[Request for Comments] GitHub haskell-security-action

Hello everyone,

I’m part of the Haskell Security Response Team.
One of the main goals of the team was to provide a proper GitHub integration.
It is a long way to get there, as Dependabot is currently closed to new programming languages.
Fortunately, GitHub provides actions and an API to load scan results.
Over the last weeks (I have been busy), I have come up with haskell-security-action, based on cabal-audit.
It's currently hack-ish and there are a lot of shortcomings, but it does the job.

Many thanks to @MangoIV @Kleidukos @julm

My hope with this thread is to collect comments, issues, bugs, ideas, feature requests (and maybe contributors?).

After a stabilization period, I want to transfer it back to @haskell.

Thanks in advance.


I don’t know if it’d make sense in your opinion, but if it’s possible, we can also make this part of cabal-audit. I’d be happy to think about the shortcomings, and I assume that they’re mostly shortcomings of cabal-audit.

I mean, if cabal-audit can produce a SARIF file, it’ll be simplified to just a few nix/yaml files.

Another concern was packaging a static binary.

I am already producing a fully static binary so that shouldn’t be an issue.

And yeah, I think it would be fine to add a new subcommand "ci" that could house all the things you’d need from cabal-audit.


SARIF could be a regular output.

Yeah, however you’d like and fits best. There’s also this issue which we can use for further discussion

As you can see there’s already a --ci flag which will return a non-zero exit code whenever there’s an advisory.

About the static exe:

This output builds the fully static cabal-audit with musl.

see the file static.nix to see how it’s built.

I’ll have a look at the static part.

It’s a bit more subtle than an error:

  • I collect the advisories from cabal-audit
  • I regroup them
  • I create the SARIF data structure
  • I upload it through the GitHub API
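The four steps in the post above (collect, regroup, build SARIF, upload), as an added Python example that is not haskell-security-action's or cabal-audit's code. The advisory record shape and the sample records are constructed for illustration and are not cabal-audit's actual output format; the dependency file name used as the SARIF location, the placeholder commit SHA and ref, and the exit-code helper that mirrors a --ci style flag are assumptions. What is not an assumption: GitHub's code-scanning SARIF upload endpoint expects the SARIF document gzip-compressed and then base64-encoded in the `sarif` field alongside `commit_sha` and `ref`.

```python
"""Regroup advisories, emit SARIF 2.1.0, and prepare the GitHub code-scanning
upload body. Added example, not haskell-security-action or cabal-audit code.
The advisory record shape and the sample data are constructed for illustration;
they are not cabal-audit's actual output format."""
import base64
import gzip
import json
from collections import defaultdict

# Constructed sample input: one record per (package, advisory) pair.
SAMPLE_ADVISORIES = [
    {"package": "pkg-a", "version": "1.2.0", "id": "ADV-EXAMPLE-1",
     "summary": "Constructed advisory one", "fixed_in": ["1.2.1"]},
    {"package": "pkg-a", "version": "1.2.0", "id": "ADV-EXAMPLE-2",
     "summary": "Constructed advisory two", "fixed_in": []},
    {"package": "pkg-b", "version": "0.9.3", "id": "ADV-EXAMPLE-3",
     "summary": "Constructed advisory three", "fixed_in": ["0.9.4"]},
]


def group_by_package(advisories):
    """Regroup flat advisory records by affected package name."""
    grouped = defaultdict(list)
    for adv in advisories:
        grouped[adv["package"]].append(adv)
    return dict(grouped)


def to_sarif(advisories, tool_name="cabal-audit", artifact="cabal.project.freeze"):
    """Build a SARIF 2.1.0 log: one rule per advisory id, one result per record.
    Results point at the dependency file (assumed file name) because an advisory
    has no meaningful source line to attach to."""
    rules, rule_index, results = [], {}, []
    for pkg, advs in sorted(group_by_package(advisories).items()):
        for adv in advs:
            if adv["id"] not in rule_index:
                rule_index[adv["id"]] = len(rules)
                rules.append({
                    "id": adv["id"],
                    "shortDescription": {"text": adv["summary"]},
                    "defaultConfiguration": {"level": "error"},
                })
            fix = ", ".join(adv["fixed_in"]) or "no fixed version published"
            results.append({
                "ruleId": adv["id"],
                "ruleIndex": rule_index[adv["id"]],
                "level": "error",
                "message": {"text": f"{pkg}-{adv['version']}: {adv['summary']} (fixed in: {fix})"},
                "locations": [{"physicalLocation": {
                    "artifactLocation": {"uri": artifact, "uriBaseId": "%SRCROOT%"}}}],
            })
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{"tool": {"driver": {"name": tool_name, "rules": rules}},
                  "results": results}],
    }


def upload_body(sarif, commit_sha, ref):
    """JSON body for POST /repos/{owner}/{repo}/code-scanning/sarifs.
    GitHub requires the SARIF to be gzip-compressed, then base64-encoded."""
    raw = json.dumps(sarif, separators=(",", ":")).encode()
    return {
        "commit_sha": commit_sha,
        "ref": ref,
        "sarif": base64.b64encode(gzip.compress(raw)).decode(),
    }


def decode_upload_body(body):
    """Inverse of upload_body; lets you inspect exactly what would be sent."""
    return json.loads(gzip.decompress(base64.b64decode(body["sarif"])))


def ci_exit_code(advisories):
    """Mirror a --ci style flag (assumed semantics): non-zero when any advisory applies."""
    return 1 if advisories else 0


if __name__ == "__main__":
    log = to_sarif(SAMPLE_ADVISORIES)
    body = upload_body(log, "0" * 40, "refs/heads/main")  # placeholder sha and ref
    print(json.dumps(log, indent=2))
    print("upload payload (base64 chars):", len(body["sarif"]))
    print("ci exit code:", ci_exit_code(SAMPLE_ADVISORIES))
```

The body returned by upload_body is what an action would POST with a token carrying the security-events write permission; the example deliberately stops short of the network call so it runs offline, and decode_upload_body gives you a way to verify the compressed payload round-trips before sending it.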

Yeah, as I said, anything is good.