mirror of
https://github.com/GaloisInc/cryptol.git
synced 2024-12-24 16:31:34 +03:00
add scripts & doc for doing CVE checks
This commit is contained in:
parent
9821aa9deb
commit
d90de928ce
3
.gitignore
vendored
3
.gitignore
vendored
@ -48,3 +48,6 @@ cryptol.wixpdb
|
||||
|
||||
# happy-generated files
|
||||
src/Cryptol/Parser.hs
|
||||
|
||||
# tempfile used for CVE checks:
|
||||
cryptol-remote-api/python/tmp-requirements.txt
|
1
cve-reports/.gitignore
vendored
Normal file
1
cve-reports/.gitignore
vendored
Normal file
@ -0,0 +1 @@
|
||||
cabal-audit-src/
|
116
cve-reports/README.md
Normal file
116
cve-reports/README.md
Normal file
@ -0,0 +1,116 @@
|
||||
# CVE Checks
|
||||
## Background.
|
||||
|
||||
Here we generate reports for listing any used packages that are
|
||||
subject to CVEs. We do this for both Haskell and Python.
|
||||
|
||||
For background, approach, and useful boilerplate, refer to
|
||||
https://github.com/GaloisInc/hello-cve-scans.git
|
||||
|
||||
## Prerequisites
|
||||
|
||||
First, build the software of interest:
|
||||
- cryptol itself
|
||||
- cryptol-remote-api/python (a Python project), e.g.,
|
||||
```
|
||||
cd cryptol-remote-api/python
|
||||
poetry install
|
||||
```
|
||||
|
||||
Ensure you have the following installed (beyond what's required by cryptol):
|
||||
* wget
|
||||
* jq (json query, command line tool used to finagle json files)
|
||||
|
||||
## Quick Start
|
||||
|
||||
Run this script to build & install software needed to do the checks:
|
||||
```
|
||||
cve-reports/bin/cvecheck-build.sh
|
||||
```
|
||||
|
||||
Run this script to run both checks, writing freeform text to stdout:
|
||||
```
|
||||
cve-reports/bin/cvecheck-all.sh
|
||||
```
|
||||
|
||||
Run this to generate both *JSON* reports (each with their own json structure):
|
||||
```
|
||||
cve-reports/bin/cvecheck-all.sh --write-json
|
||||
```
|
||||
|
||||
Individual reports can be run also:
|
||||
```
|
||||
cve-reports/bin/cvecheck-hs.sh # generate the Haskell CVE report
|
||||
cve-reports/bin/cvecheck-py.sh # generate the Python CVE report
|
||||
```
|
||||
As well as the json output for each language:
|
||||
```
|
||||
cve-reports/bin/cvecheck-hs.sh --write-json
|
||||
cve-reports/bin/cvecheck-py.sh --write-json
|
||||
```
|
||||
|
||||
A concise rollup of the three JSON reports can be created with:
|
||||
```
|
||||
cve-reports/bin/cvecheck-consolidated.sh
|
||||
```
|
||||
which prints a sequence of normalized JSON values to the standard
|
||||
output for the known CVEs. The form of each CVE is like this example:
|
||||
```
|
||||
{
|
||||
"language": "Haskell",
|
||||
"id": "HSEC-2023-0007",
|
||||
"title": "readFloat: memory exhaustion with large exponent",
|
||||
"package": {
|
||||
"name": "base",
|
||||
"version": "4.17.2.1"
|
||||
}
|
||||
}
|
||||
```
|
||||
Note that `cvecheck-consolidated.sh` does not generate the respective
|
||||
JSON reports, the user must do that with the above shell scripts.
|
||||
|
||||
## What we check
|
||||
|
||||
We check both these projects
|
||||
* the top level Haskell project as captured in saw-script.cabal.
|
||||
* the Python project in `cryptol-remote-api/python/`.
|
||||
|
||||
We ignore the projects (packages, etc.) in `dep/`, if any are used in
|
||||
the above projects, the dependencies should be reflected in the
|
||||
builds of the above.
|
||||
|
||||
NOTE: if further projects get added to the repo, they need to be added
|
||||
to the scripts.
|
||||
|
||||
## Caveats
|
||||
|
||||
For further background refer to
|
||||
https://github.com/GaloisInc/hello-cve-scans.git
|
||||
but in a nutshell
|
||||
- we may report false positives, as using a package does not imply
|
||||
exercising the code in a package (or environment) that exhibits the
|
||||
vulnerability.
|
||||
|
||||
## Further details on the CVE checks for our three languages:
|
||||
### Haskell: `bin/cvecheck-hs.sh`
|
||||
|
||||
We use the `MangoIV/cabal-audit` package
|
||||
https://github.com/MangoIV/cabal-audit.git
|
||||
which is not to be confused with the `cabal-audit` in hackage.
|
||||
The latter is hopelessly out of date, while the former
|
||||
|
||||
- is beta quality, but is being maintained
|
||||
- calls the cabal libraries and thus (for better or worse), inherits
|
||||
the cabal settings and environment.
