cabal-audit: init #148

Closed
wants to merge 23 commits into from

Conversation

MangoIV
Contributor

@MangoIV MangoIV commented Feb 6, 2024

the cabal audit executable

usage

λ nix run github:mangoiv/security-advisories/mangoiv/cabal-audit-osv#cabal-audit --
trying to clone https://github.com/haskell/security-advisories
Cloning into '/tmp/cabal-audit-726d3e9345b766bc'...
remote: Enumerating objects: 172, done.
remote: Counting objects: 100% (172/172), done.
remote: Compressing objects: 100% (129/129), done.
remote: Total 172 (delta 6), reused 114 (delta 1), pack-reused 0
Receiving objects: 100% (172/172), 116.55 KiB | 1.31 MiB/s, done.
Resolving deltas: 100% (6/6), done.


Found advisories:

dependency "base" at version 4.18.1.0 is vulnerable for:
  HSEC-2023-0007 "readFloat: memory exhaustion with large exponent"
  published: 2024-04-23 12:43:30 +1000
  https://haskell.github.io/security-advisories/advisory/HSEC-2023-0007
  No fix version available
  toml, parser, dos

dependency "process" at version 1.6.17.0 is vulnerable for:
  HSEC-2024-0003 "process: command injection via argument list on Windows"
  published: 2024-04-23 12:43:30 +1000
  https://haskell.github.io/security-advisories/advisory/HSEC-2024-0003
  Fix available since version 1.6.19.0
  windows

Note

if this causes some error wrt a lock file incompatibility, upgrade your nix version ;)

features implemented

  • query the repository for vulnerabilities
  • provide local repository
  • pretty output
  • run the cabal solver on a project and match vulnerabilities against that
  • propose fix version
  • link to security-advisories website
  • playtest

open features

  • don't only provide the latest fix version but a range of fix versions
  • check for the newest package on hackage that is greater than the fix version
  • more configuration to configure the output
  • json output instead of only pretty stdout
  • use API instead of repository
  • more solver options (perhaps offer special flags to pass on options to cabal)
  • more structured monadic code (it's all IO for simplicity)

other changes

  • gave the nix code a polish
  • gave the devshell a polish
  • introduced pre-commit-hooks.nix (please tell me if that's not wanted)

- move to more declarative flake setup to avoid complexity
- init the hsec-cabal cabal project
- move the cabal.project file to `code`
@blackheaven
Collaborator

It looks great, thanks for the contribution!

@MangoIV
Contributor Author

MangoIV commented Feb 7, 2024

I have not done anything yet 😅

@MangoIV
Contributor Author

MangoIV commented Feb 12, 2024

I need to check what's wrong with nixpkgs; it reports that it installs multiple versions of Cabal-Syntax when building hsec-cabal with nix, this is probably due to it being a boot library.

@MangoIV MangoIV force-pushed the mangoiv/hsec-cabal branch 2 times, most recently from de66da5 to 4591de7 Compare February 15, 2024 07:40
@MangoIV
Contributor Author

MangoIV commented Feb 17, 2024

image

mvp seems to work (project with vulnerable library spits it out :3

@MangoIV
Contributor Author

MangoIV commented Feb 17, 2024

I wonder if I can get rid of cabal-install's own command line parser. It’s awful for this tool where you only want to pass simple arguments. So noisy

@jappeace

good work fruity fren

@MangoIV
Contributor Author

MangoIV commented Mar 12, 2024

note to self: xh GET https://hackage.haskell.org/package/:package/preferred Accept:application/json find newest, not vulnerable version; if any; do we propose versions that are older than the current version?

@frasertweedale
Collaborator

> note to self: xh GET https://hackage.haskell.org/package/:package/preferred Accept:application/json find newest, not vulnerable version; if any; do we propose versions that are older than the current version?

That is a very good question. I would say it's fine to propose an older version, if and only if it satisfies the solver.
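A worked version of the selection question above, as an added example in Python that is not code from the cabal-audit PR: it takes an advisory's affected ranges (assumed to be in the OSV half-open [introduced, fixed) form the HSEC database uses) plus a constructed Hackage version list, picks the newest version no range covers, and flags when that pick would be a downgrade, which per the reply above is only acceptable if the solver accepts it.

```python
from typing import Optional

def parse_version(v: str) -> tuple:
    """Cabal-style dotted version to a comparable tuple, e.g. "1.6.19.0" -> (1, 6, 19, 0)."""
    return tuple(int(part) for part in v.split("."))

def is_vulnerable(version: str, ranges: list) -> bool:
    """True if `version` falls inside any OSV-style [introduced, fixed) range.
    A `fixed` of None means the advisory has no fix version yet."""
    pv = parse_version(version)
    for introduced, fixed in ranges:
        if pv >= parse_version(introduced) and (fixed is None or pv < parse_version(fixed)):
            return True
    return False

def propose_fix(current: str, available: list, ranges: list) -> Optional[dict]:
    """Newest available version not covered by any range, or None if there is none.
    `downgrade` is True when the proposal is older than the version currently in use."""
    safe = [v for v in available if not is_vulnerable(v, ranges)]
    if not safe:
        return None
    newest = max(safe, key=parse_version)
    return {"version": newest, "downgrade": parse_version(newest) < parse_version(current)}

# Constructed sample inputs, shaped like the "normal-version" list of the Hackage
# `preferred` endpoint (an assumption here, not a captured response).
PROCESS_VERSIONS = ["1.6.13.0", "1.6.17.0", "1.6.18.0", "1.6.19.0"]
PROCESS_RANGES = [("0", "1.6.19.0")]          # fix version as shown in the PR output
BASE_VERSIONS = ["4.17.2.0", "4.18.1.0"]
BASE_RANGES = [("0", None)]                   # "No fix version available"
HYPO_VERSIONS = ["1.9.3", "2.0.0", "2.1.0"]   # hypothetical package: only an older release is safe
HYPO_RANGES = [("2.0.0", None)]

if __name__ == "__main__":
    print(propose_fix("1.6.17.0", PROCESS_VERSIONS, PROCESS_RANGES))  # {'version': '1.6.19.0', 'downgrade': False}
    print(propose_fix("4.18.1.0", BASE_VERSIONS, BASE_RANGES))        # None
    print(propose_fix("2.1.0", HYPO_VERSIONS, HYPO_RANGES))           # {'version': '1.9.3', 'downgrade': True}
```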

@MangoIV
Contributor Author

MangoIV commented Mar 17, 2024

image

@MangoIV
Contributor Author

MangoIV commented Mar 17, 2024

calling without arguments:
image

@MangoIV
Contributor Author

MangoIV commented Mar 17, 2024

calling with local path:
image

@MangoIV
Contributor Author

MangoIV commented Mar 17, 2024

calling in a directory with no known vulnerabilities
image

@MangoIV MangoIV marked this pull request as ready for review March 17, 2024 22:49
@MangoIV
Contributor Author

MangoIV commented Mar 17, 2024

I have no idea why the docker build is failing

@blackheaven
Collaborator

I had a fight with GitHub Actions on Saturday, try to rebase your branch, I hope it'll be fine

@MangoIV
Contributor Author

MangoIV commented Mar 18, 2024

@blackheaven I recently merged; I don't think this branch lags behind main at all?

@MangoIV
Contributor Author

MangoIV commented Mar 29, 2024

I’ll tell you when I’m ready

cannot use the `advisories` directory usefully
@MangoIV
Contributor Author

MangoIV commented Mar 29, 2024

will do one more iteration of cleanup and then should be good. I wanted to add an integration test but that depends on the issue I just opened.

- remove deps from testsuite
- only create tmp dir when really needed
- proper toplevel exception handling
- more documentation
- appease hlint
- format fourmolu.yaml
@MangoIV
Contributor Author

MangoIV commented Mar 30, 2024

I think this is gtg now, feel free to review; I wanted to add some tests but they seem to depend on the .git directory and I have yet to figure out how to test this properly within nix...

@MangoIV
Contributor Author

MangoIV commented Mar 31, 2024

I have some follow up plans, should we merge this first or should I push here?

@MangoIV MangoIV changed the title init cabal-audit project cabal-audit: init Mar 31, 2024
@frasertweedale
Collaborator

@MangoIV a side note: in the SRT quarterly status report I want to give you kudos for your contributions. Shall I refer to you by "MangoIV", or by some other name?

@MangoIV
Contributor Author

MangoIV commented Apr 3, 2024

MangoIV is good 😅

@MangoIV
Contributor Author

MangoIV commented Apr 12, 2024

🥺 👉 👈

@MangoIV
Contributor Author

MangoIV commented Apr 19, 2024

Hi! can I do something to make this move forward?

@MangoIV
Contributor Author

MangoIV commented May 1, 2024

Hi! Little bump on this; what can I do to make this move forward? Mind, I also have an email by Joel where he intends to hand over the hackage namespace for cabal-audit, is there any news on how this is going to be handled?

Thank you <3

@pwm

pwm commented May 1, 2024

@MangoIV I'd still love to beta-test this on our work codebase but the usage command does not work for me:

~/work(master|✔) $ nix run github:mangoiv/security-advisories/mangoiv/hsec-cabal#hsec-cabal
do you want to allow configuration setting 'allow-import-from-derivation' to be set to 'true' (y/N)? y
do you want to permanently mark this value as trusted (y/N)?
error: unsupported tarball input attribute 'lastModified'
(use '--show-trace' to show detailed location information)

@MangoIV
Contributor Author

MangoIV commented May 1, 2024

Hi @pwm, this is because there's an incompatibility between nix versions wrt flake lock files, (to be fair, they do coin it as an experimental feature); you can fix it by upgrading your nix version to something somewhat recent.

Also be sure to try out the newest version which includes a couple more fixes and allows to output a semi-structured format;

nix run github:mangoiv/security-advisories/mangoiv/cabal-audit-osv#cabal-audit --

Thank you for beta-testing!

edit: I have upgraded the PR description with these instructions

@MangoIV
Contributor Author

MangoIV commented May 6, 2024

This PR was rejected because it is currently out of scope for the security-advisories team. Please find the work at github.com/mangoiv/cabal-audit

@MangoIV MangoIV closed this May 6, 2024
@pwm

pwm commented May 7, 2024

@MangoIV do you know where we can read more on what is in-scope vs. out of scope? From an end user perspective a security advisory db in itself is not that useful, it needs tooling like cabal-audit to make it useful.

@MangoIV
Contributor Author

MangoIV commented May 7, 2024

@pwm This is not something I can answer. As far as I am aware this tool was part of the "future goals" of the working group when it was founded. Perhaps open an issue on this repo?

@blackheaven
Collaborator

> @MangoIV do you know where we can read more on what is in-scope vs. out of scope? From an end user perspective a security advisory db in itself is not that useful, it needs tooling like cabal-audit to make it useful.

We should have a dedicated page but we stated it in our last report:

The Haskell Security Response Team (SRT) is a volunteer organisation within the Haskell Foundation that is building tools and processes to aid the entire Haskell ecosystem in assessing and responding to security risks. In particular, we maintain a database of security advisories that can serve as a data source for security tooling.

7 participants