ liftIO $ getAdvisoryGitInfo path 
+      pure OutOfBandAttributes
+        { oobPublished = firstAppearanceCommitDate gitInfo
+        , oobModified = lastModificationCommitDate gitInfo
+        }
 
   case parseAdvisory NoOverrides oob input of
     Left e -> do
-      T.hPutStrLn stderr $
-        case e of
-          MarkdownError _ explanation -> "Markdown parsing error:\n" <> explanation
-          MarkdownFormatError explanation -> "Markdown structure error:\n" <> explanation
-          TomlError _ explanation -> "Couldn't parse front matter as TOML:\n" <> explanation
-          AdvisoryError _ explanation -> "Advisory structure error:\n" <> explanation
+      hPutStrLn stderr (displayException e)
       exitFailure
     Right advisory -> do
       go file advisory

code/hsec-tools/assets/css/default.css

@@ -0,0 +1,152 @@
+:root{
+    --bg-color:#FFFFFF;
+    --text-color:#333;
+    --outline-color:#DB83ED;
+    --header-color:#5E5184;
+    --anchor-color:#9E358F;
+    --anchor-visited-color:#6F5F9C;
+    --code-bg-color:#FAFAFA;
+    --filename-bg:#EAEAEA;
+    --code-color:#383a42;
+    --code-bg-color:#fafafa;
+    --code-comment-color:#a0a1a7;
+    --code-kw-color:#af005f;
+    --code-name-color:#e45649;
+    --code-literal-color:#268bd2;
+    --code-string-color:#cb4b16;
+    --code-attr-color:#986801;
+    --code-constructor-color:#5f5faf;
+    --code-symbol-color:#4078f2;
+    --code-record-field-color:#c18401;
+    --code-pragma-color:#2aa198
+}
+@media (prefers-color-scheme:dark){
+    :root{
+        --bg-color:#333;
+        --text-color:#C9D1D9;
+        --header-color:#BBA1FF;
+        --anchor-color:#EB82DC;
+        --anchor-visited-color:#D5C5FF;
+        --code-bg-color:transparent;
+        --filename-bg:#2C2C2C;
+        --code-color:#C9D1D9;
+        --code-bg-color:#333;
+        --code-comment-color:#a0a1a7;
+        --code-kw-color:#BBA1FF;
+        --code-name-color:#e45649;
+        --code-literal-color:#268bd2;
+        --code-string-color:#cb4b16;
+        --code-attr-color:#986801;
+        --code-constructor-color:#d079c9;
+        --code-symbol-color:var(--code-color);
+        --code-record-field-color:#c18401;
+        --code-pragma-color:#2aa198
+    }
+}
+*:focus-visible{
+    outline-color:var(--outline-color)
+}
+body{
+    color:var(--text-color);
+    background-color:var(--bg-color)
+}
+a{
+    color:var(--anchor-color)
+}
+a:visited{
+    color:var(--anchor-visited-color)
+}
+h1,h2,h3,h4,h5,h6{
+    color:var(--header-color)
+}
+input{
+    background-color:rgba(255,255,255,0.06);
+    color:var(--text-color)
+}
+.nav-bar{
+    text-align: right;
+}
+.nav-bar ul{
+    display: inline-block;
+    list-style: none;
+    margin: 0;
+    padding: 0;
+}
+.nav-bar li{
+    display: inline-block;
+    vertical-align: middle;
+    padding: 0;
+    margin: 0;
+    height: 100%;
+    position: relative;
+}
+ *:focus-visible{
+    outline-offset:4px;
+    outline-width:1px
+}
+body{
+    font-size:1.6rem;
+    margin:0 auto;
+    max-width:120rem
+}
+footer{
+    margin-top:3rem;
+    padding:1.2rem 0;
+    border-top:0.2rem solid #000;
+    font-size:1.2rem;
+    color:#555
+}
+h1{
+    font-size:2.4rem
+}
+h2{
+    font-size:2rem
+}
+html{
+    font-size:62.5%;
+    font-family:Helvetica,sans-serif
+}
+table tbody td{
+    padding:5px
+}
+footer{
+    padding: 0 2%;
+    text-align: center;
+}
+footer .HF{
+    height:50px;
+    line-height:50px;
+    display:inline-block;
+    background-repeat:no-repeat;
+    background-image:url('../images/hf-logo.png');
+    background-size:50px;
+    background-position:left center;
+    padding-left:60px
+}
+@media (max-width:319px){
+    .nav-bar{
+        margin:0 1.5rem 0 0;
+    }
+    .nav-bar a{
+        display:block;
+        line-height:1.6
+    }
+}
+@media (min-width:320px){
+    .nav-bar{
+        margin:0 2rem 0 0;
+    }
+    .nav-bar a{
+        display:inline;
+        margin:0 0.6rem
+    }
+}
+@media (min-width:640px){
+    .nav-bar{
+        margin:0 3rem 0 0;
+    }
+    .nav-bar a{
+        margin:0 0 0 1.2rem;
+        display:inline
+    }
+}

