-
Notifications
You must be signed in to change notification settings - Fork 3
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
0 parents
commit cd83c86
Showing
19 changed files
with
1,207 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,52 @@ | ||
name: Build cabal-audit | ||
|
||
on: | ||
workflow_dispatch: | ||
push: | ||
branches: | ||
- main | ||
pull_request: | ||
branches: | ||
- main | ||
|
||
jobs: | ||
build: | ||
name: Build cabal-audit and Docker image | ||
runs-on: ubuntu-latest | ||
|
||
steps: | ||
- name: Checkout code | ||
uses: actions/checkout@v2 | ||
|
||
- name: Install Nix | ||
uses: cachix/install-nix-action@v26 | ||
|
||
- name: Set up cachix | ||
uses: cachix/cachix-action@v14 | ||
with: | ||
name: cabal-audit | ||
authToken: ${{ secrets.CACHIX_AUTH_TOKEN }} | ||
|
||
- name: Build cabal-audit | ||
run: | | ||
nix build | ||
- name: Build cabal-audit Docker image | ||
run: | | ||
nix build .#cabal-audit-docker | ||
- name: Load Docker image into Docker daemon | ||
run: | | ||
docker load < result | ||
docker images | ||
- name: Save Docker image as artifact | ||
run: | | ||
docker save cabal-audit-docker:latest -o cabal-audit-docker.tar | ||
- name: Upload Docker image artifact | ||
uses: actions/upload-artifact@v4 | ||
with: | ||
name: cabal-audit-docker | ||
path: cabal-audit-docker.tar | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,4 @@ | ||
.direnv | ||
result* | ||
dist-newstyle | ||
.pre-commit-config.yaml |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,73 @@ | ||
<div align="center"> | ||
<h1>`cabal-audit`</h1> | ||
<a href="https://github.com/mangoiv/cabal-audit/actions"> | ||
<img src="https://github.com/mangoiv/cabal-audit/actions/workflows/cabal-audit.yml/badge.svg" alt="CI"> | ||
</a> | ||
</div> | ||
|
||
`cabal-audit` is a command-line utility that scans Haskell projects for known vulnerabilities based on the | ||
[security advisories database](https://github.com/haskell/security-advisories). | ||
It checks project dependencies, reports potential vulnerabilities, and provides details about the vulnerabilities, including links to relevant | ||
advisories and possible fixes. | ||
|
||
## Installation | ||
|
||
To install `cabal-audit`, you can use Nix by running the following command: | ||
|
||
```bash | ||
nix run github:mangoiv/cabal-audit -- --help | ||
``` | ||
|
||
## Usage | ||
|
||
Run `cabal-audit` to scan your project for known vulnerabilities: | ||
|
||
```console | ||
λ nix run github:mangoiv/security-advisories/mangoiv/cabal-audit-osv#cabal-audit -- | ||
trying to clone https://github.com/haskell/security-advisories | ||
Cloning into '/tmp/cabal-audit-726d3e9345b766bc'... | ||
remote: Enumerating objects: 172, done. | ||
remote: Counting objects: 100% (172/172), done. | ||
remote: Compressing objects: 100% (129/129), done. | ||
remote: Total 172 (delta 6), reused 114 (delta 1), pack-reused 0 | ||
Receiving objects: 100% (172/172), 116.55 KiB | 1.31 MiB/s, done. | ||
Resolving deltas: 100% (6/6), done. | ||
|
||
Found advisories: | ||
|
||
dependency "base" at version 4.18.1.0 is vulnerable for: | ||
HSEC-2023-0007 "readFloat: memory exhaustion with large exponent" | ||
published: 2024-04-23 12:43:30 +1000 | ||
https://haskell.github.io/security-advisories/advisory/HSEC-2023-0007 | ||
No fix version available | ||
toml, parser, dos | ||
|
||
dependency "process" at version 1.6.17.0 is vulnerable for: | ||
HSEC-2024-0003 "process: command injection via argument list on Windows" | ||
published: 2024-04-23 12:43:30 +1000 | ||
https://haskell.github.io/security-advisories/advisory/HSEC-2024-0003 | ||
Fix available since version 1.6.19.0 | ||
windows | ||
``` | ||
|
||
> [!Note] | ||
> If you encounter an error related to lock file incompatibility, consider upgrading your Nix version. | ||
