| 1 | +--- |
| 2 | +title: Enhance Hackage server to display security vulnerability information |
| 3 | +--- |
| 4 | + |
| 5 | +[Hackage][hackage-web] is the Haskell community's central package |
| 6 | +archive of open source software. It is an instance of the open |
| 7 | +source [hackage-server][] program. |
| 8 | + |
| 9 | +[hackage-web]: https://hackage.haskell.org/ |
| 10 | +[hackage-server]: https://github.com/haskell/hackage-server |
| 11 | + |
| 12 | +The Haskell Security Response Team maintains the Haskell [Security |
| 13 | +Advisory Database][advisory-db]. This database can serve as the |
| 14 | +basis for enhancing security tooling for the Haskell ecosystem. |
| 15 | + |
| 16 | +In particular, the Advisory Database records known vulnerabilities |
| 17 | +of packages in the Hackage namespace. The advisory data includes |
| 18 | +the affected version ranges, written summary and details of the |
| 19 | +vulnerability, CVSS score and CWE numbers. |
| 20 | + |
| 21 | +[advisory-db]: https://github.com/haskell/security-advisories |
| 22 | + |
| 23 | +We propose to enhance hackage-server to use the advisory database to |
| 24 | +augment package pages with security information about the package. |
| 25 | +In particular, we propose: |
| 26 | + |
| 27 | +- Updating package/version pages to clearly indicate that the |
| 28 | + package/version contains known security issues, and provide |
| 29 | + details of those issues (a brief summary with a link to an |
| 30 | + external resource could be sufficient). |
| 31 | + |
| 32 | +- Updating package/version pages to clearly indicate that the |
| 33 | + package/version depends on (or *may* depend on, according to |
| 34 | + version bounds) vulnerable version of *other* packages. |
| 35 | + |
| 36 | +- Provide a link or information on every package page about how to |
| 37 | + report security vulnerabilities in that package. This could be a |
| 38 | + form that creates an issue or pull request against the |
| 39 | + `security-advisories` repository, sends an email to the SRT, or |
| 40 | + something along those lines. |
| 41 | + |
| 42 | +[call to action]: https://discourse.haskell.org/t/would-you-like-to-write-a-security-advisory-analyzer/7638 |
| 43 | + |
| 44 | +## Mentorship |
| 45 | + |
| 46 | +Ideally someone familiar with the *hackage-server* implementation |
| 47 | +would be able to mentor the student. |
| 48 | + |
| 49 | +Haskell Security Response Team can mentor and collaborate with |
| 50 | +respect to the Advisory Database, the content of advisories, or |
| 51 | +exporting the data in a format suitable for use by *hackage-server*. |
| 52 | + |
| 53 | +## Difficulty and size |
| 54 | + |
| 55 | +**TODO**: we would like someone familiar with *hackage-server* to |
| 56 | +provide difficulty and size estimates. |
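Review bot: the `[call to action]` reference definition on the line `+[call to action]: https://discourse.haskell.org/t/...` is never used by any link in the body, so it will not render; either link it from the proposal text (for example where the advisory database is introduced) or drop the definition. Two smaller points in the same hunk: `vulnerable version of *other* packages` should read `vulnerable versions of *other* packages`, and the second bullet would be clearer if it said whether the "may depend on, according to version bounds" check is meant to be computed from the package's declared bounds alone or from a concrete build plan, since the two give different answers and the proposal currently leaves that open.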