Commit 94f2301

Updates based on TWG discussions
1 parent 215e05e commit 94f2301

3 files changed

+14
-13
lines changed

proposals/advisory-db.md

Lines changed: 8 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -90,7 +90,7 @@ The TOML frontmatter must contain a table called `advisory` and a table called `
9090
* `date`, a TOML local date, which is the disclosure date.
9191
* `url`, an optional string, which is a link to a resource such as release notes or a blog post that describes the issue in detail
9292
* `cwe`, an optional array of integers, each of which is a [CWE identifier](https://cwe.mitre.org/index.html)
93-
* `cvss`, an optional string, which is a [CVSS 3.1 vector](https://www.first.org/cvss/)
93+
* `cvss`, an mandatory string, which is a [CVSS 3.1 vector](https://www.first.org/cvss/)
9494
* `keywords`, an optional array of strings, which may be any string that the submitter finds relevant. By convention, they are written in lowercase.
9595
* `aliases`, an optional array of strings, each of which is another identifier such as a CVE
9696
* `related`, an optional array of strings, each of which is an identifier for a related advisory (such as for a wrapped C library)
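Review bot: grammar in the changed `cvss` bullet: `an mandatory string` should read `a mandatory string`. Since the field is now required rather than optional, the bullet should also state what a valid value looks like (a `CVSS:3.1/...` vector string such as the one in `example.md`), so submitters know what the parser will accept.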
@@ -138,6 +138,8 @@ We recommend that consumers who do not use the Cabal API to process build and fr
138138

139139
We additionally recommend that tools prioritize `.cabal` files, followed by freeze files, followed by consulting `stack.yaml` to retrieve the constraints of a Stackage resolver. This recommendation is because virtually all Haskell projects have `.cabal` files (some of which are generated by tools such as `hpack`), and because Stackage sets can be parsed using the same tools as Cabal freeze files.
140140

141+
Tools that automatically update bounds to exclude packages that have advisories should only do so on freeze files. Otherwise, we are likely to end up with many holes in the allowed dependency versions of intermediate transitive dependencies, which could lead to fragmentation, difficult-to-read build configurations, and complicated dependency errors. Projects without freeze files will ideally be presented only with a warning, and left to react appropriately themselves.
142+
141143
### Governance and Administration
142144

143145
The Haskell Foundation will be responsible for appointing the administrators of the database. Administrators are expected to be trusted community members who are willing to provide timely feedback in the repository. The Haskell Foundation should check from time to time that feedback is timely, and can serve as a final arbiter of disputes.
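Review bot: the added paragraph leaves the non-freeze-file case vague: "will ideally be presented only with a warning" reads as a hope rather than a recommendation to tool authors. State it in the same "We recommend" style as the surrounding text (warn, and do not rewrite `.cabal` bounds), and say what the warning should carry, at least the advisory identifier and the affected version range, so the user can act on it.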
@@ -146,6 +148,8 @@ To begin with, the HF executive team will assemble a group of five volunteers, w
146148

147149
We expect that the work done by this team will occur mostly asynchronously, but we plan to have meetings a few times per year in order to have discussions about how the group is working and how it can be improved.
148150

151+
Because CVSS is a bit complex, PRs without CVSS will be provisionally accepted, and the volunteers will work with reporters to help them fill out the field appropriately.
152+
149153

150154
### Deliverables
151155

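Review bot: "PRs without CVSS will be provisionally accepted" conflicts with the parser change to `app/Main.hs` in this same commit, where `cvss` becomes `mandatory`: an advisory file with no `cvss` key will fail to parse, so any CI check on the PR rejects it before the volunteers can help. Either clarify that provisional acceptance means the PR stays open until the field is filled in, or keep the parser tolerant of a missing value and enforce presence only at publication time.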
@@ -157,7 +161,7 @@ The deliverables are:
157161

158162
### Risks and Mitigations
159163

160-
There are primarily reputational risks associated with this project. Low-quality or false advisories risk damaging the reputation of package authors or maintainers, as well as that of the project and/or organization.
164+
There are primarily reputational risks associated with this project. Low-quality or false advisories risk damaging the reputation of package authors or maintainers, as well as that of the project and/or organization. To mitigate this, we plan to institute a reporting process that notifies authors in private first, and links to a standard responsible-disclosure process for non-responsive authors. In other words, a PR should not be the first step for non-package-authors.
161165

162166
There are very few technical risks to the project itself, as the technology involved is simple and well-understood.
163167

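Review bot: the new mitigation says a PR should not be the first step for non-package-authors, but it does not say what the first step is, which "standard responsible-disclosure process" is linked, or how long a reporter waits before a public PR is acceptable. Name the private contact channel and the disclosure window in this paragraph; without them the process cannot actually be followed, and the reputational risk the paragraph describes remains.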
@@ -200,11 +204,7 @@ Goals left for future work are:
200204
1. Develop a reverse-import tool to import GitHub's own security advisories into the canonical database using their GraphQL API
201205
2. Augment build tools such as `cabal` and `stack` with the ability to audit dependencies and build plans for known advisories
202206
3. Augment Hackage and Stackage with information about advisories
203-
204-
205-
206-
207-
208-
207+
4. A standard format for advisories to be ignored in the context of a given project, whether it be specific IDs or based on CVSS
208+
5. Automatically-generated remote freeze files that exclude certain classes of packages with advisories, allowing users to simply point a build tool at the remote file to rule out many vulnerable package versions all at once.
209209

210210

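Review bot: item 5 has build tools fetching a remote freeze file and trusting it to pin versions, so the deliverable needs an integrity mechanism (a signature, or at least a published hash that tools verify); a tampered or stale file could pin users to vulnerable versions instead of excluding them. Item 4 should also say whether advisories ignored "based on CVSS" are still reported in some form, so an ignore list does not silently hide newly published critical advisories.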
proposals/advisory-db/app/Main.hs

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -131,7 +131,7 @@ data Advisory = Advisory
131131
advisoryCWEs :: [CWE],
132132
advisoryKeywords :: [Keyword],
133133
advisoryAliases :: [Text],
134-
advisoryCVSS :: Maybe Text,
134+
advisoryCVSS :: Text,
135135
advisoryVersions :: VersionRange,
136136
advisoryArchitectures :: Maybe [Architecture],
137137
advisoryOS :: Maybe [OS],
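Review bot: `advisoryCVSS :: Text` makes a missing score unrepresentable, which is at odds with the provisional-acceptance policy added to the proposal in this commit; if provisional advisories are ever parsed, the field needs to stay `Maybe` or gain a dedicated constructor. A `newtype` for the parsed vector instead of bare `Text` would also stop it being confused with the other string fields in `renderAdvisory`.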
@@ -154,7 +154,7 @@ renderAdvisory adv =
154154
row "CWEs" (T.intercalate ", " . map (T.pack . show . unCWE) . advisoryCWEs),
155155
row "Keywords" (T.intercalate ", " . map (T.pack . show) . advisoryKeywords),
156156
row "Aliases" (T.intercalate ", " . advisoryAliases),
157-
row "CVSS" (fromMaybe "" . advisoryCVSS),
157+
row "CVSS" advisoryCVSS,
158158
row "Versions" (T.pack . show . advisoryVersions),
159159
row
160160
"Architectures"
@@ -200,7 +200,7 @@ parseAdvisory table = runTableParser $ do
200200
aliases <-
201201
fromMaybe []
202202
<$> optional advisory "aliases" (isArrayOf isString)
203-
cvss <- optional advisory "cvss" isString
203+
cvss <- mandatory advisory "cvss" isString -- TODO validate CVSS format
204204

205205
(os, arch, decls) <-
206206
optional table "affected" isTable >>= \case
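Review bot: `mandatory advisory "cvss" isString -- TODO validate CVSS format` accepts any string, so a mistyped vector is published as-is and consumers cannot score it. At minimum check the `CVSS:3.1/` prefix and that the eight base metrics (AV, AC, PR, UI, S, C, I, A) are present with allowed values, or keep the TODO out of this commit until validation exists, given that the same commit makes the field mandatory.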

proposals/advisory-db/example.md

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -18,9 +18,10 @@ url = "https://github.com/username/package/issues/123"
1818
# Optional: Classification of the advisory with respect to the Common Weakness Enumeration.
1919
cwe = [820]
2020

21-
# Optional: a Common Vulnerability Scoring System score. More information
21+
# Mandatory: a Common Vulnerability Scoring System score. More information
2222
# can be found on the CVSS website, https://www.first.org/cvss/.
23-
#cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
23+
# The committee will assist advisory authors in constructing an appropriate CVSS if necessary.
24+
cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
2425

2526
# Freeform keywords which describe this vulnerability (optional)
2627
keywords = ["ssl", "mitm"]
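Review bot: the added comment says "The committee will assist advisory authors", while the proposal text in this commit calls them volunteers appointed by the Haskell Foundation; use one term across the files. Also, the now-uncommented example vector `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` scores 9.8 (Critical); since this file is a template, add a comment saying the value must be replaced rather than copied, otherwise copy-pasted advisories will all be rated Critical.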
