cabal-audit: add support for outputing as json using osv
#178
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
- move to more declarative flake setup to avoid complexity - init the hsec-cabal cabal project - move the cabal.project file to `code`
cannot use the `advisories` directory usefully
- remove deps from testsuite - only create tmp dir when really needed - proper toplevel exception handling - more documentation - appease hlint - format fourmolu.yaml
{
"base": {
"advisories": [
{
"affected": [
{
"package": {
"ecosystem": "Hackage",
"name": "base"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.3.1"
}
],
"type": "ECOSYSTEM"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
},
{
"package": {
"ecosystem": "Hackage",
"name": "toml-reader"
},
"ranges": [
{
"events": [
{
"introduced": "0.1.0.0"
},
{
"fixed": "0.2.0.0"
}
],
"type": "ECOSYSTEM"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
],
"details": "# `readFloat`: memory exhaustion with large exponent\n\n`Numeric.readFloat` takes time and memory linear in the size of the\nnumber _denoted_ by the input string. In particular, processing a\nnumber expressed in scientific notation with a very large exponent\ncould cause a denial of service. The slowdown is observable on a\nmodern machine running GHC 9.4.4:\n\n```\nghci> import qualified Numeric\nghci> Numeric.readFloat \"1e1000000\" -- near instantaneous\n[(Infinity,\"\")]\nghci> Numeric.readFloat \"1e10000000\" -- perceptible pause\n[(Infinity,\"\")]\nghci> Numeric.readFloat \"1e100000000\" -- ~ 3 seconds\n[(Infinity,\"\")]\nghci> Numeric.readFloat \"1e1000000000\" -- ~ 35 seconds\n[(Infinity,\"\")]\n```\n\n## In *base*\n\n`Numeric.readFloat` is defined for all `RealFrac a => a`:\n\n```haskell\nreadFloat :: RealFrac a => ReadS a\n```\n\nThe `RealFrac` type class does not express any bounds on the size of\nvalues representable in the types for which instances exist, so\nbounds checking is not possible (in this *generic* function).\n`readFloat` uses to `Text.Read.Lex.numberToRational` which, among\nother things, calculates `10 ^ exponent`, which seems to take linear\ntime and memory.\n\n**Mitigation:** use `read`. The `Read` instances for `Float` and\n`Double` perform bounds checks on the exponent, via\n`Text.Read.Lex.numberToRangedRational`.\n\n\n## In *toml-reader*\n\nThe issue was detected in *toml-reader* version 0.1.0.0, and\nmitigated in version 0.2.0.0 by immediately returning `Infinity`\nwhen the exponent is large enough that there's no reason to process\nit.\n",
"id": "HSEC-2023-0007",
"modified": "2023-07-22T02:29:32Z",
"published": "2023-07-22T02:29:32Z",
"references": [
{
"type": "REPORT",
"url": "https://gitlab.haskell.org/ghc/ghc/-/issues/23538"
},
{
"type": "REPORT",
"url": "https://github.com/brandonchinn178/toml-reader/issues/8"
},
{
"type": "FIX",
"url": "https://github.com/brandonchinn178/toml-reader/pull/9"
}
],
"schema_version": "1.5.0",
"summary": "readFloat: memory exhaustion with large exponent"
}
],
"version": "4.17.2.1"
},
"toml-reader": {
"advisories": [
{
"affected": [
{
"package": {
"ecosystem": "Hackage",
"name": "base"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.3.1"
}
],
"type": "ECOSYSTEM"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
},
{
"package": {
"ecosystem": "Hackage",
"name": "toml-reader"
},
"ranges": [
{
"events": [
{
"introduced": "0.1.0.0"
},
{
"fixed": "0.2.0.0"
}
],
"type": "ECOSYSTEM"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
],
"details": "# `readFloat`: memory exhaustion with large exponent\n\n`Numeric.readFloat` takes time and memory linear in the size of the\nnumber _denoted_ by the input string. In particular, processing a\nnumber expressed in scientific notation with a very large exponent\ncould cause a denial of service. The slowdown is observable on a\nmodern machine running GHC 9.4.4:\n\n```\nghci> import qualified Numeric\nghci> Numeric.readFloat \"1e1000000\" -- near instantaneous\n[(Infinity,\"\")]\nghci> Numeric.readFloat \"1e10000000\" -- perceptible pause\n[(Infinity,\"\")]\nghci> Numeric.readFloat \"1e100000000\" -- ~ 3 seconds\n[(Infinity,\"\")]\nghci> Numeric.readFloat \"1e1000000000\" -- ~ 35 seconds\n[(Infinity,\"\")]\n```\n\n## In *base*\n\n`Numeric.readFloat` is defined for all `RealFrac a => a`:\n\n```haskell\nreadFloat :: RealFrac a => ReadS a\n```\n\nThe `RealFrac` type class does not express any bounds on the size of\nvalues representable in the types for which instances exist, so\nbounds checking is not possible (in this *generic* function).\n`readFloat` uses to `Text.Read.Lex.numberToRational` which, among\nother things, calculates `10 ^ exponent`, which seems to take linear\ntime and memory.\n\n**Mitigation:** use `read`. The `Read` instances for `Float` and\n`Double` perform bounds checks on the exponent, via\n`Text.Read.Lex.numberToRangedRational`.\n\n\n## In *toml-reader*\n\nThe issue was detected in *toml-reader* version 0.1.0.0, and\nmitigated in version 0.2.0.0 by immediately returning `Infinity`\nwhen the exponent is large enough that there's no reason to process\nit.\n",
