Replace categories with CWEs

Author: david-christiansen

proposals/advisory-db.md

@@ -92,8 +92,8 @@ The TOML frontmatter must contain a table called `advisory` and a table called `
  * `package`, a string, the name of the affected Hackage package
  * `date`, a TOML local date, which is the disclosure date.
  * `url`, an optional string, which is a link to a resource such as release notes or a blog post that describes the issue in detail
- * `categories`, an optional array of strings, each of which one of `...` TODO
- * `cvss`, an optional string, which is a CVSS 3.1 vector
+ * `cwe`, an optional array of integers, each of which is a [CWE identifier](https://cwe.mitre.org/index.html)
+ * `cvss`, an optional string, which is a [CVSS 3.1 vector](https://www.first.org/cvss/)
  * `keywords`, an optional array of strings, which may be any string that the submitter finds relevant. By convention, they are written in lowercase.
  * `aliases`, an optional array of strings, each of which is another identifier such as a CVE
  * `related`, an optional array of strings, each of which is an identifier for a related advisory (such as for a wrapped C library)

proposals/advisory-db/advisory-proposal.cabal

@@ -29,7 +29,7 @@ executable advisory-proposal
 
     -- LANGUAGE extensions used by modules in this package.
     -- other-extensions:
-    build-depends:    base ^>=4.14.3.0,
+    build-depends:    base >=4.14 && < 4.17,
                       commonmark ^>= 0.2.2,
                       text ^>= 1.2,
                       time ^>= 1.9,

proposals/advisory-db/app/Main.hs

@@ -68,7 +68,7 @@ main = do
 
       exitSuccess
 
-data Category = CodeExecution | CryptoFailure | PrivilegeEscalation | DOS | FileDisclosure | FormatInjection | MemoryCorruption | MemoryExposure
+newtype CWE = CWE { unCWE :: Integer }
   deriving (Show)
 
 data Architecture = AArch64 | Alpha | Arm | HPPA | HPPA1_1 | I386 | IA64 | M68K | MIPS | MIPSEB | MIPSEL | NIOS2 | PowerPC | PowerPC64 | PowerPC64LE | RISCV32 | RISCV64 | RS6000 | S390 | S390X | SH4 | SPARC | SPARC64 | VAX | X86_64
@@ -89,7 +89,7 @@ data Advisory = Advisory
     advisoryPackage :: Text,
     advisoryDate :: Date,
     advisoryUrl :: Text,
-    advisoryCategories :: [Category],
+    advisoryCWEs :: [CWE],
     advisoryKeywords :: [Keyword],
     advisoryAliases :: [Text],
     advisoryCVSS :: Maybe Text,
@@ -112,7 +112,7 @@ renderAdvisory adv =
             row "Package" advisoryPackage,
             row "Date" (date . advisoryDate),
             row "URL" advisoryUrl,
-            row "Categories" (T.intercalate ", " . map (T.pack . show) . advisoryCategories),
+            row "CWEs" (T.intercalate ", " . map (T.pack . show . unCWE) . advisoryCWEs),
             row "Keywords" (T.intercalate ", " . map (T.pack . show) . advisoryKeywords),
             row "Aliases" (T.intercalate ", " . advisoryAliases),
             row "CVSS" (fromMaybe "" . advisoryCVSS),
@@ -139,7 +139,7 @@ parseAdvisory table = runTableParser $ do
   package <- mandatory advisory "package" isString
   date <- mandatory advisory "date" isDate <&> uncurry3 Date . toGregorian
   url <- mandatory advisory "url" isString
-  cats <- fromMaybe [] <$> optional advisory "categories" (isArrayOf (isString >=> category))
+  cats <- fromMaybe [] <$> optional advisory "cwe" (isArrayOf (fmap CWE . isInt))
   kwds <- fromMaybe [] <$> optional advisory "keywords" (isArrayOf (fmap Keyword . isString))
   aliases <- fromMaybe [] <$> optional advisory "aliases" (isArrayOf isString)
   cvss <- optional advisory "cvss" isString
@@ -162,7 +162,7 @@ parseAdvisory table = runTableParser $ do
         advisoryPackage = package,
         advisoryDate = date,
         advisoryUrl = url,
-        advisoryCategories = cats,
+        advisoryCWEs = cats,
         advisoryKeywords = kwds,
         advisoryAliases = aliases,
         advisoryCVSS = cvss,
@@ -176,17 +176,6 @@ parseAdvisory table = runTableParser $ do
 uncurry3 :: (a -> b -> c -> d) -> (a, b, c) -> d
 uncurry3 f (x, y, z) = f x y z
 
