Commit
[init]
MangoIV committed May 6, 2024
0 parents commit cd83c86
Showing 19 changed files with 1,207 additions and 0 deletions.
52 changes: 52 additions & 0 deletions .github/workflows/cabal-audit.yml
@@ -0,0 +1,52 @@
name: Build cabal-audit

on:
workflow_dispatch:
push:
branches:
- main
pull_request:
branches:
- main

jobs:
build:
name: Build cabal-audit and Docker image
runs-on: ubuntu-latest

steps:
- name: Checkout code
uses: actions/checkout@v2

- name: Install Nix
uses: cachix/install-nix-action@v26

- name: Set up cachix
uses: cachix/cachix-action@v14
with:
name: cabal-audit
authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}

- name: Build cabal-audit
run: |
nix build
- name: Build cabal-audit Docker image
run: |
nix build .#cabal-audit-docker
- name: Load Docker image into Docker daemon
run: |
docker load < result
docker images
- name: Save Docker image as artifact
run: |
docker save cabal-audit-docker:latest -o cabal-audit-docker.tar
- name: Upload Docker image artifact
uses: actions/upload-artifact@v4
with:
name: cabal-audit-docker
path: cabal-audit-docker.tar

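Review bot: the workflow declares no `permissions:` block, so the job runs with the repository's default `GITHUB_TOKEN` scope although nothing in it needs more than `contents: read`; add a top-level `permissions: contents: read` so a job that only builds and uploads an artifact runs with least privilege. Two related points in the same hunk: the steps mix `actions/checkout@v2` with `actions/upload-artifact@v4`, so bump checkout to a current major and consider pinning all four actions to a commit SHA instead of a floating tag, which is what the CI of a supply-chain-focused tool should model; and because `pull_request` is a trigger, the `cachix/cachix-action` step also runs for pull requests, where `secrets.CACHIX_AUTH_TOKEN` is empty for forks, so guard cache pushes with something like `if: github.event_name == 'push'` on that step so that only builds of `main` populate the binary cache later builds consume. Finally, `docker load < result` followed by `docker save cabal-audit-docker:latest -o cabal-audit-docker.tar` is a round trip through the daemon; `result` already is the image tarball produced by `nix build .#cabal-audit-docker`, so uploading a copy of it directly removes two steps and the dependency on the image being tagged `:latest`.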
4 changes: 4 additions & 0 deletions .gitignore
@@ -0,0 +1,4 @@
.direnv
result*
dist-newstyle
.pre-commit-config.yaml
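Review bot: `.pre-commit-config.yaml` being ignored suggests it is generated by the Nix devShell (the README says the repo is flake-enabled and to use `nix develop` or `direnv allow`); a one-line comment above that entry saying so would spare contributors from wondering why the hook configuration is untracked. Also, `result*` is broader than Nix build outputs need (`result` and `result-*`); the narrower pair avoids silently ignoring unrelated files whose names happen to start with `result`.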
73 changes: 73 additions & 0 deletions README.md
@@ -0,0 +1,73 @@
<div align="center">
<h1>`cabal-audit`</h1>
<a href="https://github.com/mangoiv/cabal-audit/actions">
<img src="https://github.com/mangoiv/cabal-audit/actions/workflows/cabal-audit.yml/badge.svg" alt="CI">
</a>
</div>

`cabal-audit` is a command-line utility that scans Haskell projects for known vulnerabilities based on the
[security advisories database](https://github.com/haskell/security-advisories).
It checks project dependencies, reports potential vulnerabilities, and provides details about the vulnerabilities, including links to relevant
advisories and possible fixes.

## Installation

To install `cabal-audit`, you can use Nix by running the following command:

```bash
nix run github:mangoiv/cabal-audit -- --help
```

## Usage

Run `cabal-audit` to scan your project for known vulnerabilities:

```console
λ nix run github:mangoiv/security-advisories/mangoiv/cabal-audit-osv#cabal-audit --
trying to clone https://github.com/haskell/security-advisories
Cloning into '/tmp/cabal-audit-726d3e9345b766bc'...
remote: Enumerating objects: 172, done.
remote: Counting objects: 100% (172/172), done.
remote: Compressing objects: 100% (129/129), done.
remote: Total 172 (delta 6), reused 114 (delta 1), pack-reused 0
Receiving objects: 100% (172/172), 116.55 KiB | 1.31 MiB/s, done.
Resolving deltas: 100% (6/6), done.

Found advisories:

dependency "base" at version 4.18.1.0 is vulnerable for:
HSEC-2023-0007 "readFloat: memory exhaustion with large exponent"
published: 2024-04-23 12:43:30 +1000
https://haskell.github.io/security-advisories/advisory/HSEC-2023-0007
No fix version available
toml, parser, dos

dependency "process" at version 1.6.17.0 is vulnerable for:
HSEC-2024-0003 "process: command injection via argument list on Windows"
published: 2024-04-23 12:43:30 +1000
https://haskell.github.io/security-advisories/advisory/HSEC-2024-0003
Fix available since version 1.6.19.0
windows
```

> [!Note]
> If you encounter an error related to lock file incompatibility, consider upgrading your Nix version.
## Features

- **Query vulnerabilities**: Scans project dependencies for known vulnerabilities.
- **Human-readable output**: Displays human-readable results.
- **Machine-readable output**: Displays machine-readable output as json containing osvs.
- **Cabal solver**: Matches vulnerabilities against project dependencies.
- **Fix version suggestion**: Provides fix version or a link to relevant advisories.

## Open Features

- Provide a range of fix versions instead of just the latest.
- Suggest the latest package version on Hackage that is greater than the fix version.
- Additional Cabal solver options.
- More structured monadic code. (also enables disabling colouring)

## Contributing

Contributions are welcome. This repo is flake-enabled. To setup a `devShell`, run `nix develop` or `direnv allow`.
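Review bot: the Usage example invokes `nix run github:mangoiv/security-advisories/mangoiv/cabal-audit-osv#cabal-audit --`, which points at a different flake than the `nix run github:mangoiv/cabal-audit -- --help` given under Installation; unless that branch of the advisories fork is deliberately the one users should run, the transcript should use the same `github:mangoiv/cabal-audit` invocation so the two sections agree. Two rendering issues: the `<h1>` wraps the name in backticks inside raw HTML, where Markdown is not processed, so the backticks will show literally (use `<code>cabal-audit</code>`), and `## Features` directly follows the `> [!Note]` block with no blank line between them, so the heading may be swallowed into the blockquote. Content-wise, the transcript shows the tool cloning https://github.com/haskell/security-advisories into `/tmp` on every run; stating that up front (the scan needs network access and its findings are only as current as that clone) and documenting the flag that produces the OSV JSON output mentioned under Features would make the usage section complete.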
6 changes: 6 additions & 0 deletions app/Main.hs
@@ -0,0 +1,6 @@
module Main (main) where

import Distribution.Audit (auditMain)

main :: IO ()
main = auditMain
108 changes: 108 additions & 0 deletions cabal-audit.cabal
@@ -0,0 +1,108 @@
cabal-version: 2.4
name: cabal-audit
version: 1.0.0.0

-- A short (one-line) description of the package.
synopsis: Checking a cabal project for security advisories

-- A longer description of the package.
description:
Tools for querying the haskell security advisories database against cabal projects.

-- A URL where users can report bugs.
-- bug-reports:

-- The license under which the package is released.
license: BSD-3-Clause
author: @MangoIV
maintainer: [email protected]

-- A copyright notice.
-- copyright:
category: Data
extra-doc-files:
extra-source-files:
tested-with:
GHC ==8.10.7 || ==9.0.2 || ==9.2.8 || ==9.4.8 || ==9.6.3 || ==9.8.1

common common-all
ghc-options:
-Wall -Wcompat -Widentities -Wincomplete-record-updates
-Wincomplete-uni-patterns -Wredundant-constraints
-fmax-relevant-binds=0 -fno-show-valid-hole-fits

if impl(ghc >=9.6.1)
ghc-options: -fno-show-error-context

default-extensions:
BlockArguments
DeriveGeneric
DerivingStrategies
EmptyCase
GADTs
ImportQualifiedPost
LambdaCase
NamedFieldPuns
NoStarIsType
OverloadedStrings
PartialTypeSignatures
RankNTypes
ScopedTypeVariables
StandaloneDeriving
StandaloneKindSignatures
TypeApplications
ViewPatterns

library
import: common-all
exposed-modules:
Distribution.Audit
Security.Advisories.Cabal

build-depends:
, aeson
, base <5
, bytestring
, Cabal
, cabal-install
, colourista
, containers
, filepath
, fused-effects
, hsec-core
, hsec-tools
, http-client
, kan-extensions
, optparse-applicative
, process
, temporary
, text
, unliftio
, validation-selective

hs-source-dirs: src
default-language: Haskell2010

executable cabal-audit
import: common-all
hs-source-dirs: app
main-is: Main.hs
other-modules:
build-depends:
, base <5
, cabal-audit

default-language: Haskell2010

test-suite spec
import: common-all
type: exitcode-stdio-1.0
hs-source-dirs: test
main-is: Main.hs
other-modules: Spec
build-depends:
, base <5
, cabal-audit
, hspec

default-language: Haskell2010
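Review bot: apart from `base <5`, none of the `build-depends` entries carry version bounds, including `Cabal`, `cabal-install`, `hsec-core` and `hsec-tools`, whose APIs move with each release; for a tool whose purpose is dependency hygiene, at least lower bounds and major-version upper bounds on those four would keep builds outside Nix reproducible and silence the corresponding `cabal check` warnings. Related: `tested-with` claims GHC 8.10.7 through 9.8.1, but the CI in this commit only runs `nix build` against a single compiler, so either trim the list to what is actually tested or add a build matrix; the empty `extra-doc-files:`, `extra-source-files:` and `other-modules:` fields can be dropped; and `bug-reports` is commented out while `category: Data` undersells what the package does (`Security` or `Distribution` fits better), both worth filling in before a Hackage release.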
4 changes: 4 additions & 0 deletions cabal.project
@@ -0,0 +1,4 @@
packages:
./.

test-show-details: direct
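Review bot: `packages: ./.` works, but `.` is the conventional spelling. More substantively, there is no `index-state:` pin, so the solver's view of Hackage, and therefore the exact dependency versions that `cabal-audit` resolves and matches advisories against, depends on when `cabal update` last ran on a given machine; pinning `index-state` alongside the flake's own pinning makes a non-Nix build reproducible and keeps reported findings comparable between runs.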
0 comments on commit cd83c86
