Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

cabal-audit: init #148

Closed
wants to merge 23 commits into from
Closed

cabal-audit: init #148

wants to merge 23 commits into from

Conversation

MangoIV
Copy link
Contributor

@MangoIV MangoIV commented Feb 6, 2024

the cabal audit executable

usage

λ nix run github:mangoiv/security-advisories/mangoiv/cabal-audit-osv#cabal-audit --
trying to clone https://github.com/haskell/security-advisories
Cloning into '/tmp/cabal-audit-726d3e9345b766bc'...
remote: Enumerating objects: 172, done.
remote: Counting objects: 100% (172/172), done.
remote: Compressing objects: 100% (129/129), done.
remote: Total 172 (delta 6), reused 114 (delta 1), pack-reused 0
Receiving objects: 100% (172/172), 116.55 KiB | 1.31 MiB/s, done.
Resolving deltas: 100% (6/6), done.


Found advisories:

dependency "base" at version 4.18.1.0 is vulnerable for:
  HSEC-2023-0007 "readFloat: memory exhaustion with large exponent"
  published: 2024-04-23 12:43:30 +1000
  https://haskell.github.io/security-advisories/advisory/HSEC-2023-0007
  No fix version available
  toml, parser, dos

dependency "process" at version 1.6.17.0 is vulnerable for:
  HSEC-2024-0003 "process: command injection via argument list on Windows"
  published: 2024-04-23 12:43:30 +1000
  https://haskell.github.io/security-advisories/advisory/HSEC-2024-0003
  Fix available since version 1.6.19.0
  windows

Note

if this causes some error wrt a lock file incompatibility, upgrade your nix version ;)

features implemented

  • query the repository for vulnerabilities
  • provide local repository
  • pretty output
  • run the cabal solver on a project and match vulnerabilities against that
  • propose fix version
  • link to security-advisories website
  • playtest

open features

  • don't only provide the latest fix version but a range of fix versions
  • check for the newest package on hackage that is greater than the fix version
  • more configuration configure the output
  • json output instead of only pretty stdout
  • use API instead of repository
  • more solver options (perhaps offer a special flags to pass on options to cabal)
  • more structured monadic code (it's all IO for simplicity)

other changes

  • gave the nix code a polish
  • gave the devshell a polish
  • introduced pre-commit-hooks.nix (please tell me if that's not wanted)

- move to more declarative flake setup to avoid complexity
- init the hsec-cabal cabal project
- move the cabal.project file to `code`
@MangoIV MangoIV force-pushed the mangoiv/hsec-cabal branch from f9efdb3 to 3e093fe Compare February 6, 2024 23:50
@blackheaven
Copy link
Collaborator

It looks great, thanks for the contribution!

@MangoIV
Copy link
Contributor Author

MangoIV commented Feb 7, 2024

I have not done anything yet 😅

@MangoIV
Copy link
Contributor Author

MangoIV commented Feb 12, 2024

I need to check what's wrong with nixpkgs; it reports that it installs multiple versions of Cabal-Syntax when building hsec-cabal with nix, this is probably due to it being a boot library.

@MangoIV MangoIV force-pushed the mangoiv/hsec-cabal branch 2 times, most recently from de66da5 to 4591de7 Compare February 15, 2024 07:40
@MangoIV
Copy link
Contributor Author

MangoIV commented Feb 17, 2024

image

mvp seems to work (project with vulnerable library spits it out :3

@MangoIV
Copy link
Contributor Author

MangoIV commented Feb 17, 2024

I wonder if I can get rid of cabal-install s own command line parser. It’s awful for this tool where you only want to pass simple arguments. So noisy

@jappeace
Copy link

good work fruity fren

@MangoIV
Copy link
Contributor Author

MangoIV commented Mar 12, 2024

note to self: xh GET https://hackage.haskell.org/package/:package/preferred Accept:application/json find newest, not vulnerable version; if any; do we propose versions that are older than the current version?

@frasertweedale
Copy link
Collaborator

note to self: xh GET https://hackage.haskell.org/package/:package/preferred Accept:application/json find newest, not vulnerable version; if any; do we propose versions that are older than the current version?

That is a very good question. I would say it's fine to propose an older version, if and only if it satisfies the solver.

@MangoIV
Copy link
Contributor Author

MangoIV commented Mar 17, 2024

image

@MangoIV
Copy link
Contributor Author

MangoIV commented Mar 17, 2024

calling without arguments:
image

@MangoIV
Copy link
Contributor Author

MangoIV commented Mar 17, 2024

calling with local path:
image

@MangoIV
Copy link
Contributor Author

MangoIV commented Mar 17, 2024

calling in a directory with no known vulnerabilities
image

@MangoIV MangoIV marked this pull request as ready for review March 17, 2024 22:49
@MangoIV MangoIV force-pushed the mangoiv/hsec-cabal branch from 0289b64 to 6f724c9 Compare March 17, 2024 22:50
@MangoIV
Copy link
Contributor Author

MangoIV commented Mar 17, 2024

I have no idea why the docker build is failing

@blackheaven
Copy link
Collaborator

I had a fight with GitHub Actions on Saturday, try to rebase your branch, I hope it'll be fine

@MangoIV
Copy link
Contributor Author

MangoIV commented Mar 18, 2024

@blackheaven I recently merged; I don't think this branch lack behind main at all?

