cabal-audit: init

.github/workflows/nix.yml

@@ -20,8 +20,14 @@ jobs:
       - uses: DeterminateSystems/magic-nix-cache-action@main
       - name: Check Nix flake inputs
         uses: DeterminateSystems/flake-checker-action@v4
+      - name: Check formatting and lint
+        run: nix -L flake check
       - name: Build executable (hsec-tools)
         run: nix -L build
+      - name: Build executable (hsec-sync)
+        run: nix -L build '.#hsec-sync'
+      - name: Build executable (cabal-audit)
+        run: nix -L build '.#cabal-audit'
       - name: Build docker image
         run: nix build -L '.#packages.x86_64-linux.hsec-tools-image'
       - run: mkdir -p ~/.local/dockerImages

.gitignore

@@ -1,5 +1,6 @@
 *~
 dist-newstyle/
-result
+result*
 .direnv
 .env
+.pre-commit-config.yaml

README.md

@@ -11,6 +11,29 @@ please open a PR listing it here.
 To report a new vulnerability, open a pull request using the template below.
 See [CONTRIBUTING.md] for more information.
 
+## Checking your project for vulnerabilities
+
+For cabal projects, the security-advisories repository offers a way to inspect your project 
+for vulnerabilities. 
+
+To do so 
+1. install the `cabal-audit` executable, for example with nix by running `nix shell github:haskell/security-advisories#cabal-audit`
+2. navigate to your cabal project
+3. run `cabal-audit`
+
+The `cabal-audit` executable will then go on and 
+1. git clone the newest version of https://github.com/haskell/security-advisories
+2. solve your project 
+3. query the created plan against the advisory database
+
+Run `cabal-audit --help` to see available options.
+
+What to do if `cabal-audit` reported a vulnerability (in that order): 
+1. check if you can upgrade to at least the proposed fix version
+2. check if you can upgrade to a fix version that is not shown (find more information at the provided URL)
+3. check if there is a not vulnerable dependency that you can switch to
+4. check if the vulnerable behaviour applies to your project (find more information at the provided URL)
+
 ## Advisory Format
 
 See [EXAMPLE_ADVISORY.md] for a template.

code/.envrc

@@ -0,0 +1 @@
+use flake .. -Lv 

code/cabal-audit/app/Main.hs

@@ -0,0 +1,6 @@
+module Main (main) where
+
+import Distribution.Audit (auditMain)
+
+main :: IO ()
+main = auditMain

code/cabal-audit/cabal-audit.cabal

@@ -0,0 +1,100 @@
+cabal-version:      2.4
+name:               cabal-audit
+version:            1.0.0.0
+
+-- A short (one-line) description of the package.
+synopsis:           Checking a cabal project for security advisories
+
+-- A longer description of the package.
+description:
+  Tools for querying the haskell security advisories database against cabal projects.
+
+-- A URL where users can report bugs.
+-- bug-reports:
+
+-- The license under which the package is released.
+license:            BSD-3-Clause
+author:             @MangoIV
+maintainer:         contact@mangoiv.com
+
+-- A copyright notice.
+-- copyright:
+category:           Data
+extra-doc-files:
+extra-source-files:
+tested-with:
+  GHC ==8.10.7 || ==9.0.2 || ==9.2.8 || ==9.4.8 || ==9.6.3 || ==9.8.1
+
+common common-all
+  ghc-options:
+    -Wall -Wcompat -Widentities -Wincomplete-record-updates
+    -Wincomplete-uni-patterns -Wpartial-fields -Wredundant-constraints
+    -fmax-relevant-binds=0 -fno-show-valid-hole-fits
+
+  if impl(ghc >=9.6.1)
+    ghc-options: -fno-show-error-context
+
+  default-extensions:
+    BlockArguments
+    DeriveGeneric
+    DerivingStrategies
+    EmptyCase
+    ImportQualifiedPost
+    LambdaCase
+    NamedFieldPuns
+    NoStarIsType
+    OverloadedStrings
+    PartialTypeSignatures
+    ScopedTypeVariables
+    StandaloneDeriving
+    StandaloneKindSignatures
+    TypeApplications
+
+library
+  import:           common-all
+  exposed-modules:
+    Distribution.Audit
+    Security.Advisories.Cabal
+
+  build-depends:
+    , base                  <5
+    , Cabal
+    , cabal-install
+    , colourista
+    , containers
+    , filepath
+    , hsec-core
+    , hsec-tools
+    , http-client
+    , optparse-applicative
+    , process
+    , temporary
+    , text
+    , validation-selective
+
+  hs-source-dirs:   src
+  default-language: Haskell2010
+
+executable cabal-audit
+  import:           common-all
+  hs-source-dirs:   app
+  main-is:          Main.hs
+  other-modules:
+  build-depends:
+    , base         <5
+    , cabal-audit
+
+  default-language: Haskell2010
+
+test-suite spec
+  import:           common-all
+  type:             exitcode-stdio-1.0
+  hs-source-dirs:   test
+  main-is:          Main.hs
+  other-modules:    Spec
+  build-depends:
+    , base         <5
+    , cabal-audit
+    , hspec
+
+  default-language: Haskell2010

code/cabal-audit/fourmolu.yaml

@@ -0,0 +1,14 @@
+comma-style: leading
+function-arrows: leading
+haddock-style: single-line
+import-export-style: leading
+in-style: right-align
+indent-wheres: false
+indentation: 2
+let-style: inline
+newlines-between-decls: 1
+record-brace-space: true
+respectful: false
+single-constraint-parens: never
+single-deriving-parens: never
+unicode: never