The Haskell Security Response Team (SRT) is a volunteer organization within the Haskell Foundation that is building tools and processes to aid the entire Haskell ecosystem in assessing and responding to
security risks. In particular, we maintain a database of security advisories that can serve as a data source for security tooling.
This report details the SRT activities from April through June 2024.
The SRT is:
- Casey Mattingly
- Fraser Tweedale
- Gautier Di Folco
- Mihai Maruseac
- Tristan de Cacqueray
How to contact the SRT
For assistance in coordinating a security response to newly discovered, high impact vulnerabilities, contact security-advisories@haskell.org. Due to limited resources, we can only coordinate embargoed disclosures for high impact vulnerabilities affecting current versions of core Haskell tools and libraries, or in other exceptional cases.
You can submit lower-impact or historical vulnerabilities to the advisory database via a pull request to our GitHub repository.
You can also contact the SRT about non-advisory/security-response topics. We prefer public communication where possible. In most cases, GitHub issues are an appropriate forum. But the mail address is there if no other appropriate channel exists.
Growing the SRT
Following discussions at the 2024 Haskell Ecosystem Workshop, we have decided to grow the SRT. This is in recognition of the expanding scope of the SRT’s work. For example, we would like to improve security tooling for Haskell developers, but we are limited by our volunteer members’ capacity. There are several high-impact projects awaiting attention. Growing the team will enable us to address more of these, while (hopefully) reserving some capacity to address urgent security issues when they arise.
Additionally, Casey Mattingly has decided to retire from the SRT. Casey, thank you for your significant contributions during the SRT’s first year.
The SRT will put out a new Call for Volunteers soon. Keep an eye out for it, and we look forward to welcoming new members soon!
Advisory database
1 contemporary advisory was published during the reporting period.
0 historical advisories were added during the reporting period.
2 HSEC IDs (HSEC-2024-0004 and HSEC-2024-0005) have been reserved for embargoed vulnerabilities, which will be published later.
We urge community members to submit to the database any known security issues, including historical issues, that are not yet included.
SRT at the Haskell Ecosystem Workshop and ZuriHac 2024
In early June, Gautier and Fraser attended the Haskell Ecosystem Workshop and ZuriHac, co-located at OST Rapperswil near Zürich. Fraser presented (slides) at the Workshop, giving an overview of the SRT’s processes, work, tooling, and future evolution.
There were many highlights from 5 days of collaboration across both events:
-
New security issues were reported, and SRT initiated a response.
-
New contributors made valuable contributions:
- André Espaze implemented a Security page for the
www.haskell.orgwebsite (pull request). - andrii (
@unorsk) took up the work of implementing CVSS 4.0 support for the advisory database.
- André Espaze implemented a Security page for the
-
Gautier improved the HTML advisory index generation
-
Mango (
@MangoIV) continued work on cabal-audit and bugfixes/improvements to the advisory libraries. -
Mango also started work on SPDX SBOM generation.
-
SRT members gave security advice to other projects.
-
Many people shared ideas about the evolution and strengthening of the SRT, and the Haskell security posture more generally.
Fraser especially thanks the Haskell Foundation for travel assistance (Zürich is a long way from Australia!)
Reporting vulnerabilities via VINCE
The CERT/CC VINCE system supports confidential reporting of vulnerabilities and response coordination. The Haskell ecosystem is now represented in VINCE as the “Haskell Programming Language” vendor.
VINCE is especially valuable for coordinated security response and disclosure of vulnerabilities that impact multiple ecosystems. For example, HSEC-2024-0003 impacted many languages, including Rust, PHP, Node.js and Erlang. Representatives of the affected ecosystems shared information, including mitigation techniques, and prepared for coordinated disclosure and fix releases.
Although anyone can use VINCE to report a vulnerability to the SRT, we encourage its use only for high-impact vulnerabilities and vulnerabilities that impact multiple ecosystems or vendors. For low-severity issues that only impact the Haskell ecosystem, please follow the process in the Reporting Vulnerabilities document.
Security guides
The SRT from time to time will publish “security best practices” guides on particular topics, tailored to users of Haskell. Mihai published the first of these in May: How to secure GitHub repositories. Thanks Mihai!
What other security guides would be helpful for the Haskell community? Please let us know via email or GitHub issue.
SRT libraries and tools on Hackage
We have published the following libraries and tools on hackage.haskell.org:
-
cvss:
types and functions for the Common Vulnerability Scoring System -
osv:
the Open Source Vulnerabilities (OSV) schema -
hsec-core:
our core advisory type -
hsec-tools:
advisory parsing and processing (library), and thehsec-tools
executable for managing the advisory database and export
artifacts -
hsec-sync:
executable for downloading and synchronising snapshots of the
advisory database content, intended for Haskell ecosystem tooling
We will also publish a Common Weakness Enumeration (CWE) library, which is still in development.
Tooling updates
- Gautier implemented advisory snapshots. These are intended for distribution and consumption by downstream tools (so they don’t have to clone the whole security-advisories Git repo).
- Gautier enhanced the style and content of our HTML advisory index generator.
- Mango fixed several bugs in hsec-core and purged
ZonedTimefrom the codebase. TheAdvisorytype now usesUTCTime. - Tristan is adding support for the
GHCadvisory namespace, which is already defined in the OSV schema. It is for advisories affecting the compiler or other tools that can not be properly identified in theHackagenamespace. - Early in Q3 we will publish new versions of most of our packages, incorporating the changes mentioned above (and more).