Skip to content

Files

Failed to load latest commit information.

Latest commit

 Cannot retrieve latest commit at this time.

History

History
 
 

cve-reports

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
bin
bin
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 

README.md

CVE Checks

Background.

Here we generate reports for listing any used packages that are subject to CVEs. We do this for three languages: Haskell, Rust, and Python.

For background, approach, and useful boilerplate, refer to https://github.com/GaloisInc/hello-cve-scans.git

Prerequisites

First, build the software of interest:

  • sawscript itself
  • doc/rust-tutorial/code/salsa20 (a Rust project)
  • saw-python (a Python project)

Ensure you have the following installed (beyond what's required by sawscript):

  • wget
  • rust >= 1.70
  • jq (json query, command line tool used to finagle json files)

Quick Start

Run this script to build & install software needed to do the checks:

cve-reports/bin/cvecheck-build.sh

Run this script to run all three checks, freeform text to stdout:

cve-reports/bin/cvecheck-all.sh

To generate all three JSON reports (each with their own json structure):

cve-reports/bin/cvecheck-all.sh  --write-json

Individual reports can be run also:

cve-reports/bin/cvecheck-hs.sh               # generate the Haskell CVE report
cve-reports/bin/cvecheck-rs.sh               # generate the Rust CVE report
cve-reports/bin/cvecheck-py.sh               # generate the Python CVE report

As well as the json output for each language:

cve-reports/bin/cvecheck-hs.sh --write-json
cve-reports/bin/cvecheck-rs.sh --write-json
cve-reports/bin/cvecheck-py.sh --write-json

A concise rollup of the three JSON reports can be created with:

cve-reports/bin/cvecheck-consolidated.sh

which prints a sequence of normalized JSON values to the standard output for the known CVEs. The form of each CVE is like this example:

{
  "language": "Haskell",
  "id": "HSEC-2023-0007",
  "title": "readFloat: memory exhaustion with large exponent",
  "package": {
    "name": "base",
    "version": "4.17.2.1"
  }
}

Note that cvecheck-consolidated.sh does not generate the respective JSON reports, the user must do that with the above shell scripts.

What we check

We check these three projects

  • the top level Haskell project as captured in saw.cabal.
  • the Python project in saw-python/.
  • the Rust project in doc/rust-tutorial/code/salsa20.

We ignore the projects (packages, etc.) in deps/, if any are used in the above projects, the dependencies should be reflected in the builds of the above.

NOTE: if further rust or python projects get added, they need to be added to the scripts.

Caveats

For further background refer to https://github.com/GaloisInc/hello-cve-scans.git but in a nutshell

  • we may report false positives, as using a package does not imply exercising the code in a package (or environment) that exhibits the vulnerability.

Further details on the CVE checks for our three languages:

Haskell: bin/cvecheck-hs.sh

We use the MangoIV/cabal-audit package https://github.com/MangoIV/cabal-audit.git which is not to be confused with the cabal-audit in hackage. The latter is hopelessly out of date, while the former

  • is beta quality, but is being maintained
  • calls the cabal libraries and thus (for better or worse), inherits the cabal settings and environment.
  • uses the advisories in https://github.com/haskell/security-advisories.git (this repo contains the database as well as some customized Haskell packages.)

Note that the advisory database is checked and downloaded each time that cabal-audit is called.

Python: bin/cvecheck-py.sh

We use the python-audit package. Since are using poetry, we need to first "extract" a requirements.txt using poetry export.

Rust: bin/cvecheck-rs.sh

We use the cargo-audit package.