|
||||
- uses the advisories in
|
||||
https://github.com/haskell/security-advisories.git
|
||||
(this repo contains the database as well as some customized Haskell packages.)
|
||||
|
||||
Note that the advisory database is checked and downloaded each time
|
||||
that `cabal-audit` is called.
|
||||
|
||||
### Python: `bin/cvecheck-py.sh`
|
||||
|
||||
We use the `python-audit` package.
|
||||
Since are using `poetry`, we need to first "extract" a
|
||||
requirements.txt using `poetry export`.
|
BIN
cve-reports/bin/cabal-audit
Executable file
BIN
cve-reports/bin/cabal-audit
Executable file
Binary file not shown.
11
cve-reports/bin/cvecheck-all.sh
Executable file
11
cve-reports/bin/cvecheck-all.sh
Executable file
@ -0,0 +1,11 @@
|
||||
#!/bin/sh
|
||||
# cvecheck-all.sh: do all CVE checks
|
||||
# usage: cvecheck-all.sh
|
||||
|
||||
THIS_DIR=$(realpath $(dirname $0))
|
||||
|
||||
echo "\ncvecheck-all.sh: check Haskell"
|
||||
${THIS_DIR}/cvecheck-hs.sh $*
|
||||
|
||||
echo "\ncvecheck-all.sh: check Python"
|
||||
${THIS_DIR}/cvecheck-py.sh $*
|
48
cve-reports/bin/cvecheck-build.sh
Executable file
48
cve-reports/bin/cvecheck-build.sh
Executable file
@ -0,0 +1,48 @@
|
||||
#!/bin/sh
|
||||
# cvecheck-build.sh: build what's needed to do CVE checks
|
||||
# usage: ./cvecheck-build.sh
|
||||
|
||||
set -e
|
||||
|
||||
TOP_DIR=$(realpath $(dirname $0)/../..)
|
||||
MY_BIN_DIR=$(realpath $(dirname $0))
|
||||
PYTHON_DIR=${TOP_DIR}/cryptol-remote-api/python
|
||||
|
||||
##################################################################
|
||||
##### For Haskell: build MangoIV/cabal-audit: ####
|
||||
|
||||
# We build cabal-audit "out of line" from the current cabal due to its
|
||||
# complicated mix of non-hackage dependencies.
|
||||
#
|
||||
# (Maybe we can change this once MargoIV/cabal-audit becomes more
|
||||
# mature and the required dependencies are in hackage.)
|
||||
|
||||
cd ${MY_BIN_DIR}/..
|
||||
|
||||
if [ ! -e cabal-audit-src ]; then
|
||||
echo "\ncvecheck-build.sh: acquire cabal-audit source ..."
|
||||
wget -O cabal-audit.tar.gz \
|
||||
https://github.com/MangoIV/cabal-audit/archive/2fe849d.tar.gz
|
||||
# software's a little finicky, so we pick a known commit.
|
||||
tar xzvf cabal-audit.tar.gz
|
||||
rm cabal-audit.tar.gz
|
||||
mv cabal-audit-* cabal-audit-src
|
||||
fi
|
||||
|
||||
echo "\ncvecheck-build.sh: build cabal-audit source ..."
|
||||
cd cabal-audit-src
|
||||
cabal build
|
||||
|
||||
echo "\ncvecheck-build.sh: install cabal-audit in ${MY_BIN_DIR}."
|
||||
cp -pv $(cabal list-bin -v0 exe:cabal-audit) ${MY_BIN_DIR}
|
||||
|
||||
|
||||
##################################################################
|
||||
##### For Python: pip-audit ####
|
||||
|
||||
cd ${PYTHON_DIR}
|
||||
|
||||
echo "\ninstalling pip-audit."