code/hsec-tools/hsec-tools.cabal

@@ -1,6 +1,6 @@
 cabal-version:      2.4
 name:               hsec-tools
-version:            0.1.0.0
+version:            0.2.0.0
 
 -- A short (one-line) description of the package.
 synopsis:
@@ -23,6 +23,8 @@ maintainer:         [email protected]
 category:           Data
 extra-doc-files:    CHANGELOG.md
 extra-source-files:
+  assets/css/*.css
+  assets/images/*.png
   test/golden/*.golden
   test/golden/*.md
 
@@ -35,13 +37,15 @@ library
     Security.Advisories.Convert.OSV
     Security.Advisories.Filesystem
     Security.Advisories.Generate.HTML
+    Security.Advisories.Generate.TH
     Security.Advisories.Git
     Security.Advisories.Parse
     Security.Advisories.Queries
 
   build-depends:
     , aeson                 >=2.0.1.0  && <3
     , base                  >=4.14     && <4.20
+    , bytestring            >=0.10    && <0.13
     , Cabal-syntax          >=3.8.1.0  && <3.11
     , commonmark            ^>=0.2.2
     , commonmark-pandoc     >=0.2      && <0.3
@@ -50,8 +54,9 @@ library
     , directory             <2
     , extra                 ^>=1.7.5
     , filepath              >=1.4      && <1.5
-    , hsec-core             >= 0.1     && < 0.2
+    , hsec-core             ^>= 0.2
     , feed                  ==1.3.*
+    , file-embed            >=0.0.13.0 && <0.0.17
     , lucid                 >=2.9.0    && < 3
     , mtl                   >=2.2      && <2.4
     , osv                   >= 0.1     && < 0.2
@@ -61,8 +66,9 @@ library
     , process               >=1.6      && <1.7
     , safe                  >=0.3      && < 0.4
     , text                  >=1.2      && <3
+    , template-haskell      >=2.16.0.0 && <2.23
     , time                  >=1.9      && <1.14
-    , toml-parser           ^>=2.0.0.0
+    , toml-parser           ^>=2.0.1.0
     , validation-selective  >=0.1      && <1
 
   hs-source-dirs:   src
@@ -86,10 +92,11 @@ executable hsec-tools
     , bytestring            >=0.10    && <0.13
     , Cabal-syntax          >=3.8.1.0 && <3.11
     , filepath              >=1.4     && <1.5
-    , hsec-core             >= 0.1    && < 0.2
+    , hsec-core             ^>= 0.2
     , hsec-tools
     , optparse-applicative  >=0.17    && <0.19
     , text                  >=1.2     && <3
+    , transformers
     , validation-selective  >=0.1     && <1
 
   hs-source-dirs:   app