|
| 1 | +--- |
| 2 | +title: cabal-install security vulnerability checking |
| 3 | +--- |
| 4 | + |
| 5 | +*cabal-install* is a widely used tool for building Haskell projects. |
| 6 | +In addition to building and testing packages it can update package |
| 7 | +indexes from remote servers and handles some aspects of dependency |
| 8 | +management. |
| 9 | + |
| 10 | +The Haskell Security Response Team maintains the Haskell [Security |
| 11 | +Advisory Database][advisory-db]. This database can serve as the |
| 12 | +basis for enhancing security tooling for the Haskell ecosystem. |
| 13 | + |
| 14 | +In particular, the Advisory Database records known vulnerabilities |
| 15 | +of packages in the Hackage namespace. The advisory data includes |
| 16 | +the affected version ranges, written summary and details of the |
| 17 | +vulnerability, CVSS score and CWE numbers. |
| 18 | + |
| 19 | +We propose the addition of security vulnerability checking to the |
| 20 | +`cabal-install` tool. For discussion purposes, this document |
| 21 | +suggests the `cabal audit` subcommand name, but this is just a |
| 22 | +suggestion. |
| 23 | + |
| 24 | +When executed in package or project context, `cabal audit` would |
| 25 | +analyse the dependencies of the package/project and advise when |
| 26 | +vulnerable dependencies are found. There are several considerations |
| 27 | +that warrant further discussion. |
| 28 | + |
| 29 | +- `.cabal` files, in general, specify version *bounds* via the |
| 30 | + `build-depends` field. In the general case, any overlap between a |
| 31 | + dependency's version bounds specified in the `build-depends` |
| 32 | + field, and known vulnerable version ranges specified in an |
| 33 | + advisory should be reported. |
| 34 | + |
| 35 | +- `cabal-install` can produce *freeze* files via the `cabal freeze` |
| 36 | + subcommand, which specify an exact set of dependencies locked at |
| 37 | + particular versions. `cabal audit` should have a mode that |
| 38 | + analyses freeze files. (This mode could work with an explicit |
| 39 | + input file, outside of a package or project directory context). |
| 40 | + |
| 41 | +- In some cases, the vulnerable behaviour in a dependency is not |
| 42 | + used by the dependent library or program. A mechansim (or |
| 43 | + mechanisms) to suppress false positives is a requirement. Some or |
| 44 | + all of the following mechanisms should be considered: |
| 45 | + |
| 46 | + - A local cache of suppressions. In plain words, this would |
| 47 | + record information such as "suppress HSEC-2024-0001 for package |
| 48 | + *acme-frobnicator*". |
| 49 | + |
| 50 | + - Extending the Cabal package metadata to enable package |
| 51 | + maintainers or trustees to record such suppressions in the |
| 52 | + package metadata itself. The data would be propagated through |
| 53 | + package indexes (e.g. Hackage) and ensure that users do not see |
| 54 | + false positives, after the metadata have been uploaded to the |
| 55 | + package index. |
| 56 | + |
| 57 | + - Extending the Advisory Database to record non-exploitability |
| 58 | + information. This is an alternative way of expressing and |
| 59 | + propagating the same data as the preceding point. The |
| 60 | + approaches are not mutually exclusive. The student should |
| 61 | + engage with the community and pursue a consensus on which |
| 62 | + approach is preferred, or if both are desired, which should be |
| 63 | + prioritised. |
| 64 | + |
| 65 | + - The [*VEX (Vulnerability Exploitability eXchange)*][VEX] |
| 66 | + standard might provide an appropriate data model for recording |
| 67 | + and/or transmitting (non-)exploitability information. |
| 68 | + |
| 69 | + - The Advisory Database can *optionally* record, for each |
| 70 | + advisory, the **names of the problematic functions/values**. It |
| 71 | + may be possible to use this data to *produce* exploitability |
| 72 | + information, but *how* to do so may be complicated or error |
| 73 | + prone. Depending on progress made, the student may or may not |
| 74 | + wish to pursue this idea. |
| 75 | + |
| 76 | + - Commands or behaviours to assist the user in **reporting |
| 77 | + vulnerabilities** to the Advisory Database is another idea to |
| 78 | + consider, if time permits. |
| 79 | + |
| 80 | +See also David Christian's [call to action][] for writing a security |
| 81 | +advisory analyser for Haskell, which discusses the same general |
| 82 | +topic. |
| 83 | + |
| 84 | +[VEX]: https://www.cisa.gov/resources-tools/resources/minimum-requirements-vulnerability-exploitability-exchange-vex |
| 85 | +[call to action]: https://discourse.haskell.org/t/would-you-like-to-write-a-security-advisory-analyzer/7638 |
| 86 | + |
| 87 | + |
| 88 | +## Mentorship |
| 89 | + |
| 90 | +Ideally a *Cabal*/*cabal-install* developer/maintainer would be able |
| 91 | +to mentor the student. |
| 92 | + |
| 93 | +Haskell Security Response Team can mentor and collaborate with |
| 94 | +respect to the Advisory Database, the content of advisories, |
| 95 | +expanding the database to include exploitability information, or |
| 96 | +exporting the data in a format suitable for use by *hackage-server*. |
| 97 | + |
| 98 | +## Difficulty and size |
| 99 | + |
| 100 | +A *Cabal*/*cabal-install* maintainer should weigh in, but this whole |
| 101 | +effort definitely lies on the larger end. |
| 102 | + |
| 103 | +**Difficulty**: Medium/Hard |
| 104 | + |
| 105 | +**Size**: 350 hours |
0 commit comments