MangoIV / cabal-audit

audit your cabal projects for haskell-specific security-advisories

make cabal-audit work well with libraries #18

Open MangoIV opened 3 months ago

MangoIV commented 3 months ago

Currently, as cabal-audit uses the cabal solver, it is mainly suited for projects that have a somewhat fixed dependency set. Ideally we want to check against the entire possible version bounds in a package to make cabal-audit work well for library authors as well.

MangoIV commented 1 month ago

I just realized that this may only ever work properly by doing solving on the direct dependencies vs. the transitive dependencies, because the transitive dependencies really depend on the actual solving setup, e.g. a user could have jailbroken dependencies which would now include previously excluded dependencies. The problem is that when checking the transitive deps, what happens is that you would have to check each of the possible versions for the vulnerable dependency and then flag every library that could depend on that version as "burned".
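The distinction the thread turns on (a solved plan pins one version per dependency, while a library's declared bounds admit a whole range, so only a range overlap check catches what the solver happens to skip) as an added example that is not cabal-audit's code. Package names, advisory ids and the introduced/fixed range shape are constructed assumptions, and only the `>=`/`<` subset of Cabal bound syntax is parsed.

```python
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]
Range = Tuple[Version, Optional[Version]]  # [lo, hi); hi=None means open-ended

def parse_version(s: str) -> Version:
    # plain lexicographic tuple compare: "2.1.3" -> (2, 1, 3)
    return tuple(int(p) for p in s.strip().split("."))

def parse_bounds(expr: str) -> Range:
    # assumed subset of Cabal bound syntax: ">= a", "< b", ">= a && < b"
    lo, hi = (0,), None
    for clause in expr.split("&&"):
        op, ver = clause.split()
        if op == ">=":
            lo = parse_version(ver)
        elif op == "<":
            hi = parse_version(ver)
        else:
            raise ValueError(f"unsupported operator {op!r}")
    return lo, hi

def overlaps(a: Range, b: Range) -> bool:
    # half-open ranges intersect iff the larger lower bound lies below every finite upper bound
    lo = max(a[0], b[0])
    return all(lo < h for h in (a[1], b[1]) if h is not None)

def contains(r: Range, v: Version) -> bool:
    return r[0] <= v and (r[1] is None or v < r[1])

def affected_range(adv: Tuple[str, str, Optional[str]]) -> Range:
    _, introduced, fixed = adv  # constructed shape: (id, introduced, fixed-or-None)
    return parse_version(introduced), (parse_version(fixed) if fixed else None)

def audit_plan(plan: Dict[str, str], advisories) -> List[Tuple[str, str]]:
    # solver view: only the single chosen version of each package is checked
    return [(pkg, adv[0]) for pkg, ver in plan.items()
            for adv in advisories.get(pkg, [])
            if contains(affected_range(adv), parse_version(ver))]

def audit_bounds(deps: Dict[str, str], advisories) -> List[Tuple[str, str]]:
    # library view: flag an advisory if ANY version the bounds admit is affected
    return [(pkg, adv[0]) for pkg, bounds in deps.items()
            for adv in advisories.get(pkg, [])
            if overlaps(parse_bounds(bounds), affected_range(adv))]

# constructed sample data, not real packages or advisories
ADVISORIES = {"example-json": [("HSEC-0000-0001", "2.0", "2.1")]}
SOLVED_PLAN = {"example-json": "2.1.3"}          # what the solver picked
LIBRARY_DEPS = {"example-json": ">= 1.5 && < 2.2"}  # what the library allows
```

Running `audit_plan` on the pinned plan reports nothing, while `audit_bounds` on the same library's bounds reports the advisory, which is exactly the gap the issue describes for library authors.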