├── .envrc ├── .github ├── ISSUE_TEMPLATE │ ├── advisory.md │ └── hsec-tools.md ├── PULL_REQUEST_TEMPLATE.md ├── haskell-ci.patch └── workflows │ ├── haskell-ci.yml │ └── nix.yml ├── .gitignore ├── .mailmap ├── CONTRIBUTING.md ├── EXAMPLE_ADVISORY.md ├── LICENSE.txt ├── PROCESS.md ├── README.md ├── advisories ├── .gitkeep ├── ghc │ └── ghc │ │ ├── HSEC-2024-0007.md │ │ ├── HSEC-2024-0008.md │ │ └── HSEC-2025-0001.md ├── hackage │ ├── aeson │ │ └── HSEC-2023-0001.md │ ├── base │ │ ├── HSEC-2023-0007.md │ │ └── HSEC-2024-0006.md │ ├── biscuit-haskell │ │ ├── HSEC-2023-0002.md │ │ └── HSEC-2024-0009.md │ ├── bz2 │ │ └── HSEC-2024-0002.md │ ├── bzlib-conduit │ │ └── HSEC-2024-0002.md │ ├── bzlib │ │ └── HSEC-2024-0002.md │ ├── cabal-install │ │ └── HSEC-2023-0015.md │ ├── crypton │ │ └── HSEC-2025-0002.md │ ├── cryptonite │ │ └── HSEC-2025-0002.md │ ├── git-annex │ │ ├── HSEC-2023-0009.md │ │ ├── HSEC-2023-0010.md │ │ ├── HSEC-2023-0011.md │ │ ├── HSEC-2023-0012.md │ │ └── HSEC-2023-0013.md │ ├── hledger-web │ │ └── HSEC-2023-0008.md │ ├── keter │ │ └── HSEC-2024-0001.md │ ├── pandoc │ │ └── HSEC-2023-0014.md │ ├── process │ │ └── HSEC-2024-0003.md │ ├── spacecookie │ │ └── HSEC-2025-0004.md │ ├── tls-extra │ │ └── HSEC-2023-0005.md │ ├── toml-reader │ │ └── HSEC-2023-0007.md │ ├── x509-validation │ │ └── HSEC-2023-0006.md │ ├── xml-conduit │ │ └── HSEC-2023-0004.md │ ├── xmonad-contrib │ │ └── HSEC-2023-0003.md │ └── xz-clib │ │ └── HSEC-2025-0003.md └── reserved │ ├── .gitkeep │ ├── HSEC-2024-0004.md │ └── HSEC-2024-0005.md ├── cabal.project ├── code ├── LICENSE.txt ├── README.md ├── cvss │ ├── CHANGELOG.md │ ├── cvss.cabal │ ├── src │ │ └── Security │ │ │ └── CVSS.hs │ └── test │ │ └── Spec.hs ├── hsec-core │ ├── .gitignore │ ├── CHANGELOG.md │ ├── README.md │ ├── hsec-core.cabal │ ├── src │ │ └── Security │ │ │ └── Advisories │ │ │ └── Core │ │ │ ├── Advisory.hs │ │ │ └── HsecId.hs │ └── test │ │ └── Spec.hs ├── hsec-sync │ ├── .gitignore │ ├── CHANGELOG.md │ ├── 
README.md │ ├── app │ │ └── Main.hs │ ├── hsec-sync.cabal │ ├── overview.png │ ├── recommended-workflow.png │ ├── src │ │ └── Security │ │ │ └── Advisories │ │ │ ├── Sync.hs │ │ │ └── Sync │ │ │ ├── Snapshot.hs │ │ │ └── Url.hs │ └── test │ │ ├── Spec.hs │ │ └── Spec │ │ └── SyncSpec.hs ├── hsec-tools │ ├── .gitignore │ ├── CHANGELOG.md │ ├── README.md │ ├── app │ │ ├── Command │ │ │ ├── NextID.hs │ │ │ └── Reserve.hs │ │ ├── Main.hs │ │ └── Util.hs │ ├── assets │ │ ├── css │ │ │ └── default.css │ │ └── images │ │ │ └── hf-logo.png │ ├── hsec-tools.cabal │ ├── index.html │ ├── src │ │ └── Security │ │ │ ├── Advisories.hs │ │ │ └── Advisories │ │ │ ├── Convert │ │ │ └── OSV.hs │ │ │ ├── Filesystem.hs │ │ │ ├── Format.hs │ │ │ ├── Generate │ │ │ ├── HTML.hs │ │ │ ├── Snapshot.hs │ │ │ └── TH.hs │ │ │ ├── Git.hs │ │ │ ├── Parse.hs │ │ │ └── Queries.hs │ └── test │ │ ├── Spec.hs │ │ ├── Spec │ │ ├── FormatSpec.hs │ │ └── QueriesSpec.hs │ │ └── golden │ │ ├── EXAMPLE_ADVISORY.md │ │ ├── EXAMPLE_ADVISORY.md.golden │ │ ├── MISSING_AFFECTED.md │ │ ├── MISSING_AFFECTED.md.golden │ │ ├── MISSING_TITLE.md │ │ └── MISSING_TITLE.md.golden └── osv │ ├── .gitignore │ ├── CHANGELOG.md │ ├── README.md │ ├── osv.cabal │ ├── src │ └── Security │ │ └── OSV.hs │ └── test │ └── Spec.hs ├── docs ├── README.md ├── call-for-volunteers-example.md ├── membership.md └── reports.md ├── flake.lock ├── flake.nix ├── guides └── github.md ├── meeting-notes ├── 2023-05-03.md ├── 2023-05-17.md ├── 2023-05-31.md ├── 2023-06-15.md ├── 2023-06-28.md ├── 2023-07-12.md ├── 2023-07-26.md ├── 2023-08-09.md ├── 2023-08-23.md ├── 2023-09-20.md ├── 2023-10-04.md ├── 2023-10-18.md ├── 2023-11-01.md ├── 2023-11-15.md ├── 2023-11-29.md ├── 2023-12-13.md ├── 2024-01-10.md ├── 2024-01-24.md ├── 2024-02-07.md ├── 2024-02-21.md ├── 2024-03-06.md ├── 2024-03-20.md ├── 2024-04-03.md ├── 2024-04-17.md ├── 2024-05-01.md ├── 2024-05-15.md ├── 2024-05-29.md ├── 2024-06-12.md ├── 2024-06-26.md ├── 2024-07-10.md ├── 
2024-07-24.md ├── 2024-08-07.md ├── 2024-08-21.md ├── 2024-09-04.md ├── 2024-10-02.md ├── 2024-10-16.md ├── 2024-10-30.md ├── 2024-11-13.md ├── 2024-11-27.md ├── 2024-12-11.md ├── 2025-01-08.md ├── 2025-02-05.md ├── 2025-02-20.md ├── 2025-03-20.md ├── 2025-04-02.md ├── 2025-04-17.md ├── 2025-04-30.md ├── 2025-05-15.md └── 2025-05-28.md ├── reports ├── 2023-07-10-ann-q2-report.md ├── 2024-01-10-half-year-report.md ├── 2024-04-08-Q1-report.md ├── 2024-07-18-Q2-report.md ├── 2024-11-14-Q3-report.md ├── 2025-02-06-Q4-report.md └── 2025-04-04-Q1-report.md └── shell.nix

--------------------------------------------------------------------------------
/.envrc:
--------------------------------------------------------------------------------
use flake

if [ -f .env ]; then
  . .env
fi

--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/advisory.md:
--------------------------------------------------------------------------------
---
name: advisory
about: declare a (potential) vulnerability
title: ''
labels: advisory
assignees: ''

---

Mandatory information:

* Package : `?`
* cvss: `?`
* affected versions: `?`

Optional:

* cve: `?`
* keywords: `?`
* aliases: `?`
* related: `?`
* affected OSes: `?`
* affected architecture: `?`
* declarations: `?`
* Long description: `?`

--------------------------------------------------------------------------------
/.github/ISSUE_TEMPLATE/hsec-tools.md:
--------------------------------------------------------------------------------
---
name: hsec-tools related
about: Bug or suggestion about hsec-tools
title: ''
labels: hsec-tools
assignees: ''

---

## Summary

## Steps to reproduce

## Expected behavior

## Cause of the bug

--------------------------------------------------------------------------------
/.github/PULL_REQUEST_TEMPLATE.md:
--------------------------------------------------------------------------------

---

## Advisory

- [ ] It's not duplicated
- [ ] All fields are filled
- [ ] It is validated by `hsec-tools`

## hsec-tools

- [ ] Previous advisories are still valid

--------------------------------------------------------------------------------
/.github/haskell-ci.patch:
--------------------------------------------------------------------------------
diff --git a/.github/workflows/haskell-ci.yml b/.github/workflows/haskell-ci.yml
index 96282c2..e40c573 100644
--- a/.github/workflows/haskell-ci.yml
+++ b/.github/workflows/haskell-ci.yml
@@ -19,6 +19,21 @@ 6 | jobs: 7 | + tools_changed: 8 | + continue-on-error: true 9 | + runs-on: ubuntu-22.04 10 | + outputs: 11 | + should_skip: ${{ steps.skip_check.outputs.should_skip }} 12 | + steps: 13 | + - id: skip_check 14 | + uses: fkirc/skip-duplicate-actions@v5.3.1 15 | + with: 16 | + concurrent_skipping: "never" 17 | + skip_after_successful_duplicate: "true" 18 | + paths: '["code/**"]' 19 | + do_not_skip: '["push", "workflow_dispatch", "schedule"]' 20 | linux: 21 | name: Haskell-CI - Linux - ${{ matrix.compiler }} 22 | - runs-on: ubuntu-20.04 23 | + needs: tools_changed 24 | + if: ${{ needs.tools_changed.outputs.should_skip != 'true' }} 25 | + runs-on: ubuntu-22.04 26 | timeout-minutes: 27 | 60 28 | -------------------------------------------------------------------------------- /.github/workflows/nix.yml: -------------------------------------------------------------------------------- 1 | name: nix build and check advisories 2 | on: 3 | - push 4 | - pull_request 5 | jobs: 6 | check-nix: 7 | name: Check nix build 8 | runs-on: ubuntu-22.04 9 | steps: 10 | - name: git checkout 11 | uses: actions/checkout@v4 12 | with: 13 | # We need to retrieve full history to determine the correct 14 | # `published` and `modified` timestamps 15 | fetch-depth: 0 16 | - name: Install Nix 17 | uses: DeterminateSystems/nix-installer-action@main 18 | with: 19 | extra-conf: system-features = nixos-test benchmark big-parallel kvm 20 | - uses: DeterminateSystems/flakehub-cache-action@main 21 | - name: Check Nix flake inputs 22 | uses: DeterminateSystems/flake-checker-action@v4 23 | - name: Build executable (hsec-tools) 24 | run: nix -L build 25 | - name: Build docker image 26 | run: nix build -L '.#packages.x86_64-linux.hsec-tools-image' 27 | - run: mkdir -p ~/.local/dockerImages 28 | - run: cp result ~/.local/dockerImages/hsec-tools 29 | - name: upload executable 30 | uses: actions/upload-artifact@v4 31 | if: ${{ github.event_name == 'push' && github.ref_name == 'main' }} 32 | 
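Review bot: the new `tools_changed` job decides whether the `linux` Haskell-CI job runs at all, yet `fkirc/skip-duplicate-actions@v5.3.1` is pinned to a mutable tag; pin the action to its full commit SHA (keeping the version in a trailing comment) so that a moved tag cannot change what the gate does without review. Second, `paths: '["code/**"]'` means a pull request that touches only `cabal.project` or `.github/workflows/haskell-ci.yml` will get `should_skip` set and the build skipped; add those paths to the list. The fail-open pairing of `continue-on-error: true` with `should_skip != 'true'` is the right direction: if the check itself errors, the build still runs.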
        with:
          name: hsec-tools-${{ github.sha }}
          path: ~/.local/dockerImages
      - run: docker load -i ~/.local/dockerImages/hsec-tools
      - name: Run advisory syntax checks
        run: |
          RESULT=0
          # Remove the beginning of the README to extract the example.
          (echo '```toml'; sed -e '1,/```toml/d' README.md) > EXAMPLE_README.md
          while read FILE ; do
            [ "$(dirname "$FILE")" != advisories/reserved ] || continue
            echo -n "$FILE: "
            docker run --rm -v $PWD:/repo --workdir /repo haskell/hsec-tools:latest /bin/hsec-tools check "$FILE" || RESULT=1
          done < <(find advisories EXAMPLE_README.md EXAMPLE_ADVISORY.md -type f -name "*.md")
          exit $RESULT
      - name: Run advisory uniqueness checks
        run: |
          ! find advisories -type f -name '*.md' -print0 \
            | xargs -0n1 basename | sort | uniq -c | grep -E -v '[[:space:]]*1 '
      - name: Generate OSV data
        run: |
          DATA_DIR=$PWD/osv
          mkdir "$DATA_DIR"
          while read FILE ; do
            echo "$FILE"
            ID=$(basename "$FILE" .md)
            YEAR=$(echo "$ID" | cut -d - -f 2)
            mkdir -p $DATA_DIR/$YEAR
            docker run --rm -v $PWD:/repo --workdir /repo haskell/hsec-tools:latest /bin/hsec-tools osv "$FILE" > $DATA_DIR/$YEAR/$ID.json
          done < <(find advisories -type f -name "*.md" | grep -v '^advisories/reserved/')
      - name: Validate OSV data
        run: |
          curl -OL https://raw.githubusercontent.com/ossf/osv-schema/refs/heads/main/validation/schema.json
          nix run "nixpkgs#check-jsonschema" -- --schemafile ./schema.json ./osv/*/*.json
      - name: Publish OSV data
        if: ${{ github.event_name == 'push' && github.ref_name == 'main' && github.repository == 'haskell/security-advisories' }}
        env:
          GITHUB_SHA: ${{ github.sha }}
        run: |
          DATA_DIR=$PWD/osv
          BRANCH=generated/osv-export
          REF=refs/remotes/origin/$BRANCH
          export GIT_WORK_TREE=$DATA_DIR
          git read-tree "$REF"
          git add --all --intent-to-add
          git diff --quiet && exit
          git add --all
          TREE=$(git write-tree)
          git config user.email security-advisories@haskell.org
          git config user.name "Haskell Security Response Team"
          COMMIT=$(git commit-tree "$TREE" -p "$REF" -m "$(date --utc --rfc-3339=seconds) ($GITHUB_SHA)")
          git push origin $COMMIT:$BRANCH
      - name: Generate snapshot data
        run: |
          docker run --rm -v $PWD:/repo --workdir /repo haskell/hsec-tools:latest /bin/hsec-tools generate-snapshot . snapshot
          diff -r advisories snapshot/advisories | grep -v gitkeep | grep -v 'Only in advisories: reserved' | grep Only && echo 'Some advisories have been created/deleted' && exit 1 || exit 0
      - name: Publish snapshot data
        if: ${{ github.event_name == 'push' && github.ref_name == 'main' && github.repository == 'haskell/security-advisories' }}
        env:
          GITHUB_SHA: ${{ github.sha }}
        run: |
          DATA_DIR=$PWD/snapshot
          BRANCH=generated/snapshot-export
          REF=refs/remotes/origin/$BRANCH
          export GIT_WORK_TREE=$DATA_DIR
          git read-tree "$REF"
          git add --all --intent-to-add
          git diff --quiet && exit
          git add --all
          TREE=$(git write-tree)
          git config user.email security-advisories@haskell.org
          git config user.name "Haskell Security Response Team"
          COMMIT=$(git commit-tree "$TREE" -p "$REF" -m "$(date --utc --rfc-3339=seconds) ($GITHUB_SHA)")
          git push origin $COMMIT:$BRANCH
      - name: Generate the website
        run: |
          mkdir generatedWebsite
          docker run --rm -v $PWD:/repo --workdir /repo haskell/hsec-tools:latest /bin/hsec-tools generate-index . generatedWebsite
          cp generatedWebsite/by-dates.html generatedWebsite/index.html
          rm -Rf generatedWebsite/advisories || echo "Markdown links issue has been fixed"
      - name: Deploy the website
        uses: peaceiris/actions-gh-pages@v3
        if: ${{ github.event_name == 'push' && github.ref_name == 'main' && github.repository == 'haskell/security-advisories' }}
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          publish_dir: ./generatedWebsite
          publish_branch: generated/gh-pages
          force_orphan: true

--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
*~
dist-newstyle/
result
.direnv
.env

--------------------------------------------------------------------------------
/.mailmap:
--------------------------------------------------------------------------------
Fraser Tweedale

--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
# Reporting Vulnerabilities

To add an advisory to the database, open a [Pull Request] against
[this](https://github.com/haskell/security-advisories/pulls) repository containing the new advisory:

## Required Steps

1. Create a file named `HSEC-0000-0000.md` in the `advisories/hackage/`
   subdirectory of the repository (you may need to create it if it doesn't exist)
2. Copy and paste the [TOML advisory template] from the README.md file in this repo.
   Delete the comments and additional whitespace, and fill it out with the
   details of the advisory. Surround the TOML data with \```toml and \``` markers.
3. Write a human-readable Markdown description in the same file, after the \``` marker and a newline. Use [this example advisory][example] as a reference.
4. Open a [Pull Request]. After being reviewed, your advisory will be assigned
   a `HSEC-*` advisory identifier and be published to the database.

### Optional Steps

Feel free to do either or both of these as you see fit (we recommend you do both):

5. Deprecate the affected versions of the package on Hackage.
6. Request a CVE for your vulnerability. See for details:
   and .
   Alternatively, you can create a GitHub Security Advisory (GHSA) and let them request
   a CVE for you. In this case, you can add the GHSA ID to the advisory via the
   `aliases` field.

### License

All published security advisories are released under [CC0](https://creativecommons.org/share-your-work/public-domain/cc0/). By contributing an advisory, you agree to release the entire content of the advisory (including machine-readable metadata, example code, and textual descriptions) under CC0.

## Criteria

This is a database of security vulnerabilities. The following are
examples of qualifying vulnerabilities:

* Code Execution (i.e. RCE)
* Denial of service opportunities
* Memory Corruption
* Privilege Escalation (either at OS level or inside of an app/library)
* File Disclosure / Directory Traversal
* Web Security (e.g. XSS, CSRF)
* Format Injection, e.g. shell escaping, SQL injection (and also XSS)
* Cryptography Failure (e.g. confidentiality breakage, integrity breakage, key leakage)
* Covert Channels (e.g. Spectre, Meltdown)

## FAQ

**Q: Do I need to be the maintainer of a package to file an advisory?**

A: No, anyone can file an advisory against any package. Reports
will be verified prior to merging. If a report
turns out to be incorrect then it will be corrected or removed from the
database.

**Q: Can I file an advisory without creating a pull request?**

A: Yes, instead of creating a full advisory yourself you can also
[open an issue on the security-advisories repo](https://github.com/haskell/security-advisories/issues)
or email information about the vulnerability to

**Q: Does this project have a PGP key or other means of handling embargoed vulnerabilities?**

A: High-impact vulnerabilities can be reported privately to
[security-advisories@haskell.org](mailto:security-advisories@haskell.org),
but we do not use PGP. Alternatively, Haskell vulnerabilities can
be reported via the CERT/CC [VINCE] system. Use "Haskell
Programming Language" as the vendor name.

[VINCE]: https://kb.cert.org/vince/
[Pull Request]: https://github.com/haskell/security-advisories/pulls
[TOML advisory template]: https://github.com/haskell/security-advisories/blob/main/README.md#advisory-format
[example]: https://raw.githubusercontent.com/haskell/security-advisories/main/EXAMPLE_ADVISORY.md

--------------------------------------------------------------------------------
/EXAMPLE_ADVISORY.md:
--------------------------------------------------------------------------------
```toml

[advisory]
# Submit PRs with HSEC-0000-0000, or run `hsec-tools next-id` to
# print the next available ID.
id = "HSEC-0000-0000"
cwe = []

# Arbitrary keywords. We recommend including keywords relating
# to the protocols, data formats or services pertaining to the
# affected package (e.g. "json", "tls", "aws"). You can also
# include keywords describing the vulnerability or impact (e.g.
# "dos", "sqli", "csrf"). Just think, "what keywords would I use
# if I was searching for issues affecting this package, or a
# particular class of vulnerabilities?"
keywords = ["example", "freeform", "keywords"]

# Corresponding and related advisory IDs. You could include
# CVE, GHSA or other well known databases, as well as other
# HSEC IDs in the `related` field.
aliases = ["CVE-2022-XXXX"]
related = ["CVE-2022-YYYY", "CVE-2022-ZZZZ"]

# You can declare multiple affected packages
[[affected]]

# Declare the affected package/component via ONE of the
# following options
#
# OPTION 1: package = hackage-package-name
package = "package-name"
#
# OPTION 2: ghc-component = {ghc,ghci,rts,ghc-pkg,runghc,ghc-iserv,hp2ps,hpc,hsc2hs,haddock}
# ghc-component = "ghci"

# CVSS vector. Accepted versions: 2.0, 3.0, 3.1
cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"

# arch = ["x86", "x86_64"]
# os = ["mingw32"]
# declarations = { "Acme.Broken.function" = ">= 1.1.0 && < 1.2.0", "Acme.Broken.renamedFunction" = ">= 1.2.0 && < 1.2.0.5"}

# Versions affected by the vulnerability.
#
# The `fixed` field is optional. You can specify multiple ranges
# (for example, if the issue was introduced in multiple release
# series). In the case of multiple ranges, use `fixed` to "close"
# a range, even when the release series does not actually have a
# fix. For example, if an issue was introduced in 1.0.8 and 1.1.2
# (but 1.1 is unaffected), and a fix has not been released for the
# 1.0.x series, specify:
[[affected.versions]]
introduced = "1.0.8"
fixed = "1.1"
[[affected.versions]]
introduced = "1.1.2"

# References to articles, issues/PRs, etc. Recognised types:
# ADVISORY, ARTICLE, DETECTION, DISCUSSION, REPORT,
# FIX, INTRODUCED, PACKAGE, EVIDENCE, WEB
[[references]]
type = "ARTICLE"
url = "https://example.com"
```

# Advisory Template - Title Goes Here

This is an example template for an advisory. Please copy this to packages/ and rename it to HSEC-0000-0000.md.

In this section of the advisory you can write an extended description of the vulnerability.

* Markdown formatted
* TOML "front matter". See README.md for schema.
* Please include as much detail as you'd like.

A well structured advisory will include information like:

> Acme Broken implements safe internal mutation using `unsafePerformIO`. However, in a multithreaded context, an attacker can cause a service to return the wrong answer by forcing an interleaving of writes that violates internal invariants. The flaw was corrected by replacing uses of `IORef` with `MVar` in commit abc123.

--------------------------------------------------------------------------------
/LICENSE.txt:
--------------------------------------------------------------------------------
All advisories in the HSec advisory database repository are dedicated to
the public domain:

https://creativecommons.org/publicdomain/zero/1.0/

By committing an advisory to this repository, you hereby waive all
rights to the work worldwide under copyright law, including all
related and neighboring rights, to the extent allowed by law.

You can copy, modify, distribute, and retransmit any security advisory
information in this repository, even for commercial purposes, without
asking permission.

-------------------------------------------------------

The code for processing advisories (in the "code" directory) is
licensed separately, under the 3-clause BSD license. See
code/LICENSE.txt for details.

--------------------------------------------------------------------------------
/advisories/.gitkeep:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/haskell/security-advisories/14475351f69c10eb9a35107ad390b364d601397f/advisories/.gitkeep

--------------------------------------------------------------------------------
/advisories/ghc/ghc/HSEC-2024-0007.md:
--------------------------------------------------------------------------------
```toml
[advisory]
id = "HSEC-2024-0007"
cwe = [194]
keywords = ["integrity", "dos", "historical"]

[[affected]]
ghc-component = "ghc"
cvss = "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H"

[[affected.versions]]
introduced = "9.2.4"
fixed = "9.2.5"

[[affected.versions]]
introduced = "9.4.2"
fixed = "9.4.3"

[[references]]
type = "REPORT"
url = "https://gitlab.haskell.org/ghc/ghc/-/issues/22282"

[[references]]
type = "FIX"
url = "https://gitlab.haskell.org/ghc/ghc/-/merge_requests/9152"

[[references]]
type = "FIX"
url = "https://gitlab.haskell.org/ghc/ghc/-/merge_requests/9139"
```

# Sign extension error in the AArch64 NCG

Arithmetic operations may result in incorrect runtime results on the native aarch64 backend.
For the most part, this bug only causes availability and data integrity issues.
However, in some circumstances, it may result in other, more complicated security related flaws, such as buffer overflow conditions.

--------------------------------------------------------------------------------
/advisories/ghc/ghc/HSEC-2024-0008.md:
--------------------------------------------------------------------------------
```toml
[advisory]
id = "HSEC-2024-0008"
cwe = [194]
keywords = ["integrity", "dos"]

[[affected]]
ghc-component = "ghc"
cvss = "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H"

[[affected.versions]]
introduced = "9.2.1"
fixed = "9.6.6"

[[affected.versions]]
introduced = "9.8.1"
fixed = "9.8.3"

[[affected.versions]]
introduced = "9.10.1"

[[references]]
type = "REPORT"
url = "https://gitlab.haskell.org/ghc/ghc/-/issues/23034"

[[references]]
type = "FIX"
url = "https://gitlab.haskell.org/ghc/ghc/-/merge_requests/12885"
```

# Sign extension error in the PPC64le FFI

Numeric arguments of FFI calls on the PPC64le backend may result in incorrect runtime values.
For the most part, this bug only causes availability and data integrity issues.
However, in some circumstances, it may result in other, more complicated security related flaws, such as buffer overflow conditions.

--------------------------------------------------------------------------------
/advisories/ghc/ghc/HSEC-2025-0001.md:
--------------------------------------------------------------------------------
```toml
[advisory]
id = "HSEC-2025-0001"
cwe = [682]
keywords = ["integrity", "dos"]

[[affected]]
ghc-component = "ghc"
cvss = "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H"

[[affected.versions]]
introduced = "9.12.1"
fixed = "9.12.2"

[[references]]
type = "REPORT"
url = "https://gitlab.haskell.org/ghc/ghc/-/issues/25653"

[[references]]
type = "REPORT"
url = "https://discourse.haskell.org/t/psa-correctness-issue-in-ghc-9-12/11204"

[[references]]
type = "FIX"
url = "https://gitlab.haskell.org/ghc/ghc/-/merge_requests/13820"
```

# Subword division operations may produce incorrect results

Arithmetic operations may produce incorrect results when compiled with optimizations.
For the most part, this bug only causes availability and data integrity issues.
However, in some circumstances, it may result in other, more complicated security related flaws, such as buffer overflow conditions.

--------------------------------------------------------------------------------
/advisories/hackage/aeson/HSEC-2023-0001.md:
--------------------------------------------------------------------------------
```toml
[advisory]
id = "HSEC-2023-0001"
cwe = [328, 400]
keywords = ["json", "dos", "historical"]
aliases = ["CVE-2022-3433"]

[[affected]]
package = "aeson"
cvss = "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"

[[affected.versions]]
introduced = "0.4.0.0"
fixed = "2.0.1.0"

[[references]]
type = "ARTICLE"
url = "https://cs-syd.eu/posts/2021-09-11-json-vulnerability"
[[references]]
type = "ARTICLE"
url = "https://frasertweedale.github.io/blog-fp/posts/2021-10-12-aeson-hash-flooding-protection.html"
[[references]]
type = "DISCUSSION"
url = "https://github.com/haskell/aeson/issues/864"
```

# Hash flooding vulnerability in aeson

*aeson* was vulnerable to hash flooding (a.k.a. hash DoS). The
issue is a consequence of the HashMap implementation from
*unordered-containers*. It results in a denial of service through
CPU consumption. This technique has been used in real-world attacks
against a variety of languages, libraries and frameworks over the
years.

--------------------------------------------------------------------------------
/advisories/hackage/base/HSEC-2023-0007.md:
--------------------------------------------------------------------------------
```toml
[advisory]
id = "HSEC-2023-0007"
cwe = [1284, 789]
keywords = ["toml", "parser", "dos"]

[[affected]]
package = "base"
cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
[[affected.versions]]
# it was introduced earlier, but this is the earliest version on Hackage
introduced = "3.0.3.1"

[[affected]]
package = "toml-reader"
cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
[[affected.versions]]
introduced = "0.1.0.0"
fixed = "0.2.0.0"

[[references]]
type = "REPORT"
url = "https://gitlab.haskell.org/ghc/ghc/-/issues/23538"
[[references]]
type = "REPORT"
url = "https://github.com/brandonchinn178/toml-reader/issues/8"
[[references]]
type = "FIX"
url = "https://github.com/brandonchinn178/toml-reader/pull/9"

```

# `readFloat`: memory exhaustion with large exponent

`Numeric.readFloat` takes time and memory linear in the size of the
number _denoted_ by the input string. In particular, processing a
number expressed in scientific notation with a very large exponent
could cause a denial of service. The slowdown is observable on a
modern machine running GHC 9.4.4:

```
ghci> import qualified Numeric
ghci> Numeric.readFloat "1e1000000" -- near instantaneous
[(Infinity,"")]
ghci> Numeric.readFloat "1e10000000" -- perceptible pause
[(Infinity,"")]
ghci> Numeric.readFloat "1e100000000" -- ~ 3 seconds
[(Infinity,"")]
ghci> Numeric.readFloat "1e1000000000" -- ~ 35 seconds
[(Infinity,"")]
```

## In *base*

`Numeric.readFloat` is defined for all `RealFrac a => a`:

```haskell
readFloat :: RealFrac a => ReadS a
```

The `RealFrac` type class does not express any bounds on the size of
values representable in the types for which instances exist, so
bounds checking is not possible (in this *generic* function).
`readFloat` uses `Text.Read.Lex.numberToRational` which, among
other things, calculates `10 ^ exponent`, which seems to take linear
time and memory.

**Mitigation:** use `read`. The `Read` instances for `Float` and
`Double` perform bounds checks on the exponent, via
`Text.Read.Lex.numberToRangedRational`.


## In *toml-reader*

The issue was detected in *toml-reader* version 0.1.0.0, and
mitigated in version 0.2.0.0 by immediately returning `Infinity`
when the exponent is large enough that there's no reason to process
it.
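The bounded-exponent mitigation described above, as an added Python example (not code from *base* or *toml-reader*, whose real grammar and constants differ): `read_float_naive` reproduces the vulnerable shape, materialising `10 ^ exponent` before any check, while `read_float_ranged` clamps on the decimal exponent first, the way `numberToRangedRational` and the toml-reader 0.2.0.0 fix do, and only then converts exactly. The exponent window and the literal grammar are this example's own assumptions.

```python
import math
import re
from fractions import Fraction

# Decimal literal grammar assumed here: digits, optional fraction, optional
# exponent, e.g. "1.5e3", "123.456", "1e1000000000".
LITERAL = re.compile(r"^(\d+)(?:\.(\d+))?(?:[eE]([+-]?)(\d+))?$")

# Every finite IEEE-754 double lies between roughly 10**-324 and 10**309 in
# magnitude, so a literal whose decimal exponent is outside this window is
# 0.0 or Infinity without any arithmetic. The window itself is this
# example's choice of safe bounds, not base's exact constants.
MAX_DEC_EXP = 310
MIN_DEC_EXP = -330
MAX_EXP_DIGITS = 9  # longer exponent strings are never even converted to int


def read_float_naive(s: str) -> float:
    """Mirrors the vulnerable shape: the full 10**exponent is built before any
    bounds check, so cost grows with the exponent's *value*. Small inputs only;
    unlike GHC, Python raises OverflowError instead of returning Infinity, but
    the wasted work has already happened by then."""
    m = LITERAL.match(s)
    if not m:
        raise ValueError(f"not a decimal literal: {s!r}")
    ipart, fpart, sign, edigits = m.groups()
    fpart = fpart or ""
    exp = int(sign + edigits) if edigits else 0
    mantissa = int(ipart + fpart)
    return float(Fraction(mantissa) * Fraction(10) ** (exp - len(fpart)))


def read_float_ranged(s: str) -> float:
    """Bounds-check the decimal exponent first, then convert exactly only when
    the result can be finite (the numberToRangedRational / toml-reader approach)."""
    m = LITERAL.match(s)
    if not m:
        raise ValueError(f"not a decimal literal: {s!r}")
    ipart, fpart, sign, edigits = m.groups()
    fpart = fpart or ""
    significant = (ipart + fpart).lstrip("0")
    if not significant:
        return 0.0  # zero, whatever the exponent says
    if edigits and len(edigits.lstrip("0")) > MAX_EXP_DIGITS:
        # Absurdly long exponent: decide by its sign alone, no parsing at all.
        return 0.0 if sign == "-" else math.inf
    exp = int(sign + edigits) if edigits else 0
    # value = significant * 10**(exp - len(fpart)), whose decimal exponent is:
    dec_exp = len(significant) - 1 + exp - len(fpart)
    if dec_exp > MAX_DEC_EXP:
        return math.inf
    if dec_exp < MIN_DEC_EXP:
        return 0.0
    # Inside the window the exact rational is small enough to compute; Python's
    # own str-to-int digit limit still guards against a multi-megabyte mantissa.
    try:
        return float(Fraction(int(significant)) * Fraction(10) ** (exp - len(fpart)))
    except OverflowError:  # inside the window but above the largest double
        return math.inf
```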
79 | -------------------------------------------------------------------------------- /advisories/hackage/base/HSEC-2024-0006.md: -------------------------------------------------------------------------------- 1 | ```toml 2 | [advisory] 3 | id = "HSEC-2024-0006" 4 | cwe = [192] 5 | keywords = ["integrity", "dos", "historical"] 6 | 7 | [[affected]] 8 | package = "base" 9 | cvss = "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H" 10 | 11 | [[affected.versions]] 12 | introduced = "4.15.0.0" 13 | fixed = "4.15.1.0" 14 | 15 | [[references]] 16 | type = "REPORT" 17 | url = "https://gitlab.haskell.org/ghc/ghc/-/issues/19345" 18 | 19 | [[references]] 20 | type = "REPORT" 21 | url = "https://gitlab.haskell.org/ghc/ghc/-/issues/20066" 22 | 23 | [[references]] 24 | type = "FIX" 25 | url = "https://gitlab.haskell.org/ghc/ghc/-/merge_requests/4980" 26 | 27 | [[references]] 28 | type = "FIX" 29 | url = "https://gitlab.haskell.org/ghc/ghc/-/merge_requests/6109" 30 | ``` 31 | 32 | # `fromIntegral`: conversion error 33 | 34 | `fromIntegral` may result in coercion errors when used with optimization flags `-O1` or `-O2` 35 | in the following situation: 36 | 37 | - Converting negative `Int` to `Natural` does not throw an arithmetic underflow error 38 | - Converting large `Integer` greater than 2^64 to `Natural` overflow. 39 | 40 | For the most part, these errors in and of themselves result only in availability and data integrity issues. 41 | However, in some circumstances, they may result in other, more complicated security related flaws, such as buffer overflow conditions. 
42 | -------------------------------------------------------------------------------- /advisories/hackage/biscuit-haskell/HSEC-2023-0002.md: -------------------------------------------------------------------------------- 1 | ```toml 2 | [advisory] 3 | id = "HSEC-2023-0002" 4 | cwe = [347] 5 | keywords = ["crypto", "historical"] 6 | aliases = ["CVE-2022-31053"] 7 | related = ["GHSA-75rw-34q6-72cr"] 8 | 9 | [[affected]] 10 | package = "biscuit-haskell" 11 | cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" 12 | [[affected.versions]] 13 | introduced = "0.1.0.0" 14 | fixed = "0.2.0.0" 15 | 16 | [[references]] 17 | type = "REPORT" 18 | url = "https://eprint.iacr.org/2020/1484" 19 | [[references]] 20 | type = "ADVISORY" 21 | url = "https://github.com/biscuit-auth/biscuit/security/advisories/GHSA-75rw-34q6-72cr" 22 | 23 | ``` 24 | 25 | # Improper Verification of Cryptographic Signature 26 | 27 | The Biscuit specification version 1 contains a vulnerable algorithm that allows 28 | malicious actors to forge valid Γ-signatures. Such an attack would allow an 29 | attacker to create a token with any access level. The version 2 of the 30 | specification mandates a different algorithm than gamma signatures and as such 31 | is not affected by this vulnerability. 
--------------------------------------------------------------------------------
/advisories/hackage/biscuit-haskell/HSEC-2024-0009.md:
--------------------------------------------------------------------------------
```toml
[advisory]
id = "HSEC-2024-0009"
keywords = ["biscuit"]
aliases = ["CVE-2024-41949", "GHSA-rgqv-mwc3-c78m", "GHSA-47cq-pc2v-3rmp"]

[[references]]
type = "ADVISORY"
url = "https://github.com/biscuit-auth/biscuit-haskell/security/advisories/GHSA-47cq-pc2v-3rmp"
[[references]]
type = "FIX"
url = "https://github.com/biscuit-auth/biscuit-haskell/pull/93"

[[affected]]
package = "biscuit-haskell"
cvss = "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:N"

[[affected.versions]]
introduced = "0.3.0.0"
fixed = "0.4.0.0"
```

# Public key confusion in third-party blocks

Third-party blocks can be generated without transferring the whole token to the third-party authority. Instead, a `ThirdPartyBlock` request can be sent, providing only the necessary info to generate a third-party block and to sign it:

- the public key of the previous block (used in the signature);
- the public keys that are part of the token symbol table (for public key interning in datalog expressions).

A third-party block request forged by a malicious user can trick the third-party authority into generating datalog trusting the wrong keypair.
--------------------------------------------------------------------------------
/advisories/hackage/bz2/HSEC-2024-0002.md:
--------------------------------------------------------------------------------
../bzlib/HSEC-2024-0002.md
--------------------------------------------------------------------------------
/advisories/hackage/bzlib-conduit/HSEC-2024-0002.md:
--------------------------------------------------------------------------------
../bzlib/HSEC-2024-0002.md
--------------------------------------------------------------------------------
/advisories/hackage/bzlib/HSEC-2024-0002.md:
--------------------------------------------------------------------------------
```toml
[advisory]
id = "HSEC-2024-0002"
cwe = [787]
keywords = ["corruption", "vendored-code", "language-c"]
aliases = ["CVE-2019-12900"]

[[references]]
type = "DISCUSSION"
url = "https://gnu.wildebeest.org/blog/mjw/2019/08/02/bzip2-and-the-cve-that-wasnt/"

[[references]]
type = "DISCUSSION"
url = "http://scary.beasts.org/security/CESA-2008-005.html"

[[references]]
type = "ADVISORY"
url = "https://access.redhat.com/security/cve/cve-2019-12900"

[[references]]
type = "FIX"
url = "https://sourceware.org/git/?p=bzip2.git;a=commit;h=7ed62bfb46e87a9e878712603469440e6882b184"

[[affected]]
package = "bzlib"
cvss = "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"

[[affected.versions]]
introduced = "0.4"
fixed = "0.5.2.0"

[[affected]]
package = "bz2"
cvss = "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"

[[affected.versions]]
introduced = "0.1.0.0"
fixed = "1.0.1.1"

[[affected]]
package = "bzlib-conduit"
cvss = "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"

[[affected.versions]]
introduced = "0.1.0.0"
fixed = "0.3.0.3"
```

# out-of-bounds write when there are many bzip2 selectors

A malicious bzip2 payload may produce a memory corruption
resulting in a denial of service and/or remote code execution.
Network services or command line utilities decompressing
untrusted bzip2 payloads are affected.

Note that the exploitation of this bug relies on an undefined
behavior that appears to be handled safely by current compilers.

The Haskell libraries are vulnerable when they are built using
the bundled C library source code, which is the default
in most cases.
--------------------------------------------------------------------------------
/advisories/hackage/cabal-install/HSEC-2023-0015.md:
--------------------------------------------------------------------------------
```toml
[advisory]
id = "HSEC-2023-0015"
cwe = [672]
keywords = ["hackage", "mitm", "supply-chain"]

[[affected]]
package = "cabal-install"
cvss = "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"
[[affected.versions]]
introduced = "1.24.0.0"
fixed = "3.10.2.0"

[[references]]
type = "REPORT"
url = "https://github.com/haskell/cabal/issues/8918#issuecomment-1521096581"
[[references]]
type = "FIX"
url = "https://github.com/haskell/cabal/commit/dcfdc9cffd74cade4e8cf3df37c5993413ffd30f"
```

# cabal-install uses expired key policies

A problem was recently discovered in `cabal-install`'s
implementation of the Hackage Security protocol that would allow an
attacker who was in possession of a revoked private key and who
could perform a man-in-the-middle attack against Hackage to use the
revoked key to deliver malicious packages. At this time, this is
only a theoretical attack - no keys have been revoked. Release
3.10.2.0 of `cabal-install` contains a fix for this bug, and we have
contacted distributors of older versions (such as Linux
distributions) with a patch that they can apply.

## Background

Hackage Security is an implementation of [The Update Framework][],
which is a design for a package repository that allows untrusted
mirrors without undermining software supply-chain security. In
particular, Hackage Security cryptographically guarantees the
following properties:

* Mirrors of Hackage cannot change the contents of packages. This
  prevents the insertion of malicious code.

* Mirrors cannot omit newer packages for more than a few days
  without clients noticing. This ensures both that mirrors cannot
  maliciously deny security updates, and that mistakes in their
  configuration will be noticed.

Hackage has a [key policy file][] that delegates authority to a
number of private keys for various purposes. Most of the keys are
kept securely offline by trusted community members who annually
re-sign the various files to indicate that they still have
confidence in Hackage's policies. However, to prevent clients from
being denied updates, Hackage has an automated process that
periodically re-signs a timestamp file. This signature has a short
expiry. Additionally, a snapshot file contains signed hashes of the
Hackage index that is updated on each package upload. The timestamp
and snapshot private keys are held in memory on the Hackage server.
These are called the operational keys. If an operational key is ever
compromised, then it will be revoked by having the Hackage root
keyholders sign a new key policy file. To prevent replay attacks,
clients that connect to Hackage after this update will reject older
policy files, based on a monotonically increasing file version
number.

If a client has not yet received the updated policy file (for
example, because they have a fresh install of `cabal-install` or
because they have not run `cabal update` in some time), the built-in
expiration date in the file limits the window of exposure in which
the revoked operational keys would still be accepted. As long as the root
keys have not been compromised, the compromised operational keys can
only be used until the policy file expires. In addition to
compromising a Hackage operational key, an attacker would
additionally need to either compromise a Hackage mirror or perform a
man-in-the-middle attack against the target in order to serve a
malicious or obsolete package index.

[key policy file]: https://hackage.haskell.org/root.json
[The Update Framework]: https://theupdateframework.io/

## The Issue

A bug in `cabal-install` caused it to skip the verification of the
key policy file's expiration timestamp. This means that users of
older, unpatched versions of `cabal-install` could be vulnerable to
a malicious mirror or man-in-the-middle attack against Hackage if
they have not connected to Hackage in a long time, even after the
policy file has expired.

We do not believe that it has been possible to exploit this
vulnerability, because no operational keys have been revoked.
However, in case key revocation occurs, we strongly advise all users
of `cabal-install` to ensure that they have version 3.10.2.0 or
newer, which contains the fix.
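The two client-side checks the advisory describes (the policy file's built-in expiry and its monotonically increasing version number) are small enough to show in full. The following is an added example and not code from `cabal-install` or `hackage-security`; the flat `version`/`expires` layout is a constructed stand-in for the real signed root metadata, and signature verification is assumed to have happened before this function runs.

```python
"""Added example (not cabal-install's or hackage-security's own code):
a minimal freshness check for a TUF-style key policy (root) file,
covering the two checks the advisory describes: the built-in expiry
date (the one cabal-install skipped) and the monotonically increasing
version number. The metadata layout is a constructed stand-in, not the
real root.json schema."""
from datetime import datetime, timezone


class PolicyRejected(Exception):
    """Raised when a key policy file must not be trusted."""


def parse_expires(stamp: str) -> datetime:
    # TUF metadata uses ISO-8601 UTC timestamps with a trailing 'Z'.
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_key_policy(policy: dict, cached_version: int, now: datetime) -> int:
    """Return the accepted policy version, or raise PolicyRejected.

    `policy` is the parsed (and already signature-verified) metadata;
    `cached_version` is the version the client last accepted.
    """
    version = int(policy["version"])
    # Replay protection: never step backwards to an older policy file.
    if version < cached_version:
        raise PolicyRejected(f"policy version {version} older than cached {cached_version}")
    # Expiry bounds the window in which revoked operational keys would
    # still be honoured by a client that has not updated in a long time.
    expires = parse_expires(policy["expires"])
    if now >= expires:
        raise PolicyRejected(f"policy expired at {policy['expires']}")
    return version


# Constructed sample metadata (not real Hackage data).
SAMPLE_POLICY = {"version": 7, "expires": "2024-06-01T00:00:00Z"}


def demo() -> tuple:
    """Exercise the accept, expired and rollback cases."""
    fresh = datetime(2024, 1, 15, tzinfo=timezone.utc)
    stale = datetime(2024, 9, 1, tzinfo=timezone.utc)
    accepted = check_key_policy(SAMPLE_POLICY, cached_version=6, now=fresh) == 7
    try:
        check_key_policy(SAMPLE_POLICY, cached_version=6, now=stale)
        expired_rejected = False
    except PolicyRejected:
        expired_rejected = True
    try:
        check_key_policy(SAMPLE_POLICY, cached_version=8, now=fresh)
        rollback_rejected = False
    except PolicyRejected:
        rollback_rejected = True
    return accepted, expired_rejected, rollback_rejected


if __name__ == "__main__":
    print(demo())
```

A client that skips the expiry branch behaves exactly as the unpatched `cabal-install` did: it keeps trusting whatever keys the last policy file it saw delegated to, for as long as it goes without a successful update.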
--------------------------------------------------------------------------------
/advisories/hackage/crypton/HSEC-2025-0002.md:
--------------------------------------------------------------------------------
../cryptonite/HSEC-2025-0002.md
--------------------------------------------------------------------------------
/advisories/hackage/cryptonite/HSEC-2025-0002.md:
--------------------------------------------------------------------------------
```toml
[advisory]
id = "HSEC-2025-0002"
cwe = []
keywords = ["crypto"]
related = ["GHSA-w5vr-6qhr-36cc"]

[[affected]]
package = "cryptonite"
cvss = "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N"
[[affected.versions]]
introduced = "0.1"

[[affected]]
package = "crypton"
cvss = "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N"
[[affected.versions]]
introduced = "0.31"
fixed = "1.0.3"

[[references]]
type = "ARTICLE"
url = "https://portswigger.net/daily-swig/dozens-of-cryptography-libraries-vulnerable-to-private-key-theft"
[[references]]
type = "ARTICLE"
url = "https://github.com/MystenLabs/ed25519-unsafe-libs"
[[references]]
type = "ADVISORY"
url = "https://github.com/advisories/GHSA-w5vr-6qhr-36cc"
[[references]]
type = "EVIDENCE"
url = "https://hackage.haskell.org/package/cryptonite-0.30/docs/src/Crypto.PubKey.Ed25519.html#sign"
[[references]]
type = "EVIDENCE"
url = "https://github.com/haskell-crypto/cryptonite/blob/cryptonite-v0.30/cbits/ed25519/ed25519.c#53"
[[references]]
type = "EVIDENCE"
url = "https://github.com/kazu-yamamoto/crypton/blob/48fb9df2de5ee752196724b081f4d3cdb57576ed/cbits/ed25519/ed25519.c#L53"
[[references]]
type = "FIX"
url = "https://github.com/kazu-yamamoto/crypton/pull/47"

```

# Double Public Key Signing Function Oracle Attack on Ed25519

The standard specification of Ed25519 message signing involves providing the
algorithm with a message and private key.

The function will use the private key to compute the public key and sign the message.
Some libraries provide a variant of the message signing function that also takes
the pre-computed public key as an input parameter.

Libraries that allow arbitrary public keys as inputs without checking if the
input public key corresponds to the input private key are vulnerable to the
following attack.

By using several public keys and messages, a malicious user with access to the
signing mechanism may build up insights into the private key parameters,
resulting in access to the private key.

This shortcoming means that an attacker could use the signing function as an
oracle, perform cryptanalysis and ultimately get at secrets.
For example, an attacker who can't access the private key but can access
the signing mechanism through an API call could use several public keys and
messages to gradually build up insights into private key parameters.
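The structural defect is easier to see in a signature scheme of the same shape, so the following added example (not cryptonite's or crypton's code, and not Ed25519) uses a toy Schnorr-style signature over a small multiplicative group with constructed parameters. As in Ed25519, the nonce is derived deterministically from the private key and message, and the caller-supplied public key enters the challenge hash; the hardened signer derives the public key itself and refuses a mismatch, which is the fix the advisory's references describe.

```python
"""Added example, not cryptonite's or crypton's code. A toy Schnorr-style
signature (constructed parameters; not Ed25519, not secure) with the same
structure as Ed25519 signing: R = g^r, S = r + H(R, pk, m) * a, where r is
derived deterministically from the private key and the message and the
caller-supplied pk enters the hash."""
import hashlib

# Constructed toy parameters: q = 1019 and p = 2q + 1 = 2039 are both prime,
# and g = 4 generates the subgroup of order q.
P, Q, G = 2039, 1019, 4


def h(*parts: bytes) -> int:
    """Hash to a scalar mod Q."""
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big") % Q


def ib(n: int) -> bytes:
    """Fixed-width encoding of a small integer (all values here fit 2 bytes)."""
    return n.to_bytes(2, "big")


def public_key(a: int) -> int:
    return pow(G, a, P)


def sign_with_supplied_pk(a: int, pk: int, msg: bytes) -> tuple:
    """Vulnerable pattern: trusts the caller's pk when hashing.

    Because r depends only on (a, msg), two calls with the same message but
    different pk values reuse r, and the two S values then differ only by a
    known multiple of a. That is the oracle the advisory describes.
    """
    r = h(ib(a), msg)
    R = pow(G, r, P)
    e = h(ib(R), ib(pk), msg)
    return R, (r + e * a) % Q


def sign(a: int, pk: int, msg: bytes) -> tuple:
    """Hardened pattern: derive the public key and refuse a mismatch."""
    if pk != public_key(a):
        raise ValueError("supplied public key does not match private key")
    return sign_with_supplied_pk(a, pk, msg)


def verify(pk: int, msg: bytes, sig: tuple) -> bool:
    R, S = sig
    e = h(ib(R), ib(pk), msg)
    return pow(G, S, P) == (R * pow(pk, e, P)) % P


def demo() -> tuple:
    a = 123                              # constructed private scalar
    pk = public_key(a)
    msg = b"constructed message"
    good = verify(pk, msg, sign(a, pk, msg))
    try:
        sign(a, public_key(456), msg)    # a public key that is not pk
        refused = False
    except ValueError:
        refused = True
    return good, refused


if __name__ == "__main__":
    print(demo())
```

Deriving the public key costs one scalar multiplication, the same work the single-argument API already does; an API that takes a caller-supplied public key for speed must pay that cost anyway, or simply drop the parameter.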
--------------------------------------------------------------------------------
/advisories/hackage/git-annex/HSEC-2023-0009.md:
--------------------------------------------------------------------------------
```toml
[advisory]
id = "HSEC-2023-0009"
cwe = [20, 78]
keywords = ["ssh", "command-injection", "historical"]
aliases = ["CVE-2017-12976"]
related = ["CVE-2017-9800", "CVE-2017-12836", "CVE-2017-1000116", "CVE-2017-1000117"]

[[affected]]
package = "git-annex"
cvss = "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
[[affected.versions]]
introduced = "0"
fixed = "6.20170818"

[[references]]
type = "ADVISORY"
url = "https://git-annex.branchable.com/security/CVE-2017-12976/"
[[references]]
type = "FIX"
url = "http://source.git-annex.branchable.com/?p=source.git;a=commitdiff;h=df11e54788b254efebb4898b474de11ae8d3b471"
```

# *git-annex* command injection via malicious SSH hostname

*git-annex* was vulnerable to the same class of security hole as
git's **CVE-2017-1000117**. In several cases, `git-annex` parses a
repository URL and uses it to generate an `ssh` command, with the
hostname to ssh to coming from the URL. If the hostname it parses is
something like `-eProxyCommand=evil`, this could result in arbitrary
local code execution.

Some details of URL parsing may prevent the exploit working in some
cases.

Exploiting this would involve the attacker tricking the victim into
adding a remote something like `ssh://-eProxyCommand=evil/blah`.

One possible avenue for an attacker that avoids exposing the URL to
the user is to use `initremote` with an SSH remote, so embedding the
URL in the *git-annex* branch. Then the victim would enable it with
`enableremote`.

This was fixed in version **6.20170818**. Now there's a `SshHost`
type that is not allowed to start with a dash, and every invocation
of `git-annex` uses a function that takes a `SshHost`.
--------------------------------------------------------------------------------
/advisories/hackage/git-annex/HSEC-2023-0010.md:
--------------------------------------------------------------------------------
```toml
[advisory]
id = "HSEC-2023-0010"
cwe = [200, 610]
keywords = ["exfiltration", "historical"]
aliases = ["CVE-2018-10857"]

[[affected]]
package = "git-annex"
cvss = "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
[[affected.versions]]
introduced = "0"
fixed = "6.20180626"

[[references]]
type = "ADVISORY"
url = "https://git-annex.branchable.com/security/CVE-2018-10857_and_CVE-2018-10859/"
```

# *git-annex* private data exfiltration to compromised remote

Some uses of git-annex were vulnerable to a private data exposure
and exfiltration attack. It could expose the content of files
located outside the *git-annex* repository, or content from a
private web server on localhost or the LAN. Joey Hess discovered
this attack.

To perform this attack, the attacker needs to have control over one
of the remotes of the victim's *git-annex* repository. For example,
they may provide a public *git-annex* repository that the victim
clones. Or, equivalently, the attacker could have read access to the
victim's *git-annex* repository or a repository it pushes to, and
some channel to get commits into it (e.g. pull requests).

These exploits are most likely to succeed when the victim is running
the `git-annex` assistant, or is periodically running `git annex
sync --content`.

To perform the attack the attacker runs `git-annex addurl --relaxed
file:///etc/passwd` and commits this to the repository in some
out-of-the-way place. After the victim's git repository receives that
change, `git-annex` follows the attacker-provided URL to the private
data, which it stores in the *git-annex* repository. From there it
transfers the content to the remote *git-annex* repository that the
attacker has access to.

As well as `file:///` URLs, the attacker can use URLs to private web
servers. The URL can also be one that the attacker controls, that
redirects to a URL that is accessible to the victim system (and not
necessarily the compromised remote).

## Fix

The issue was fixed by making `git-annex` refuse to follow
`file:///` URLs and URLs pointing to private/local IP addresses by
default. Two new configuration settings,
`annex.security.allowed-url-schemes` and
`annex.security.allowed-ip-addresses`, can relax this security
policy, and are intended for cases where the *git-annex* repository
is kept private and so the attack does not apply.

## Impact on external special remotes

One variant of this issue can exploit a vulnerable external special
remote, and could not be prevented by `git-annex`. (`git-annex`'s
own built-in special remotes are not vulnerable to this attack.)

In this attack variant, the attacker guesses the hash of a file
stored on the victim's private web server, and adds it to the
`git-annex` repository. The attacker also has control of the server
hosting an encrypted special remote used by the victim's *git-annex*
repository. They cause that server to redirect to the victim's web
server. This allows the attacker to verify if the victim's web
server contains a file that the attacker already knows the content
of, assuming they can guess the URL to it.

Developers of external special remotes are encouraged to prevent
this attack by not following such HTTP redirects.
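Both git-annex advisories above come down to treating a remote-supplied string as safe input to a privileged operation: a hostname handed to `ssh` (HSEC-2023-0009) and a URL handed to a fetcher (HSEC-2023-0010). The following added example (not git-annex's code) shows the two hardening steps in one place: a host type that cannot start with a dash, and a URL policy that refuses `file://` and private or loopback addresses unless explicitly allowed, re-applied on every redirect hop. Name resolution is stubbed with a constructed table so it runs offline; `FAKE_DNS`, `SshHost`, `url_allowed` and `follow_with_policy` are names chosen for this example.

```python
"""Added example (not git-annex's code). Two checks from the advisories:
an SSH host value that may not start with a dash (HSEC-2023-0009), and a
URL policy refusing file:// and private/loopback targets unless allowed,
applied to every redirect hop (HSEC-2023-0010). DNS is a constructed table."""
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-in for DNS resolution (not real addresses for these names).
FAKE_DNS = {
    "example.com": "93.184.216.34",
    "intranet.corp": "10.0.0.5",
    "localhost": "127.0.0.1",
}


class SshHost:
    """A hostname that is safe to pass to ssh as a positional argument."""

    def __init__(self, host: str):
        if not host or host.startswith("-"):
            raise ValueError(f"refusing ssh host that looks like an option: {host!r}")
        self.host = host


def ssh_argv(host: SshHost, command: str) -> list:
    # Only a validated SshHost can reach the argv builder.
    return ["ssh", host.host, command]


def is_private(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return addr.is_private or addr.is_loopback or addr.is_link_local or addr.is_reserved


def url_allowed(url: str, allowed_schemes=("http", "https"), allowed_ips=()) -> bool:
    """Policy check applied to a URL before it is fetched."""
    parts = urlsplit(url)
    if parts.scheme not in allowed_schemes:
        return False                      # e.g. file:// is refused by default
    host = parts.hostname or ""
    ip = FAKE_DNS.get(host, host)         # literal IP addresses pass through unchanged
    try:
        if is_private(ip) and ip not in allowed_ips:
            return False
    except ValueError:
        return False                      # unresolvable host: fail closed
    return True


def follow_with_policy(url: str, redirects: dict) -> bool:
    """Walk a constructed redirect chain, re-checking the policy at each hop,
    because a public URL may redirect back into the LAN."""
    hops = 0
    while True:
        if hops > 10 or not url_allowed(url):
            return False
        nxt = redirects.get(url)
        if nxt is None:
            return True
        url, hops = nxt, hops + 1


def demo() -> tuple:
    redirects = {"https://example.com/data": "http://intranet.corp/secret"}
    try:
        SshHost("-eProxyCommand=evil")    # the hostname shape from HSEC-2023-0009
        dash_rejected = False
    except ValueError:
        dash_rejected = True
    return (
        url_allowed("https://example.com/data"),
        url_allowed("file:///etc/passwd"),
        url_allowed("http://intranet.corp/x", allowed_ips=("10.0.0.5",)),
        follow_with_policy("https://example.com/data", redirects),
        dash_rejected,
    )


if __name__ == "__main__":
    print(demo())
```

The `allowed_ips` parameter plays the role of `annex.security.allowed-ip-addresses`: the default is closed, and the operator opens specific addresses only for repositories that are kept private.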
--------------------------------------------------------------------------------
/advisories/hackage/git-annex/HSEC-2023-0011.md:
--------------------------------------------------------------------------------
```toml
[advisory]
id = "HSEC-2023-0011"
cwe = [200]
keywords = ["exfiltration", "pgp", "historical"]
aliases = ["CVE-2018-10859"]
related = ["HSEC-2023-0010", "CVE-2018-10857"]

[[affected]]
package = "git-annex"
cvss = "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
[[affected.versions]]
introduced = "0.20110417"
fixed = "6.20180626"

[[references]]
type = "ADVISORY"
url = "https://git-annex.branchable.com/security/CVE-2018-10857_and_CVE-2018-10859/"
```

# *git-annex* GPG decryption attack via compromised remote

A malicious server for a special remote could trick `git-annex` into
decrypting a file that was encrypted to the user's GPG key. This
attack could be used to expose encrypted data that was never stored
in *git-annex*. Daniel Dent discovered this attack in collaboration
with Joey Hess.

To perform this attack the attacker needs control of a server
hosting an *encrypted* special remote used by the victim's
*git-annex* repository. The attacker uses `git annex addurl
--relaxed` with an innocuous URL, and waits for the user's
`git-annex` to download it, and upload an (encrypted) copy to the
special remote they also control. At some later point, when the
user downloads the content from the special remote, the attacker
instead sends them the content of the GPG-encrypted file that they
wish to have decrypted in its place (which may have been exfiltrated
from the victim's system via the attack described in
**HSEC-2023-0010** / **CVE-2018-10857**, or acquired by other
means). Finally, the attacker drops their own copy of the original
innocuous URL, and waits for the victim `git-annex` to send them the
accidentally decrypted file.

The issue was fixed by making `git-annex` refuse to download
encrypted content from special remotes, unless it knows the hash of
the expected content. When the attacker provides some other
GPG-encrypted content, it will fail the hash check and be discarded.
--------------------------------------------------------------------------------
/advisories/hackage/git-annex/HSEC-2023-0012.md:
--------------------------------------------------------------------------------
```toml
[advisory]
id = "HSEC-2023-0012"
cwe = [200]
keywords = ["historical"]

[[affected]]
package = "git-annex"
cvss = "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
[[affected.versions]]
introduced = "0.20110417"
fixed = "6.20160419"

[[references]]
type = "ADVISORY"
url = "https://git-annex.branchable.com/security/checksum_exposure_to_encrypted_special_remotes/"
[[references]]
type = "FIX"
url = "http://source.git-annex.branchable.com/?p=source.git;a=commitdiff;h=b890f3a53d936b5e40aa9acc5876cb98f18b9657"
```

# *git-annex* checksum exposure to encrypted special remotes

A bug exposed the checksum of annexed files to encrypted special
remotes, which are not supposed to have access to the checksum of
the un-encrypted file. This only occurred when resuming uploads to
the encrypted special remote, so it is considered a low-severity
security hole.

For details, see commit `b890f3a53d936b5e40aa9acc5876cb98f18b9657`.

No CVE was assigned for this issue.

Fixed in *git-annex-6.20160419*.
--------------------------------------------------------------------------------
/advisories/hackage/git-annex/HSEC-2023-0013.md:
--------------------------------------------------------------------------------
```toml
[advisory]
id = "HSEC-2023-0013"
cwe = [312]
keywords = ["historical"]
aliases = ["CVE-2014-6274"]

[[affected]]
package = "git-annex"
cvss = "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"
[[affected.versions]]
introduced = "0.20110401"
fixed = "5.20140919"

[[references]]
type = "ADVISORY"
url = "https://git-annex.branchable.com/security/CVE-2014-6274/"
[[references]]
type = "ARTICLE"
url = "https://git-annex.branchable.com/upgrades/insecure_embedded_creds/"
```

# *git-annex* plaintext storage of embedded credentials on encrypted remotes

*git-annex* had a bug in the **S3** and **Glacier** remotes where if
`embedcreds=yes` was set, and the remote used `encryption=pubkey` or
`encryption=hybrid`, the embedded AWS credentials were stored in the
Git repository in (effectively) plaintext, not encrypted as they
were supposed to be.

That means that anyone who gets a copy of the Git repository can
extract the AWS credentials from it. Which would be bad.

A remote with this problem cannot be enabled using `git annex
enableremote`. Old versions of *git-annex* will fail with a GPG
error; the current version will fail with a pointer to this web
page.

## Remediation

If your repository has this problem, choose one of these
approaches to deal with it:

1. Change your AWS credentials, so the ones stored in the clear in
   git won't be used.

   After changing the credentials, make sure you have a fixed
   version of git-annex, and you can then re-embed the new creds
   into the repository, encrypted this time, by setting the
   `AWS_SECRET_ACCESS_KEY` and `AWS_ACCESS_KEY_ID` environment
   variables, and running `git annex enableremote $remotename
   embedcreds=yes`.

2. Fix the problem and then remove the history of the *git-annex*
   branch of the repository.

   Make sure you have a fixed version of *git-annex*, and force
   *git-annex* to rewrite the embedded creds, with encryption this
   time, by setting the `AWS_SECRET_ACCESS_KEY` and
   `AWS_ACCESS_KEY_ID` environment variables, and running `git annex
   enableremote $remotename embedcreds=yes`.

   Then, to get rid of old versions of the *git-annex* branch that
   still contain the creds in cleartext, you can use `git annex
   forget`; note that it will remove other historical data too.

   Keep in mind that this will not necessarily delete data from
   clones you do not control.

3. If you're sure that you're the only one who has access to the
   repository, you could decide to leave it as-is. It's no more
   insecure than if you had used `encryption=shared` in the first
   place when setting it up.
--------------------------------------------------------------------------------
/advisories/hackage/hledger-web/HSEC-2023-0008.md:
--------------------------------------------------------------------------------
```toml
[advisory]
id = "HSEC-2023-0008"
cwe = [87]
keywords = ["web", "xss", "historical"]
aliases = ["CVE-2021-46888"]

[[affected]]
package = "hledger-web"
cvss = "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
[[affected.versions]]
introduced = "0.24"
fixed = "1.23"

[[references]]
type = "REPORT"
url = "https://github.com/simonmichael/hledger/issues/1525"
[[references]]
type = "INTRODUCED"
url = "https://github.com/simonmichael/hledger/commit/ec51d28839b2910eea360b1b8c72904b51cf7821"
[[references]]
type = "EVIDENCE"
url = "https://www.youtube.com/watch?v=QnRO-VkfIic"
[[references]]
type = "FIX"
url = "https://github.com/simonmichael/hledger/pull/1663"

```

# Stored XSS in *hledger-web*

An issue was discovered in *hledger-web* < 1.23. A Stored Cross-Site
Scripting (XSS) vulnerability exists in `toBloodhoundJson` that
allows an attacker to execute JavaScript by encoding user-controlled
values in a payload with base64 and parsing them with the `atob`
function.

*hledger-web* forms sanitise obvious JavaScript, but not obfuscated
JavaScript (see [OWASP Filter Evasion Cheat Sheet][cheatsheet]).
This means *hledger-web* instances, especially anonymously-writable
ones like `demo.hledger.org`, could be loaded with malicious
JavaScript to be executed by subsequent visitors.

[cheatsheet]: https://owasp.org/www-community/xss-filter-evasion-cheatsheet

Reported by Gaspard Baye and Hamidullah Muslih. Fix by Arsen
Arsenović.
--------------------------------------------------------------------------------
/advisories/hackage/keter/HSEC-2024-0001.md:
--------------------------------------------------------------------------------
```toml
[advisory]
id = "HSEC-2024-0001"
cwe = [79]
keywords = ["http", "xss", "rxss", "historical"]

[[references]]
type = "FIX"
url = "https://github.com/snoyberg/keter/pull/246"

[[affected]]
package = "keter"
cvss = "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N"
declarations."Keter.Proxy.toResponse" = ">= 0.3.4 && < 1.0.1"
declarations."Keter.Proxy.unknownHostResponse" = ">= 1.0.1 && < 1.8.4"

[[affected.versions]]
introduced = "0.3.4"
fixed = "1.8.4"
```

# Reflected XSS vulnerability in keter

Keter is an app server and reverse proxy often used with web apps built on the Yesod web framework.

In the logic handling VHost dispatch, Keter was echoing back the `Host` header value, unescaped,
as part of an HTML error page. This constitutes a reflected-XSS vulnerability. Although
not readily exploitable directly from a browser (where the `Host` header can't generally assume
arbitrary values), it may become so in the presence of further weaknesses in components
upstream of Keter in the HTTP proxying chain. Hence AC:H in the CVSS evaluation.
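The defect and its fix are a matter of output encoding, so the following added example (not Keter's code) puts the vulnerable pattern, interpolating the `Host` value into an HTML error page verbatim, next to a hardened dispatcher that first checks the header against host syntax and then HTML-escapes it before rendering. The sample header value is constructed to carry markup and is not a working exploit string; `dispatch`, `HOST_RE` and the response helpers are names chosen for this example.

```python
"""Added example, not Keter's code: the vulnerable pattern the advisory
describes (unescaped Host header in an HTML error page) beside a hardened
variant that validates the header's syntax and escapes it for the HTML
text context. The sample Host value is constructed."""
import html
import re

# Roughly RFC 3986 host syntax: a reg-name/IPv4 or a bracketed IPv6 literal,
# optionally followed by a port.
HOST_RE = re.compile(
    r"^(\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?)(?::\d{1,5})?$"
)


def unknown_host_response_vulnerable(host: str) -> str:
    # Reflects the header verbatim into HTML.
    return f"<html><body><h1>Unknown host: {host}</h1></body></html>"


def unknown_host_response(host: str) -> str:
    # Escape for the HTML text context before interpolation; this alone
    # closes the injection regardless of what the proxy chain forwards.
    return f"<html><body><h1>Unknown host: {html.escape(host, quote=True)}</h1></body></html>"


def dispatch(host_header: str, known_vhosts: frozenset) -> tuple:
    """Return (status, body) the way a vhost dispatcher might.

    Syntax validation is defence in depth: a value that cannot be a host
    name never reaches the error page at all.
    """
    m = HOST_RE.match(host_header)
    if not m:
        return 400, "<html><body><h1>Bad Request</h1></body></html>"
    if m.group(1) in known_vhosts:
        return 200, "<html><body>app</body></html>"
    return 404, unknown_host_response(host_header)


# Constructed Host value carrying markup (not a working exploit string).
CONSTRUCTED_HOST = "evil.example</h1><b>injected</b>"


def demo() -> tuple:
    vulnerable = "<b>injected</b>" in unknown_host_response_vulnerable(CONSTRUCTED_HOST)
    hardened = "<b>injected</b>" in unknown_host_response(CONSTRUCTED_HOST)
    status, _ = dispatch(CONSTRUCTED_HOST, frozenset({"app.example"}))
    return vulnerable, hardened, status


if __name__ == "__main__":
    print(demo())
```

The AC:H in the advisory corresponds to the second line of defence here: a browser will not normally send a `Host` value that fails `HOST_RE`, so reaching the vulnerable branch needs an upstream component that forwards arbitrary header values.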
--------------------------------------------------------------------------------
/advisories/hackage/pandoc/HSEC-2023-0014.md:
--------------------------------------------------------------------------------
```toml
[advisory]
id = "HSEC-2023-0014"
keywords = ["file write"]
aliases = ["CVE-2023-35936", "GHSA-xj5q-fv23-575g"]
cwe = [20]

[[references]]
type = "REPORT"
url = "https://github.com/jgm/pandoc/security/advisories/GHSA-xj5q-fv23-575g"

[[affected]]
package = "pandoc"
cvss = "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:L"

[[affected.versions]]
introduced = "1.13"
fixed = "3.1.4"

```

# Arbitrary file write is possible when using PDF output or --extract-media with untrusted input

Pandoc is susceptible to an arbitrary file write vulnerability, which can be triggered by providing a specially crafted image element in the input when generating files using the --extract-media option or outputting to PDF format. This vulnerability allows an attacker to create or overwrite arbitrary files on the system (depending on the privileges of the process running pandoc).

This vulnerability only affects systems that (a) pass untrusted user input to pandoc and (b) allow pandoc to be used to produce a PDF or with the --extract-media option.

The vulnerability is patched in pandoc 3.1.4.
--------------------------------------------------------------------------------
/advisories/hackage/spacecookie/HSEC-2025-0004.md:
--------------------------------------------------------------------------------
```toml

[advisory]
id = "HSEC-2025-0004"
cwe = [23]
capec = [126]
keywords = ["gopher", "path-traversal"]

aliases = []
related = []

[[affected]]
package = "spacecookie"
cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"

declarations = { "Network.Gopher.Util.santinizePath" = ">= 0.2.0.0 && < 1.0", "Network.Gopher.Util.santinizeIfNotUrl" = ">= 0.2.0.0 && < 1.0", "Network.Gopher.Util.sanitizePath" = ">= 1.0.0.0 && < 1.0.0.3", "Network.Gopher.Util.sanitizeIfNotUrl" = ">= 1.0.0.0 && < 1.0.0.3" }

[[affected.versions]]
introduced = "0.2.0.0"
fixed = "1.0.0.3"

[[references]]
type = "FIX"
url = "https://github.com/sternenseemann/spacecookie/commit/2854a8a70833e7abdeeff3c02596a6f2a2f35c61"
```

# Broken Path Sanitization in spacecookie Library

The spacecookie library exposes the functions `sanitizePath` and `sanitizeIfNotUrl` intended to
remove `..` components from paths, which can be used to prevent path traversal attacks. Due to
erroneous comparison code, this elimination is not actually performed, which has been remedied
in version 1.0.0.3 by properly comparing using `equalFilePath`.

Any user of those respective functions of any version of spacecookie should upgrade to 1.0.0.3
or later. Note that the spacecookie server executable included in the same package is not affected
by the problem since a separate check would reject any malicious path that gets by `sanitizePath`.
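The spacecookie advisory above and the pandoc advisory before it are two ends of the same control: one sanitises a path by dropping `..` components, the other must refuse to write outside an output directory. The following added example (not spacecookie's or pandoc's code) shows a component-wise sanitizer that compares whole path components, the idea behind the `equalFilePath` fix, beside a constructed string-comparison variant that silently removes nothing, and a containment check of the kind an extractor such as `--extract-media` can apply before creating a file. The broken variant is constructed to show the failure mode and is not spacecookie's actual comparison; `safe_output_path` is a name chosen for this example.

```python
"""Added example, not spacecookie's or pandoc's code. (a) A sanitizer that
compares whole path components (the equalFilePath idea) beside a
constructed variant whose comparison never matches, so nothing is removed;
(b) a containment check an extractor can apply before writing a file."""
import os


def sanitize_path_broken(path: str) -> str:
    # Constructed failure mode: comparing a component against "../" never
    # matches a bare ".." component, so traversal components survive.
    parts = [p for p in path.split("/") if p != "../"]
    return "/".join(parts)


def sanitize_path(path: str) -> str:
    """Drop every component equal to `..` or `.`, comparing whole components."""
    parts = [p for p in path.split("/") if p not in ("..", ".", "")]
    return "/".join(parts)


def safe_output_path(base_dir: str, relative: str) -> str:
    """Resolve `relative` under `base_dir` and refuse anything that escapes it.

    Used the way a media extractor would: the caller supplies the possibly
    attacker-controlled file name from the document and only writes to the
    returned path. Absolute names and `..` chains are both caught because the
    check is on the resolved result, not on the input's spelling.
    """
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, relative))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"path escapes {base_dir}: {relative!r}")
    return target


def demo() -> tuple:
    traversal = "../../etc/passwd"        # constructed traversal input
    broken = sanitize_path_broken(traversal)
    fixed = sanitize_path(traversal)
    try:
        safe_output_path("/tmp/media", traversal)
        contained = True
    except ValueError:
        contained = False
    return broken, fixed, contained


if __name__ == "__main__":
    print(demo())
```

Stripping `..` components is enough for a read-only path lookup under a fixed root, which is the gopher case; when the path names a file to be written, the containment check on the resolved path is the stronger control, since it also handles absolute names and symlinked directories.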
--------------------------------------------------------------------------------
/advisories/hackage/tls-extra/HSEC-2023-0005.md:
--------------------------------------------------------------------------------
```toml
[advisory]
id = "HSEC-2023-0005"
cwe = [295]
keywords = ["x509", "pki", "mitm", "historical"]
aliases = ["CVE-2013-0243"]

[[affected]]
package = "tls-extra"
cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"

[[affected.versions]]
introduced = "0.1.0"
fixed = "0.4.6.1"

[[references]]
type = "DISCUSSION"
url = "https://www.openwall.com/lists/oss-security/2013/01/30/6"
[[references]]
type = "REPORT"
url = "https://github.com/haskell-tls/hs-tls/issues/29"
[[references]]
type = "FIX"
url = "https://github.com/haskell-tls/hs-tls/commit/15885c0649ceabd2f4d2913df8ac6dc63d6b3b37"
```

# tls-extra: certificate validation does not check Basic Constraints

*tls-extra* does not check the Basic Constraints extension of a
certificate in certificate chain processing. Any certificate is
treated as a CA certificate. As a consequence, anyone who has a
valid certificate can use it to sign another one (with an arbitrary
subject DN/domain name embedded into it) and have it accepted by
*tls*. This allows MITM attacks on TLS connections.
35 | -------------------------------------------------------------------------------- /advisories/hackage/toml-reader/HSEC-2023-0007.md: -------------------------------------------------------------------------------- 1 | ../base/HSEC-2023-0007.md -------------------------------------------------------------------------------- /advisories/hackage/x509-validation/HSEC-2023-0006.md: -------------------------------------------------------------------------------- 1 | ```toml 2 | [advisory] 3 | id = "HSEC-2023-0006" 4 | cwe = [295] 5 | keywords = ["x509", "pki", "historical"] 6 | 7 | [[affected]] 8 | package = "x509-validation" 9 | cvss = "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:N" 10 | 11 | [[affected.versions]] 12 | introduced = "1.4.0" 13 | fixed = "1.4.8" 14 | 15 | [[references]] 16 | type = "FIX" 17 | url = "https://github.com/haskell-tls/hs-certificate/commit/06d15dbbc53739314760d8504ca764000770e46e" 18 | ``` 19 | 20 | # x509-validation does not enforce pathLenConstraint 21 | 22 | *x509-validation* prior to version 1.4.8 did not enforce the 23 | pathLenConstraint value. Constrained CAs could accidentally (or 24 | deliberately) issue CAs below the maximum depth and 25 | *x509-validation* would accept certificates issued by the 26 | unauthorised intermediate CAs. 
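HSEC-2023-0005 and HSEC-2023-0006 are two halves of the same chain-building rule: every issuer in a chain must assert `cA=TRUE` in Basic Constraints, and an issuer carrying a `pathLenConstraint` of `n` may have at most `n` intermediate CAs between itself and the end-entity certificate. The following is an added example of that rule, not code from *tls-extra* or *x509-validation*; the `Cert` record is a hypothetical toy model holding only the fields that matter here, and signature, validity and name checks are deliberately left out.

```haskell
-- Added illustration (not tls-extra's or x509-validation's code): the two
-- chain checks the advisories describe, over a toy certificate record.
module Main (main) where

-- Hypothetical model of the relevant fields, not a type from the x509 packages.
data Cert = Cert
  { certSubject :: String
  , certIsCA    :: Bool       -- Basic Constraints: cA flag
  , certPathLen :: Maybe Int  -- Basic Constraints: pathLenConstraint, if present
  } deriving (Show)

-- A chain is the end-entity certificate first, followed by its issuers up to
-- the trust anchor. Every issuer must be a CA (HSEC-2023-0005), and an issuer
-- with pathLenConstraint n may have at most n CA certificates between itself
-- and the end-entity certificate (HSEC-2023-0006).
validateChain :: [Cert] -> Either String ()
validateChain [] = Left "empty chain"
validateChain (_leaf : issuers) = go 0 issuers
  where
    -- depth counts the intermediate CAs already seen below the current issuer
    go :: Int -> [Cert] -> Either String ()
    go _ [] = Right ()
    go depth (ca : rest)
      | not (certIsCA ca) =
          Left (certSubject ca ++ ": used as issuer but Basic Constraints cA is not TRUE")
      | Just n <- certPathLen ca, depth > n =
          Left (certSubject ca ++ ": pathLenConstraint " ++ show n
                ++ " exceeded (" ++ show depth ++ " intermediates below it)")
      | otherwise = go (depth + 1) rest

main :: IO ()
main = do
  -- Constructed certificates and chains.
  let root   = Cert "Root CA" True (Just 1)
      inter  = Cert "Intermediate CA" True (Just 0)
      site   = Cert "example.com" False Nothing   -- ordinary end-entity cert
      rogue  = Cert "rogue.example" False Nothing -- another end-entity cert
      victim = Cert "bank.example" False Nothing
      subCA  = Cert "Unauthorised Sub CA" True Nothing
  -- Well-formed chain: accepted.
  print (validateChain [site, inter, root])
  -- HSEC-2023-0005 scenario: the holder of an ordinary certificate signs a
  -- new certificate for any name and presents both. The signer is not a CA,
  -- so a correct validator rejects the chain.
  print (validateChain [victim, rogue, inter, root])
  -- HSEC-2023-0006 scenario: "Intermediate CA" has pathLenConstraint 0 but
  -- issued a further CA, which then issued the end-entity certificate.
  print (validateChain [victim, subCA, inter, root])
```

The first chain is accepted; the second fails on the `cA` check, which is exactly the gap that let any valid certificate act as a CA in *tls-extra*; the third fails because the depth below "Intermediate CA" is 1 while its constraint allows 0, which is the check *x509-validation* did not enforce before 1.4.8.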
27 | -------------------------------------------------------------------------------- /advisories/hackage/xml-conduit/HSEC-2023-0004.md: -------------------------------------------------------------------------------- 1 | ```toml 2 | [advisory] 3 | id = "HSEC-2023-0004" 4 | cwe = [776] 5 | keywords = ["xml", "dos", "historical"] 6 | aliases = ["CVE-2021-4249", "VDB-216204"] 7 | 8 | [[affected]] 9 | package = "xml-conduit" 10 | cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" 11 | 12 | [[affected.versions]] 13 | introduced = "0.5.0" 14 | fixed = "1.9.1.0" 15 | 16 | [[references]] 17 | type = "FIX" 18 | url = "https://github.com/snoyberg/xml/pull/161" 19 | [[references]] 20 | type = "FIX" 21 | url = "https://github.com/snoyberg/xml/commit/4be1021791dcdee8b164d239433a2043dc0939ea" 22 | ``` 23 | 24 | # xml-conduit unbounded entity expansion 25 | 26 | A vulnerability was found in *xml-conduit*: the DOCTYPE entity expansion 27 | handler in `xml-conduit/src/Text/XML/Stream/Parse.hs` does not bound 28 | entity expansion, so a crafted document sends the parser into an infinite 29 | loop (denial of service). The attack can be launched remotely. Upgrading 30 | to version 1.9.1.0 addresses this issue; the fix is commit 31 | `4be1021791dcdee8b164d239433a2043dc0939ea`. Users of the affected 32 | component are advised to upgrade. 33 | 
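The property the xml-conduit advisory says was missing is a bound on DOCTYPE entity expansion: an internal entity may reference other entities, so a definition that refers back to itself loops forever, and a short chain of definitions that each reference the previous one ten times expands to gigabytes. The following is an added example, not xml-conduit's parser: a small entity expander over a constructed entity table that rejects cycles, caps nesting depth and caps the expanded size at every level.

```haskell
-- Added illustration (not xml-conduit's code): a DOCTYPE-style entity
-- expander with the limits HSEC-2023-0004 says the parser lacked.
module Main (main) where

import qualified Data.Map.Strict as M

-- Internal entity table, as declared by <!ENTITY name "value"> in a DOCTYPE.
type Entities = M.Map String String

data ExpandError
  = RecursiveEntity String   -- an entity refers to itself, directly or not
  | NestingTooDeep Int
  | BudgetExceeded Int       -- expanded text longer than the allowed budget
  | UndefinedEntity String
  | UnterminatedReference
  deriving (Show, Eq)

-- Expand &name; references with three limits:
--   * an entity currently being expanded may not be referenced again (cycle),
--   * nesting depth is capped by maxDepth,
--   * the expanded size at every nesting level is capped by budget.
expandEntities :: Entities -> Int -> Int -> String -> Either ExpandError String
expandEntities ents maxDepth budget = go 0 []
  where
    go :: Int -> [String] -> String -> Either ExpandError String
    go _ _ [] = Right []
    go depth stack ('&' : rest) =
      case break (== ';') rest of
        (name, ';' : after)
          | name `elem` stack -> Left (RecursiveEntity name)
          | depth >= maxDepth -> Left (NestingTooDeep depth)
          | otherwise ->
              case M.lookup name ents of
                Nothing  -> Left (UndefinedEntity name)
                Just val -> do
                  inner <- go (depth + 1) (name : stack) val
                  outer <- go depth stack after
                  let out = inner ++ outer
                  if length out > budget
                    then Left (BudgetExceeded (length out))
                    else Right out
        _ -> Left UnterminatedReference
    go depth stack (c : cs) = (c :) <$> go depth stack cs

main :: IO ()
main = do
  -- Constructed entity tables.
  let selfRef = M.fromList [("a", "&a;")]          -- <!ENTITY a "&a;">
      lol     = M.fromList                          -- classic nested expansion
        [ ("lol0", "lol")
        , ("lol1", concat (replicate 10 "&lol0;"))
        , ("lol2", concat (replicate 10 "&lol1;"))
        , ("lol3", concat (replicate 10 "&lol2;"))
        , ("lol4", concat (replicate 10 "&lol3;"))
        ]
      benign  = M.fromList [("company", "Example Corp")]
  print (expandEntities selfRef 16 10000 "<x>&a;</x>")
  print (expandEntities lol     16 10000 "<x>&lol4;</x>")
  print (expandEntities benign  16 10000 "<x>&company;</x>")
```

The self-referencing table is rejected as soon as `a` is met while `a` is already on the expansion stack, which is the infinite-loop case from the advisory; the nested table is rejected with `BudgetExceeded` before the full 30,000-character expansion is ever built, because each level is measured as it is assembled; the benign table expands normally. Checking the size per level rather than only on the final result is what keeps the work bounded.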
34 | -------------------------------------------------------------------------------- /advisories/hackage/xmonad-contrib/HSEC-2023-0003.md: -------------------------------------------------------------------------------- 1 | ```toml 2 | [advisory] 3 | id = "HSEC-2023-0003" 4 | cwe = [94] 5 | keywords = ["code", "injection", "historical"] 6 | aliases = ["CVE-2013-1436"] 7 | 8 | [[affected]] 9 | package = "xmonad-contrib" 10 | cvss = "AV:N/AC:L/Au:N/C:P/I:P/A:P" 11 | [[affected.versions]] 12 | introduced = "0.5" 13 | fixed = "0.11.2" 14 | 15 | [[references]] 16 | type = "ADVISORY" 17 | url = "https://security.gentoo.org/glsa/201405-28" 18 | [[references]] 19 | type = "DISCUSSION" 20 | url = "http://www.openwall.com/lists/oss-security/2013/07/26/5" 21 | [[references]] 22 | type = "FIX" 23 | url = "https://github.com/xmonad/xmonad-contrib/commit/d3b2a01e3d01ac628e7a3139dd55becbfa37cf51" 24 | ``` 25 | 26 | # code injection in *xmonad-contrib* 27 | 28 | The `XMonad.Hooks.DynamicLog` module in _xmonad-contrib_ before 29 | **0.11.2** allows remote attackers to execute arbitrary commands via a 30 | web page title, which activates the commands when the user clicks on 31 | the xmobar window title, as demonstrated using an action tag. 
32 | -------------------------------------------------------------------------------- /advisories/hackage/xz-clib/HSEC-2025-0003.md: -------------------------------------------------------------------------------- 1 | ```toml 2 | [advisory] 3 | id = "HSEC-2025-0003" 4 | cwe = [416] 5 | keywords = ["corruption", "vendored-code", "language-c"] 6 | aliases = ["CVE-2025-31115"] 7 | 8 | [[references]] 9 | type = "ARTICLE" 10 | url = "https://tukaani.org/xz/threaded-decoder-early-free.html" 11 | 12 | [[references]] 13 | type = "FIX" 14 | url = "https://github.com/tukaani-project/xz/commit/d5a2ffe41bb77b918a8c96084885d4dbe4bf6480" 15 | 16 | [[references]] 17 | type = "FIX" 18 | url = "https://github.com/hasufell/lzma-static/commit/e95fe96530568addfc83b771900025053e2c6951" 19 | 20 | [[affected]] 21 | package = "xz-clib" 22 | cvss = "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L" 23 | 24 | [[affected.versions]] 25 | introduced = "5.6.3" 26 | fixed = "5.8.1" 27 | ``` 28 | 29 | # Use after free in multithreaded lzma (.xz) decoder 30 | 31 | In XZ Utils 5.3.3alpha to 5.8.0, the multithreaded .xz decoder in 32 | liblzma has a bug where invalid input can at least result in a crash 33 | (CVE-2025-31115). The effects include heap use after free and 34 | writing to an address based on the null pointer plus an offset. 35 | Applications and libraries that use the `lzma_stream_decoder_mt` 36 | function are affected. 37 | 38 | The Haskell *xz-clib* library vendors and builds the C 39 | implementation. The *xz* package does not use the multithreaded 40 | decoder and is therefore unaffected. 
41 | -------------------------------------------------------------------------------- /advisories/reserved/.gitkeep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/haskell/security-advisories/14475351f69c10eb9a35107ad390b364d601397f/advisories/reserved/.gitkeep -------------------------------------------------------------------------------- /advisories/reserved/HSEC-2024-0004.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/haskell/security-advisories/14475351f69c10eb9a35107ad390b364d601397f/advisories/reserved/HSEC-2024-0004.md -------------------------------------------------------------------------------- /advisories/reserved/HSEC-2024-0005.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/haskell/security-advisories/14475351f69c10eb9a35107ad390b364d601397f/advisories/reserved/HSEC-2024-0005.md -------------------------------------------------------------------------------- /cabal.project: -------------------------------------------------------------------------------- 1 | packages: code/*/*.cabal 2 | 3 | package hsec-core 4 | package hsec-tools 5 | package cvss 6 | package osv 7 | 8 | test-show-details: direct 9 | -------------------------------------------------------------------------------- /code/LICENSE.txt: -------------------------------------------------------------------------------- 1 | The code in this directory is copyright 2023, The Haskell Foundation 2 | 3 | Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 4 | 5 | 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 6 | 7 | 2. 
Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 8 | 9 | 3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. 10 | 11 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 12 | -------------------------------------------------------------------------------- /code/README.md: -------------------------------------------------------------------------------- 1 | This directory contains code for working with advisories. 2 | -------------------------------------------------------------------------------- /code/cvss/CHANGELOG.md: -------------------------------------------------------------------------------- 1 | # 0.2 2 | 3 | Changed the CVSS v2 parser and printer to omit the "CVSS:2.0/" version prefix according to the spec. 
4 | 5 | # 0.1 6 | 7 | Introduction 8 | -------------------------------------------------------------------------------- /code/cvss/cvss.cabal: -------------------------------------------------------------------------------- 1 | cabal-version: 2.4 2 | name: cvss 3 | version: 0.2 4 | synopsis: Common Vulnerability Scoring System. 5 | description: 6 | Use this library to parse CVSS string and compute its score. 7 | 8 | license: BSD-3-Clause 9 | author: Tristan de Cacqueray 10 | maintainer: tdecacqu@redhat.com 11 | category: Data 12 | extra-doc-files: CHANGELOG.md 13 | tested-with: 14 | GHC ==8.10.7 || ==9.0.2 || ==9.2.8 || ==9.4.8 || ==9.6.6 || ==9.8.3 || ==9.10.1 || ==9.12.1 15 | 16 | library 17 | exposed-modules: Security.CVSS 18 | build-depends: 19 | , base >=4.14 && <5 20 | , text >=1.2 && <3 21 | 22 | hs-source-dirs: src 23 | default-language: Haskell2010 24 | ghc-options: 25 | -Wall -Wcompat -Widentities -Wincomplete-record-updates 26 | -Wincomplete-uni-patterns -Wpartial-fields -Wredundant-constraints 27 | 28 | test-suite spec 29 | type: exitcode-stdio-1.0 30 | hs-source-dirs: test 31 | main-is: Spec.hs 32 | build-depends: 33 | , base <5 34 | , cvss 35 | , tasty <1.6 36 | , tasty-hunit <1.0 37 | , text 38 | 39 | default-language: Haskell2010 40 | ghc-options: 41 | -Wall -Wcompat -Widentities -Wincomplete-record-updates 42 | -Wincomplete-uni-patterns -Wpartial-fields -Wredundant-constraints 43 | -------------------------------------------------------------------------------- /code/cvss/test/Spec.hs: -------------------------------------------------------------------------------- 1 | {-# LANGUAGE OverloadedStrings #-} 2 | 3 | module Main where 4 | 5 | import Control.Monad 6 | import Data.Text (Text) 7 | import qualified Security.CVSS as CVSS 8 | import Test.Tasty 9 | import Test.Tasty.HUnit 10 | 11 | main :: IO () 12 | main = defaultMain $ 13 | testCase "Security.CVSS" $ do 14 | forM_ examples $ \(cvssString, score, rating) -> do 15 | case CVSS.parseCVSS 
cvssString of 16 | Left e -> assertFailure (show e) 17 | Right cvss -> do 18 | CVSS.cvssScore cvss @?= (rating, score) 19 | CVSS.cvssVectorString cvss @?= cvssString 20 | CVSS.cvssVectorStringOrdered cvss @?= cvssString 21 | 22 | examples :: [(Text, Float, CVSS.Rating)] 23 | examples = 24 | [ ("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N", 5.8, CVSS.Medium) 25 | , ("CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", 6.4, CVSS.Medium) 26 | , ("CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", 3.1, CVSS.Low) 27 | , ("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", 6.1, CVSS.Medium) 28 | , ("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", 6.4, CVSS.Medium) 29 | , ("CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N", 3.1, CVSS.Low) 30 | , ("CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", 4.0, CVSS.Medium) 31 | , ("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", 9.9, CVSS.Critical) 32 | , ("CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", 4.2, CVSS.Medium) 33 | , ("AV:N/AC:L/Au:N/C:N/I:N/A:C", 7.8, CVSS.High) 34 | , ("AV:N/AC:L/Au:N/C:C/I:C/A:C", 10, CVSS.Critical) 35 | , ("AV:L/AC:H/Au:N/C:C/I:C/A:C", 6.2, CVSS.Medium) 36 | ] 37 | -------------------------------------------------------------------------------- /code/hsec-core/.gitignore: -------------------------------------------------------------------------------- 1 | ##### Haskell 2 | dist 3 | dist-* 4 | cabal-dev 5 | *.o 6 | *.hi 7 | *.hie 8 | *.chi 9 | *.chs.h 10 | *.dyn_o 11 | *.dyn_hi 12 | .hpc 13 | .hsenv 14 | .cabal-sandbox/ 15 | cabal.sandbox.config 16 | *.prof 17 | *.aux 18 | *.hp 19 | *.eventlog 20 | .stack-work/ 21 | cabal.project.local 22 | cabal.project.local~ 23 | .HTF/ 24 | .ghc.environment.* 25 | build 26 | bin-* 27 | 28 | result 29 | .direnv 30 | .env 31 | -------------------------------------------------------------------------------- /code/hsec-core/CHANGELOG.md: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/haskell/security-advisories/14475351f69c10eb9a35107ad390b364d601397f/code/hsec-core/CHANGELOG.md -------------------------------------------------------------------------------- /code/hsec-core/README.md: -------------------------------------------------------------------------------- 1 | # hsec-core 2 | 3 | `hsec-core` aims to support the [Haskell advisories database](https://github.com/haskell/security-advisories). 4 | 5 | ## Building 6 | 7 | We aim to support both regular cabal-based and nix-based builds. 8 | 9 | ## Testing 10 | 11 | Run (and auto update) the golden test: 12 | 13 | ```ShellSession 14 | cabal test -O0 --test-show-details=direct --test-option=--accept 15 | ``` 16 | -------------------------------------------------------------------------------- /code/hsec-core/hsec-core.cabal: -------------------------------------------------------------------------------- 1 | cabal-version: 2.4 2 | name: hsec-core 3 | version: 0.2.0.1 4 | 5 | -- A short (one-line) description of the package. 6 | synopsis: Core package representing Haskell advisories 7 | 8 | -- A longer description of the package. 9 | description: Core package representing Haskell advisories. 10 | 11 | -- A URL where users can report bugs. 12 | -- bug-reports: 13 | 14 | -- The license under which the package is released. 15 | license: BSD-3-Clause 16 | author: Haskell Security Response Team 17 | maintainer: security-advisories@haskell.org 18 | 19 | -- A copyright notice. 
20 | -- copyright: 21 | category: Data 22 | extra-doc-files: CHANGELOG.md 23 | 24 | tested-with: 25 | GHC ==8.10.7 || ==9.0.2 || ==9.2.8 || ==9.4.8 || ==9.6.6 || ==9.8.3 || ==9.10.1 || ==9.12.1 26 | 27 | library 28 | exposed-modules: 29 | Security.Advisories.Core.Advisory 30 | Security.Advisories.Core.HsecId 31 | 32 | build-depends: 33 | , base >=4.14 && <5 34 | , Cabal-syntax >=3.8.1.0 && <3.15 35 | , cvss >= 0.2 && < 0.3 36 | , osv >= 0.1 && < 0.2 37 | , pandoc-types >=1.22 && <2 38 | , safe >=0.3 && <0.4 39 | , text >=1.2 && <3 40 | , time >=1.9 && <1.15 41 | hs-source-dirs: src 42 | default-language: Haskell2010 43 | ghc-options: 44 | -Wall -Wcompat -Widentities -Wincomplete-record-updates 45 | -Wincomplete-uni-patterns -Wpartial-fields -Wredundant-constraints 46 | 47 | test-suite spec 48 | type: exitcode-stdio-1.0 49 | hs-source-dirs: test 50 | main-is: Spec.hs 51 | build-depends: 52 | , base 53 | , cvss 54 | , hsec-core 55 | , tasty <1.5 56 | , tasty-hunit <0.11 57 | , text 58 | 59 | default-language: Haskell2010 60 | ghc-options: 61 | -Wall -Wcompat -Widentities -Wincomplete-record-updates 62 | -Wincomplete-uni-patterns -Wpartial-fields -Wredundant-constraints 63 | -------------------------------------------------------------------------------- /code/hsec-core/src/Security/Advisories/Core/Advisory.hs: -------------------------------------------------------------------------------- 1 | {-# LANGUAGE DerivingVia, OverloadedStrings #-} 2 | 3 | module Security.Advisories.Core.Advisory 4 | ( Advisory(..) 5 | -- * Supporting types 6 | , Affected(..) 7 | , CAPEC(..) 8 | , CWE(..) 9 | , Architecture(..) 10 | , AffectedVersionRange(..) 11 | , OS(..) 12 | , Keyword(..) 13 | , ComponentIdentifier(..) 14 | , GHCComponent(..) 
15 | , ghcComponentToText 16 | , ghcComponentFromText 17 | ) 18 | where 19 | 20 | import Data.Text (Text) 21 | import Data.Time (UTCTime) 22 | import Distribution.Types.Version (Version) 23 | import Distribution.Types.VersionRange (VersionRange) 24 | 25 | import Text.Pandoc.Definition (Pandoc) 26 | 27 | import Security.Advisories.Core.HsecId (HsecId) 28 | import qualified Security.CVSS as CVSS 29 | import Security.OSV (Reference) 30 | 31 | data Advisory = Advisory 32 | { advisoryId :: HsecId 33 | , advisoryModified :: UTCTime 34 | , advisoryPublished :: UTCTime 35 | , advisoryCAPECs :: [CAPEC] 36 | , advisoryCWEs :: [CWE] 37 | , advisoryKeywords :: [Keyword] 38 | , advisoryAliases :: [Text] 39 | , advisoryRelated :: [Text] 40 | , advisoryAffected :: [Affected] 41 | , advisoryReferences :: [Reference] 42 | , advisoryPandoc :: Pandoc -- ^ Parsed document, without TOML front matter 43 | , advisoryHtml :: Text 44 | , advisorySummary :: Text 45 | -- ^ A one-line, English textual summary of the vulnerability 46 | , advisoryDetails :: Text 47 | -- ^ Details of the vulnerability (CommonMark), without TOML front matter 48 | } 49 | deriving stock (Show) 50 | 51 | data ComponentIdentifier = Hackage Text | GHC GHCComponent 52 | deriving stock (Show, Eq) 53 | 54 | -- Keep this list in sync with the 'ghcComponentFromText' below 55 | data GHCComponent = GHCCompiler | GHCi | GHCRTS | GHCPkg | RunGHC | IServ | HP2PS | HPC | HSC2HS | Haddock 56 | deriving stock (Show, Eq, Enum, Bounded) 57 | 58 | ghcComponentToText :: GHCComponent -> Text 59 | ghcComponentToText c = case c of 60 | GHCCompiler -> "ghc" 61 | GHCi -> "ghci" 62 | GHCRTS -> "rts" 63 | GHCPkg -> "ghc-pkg" 64 | RunGHC -> "runghc" 65 | IServ -> "ghc-iserv" 66 | HP2PS -> "hp2ps" 67 | HPC -> "hpc" 68 | HSC2HS -> "hsc2hs" 69 | Haddock -> "haddock" 70 | 71 | ghcComponentFromText :: Text -> Maybe GHCComponent 72 | ghcComponentFromText c = case c of 73 | "ghc" -> Just GHCCompiler 74 | "ghci" -> Just GHCi 75 | "rts" -> Just GHCRTS 
76 | "ghc-pkg" -> Just GHCPkg 77 | "runghc" -> Just RunGHC 78 | "ghc-iserv" -> Just IServ 79 | "hp2ps" -> Just HP2PS 80 | "hpc" -> Just HPC 81 | "hsc2hs" -> Just HSC2HS 82 | "haddock" -> Just Haddock 83 | _ -> Nothing 84 | 85 | -- | An affected package (or package component). An 'Advisory' must 86 | -- mention one or more packages. 87 | data Affected = Affected 88 | { affectedComponentIdentifier :: ComponentIdentifier 89 | , affectedCVSS :: CVSS.CVSS 90 | , affectedVersions :: [AffectedVersionRange] 91 | , affectedArchitectures :: Maybe [Architecture] 92 | , affectedOS :: Maybe [OS] 93 | , affectedDeclarations :: [(Text, VersionRange)] 94 | } 95 | deriving stock (Eq, Show) 96 | 97 | newtype CAPEC = CAPEC {unCAPEC :: Integer} 98 | deriving stock (Eq, Show) 99 | 100 | newtype CWE = CWE {unCWE :: Integer} 101 | deriving stock (Eq, Show) 102 | 103 | data Architecture 104 | = AArch64 105 | | Alpha 106 | | Arm 107 | | HPPA 108 | | HPPA1_1 109 | | I386 110 | | IA64 111 | | M68K 112 | | MIPS 113 | | MIPSEB 114 | | MIPSEL 115 | | NIOS2 116 | | PowerPC 117 | | PowerPC64 118 | | PowerPC64LE 119 | | RISCV32 120 | | RISCV64 121 | | RS6000 122 | | S390 123 | | S390X 124 | | SH4 125 | | SPARC 126 | | SPARC64 127 | | VAX 128 | | X86_64 129 | deriving stock (Eq, Show, Enum, Bounded) 130 | 131 | data OS 132 | = Windows 133 | | MacOS 134 | | Linux 135 | | FreeBSD 136 | | Android 137 | | NetBSD 138 | | OpenBSD 139 | deriving stock (Eq, Show, Enum, Bounded) 140 | 141 | newtype Keyword = Keyword {unKeyword :: Text} 142 | deriving stock (Eq, Ord) 143 | deriving (Show) via Text 144 | 145 | data AffectedVersionRange = AffectedVersionRange 146 | { affectedVersionRangeIntroduced :: Version, 147 | affectedVersionRangeFixed :: Maybe Version 148 | } 149 | deriving stock (Eq, Show) 150 | -------------------------------------------------------------------------------- /code/hsec-core/src/Security/Advisories/Core/HsecId.hs: 
-------------------------------------------------------------------------------- 1 | module Security.Advisories.Core.HsecId 2 | ( 3 | HsecId 4 | , hsecIdYear 5 | , hsecIdSerial 6 | , mkHsecId 7 | , placeholder 8 | , isPlaceholder 9 | , parseHsecId 10 | , printHsecId 11 | , nextHsecId 12 | , getNextHsecId 13 | ) where 14 | 15 | import Control.Monad (guard, join) 16 | 17 | import Data.Time (getCurrentTime, utctDay) 18 | import Data.Time.Calendar.OrdinalDate (toOrdinalDate) 19 | 20 | import Safe (readMay) 21 | 22 | data HsecId = HsecId Integer Integer 23 | deriving (Eq, Ord) 24 | 25 | instance Show HsecId where 26 | show = printHsecId 27 | 28 | -- | Make an 'HsecId'. Year and serial must both be positive, or 29 | -- else both must be zero (the 'placeholder'). 30 | mkHsecId 31 | :: Integer -- ^ Year 32 | -> Integer -- ^ Serial number within year 33 | -> Maybe HsecId 34 | mkHsecId y n 35 | | y > 0 && n > 0 || y == 0 && n == 0 = Just $ HsecId y n 36 | | otherwise = Nothing 37 | 38 | hsecIdYear :: HsecId -> Integer 39 | hsecIdYear (HsecId y _) = y 40 | 41 | hsecIdSerial :: HsecId -> Integer 42 | hsecIdSerial (HsecId _ n) = n 43 | 44 | -- | The placeholder ID: __HSEC-0000-0000__. 45 | -- See also 'isPlaceholder'. 46 | placeholder :: HsecId 47 | placeholder = HsecId 0 0 48 | 49 | -- | Test whether an ID is the 'placeholder' 50 | isPlaceholder :: HsecId -> Bool 51 | isPlaceholder = (==) placeholder 52 | 53 | -- | Parse an 'HsecId'. The 'placeholder' is accepted. 
54 | parseHsecId :: String -> Maybe HsecId 55 | parseHsecId s = case s of 56 | 'H':'S':'E':'C':'-':t -> 57 | let 58 | (y, t') = break (== '-') t 59 | n = drop 1 t' 60 | in do 61 | guard $ length y >= 4 -- year must have at least 4 digits 62 | guard $ length n >= 4 -- serial must have at least 4 digits 63 | join $ mkHsecId <$> readMay y <*> readMay n 64 | _ -> Nothing 65 | 66 | printHsecId :: HsecId -> String 67 | printHsecId (HsecId y n) = "HSEC-" <> pad (show y) <> "-" <> pad (show n) 68 | where 69 | pad s = replicate (4 - length s) '0' <> s 70 | 71 | -- | Given a year and an HSEC ID, return a larger HSEC ID. This 72 | -- function, when given the current year and the greatest allocated 73 | -- HSEC ID, returns the next HSEC ID to allocate. 74 | -- 75 | nextHsecId 76 | :: Integer -- ^ Current year 77 | -> HsecId 78 | -> HsecId 79 | nextHsecId curYear (HsecId idYear n) 80 | | curYear > idYear = HsecId curYear 1 81 | | otherwise = HsecId idYear (n + 1) 82 | 83 | -- | Get the current time, and return an HSEC ID greater than the 84 | -- given HSEC ID. The year of the returned HSEC ID is the current 85 | -- year. 
86 | -- 87 | getNextHsecId 88 | :: HsecId 89 | -> IO HsecId 90 | getNextHsecId oldId = do 91 | t <- getCurrentTime 92 | let (year, _dayOfYear) = toOrdinalDate (utctDay t) 93 | pure $ nextHsecId year oldId 94 | -------------------------------------------------------------------------------- /code/hsec-core/test/Spec.hs: -------------------------------------------------------------------------------- 1 | module Main where 2 | 3 | import Test.Tasty 4 | 5 | main :: IO () 6 | main = 7 | defaultMain $ 8 | testGroup 9 | "Tests" 10 | [] 11 | -------------------------------------------------------------------------------- /code/hsec-sync/.gitignore: -------------------------------------------------------------------------------- 1 | ##### Haskell 2 | dist 3 | dist-* 4 | cabal-dev 5 | *.o 6 | *.hi 7 | *.hie 8 | *.chi 9 | *.chs.h 10 | *.dyn_o 11 | *.dyn_hi 12 | .hpc 13 | .hsenv 14 | .cabal-sandbox/ 15 | cabal.sandbox.config 16 | *.prof 17 | *.aux 18 | *.hp 19 | *.eventlog 20 | .stack-work/ 21 | cabal.project.local 22 | cabal.project.local~ 23 | .HTF/ 24 | .ghc.environment.* 25 | build 26 | bin-* 27 | 28 | result 29 | .direnv 30 | .env 31 | -------------------------------------------------------------------------------- /code/hsec-sync/CHANGELOG.md: -------------------------------------------------------------------------------- 1 | ## 0.2.0.0 2 | 3 | * Rewrite, using `hsec-tools` snapshots 4 | 5 | ## 0.1.0.0 6 | 7 | * Introduction, `git`-based 8 | -------------------------------------------------------------------------------- /code/hsec-sync/README.md: -------------------------------------------------------------------------------- 1 | # hsec-sync 2 | 3 | Synchronize with the [Haskell advisories database](https://github.com/haskell/security-advisories). 4 | 5 | ## Building 6 | 7 | We aim to support both regular cabal-based and nix-based builds. 
8 | 9 | ## Design 10 | 11 | [hsec-tools](../hsec-tools/) is the main entry point for dealing with [security advisories](https://github.com/haskell/security-advisories). 12 | 13 | Library implementors and service providers will mainly be interested in 14 | `Security.Advisories.Queries` and `hsec-tools query`, which allow querying 15 | a directory containing the advisories. 16 | 17 | There are two ways to keep this local directory up to date: 18 | 19 | * Manually (using `git`, or fetching an archive from GitHub) 20 | * Relying on `hsec-sync` (either via `Security.Advisories.Sync.sync` or `hsec-sync sync`) 21 | 22 | ![overview](./overview.png) 23 | 24 | The recommended workflow is: 25 | 26 | 1. Use `hsec-sync` to ensure an up-to-date advisories directory (created or updated) 27 | 2. Use `hsec-tools` to perform queries against it 28 | 29 | ![recommended-workflow](./recommended-workflow.png) 30 | -------------------------------------------------------------------------------- /code/hsec-sync/app/Main.hs: -------------------------------------------------------------------------------- 1 | {-# LANGUAGE OverloadedStrings #-} 2 | 3 | module Main where 4 | 5 | import Control.Monad (join) 6 | import Options.Applicative 7 | import Security.Advisories.Sync 8 | import System.Exit (die) 9 | import System.IO (hPutStrLn, stderr) 10 | 11 | main :: IO () 12 | main = 13 | join $ 14 | customExecParser 15 | (prefs showHelpOnEmpty) 16 | cliOpts 17 | 18 | cliOpts :: ParserInfo (IO ()) 19 | cliOpts = info (commandsParser <**> helper) (fullDesc <> header "Haskell Advisories tools") 20 | where 21 | commandsParser :: Parser (IO ()) 22 | commandsParser = 23 | hsubparser 24 | ( command "sync" (info commandSync (progDesc "Synchronize a local Haskell Security Advisory repository snapshot")) 25 | <> command "status" (info commandStatus (progDesc "Check the status of a local Haskell Security Advisory repository snapshot")) 26 | ) 27 | 28 | commandSync :: Parser (IO ()) 29 | 
commandSync = go <$> repositoryParser 30 | where 31 | go snapshot = do 32 | result <- sync snapshot 33 | case result of 34 | Left e -> 35 | die e 36 | Right s -> do 37 | putStrLn $ 38 | "Snapshot at " 39 | <> show (snapshotRoot snapshot) 40 | <> " from " 41 | <> show (getSnapshotUrl $ snapshotUrl snapshot) 42 | putStrLn $ 43 | case s of 44 | Created -> "Snapshot just created" 45 | Updated -> "Snapshot updated" 46 | AlreadyUpToDate -> "Snapshot already up-to-date" 47 | 48 | commandStatus :: Parser (IO ()) 49 | commandStatus = go <$> repositoryParser 50 | where 51 | go snapshot = do 52 | result <- status snapshot 53 | hPutStrLn stderr $ 54 | case result of 55 | DirectoryMissing -> "Directory is missing" 56 | DirectoryIncoherent -> "Directory is incoherent" 57 | DirectoryUpToDate -> "Repository is up-to-date" 58 | DirectoryOutDated -> "Repository is out-dated" 59 | 60 | repositoryParser :: Parser Snapshot 61 | repositoryParser = 62 | mkSnapshotSnapshot 63 | <$> strOption 64 | ( long "snapshot-root" 65 | <> short 'd' 66 | <> metavar "SNAPSHOT-ROOT" 67 | <> value (snapshotRoot defaultSnapshot) 68 | ) 69 | <*> (fmap Left repositoryGithubParser <|> fmap Right repositoryUrlParser) 70 | where mkSnapshotSnapshot root params = 71 | case params of 72 | Left (repoUrl, repoBranch) -> 73 | githubSnapshot root repoUrl repoBranch 74 | Right snapshotUrl' -> 75 | Snapshot 76 | { snapshotRoot = root, 77 | snapshotUrl = SnapshotUrl snapshotUrl' 78 | } 79 | 80 | 81 | repositoryGithubParser :: Parser (String, String) 82 | repositoryGithubParser = 83 | (,) 84 | <$> strOption 85 | ( long "repository-url" 86 | <> short 'r' 87 | <> metavar "REPOSITORY-URL" 88 | <> value "https://github.com/haskell/security-advisories" 89 | ) 90 | <*> strOption 91 | ( long "repository-branch" 92 | <> short 'b' 93 | <> metavar "REPOSITORY-BRANCH" 94 | <> value "generated/snapshot-export" 95 | ) 96 | 97 | repositoryUrlParser :: Parser String 98 | repositoryUrlParser = 99 | strOption 100 | ( long "archive-url" 
101 | <> short 'u' 102 | <> metavar "ARCHIVE-URL" 103 | ) 104 | -------------------------------------------------------------------------------- /code/hsec-sync/hsec-sync.cabal: -------------------------------------------------------------------------------- 1 | cabal-version: 2.4 2 | name: hsec-sync 3 | version: 0.2.0.1 4 | 5 | -- A short (one-line) description of the package. 6 | synopsis: Synchronize with the Haskell security advisory database 7 | 8 | -- A longer description of the package. 9 | description: Synchronize with the Haskell security advisory database. 10 | 11 | -- A URL where users can report bugs. 12 | -- bug-reports: 13 | 14 | -- The license under which the package is released. 15 | license: BSD-3-Clause 16 | author: Gautier DI FOLCO 17 | maintainer: gautier.difolco@gmail.com 18 | 19 | -- A copyright notice. 20 | -- copyright: 21 | category: Data 22 | extra-doc-files: CHANGELOG.md, overview.png, recommended-workflow.png 23 | tested-with: 24 | GHC ==8.10.7 || ==9.0.2 || ==9.2.8 || ==9.4.8 || ==9.6.6 || ==9.8.3 || ==9.10.1 || ==9.12.1 25 | 26 | library 27 | exposed-modules: Security.Advisories.Sync 28 | other-modules: 29 | Security.Advisories.Sync.Snapshot 30 | Security.Advisories.Sync.Url 31 | 32 | build-depends: 33 | , aeson >=2.0 && <3 34 | , base >=4.14 && <5 35 | , bytestring >=0.10 && <0.13 36 | , directory >=1.3 && <1.4 37 | , either >=5.0 && <5.1 38 | , extra >=1.7 && <1.9 39 | , filepath >=1.4 && <1.6 40 | , hsec-core ^>=0.2 41 | , http-client >=0.7.0 && <0.8 42 | , lens >=5.1 && <5.4 43 | , tar >=0.5 && <0.7 44 | , temporary >=1 && <2 45 | , text >=1.2 && <3 46 | , time >=1.9 && <1.15 47 | , transformers >=0.5 && <0.7 48 | , wreq >=0.5 && <0.6 49 | , zlib >=0.6 && <0.8 50 | 51 | hs-source-dirs: src 52 | default-language: Haskell2010 53 | ghc-options: 54 | -Wall -Wcompat -Widentities -Wincomplete-record-updates 55 | -Wincomplete-uni-patterns -Wpartial-fields -Wredundant-constraints 56 | 57 | executable hsec-sync 58 | main-is: Main.hs 59 | 60 
| -- Modules included in this executable, other than Main. 61 | -- other-modules: 62 | 63 | -- LANGUAGE extensions used by modules in this package. 64 | -- other-extensions: 65 | build-depends: 66 | , aeson >=2.0.1.0 && <3 67 | , base >=4.14 && <5 68 | , bytestring >=0.10 && <0.13 69 | , filepath >=1.4 && <1.6 70 | , hsec-sync 71 | , optparse-applicative >=0.17 && <0.19 72 | , text >=1.2 && <3 73 | 74 | hs-source-dirs: app 75 | default-language: Haskell2010 76 | ghc-options: 77 | -Wall -Wcompat -Widentities -Wincomplete-record-updates 78 | -Wincomplete-uni-patterns -Wpartial-fields -Wredundant-constraints 79 | 80 | test-suite spec 81 | type: exitcode-stdio-1.0 82 | hs-source-dirs: test 83 | main-is: Spec.hs 84 | other-modules: Spec.SyncSpec 85 | build-depends: 86 | , base 87 | , directory 88 | , filepath 89 | , hsec-sync 90 | , tasty <1.5 91 | , tasty-hunit <0.11 92 | , temporary >=1 && <2 93 | , text 94 | , time 95 | 96 | default-language: Haskell2010 97 | ghc-options: 98 | -Wall -Wcompat -Widentities -Wincomplete-record-updates 99 | -Wincomplete-uni-patterns -Wpartial-fields -Wredundant-constraints 100 | -------------------------------------------------------------------------------- /code/hsec-sync/overview.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/haskell/security-advisories/14475351f69c10eb9a35107ad390b364d601397f/code/hsec-sync/overview.png -------------------------------------------------------------------------------- /code/hsec-sync/recommended-workflow.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/haskell/security-advisories/14475351f69c10eb9a35107ad390b364d601397f/code/hsec-sync/recommended-workflow.png -------------------------------------------------------------------------------- /code/hsec-sync/src/Security/Advisories/Sync.hs: 
-------------------------------------------------------------------------------- 1 | {-# LANGUAGE DerivingStrategies #-} 2 | {-# LANGUAGE LambdaCase #-} 3 | 4 | module Security.Advisories.Sync 5 | ( Snapshot (..), 6 | SnapshotUrl (..), 7 | defaultSnapshot, 8 | githubSnapshot, 9 | SyncStatus (..), 10 | sync, 11 | RepositoryStatus (..), 12 | status, 13 | ) 14 | where 15 | 16 | import Control.Monad.IO.Class (liftIO) 17 | import Control.Monad.Trans.Except (runExceptT, withExceptT) 18 | import Security.Advisories.Sync.Snapshot 19 | import Security.Advisories.Sync.Url 20 | 21 | data Snapshot = Snapshot 22 | { snapshotRoot :: FilePath, 23 | snapshotUrl :: SnapshotUrl 24 | } 25 | 26 | defaultSnapshot :: Snapshot 27 | defaultSnapshot = 28 | githubSnapshot 29 | "security-advisories" 30 | "https://github.com/haskell/security-advisories" 31 | "generated/snapshot-export" 32 | 33 | githubSnapshot :: FilePath -> String -> String -> Snapshot 34 | githubSnapshot root repoUrl repoBranch = 35 | Snapshot 36 | { snapshotRoot = root, 37 | snapshotUrl = SnapshotUrl $ ensureFile (mkUrl [repoUrl, "archive/refs/heads", repoBranch]) <> ".tar.gz" 38 | } 39 | 40 | data SyncStatus 41 | = Created 42 | | Updated 43 | | AlreadyUpToDate 44 | deriving stock (Eq, Show) 45 | 46 | sync :: Snapshot -> IO (Either String SyncStatus) 47 | sync s = 48 | runExceptT $ do 49 | snapshotStatus <- liftIO $ snapshotRepositoryStatus $ snapshotRoot s 50 | ensuredStatus <- withExceptT explainSnapshotError $ ensureSnapshot (snapshotRoot s) (snapshotUrl s) snapshotStatus 51 | case ensuredStatus of 52 | SnapshotRepositoryCreated -> 53 | return Created 54 | SnapshotRepositoryExisting -> do 55 | repoStatus <- liftIO $ status' s snapshotStatus 56 | if repoStatus == DirectoryOutDated 57 | then do 58 | withExceptT explainSnapshotError $ overwriteSnapshot (snapshotRoot s) (snapshotUrl s) 59 | return Updated 60 | else return AlreadyUpToDate 61 | 62 | data RepositoryStatus 63 | = DirectoryMissing 64 | | -- | Used when expected 
files/directories are missing or not readable
65 |     DirectoryIncoherent
66 |   | DirectoryUpToDate
67 |   | DirectoryOutDated
68 |   deriving stock (Eq, Show)
69 | 
70 | status :: Snapshot -> IO RepositoryStatus
71 | status s =
72 |   status' s =<< snapshotRepositoryStatus (snapshotRoot s)
73 | 
74 | status' :: Snapshot -> SnapshotRepositoryStatus -> IO RepositoryStatus
75 | status' s =
76 |   \case
77 |     SnapshotDirectoryMissing ->
78 |       return DirectoryMissing
79 |     SnapshotDirectoryIncoherent ->
80 |       return DirectoryIncoherent
81 |     SnapshotDirectoryInitialized -> do
82 |       snapshotInfo <- getDirectorySnapshotInfo $ snapshotRoot s
83 |       case snapshotInfo of
84 |         Left _ ->
85 |           return DirectoryOutDated
86 |         Right info -> do
87 |           update <- runExceptT $ latestUpdate $ snapshotUrl s
88 |           return $
89 |             case update of
90 |               Right latestETag | latestETag == etag info ->
91 |                 DirectoryUpToDate
92 |               _ ->
93 |                 DirectoryOutDated
94 | 
--------------------------------------------------------------------------------
/code/hsec-sync/src/Security/Advisories/Sync/Url.hs:
--------------------------------------------------------------------------------
1 | {-# LANGUAGE LambdaCase #-}
2 | module Security.Advisories.Sync.Url
3 |   ( mkUrl
4 |   , ensureFile
5 |   )
6 | where
7 | 
8 | -- | Join URL path segments, collapsing duplicate slashes at the joins.
9 | mkUrl :: [String] -> String
10 | mkUrl = foldl1 (</>)
11 | 
12 | infixr 5 </>
13 | 
14 | -- | Join two URL path components with exactly one '/' between them.
15 | (</>) :: String -> String -> String
16 | "/" </> ('/' : ys) = '/' : ys
17 | "/" </> ys = '/' : ys
18 | "" </> ('/' : ys) = '/' : ys
19 | "" </> ys = '/' : ys
20 | [x] </> ('/' : ys) = x : '/' : ys
21 | [x] </> ys = x : '/' : ys
22 | (x0 : x1 : xs) </> ys = x0 : ((x1 : xs) </> ys)
23 | 
24 | -- | Drop a single trailing '/' so the URL names a file, not a directory.
25 | ensureFile :: String -> String
26 | ensureFile =
27 |   \case
28 |     "" -> ""
29 |     "/" -> ""
30 |     (x:xs) -> x : ensureFile xs
31 | 
--------------------------------------------------------------------------------
/code/hsec-sync/test/Spec.hs:
--------------------------------------------------------------------------------
1 | {-# LANGUAGE OverloadedStrings #-}
2 | 
3 | module Main where
4 | 
5 | import Test.Tasty
6 | 
7 | import qualified Spec.SyncSpec as SyncSpec
8 | 
9 | main :: IO ()
10 | main = do
11 |   defaultMain $
12 |     testGroup "Tests"
13 |       [ SyncSpec.spec
14 |       ]
15 | 
--------------------------------------------------------------------------------
/code/hsec-sync/test/Spec/SyncSpec.hs:
--------------------------------------------------------------------------------
1 | {-# LANGUAGE OverloadedStrings #-}
2 | 
3 | module Spec.SyncSpec (spec) where
4 | 
5 | import Control.Monad (unless)
6 | import Data.Bifunctor (first)
7 | import Security.Advisories.Sync
8 | import qualified System.Directory as D
9 | import System.Environment (lookupEnv)
10 | import System.FilePath ((</>))
11 | import System.IO.Temp (withSystemTempDirectory)
12 | import Test.Tasty
13 | import Test.Tasty.HUnit
14 | 
15 | spec :: TestTree
16 | spec = testGroup "Sync" []
17 | 
18 | -- Network-dependent cases, kept out of the default suite (see 'spec').
19 | _spec :: TestTree
20 | _spec =
21 |   testGroup
22 |     "Sync"
23 |     [ testGroup
24 |         "sync"
25 |         [ testCase "Invalid root should fail" $ do
26 |             let snapshot = snapshotAt "/dev/advisories"
27 |             status snapshot >>= (@?= DirectoryMissing)
28 |             isGitHubActionRunner <- lookupEnv "GITHUB_ACTIONS"
29 |             unless (isGitHubActionRunner == Just "true") $ do
30 |               -- GitHub Action runners let you write anywhere
31 |               result <- sync snapshot
32 |               first (const ("" :: String)) result @?= Left ""
33 |               status snapshot >>= (@?= DirectoryMissing),
34 |           testCase "Subdirectory creation should work" $
35 |             withSystemTempDirectory "hsec-sync" $ \p -> do
36 |               let snapshot = snapshotAt $ p </> "snapshot"
37 |               status snapshot >>= (@?= DirectoryMissing)
38 |               result <- sync snapshot
39 |               result @?= Right Created
40 |               status snapshot >>= (@?= DirectoryUpToDate),
41 |           testCase "With existing subdirectory creation should work" $
42 |             withSystemTempDirectory "hsec-sync" $ \p -> do
43 |               D.createDirectory $ p </> "snapshot"
44 |               let snapshot = snapshotAt $ p </> "snapshot"
45 |               result <- sync snapshot
46 |               result @?= Right Created,
47 |           testCase "Sync twice should be a no-op" $
48 |             withSystemTempDirectory "hsec-sync" $ \p -> do
49 |               let snapshot = snapshotAt p
50 |               status snapshot >>= (@?= DirectoryIncoherent)
51 |               resultCreate <- sync snapshot
52 |               resultCreate @?= Right Created
53 |               resultResync <- sync snapshot
54 |               resultResync @?= Right AlreadyUpToDate,
55 |           testCase "Sync behind should update" $
56 |             withSystemTempDirectory "hsec-sync" $ \p -> do
57 |               let snapshot = snapshotAt p
58 |               resultCreate <- sync snapshot
59 |               resultCreate @?= Right Created
60 |               writeFile
61 |                 (p </> "snapshot.json")
62 |                 "{\"latestUpdate\":\"2020-03-11T12:26:51Z\",\"snapshotVersion\":\"0.1.0.0\"}"
63 |               status snapshot >>= (@?= DirectoryOutDated)
64 |               resultResync <- sync snapshot
65 |               resultResync @?= Right Updated
66 |               status snapshot >>= (@?= DirectoryUpToDate),
67 |           testCase "Sync a broken snapshot.json" $
68 |             withSystemTempDirectory "hsec-sync" $ \p -> do
69 |               let snapshot = snapshotAt p
70 |               resultCreate <- sync snapshot
71 |               resultCreate @?= Right Created
72 |               -- deliberately misspelled key: the metadata must fail to parse
73 |               writeFile
74 |                 (p </> "snapshot.json")
75 |                 "{\"latestpdate\":\"2020-03-11T12:26:51Z\",\"snapshotVersion\":\"0.1.0.0\"}"
76 |               status snapshot >>= (@?= DirectoryIncoherent)
77 |               resultResync <- sync snapshot
78 |               resultResync @?= Right Updated
79 |               status snapshot >>= (@?= DirectoryUpToDate),
80 |           testCase "Sync a deleted snapshot.json" $
81 |             withSystemTempDirectory "hsec-sync" $ \p -> do
82 |               let snapshot = snapshotAt p
83 |               resultCreate <- sync snapshot
84 |               resultCreate @?= Right Created
85 |               D.removeFile (p </> "snapshot.json")
86 |               status snapshot >>= (@?= DirectoryOutDated)
87 |               resultResync <- sync snapshot
88 |               resultResync @?= Right Updated
89 |               status snapshot >>= (@?= DirectoryIncoherent)
90 |         ]
91 |     ]
92 | 
93 | snapshotAt :: FilePath -> Snapshot
94 | snapshotAt root =
95 |   defaultSnapshot {snapshotRoot = root}
96 | 
--------------------------------------------------------------------------------
/code/hsec-tools/.gitignore:
--------------------------------------------------------------------------------
1 | ##### Haskell
2 | dist
3 | dist-*
4 | cabal-dev
5 | *.o
6 | *.hi
7 | *.hie
8 | *.chi
9 | *.chs.h
10 | *.dyn_o
11 | *.dyn_hi
12 | .hpc
13 | .hsenv
14 | .cabal-sandbox/
15 | cabal.sandbox.config
16 | *.prof
17 | *.aux
18 | *.hp
19 | *.eventlog
20 | .stack-work/
21 | cabal.project.local
22 | cabal.project.local~
23 | .HTF/
24 | .ghc.environment.*
25 | build
26 | bin-*
27 | 
28 | result
29 | .direnv
30 | .env
31 | 
--------------------------------------------------------------------------------
/code/hsec-tools/CHANGELOG.md:
--------------------------------------------------------------------------------
1 | ## 0.2.0.1
2 | 
3 | - Rework HTML/Atom generation, use `atom-conduit` instead of `feed`
4 | 
5 | ## 0.1.1.0
6 | 
7 | - Redesign index
8 | 
--------------------------------------------------------------------------------
/code/hsec-tools/README.md:
--------------------------------------------------------------------------------
1 | # hsec-tools
2 | 
3 | `hsec-tools` aims to support the [Haskell security advisories database](https://github.com/haskell/security-advisories).
4 | 
5 | ## Building
6 | 
7 | We aim to support both regular cabal-based and nix-based builds.
8 | 
9 | ## Testing
10 | 
11 | Run (and auto-update) the golden tests:
12 | 
13 | ```ShellSession
14 | cabal test -O0 --test-show-details=direct --test-option=--accept
15 | ```
16 | 
--------------------------------------------------------------------------------
/code/hsec-tools/app/Command/NextID.hs:
--------------------------------------------------------------------------------
1 | module Command.NextID where
2 | 
3 | import Security.Advisories.Core.HsecId (printHsecId, getNextHsecId)
4 | import Security.Advisories.Filesystem (getGreatestId)
5 | 
6 | import Util (ensureRepo)
7 | 
8 | runNextIDCommand :: Maybe FilePath -> IO ()
9 | runNextIDCommand mPath =
10 |   ensureRepo mPath >>= getGreatestId >>= getNextHsecId >>= putStrLn . printHsecId
11 | 
--------------------------------------------------------------------------------
/code/hsec-tools/app/Command/Reserve.hs:
--------------------------------------------------------------------------------
1 | {-# LANGUAGE LambdaCase #-}
2 | 
3 | module Command.Reserve where
4 | 
5 | import Control.Monad (when)
6 | import System.Exit (die)
7 | import System.FilePath ((</>), (<.>))
8 | 
9 | import Security.Advisories.Git
10 |   ( add
11 |   , commit
12 |   , explainGitError
13 |   )
14 | import Security.Advisories.Core.HsecId
15 |   ( placeholder
16 |   , printHsecId
17 |   , getNextHsecId
18 |   )
19 | import Security.Advisories.Filesystem
20 |   ( dirNameAdvisories
21 |   , dirNameReserved
22 |   , getGreatestId
23 |   )
24 | 
25 | import Util (ensureRepo)
26 | 
27 | -- | How to choose IDs when creating advisories or
28 | -- reservations.
29 | data IdMode
30 |   = IdModePlaceholder
31 |   -- ^ Create a placeholder ID (e.g. HSEC-0000-0000). Real IDs
32 |   -- will be assigned later.
33 |   | IdModeAuto
34 |   -- ^ Use the next available ID. This option is more likely to
35 |   -- result in conflicts when submitting advisories or reservations.
36 | 
37 | data CommitFlag = Commit | DoNotCommit
38 |   deriving (Eq)
39 | 
40 | runReserveCommand :: Maybe FilePath -> IdMode -> CommitFlag -> IO ()
41 | runReserveCommand mPath idMode commitFlag = do
42 |   repoPath <- ensureRepo mPath
43 | 
44 |   hsid <- case idMode of
45 |     IdModePlaceholder -> pure placeholder
46 |     IdModeAuto -> do
47 |       curMax <- getGreatestId repoPath
48 |       getNextHsecId curMax
49 | 
50 |   let
51 |     advisoriesPath = repoPath </> dirNameAdvisories
52 |     fileName = printHsecId hsid <.> "md"
53 |     filePath = advisoriesPath </> dirNameReserved </> fileName
54 |   writeFile filePath ""  -- write empty file
55 | 
56 |   when (commitFlag == Commit) $ do
57 |     let msg = printHsecId hsid <> ": reserve id"
58 |     add repoPath [filePath] >>= \case
59 |       Left e -> die $ "Failed to update Git index: " <> explainGitError e
60 |       Right _ -> pure ()
61 |     commit repoPath msg >>= \case
62 |       Left e -> die $ "Failed to create Git commit: " <> explainGitError e
63 |       Right _ -> pure ()
64 | 
--------------------------------------------------------------------------------
/code/hsec-tools/app/Util.hs:
--------------------------------------------------------------------------------
1 | {-# LANGUAGE LambdaCase #-}
2 | 
3 | module Util where
4 | 
5 | import Data.Maybe (fromMaybe)
6 | import System.Exit (die)
7 | 
8 | import Security.Advisories.Filesystem (isSecurityAdvisoriesRepo)
9 | import Security.Advisories.Git (getRepoRoot)
10 | 
11 | -- | Ensure the given path (or current directory "." if @Nothing@)
12 | -- is an advisory Git repo. Return the (valid) repo root, or die
13 | -- with an error message.
14 | --
15 | ensureRepo :: Maybe FilePath -> IO FilePath
16 | ensureRepo mPath =
17 |   getRepoRoot (fromMaybe "."
mPath) >>= \case 18 | Left _ -> die "Not a git repo" 19 | Right repoPath -> isSecurityAdvisoriesRepo repoPath >>= \case 20 | False -> die "Not a security-advisories repo" 21 | True -> pure repoPath 22 | -------------------------------------------------------------------------------- /code/hsec-tools/assets/css/default.css: -------------------------------------------------------------------------------- 1 | :root{ 2 | --bg-color:#FFFFFF; 3 | --text-color:#333; 4 | --outline-color:#DB83ED; 5 | --header-color:#5E5184; 6 | --anchor-color:#9E358F; 7 | --anchor-visited-color:#6F5F9C; 8 | --code-bg-color:#FAFAFA; 9 | --filename-bg:#EAEAEA; 10 | --code-color:#383a42; 11 | --code-bg-color:#fafafa; 12 | --code-comment-color:#a0a1a7; 13 | --code-kw-color:#af005f; 14 | --code-name-color:#e45649; 15 | --code-literal-color:#268bd2; 16 | --code-string-color:#cb4b16; 17 | --code-attr-color:#986801; 18 | --code-constructor-color:#5f5faf; 19 | --code-symbol-color:#4078f2; 20 | --code-record-field-color:#c18401; 21 | --code-pragma-color:#2aa198 22 | } 23 | @media (prefers-color-scheme:dark){ 24 | :root{ 25 | --bg-color:#333; 26 | --text-color:#C9D1D9; 27 | --header-color:#BBA1FF; 28 | --anchor-color:#EB82DC; 29 | --anchor-visited-color:#D5C5FF; 30 | --code-bg-color:transparent; 31 | --filename-bg:#2C2C2C; 32 | --code-color:#C9D1D9; 33 | --code-bg-color:#333; 34 | --code-comment-color:#a0a1a7; 35 | --code-kw-color:#BBA1FF; 36 | --code-name-color:#e45649; 37 | --code-literal-color:#268bd2; 38 | --code-string-color:#cb4b16; 39 | --code-attr-color:#986801; 40 | --code-constructor-color:#d079c9; 41 | --code-symbol-color:var(--code-color); 42 | --code-record-field-color:#c18401; 43 | --code-pragma-color:#2aa198 44 | } 45 | } 46 | *:focus-visible{ 47 | outline-color:var(--outline-color) 48 | } 49 | body{ 50 | color:var(--text-color); 51 | background-color:var(--bg-color) 52 | } 53 | a{ 54 | color:var(--anchor-color) 55 | } 56 | a:visited{ 57 | color:var(--anchor-visited-color) 58 | } 59 | 
h1,h2,h3,h4,h5,h6{ 60 | color:var(--header-color) 61 | } 62 | input{ 63 | background-color:rgba(255,255,255,0.06); 64 | color:var(--text-color) 65 | } 66 | .nav-bar{ 67 | text-align: right; 68 | } 69 | .nav-bar ul{ 70 | display: inline-block; 71 | list-style: none; 72 | margin: 0; 73 | padding: 0; 74 | } 75 | .nav-bar li{ 76 | display: inline-block; 77 | vertical-align: middle; 78 | padding: 0; 79 | margin: 0; 80 | height: 100%; 81 | position: relative; 82 | } 83 | *:focus-visible{ 84 | outline-offset:4px; 85 | outline-width:1px 86 | } 87 | body{ 88 | font-size:1.6rem; 89 | margin:0 auto; 90 | max-width:120rem 91 | } 92 | footer{ 93 | margin-top:3rem; 94 | padding:1.2rem 0; 95 | border-top:0.2rem solid #000; 96 | font-size:1.2rem; 97 | color:#555 98 | } 99 | h1{ 100 | font-size:2.4rem 101 | } 102 | h2{ 103 | font-size:2rem 104 | } 105 | html{ 106 | font-size:62.5%; 107 | font-family:Helvetica,sans-serif 108 | } 109 | table tbody td{ 110 | padding:5px 111 | } 112 | footer{ 113 | padding: 0 2%; 114 | text-align: center; 115 | } 116 | footer .HF{ 117 | height:50px; 118 | line-height:50px; 119 | display:inline-block; 120 | background-repeat:no-repeat; 121 | background-image:url('../images/hf-logo.png'); 122 | background-size:50px; 123 | background-position:left center; 124 | padding-left:60px 125 | } 126 | @media (max-width:319px){ 127 | .nav-bar{ 128 | margin:0 1.5rem 0 0; 129 | } 130 | .nav-bar a{ 131 | display:block; 132 | line-height:1.6 133 | } 134 | } 135 | @media (min-width:320px){ 136 | .nav-bar{ 137 | margin:0 2rem 0 0; 138 | } 139 | .nav-bar a{ 140 | display:inline; 141 | margin:0 0.6rem 142 | } 143 | } 144 | @media (min-width:640px){ 145 | .nav-bar{ 146 | margin:0 3rem 0 0; 147 | } 148 | .nav-bar a{ 149 | margin:0 0 0 1.2rem; 150 | display:inline 151 | } 152 | } 153 | 154 | #advisory dt { 155 | margin-top: 0.75em; 156 | } 157 | -------------------------------------------------------------------------------- /code/hsec-tools/assets/images/hf-logo.png: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/haskell/security-advisories/14475351f69c10eb9a35107ad390b364d601397f/code/hsec-tools/assets/images/hf-logo.png -------------------------------------------------------------------------------- /code/hsec-tools/hsec-tools.cabal: -------------------------------------------------------------------------------- 1 | cabal-version: 3.0 2 | name: hsec-tools 3 | version: 0.2.0.1 4 | 5 | -- A short (one-line) description of the package. 6 | synopsis: 7 | Tools for working with the Haskell security advisory database 8 | 9 | -- A longer description of the package. 10 | description: 11 | Tools for working with the Haskell security advisory database. 12 | 13 | -- A URL where users can report bugs. 14 | -- bug-reports: 15 | 16 | -- The license under which the package is released. 17 | license: BSD-3-Clause 18 | author: Haskell Security Response Team 19 | maintainer: security-advisories@haskell.org 20 | 21 | -- A copyright notice. 
22 | -- copyright: 23 | category: Data 24 | extra-doc-files: CHANGELOG.md 25 | extra-source-files: 26 | assets/css/*.css 27 | assets/images/*.png 28 | test/golden/*.golden 29 | test/golden/*.md 30 | 31 | tested-with: 32 | GHC ==8.10.7 || ==9.0.2 || ==9.2.8 || ==9.4.8 || ==9.6.6 || ==9.8.3 || ==9.10.1 || ==9.12.1 33 | 34 | library 35 | exposed-modules: 36 | Security.Advisories 37 | Security.Advisories.Convert.OSV 38 | Security.Advisories.Filesystem 39 | Security.Advisories.Generate.HTML 40 | Security.Advisories.Generate.Snapshot 41 | Security.Advisories.Generate.TH 42 | Security.Advisories.Git 43 | Security.Advisories.Format 44 | Security.Advisories.Parse 45 | Security.Advisories.Queries 46 | 47 | other-modules: 48 | Paths_hsec_tools 49 | autogen-modules: 50 | Paths_hsec_tools 51 | 52 | build-depends: 53 | , aeson >=2.0.1.0 && <3 54 | , atom-conduit >=0.9 && <0.10 55 | , base >=4.14 && <5 56 | , bytestring >=0.10 && <0.14 57 | , Cabal-syntax >=3.8.1.0 && <3.15 58 | , commonmark ^>=0.2.2 59 | , commonmark-pandoc >=0.2 && <0.3 60 | , conduit >=1.3 && <1.4 61 | , conduit-extra >=1.3 && <1.4 62 | , containers >=0.6 && <0.8 63 | , cvss >= 0.2 && < 0.3 64 | , data-default >=0.7 && <0.8 65 | , directory <2 66 | , extra >=1.7 && <1.9 67 | , filepath >=1.4 && <1.6 68 | , hsec-core ^>= 0.2 69 | , file-embed >=0.0.13.0 && <0.0.17 70 | , lucid >=2.9.0 && < 3 71 | , mtl >=2.2 && <2.4 72 | , osv >= 0.1 && < 0.2 73 | , pandoc >=2.0 && <3.8 74 | , pandoc-types >=1.22 && <2 75 | , parsec >=3 && <4 76 | , pathwalk >=0.3 && <0.4 77 | , pretty >=1.0 && <1.2 78 | , prettyprinter >=1.7 && <1.8 79 | , process >=1.6 && <1.7 80 | , refined >=0.7 && <0.9 81 | , resourcet >=1.2 && <1.4 82 | , safe >=0.3 && <0.4 83 | , text >=1.2 && <3 84 | , template-haskell >=2.16.0.0 && <2.24 85 | , time >=1.9 && <1.15 86 | , toml-parser >=2.0.0.0 && <2.1 87 | , uri-bytestring >=0.3 && <0.5 88 | , xml-conduit >=1.9 && <1.11 89 | , validation-selective >=0.1 && <1 90 | 91 | hs-source-dirs: src 92 | 
default-language: Haskell2010 93 | ghc-options: 94 | -Wall -Wcompat -Widentities -Wincomplete-record-updates 95 | -Wincomplete-uni-patterns -Wpartial-fields -Wredundant-constraints 96 | 97 | executable hsec-tools 98 | main-is: Main.hs 99 | other-modules: Command.Reserve 100 | , Command.NextID 101 | , Util 102 | 103 | -- Modules included in this executable, other than Main. 104 | -- other-modules: 105 | 106 | -- LANGUAGE extensions used by modules in this package. 107 | -- other-extensions: 108 | build-depends: 109 | , aeson >=2.0.1.0 && <3 110 | , base >=4.14 && <5 111 | , bytestring >=0.10 && <0.13 112 | , Cabal-syntax >=3.8.1.0 && <3.15 113 | , filepath >=1.4 && <1.6 114 | , hsec-core ^>= 0.2 115 | , hsec-tools 116 | , optparse-applicative >=0.17 && <0.19 117 | , text >=1.2 && <3 118 | , transformers 119 | , validation-selective >=0.1 && <1 120 | 121 | hs-source-dirs: app 122 | default-language: Haskell2010 123 | ghc-options: 124 | -Wall -Wcompat -Widentities -Wincomplete-record-updates 125 | -Wincomplete-uni-patterns -Wpartial-fields -Wredundant-constraints 126 | 127 | test-suite spec 128 | type: exitcode-stdio-1.0 129 | hs-source-dirs: test 130 | main-is: Spec.hs 131 | autogen-modules: 132 | Paths_hsec_tools 133 | other-modules: 134 | Paths_hsec_tools 135 | Spec.FormatSpec 136 | Spec.QueriesSpec 137 | build-depends: 138 | , aeson-pretty <2 139 | , base 140 | , Cabal-syntax 141 | , containers 142 | , cvss 143 | , directory 144 | , hedgehog <2 145 | , hsec-core 146 | , hsec-tools 147 | , osv 148 | , pretty-simple <5 149 | , prettyprinter 150 | , tasty <1.5 151 | , tasty-golden <2.4 152 | , tasty-hedgehog <2 153 | , tasty-hunit <0.11 154 | , text 155 | , time 156 | , toml-parser 157 | 158 | default-language: Haskell2010 159 | ghc-options: 160 | -Wall -Wcompat -Widentities -Wincomplete-record-updates 161 | -Wincomplete-uni-patterns -Wpartial-fields -Wredundant-constraints 162 | -------------------------------------------------------------------------------- 
/code/hsec-tools/src/Security/Advisories.hs: -------------------------------------------------------------------------------- 1 | module Security.Advisories 2 | ( module Security.Advisories.Core.Advisory 3 | , module Security.Advisories.Core.HsecId 4 | , module Security.Advisories.Parse 5 | ) 6 | where 7 | 8 | import Security.Advisories.Core.Advisory 9 | import Security.Advisories.Core.HsecId 10 | import Security.Advisories.Parse 11 | -------------------------------------------------------------------------------- /code/hsec-tools/src/Security/Advisories/Convert/OSV.hs: -------------------------------------------------------------------------------- 1 | {-# LANGUAGE OverloadedStrings #-} 2 | 3 | module Security.Advisories.Convert.OSV 4 | ( convert 5 | ) 6 | where 7 | 8 | import qualified Data.Text as T 9 | import Data.Void 10 | import Distribution.Pretty (prettyShow) 11 | 12 | import Security.Advisories 13 | import qualified Security.OSV as OSV 14 | 15 | convert :: Advisory -> OSV.Model Void Void Void Void 16 | convert adv = 17 | ( OSV.newModel' 18 | (T.pack . 
printHsecId $ advisoryId adv) 19 | (advisoryModified adv) 20 | ) 21 | { OSV.modelPublished = Just $ advisoryPublished adv 22 | , OSV.modelAliases = advisoryAliases adv 23 | , OSV.modelRelated = advisoryRelated adv 24 | , OSV.modelSummary = Just $ advisorySummary adv 25 | , OSV.modelDetails = Just $ advisoryDetails adv 26 | , OSV.modelReferences = advisoryReferences adv 27 | , OSV.modelAffected = fmap mkAffected (advisoryAffected adv) 28 | } 29 | 30 | mkAffected :: Affected -> OSV.Affected Void Void Void 31 | mkAffected aff = 32 | OSV.Affected 33 | { OSV.affectedPackage = mkPackage (affectedComponentIdentifier aff) 34 | , OSV.affectedRanges = pure $ mkRange (affectedVersions aff) 35 | , OSV.affectedSeverity = [OSV.Severity (affectedCVSS aff)] 36 | , OSV.affectedEcosystemSpecific = Nothing 37 | , OSV.affectedDatabaseSpecific = Nothing 38 | } 39 | 40 | mkPackage :: ComponentIdentifier -> OSV.Package 41 | mkPackage ecosystem = OSV.Package 42 | { OSV.packageName = packageName 43 | , OSV.packageEcosystem = ecosystemName 44 | , OSV.packagePurl = Nothing 45 | } 46 | where 47 | (ecosystemName, packageName) = case ecosystem of 48 | Hackage n -> ("Hackage", n) 49 | GHC c -> ("GHC", ghcComponentToText c) 50 | 51 | mkRange :: [AffectedVersionRange] -> OSV.Range Void 52 | mkRange ranges = 53 | OSV.RangeEcosystem (foldMap mkEvs ranges) Nothing 54 | where 55 | mkEvs :: AffectedVersionRange -> [OSV.Event T.Text] 56 | mkEvs range = 57 | OSV.EventIntroduced (T.pack $ prettyShow $ affectedVersionRangeIntroduced range) 58 | : maybe [] (pure . OSV.EventFixed . T.pack . 
prettyShow) (affectedVersionRangeFixed range)
59 | 
--------------------------------------------------------------------------------
/code/hsec-tools/src/Security/Advisories/Generate/Snapshot.hs:
--------------------------------------------------------------------------------
1 | {-# LANGUAGE DeriveAnyClass #-}
2 | {-# LANGUAGE DeriveGeneric #-}
3 | {-# LANGUAGE DerivingStrategies #-}
4 | {-# LANGUAGE LambdaCase #-}
5 | {-# LANGUAGE OverloadedStrings #-}
6 | 
7 | module Security.Advisories.Generate.Snapshot
8 |   ( createSnapshot,
9 |   )
10 | where
11 | 
12 | import Data.Aeson (ToJSON, encodeFile)
13 | import Data.Default (def)
14 | import qualified Data.Text.IO as T
15 | import Data.Time (UTCTime)
16 | import Data.Version (Version)
17 | import GHC.Generics (Generic)
18 | import Paths_hsec_tools (version)
19 | import qualified Prettyprinter as Pretty
20 | import qualified Prettyprinter.Render.Text as Pretty
21 | import Security.Advisories.Core.Advisory
22 | import Security.Advisories.Filesystem (advisoryFromFile, forAdvisory, forReserved)
23 | import Security.Advisories.Format (fromAdvisory)
24 | import System.Directory (copyFileWithMetadata, createDirectoryIfMissing)
25 | import System.FilePath (takeDirectory, (</>))
26 | import System.IO (hPrint, hPutStrLn, stderr)
27 | import Text.Pandoc (Block (CodeBlock), Pandoc (Pandoc), nullMeta, runIOorExplode)
28 | import Text.Pandoc.Writers (writeCommonMark)
29 | import qualified Toml
30 | import Validation (Validation (..))
31 | 
32 | -- * Actions
33 | 
34 | -- | Copy reserved IDs verbatim and re-render every parsed advisory from
35 | -- @src@ into @dst@, then write @dst/snapshot.json@ with the newest
36 | -- modification date and the generating tool's version.
37 | createSnapshot :: FilePath -> FilePath -> IO ()
38 | createSnapshot src dst = do
39 |   let toDstFilePath orig = dst </> drop (length src + 1) orig
40 | 
41 |   forReserved src $ \p _ -> do
42 |     createDirectoryIfMissing True $ takeDirectory $ toDstFilePath p
43 |     hPutStrLn stderr $ "Copying '" <> p <> "' to '" <> toDstFilePath p <> "'"
44 |     copyFileWithMetadata p $ toDstFilePath p
45 | 
46 |   advisoriesLatestUpdates <-
47 |     forAdvisory src $ \p _ -> do
48 |       createDirectoryIfMissing True $ takeDirectory $ toDstFilePath p
49 |       hPutStrLn stderr $ "Taking a snapshot of '" <> p <> "' to '" <> toDstFilePath p <> "'"
50 |       advisoryFromFile p
51 |         >>= \case
52 |           Failure e -> do
53 |             hPrint stderr e
54 |             return []
55 |           Success advisory -> do
56 |             let pandoc =
57 |                   Pandoc
58 |                     nullMeta
59 |                     ( CodeBlock
60 |                         ("", ["toml"], [])
61 |                         ( Pretty.renderStrict $
62 |                             Pretty.layoutPretty Pretty.defaultLayoutOptions $
63 |                               Toml.encode $
64 |                                 fromAdvisory advisory
65 |                         )
66 |                         : blocks (advisoryPandoc advisory)
67 |                     )
68 |                 blocks (Pandoc _ xs) = xs
69 |             rendered <- runIOorExplode $ writeCommonMark def pandoc
70 |             T.writeFile (toDstFilePath p) rendered
71 |             return [advisoryModified advisory]
72 | 
73 |   let metadataPath = dst </> "snapshot.json"
74 |       metadata =
75 |         SnapshotMetadata
76 |           { latestUpdate = maximum advisoriesLatestUpdates,
77 |             snapshotVersion = version
78 |           }
79 |   hPutStrLn stderr $ "Writing snapshot metadata to '" <> metadataPath <> "'"
80 |   encodeFile metadataPath metadata
81 | 
82 | data SnapshotMetadata = SnapshotMetadata
83 |   { latestUpdate :: UTCTime,
84 |     snapshotVersion :: Version
85 |   }
86 |   deriving stock (Generic)
87 |   deriving anyclass (ToJSON)
88 | 
--------------------------------------------------------------------------------
/code/hsec-tools/src/Security/Advisories/Generate/TH.hs:
--------------------------------------------------------------------------------
1 | module Security.Advisories.Generate.TH (
2 |   readFileTH,
3 |   readDirFilesTH,
4 |   fileLocation,
5 | ) where
6 | 
7 | import Control.Monad.IO.Class (liftIO)
8 | import Data.ByteString.Char8 as BS8
9 | import Data.FileEmbed (embedDir, makeRelativeToLocationPredicate)
10 | import Language.Haskell.TH (Exp (LitE), Lit (StringL), Q)
11 | 
12 | -- | Read file at compile-time.
13 | readFileTH :: FilePath -> Q Exp
14 | readFileTH p = fileLocation p $ \p' -> LitE . StringL . BS8.unpack <$> liftIO (BS8.readFile p')
15 | 
16 | -- | Read files in (sub-)directory at compile-time.
-- Gives a [(FilePath, ByteString)]
readDirFilesTH :: FilePath -> Q Exp
readDirFilesTH p = fileLocation p embedDir

fileLocation :: FilePath -> (FilePath -> Q Exp) -> Q Exp
fileLocation fp act = makeRelativeToLocationPredicate (== "hsec-tools.cabal") fp >>= act
-------------------------------------------------------------------------------- /code/hsec-tools/src/Security/Advisories/Git.hs: --------------------------------------------------------------------------------
{-# LANGUAGE LambdaCase #-}
{-# LANGUAGE DerivingStrategies #-}

{-|

Helpers for deriving advisory metadata from a Git repo.

-}
module Security.Advisories.Git
  ( AdvisoryGitInfo(..)
  , GitError(..)
  , explainGitError
  , getAdvisoryGitInfo
  , getRepoRoot
  , add
  , commit
  )
  where

import Data.Char (isSpace)
import Data.List (dropWhileEnd)
import Data.Time (UTCTime, zonedTimeToUTC)
import Data.Time.Format.ISO8601 (iso8601ParseM)
import System.Exit (ExitCode(ExitSuccess))
import System.FilePath (splitFileName)
import System.Process (readProcessWithExitCode)
import Control.Applicative ((<|>))

data AdvisoryGitInfo = AdvisoryGitInfo
  { firstAppearanceCommitDate :: UTCTime
  , lastModificationCommitDate :: UTCTime
  }

data GitError
  = GitProcessError ExitCode String String  -- ^ exit code, stdout and stderr
  | GitTimeParseError String                -- ^ unable to parse this input as a datetime
  deriving stock (Eq, Ord, Show)

explainGitError :: GitError -> String
explainGitError = \case
  GitProcessError status stdout stderr ->
    unlines
      [ "git exited with status " <> show status
      , ">>> standard output:"
      , stdout
      , ">>> standard error:"
      , stderr
      ]
  GitTimeParseError s ->
    "failed to parse time: " <> s

-- | Get top-level directory of the working tree.
--
-- All git invocations in this module use 'readProcessWithExitCode' with an
-- argument list, so no shell is involved and paths are never re-parsed by
-- a shell.
--
getRepoRoot :: FilePath -> IO (Either GitError FilePath)
getRepoRoot path = do
  (status, stdout, stderr) <- readProcessWithExitCode
    "git"
    [ "-C", path
    , "rev-parse"
    , "--show-toplevel"
    ]
    ""  -- standard input
  pure $ case status of
    ExitSuccess -> Right $ trim stdout
    _ -> Left $ GitProcessError status stdout stderr
  where
    trim = dropWhileEnd isSpace . dropWhile isSpace

-- | Add changes to index
--
-- Note: the pathspecs are appended directly after @add@.  git would still
-- read a name beginning with @-@ as an option, so callers that accept
-- arbitrary file names should put a @"--"@ separator before them.
--
add
  :: FilePath    -- ^ path to working tree
  -> [FilePath]  -- ^ files to update in index
  -> IO (Either GitError ())
add path pathspecs = do
  (status, stdout, stderr) <- readProcessWithExitCode
    "git"
    ( ["-C", path, "add"] <> pathspecs )
    ""  -- standard input
  pure $ case status of
    ExitSuccess -> Right ()
    _ -> Left $ GitProcessError status stdout stderr

-- | Commit changes to repo.
--
commit
  :: FilePath  -- ^ path to working tree
  -> String    -- ^ commit message
  -> IO (Either GitError ())
commit path msg = do
  (status, stdout, stderr) <- readProcessWithExitCode
    "git"
    ["-C", path, "commit", "-m", msg]
    ""  -- standard input
  pure $ case status of
    ExitSuccess -> Right ()
    _ -> Left $ GitProcessError status stdout stderr

-- | Derive the first-appearance and last-modification dates of an advisory
-- file from its commit history.  @git log@ prints the newest commit first,
-- so the first appearance is the last timestamp and the most recent
-- modification is the first.
--
getAdvisoryGitInfo :: FilePath -> IO (Either GitError AdvisoryGitInfo)
getAdvisoryGitInfo path = do
  let (dir, file) = splitFileName path
  (status, stdout, stderr) <- readProcessWithExitCode
    "git"
    [ "-C", dir
    , "log"
    , "--pretty=format:%cI"  -- print committer date (strict ISO 8601, with UTC offset)
    , "--find-renames"
    , file
    ]
    ""  -- standard input
  let timestamps = filter (not . null) $ lines stdout
  case status of
    ExitSuccess | not (null timestamps) ->
      pure $ AdvisoryGitInfo
        <$> parseTime (last timestamps)  -- first commit is last line
        <*> parseTime (head timestamps)  -- most recent commit is first line
    _ ->
      -- `null timestamps` should not happen for a tracked file, but if it
      -- does we treat it the same as `ExitFailure`
      pure . Left $ GitProcessError status stdout stderr
  where
    -- %cI carries a numeric offset such as +10:00; the UTCTime parser only
    -- accepts a trailing Z, so fall back to ZonedTime and normalise to UTC.
    parseTime :: String -> Either GitError UTCTime
    parseTime s = maybe (Left $ GitTimeParseError s) Right $
      iso8601ParseM s
      <|> zonedTimeToUTC <$> iso8601ParseM s
-------------------------------------------------------------------------------- /code/hsec-tools/src/Security/Advisories/Queries.hs: --------------------------------------------------------------------------------
module Security.Advisories.Queries
  ( listVersionAffectedBy
  , listVersionRangeAffectedBy
  , isVersionAffectedBy
  , isVersionRangeAffectedBy
  )
  where

import Control.Monad.IO.Class (MonadIO)
import Data.Text (Text)
import Distribution.Types.Version (Version)
import Distribution.Types.VersionInterval (asVersionIntervals)
import Distribution.Types.VersionRange (VersionRange, anyVersion, earlierVersion, intersectVersionRanges, noVersion, orLaterVersion, unionVersionRanges, withinRange)
import Validation (Validation(..))

import Security.Advisories.Core.Advisory
import Security.Advisories.Filesystem
import Security.Advisories.Parse

-- | Check whether a package and a version is concerned by an advisory
isVersionAffectedBy :: Text -> Version -> Advisory -> Bool
isVersionAffectedBy = isAffectedByHelper withinRange

-- | Check whether a package and a version range is concerned by an advisory
isVersionRangeAffectedBy :: Text -> VersionRange -> Advisory -> Bool
isVersionRangeAffectedBy = isAffectedByHelper $
  \queryVersionRange
    affectedVersionRange ->
      isSomeVersion (affectedVersionRange `intersectVersionRanges` queryVersionRange)
  where
    isSomeVersion :: VersionRange -> Bool
    isSomeVersion range
      | [] <- asVersionIntervals range = False
      | otherwise = True

-- | Helper function for 'isVersionAffectedBy' and 'isVersionRangeAffectedBy'
isAffectedByHelper :: (a -> VersionRange -> Bool) -> Text -> a -> Advisory -> Bool
isAffectedByHelper checkWithRange queryPackageName queryVersionish =
  any checkAffected . advisoryAffected
  where
    checkAffected :: Affected -> Bool
    checkAffected affected = case affectedComponentIdentifier affected of
      Hackage pkg -> queryPackageName == pkg && checkWithRange queryVersionish (fromAffected affected)
      -- TODO: support GHC ecosystem query, e.g. by adding a cli flag
      _ -> False

    fromAffected :: Affected -> VersionRange
    fromAffected = foldr (unionVersionRanges . fromAffectedVersionRange) noVersion . affectedVersions

    fromAffectedVersionRange :: AffectedVersionRange -> VersionRange
    fromAffectedVersionRange avr = intersectVersionRanges
      (orLaterVersion (affectedVersionRangeIntroduced avr))
      (maybe anyVersion earlierVersion (affectedVersionRangeFixed avr))

type QueryResult = Validation [(FilePath, ParseAdvisoryError)] [Advisory]

-- | List the advisories matching a package name and a version
listVersionAffectedBy
  :: MonadIO m
  => FilePath -> Text -> Version -> m QueryResult
listVersionAffectedBy = listAffectedByHelper isVersionAffectedBy

-- | List the advisories matching a package name and a version range
listVersionRangeAffectedBy
  :: (MonadIO m)
  => FilePath -> Text -> VersionRange -> m QueryResult
listVersionRangeAffectedBy = listAffectedByHelper isVersionRangeAffectedBy

-- | Helper function for 'listVersionAffectedBy' and 'listVersionRangeAffectedBy'
listAffectedByHelper
  :: (MonadIO m)
  => (Text -> a -> Advisory -> Bool) -> FilePath -> Text -> a -> m QueryResult
listAffectedByHelper checkAffectedBy root queryPackageName queryVersionish =
  fmap (filter (checkAffectedBy queryPackageName queryVersionish)) <$>
    listAdvisories root
-------------------------------------------------------------------------------- /code/hsec-tools/test/Spec.hs: --------------------------------------------------------------------------------
{-# LANGUAGE OverloadedStrings #-}

module Main where

import Data.Aeson.Encode.Pretty (encodePretty)
import Data.List (isSuffixOf)
import qualified Data.Text.IO as T
import qualified Data.Text.Lazy as LText
import qualified Data.Text.Lazy.Encoding as LText
import Data.Time (UTCTime(UTCTime))
import Data.Time.Calendar.OrdinalDate (fromOrdinalDate)
import Paths_hsec_tools (getDataFileName)
import qualified Security.Advisories.Convert.OSV as OSV
import Security.Advisories.Parse
import qualified Spec.FormatSpec as FormatSpec
import qualified Spec.QueriesSpec as QueriesSpec
import System.Directory (listDirectory)
import Test.Tasty (defaultMain, testGroup, TestTree)
import Test.Tasty.Golden (goldenVsString)
import Text.Pretty.Simple (pShowNoColor)

main :: IO ()
main = do
  goldenFiles <- listGoldenFiles
  defaultMain $
    testGroup
      "Tests"
      [ goldenTestsSpec goldenFiles
      , QueriesSpec.spec
      , FormatSpec.spec
      ]

listGoldenFiles :: IO [FilePath]
listGoldenFiles = map (mappend dpath) . filter (not .
    isSuffixOf ".golden") <$> (getDataFileName dpath >>= listDirectory)
  where
    dpath = "test/golden/"

goldenTestsSpec :: [FilePath] -> TestTree
goldenTestsSpec goldenFiles = testGroup "Golden test" $ map doGoldenTest goldenFiles

doGoldenTest :: FilePath -> TestTree
doGoldenTest fp = goldenVsString fp (fp <> ".golden") (LText.encodeUtf8 <$> doCheck)
  where
    doCheck :: IO LText.Text
    doCheck = do
      input <- getDataFileName fp >>= T.readFile
      let fakeDate = UTCTime (fromOrdinalDate 1970 0) 0
          attr = OutOfBandAttributes
            { oobPublished = fakeDate
            , oobModified = fakeDate
            , oobComponentIdentifier = Nothing
            }
          res = parseAdvisory NoOverrides (Right attr) input
          osvExport = case res of
            Right adv ->
              let osv = OSV.convert adv
              in LText.unlines
                [ pShowNoColor osv
                , LText.decodeUtf8 (encodePretty osv)
                ]
            Left _ -> ""
      pure (LText.unlines [pShowNoColor res, osvExport])
-------------------------------------------------------------------------------- /code/hsec-tools/test/golden/EXAMPLE_ADVISORY.md: --------------------------------------------------------------------------------
```toml

[advisory]
id = "HSEC-0000-0000"
cwe = []
keywords = ["example", "freeform", "keywords"]
aliases = ["CVE-2022-XXXX"]
related = ["CVE-2022-YYYY", "CVE-2022-ZZZZ"]

[[affected]]
package = "package-name"
cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"

[[affected.versions]]
introduced = "1.0.8"
fixed = "1.1"
[[affected.versions]]
introduced = "1.1.2"

[[references]]
type = "ARTICLE"
url = "https://example.com"
```

# Advisory Template - Title Goes Here

This is an example template.

* Markdown
* TOML "front matter".

> Acme Broken.

-------------------------------------------------------------------------------- /code/hsec-tools/test/golden/MISSING_AFFECTED.md: --------------------------------------------------------------------------------
```toml
[advisory]
id = "HSEC-0000-0000"
cwe = []
```

## Title
-------------------------------------------------------------------------------- /code/hsec-tools/test/golden/MISSING_AFFECTED.md.golden: --------------------------------------------------------------------------------
Left
    ( AdvisoryError
        [ MatchMessage
            { matchAnn = Just
                ( Position
                    { posIndex = 0
                    , posLine = 1
                    , posColumn = 1
                    }
                )
            , matchPath = []
            , matchMessage = "missing key: affected"
            }
        ] "1:1: missing key: affected in
"
    )

-------------------------------------------------------------------------------- /code/hsec-tools/test/golden/MISSING_TITLE.md: --------------------------------------------------------------------------------
```toml
[advisory]
id = "HSEC-0000-0000"
cwe = []
date = 1970-01-01
```
-------------------------------------------------------------------------------- /code/hsec-tools/test/golden/MISSING_TITLE.md.golden: --------------------------------------------------------------------------------
Left
    ( MarkdownFormatError "Does not have summary heading" )

-------------------------------------------------------------------------------- /code/osv/.gitignore: --------------------------------------------------------------------------------
##### Haskell
dist
dist-*
cabal-dev
*.o
*.hi
*.hie
*.chi
*.chs.h
*.dyn_o
*.dyn_hi
.hpc
.hsenv
.cabal-sandbox/
cabal.sandbox.config
*.prof
*.aux
*.hp
*.eventlog
.stack-work/
cabal.project.local
cabal.project.local~
.HTF/
.ghc.environment.*
build
bin-*

result
.direnv
.env
-------------------------------------------------------------------------------- /code/osv/CHANGELOG.md: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/haskell/security-advisories/14475351f69c10eb9a35107ad390b364d601397f/code/osv/CHANGELOG.md
-------------------------------------------------------------------------------- /code/osv/README.md: --------------------------------------------------------------------------------
# osv

This project aims to support the [Open Source Vulnerability format](https://ossf.github.io/osv-schema/).

## Building

We aim to support both regular cabal-based and nix-based builds.
-------------------------------------------------------------------------------- /code/osv/osv.cabal: --------------------------------------------------------------------------------
cabal-version:      2.4
name:               osv
version:            0.1.0.2

-- A short (one-line) description of the package.
synopsis:
  Open Source Vulnerability format

-- A longer description of the package.
description:
  Open Source Vulnerability format.

-- A URL where users can report bugs.
-- bug-reports:

-- The license under which the package is released.
license:            BSD-3-Clause
author:             Haskell Security Response Team
maintainer:         security-advisories@haskell.org

-- A copyright notice.
-- copyright:
category:           Data
extra-doc-files:    CHANGELOG.md

tested-with:
  GHC ==8.10.7 || ==9.0.2 || ==9.2.8 || ==9.4.8 || ==9.6.6 || ==9.8.3 || ==9.10.1 || ==9.12.1

library
  exposed-modules:
    Security.OSV

  build-depends:
    , aeson  >=2.0.1.0 && <3
    , base   >=4.14    && <5
    , cvss   >=0.2     && <0.3
    , text   >=1.2     && <3
    , time   >=1.9     && <1.15

  hs-source-dirs:   src
  default-language: Haskell2010
  ghc-options:
    -Wall -Wcompat -Widentities -Wincomplete-record-updates
    -Wincomplete-uni-patterns -Wpartial-fields -Wredundant-constraints

test-suite spec
  type:             exitcode-stdio-1.0
  hs-source-dirs:   test
  main-is:          Spec.hs
  build-depends:
    , base
    , osv
    , tasty        <1.5
    , tasty-hunit  <0.11

  default-language: Haskell2010
  ghc-options:
    -Wall -Wcompat -Widentities -Wincomplete-record-updates
    -Wincomplete-uni-patterns -Wpartial-fields -Wredundant-constraints
-------------------------------------------------------------------------------- /code/osv/test/Spec.hs: --------------------------------------------------------------------------------
{-# LANGUAGE OverloadedStrings #-}

module Main where

import Test.Tasty

main :: IO ()
main =
  defaultMain $
    testGroup "Tests"
      []
-------------------------------------------------------------------------------- /docs/README.md: --------------------------------------------------------------------------------
# Haskell Security Response Team documentation

The files in this directory document the functional and administrative processes of the Haskell Security Response Team.

- [SRT membership processes](./membership.md)
- [Quarterly reports](./reports.md)

Documentation for our tools, libraries and the advisory source format lives in the `code/` directory of the main repo.
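The timestamp handling in `getAdvisoryGitInfo` (code/hsec-tools/src/Security/Advisories/Git.hs above) is easy to get wrong: `git log --pretty=format:%cI` prints committer dates with a numeric UTC offset, newest commit first, and an untracked file yields no lines at all. The following is an added example, not code from hsec-tools, that reproduces that logic on a constructed log excerpt so it can be run without a git checkout. The `sampleLog` text, the `GitInfo`/`ParseError` types and the `logArgs` helper are this example's own; `logArgs` shows the argv Git.hs builds with one addition, a `"--"` separator, so that a path beginning with `-` cannot be mistaken for an option (a general git caveat, not a defect reported against this repository).

```haskell
-- Added example (not part of hsec-tools): timestamp handling of
-- getAdvisoryGitInfo on constructed `git log --pretty=format:%cI` output.
module Main (main) where

import Control.Applicative ((<|>))
import Data.Time (UTCTime, zonedTimeToUTC)
import Data.Time.Format.ISO8601 (iso8601ParseM)

-- Hypothetical mirror of AdvisoryGitInfo with derived instances for printing.
data GitInfo = GitInfo
  { firstAppearance  :: UTCTime
  , lastModification :: UTCTime
  } deriving (Eq, Show)

data ParseError
  = NoCommits            -- empty log: untracked file or wrong path
  | BadTimestamp String  -- a line that is not strict ISO 8601
  deriving (Eq, Show)

-- Same strategy as Git.hs: try UTCTime (needs a trailing Z), then fall
-- back to ZonedTime, which accepts "+10:00"-style offsets, and normalise.
parseTime :: String -> Either ParseError UTCTime
parseTime s = maybe (Left (BadTimestamp s)) Right $
  iso8601ParseM s <|> (zonedTimeToUTC <$> iso8601ParseM s)

-- git prints the newest commit first: first appearance is the LAST line.
gitInfoFromLog :: String -> Either ParseError GitInfo
gitInfoFromLog out = case filter (not . null) (lines out) of
  []  -> Left NoCommits
  ts  -> GitInfo <$> parseTime (last ts) <*> parseTime (head ts)

-- Argument vector as Git.hs builds it, plus "--" so that a file name
-- starting with '-' is parsed by git as a pathspec rather than an option.
logArgs :: FilePath -> FilePath -> [String]
logArgs dir file =
  ["-C", dir, "log", "--pretty=format:%cI", "--find-renames", "--", file]

-- Constructed sample output (not real repository history); the offsets
-- differ on purpose so that normalisation to UTC is visible.
sampleLog :: String
sampleLog = unlines
  [ "2024-03-02T09:15:00+10:00"
  , "2023-11-20T23:59:59Z"
  , "2023-06-15T08:00:00-04:00"
  ]

main :: IO ()
main = do
  print (logArgs "advisories/hackage/aeson" "HSEC-2023-0001.md")
  print (gitInfoFromLog sampleLog)            -- Right GitInfo, both in UTC
  print (gitInfoFromLog "")                   -- Left NoCommits
  print (gitInfoFromLog "2023-06-15 08:00:00") -- Left (BadTimestamp ...): no 'T', no offset
```

Run with `runghc` (only the `time` package is needed). The first `gitInfoFromLog` call normalises the oldest line to 12:00 UTC and the newest to 2024-03-01 23:15 UTC, which is the point of the `zonedTimeToUTC` fallback: comparing or sorting the raw offset strings would order commits incorrectly. The empty-log case is the same condition that Git.hs maps to `GitProcessError`.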
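The version arithmetic in code/hsec-tools/src/Security/Advisories/Queries.hs above encodes each `[[affected.versions]]` entry as the half-open interval `[introduced, fixed)` (open-ended when `fixed` is absent), unions the entries, and then either tests a single version with `withinRange` or intersects a query range and checks that Cabal's interval normalisation leaves something behind. The following is an added example, not hsec-tools code, that runs that logic against the two entries from EXAMPLE_ADVISORY.md using only the Cabal library; `AffectedRange`, `exampleRanges` and the function names are this example's own stand-ins for the advisory types.

```haskell
-- Added example (not part of hsec-tools): affected-range semantics of
-- Queries.hs, checked against the entries in EXAMPLE_ADVISORY.md.
module Main (main) where

import Distribution.Types.Version (Version, mkVersion)
import Distribution.Types.VersionInterval (asVersionIntervals)
import Distribution.Types.VersionRange
  ( VersionRange, anyVersion, earlierVersion, intersectVersionRanges
  , noVersion, orLaterVersion, unionVersionRanges, withinRange )

-- Stand-in for one `[[affected.versions]]` entry: introduced is inclusive,
-- fixed (if any) is exclusive, i.e. the interval [introduced, fixed).
data AffectedRange = AffectedRange
  { introduced :: Version
  , fixed      :: Maybe Version
  }

-- Each entry becomes ">= introduced && < fixed" (just ">= introduced" when
-- no fix is recorded); entries are OR-ed, starting from the empty range.
-- This mirrors fromAffected / fromAffectedVersionRange in Queries.hs.
affectedRange :: [AffectedRange] -> VersionRange
affectedRange = foldr (unionVersionRanges . one) noVersion
  where
    one r = intersectVersionRanges
      (orLaterVersion (introduced r))
      (maybe anyVersion earlierVersion (fixed r))

-- A concrete version is affected when it lies inside the union.
versionAffected :: [AffectedRange] -> Version -> Bool
versionAffected rs v = withinRange v (affectedRange rs)

-- A query range (e.g. a dependency bound) is affected when its
-- intersection with the union is non-empty; Cabal normalises the
-- intersection to a list of intervals, so "empty" is just [].
rangeAffected :: [AffectedRange] -> VersionRange -> Bool
rangeAffected rs q =
  not (null (asVersionIntervals (intersectVersionRanges (affectedRange rs) q)))

-- The two entries from EXAMPLE_ADVISORY.md: [1.0.8, 1.1) and [1.1.2, ...).
exampleRanges :: [AffectedRange]
exampleRanges =
  [ AffectedRange (mkVersion [1,0,8]) (Just (mkVersion [1,1]))
  , AffectedRange (mkVersion [1,1,2]) Nothing
  ]

main :: IO ()
main = do
  mapM_ (\v -> putStrLn (show v ++ " affected: " ++ show (versionAffected exampleRanges (mkVersion v))))
    [ [1,0,7]  -- released before the bug was introduced
    , [1,0,8]  -- first vulnerable release
    , [1,1]    -- the fix itself: "fixed" is exclusive
    , [1,1,1]  -- still fixed
    , [1,1,2]  -- regression with no fix recorded, so open-ended
    , [2,0]
    ]
  -- Range queries: the gap between the two entries, everything before the
  -- bug, and a broad lower bound that overlaps the first entry.
  print (rangeAffected exampleRanges
          (intersectVersionRanges (orLaterVersion (mkVersion [1,1])) (earlierVersion (mkVersion [1,1,2]))))
  print (rangeAffected exampleRanges (earlierVersion (mkVersion [1,0,8])))
  print (rangeAffected exampleRanges (orLaterVersion (mkVersion [1,0])))
```

Expected behaviour when run with `runghc` against a Cabal library that exports `Distribution.Types.VersionInterval`: of the six versions only 1.0.8, 1.1.2 and 2.0 report `True`; of the three range queries only the last (`>= 1.0`) does, because `>= 1.1 && < 1.1.2` falls exactly into the gap between the two entries and `< 1.0.8` predates the first. The boundary cases (the fixed version is not affected, a missing `fixed` means every later version is) are the ones an advisory author most often gets wrong, so they are worth checking whenever a new `[[affected.versions]]` block is written.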
-------------------------------------------------------------------------------- /docs/call-for-volunteers-example.md: --------------------------------------------------------------------------------
**(PREAMBLE)**

The Security Response Team (SRT) is formally calling for applications to join the SRT. People from the Haskell community with information security experience are encouraged to apply. This is an opportunity to have a large impact on the practice of Haskell programming going forward. If you have an interest in helping the team continue its mission, please apply!

## Security Response Team responsibilities

The general responsibilities of the SRT are:

- Manage the Haskell Security Advisory Database, on behalf of the Haskell community and the Haskell Foundation.
- Triage and assess incoming security reports or proposed/candidate security advisories.
- Assist reporters to determine CVSS scores and CWE values for confirmed security issues.
- Communicate with package maintainers and the community to promote the timely resolution of reported security issues.
- Ensure the security advisory data are useful for downstream security tooling. (Development of downstream tooling is not an SRT responsibility, but engaging with the developers is.)
- Report quarterly on the activities of the SRT and statistics/trends in new security issues.

## How can you help?

- You can apply.
- If you don’t want to apply but know someone who would be great, encourage them to apply.
- Applicants should have experience in one or more of the following areas:
  - web application security
  - information security incident response
  - vulnerability research and analysis
  - penetration testing
  - cryptography
  - authentication and identity management
  - governance, risk management and compliance (GRC)
  - secure application development
  - algorithms, data structures, and their role in DoS attacks
  - related disciplines

## Who is involved?

The current membership of the SRT is:

- ***(CURRENT MEMBERS)***

The team is hoping to gain ***(FILL ME)*** new members via this call for volunteers.

## How to apply

Email ***(DELEGATE)*** with subject ***Haskell SRT Application***. Include a brief overview of your background in security and the specific topics (e.g. from the list above) with which you have experience.

## Deadline

Please submit your applications by end of day ***(DEADLINE)***.
-------------------------------------------------------------------------------- /docs/membership.md: --------------------------------------------------------------------------------
# SRT members and membership processes

## Current members

- Fraser Tweedale (SRT project leader; 2023-05–)
- Gautier Di Folco (2023-05–)
- Lei Zhu (2024-10–)
- Mihai Maruseac (2023-05–)
- Montez Fitzpatrick (2024-10–)
- Tristan de Cacqueray (2023-05–)

## Former members

We thank past members for their valuable contributions!

- Casey Mattingly (2023-05–2024-06)

## Member onboarding (and offboarding)

There are some necessary tasks when members join or leave the SRT. These are:

- Update the member lists in this document.

- Add (or remove) the member from the `security-advisories[at]haskell.org` mailing list. Contact the [Haskell Infrastructure Admins][haskell-infra] for assistance.

- Add (or remove) the member from the VINCE group, if they are participating in that capacity.

- Update the member list at https://www.haskell.org/security/, by pull request against [haskell-infra/www.haskell.org](https://github.com/haskell-infra/www.haskell.org/).

- Announce the membership change(s) on [Discourse]. Usually this can be included in the quarterly report.

[haskell-infra]: https://github.com/haskell-infra/haskell-admins
[Discourse]: https://discourse.haskell.org/


## Running a Call for Volunteers

To fill vacancies or grow the SRT, run a *Call for Volunteers*. The following is a rough guide on how we do that.

- For previous calls, we appointed an SRT member to receive the applications (to their personal email address).

- *After applications close*, they compile the applications and share them with the rest of the SRT for review. We start a voting thread on the mailing list, each member states their preferred applicant(s) with summary reasons, and we reach a consensus. This process has worked well so far.

- See [example content](call-for-volunteers-example.md). There are some placeholders to be filled. The content can be modified as needed.

- Publish the call on [Discourse] and promote it in the logical ways (e.g. Haskell Foundation social media, r/haskell, etc).

- The application period should be about 4 weeks. Bump and do another burst of promotion at the halfway point.

- After the application deadline, the full SRT membership reviews the proposals and selects the new member(s).

- Notify the successful applicant(s) and seek their affirmation that they are prepared to join the SRT.

- Notify unsuccessful applicants before public announcement of the outcome.

- Commence onboarding and notify the community of the outcome.
-------------------------------------------------------------------------------- /docs/reports.md: --------------------------------------------------------------------------------
# SRT reporting

The SRT reports each quarter to update the community on its activities and plans.

## Who should write the report?

The SRT project lead prepares the report (though the task could be delegated with sufficient notice). It is a good idea to gather items for the report throughout the reporting period, so you don't forget anything significant.

## Publishing reports

The canonical version of each report is committed to this repo under `/reports/`.

Each report should also be republished on [Discourse], and added to the list of reports at https://www.haskell.org/security/ (file a pull request against [haskell-infra/www.haskell.org](https://github.com/haskell-infra/www.haskell.org/)).

Reports for the previous quarter should generally be published in the first few weeks following that quarter. In some cases we have delayed a report to include significant new developments, e.g. the result of a *Call for Volunteers*.

[Discourse]: https://discourse.haskell.org/

## Report content

Each report should contain:

- A preamble explaining what the SRT is and who its members are (just copy the preamble from the previous report).

- Statistics about the number of contemporary and historical advisories added to the advisory database during the reporting period. Also mention any new or outstanding HSEC ID reservations (for embargoed issues), and any other significant updates to the **content** of the advisory DB.

- Discussion of any significant security incidents during the reporting period that impacted Haskell infrastructure, the toolchain, or the library ecosystem.

- Mention of notable updates to SRT-owned tools and libraries, and related developments in downstream tooling.

- Any other news related to Haskell ecosystem security.
-------------------------------------------------------------------------------- /flake.lock: --------------------------------------------------------------------------------
{
  "nodes": {
    "flake-utils": {
      "inputs": {
        "systems": "systems"
      },
      "locked": {
        "lastModified": 1731533236,
        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "flake-utils",
        "type": "github"
      }
    },
    "nixpkgs": {
      "locked": {
        "lastModified": 1743095683,
        "narHash": "sha256-gWd4urRoLRe8GLVC/3rYRae1h+xfQzt09xOfb0PaHSk=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "5e5402ecbcb27af32284d4a62553c019a3a49ea6",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "root": {
      "inputs": {
        "flake-utils": "flake-utils",
        "nixpkgs": "nixpkgs"
      }
    },
    "systems": {
      "locked": {
        "lastModified": 1681028828,
        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
        "owner": "nix-systems",
        "repo": "default",
        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
        "type": "github"
      },
      "original": {
        "owner": "nix-systems",
        "repo": "default",
        "type": "github"
      }
    }
  },
  "root": "root",
  "version": 7
}
-------------------------------------------------------------------------------- /flake.nix: --------------------------------------------------------------------------------
{
  description = "hsec-tools";

  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
    flake-utils.url = "github:numtide/flake-utils";
  };

  outputs = { self, nixpkgs, flake-utils }:
    flake-utils.lib.eachDefaultSystem (system:
      let
        overlays = [ ];
        pkgs =
          import nixpkgs { inherit system overlays; config.allowBroken = true; };
        jailbreakUnbreak = pkg:
          pkgs.haskell.lib.doJailbreak (pkgs.haskell.lib.dontCheck (pkgs.haskell.lib.unmarkBroken pkg));

        cvss = pkgs.haskellPackages.callCabal2nix "cvss" ./code/cvss { };
        osv = pkgs.haskellPackages.callCabal2nix "osv" ./code/osv { inherit cvss; };
        hsec-core = pkgs.haskellPackages.callCabal2nix "hsec-core" ./code/hsec-core {
          inherit cvss osv;
        };
        hsec-tools = returnShellEnv:
          pkgs.haskellPackages.developPackage {
            inherit returnShellEnv;
            name = "hsec-tools";
            root = ./code/hsec-tools;
            withHoogle = false;
            overrides = self: super: {
              inherit cvss hsec-core osv;
              toml-parser = super.toml-parser_2_0_1_0;
              typst = super.typst_0_6_1;
              typst-symbols = super.typst-symbols_0_1_7;
              texmath = super.texmath_0_12_8_12;
              pandoc = super.pandoc_3_6;
              commonmark-pandoc = super.commonmark-pandoc_0_2_2_3;
              commonmark-extensions = super.commonmark-extensions_0_2_5_6;
              doclayout = super.doclayout_0_5;
              skylighting = super.skylighting_0_14_5;
              skylighting-core = super.skylighting-core_0_14_5;
              tls = super.tls_2_1_5;
              crypton-connection = super.crypton-connection_0_4_3;
            };

            modifier = drv:
              if returnShellEnv
              then
                pkgs.haskell.lib.addBuildTools drv
                  (with pkgs.haskellPackages;
                  [
                    cabal-fmt
                    cabal-install
                    ghcid
                    haskell-language-server
                    pkgs.nixpkgs-fmt
                  ])
              else drv;
          };
        hsec-sync =
          pkgs.haskell.lib.dontCheck
            (pkgs.haskellPackages.callCabal2nix
              "hsec-sync"
              ./code/hsec-sync
              { inherit hsec-core; });

        # Global git config baked into the container image.  `safe.directory = *`
        # switches off git's "dubious ownership" check for every repository, which
        # is needed because the bind-mounted /repo is owned by the host user, not
        # the user running hsec-tools inside the container.  Only acceptable in a
        # single-purpose image like this one; do not copy it to a developer machine.
        gitconfig =
          pkgs.writeTextFile {
            name = ".gitconfig";
            text = ''
              [safe]
                  directory = *
            '';
            destination = "/.gitconfig"; # should match 'config.WorkDir'
          };
      in
      {
        packages.cvss = cvss;
        packages.osv = osv;
        packages.hsec-core = hsec-core;
        packages.hsec-tools = pkgs.haskell.lib.justStaticExecutables (hsec-tools false);
        packages.hsec-sync = hsec-sync;
        packages.hsec-tools-image =
          pkgs.dockerTools.buildImage {
            name = "haskell/hsec-tools";
            tag = "latest";

            copyToRoot = pkgs.buildEnv {
              name = "image-root";
              paths = [
                self.packages.${system}.hsec-tools
                pkgs.gitMinimal.out
                gitconfig
              ];
              pathsToLink = [ "/bin" "/" ];
            };
            runAsRoot = "rm -Rf /share";
            config = {
              Cmd = [ "/bin/hsec-tools" ];
              Env = [
                "LOCALE_ARCHIVE=${pkgs.glibcLocalesUtf8}/lib/locale/locale-archive"
                "LC_TIME=en_US.UTF-8"
                "LANG=en_US.UTF-8"
                "LANGUAGE=en"
                "LC_ALL=en_US.UTF-8"
                # Let git's repository discovery cross the mount boundary of /repo.
                "GIT_DISCOVERY_ACROSS_FILESYSTEM=1"
              ];
              Volumes = {
                "/repo" = { };
              };
              WorkDir = "/";
            };
          };
        # Used by `nix build` & `nix run` (prod exe)
        defaultPackage = self.packages.${system}.hsec-tools;

        # Used by `nix develop` (dev shell)
        devShell = hsec-tools true;
      });
}
-------------------------------------------------------------------------------- /meeting-notes/2023-05-17.md: --------------------------------------------------------------------------------
# SRT 2023-05-17

## Previous meeting's action items

- David: schedule fortnightly meetings in this slot
- David: Contact haskell.org to create the mailing list security-advisories@haskell.org (TODO)
- Fraser: Will create issues based on the contents of these notes to serve as basis for assigning tasks
- David: figure out how to get the Github permissions to happen


## Review open GitHub tickets

- review open tickets


## License for tool source code

- Decision: BSD-3-Clause
- Advisories themselves remain under Public Domain

- Labels for issues/PRs:
  - ones to add: advisory, tools, operations

## Mailing list

Question from haskell.org admin: "do you want a genuine mailman list that’s like a google group (only members can post), or an “alias list” that’s just an alias that forwards to a specified set of people?"

- Casey: prefers proper list with archive. Broad agreement.

## GitHub automation

BTW, do we merge PRs manually, or do we use an app/bot such as mergify?

- FT: I'm for it, but it's not urgent. Get the repo "open for business" first.

## Nix

There was a discussion about using it, but not mandating.

- Agreed.
- FT has a PR relaxing version bounds and adding CI for GHC 8.10 through 9.6.
- https://github.com/blackheaven/security-advisories/blob/tools/introduce-nix/.github/workflows/nix.yml

## The tool

- Tristan: What is the scope?
- David: The initial idea is "what RustSec does". Please rewrite it to whatever we need.
- FT: conformance checking and conversions (e.g. OSV, HTML, RSS)
-------------------------------------------------------------------------------- /meeting-notes/2023-05-31.md: --------------------------------------------------------------------------------
# SRT 2023-05-31

## Review open tickets

- **ensure OSV schema compatibility (#3)**
- register HSEC database and hackage ecosystem with OSV (#4)
- update hackage with "report security issue" feature (#7)
  - Tristan's update: there is a template, where we can add it.
- add reporting how-to to haskell.org (#8)
- example advisory (#14)

## Future tasks (no issue yet)

- **Announcements of security-advisories readiness to receive contributions**
- OSV export
- improving the tooling to "check all" / "render all"
- static site generation / CI/CD for publishing it

## Directory structure

- rustsec uses directories for `crates/packagename` and `rust/(rustdoc|std|...)`. We can do similar.
- the CI already supports nested directories
- the only file extension examined is: `*.md`


## Ask about cabal.project.freeze

- it gets in the way of development (for me) as I have a different GHC version.
- do we need to keep it? If so, can we mitigate the impact on developers somehow?
- Gautier: it's a way to be in sync with nix, but if the CI does not use it, I guess we can drop it
- Remove it and see if nix build breaks?

## Tooling to import older CVEs

- FT: AFAIK it's mostly in blog posts, a few CVE registrations, and tribal knowledge/folklore. There doesn't seem to be much we could do to automate that.


## Announcing that security-advisories is open for business

- ASAP, after we are happy with the schema and CI machinery
- Mailing list(s), discourse, reddit
- "official" orgs - Haskell.org, HF
  - and their twitter/fediverse accounts, ...

## ZuriHac

- Remote participation via discord server
- We should have a security-advisories channel to solicit advisories, and maybe hack on tooling too.
- https://s.surveylegend.com/-NWCiIfeZ0IjuNxEs7CL

## Other AIs

- Follow up with David about google meet access
- Create issue for zurihac. If we need an impromptu meeting it's ok :)
- Create issue to discuss if/how to represent packages not on hackage (e.g. on GitHub only).
  - For example, hackage-server lives on GitHub and makes releases from a branch. If there is an issue, how to represent introduced/fixed versions? How does OSV deal with this scenario?
-------------------------------------------------------------------------------- /meeting-notes/2023-06-15.md: --------------------------------------------------------------------------------
# SRT 2023-06-15

## Present
- Gautier
- Casey
- Mihai
- Fraser
- David

## Apology from David

David apologized for not being there to let people into the meeting room. He will change the invite to a jit.si link for next time.

## How to make the announcement

- official announcement: on discourse
- David: suggests doing so after there are ~5 real advisories in the repo
- We should give a few days heads up to projects that the public might think support it but don't at the start
- Announcement should include:
  - Short-term plans (e.g. OSV integration)
  - Long-term goals (cabal audit, Stack, Hackage, etc)
- Fraser will draft on mailing list next week

## Initial content

- List of known security issues: https://github.com/haskell/security-advisories/issues/32
- We should validate that the CVSS is correct while creating the advisory, rather than taking it at face value
  - Relevant post: https://daniel.haxx.se/blog/2023/06/12/nvd-damage-continued/
  - Fraser plans to work on a CVSS toolkit in Haskell
- David will create one for the TOML parser on Monday

## ZuriHac

- a lot of people were excited
- folks wondered why it was empty
- One volunteer pull request
  - FT: it was a great contribution!
- David's general comments:
  - GHC workshop went well
  - Getting folks together to contribute to important core stuff is very good.
  - Future thoughts: projects for Cabal / Hackage integration.

## Other community interest
- Casey: Should we look into letting Linux distributions know about us so we can get their reports?
- Fraser: Let's rely on the OSV tooling and hope that projects are consuming those streams. Also, most distros package only the dependencies for particular programs they want (e.g. pandoc) so we would have (a little) extra work to determine which distros are affected by an advisory.


## hsec-tools tooling

- support for multiple references, instead of single-valued "url" field, with the types supported by OSV (e.g. advisory, blog post, etc)
- We presently parse it as CommonMark, but we store the rendered HTML in the advisory datatype. We should instead store the CommonMark, because that's what's needed for OSV.
  - Store original text or AST or both? We should try and see.
- Can we migrate to `pandoc-types`? David didn't pick them to avoid GPL constraints, but it seems that the Pandoc integration is doable with BSD after all (the types package is BSD3). We should migrate.
  - *pandoc* is GPL, so static site builder w/ Hakyll needs to be a separate package under GPL, which consumes our libraries.
- We should (not urgent) extract OSV bits to a dedicated package.
- FT plans to write a CVSS library.
-------------------------------------------------------------------------------- /meeting-notes/2023-06-28.md: --------------------------------------------------------------------------------
# SRT 2023-06-28

## Previous Action Items

- Fraser did not yet draft the SRT announcement
- We still have several known issues yet to have the advisories submitted

## Library advisory role-play

- For multiple affected packages, where root cause is in a lower-level dependency: we MUST mention the "root" package, and SHOULD mention dependent packages that specifically mitigate the issue. So that tooling (e.g. cabal audit) can deduce that the issue is not occurring.

- Upcoming "vex" standard:
  - https://blog.adolus.com/what-is-vex-and-what-does-it-have-to-do-with-sboms
  - https://cyclonedx.org/capabilities/vex/


## OSV export

- demo
- branch name
  - **decision: `generated/osv-export`**
- git "user id" (name and email address)
  - Haskell Security Response Team
- commit message
  - currently just the timestamp
  - could include a reference to commit ID and/or commit message from the `main` branch
  - **Decision**: include source commit ID in OSV branch commit message
- Casey: what about signing the commits?
  - FT: then the private key needs to live in GitHub secrets. Not thrilled about it.
  - sigstore? What sort of GitHub actions integration do they have?
35 | - https://github.com/sigstore/gitsign 36 | - **Decision: investigate further** 37 | 38 | 39 | ## Real advisories 40 | (redacted) 41 | 42 | ## Distributor notification 43 | 44 | - We should have a directory of important distributors so that they can 45 | respond to issues. 46 | - Commit the checklist / playbook to the repo. 47 | - **Owner: Tristan** 48 | - Who: 49 | - Stack, GHCup, haskell-ci? 50 | - Linux distros 51 | 52 | ## Advisory "official launch" 53 | 54 | - still needs to draft announcement (David will draft and send to mailing list) 55 | - Also need to do quarterly report, so can roll them into one announcement :) 56 | 57 | ## Action items 58 | - Tristan: will adapt responsible disclosure instructions 59 | - Fraser: complete OSV data export CI action 60 | - David: will draft announcement/report for group 61 | - Tristan: Will email mailing list about **** issue and affected packages 62 | -------------------------------------------------------------------------------- /meeting-notes/2023-07-12.md: -------------------------------------------------------------------------------- 1 | # SRT 2023-07-12 2 | 3 | [Previous meeting](https://github.com/haskell/security-advisories/blob/main/meeting-notes/2023-06-28.md) 4 | 5 | ## Previous Items 6 | 7 | * Fraser sent the announcement/Q2 report - we are officially launched! 8 | * Tristan: will adapt responsible disclosure instructions - merged! 9 | * We do need to collect emails of packagers - Mihai will probably have them by tomorrow 10 | * We need a process update that specifies a collaboration with maintainers where they ensure patches apply cleanly and approve everything 11 | * Fraser: complete OSV data export CI action 12 | * Works on the test instance, waiting for review from OSV: https://github.com/haskell/security-advisories/tree/generated/osv-export/2023 13 | * Tristan: Will email mailing list about issue and affected packages Disclosure 14 | 15 | ## Switch TOML libraries? 
16 | 17 | We were sent a patch to use a different TOML parser by its author. David will get back to the author and ask him for a PR 18 | - Advantages: It can output TOML (nice in case of schema upgrades) and it lets us delete a little code 19 | 20 | ## GHC issue 23538 21 | https://gitlab.haskell.org/ghc/ghc/-/issues/23538 22 | 23 | David will ask GHC developers about an advisory 24 | 25 | ## Example roleplay (PR #56) 26 | https://github.com/haskell/security-advisories/pull/56 27 | 28 | David submitted and got CI to pass. 29 | Process issues: 30 | * CVSS didn´t get checked, and David didn't know what to do - ask for screenshot of CVSS calculator? 31 | * Can we make a GitHub bot that creates a verbose table from a CVSS vector in a PR? 32 | * PR isn't merged 33 | * What about a bot that merges anything approved? We can just use an existing one. 34 | 35 | ## Action Items 36 | - Tristan: will create an issue about using the declaration field in the schema for tooling 37 | - David will ask GHC about a base advisory 38 | - David will ask the TOML library author for a PR 39 | - Mihai will get the rest of the package maintainer emails 40 | -------------------------------------------------------------------------------- /meeting-notes/2023-07-26.md: -------------------------------------------------------------------------------- 1 | # SRT 2023-07-26 2 | 3 | ## osv.dev 4 | 5 | - Hackage advisories are in production now 6 | - Version enumeration for Hackage and GHC was merged 7 | - Outstanding task: add examples to osv-schema 8 | - Mihai has PR in the works 9 | 10 | ## Update on handling embargoed stuff 11 | 12 | - Gathering contact points for downstream 13 | - Someone needs to connect the dots to send messages 14 | - Contact list needs to be committed somewhere 15 | - Private contacts not be in the repo... so where? 16 | - Stored encrypted version in the security-advisories repo? 17 | - no 18 | - Use HF bitwarden account? 
(access/modify via HF admin access) 19 | - agreed 20 | 21 | ## What should be part of the database format? 22 | 23 | - Repo data storage / semantics. David has some concerns: 24 | - Symlinks. Doesn't work well on Windows? 25 | - dates being stored in Git repo 26 | 27 | ## Audit GHCup download practices 28 | 29 | - https://github.com/haskell/ghcup-hs/issues/858 30 | - FT's comments: https://github.com/haskell/ghcup-hs/issues/858#issuecomment-1639300092 31 | 32 | ## Reserving HSEC IDs 33 | 34 | - It would be useful to be able to reserve an HSEC ID 35 | - FT will propose a way to do it (discuss it in a GH issue) 36 | 37 | ## Any other known historical (or current) issues? 38 | 39 | - Pandoc 40 | - https://nvd.nist.gov/vuln/detail/CVE-2023-38745 41 | - https://nvd.nist.gov/vuln/detail/CVE-2023-35936 42 | 43 | ## Action items 44 | - Mihai 45 | - Will follow up for project contacts for embargoed issues 46 | - Look into GHCup #858 47 | - Everyone 48 | - Send David the email address used by your Bitwarden account 49 | so it can be added to HF's organization. 
50 | - FT 51 | - Documentation of repo structure, including symlinks 52 | - Documentation about dates - that they are retieved from Git history 53 | - full history required, not shallow clone 54 | - Create GH issue to design HSEC ID reservation feature 55 | - re Base readFloat, update bgamari that advisory exists 56 | - ping pandoc folks, ask them to submit advisories 57 | - someone 58 | - Requirements/guidelines for dependency analysis tooling 59 | - Start writing them down, commit to our repo 60 | -------------------------------------------------------------------------------- /meeting-notes/2023-08-09.md: -------------------------------------------------------------------------------- 1 | # SRT meeting 2023-08-09 2 | 3 | [Previous meeting notes](https://github.com/haskell/security-advisories/blob/main/meeting-notes/2023-07-26.md) 4 | 5 | ## Previous AIs: 6 | 7 | - Mihai 8 | - Will follow up for project contacts for embargoed issues 9 | - Look into GHCup #858 -- still in progress 10 | - Everyone 11 | - Send David the email address used by your Bitwarden account 12 | so it can be added to HF's organization. 
13 | - FT 14 | - Documentation of repo structure, including symlinks 15 | - Documentation about dates - that they are retieved from Git history 16 | - full history required, not shallow clone 17 | - Create GH issue to design HSEC ID reservation feature 18 | - re Base readFloat, update bgamari that advisory exists 19 | - ping pandoc folks, ask them to submit advisories 20 | - someone 21 | - Requirements/guidelines for dependency analysis tooling 22 | - Start writing them down, commit to our repo 23 | 24 | ## Pandoc 25 | 26 | - New pandoc issue: https://github.com/jgm/pandoc/security/advisories/GHSA-xj5q-fv23-575g 27 | - Related issue: https://github.com/jgm/pandoc/issues/8584 28 | - Security section of manual: https://pandoc.org/MANUAL.html#a-note-on-security 29 | 30 | 31 | ## Recording affected symbols 32 | 33 | - Tristan looking into it 34 | - Some doubts about how to record e.g. type class instances 35 | - GitHub issue we can use for discussion: https://github.com/haskell/security-advisories/issues/86 *"Leverage the declaration field to specify which function is affected"* 36 | 37 | 38 | ## ID reservation 39 | 40 | - PR: https://github.com/haskell/security-advisories/pull/114 41 | - `hsec-tools reserve-id --assign --commit` 42 | - TODO: add diagnostic output e.g. "Reserved HSEC-YYYY-NNNN.md" 43 | 44 | 45 | ## Publishing hsec-tools to hackage? 
46 | 47 | - We should probably do it some time :) 48 | - Maybe extract OSV library first, and land the toml library change first 49 | 50 | ## Purl parsing 51 | 52 | - [spec](https://github.com/package-url/purl-spec) 53 | - [Hackage](https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst#hackage) 54 | - Casey started work on this 55 | - We should define and propose to haskell community a *profile* of Purl, in particular how to represent 56 | - Package components (`lib`, `exe:`, `lib:`) 57 | - Cabal flags (`[+-]`) 58 | - There is a hackage namespace defined for Purl, but it does not suggest how to represent these data 59 | 60 | 61 | ## Action Items 62 | - Bitwarden accounts? 63 | - Mihai: 64 | - Progress on embargoed items 65 | - Look into GHCup #858 -- still in progress 66 | - Tristan: rebase the toml-parser PR#88 67 | 68 | - David: Encourage Pandoc devs to test out our advisory process 69 | - FT: Documentation of repo structure 70 | - FT: Diagnostic output (created file XYZ) 71 | - FT to publish PR for (currently WIP) enhancement to record package components in HSEC security-advisories 72 | -------------------------------------------------------------------------------- /meeting-notes/2023-08-23.md: -------------------------------------------------------------------------------- 1 | # SRT 2023-08-23 2 | 3 | [Previous meeting](https://github.com/haskell/security-advisories/blob/main/meeting-notes/2023-08-09.md) 4 | 5 | Present: 6 | * Gautier 7 | * Mihai 8 | * Casey 9 | * Tristan 10 | * david 11 | 12 | # Previous action items 13 | 14 | 15 | * Bitwarden accounts? 
16 | * Mihai and Casey have access and are confirmed 17 | 18 | * Mihai: 19 | 20 | * Progress on embargoed items 21 | * The repo now contains the distribution list for who to send embargoed items to 22 | * Look into GHCup #858 -- still in progress 23 | * Mostly done, need to decide whether to send private email or reply on issue 24 | 25 | * Tristan: rebase the toml-parser PR#88 26 | * Done, this is now ready to review 27 | 28 | * David: Encourage Pandoc devs to test out our advisory process 29 | * Done: HSEC-2023-0014 30 | 31 | * FT: Documentation of repo structure 32 | 33 | * FT: Diagnostic output (created file XYZ) 34 | 35 | * FT to publish PR for (currently WIP) enhancement to record package components in HSEC security-advisories 36 | 37 | # HSEC-2023-0014 38 | 39 | * First advisory contribution: https://github.com/haskell/security-advisories/pull/115 40 | 41 | # CWE Library 42 | 43 | * Tristan proposed a new library to resolve CWE id and make advisory more readable: https://github.com/haskell/security-advisories/pull/116 44 | -------------------------------------------------------------------------------- /meeting-notes/2023-09-20.md: -------------------------------------------------------------------------------- 1 | - SRT 2023/09/20 2 | 3 | # Present 4 | - Gautier 5 | - Mihai 6 | - David 7 | - Casey 8 | 9 | # hsec-tools 10 | - casey: need to rebase changes in regarding purl spec code and sync up with Frasier about his comments about the specification. 11 | - mihai: embargo status and still working on GHCup review 12 | 13 | # security scanner 14 | - david: had a conversation about the need for a security scanner. 
15 | -------------------------------------------------------------------------------- /meeting-notes/2023-10-04.md: -------------------------------------------------------------------------------- 1 | - SRT 2023/10/04 2 | 3 | # Present 4 | - Gautier 5 | - Tristan 6 | 7 | # Pull-Requests 8 | - Gautier: many PRs are stalling, while being approved 9 | - Gautier: rebase PRs and merge them if there are enough approval 10 | 11 | # Embargo update 12 | - Tristan: still waiting for upstream release, should we make the advisory public? 13 | 14 | # Action items 15 | - Let's merge the open PR unless there is an objections 16 | -------------------------------------------------------------------------------- /meeting-notes/2023-10-18.md: -------------------------------------------------------------------------------- 1 | # SRT meeting 2023-10-18 2 | 3 | [Previous meeting notes](https://github.com/haskell/security-advisories/blob/main/meeting-notes/2023-10-04.md) 4 | 5 | ## Present 6 | 7 | - Tristan, Gautier and Fraser 8 | 9 | ## Previous AIs 10 | 11 | - PR have been merged 12 | 13 | ## Remaining work to be merged 14 | 15 | - CWE and CVSS validation and data type 16 | - Work on GitHub workflow automation enhancement can proceed when this has been merged. 17 | - FT: As far as I know, we have to pursue a webhook or "bot" approach 18 | rather than exeucting behaviour within webhooks, because PRs from 19 | forks do not have privileged tokens. 20 | - Tristan: what about issues? Do actions triggered by issues have the needed permissions? 21 | - OpenStack CI has a concept of config job which can run with privileged on untrusted project. 
22 | 23 | ## Downstream tooling 24 | 25 | - David's post calling for action: 26 | https://discourse.haskell.org/t/would-you-like-to-write-a-security-advisory-analyzer/7638 27 | - Gautier: community contribution that was merged as part of the `check` command: https://github.com/blackheaven/security-advisories/pull/2 28 | 29 | ## Outstanding embargoed issue 30 | 31 | - Follow up with Mihai if he knows the status. We might 32 | set a date for disclosure and advise downstream and upstream 33 | -------------------------------------------------------------------------------- /meeting-notes/2023-11-01.md: -------------------------------------------------------------------------------- 1 | # SRT meeting 2023-11-01 2 | 3 | Previous notes: https://edit.smart-cactus.org/cpEZf5ykQZGowfAzI3OPcA?both# 4 | 5 | ## Present 6 | 7 | - Tristan, Gautier and Fraser 8 | 9 | 10 | ## CVSS 11 | 12 | - Tristan is working through the TODOs. 13 | 14 | ## GitHub automation 15 | 16 | - Fraser is hoping to start work during the next 2 weeks. 17 | 18 | 19 | ## Outstanding embargoed issue 20 | 21 | - Follow up with Mihai if he knows the status. We might 22 | set a date for disclosure and advise downstream and upstream 23 | 24 | ## Quarterly report 25 | 26 | - We are overdue for the Q3 report. Fraser will draft 27 | a report in the next period. -------------------------------------------------------------------------------- /meeting-notes/2023-11-15.md: -------------------------------------------------------------------------------- 1 | # SRT meeting 2023-11-15 2 | 3 | Previous notes: https://github.com/haskell/security-advisories/blob/main/meeting-notes/2023-11-01.md 4 | 5 | ## Previous AIs 6 | 7 | - FT still need to write up (overdue) quarterly report 8 | 9 | ## cabal-install issue 10 | 11 | - It is now public and the HSEC advisory created. 
12 | - https://osv.dev/vulnerability/HSEC-2023-0015 13 | 14 | ## Purl-spec refinements 15 | 16 | - https://github.com/haskell/security-advisories/issues/102 17 | - This work should resume soon 18 | 19 | ## Website 20 | 21 | - https://github.com/haskell/security-advisories/issues/31 22 | - Where to publish 23 | - GitHub pages, and ask haskell.org for a subdomain? 24 | - Gautier will handle GitHub pages publication 25 | - **AI**: Mihai will ask. 26 | 27 | ## VEX 28 | 29 | ## New HF ED 30 | 31 | - FT will sync with Jose and let him know what we're up to. 32 | -------------------------------------------------------------------------------- /meeting-notes/2023-11-29.md: -------------------------------------------------------------------------------- 1 | # SRT meeting 2023-11-29 2 | 3 | Previous meeting notes: 4 | https://github.com/haskell/security-advisories/blob/main/meeting-notes/2023-11-15.md 5 | 6 | ## Previous AIs 7 | 8 | - Website - generation and pushing to `generated/gh-pages` is done. 9 | But it is not being published as expected. Investigation ongoing. 10 | - FT synced with Jose. 11 | - "Quarterly" report still TODO 12 | 13 | ## Purl-spec refinements 14 | 15 | - https://github.com/haskell/security-advisories/issues/102 16 | - Casey: should be happening soon 17 | 18 | ## GitHub tooling 19 | 20 | - FT hoping to start over Christmas break 21 | 22 | ## Libraries 23 | 24 | - Still plan to do OSV extration. 25 | - Still plan to extract our core Advisory types and parsing/printing. 26 | - Publishing our libs on Hackage. 
27 | -------------------------------------------------------------------------------- /meeting-notes/2023-12-13.md: -------------------------------------------------------------------------------- 1 | # SRT meeting 2023-12-13 2 | 3 | Previous meeting notes: https://github.com/haskell/security-advisories/blob/main/meeting-notes/2023-11-29.md 4 | 5 | ## Previous AIs 6 | 7 | - Website publication (from https://github.com/haskell/security-advisories/tree/generated/gh-pages ) 8 | - "Quarterly" report still TODO 9 | 10 | ## OSV output fixed 11 | 12 | - Reported by a community member: https://github.com/haskell/security-advisories/issues/135 13 | 14 | ## Website 15 | 16 | - Need to request the creation of this repository: https://github.com/haskell/haskell.github.io 17 | 18 | ## CWE data type 19 | 20 | - TC: to add osv export golden test and rebase the PR 21 | -------------------------------------------------------------------------------- /meeting-notes/2024-01-10.md: -------------------------------------------------------------------------------- 1 | # SRT meeting 2024-01-10 2 | 3 | Previous meeting notes: https://github.com/haskell/security-advisories/blob/main/meeting-notes/2023-12-13.md 4 | 5 | 6 | ## 2023 H2 report 7 | 8 | - Draft sent to list; thanks for reviews. FT will publish today. 9 | 10 | ## ZuriHac plans 11 | 12 | - We agree it's a good idea to have a project, e.g. `cabal audit`, Hackage server. 13 | - Timeline: Jan for concept, March for concrete budget. 14 | - Jose has contact points with cabal-install and HLS. hackage-server seems somewhat unloved. 15 | - Maybe we prioritise getting hackage-server attention? 16 | - Many security improvment should/could be done (e.g. 2FA) 17 | - Can continue the discussion on list or GH issue (public). 18 | 19 | ## Oustanding PRs 20 | 21 | - CWE library support. 
22 | 23 | ## Downstream toolling 24 | 25 | - Tristan already started something regarding tracking function calls 26 | https://github.com/TristanCacqueray/cabal-audit 27 | - Support to suppress false positives will be important, esp. because we have >0 advisories for *base*. This could be VEX and/or some other mechanism. 28 | 29 | ## Publishing the HTML advisory index 30 | 31 | - Mihai: I was planning to look into the GHA but didn't get a chance yet 32 | -------------------------------------------------------------------------------- /meeting-notes/2024-01-24.md: -------------------------------------------------------------------------------- 1 | # SRT meeting 2024-01-24 2 | 3 | Previous meeting notes: https://github.com/haskell/security-advisories/blob/main/meeting-notes/2024-01-10.md 4 | 5 | ## Undisclosed security issue 6 | 7 | - Received via the mailing-list 8 | - the reporter was unable to send the full report (the PDF is too big) 9 | - Gautier has contacted the maintainers. 10 | 11 | ## WebSite got published 12 | 13 | Initial version is now available at: https://haskell.github.io/security-advisories/ 14 | 15 | ## Report got published 16 | 17 | The H2 report has been published on discourse: 18 | https://discourse.haskell.org/t/haskell-security-response-team-2023-july-december-report/8531 19 | -------------------------------------------------------------------------------- /meeting-notes/2024-02-07.md: -------------------------------------------------------------------------------- 1 | # SRT meeting 2024-02-07 2 | 3 | Previous meeting notes: 4 | https://github.com/haskell/security-advisories/blob/main/meeting-notes/2024-01-24.md 5 | 6 | ## Ongoing security issue (embargoed) 7 | 8 | - SRT agrees it matters, but it is out of our hands. 9 | - All we can do is make recommendations. 10 | - Mihai will lead response. 
11 | 12 | ## hackage-server 13 | 14 | - Gautier filed a PR adding link to security-advisories repo: 15 | https://github.com/haskell/hackage-server/pull/1292 16 | 17 | ## Small CLI improvements 18 | 19 | - A community member worked on small fix in 20 | [#147](https://github.com/haskell/security-advisories/pull/147) and 21 | bootstrapped the cabal audit command in 22 | [#148](https://github.com/haskell/security-advisories/pull/148). 23 | -------------------------------------------------------------------------------- /meeting-notes/2024-02-21.md: -------------------------------------------------------------------------------- 1 | # SRT meeting 2024-02-21 2 | 3 | Previous meeting notes: 4 | https://github.com/haskell/security-advisories/blob/main/meeting-notes/2024-02-07.md 5 | 6 | ## Ongoing security issue (embargoed) 7 | 8 | - Mihai wits for Google approval to share the guidelines (hopefully today or tomorrow) 9 | 10 | ## Small CLI improvements 11 | 12 | - [#148](https://github.com/haskell/security-advisories/pull/148) some progress have been made, but the PR is still in draft 13 | 14 | ## ZuriHac workshop 15 | 16 | - Two days has been nearly filled 17 | - Jose will coordinate HRT and Hackage team 18 | -------------------------------------------------------------------------------- /meeting-notes/2024-03-06.md: -------------------------------------------------------------------------------- 1 | # SRT meeting 2024-03-06 2 | 3 | - Previous meeting: 4 | https://github.com/haskell/security-advisories/blob/main/meeting-notes/2024-02-21.md 5 | 6 | ## pre-ZuriHac ecosystem workshop 7 | 8 | - 6-7 June (before ZuriHac) 9 | - https://haskell.foundation/events/2024-haskell-ecosystem-workshop.html 10 | - Registration is open; fee can be waived for SRT members 11 | - SRT members attending: 12 | - Gautier confirmed, others looking into it. 13 | - Jose wants all of us to attend, if we can. 14 | Other SRT members want to come but need to work out if we can. 
15 | 16 | 17 | ## Other updates (things that happened) 18 | 19 | - Update hsec-tools to toml-parser v2 20 | - Fixed web advisory index publishing. 21 | - One historical advisory added (external contributor) 22 | - Mihai has approval to publish the GHA documentation/guide. 23 | He will send to SRT list first, then to researcher. 24 | 25 | ## Outstanding PRs 26 | 27 | - CWE module 28 | ([#116](https://github.com/haskell/security-advisories/pull/116)) 29 | 30 | ## Other work to be done 31 | 32 | - Publishing our libraries on Hackage. 33 | - What is the state of our package docs? Might need some work... 34 | -------------------------------------------------------------------------------- /meeting-notes/2024-03-20.md: -------------------------------------------------------------------------------- 1 | # SRT meeting 2024-03-20 2 | 3 | - Previous meeting: 4 | https://github.com/haskell/security-advisories/blob/main/meeting-notes/2024-03-20.md 5 | 6 | ## Code update 7 | 8 | - We implemented an atom feed in [#160](https://github.com/haskell/security-advisories/pull/157): https://haskell.github.io/security-advisories/atom.xml 9 | - We added a CAPEC field in [#164](https://github.com/haskell/security-advisories/pull/164). 10 | - The command line to check a given project is taking shape in [#148](https://github.com/haskell/security-advisories/pull/148). 11 | - The CWE module is still up for review ([#116](https://github.com/haskell/security-advisories/pull/116)). 12 | 13 | ## Advisory update 14 | 15 | - We published HSEC-2024-0002 quickly after the initial report ([#157](https://github.com/haskell/security-advisories/pull/157)). 16 | - We are coordinating a new issue reported via the mailing-list. 
17 | -------------------------------------------------------------------------------- /meeting-notes/2024-04-03.md: -------------------------------------------------------------------------------- 1 | # SRT meeting 2024-04-03 2 | 3 | Previous meeting notes: 4 | https://github.com/haskell/security-advisories/blob/main/meeting-notes/2024-03-20.md 5 | 6 | ## ZuriHac / Haskell Ecosystem Workshop 7 | 8 | - Fraser is going 9 | - Gautier is going 10 | - Mihai will know on Friday if he is attending 11 | - Tristan cannot attend 12 | 13 | ## Quarterly report 14 | 15 | - Draft: https://github.com/haskell/security-advisories/pull/180 16 | - FT asked Mihai to contribute a section for the CI security 17 | recommendations. 18 | 19 | ## VINCE 20 | 21 | - FT reached out to CERT/CC to ask for help 22 | - `security-advisories@haskell.org` is notification-only. 23 | - We should make individual accounts (TOTP required) and they can be 24 | associated with the "Haskell Programming Language" org within 25 | VINCE. 26 | 27 | ## GitHub Actions Runners 28 | 29 | - The reporter was asking what the resolution was. 30 | - Mihai will create a PR with the guidelines documentation and 31 | contact the repo and reporter. 32 | - We cannot fix globally because there is not a single org with all 33 | the Haskell. But we can provide the guidance and recommendations 34 | to the community. 35 | 36 | ## A "security" section within haskell.org 37 | 38 | - Jose: Is there a place for collecting ecosystem-wide best 39 | practices? (whether for security, or more generally) 40 | - We would like a section within haskell.org where our 41 | recommendations and info about the advisory DB lives. A more 42 | "official" documentation about Haskell security and the SRT. 43 | - Perhaps also the wiki. 44 | 45 | ## liblzma/xz vulnerability? 46 | 47 | - The backdoor was inserted using binary data from test suite, and 48 | only during RPM/.deb builds. 
Even if code was lifted and used in 49 | cbits, the backdoor probably would not be there. 50 | - But we should still verify. FT will ask Casey. 51 | 52 | ## yaml vulnerability 53 | 54 | - Impact and exploitability vector are not clear enough to offer 55 | remediation advice. 56 | - FT will create the advisory. 57 | - We need to check if other yaml packages are affected. 58 | 59 | ## Pull requests 60 | 61 | - [cabal audit (#148)](https://github.com/haskell/security-advisories/pull/148) 62 | - The author is keen on making changes if any more feedback 63 | - He is afraid of going forward with other contributions if he has to rebase 64 | - [cabal audit osv/json (#178)](https://github.com/haskell/security-advisories/pull/178) 65 | 66 | - [hsec-sync (#168)](https://github.com/haskell/security-advisories/pull/168) (merged) 67 | - [hsec-tools snapshot (#179)](https://github.com/haskell/security-advisories/pull/179) 68 | - FT: we want to avoid switching TOML library (again), if we can. 69 | -------------------------------------------------------------------------------- /meeting-notes/2024-04-17.md: -------------------------------------------------------------------------------- 1 | # SRT meeting 2024-04-17 2 | 3 | Previous meeting notes: 4 | https://github.com/haskell/security-advisories/blob/main/meeting-notes/2024-04-03.md 5 | 6 | ## YAML vulnerability 7 | 8 | * Assessment in progress for CVE-2024-3205 ([#181](https://github.com/haskell/security-advisories/issues/181)) 9 | 10 | ## Revised HSEC-2024-0003 11 | 12 | * Updated advisory to include released fixes ([#191](https://github.com/haskell/security-advisories/pull/191)) 13 | 14 | ## Initial Hackage password storage migration plan 15 | 16 | * Fraser came up with a draft 17 | * Some comments have been made but everyone agree it is the right direction 18 | 19 | ## SRT meeting rescheduling 20 | 21 | * Over time the chosen time-slot seems to conflict with team members' schedules 22 | * Gautier will create and send a new 
poll to pick a more suitable one 23 | -------------------------------------------------------------------------------- /meeting-notes/2024-05-01.md: -------------------------------------------------------------------------------- 1 | # SRT meeting 2024-05-01 2 | 3 | Previous notes: 4 | https://github.com/haskell/security-advisories/blob/main/meeting-notes/2024-04-17.md 5 | 6 | ## CI security advice 7 | 8 | - Mihai published the draft: 9 | https://github.com/haskell/security-advisories/blob/main/guides/github.md 10 | - A couple more comments to handle, then it will be published to Discourse 11 | 12 | ## Web area for SRT 13 | 14 | - FT will work to bootstrap this. We can publish our guides, 15 | reports, and general information there. 16 | 17 | ## Publishing our packages to Hackage 18 | 19 | - FT will begin on this in the next week. 20 | - Discussion: do we want to set up auto-publish from GitHub? 21 | - There is a GHA by Brandon Chinn to publish to Hackage. 22 | - https://github.com/fourmolu/fourmolu/blob/main/.github/workflows/release.yml 23 | - Does it work with subpackages? We would need to see. 24 | - From supply chain security POV it's better to have an action 25 | than having developers make the dist and publish themselves. 26 | - Maybe this is a good topic for our second *guide* and/or a tool 27 | to validate release tarball from the sources :) 28 | - We will look into this after the initial package release to Hackage. 29 | 30 | ## New meeting time 31 | 32 | - The when2meet tool does not seem to take timezones into account? 33 | - We might need a second round / better tool :) 34 | - FT will look for a better tool. Or else use same tool but in UTC. 35 | 36 | ## The expanding scope of SRT 37 | 38 | - With cabal-audit proposed for our repo, the scope has expanded. 
39 | 40 | - Advisory workload is low, so team does have capacity to own this 41 | 42 | - FT: I see cabal-audit as a transitional effort anyway; ideally we 43 | do not have to own it forever and the capability can be absorbed 44 | into Cabal itself. 45 | 46 | - Idea: cabal-audit lives in its own repo, not security-advisories repo 47 | - Prerequisite: publish our packages 48 | - Advantage: not "owned" by SRT, others might be more eager/willing to contribute. 49 | - We will have the discussion in public, with the contributor MangoIV. 50 | -------------------------------------------------------------------------------- /meeting-notes/2024-05-15.md: -------------------------------------------------------------------------------- 1 | # SRT meeting 2024-05-15 2 | 3 | Previous notes: 4 | https://github.com/haskell/security-advisories/blob/main/meeting-notes/2024-05-01.md 5 | 6 | ## Cabal plan integration 7 | 8 | - A new cabal-audit project consuming the security-avisories is now being worked on https://github.com/mangoiv/cabal-audit 9 | 10 | ## CI Security Advice Update 11 | 12 | - Shared on [discourse]( https://discourse.haskell.org/t/how-to-secure-github-repositories/9478) 13 | - Updated the guide based on feedback [PR#193](https://github.com/haskell/security-advisories/pull/193) 14 | 15 | ## Hackage Auth 16 | 17 | - Discussed with hackage team to improve the authentication scheme. 18 | 19 | ## Dependencies analysis 20 | 21 | - Investigated getting in touch with deps.dev to increase audit coverage. 22 | - Also considering dependabot support for cabal dependencies. 
-------------------------------------------------------------------------------- /meeting-notes/2024-05-29.md: --------------------------------------------------------------------------------

# SRT meeting 2024-05-29

Previously:
https://github.com/haskell/security-advisories/blob/main/meeting-notes/2024-05-15.md

## Publishing our tools on Hackage

- Packages: cvss, osv, hsec-core, hsec-tools, hsec-sync
- FT will upload. Just asking if there are further comments about version numbers, dependency version constraints, etc.?
- Co-maintainers: who, and what are your Hackage usernames?
  - `gdifolco`
  - `TristanCacqueray`

## SRT members, moving forward

- Casey has limited time.
- We're at the 1y point, time for a new call?
- Updating the charter: Casey thinks we should expand it to be more involved with the tooling (within and without the ecosystem).
- Remember the original motivation: supporting enterprise adoption.
  - e.g. financial industry: how well do we meet their standards?
  - Survey industry users to understand what is lacking?
  - [FT] FIPS mode, verified crypto libraries (i.e. back on to OpenSSL/NSS/etc.)
- What is missing:
  - SBOM? ("software provenance")
  - Larger discovery effort?
  - OSS-Fuzz support?
  - OpenSSF best practices: https://www.bestpractices.dev/en/criteria/0 ?
- SRT has some context-switching. Should we have separate subgroups for triage / tool development / etc.?
- We can discuss on the list over the coming days, and engage with folks at ZuriHac to determine the next move. General agreement that we can/should grow the team.
- Retirements: Casey will step back. (Thank you for all you've done!)

## YAML advisory has been rejected ([#181](https://github.com/haskell/security-advisories/issues/181))

- FT will ask Julian if he is satisfied with this conclusion.

## deps.dev

- FT received a message from a deps.dev developer at Google. Still need to follow up.

-------------------------------------------------------------------------------- /meeting-notes/2024-06-12.md: --------------------------------------------------------------------------------

# SRT meeting 2024-06-12

Previously:
https://github.com/haskell/security-advisories/blob/main/meeting-notes/2024-05-29.md

## haskell.org security page

There is now https://www.haskell.org/security/

We still need to configure subdomains so that the advisories index (which was redesigned to be compliant with the Haskell Foundation design) is automatically updated.

## CVSS Version 4

Initial PR to support CVSS Version 4: [#208](https://github.com/haskell/security-advisories/pull/208)

## Fixed git timestamp parsing logic

Switched to UTCTime everywhere to avoid unexpected issues: [#201](https://github.com/haskell/security-advisories/pull/201).

## Snapshots to distribute advisories

Gautier worked on [#179](https://github.com/haskell/security-advisories/pull/179) to introduce a new export mode to hsec-sync to help downstream users (without a git dependency).

## Ecosystem Workshop

Fraser introduced the SRT at the ZuriHac workshop.

The main issue to tackle is the SBOM (e.g. with SPDX).

## 2024 April-June report

Fraser mostly completed it; we might want to add the slides he used during the ZuriHac Ecosystem Workshop to the repository.

## Advisory database

Additionally, 2 HSEC IDs have been reserved for an embargoed vulnerability that we anticipate will be published in Q3.
-------------------------------------------------------------------------------- /meeting-notes/2024-06-26.md: --------------------------------------------------------------------------------

# SRT meeting 2024-06-26

Previously:
https://github.com/haskell/security-advisories/blob/main/meeting-notes/2024-06-12.md

## GHC numeric bugs [#210](https://github.com/haskell/security-advisories/issues/210)

- Tristan will prepare the advisory.
- For the aarch64 / powerpc issues, these are not in base but in the compiler.
  - Advisory content would live in `advisories/ghc/compiler`, e.g.
  - We need to decide and document the "component" names in the `ghc` namespace, e.g. `compiler`, `GHCi`, `RTS`.
  - And we will also need to update our OSV generation code to read the files in the `ghc` subdir and generate the correct OSV, using the `GHC` namespace and the recognised component names.
- We are up to `HSEC-2024-0006` (0004 and 0005 have been reserved).

## Snapshot PR

- Gautier addressed the review comments; Fraser is still reviewing the updates.

## GitHub integration

- Gautier will reach out to others who already looked at or thought about this.

-------------------------------------------------------------------------------- /meeting-notes/2024-07-10.md: --------------------------------------------------------------------------------

# SRT meeting 2024-07-10

Previously:
https://github.com/haskell/security-advisories/blob/main/meeting-notes/2024-06-26.md

## Advisories ecosystem ([#213](https://github.com/haskell/security-advisories/pull/213))

- Schema update proposed.
- Example advisories for GHC proposed in [#214](https://github.com/haskell/security-advisories/pull/214).

## Snapshots

- FT still needs to (re)review Gautier's PR.

## Growing SRT / call for volunteers

- Time to draft a call for volunteers ([previous one](https://discourse.haskell.org/t/call-for-volunteers-haskell-security-response-team/5770))
- How many people?

## Dependabot

- Gautier will ping people who had previously attempted GitHub integration.

-------------------------------------------------------------------------------- /meeting-notes/2024-07-24.md: --------------------------------------------------------------------------------

# SRT meeting 2024-07-24

Previously:
https://github.com/haskell/security-advisories/blob/main/meeting-notes/2024-07-10.md

## GitHub Dependabot integration

- Gautier talked to Arnaud, who made an integration attempt.
- Arnaud paired with someone at GH but they have not made significant progress on it.
- We may have to start over.

## Tooling

- Finally merged the snapshots PR [(#179)][pr-179] (thanks Gautier)
- Merged the CVSS v2.0 (+ OSV) fix [(#218)][pr-218] (thanks Tristan)
- Adding the GHC ecosystem support [(#213)][pr-213]
  - review in progress
  - advisory for GHC numeric bugs [(#214)][pr-214] depends on this
- CVSS 4.0 support [(#208)][pr-208]
  - ping andrii for status update?

[pr-179]: https://github.com/haskell/security-advisories/pull/179
[pr-208]: https://github.com/haskell/security-advisories/pull/208
[pr-213]: https://github.com/haskell/security-advisories/pull/213
[pr-214]: https://github.com/haskell/security-advisories/pull/214
[pr-218]: https://github.com/haskell/security-advisories/pull/218

## Quarterly report

- Was published:
  https://discourse.haskell.org/t/haskell-security-response-team-2024-april-june-report/9983

## Call for Volunteers

- We should draft and publish one soon.
- Q: call for a specific number, or wait and see?
  - Be general and commit later.
  - We can mention particular projects / initiatives and applicants can (optionally) identify the particular area(s) they'd like to tackle.
  - This includes development efforts, and "latent capacity" for dealing with advisory or security incidents.
- José will draft an announcement, and we will review it on the mailing list.

## Mailing list

- FT will make sure José is on it!

## Bay Area Haskell meetup

- Mihai will present about SRT at a future session.

-------------------------------------------------------------------------------- /meeting-notes/2024-08-07.md: --------------------------------------------------------------------------------

# SRT meeting 2024-08-07

Previously:
https://github.com/haskell/security-advisories/blob/main/meeting-notes/2024-07-24.md

## Embargoed vulnerability work

We contacted the affected maintainers and we are coordinating the disclosure.

## haskell.org CRLF injection vulnerability

Divya Singh reported a vulnerability on the haskell.org website that has been fixed by upgrading the Apache package.

## CVSS version 4.0 [#208](https://github.com/haskell/security-advisories/pull/208)

@unorsk added support for the latest Common Vulnerability Scoring System.

## haskell.org blog and security advisories

We discussed posting security update news to the upcoming haskell.org blog.

## Call for Volunteers

The draft is still in progress.

## GitHub Action cabal-audit scan

* Gautier has started to work on a [GitHub Action](https://github.com/blackheaven/haskell-security-action) which aims to run `cabal audit`.
* Still under development; most of the code is done (i.e. push results to the security section of the repository).
* Packaging issues mainly for the moment.

-------------------------------------------------------------------------------- /meeting-notes/2024-08-21.md: --------------------------------------------------------------------------------

# SRT meeting 2024-08-21

Previously:
https://github.com/haskell/security-advisories/blob/main/meeting-notes/2024-08-07

## Embargoed vulnerability work

We provided a fix and we are coordinating the disclosure.

## Call for Volunteers

Jose wrote a draft to be communicated soon.

## GitHub Action cabal-audit scan

* Gautier has a minimal working version of the [GitHub Action](https://github.com/blackheaven/haskell-security-action).
* An example: [here](https://github.com/blackheaven/vulnerable-sandbox/security/code-scanning/1)
* He made an [RFC](https://discourse.haskell.org/t/request-for-comments-github-haskell-security-action/10191).
* After discussing with MangoIV, Gautier will upstream the SARIF file generation in `cabal-audit`.

-------------------------------------------------------------------------------- /meeting-notes/2024-09-04.md: --------------------------------------------------------------------------------

# SRT meeting 2024-09-04

Previously: https://github.com/haskell/security-advisories/blob/main/meeting-notes/2024-08-21.md

## HSEC-2024-0003 - process fix

- PR [#324](https://github.com/haskell/process/pull/324) published (expect merge and release soon)
- HSEC-2024-0003 advisory update draft PR: [#236](https://github.com/haskell/security-advisories/pull/236)

## *Trusted publishing* for Hackage

- Token workflow
  - Hackage supports token authn today, but the tokens are unscoped.
- See also the PyPI implementation: https://docs.pypi.org/trusted-publishers/
  - Project page references the trusted repo.
  - GHA uses OIDC to authenticate to PyPI and get a short-lived (minutes) token.
  - GHA or publishing workflow uses the token to publish the new package version.

## Roadmap of ecosystem security improvements

- Man-years of effort are already known :)
- We should write it all down in a digestible form.
  - Might make getting funding easier?
  - Menu / prospectus

### New ideas

- RTS fuzzing (Mihai)
  - or general fuzzing tooling for Haskell programmers

## haskell-security-action (GHA)

- Gautier published a draft GHA for detecting security issues and bumping bounds (using [cabal-audit](https://github.com/MangoIV/cabal-audit/pull/50)).
  - GHA draft: https://github.com/blackheaven/haskell-security-action
  - Playground: https://github.com/blackheaven/vulnerable-sandbox/
- Please review and test!
- Still a lot of work on it: correct file name/line, fix propositions, PR creation, etc.

## Call for volunteers

- Jose's draft is good.
- How many: "around two or three more members"
- Closing date: end of September.
- Fraser will be the primary collector of submissions.

-------------------------------------------------------------------------------- /meeting-notes/2024-10-02.md: --------------------------------------------------------------------------------

# SRT meeting 2024-10-02

Previously: https://github.com/haskell/security-advisories/blob/main/meeting-notes/2024-09-04.md

## Quarterly report

Fraser will draft this weekend, and send it to the list for review.

## New SRT members

Application period closed. There were 4 applications. Fraser will compile them and share in the coming days.

## Hacktoberfest (GitHub)

- Hécate asks us to put forward some issues.
- `good-first-issue` (or similar) label?
- Let's review the open issues and discuss on-list, then share with Hécate.

## Hackage packages release

- Downstream (`cabal-audit`, `flora`) ask for it (the new `hsec-sync` does not rely on `git`).
- Too much work left to be done on `CVSS 4.0`; it'll be shipped in the next release.

## Trusted publishing and fuzzing

- Mihai still to do this prep/proposal.

## Prospectus

- A prospectus of ideas for SRT (or other people working on Haskell security) will be valuable for HF in asking for funding.
- So, we need to put it together :)

## GHC 9.10 support in tools/libs

- Still waiting on `feed`, which does not support base-4.20.
- Probably need to nudge Hackage trustees for a metadata revision.

## Outstanding PR review

- We went through the outstanding PRs in our repo; discussed what to do with them.

-------------------------------------------------------------------------------- /meeting-notes/2024-10-16.md: --------------------------------------------------------------------------------

# SRT meeting 2024-10-16

Previously:
https://github.com/haskell/security-advisories/blob/main/meeting-notes/2024-10-02.md

## Call for Volunteers

- FT sent each of the 4 applications to the list.
- Upon discussion, we will accept 2.
- SRT members, please review and respond on the ML (the initial thread).

## Stack traces proposal

- CLC proposal:
  https://github.com/haskell/core-libraries-committee/issues/285#issuecomment-2414727239
- Discussion:
  - For 2 decades people wanted stack traces; now we have them there are doubts :D
  - Most other languages are showing the stack trace.
  - Sensitive information in error messages is an application developer's fault.
  - It's not unreasonable to want a way to disable the default behaviour, or catch and suppress, if the actual program structure (e.g. function names) is sensitive for some reason.
  - The proposal Part 2 seems to suggest the stack trace would be leaked with `displayException` too, which might be used for end-user facing messages; perhaps it would be safer to only print them through the main exception handler. That's how Python does it: printing an exception just shows the error, the stack trace is only displayed by default for an uncaught exception.

## Draft quarterly report

- call for volunteers update
- advisory DB changes (1 new vuln, 0 historical, 2 reserved)
- HSEC-2024-0003 update
- haskell.org Apache httpd update
- hackage-server "Reporting Vulnerabilities" link
- tooling update
  - CVSS 4.0 work (ongoing)
  - GHA / Renovate progress

## GHC hash collision

- Simon PJ and FT think it is not a huge deal.
- But we should fix it.
- Changing the hash function is simple and buys us another 10-20 years (hopefully).

### Documenting known weaknesses

This is a good opportunity to take a look at the ways that the compiler/toolchain can be compromised by malicious source code, and document them. Guide / blog post / GHC docs.

Many of these would not warrant an HSEC-ID (especially structural issues that are impossible / very hard to fix), but we can still collect them and let the community know in a more formal way.

## GHC numeric bug

- Tristan will rebase the advisory draft #214.

## Updated major dependencies for hsec-tools

#239 and #241

-------------------------------------------------------------------------------- /meeting-notes/2024-10-30.md: --------------------------------------------------------------------------------

# SRT meeting 2024-10-30

Previously:
https://github.com/haskell/security-advisories/blob/main/meeting-notes/2024-10-16.md

## Call for Volunteers

We received the candidatures and voted for the new members, to be announced.

## GHC Math bugs

The advisories are updated and available for review: [#214](https://github.com/haskell/security-advisories/pull/214)

-------------------------------------------------------------------------------- /meeting-notes/2024-11-13.md: --------------------------------------------------------------------------------

# SRT meeting 2024-11-13

Previously:
https://github.com/haskell/security-advisories/blob/main/meeting-notes/2024-10-30.md

## Q3(+) report

The report is proposed: [#244](https://github.com/haskell/security-advisories/pull/244). We will reproduce it on Discourse tomorrow, and submit a PR to update https://www.haskell.org/security/.

## SRT Process

We should document the SRT (administrative) processes more thoroughly, particularly since we went through our first vacancy->new appointments cycle.

## GHC Math bugs

The advisories are updated and available for review: [#214](https://github.com/haskell/security-advisories/pull/214)

## flora integration

[flora](https://github.com/flora-pm/flora-server/) has pinged Gautier and Fraser regarding the [security advisories integration PR#762](https://github.com/flora-pm/flora-server/pull/762).

After a discussion between Gautier and Hecate (the maintainer), flora will integrate advisories search, and the decision was made to replicate the advisories structure in PostgreSQL.

Perhaps we should recommend using the OSV export?

-------------------------------------------------------------------------------- /meeting-notes/2024-11-27.md: --------------------------------------------------------------------------------

# Haskell SRT meeting 2024-11-27

Previously: https://github.com/haskell/security-advisories/blob/main/meeting-notes/2024-11-13.md

Present: Fraser, Gautier, Montez, Tristan

## Onboarding

The new team members have been introduced to the on-going work.

## GitHub Open Source Secure Fund

GitHub opened a program to [fund securisation of FOSS projects](https://github.blog/news-insights/company-news/announcing-github-secure-open-source-fund/) until January 7th.

- Project ideas:
  - GitHub integration
    - Correct file/line
    - Snippet proposition/PR opening
  - Hackage
    - show known vulnerability info
  - vulnerabilities endpoints (publish vulnerability info)
    - e.g. `advisories.haskell.org/...`
    - [API server (#166)](https://github.com/haskell/security-advisories/issues/166)
  - improve the HTML presentation of the advisories
    - https://haskell.github.io/security-advisories/advisory/...

- OSV ask: `human_link` source definition
  - https://github.com/haskell/security-advisories/issues/252
  - We can already address this: link to e.g. `https://haskell.github.io/security-advisories/HSEC-xxxx`
    - Montez will take this side.
  - But we should also improve the HTML presentation in those pages.
    - Gautier will take this side.

- OSV ask: JSON Schema validation
  - https://github.com/haskell/security-advisories/issues/251
  - JSON schema: https://github.com/ossf/osv-schema/blob/main/validation/schema.json
  - Tristan will take the first look.

- Onboarding
  - Follow-up on mailing list membership for Lei and Montez.
  - GitHub org membership, sorted now, but Fraser to add this step to the onboarding docs.

-------------------------------------------------------------------------------- /meeting-notes/2024-12-11.md: --------------------------------------------------------------------------------

# SRT meeting 2024-12-11

Previously:
https://github.com/haskell/security-advisories/blob/main/meeting-notes/2024-11-27.md

## GitHub OSSF

- Gautier published a draft on the SRT mailing list.
- Let's review it on the ML and publish it on Discourse.

## json-schema validation in CI

- The task is proposed in [#254](https://github.com/haskell/security-advisories/pull/254).
- Tested and validated, ready for merge.
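The point of the JSON Schema check requested in #251 and added in #254 is a CI gate: a malformed advisory export is rejected before it ever reaches OSV.dev and the downstream consumers that read from there. The following is an added Python illustration of that kind of gate, not the security-advisories project's own code (the project's check validates against the full OSV schema linked above). It enforces a subset of the schema's rules; the HSEC-YYYY-NNNN ID shape, the constructed sample records and the error wording are assumptions of the example.

```python
"""OSV record checks of the kind a CI gate runs before publishing advisories.

Constructed example, not the security-advisories project's own code. It
enforces a subset of the rules from the OSV schema
(https://github.com/ossf/osv-schema/blob/main/validation/schema.json):
  * `id` and `modified` are required; `modified`/`published` are RFC 3339 UTC
  * a range has a known `type` and non-empty `events` starting with `introduced`
  * an event object carries exactly one of the allowed event keys
  * ECOSYSTEM/SEMVER ranges need a `package` with `ecosystem` and `name`
"""
import json
import re
from datetime import datetime

RANGE_TYPES = {"SEMVER", "ECOSYSTEM", "GIT"}
EVENT_KEYS = {"introduced", "fixed", "last_affected", "limit"}
# HSEC-YYYY-NNNN, the ID shape used by this database (an assumption of the
# example; the OSV schema itself only requires `id` to be a string).
HSEC_ID_RE = re.compile(r"^HSEC-\d{4}-\d{4}$")
# RFC 3339 timestamp in UTC, the form OSV requires for `modified`/`published`.
RFC3339_UTC_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$")


def check_timestamp(value, field, errors):
    """Append an error unless `value` is a well-formed RFC 3339 UTC timestamp."""
    if not isinstance(value, str) or not RFC3339_UTC_RE.match(value):
        errors.append(f"{field}: not an RFC 3339 UTC timestamp: {value!r}")
        return
    try:  # the regex accepts month 13 / day 45, so also check the calendar
        datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        errors.append(f"{field}: impossible date/time: {value!r}")


def check_range(rng, where, errors):
    """Check one entry of `affected[].ranges`; return its `type` (or None)."""
    rtype = rng.get("type") if isinstance(rng, dict) else None
    if rtype not in RANGE_TYPES:
        errors.append(f"{where}.type: must be one of {sorted(RANGE_TYPES)}")
    events = rng.get("events") if isinstance(rng, dict) else None
    if not isinstance(events, list) or not events:
        errors.append(f"{where}.events: must be a non-empty list")
        return rtype
    for j, event in enumerate(events):
        keys = set(event) if isinstance(event, dict) else set()
        if len(keys & EVENT_KEYS) != 1 or keys - EVENT_KEYS:
            errors.append(f"{where}.events[{j}]: exactly one of "
                          f"{sorted(EVENT_KEYS)} is allowed")
    if not isinstance(events[0], dict) or "introduced" not in events[0]:
        errors.append(f"{where}.events[0]: a range must start with `introduced`")
    return rtype


def validate_osv(record):
    """Return the list of problems found in one OSV record ([] means it passed)."""
    if not isinstance(record, dict):
        return ["record must be a JSON object"]
    errors = []
    for field in ("id", "modified"):
        if field not in record:
            errors.append(f"{field}: required field missing")
    if isinstance(record.get("id"), str) and not HSEC_ID_RE.match(record["id"]):
        errors.append(f"id: does not look like an HSEC ID: {record['id']!r}")
    for field in ("modified", "published"):
        if field in record:
            check_timestamp(record[field], field, errors)
    for i, aff in enumerate(record.get("affected", [])):
        where = f"affected[{i}]"
        if not isinstance(aff, dict):
            errors.append(f"{where}: must be an object")
            continue
        pkg = aff.get("package")
        if pkg is not None and not (isinstance(pkg, dict) and pkg.get("ecosystem")
                                    and pkg.get("name")):
            errors.append(f"{where}.package: ecosystem and name are required")
        types = [check_range(r, f"{where}.ranges[{k}]", errors)
                 for k, r in enumerate(aff.get("ranges", []))]
        if pkg is None and any(t in ("ECOSYSTEM", "SEMVER") for t in types):
            errors.append(f"{where}: ECOSYSTEM/SEMVER ranges need a package")
    return errors


def validate_json_text(text):
    """Parse one OSV JSON document (e.g. an OSV export) and validate it."""
    try:
        record = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]
    return validate_osv(record)


# Constructed sample records; the IDs are placeholders, not real advisories.
GOOD_RECORD = {
    "id": "HSEC-2099-0001",
    "modified": "2024-12-11T10:00:00Z",
    "affected": [{
        "package": {"ecosystem": "Hackage", "name": "example-package"},
        "ranges": [{"type": "ECOSYSTEM",
                    "events": [{"introduced": "0"}, {"fixed": "1.2.3"}]}],
    }],
}
BAD_RECORD = {
    "id": "HSEC-2099-0002",
    "modified": "2024-12-11 10:00:00",  # no 'T' separator, no 'Z' suffix
    "affected": [{
        "package": {"ecosystem": "Hackage", "name": "example-package"},
        "ranges": [
            {"type": "ECOSYSTEM",  # one event object carrying two keys
             "events": [{"introduced": "0", "fixed": "1.2.3"}]},
            {"type": "GITHUB", "events": []},  # unknown type, no events
        ],
    }],
}

if __name__ == "__main__":
    for name, rec in (("good", GOOD_RECORD), ("bad", BAD_RECORD)):
        problems = validate_osv(rec)
        print(f"{name}: {'OK' if not problems else 'FAIL'}")
        for p in problems:
            print("  -", p)
```

Run on the two constructed records, the good one passes and the bad one reports four problems (the timestamp, the two-key event, the unknown range type and the empty event list). In CI the same function would run over every exported OSV file and fail the job on a non-empty list; a record that fails here would equally fail at OSV.dev, only later and more expensively.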

## Advisories index hosting

- Gautier improved the advisory page layout.
- Started to discuss haskell.org with Jose; he'll talk about it in the next *haskell.org*/*infrastructure* meeting.

-------------------------------------------------------------------------------- /meeting-notes/2025-01-08.md: --------------------------------------------------------------------------------

# SRT meeting 2025-01-08

Previously:
https://github.com/haskell/security-advisories/blob/main/meeting-notes/2024-12-11.md

## Topics for quarterly report

- (Actually just Nov + Dec)
- Advisory database
  - no new advisories
  - one change for a git-annex introduced version (needed an "introduced from beginning" indication, required for Flora.pm)
- OSV JSON schema validation (https://github.com/haskell/security-advisories/pull/254)
- Renovate support (Janus)
- Advisory HTML page layout improvement (Gautier)
- Outstanding efforts
  - CVSS 4.0 support
  - OSV feedback and user journey (https://github.com/haskell/security-advisories/issues/252)

## GitHub OSSF opportunity

- Gautier put it to Discourse.
- Opportunity closed early January.

## New meeting time

- Every 2nd meeting (starting in 2 weeks: Wed 2025-01-22 or Thu 2025-01-23) to be in an APAC-friendly time. Aiming for EU overlap.
- Lei to propose a time on the mailing list.

-------------------------------------------------------------------------------- /meeting-notes/2025-02-05.md: --------------------------------------------------------------------------------

# SRT meeting 2025-02-05

Previously:
https://github.com/haskell/security-advisories/blob/main/meeting-notes/2025-01-08.md

## 2024 Q4 report (draft)

- PR: https://github.com/haskell/security-advisories/pull/260
- Please review. FT will publish in ~24h.

## New meeting time

- Proposal: **Thursday** UTC 12:00. It works for Lei, Gautier, Fraser.
- Lock it in. Next meeting (2025-02-20) will be at the new time.
- How to change the Google Calendar event? FT will follow up.
  - It belongs to Jose, we think.

-------------------------------------------------------------------------------- /meeting-notes/2025-02-20.md: --------------------------------------------------------------------------------

# SRT meeting 2025-02-20

Previously:
https://github.com/haskell/security-advisories/blob/main/meeting-notes/2025-02-05.md

Attended: Gautier, Lei, Tristan, Fraser

## Tooling - GHC 9.10 and GHC 9.12 support

- 9.10 support still depends on an update to the [`feed`](https://hackage.haskell.org/package/feed) package. Probably just a *base* bounds nudge is needed, e.g. via a metadata revision.
- 9.12 needs CI updates. And also `feed`. And what else? We don't know yet :)
  - haskell-ci refresh probably needed
- Gautier will take a look at it.

## ZuriHac / Ecosystem Workshop

- Ecosystem Workshop Friday 6 June
  - https://haskell.foundation/events/2025-haskell-implementors-workshop.html
- ZuriHac Saturday 7 .. Monday 9 June
  - https://zfoh.ch/zurihac2025/
- Gautier will attend ZuriHac, not the workshop.
- Tristan is not able to commit.
- Fraser is not sure yet (it's 50/50).

## List spam

- It's a shame...
- Can we allow-list the SRT members and other stakeholders?

## Meeting calendar

- FT will check with Jose if he can update the events.
- Otherwise, artisanal hand-crafted iCalendar events :)

-------------------------------------------------------------------------------- /meeting-notes/2025-03-20.md: --------------------------------------------------------------------------------

# SRT meeting 2025-03-20

Present: Gautier, Fraser

Previously:
https://github.com/haskell/security-advisories/blob/main/meeting-notes/2025-02-20.md

## Thank-yous

- Thanks Tristan for handling HSEC-2025-0001.
- Thanks Gautier for completing support for GHC 9.10, by switching from *feed* to *atom-conduit*.
  - 9.12 PR is ready for review.

## ZuriHac + Ecosystem Workshop

- Gautier confirmed his attendance for the full event.
- FT still a maybe.

## HSEC-2024-000{6,7,8}

- 2025-0001 reminded me of the outstanding PR for the GHC numeric bugs: [#214](https://github.com/haskell/security-advisories/pull/214).
- IIRC, the delay was to get the tool support for the GHC (cf. Hackage) ecosystem in place. This is all sorted now; e.g. see https://osv.dev/vulnerability/HSEC-2025-0001.
- Let's merge it?

## Conf presentation - Security response for open source ecosystems

- FT will present at CrikeyCon this weekend.
  - https://crikeycon.com/schedule/
- I will circulate the slide deck for review tomorrow; feedback welcome.

## Mailing list delivery issues?

- FT: Did anyone else get a big burst of delayed mail yesterday/this morning?
- Confirmed, but I guess it's fixed now :)

-------------------------------------------------------------------------------- /meeting-notes/2025-04-02.md: --------------------------------------------------------------------------------

# SRT meeting 2025-04-02

Present: Gautier, Montez, Mihai, Jose

Previously:
https://github.com/haskell/security-advisories/blob/main/meeting-notes/2025-03-20.md

## ZuriHac + Ecosystem Workshop

- Gautier confirmed his attendance for the full event.
- Mihai still a maybe.

## HSEC-2025-0002: Double Public Key Signing Function Oracle Attack on Ed25519

- Gautier created the PR for cryptonite: [#268](https://github.com/haskell/security-advisories/pull/268)
- Tristan noticed crypton was also vulnerable.
- Fraser submitted a patch.
- The maintainer published a new version on Hackage.

-------------------------------------------------------------------------------- /meeting-notes/2025-04-17.md: --------------------------------------------------------------------------------

# SRT meeting 2025-04-17

Present: Gautier, Montez

Previously:
https://github.com/haskell/security-advisories/blob/main/meeting-notes/2025-04-02.md

## Embargoed `hackage-server`

- Some mitigations have already been pushed.
- Fraser drives the next fixes.

## HSEC-2025-0003: Use after free in multithreaded lzma (.xz) decoder

- Published and fixed.

-------------------------------------------------------------------------------- /meeting-notes/2025-04-30.md: --------------------------------------------------------------------------------

# SRT meeting 2025-04-30

Previously:
https://github.com/haskell/security-advisories/blob/main/meeting-notes/2025-04-17.md

## ZuriHac + Ecosystem Workshop

- Gautier confirmed.
- Fraser cannot come.
-------------------------------------------------------------------------------- /meeting-notes/2025-05-15.md: --------------------------------------------------------------------------------

# SRT meeting 2025-05-15

Previously:
https://github.com/haskell/security-advisories/blob/main/meeting-notes/2025-04-30.md

## Proposal: c-lib best practices guide

- Two recommended approaches:
  - Use system C libs.
  - Bundle the C lib in a standalone cabal package, then depend on that. e.g.:
    - https://hackage.haskell.org/package/lzma-clib
    - https://hackage.haskell.org/package/libyaml-clib
- Write up the recommended approaches and discourage other kinds of vendoring.
- FT will propose to the mailing list and see if someone will take it on.

## ZuriHac ideas

- Gautier and Fraser populated the idea list: https://github.com/haskell/security-advisories/issues/272
- Ecosystem library review, i.e. for security-related use cases, what libs are there. Can we do a list with commentary?

-------------------------------------------------------------------------------- /meeting-notes/2025-05-28.md: --------------------------------------------------------------------------------

# SRT meeting 2025-05-28

Previously:
https://github.com/haskell/security-advisories/blob/main/meeting-notes/2025-05-28.md

## haskell.org listing vulnerability report

* We received a vulnerability report on 2025-05-27.
* We are able to list directories when there is no `index.html`, which is an Apache misconfiguration.
* Since all the assets are on GitHub, it is not a problem.

## ZuriHac

* Gautier, Jose, and Tristan will attend.

-------------------------------------------------------------------------------- /reports/2025-02-06-Q4-report.md: --------------------------------------------------------------------------------

# Haskell Security Response Team - 2024 November–December report

The Haskell Security Response Team (SRT) is a volunteer organization within the Haskell Foundation that is building tools and processes to aid the entire Haskell ecosystem in assessing and responding to security risks. In particular, we maintain a [database][repo] of security advisories that can serve as a data source for security tooling.

This report details the SRT activities for November–December 2024 (a two month period due to extension of the previous reporting period).

[repo]: https://github.com/haskell/security-advisories

The SRT is:

- Fraser Tweedale
- Gautier Di Folco
- Lei Zhu
- Mihai Maruseac
- Montez Fitzpatrick
- Tristan de Cacqueray

## How to contact the SRT

For assistance in coordinating a security response to newly discovered, high impact vulnerabilities, contact `security-advisories@haskell.org`. Due to limited resources, we can only coordinate embargoed disclosures for high impact vulnerabilities affecting current versions of core Haskell tools and libraries, or in other exceptional cases.

You can submit lower-impact or historical vulnerabilities to the advisory database via a pull request to our [GitHub repository][repo].

You can also contact the SRT about non-advisory/security-response topics. We prefer public communication where possible. In most cases, [GitHub issues][gh-new-issue] are an appropriate forum. But the mail address is there if no other appropriate channel exists.

[gh-new-issue]: https://github.com/haskell/security-advisories/issues/new/choose

## Advisory database

A quiet quarter…

0 contemporary advisories were published during the reporting period.

0 historical advisories were added during the reporting period.

2 HSEC IDs (HSEC-2024-0004 and HSEC-2024-0005) **remain** reserved for embargoed vulnerabilities, which will be published later.

We ask community members to report any known security issues, including historical issues, that are not yet included.

## Documenting SRT processes

Fraser spent some time documenting the SRT's internal processes, in particular: running a call for volunteers, member on/off-boarding, and the quarterly report. The content is in the [`docs/` subdirectory][docs-srt] of the security-advisories repo.

[docs-srt]: https://github.com/haskell/security-advisories/tree/main/docs

## GitHub Secure Open Source Fund

In November, GitHub [announced][gh-sosf] their *Secure Open Source Fund*, which would initially offer USD 1.25M across 125 projects. Gautier shared this via a Haskell [Discourse post] in December, along with some project ideas. Applications closed in early January.
The SRT did not apply for the first round, and we are not
specifically aware of any other Haskell-flavoured applications.

The second round is scheduled for June and is accepting applications
now ([form]). We encourage anyone who wants to apply to this
program to work on Haskell ecosystem security to reach out to the
SRT, so we can align and support the work.

[gh-sosf]: https://github.blog/news-insights/company-news/announcing-github-secure-open-source-fund/
[Discourse post]: https://discourse.haskell.org/t/rfc-github-open-source-secure-fund/11025
[form]: https://docs.google.com/forms/d/e/1FAIpQLScDBalom0XhmJrvyI3kwD7dZ-dD4_uhmLNysVXtA8fH_WUKoA/viewform

The GitHub program raises the broader question of funding for
Haskell security work—a topic the SRT will explore further in the
coming months.


## Cabal version bumping via Renovate

The SRT acknowledges Janus Troelsen's work on Haskell support for
[Renovate], a dependency management tool that includes a bot for
bumping versions. Basic support was [recently
merged](https://github.com/renovatebot/renovate/pull/33142), and
[work is
ongoing](https://github.com/renovatebot/renovate/discussions/31493).

Thank you Janus for tackling this critical gap in the Haskell
security tooling!

[Renovate]: https://github.com/renovatebot/renovate


## Tooling updates

- Tristan added OSV schema validation to the CI checks
  ([#254](https://github.com/haskell/security-advisories/pull/254)).

- Gautier made big improvements to the appearance of the HTML export
  of the advisory data. See the result at
  https://haskell.github.io/security-advisories/.

- CVSS 4.0 support: no further progress on this objective during the
  period.

- There is an outstanding ask from the OSV.dev project to define
  feedback channels for our advisories, so that consumers downstream
  of OSV.dev know where/how to provide corrective feedback on
  individual records
  ([#252](https://github.com/haskell/security-advisories/issues/252)).
--------------------------------------------------------------------------------
/reports/2025-04-04-Q1-report.md:
--------------------------------------------------------------------------------
# Haskell Security Response Team - 2025 January–March report

The Haskell Security Response Team (SRT) is a volunteer organization
within the Haskell Foundation that is building tools and processes
to aid the entire Haskell ecosystem in assessing and responding to
security risks. In particular, we maintain a [database][repo] of
security advisories that can serve as a data source for security
tooling.

This report details the SRT activities for January–March 2025.

[repo]: https://github.com/haskell/security-advisories

The SRT is:

- Fraser Tweedale
- Gautier Di Folco
- Lei Zhu
- Mihai Maruseac
- Montez Fitzpatrick
- Tristan de Cacqueray


## How to contact the SRT

For assistance in coordinating a security response to newly
discovered, high impact vulnerabilities, contact
`security-advisories@haskell.org`. Due to limited resources, we can
only coordinate embargoed disclosures for high impact
vulnerabilities affecting current versions of core Haskell tools and
libraries, or in other exceptional cases.

You can submit lower-impact or historical vulnerabilities to the
advisory database via a pull request to our [GitHub
repository][repo].

You can also contact the SRT about non-advisory/security-response
topics. We prefer public communication where possible.
In most
cases, [GitHub issues][gh-new-issue] are an appropriate forum. But
the mail address is there if no other appropriate channel exists.

[gh-new-issue]: https://github.com/haskell/security-advisories/issues/new/choose


## Haskell Security Response Team at ZuriHac + Ecosystem Workshop

Gautier will represent the SRT at [ZuriHac] and the [Haskell
Ecosystem Workshop][] (June 5–9). This is a great opportunity to
collaborate on Haskell security tooling, either in person in Zürich
or virtually.

If you have a particular project or collaboration idea, please share
it in the [planning issue (#272)][ticket].

[ZuriHac]: https://zfoh.ch/zurihac2025/
[Haskell Ecosystem Workshop]: https://haskell.foundation/events/2025-haskell-ecosystem-workshop.html
[ticket]: https://github.com/haskell/security-advisories/issues/272


## Conference presentation: *Security response for open source ecosystems*

Fraser presented at [CrikeyCon], a cybersecurity conference in
Brisbane, Australia. The talk *Security response for open source
ecosystems* explains why open source security matters and how to
start and run a security response team, based on his experiences
with the Haskell SRT.

The [slide deck] is available now. Video of the presentation should
appear on the CrikeyCon [YouTube channel] at some point.

[CrikeyCon]: https://crikeycon.com/
[slide deck]: https://speakerdeck.com/frasertweedale/security-response-for-open-source-ecosystems
[YouTube channel]: https://www.youtube.com/@CrikeyCon


## Advisory database

3 contemporary advisories were published during the reporting period.

2 historical advisories were added during the reporting period.

2 HSEC IDs (HSEC-2024-0004 and HSEC-2024-0005) **remain** reserved
for embargoed vulnerabilities, which will be published later.

We ask community members to report any known security issues,
including historical issues, that are not yet included.


## Advisories for the GHC toolchain

Following preparatory work last year, 2025-Q1 saw the publication of
the first advisories for components of the GHC toolchain itself. To
declare a GHC component as affected in an advisory, set the
`ghc-component` field (cf. `package` for the Hackage namespace):

```toml
[[affected]]
ghc-component = "ghc"
```

The valid `ghc-component` values are: `ghc`, `ghci`, `rts`,
`ghc-pkg`, `runghc`, `ghc-iserv`, `hp2ps`, `hpc`, `hsc2hs`, and
`haddock`.

We registered the `GHC` namespace in the OSV schema. Advisories can
be browsed on OSV.dev: https://osv.dev/list?q=&ecosystem=GHC.


## Tooling updates

- Gautier updated our tooling to build with GHC 9.10 and 9.12.
  This involved switching our Atom feed generation from the
  unmaintained *feed* library to *atom-conduit*.
--------------------------------------------------------------------------------
/shell.nix:
--------------------------------------------------------------------------------
(builtins.getFlake ("git+file://" + toString ./.)).devShell.${builtins.currentSystem}
--------------------------------------------------------------------------------
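The `[[affected]]` convention from the 2025 Q1 report above (the `ghc-component` field alongside `package`, with its fixed set of valid component names) can be checked mechanically before an advisory is merged. The following is an added example, not code from the security-advisories tooling: it reads only the TOML subset it needs, maps each affected table to an OSV ecosystem, and rejects tables that name an unknown component or that set both or neither of the two namespace fields. The function names, the sample advisory (its id, package name and versions are made up) and the use of `Hackage` as the OSV ecosystem name for `package` entries are this example's own assumptions; the report only states that the `GHC` namespace was registered.

```python
"""Check the `[[affected]]` tables of an HSEC advisory's TOML front matter.

Added example; this is not code from the security-advisories repository.
It understands only the TOML subset it needs (table headers and
`key = "string"` pairs) so it runs without a TOML library; real advisory
files are full TOML and would be parsed with tomllib in production.
"""
from __future__ import annotations

import re

# Valid ghc-component values, as listed in the 2025 Q1 report.
GHC_COMPONENTS = frozenset({
    "ghc", "ghci", "rts", "ghc-pkg", "runghc", "ghc-iserv",
    "hp2ps", "hpc", "hsc2hs", "haddock",
})

_ARRAY_TABLE = re.compile(r"^\[\[([A-Za-z0-9_.-]+)\]\]$")
_STRING_KV = re.compile(r'^([A-Za-z0-9_-]+)\s*=\s*"([^"]*)"\s*(#.*)?$')


def parse_affected(text: str) -> list[dict[str, str]]:
    """Return each top-level `[[affected]]` table as a dict of string fields.

    Keys under sub-tables such as `[[affected.versions]]`, or under plain
    tables such as `[advisory]`, are deliberately skipped: only the
    namespace fields of each affected table matter for this check.
    """
    entries: list[dict[str, str]] = []
    current: dict[str, str] | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _ARRAY_TABLE.match(line)
        if m:
            if m.group(1) == "affected":
                current = {}
                entries.append(current)
            else:
                current = None  # e.g. [[affected.versions]]
            continue
        if line.startswith("["):
            current = None      # a plain table such as [advisory]
            continue
        m = _STRING_KV.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return entries


def classify(entry: dict[str, str]) -> tuple[str, str]:
    """Return (OSV ecosystem, name) for one affected table, or raise ValueError.

    Exactly one of `package` (Hackage namespace) or `ghc-component` (GHC
    toolchain namespace) must be set.  Using "Hackage" as the ecosystem
    name for `package` entries is an assumption of this example.
    """
    has_package = "package" in entry
    has_ghc = "ghc-component" in entry
    if has_package == has_ghc:
        raise ValueError("an [[affected]] table needs exactly one of "
                         "`package` or `ghc-component`")
    if has_ghc:
        component = entry["ghc-component"]
        if component not in GHC_COMPONENTS:
            raise ValueError(f"unknown ghc-component {component!r}")
        return "GHC", component
    if not entry["package"]:
        raise ValueError("empty package name")
    return "Hackage", entry["package"]


def validate(text: str) -> list[tuple[str, str]]:
    """Classify every affected table in the front matter, or raise ValueError."""
    entries = parse_affected(text)
    if not entries:
        raise ValueError("advisory declares no [[affected]] tables")
    return [classify(e) for e in entries]


# Constructed sample front matter in the shape of an HSEC advisory; the id,
# package name and version numbers are made up for this example.
SAMPLE = '''
[advisory]
id = "HSEC-0000-0000"

[[affected]]
ghc-component = "ghc"
[[affected.versions]]
introduced = "9.0.1"
fixed = "9.0.2"

[[affected]]
package = "example-package"
[[affected.versions]]
introduced = "1.0.0"
fixed = "1.0.1"
'''

# The same advisory naming a component that is not in the allowed set.
BAD_COMPONENT = SAMPLE.replace('ghc-component = "ghc"',
                               'ghc-component = "ghc-toolchain"')

if __name__ == "__main__":
    print(validate(SAMPLE))   # [('GHC', 'ghc'), ('Hackage', 'example-package')]
    try:
        validate(BAD_COMPONENT)
    except ValueError as err:
        print("rejected:", err)
```

Run it against an advisory's front matter and fail the CI job on any `ValueError`; the OSV schema validation the Q4 report mentions checks the exported record, whereas a check like this catches a mistyped namespace field at the source, before export.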