[fix] some minor fixes

[MangoIV]

• introduce Exception instance for ParseAdvisoryError
• display if parsing out of band git attributes failed
• also try to parse into a UTCTime instead of a ZonedTime

resolves #203
resolves #202
resolves #200

---

hsec-tools

• Previous advisories are still valid

[TristanCacqueray]

May we return a validation error instead of a warning on the stderr?

[MangoIV]

chesterton's fence: why's the error ignoed in the first place, are there valid reasons to not abort here?

[MangoIV]

if not, then this was an actual bug but it seems too obvious to be one.

[MangoIV]

I think the idea is that we don't want to fail if there's no git information as there might still be one supplied by the advisory itself. I think this is an issue with the structure of the code.

[MangoIV]

I have decided to bubble the error up instead of using this oobValue with optional fields. I think it was just not very fortunately designed.

[TristanCacqueray]

Thanks, that looks reasonable to me. Though I worry this is a complicated API for downstream users, perhaps we could do instead:

• Make the oob attributes explicit in the advisory document, and/or
• Publish a static version of the advisories with the oob attributes pre resolved.

What do you think @frasertweedale ?

[MangoIV]

Publishing a version with the oob pre resolved would be a good idea anyways. That would make testing without git possible and generally would allow distribution without git. I don’t think the interface for downstream users is more complicated now, tbh it was quite complicated with these fields that could independently be Nothing when in reality I don’t see a reason why they should be able to. Not attaching a reason for why the oob attributes being missing was problematic as well, imo, this caused the Git errors to never be shown.

[MangoIV]

something else I was wondering. Do we really want ZonedTime? It has some really awful properties like it missing an Ord instance. What do you think about changing everything to UTCTime, @TristanCacqueray?

[MangoIV]

… it seems like this is an endeavour for another day, toml-parser doesn’t support it (though it should)

[MangoIV]

I have refactored the out of band stuff such that we can bubble up information on why it failed. This is important if git doesn't work as expected.

[MangoIV]

I can backport 4b and fe to the minor version if you don’t want breaking changes but I don’t know if it’d be too helpful.

[telser]

I believe this will resolve an issue that currently causes https://github.com/MangoIV/cabal-audit to break for me. Though @MangoIV can correct me if that is incorrect.

[MangoIV]

Yes @frasertweedale already knows :)

[blackheaven]

Quick note aside: I'm not a fan of BlockArguments

@MangoIV can you check whether forcing git date format fixes the issue please?

[blackheaven]

I'm not sure it does preserve the date

[MangoIV]

what do you mean?

[TristanCacqueray]

I just validated that the osv files are not changed by this PR with:

mkdir osvs
for i in $(find advisories/ -name "*.md" | grep -v reserved); do cabal run exe:hsec-tools -- osv $i > osvs/$(basename $i); done

[blackheaven]

It's not that obvious, we get a time and day without time zone, assuming UTC seems audacious.

IMO, we should rely only on UTCTime, enforcing it in the git command.

[TristanCacqueray]

Oh I see, yes I'm on UTC. Then I remove my approval. Perhaps we could just parse an epoch timestamp if possible?

[MangoIV]

hsec-tools already does this several times (assuming UTC when there's not enough information) That's why I opened the issue about removing ZonedTime from hsec-tools. It makes stuff harder as well. It is however the correct time to assume, it's not wrong, it's just not semantically as nice. See #203 cc @frasertweedale who commented on #203

[blackheaven]

We should force the format at git level: https://stackoverflow.com/a/7651782

[MangoIV]

I tried to pass --date=local and it didn't work. This is in general not really ideal, we shouldn't depend on the git installation if git itself doesn't guarantee a stable interface to these things and/ or this is not documented.

There's also haskell/time#257 which I don't know whether it's the case.

[MangoIV]

https://github.com/MangoIV/cabal-audit/actions/runs/9321254777/job/25659857545

here's a run. the build step is Test git which uses the date format local and it still outputs a non-zoned iso8601. I wouldn't have done the separate parse try without trying that first.

[MangoIV]

I assume (read "guess") that it is valid to output a non-zoned iso8601 even with local if the computer is itself in UTC which is why I'm not sure whether parsing an unzoned time into a UTCTime should just work.

[blackheaven]

Let's do this, it seems to be the lesser bad solution we have.

[MangoIV]

I'm confused, setting it in git is a non-solution because it doesn't work. We have to do it like this, no?

[blackheaven]

I'm confused, I thought that, requiring a ZonedTime from git wasn't working, requiring a UTCTime doesn't work either?

[MangoIV]

oh but then we always lose zone information, what does that improve? should we do #203 then?

[blackheaven]

@frasertweedale was talking of a flag few minutes ago (at ZuriHac), maybe we can have a try

[MangoIV]

I have replaced ZonedTime with UTCTime; there's now not a single place where ZonedTime occurs anymore

[MangoIV]

how do I check if the advisories are still valid btw? :3

[MangoIV]

don't wanna break your stuff :3

[MangoIV]

thank you for your review @blackheaven @TristanCacqueray <3

[blackheaven]

how do I check if the advisories are still valid btw? :3

the CI handles it :)

[frasertweedale]

Thank you @MangoIV! Merging now.