
"is version affected" functions: migrate to library

Open frasertweedale opened this issue 1 year ago • 3 comments

If feasible, it would be good if Flora could handle unknown introduced/fixed versions in advisories and use comparison operators on the Version type to deduce whether some known package version is affected.

If it would help, we can add library functions to hsec-core to perform these sorts of checks. It's already implemented in the hsec-tools query command so we only need to move some code around and expose a library function.

Originally posted by @frasertweedale in https://github.com/haskell/security-advisories/issues/247#issuecomment-2480346756

frasertweedale avatar Nov 27 '24 15:11 frasertweedale
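The check described above, as an added example that is not part of hsec-core or hsec-tools: an affected range is modelled as an inclusive introduced version plus an optional exclusive fixed version (Nothing meaning no fix is known yet), and a package version is affected if it falls inside any range. Only the Ord instance of the Version type is needed. The AffectedRange type, the sample ranges and the function names are assumptions for illustration; base's Data.Version stands in for Cabal's Version so the file runs with plain runghc.

```haskell
-- Added example, not hsec-core's own API. The types and sample data here are
-- hypothetical; base's Data.Version is used instead of Cabal's Version so
-- that this runs with `runghc` and no extra packages.
module Main (main) where

import Data.Version (Version, makeVersion, showVersion)

-- One affected range as found in an advisory: the version that introduced
-- the bug and, if a fix exists, the first fixed version.
data AffectedRange = AffectedRange
  { introduced :: Version        -- inclusive lower bound
  , fixed      :: Maybe Version  -- exclusive upper bound; Nothing = no fix known
  } deriving Show

-- A version lies in a range when it is at or above `introduced` and, if a
-- fix is known, strictly below `fixed`. An unknown fix leaves the range open.
inRange :: Version -> AffectedRange -> Bool
inRange v (AffectedRange intro mfix) =
  v >= intro && maybe True (v <) mfix

-- A version is affected if at least one range of the advisory contains it.
isAffected :: [AffectedRange] -> Version -> Bool
isAffected ranges v = any (inRange v) ranges

-- Constructed sample: bug introduced in 1.2.0 and fixed in 1.2.3, then
-- reintroduced in 2.0.0 with no fix known yet.
sampleRanges :: [AffectedRange]
sampleRanges =
  [ AffectedRange (makeVersion [1,2,0]) (Just (makeVersion [1,2,3]))
  , AffectedRange (makeVersion [2,0,0]) Nothing
  ]

main :: IO ()
main = mapM_ report [[1,1,0], [1,2,0], [1,2,2], [1,2,3], [1,9,9], [2,0,0], [3,4,5]]
  where
    report ns =
      let v = makeVersion ns
          verdict = if isAffected sampleRanges v then "affected" else "not affected"
      in putStrLn (showVersion v ++ ": " ++ verdict)
```

Two caveats when moving this onto real advisory data: ordering is whatever the Version type's Ord instance says, so a version string must be parsed into that type rather than compared textually, and a range whose fixed version is unknown deliberately reports every later release as affected until the advisory is updated.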

Is there anything preventing hsec-tools from being used as a library?

In my mind, it aimed to be a library with an executable, not an executable with a supporting library.

blackheaven avatar Nov 27 '24 19:11 blackheaven

/cc @tchoutri

blackheaven avatar Nov 27 '24 19:11 blackheaven

If feasible, it would be good if Flora could handle unknown introduced/fixed versions in advisories and use comparison operators on the Version type to deduce whether some known package version is affected.

I am now storing raw versions, instead of resolving to a package/release in the database: https://github.com/flora-pm/flora-server/pull/791

Is there anything preventing hsec-tools from being used as a library?

Absolutely not on my end, I actually already do that. I use listAdvisories from Security.Advisories.Filesystem.

tchoutri avatar Nov 27 '24 19:11 tchoutri