|
||||
pip install pip-audit
|
||||
|
||||
|
34
cve-reports/bin/cvecheck-consolidated.sh
Executable file
34
cve-reports/bin/cvecheck-consolidated.sh
Executable file
@ -0,0 +1,34 @@
|
||||
#!/bin/sh
|
||||
# cvecheck-all.sh: do all CVE checks
|
||||
# usage: cvecheck-all.sh
|
||||
|
||||
set -e
|
||||
|
||||
export THIS_DIR=$(realpath $(dirname $0))
|
||||
. ${THIS_DIR}/variables.sh
|
||||
|
||||
JQ='jq'
|
||||
JQARGS='--indent 2'
|
||||
|
||||
if ! which ${JQ} >/dev/null ; then
|
||||
echo "no ${JQ} executable found"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# debugging/testing
|
||||
# HS_JSON_FILE=~/src/GaloisInc/hello-cve-scans/hs-project/T.json
|
||||
# PY_JSON_FILE=~/src/GaloisInc/hello-cve-scans/py-project/T-pip-audit.json
|
||||
|
||||
# echo consolidating
|
||||
# for f in ${HS_JSON_FILE} ${PY_JSON_FILE}; do
|
||||
# echo " " $f
|
||||
# done;
|
||||
# echo into ${COMMON_JSON_FILE}
|
||||
|
||||
${JQ} ${JQARGS} \
|
||||
'to_entries .[] | {language: "Haskell", id: .value.advisories.[0].id, title: .value.advisories.[0].summary, package: {name: .key, version: .value.version}}' \
|
||||
${HS_JSON_FILE}
|
||||
|
||||
${JQ} ${JQARGS} \
|
||||
'.dependencies | .[] | select(.vulns != []) | {language: "Python", id: .vulns.[0].id , title: "", package: {name: .name, version: .version}}' \
|
||||
${PY_JSON_FILE}
|
29
cve-reports/bin/cvecheck-hs.sh
Executable file
29
cve-reports/bin/cvecheck-hs.sh
Executable file
@ -0,0 +1,29 @@
|
||||
#!/bin/sh
|
||||
# cvecheck-hs.sh: do CVE checks
|
||||
# usage: cvecheck-hs.sh
|
||||
|
||||
set -e
|
||||
|
||||
export THIS_DIR=$(realpath $(dirname $0))
|
||||
. ${THIS_DIR}/variables.sh
|
||||
|
||||
AUDIT_EXE=${THIS_DIR}/cabal-audit
|
||||
|
||||
echo
|
||||
echo "Running cabal-audit, at top level:"
|
||||
|
||||
if [ ! -x ${AUDIT_EXE} ] ; then
|
||||
echo error: ${AUDIT_EXE} does not exist.
|
||||
exit 1
|
||||
elif [ $# == 0 ] ; then
|
||||
ARGS=""
|
||||
elif [ $# -eq 1 ] && [ $1 = "--write-json" ] ; then
|
||||
ARGS="--json -o ${HS_JSON_FILE}"
|
||||
else
|
||||
echo "Usage: cvecheck-hs.sh [--write-json]"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
cd ${TOP_DIR}
|
||||
|
||||
${AUDIT_EXE} ${ARGS}
|
28
cve-reports/bin/cvecheck-py.sh
Executable file
28
cve-reports/bin/cvecheck-py.sh
Executable file
@ -0,0 +1,28 @@
|
||||
#!/bin/sh
|
||||
# cvecheck-py.sh: do CVE checks
|
||||
# usage: cvecheck-py.sh [--write-json]
|
||||
|
||||
set -e
|
||||
|
||||
export THIS_DIR=$(realpath $(dirname $0))
|
||||
. ${THIS_DIR}/variables.sh
|
||||
|
||||
PROJ_DIR=${TOP_DIR}/cryptol-remote-api/python
|
||||
|
||||
echo
|
||||
echo "Running pip-audit in ${PROJ_DIR}:"
|
||||
|
||||
if [ $# == 0 ] ; then
|
||||
ARGS=""
|
||||
elif [ $# -eq 1 ] && [ $1 = "--write-json" ] ; then
|
||||
ARGS="-f json -o ${PY_JSON_FILE}"
|
||||
else
|
||||
echo "Usage: cvecheck-py.sh [--write-json]"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
cd ${PROJ_DIR}
|
||||
|
||||
poetry export -frequirements.txt -o tmp-requirements.txt
|
||||
|
||||
pip-audit -r ./tmp-requirements.txt ${ARGS}
|
4
cve-reports/bin/variables.sh
Normal file
4
cve-reports/bin/variables.sh
Normal file
@ -0,0 +1,4 @@
|
||||
TOP_DIR=$(realpath ${THIS_DIR}/../..)
|
||||
HS_JSON_FILE=$(realpath ${THIS_DIR}/..)/hs-cves.json
|
||||
PY_JSON_FILE=$(realpath ${THIS_DIR}/..)/py-cves.json
|
||||
COMMON_JSON_FILE=$(realpath ${THIS_DIR}/..)/all-cves.json
|
1
cve-reports/hs-cves.json
Normal file
1
cve-reports/hs-cves.json
Normal file
File diff suppressed because one or more lines are too long
1
cve-reports/py-cves.json
Normal file
1
cve-reports/py-cves.json
Normal file
@ -0,0 +1 @@
|
||||
{"dependencies": [{"name": "argo-client", "version": "0.0.13", "vulns": []}, {"name": "bitvector", "version": "3.5.0", "vulns": []}, {"name": "certifi", "version": "2024.7.4", "vulns": []}, {"name": "charset-normalizer", "version": "3.3.2", "vulns": []}, {"name": "idna", "version": "3.7", "vulns": []}, {"name": "requests", "version": "2.32.0", "vulns": []}, {"name": "types-requests", "version": "2.31.0.20240406", "vulns": []}, {"name": "typing-extensions", "version": "4.11.0", "vulns": []}, {"name": "urllib3", "version": "2.2.2", "vulns": []}], "fixes": []}
|
Loading…
Reference in New Issue
Block a user