-category :: Text -> TableParser Category
-category "code-execution" = pure CodeExecution
-category "crypto-failure" = pure CryptoFailure
-category "denial-of-service" = pure DOS
-category "file-disclosure" = pure FileDisclosure
-category "format-injection" = pure FormatInjection
-category "memory-corruption" = pure MemoryCorruption
-category "memory-exposure" = pure MemoryExposure
-category "privilege-escalation" = pure PrivilegeEscalation
-category other = throwError $ InvalidCategory other
-
 operatingSystem :: Text -> TableParser OS
 operatingSystem "darwin" = pure MacOS
 operatingSystem "freebsd" = pure FreeBSD
@@ -236,7 +225,6 @@ data TableParseErr
   = UnexpectedKeys (NonEmpty Text)
   | MissingKey Text
   | InvalidFormat Text Text
-  | InvalidCategory Text
   | InvalidOS Text
   | InvalidArchitecture Text
   | UnderlyingParserError Text
@@ -263,6 +251,10 @@ mandatory tbl k act = onKey tbl k (throwError $ MissingKey k) act
 onKey :: TOML.Table -> Text -> TableParser a -> (TOML.Value -> TableParser a) -> TableParser a
 onKey tbl k absent present = maybe absent present $ Map.lookup k tbl
 
+isInt :: TOML.Value -> TableParser Integer
+isInt (TOML.Integer i) = pure i
+isInt other = throwError $ InvalidFormat "Integer" (describeValue other)
+
 isString :: TOML.Value -> TableParser Text
 isString (TOML.String txt) = pure txt
 isString other = throwError $ InvalidFormat "String" (describeValue other)

proposals/advisory-db/example.md

@@ -6,19 +6,17 @@
 id = "HSEC-0000-0000"
 
 # Name of the affected package on Hackage (mandatory)
-package = "mycrate"
+package = "acme-broken"
 
 # Disclosure date of the advisory as an RFC 3339 date (mandatory)
 date = 2021-01-31
 
 # URL to a long-form description of this issue, e.g. a GitHub issue/PR,
 # a change log entry, or a blogpost announcing the release (optional)
-url = "https://github.com/mystuff/package/issues/123"
+url = "https://github.com/username/package/issues/123"
 
-# Optional: Categories this advisory falls under. Valid categories are:
-# "code-execution", "crypto-failure", "denial-of-service", "file-disclosure"
-# "format-injection", "memory-corruption", "memory-exposure", "privilege-escalation"
-categories = ["crypto-failure"]
+# Optional: Classification of the advisory with respect to the Common Weakness Enumeration.
+cwe = [820]
 
 # Optional: a Common Vulnerability Scoring System score. More information
 # can be found on the CVSS website, https://www.first.org/cvss/.
@@ -56,7 +54,7 @@ keywords = ["ssl", "mitm"]
 # name (e.g. if an affected function or datatype was renamed between versions). 
 # The path syntax is the module import path, without any type signatures or
 # additional information, followed by the affected versions.
-#declarations = { "Acme.Broken.function" = ">= 1.1.0 && < 1.2.0", "Acme.Broken.renamedFunction = ">= 1.2.0 && < 1.2.0.5"}
+#declarations = { "Acme.Broken.function" = ">= 1.1.0 && < 1.2.0", "Acme.Broken.renamedFunction" = ">= 1.2.0 && < 1.2.0.5"}
 
 # Versions affected by the vulnerability
 [versions]