@MangoIV
Copy link
Contributor Author

MangoIV commented Mar 29, 2024

I’ll tell you when I’m ready

cannot use the `advisories` directory usefully
@MangoIV
Copy link
Contributor Author

MangoIV commented Mar 29, 2024

will do one more iteration of cleanup and then should be good. I wanted to add an integration test but that depends on the issue I just opened.

- remove deps from testsuite
- only create tmp dir when really needed
- proper toplevel exception handling
- more documentation
- appease hlint
- format fourmolu.yaml
@MangoIV MangoIV force-pushed the mangoiv/hsec-cabal branch from dfe1790 to f7d21be Compare March 30, 2024 14:46
@MangoIV
Copy link
Contributor Author

MangoIV commented Mar 30, 2024

I think this is gtg now, feel free to review; I wanted to add some tests but they seem to depend on the .git directory and I have yet to figure out how to test this properly within nix...

@MangoIV
Copy link
Contributor Author

MangoIV commented Mar 31, 2024

I have some follow up plans, should we merge this first or should I push here?

@MangoIV MangoIV changed the title init cabal-audit project cabal-audit: init Mar 31, 2024
@frasertweedale
Copy link
Collaborator

@MangoIV a side note: in the SRT quarterly status report I want to give you kudos for your contributions. Shall I refer to you by "MangoIV", or by some other name?

@MangoIV
Copy link
Contributor Author

MangoIV commented Apr 3, 2024

MangoIV is good 😅

@MangoIV
Copy link
Contributor Author

MangoIV commented Apr 12, 2024

🥺 👉 👈

@MangoIV
Copy link
Contributor Author

MangoIV commented Apr 19, 2024

Hi! can I do something to make this move forward?

@MangoIV
Copy link
Contributor Author

MangoIV commented May 1, 2024

Hi! Little bump on this; what can I do to make this move forward? Mind, I also have an email by Joel where he intents to hand over the hackage namespace for cabal-audit, is there any news on how this is going to be handled?

Thank you <3

@pwm
Copy link

pwm commented May 1, 2024

@MangoIV I'd still love to beta-test this on our work codebase but the usage command does not work for me:

~/work(master|✔) $ nix run github:mangoiv/security-advisories/mangoiv/hsec-cabal#hsec-cabal
do you want to allow configuration setting 'allow-import-from-derivation' to be set to 'true' (y/N)? y
do you want to permanently mark this value as trusted (y/N)?
error: unsupported tarball input attribute 'lastModified'
(use '--show-trace' to show detailed location information)

@MangoIV
Copy link
Contributor Author

MangoIV commented May 1, 2024

Hi @pwm, this is because there's an incompatibility between nix versions wrt flake lock files, (to be fair, they do coin it as an experimental feature); you can fix it by upgrading your nix version to something somewhat recent.

Also be sure to try out the newest version which includes a couple more fixes and allows to output a semi-structured format;

nix run github:mangoiv/security-advisories/mangoiv/cabal-audit-osv#cabal-audit --

Thank you for beta-testing!

edit: I have upgraded the PR description with these instructions

@MangoIV
Copy link
Contributor Author

MangoIV commented May 6, 2024

This PR was rejected because it is currently out of scope for the security-avisories team. Please find the work at github.com/mangoiv/cabal-audit

@MangoIV MangoIV closed this May 6, 2024
@pwm
Copy link

pwm commented May 7, 2024

@MangoIV do you know where we can read more on what is in-scope vs. out of scope? From an end user perspective a security advisory db in itself is not that useful, it needs tooling like cabal-audit to make it useful.

@MangoIV
Copy link
Contributor Author

MangoIV commented May 7, 2024

@pwm This is not something I can answer. As far as I am aware this tool was part of the "future goals" of the working group when it was founded. Perhaps open an issue on this repo?

@blackheaven
Copy link
Collaborator

@MangoIV do you know where we can read more on what is in-scope vs. out of scope? From an end user perspective a security advisory db in itself is not that useful, it needs tooling like cabal-audit to make it useful.

We should have a dedicated page but we stated it in our last report:

The Haskell Security Response Team (SRT) is a volunteer organisation within the Haskell Foundation that is building tools and processes to aid the entire Haskell ecosystem in assessing and responding to security risks. In particular, we maintain a database of security advisories that can serve as a data source for security tooling.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

7 participants