
Checking dependencies listed in cabal.project source-repository-package

Open BebeSparkelSparkel opened this issue 1 year ago • 6 comments

It would be helpful to have some insights into forked packages listed in the cabal.project file and if that fork has unresolved vulnerabilities.

BebeSparkelSparkel avatar May 16 '24 15:05 BebeSparkelSparkel

I guess you mean if you have a cabal.project file, that has source-repository packages declared, there should be information on that?

What kind of information do you imagine? A fork would still have versioning, so if you e.g. have some vulnerable library x that is vulnerable from version n and you have a fork of x with version >= n, then this vulnerability would still show up.

MangoIV avatar May 16 '24 16:05 MangoIV

Something like that. If using git, you could look to see if the error is in the history without the fix commit.

I may be incorrect with the following, but if the fork also increments the version numbers it could be hard to tell if the fix has been added.

BebeSparkelSparkel avatar May 17 '24 11:05 BebeSparkelSparkel

Yes, it appears. Perhaps we could add a warning like “this dependency is included in your project as a fork, take extra care”

MangoIV avatar May 17 '24 12:05 MangoIV

That's a good start.

BebeSparkelSparkel avatar May 17 '24 13:05 BebeSparkelSparkel

I think I will make this part of a larger task that I’m imagining to also suggest updating outdated dependencies, I think that’s a good fit.

MangoIV avatar May 17 '24 13:05 MangoIV

Many will want a flag to disable that option.

BebeSparkelSparkel avatar May 17 '24 13:05 BebeSparkelSparkel
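A sketch, added here and not part of cabal-audit, of the fork handling the thread discusses: the "included as a fork, take extra care" warning from MangoIV's comment and the opt-out flag from the last one. It parses source-repository-package stanzas out of a constructed cabal.project and also flags forks with no tag pinned; the stanza layout assumption, sample contents and function names are mine.

```python
from dataclasses import dataclass
from typing import List, Optional
# Constructed sample cabal.project (not from any real project):
# one fork pinned to a commit, one that follows a branch head.
SAMPLE_PROJECT = """\
packages: ./.
source-repository-package
    type: git
    location: https://example.invalid/forks/some-lib.git
    tag: 0123456789abcdef0123456789abcdef01234567
source-repository-package
    type: git
    location: https://example.invalid/forks/other-lib.git
    -- no tag field: whatever the branch head is gets built
"""

@dataclass
class SourceRepoPackage:
    type: Optional[str] = None
    location: Optional[str] = None
    tag: Optional[str] = None

def parse_source_repository_packages(text: str) -> List[SourceRepoPackage]:
    # Assumes an unindented stanza keyword followed by indented 'key: value' fields; '--' lines are comments.
    stanzas: List[SourceRepoPackage] = []
    current: Optional[SourceRepoPackage] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("--"):
            continue
        if not raw[0].isspace():  # unindented: a new top-level field or stanza
            current = SourceRepoPackage() if line == "source-repository-package" else None
            if current is not None:
                stanzas.append(current)
        elif current is not None:
            key, _, value = line.partition(":")
            if key.strip().lower() in ("type", "location", "tag"):
                setattr(current, key.strip().lower(), value.strip())
    return stanzas

def fork_warnings(text: str, warn_on_forks: bool = True) -> List[str]:
    if not warn_on_forks:  # the opt-out flag the thread asks for
        return []
    warnings: List[str] = []
    for pkg in parse_source_repository_packages(text):
        where = pkg.location or "<unknown location>"
        warnings.append(f"{where}: included as a fork, take extra care; advisories are matched by version, not by fix commit")
        if not pkg.tag:
            warnings.append(f"{where}: no tag pinned, the next build may fetch a different revision")
    return warnings
```

Version-based matching is why the fork warning is needed: a fork that bumps its own version past the fixed one would otherwise look patched.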