## Features | ||
|
||
- **Query vulnerabilities**: Scans project dependencies for known vulnerabilities. | ||
- **Human-readable output**: Displays human-readable results. | ||
- **Machine-readable output**: Displays machine-readable output as json containing osvs. | ||
- **Cabal solver**: Matches vulnerabilities against project dependencies. | ||
- **Fix version suggestion**: Provides fix version or a link to relevant advisories. | ||
|
||
## Open Features | ||
|
||
- Provide a range of fix versions instead of just the latest. | ||
- Suggest the latest package version on Hackage that is greater than the fix version. | ||
- Additional Cabal solver options. | ||
- More structured monadic code. (also enables disabling colouring) | ||
|
||
## Contributing | ||
|
||
Contributions are welcome. This repo is flake-enabled. To setup a `devShell`, run `nix develop` or `direnv allow`. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,6 @@ | ||
module Main (main) where | ||
|
||
import Distribution.Audit (auditMain) | ||
|
||
main :: IO () | ||
main = auditMain |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,108 @@ | ||
cabal-version: 2.4 | ||
name: cabal-audit | ||
version: 1.0.0.0 | ||
|
||
-- A short (one-line) description of the package. | ||
synopsis: Checking a cabal project for security advisories | ||
|
||
-- A longer description of the package. | ||
description: | ||
Tools for querying the haskell security advisories database against cabal projects. | ||
|
||
-- A URL where users can report bugs. | ||
-- bug-reports: | ||
|
||
-- The license under which the package is released. | ||
license: BSD-3-Clause | ||
author: @MangoIV | ||
maintainer: [email protected] | ||
|
||
-- A copyright notice. | ||
-- copyright: | ||
category: Data | ||
extra-doc-files: | ||
extra-source-files: | ||
tested-with: | ||
GHC ==8.10.7 || ==9.0.2 || ==9.2.8 || ==9.4.8 || ==9.6.3 || ==9.8.1 | ||
|
||
common common-all | ||
ghc-options: | ||
-Wall -Wcompat -Widentities -Wincomplete-record-updates | ||
-Wincomplete-uni-patterns -Wredundant-constraints | ||
-fmax-relevant-binds=0 -fno-show-valid-hole-fits | ||
|
||
if impl(ghc >=9.6.1) | ||
ghc-options: -fno-show-error-context | ||
|
||
default-extensions: | ||
BlockArguments | ||
DeriveGeneric | ||
DerivingStrategies | ||
EmptyCase | ||
GADTs | ||
ImportQualifiedPost | ||
LambdaCase | ||
NamedFieldPuns | ||
NoStarIsType | ||
OverloadedStrings | ||
PartialTypeSignatures | ||
RankNTypes | ||
ScopedTypeVariables | ||
StandaloneDeriving | ||
StandaloneKindSignatures | ||
TypeApplications | ||
ViewPatterns | ||
|
||
library | ||
import: common-all | ||
exposed-modules: | ||
Distribution.Audit | ||
Security.Advisories.Cabal | ||
|
||
build-depends: | ||
, aeson | ||
, base <5 | ||
, bytestring | ||
, Cabal | ||
, cabal-install | ||
, colourista | ||
, containers | ||
, filepath | ||
, fused-effects | ||
, hsec-core | ||
, hsec-tools | ||
, http-client | ||
, kan-extensions | ||
, optparse-applicative | ||
, process | ||
, temporary | ||
, text | ||
, unliftio | ||
, validation-selective | ||
|
||
hs-source-dirs: src | ||
default-language: Haskell2010 | ||
|
||
executable cabal-audit | ||
import: common-all | ||
hs-source-dirs: app | ||
main-is: Main.hs | ||
other-modules: | ||
build-depends: | ||
, base <5 | ||
, cabal-audit | ||
|
||
default-language: Haskell2010 | ||
|
||
test-suite spec | ||
import: common-all | ||
type: exitcode-stdio-1.0 | ||
hs-source-dirs: test | ||
main-is: Main.hs | ||
other-modules: Spec | ||
build-depends: | ||
, base <5 | ||
, cabal-audit | ||
, hspec | ||
|
||
default-language: Haskell2010 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,4 @@ | ||
packages: | ||
./. | ||
|
||
test-show-details: direct |
Oops, something went wrong.