"id": "HSEC-2023-0007",
"modified": "2023-07-22T02:29:32Z",
"published": "2023-07-22T02:29:32Z",
"references": [
{
"type": "REPORT",
"url": "https://gitlab.haskell.org/ghc/ghc/-/issues/23538"
},
{
"type": "REPORT",
"url": "https://github.com/brandonchinn178/toml-reader/issues/8"
},
{
"type": "FIX",
"url": "https://github.com/brandonchinn178/toml-reader/pull/9"
}
],
"schema_version": "1.5.0",
"summary": "readFloat: memory exhaustion with large exponent"
}
],
"version": "0.1.0.0"
}
} |
MangoIV
force-pushed
the
mangoiv/cabal-audit-osv
branch
2 times, most recently
from
14ccb18 to
78bf05a
Compare
hasufell
reviewed
Mar 31, 2024
hasufell
reviewed
Mar 31, 2024
hasufell
reviewed
Mar 31, 2024
hasufell
reviewed
Mar 31, 2024
hasufell
reviewed
Mar 31, 2024
| , help "the path the the repository containing an advisories directory" | ||
| ] | ||
| <|> Right | ||
| <$> strOption do |
There was a problem hiding this comment.
I suggest to build a proper URI parser. E.g. GHCup uses uri-bytestring:
- https://github.com/haskell/ghcup-hs/blob/be4a1bdf7a78f6783cba04de425b652d336192c3/lib-opt/GHCup/OptParse/Common.hs#L216-L217
- https://hackage.haskell.org/package/uri-bytestring-0.3.3.1/docs/URI-ByteString.html#v:parseURI
But network-uri probably does the job too:
There was a problem hiding this comment.
what would be the immediate advantage of that? I don't want to pass in my files as file:// etc.
There was a problem hiding this comment.
what would be the immediate advantage of that? I don't want to pass in my files as
file://etc.
I'm not talking about filepath, but the URI options (for the git repo). Users passing malformed URIs will get errors once your code tries to git clone instead of directly.
There was a problem hiding this comment.
yeah, this assumes that you will pass a proper git cloneeable URI, I don't know if the advantage of proper parsing and writing a bunch of handlers outweigh the advantage of the simplicity of this, for now? I can add this as future work to the tracking issue, though, if that's okay with you?
hasufell
reviewed
Mar 31, 2024
hasufell
reviewed
Mar 31, 2024
hasufell
reviewed
Mar 31, 2024
hasufell
reviewed
Mar 31, 2024
MangoIV
force-pushed
the
mangoiv/cabal-audit-osv
branch
from
78bf05a to
3b15a09
Compare
|
|
|
@hasufell this is fixed on the branch you're reviewing. I should backport to the other branch though, you're right. |
|
(that's because |
hasufell
reviewed
Mar 31, 2024
|
@hasufell thank you for the review, btw, much appreciated <3 |
- formatting and outputting should be different things - two options; one to output to json (--json), one to output to stdout vs a file
MangoIV
force-pushed
the
mangoiv/cabal-audit-osv
branch
from
dcfd0a3 to
89637d7
Compare
|
Hello Mango, Sorry for the delay, we had a meeting last Wednesday and it seems there is a miscommunication regarding our response. The thing is, we have discussed about your pull request and we would like to start a discussion with you about it. We think that your contribution may be more suited in it's own repository (either under your GitHub handle, or @haskell), there are few reasons for that:
WDYT? |
|
Yeah sure, that’s possible. I thought it would be suited for this repo as it was part of the stated longer term plan of the security working group but thats totally fine. I’ll publish this tool separately then. I will put it into my own git until it finds a final place after some adoption. Thank you for the kind review and time spent on this, all of you ❤️ |
|
This PR was rejected because it is currently out of scope for the security-avisories team. Please find the work at github.com/mangoiv/cabal-audit |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This adds support for outputting found advisories as json by pairing a package name with a version and a list of advisories in
osvformat.It also fixes some minor issues with printing etc
depends on #148
hsec-tools