The Haskell Security Advisory Database is a repository of security advisories filed against packages published via Hackage.
This database is still new. If you develop a tool or database that uses its information, please open a PR listing it here.
To report a new vulnerability, open a pull request using the template below. See CONTRIBUTING.md for more information.
See EXAMPLE_ADVISORY.md for a template.
Advisories are formatted in Markdown with machine-readable TOML "front matter".
Below is the schema of the TOML "front matter" section of an advisory. If you base your advisory on this explanation rather than on EXAMPLE_ADVISORY.md, please remember to remove the explanatory comments for each field.
[advisory]
# Identifier for the advisory (mandatory). Will be assigned a "HSEC-YYYY-NNNN"
# identifier e.g. HSEC-2022-0001. Please use "HSEC-0000-0000" in PRs.
id = "HSEC-0000-0000"
# Name of the affected package on Hackage (mandatory)
package = "acme-broken"
# Disclosure date of the advisory as an RFC 3339 date (mandatory)
date = 2021-01-31
# Optional: Classification of the advisory with respect to the Common Weakness Enumeration.
cwe = [820]
# Mandatory: a Common Vulnerability Scoring System score. More information
# can be found on the CVSS website, https://www.first.org/cvss/.
# The committee will assist advisory authors in constructing an appropriate CVSS if necessary.
cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
# Freeform keywords which describe this vulnerability (optional)
keywords = ["ssl", "mitm"]
# Vulnerability aliases, e.g. CVE IDs (optional but recommended)
# