mirror of
https://github.com/GaloisInc/cryptol.git
synced 2024-12-25 17:04:31 +03:00
117 lines
3.4 KiB
Markdown
117 lines
3.4 KiB
Markdown
# CVE Checks
|
|
## Background.
|
|
|
|
Here we generate reports for listing any used packages that are
|
|
subject to CVEs. We do this for both Haskell and Python.
|
|
|
|
For background, approach, and useful boilerplate, refer to
|
|
https://github.com/GaloisInc/hello-cve-scans.git
|
|
|
|
## Prerequisites
|
|
|
|
First, build the software of interest:
|
|
- cryptol itself
|
|
- cryptol-remote-api/python (a Python project), e.g.,
|
|
```
|
|
cd cryptol-remote-api/python
|
|
poetry install
|
|
```
|
|
|
|
Ensure you have the following installed (beyond what's required by cryptol):
|
|
* wget
|
|
* jq (json query, command line tool used to finagle json files)
|
|
|
|
## Quick Start
|
|
|
|
Run this script to build & install software needed to do the checks:
|
|
```
|
|
cve-reports/bin/cvecheck-build.sh
|
|
```
|
|
|
|
Run this script to run both checks, writing freeform text to stdout:
|
|
```
|
|
cve-reports/bin/cvecheck-all.sh
|
|
```
|
|
|
|
Run this to generate both *JSON* reports (each with their own json structure):
|
|
```
|
|
cve-reports/bin/cvecheck-all.sh --write-json
|
|
```
|
|
|
|
Individual reports can be run also:
|
|
```
|
|
cve-reports/bin/cvecheck-hs.sh # generate the Haskell CVE report
|
|
cve-reports/bin/cvecheck-py.sh # generate the Python CVE report
|
|
```
|
|
As well as the json output for each language:
|
|
```
|
|
cve-reports/bin/cvecheck-hs.sh --write-json
|
|
cve-reports/bin/cvecheck-py.sh --write-json
|
|
```
|
|
|
|
A concise rollup of the three JSON reports can be created with:
|
|
```
|
|
cve-reports/bin/cvecheck-consolidated.sh
|
|
```
|
|
which prints a sequence of normalized JSON values to the standard
|
|
output for the known CVEs. The form of each CVE is like this example:
|
|
```
|
|
{
|
|
"language": "Haskell",
|
|
"id": "HSEC-2023-0007",
|
|
"title": "readFloat: memory exhaustion with large exponent",
|
|
"package": {
|
|
"name": "base",
|
|
"version": "4.17.2.1"
|
|
}
|
|
}
|
|
```
|
|
Note that `cvecheck-consolidated.sh` does not generate the respective
|
|
JSON reports, the user must do that with the above shell scripts.
|
|
|
|
## What we check
|
|
|
|
We check both these projects
|
|
* the top level Haskell project as captured in saw-script.cabal.
|
|
* the Python project in `cryptol-remote-api/python/`.
|
|
|
|
We ignore the projects (packages, etc.) in `dep/`, if any are used in
|
|
the above projects, the dependencies should be reflected in the
|
|
builds of the above.
|
|
|
|
NOTE: if further projects get added to the repo, they need to be added
|
|
to the scripts.
|
|
|
|
## Caveats
|
|
|
|
For further background refer to
|
|
https://github.com/GaloisInc/hello-cve-scans.git
|
|
but in a nutshell
|
|
- we may report false positives, as using a package does not imply
|
|
exercising the code in a package (or environment) that exhibits the
|
|
vulnerability.
|
|
|
|
## Further details on the CVE checks for our three languages:
|
|
### Haskell: `bin/cvecheck-hs.sh`
|
|
|
|
We use the `MangoIV/cabal-audit` package
|
|
https://github.com/MangoIV/cabal-audit.git
|
|
which is not to be confused with the `cabal-audit` in hackage.
|
|
The latter is hopelessly out of date, while the former
|
|
|
|
- is beta quality, but is being maintained
|
|
- calls the cabal libraries and thus (for better or worse), inherits
|
|
the cabal settings and environment.
|
|
- uses the advisories in
|
|
https://github.com/haskell/security-advisories.git
|
|
(this repo contains the database as well as some customized Haskell packages.)
|
|
|
|
Note that the advisory database is checked and downloaded each time
|
|
that `cabal-audit` is called.
|
|
|
|
### Python: `bin/cvecheck-py.sh`
|
|
|
|
We use the `python-audit` package.
|
|
Since are using `poetry`, we need to first "extract" a
|
|
requirements.txt using `poetry export`.
|