haskell / security-advisories

https://haskell.github.io/security-advisories/

"is version affected" functions: migrate to library #253

Open frasertweedale opened 4 days ago

frasertweedale commented 4 days ago

If feasible, it would be good if Flora could handle unknown introduced/fixed versions in advisories and use comparison operators on the Version type to deduce whether some known package version is affected.

If it would help, we can add library functions to hsec-core to perform these sorts of checks. It's already implemented in the hsec-tools query command so we only need to move some code around and expose a library function.

Originally posted by @frasertweedale in https://github.com/haskell/security-advisories/issues/247#issuecomment-2480346756
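The check described above, worked through as an added example (not code from hsec-core, hsec-tools or Flora): an affected range whose introduced or fixed bound may be unknown, and an `isAffected` function that uses the `Ord` instance of `Data.Version.Version` to decide whether a given package version falls inside any range. The `AffectedRange` type and the sample ranges are hypothetical simplifications chosen for this example, not the real hsec-core types or any real advisory data.

```haskell
-- Added example, not code from hsec-core or hsec-tools.
-- Decides whether a package version is affected by an advisory whose
-- affected ranges may have unknown introduced/fixed bounds.
import Data.Version (Version, makeVersion, showVersion)

-- | One affected range (hypothetical simplification of the hsec-core type).
--   introduced = Nothing: introducing version unknown, treated as
--   "from the first release" (the conservative, fail-safe reading).
--   fixed = Nothing: no fix known yet, so every later version is affected.
data AffectedRange = AffectedRange
  { introduced :: Maybe Version
  , fixed      :: Maybe Version
  } deriving (Show)

-- | A version is inside a range when it is >= introduced (or introduced is
--   unknown) and < fixed (or fixed is unknown). Both comparisons come from
--   the Ord instance of Data.Version.Version.
inRange :: AffectedRange -> Version -> Bool
inRange (AffectedRange mIntro mFixed) v =
  maybe True (<= v) mIntro && maybe True (v <) mFixed

-- | A version is affected when it falls in any of the advisory's ranges.
isAffected :: [AffectedRange] -> Version -> Bool
isAffected ranges v = any (`inRange` v) ranges

-- Constructed sample ranges, not taken from any real advisory:
--   [1.0.0, 1.2.3)   fixed in 1.2.3
--   [2.0.0, ...)     regression, not yet fixed
--   [..., 0.5)       introduced version unknown, fixed in 0.5
sampleRanges :: [AffectedRange]
sampleRanges =
  [ AffectedRange (Just (makeVersion [1,0,0])) (Just (makeVersion [1,2,3]))
  , AffectedRange (Just (makeVersion [2,0,0])) Nothing
  , AffectedRange Nothing (Just (makeVersion [0,5]))
  ]

main :: IO ()
main = mapM_ report
  [ makeVersion [0,4]      -- affected (unknown introduced, before fix 0.5)
  , makeVersion [0,9]      -- not affected
  , makeVersion [1,1]      -- affected
  , makeVersion [1,2,3]    -- not affected (fixed version itself is clean)
  , makeVersion [2,5]      -- affected (no fix known)
  ]
  where
    report v = putStrLn (showVersion v ++ ": " ++ verdict v)
    verdict v | isAffected sampleRanges v = "affected"
              | otherwise                 = "not affected"
```

The one design decision worth flagging for a consumer like Flora is how an unknown `introduced` bound is read: treating it as "from the first release" over-reports rather than under-reports, which is the safer default for an advisory database. A version equal to the `fixed` bound is treated as not affected, matching the half-open `[introduced, fixed)` convention.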

blackheaven commented 4 days ago

Is there anything preventing hsec-tools from being used as a library?

In my mind, it aimed to be a library with an executable, not an executable with a supporting library.

blackheaven commented 4 days ago

/cc @tchoutri

tchoutri commented 4 days ago

> If feasible, it would be good if Flora could handle unknown introduced/fixed versions in advisories and use comparison operators on the Version type to deduce whether some known package version is affected.

I am now storing raw versions, instead of resolving to a package/release in the database: https://github.com/flora-pm/flora-server/pull/791

> Is there anything preventing hsec-tools from being used as a library?

Absolutely not on my end, I actually already do that. I use listAdvisories from Security.Advisories.Filesystem.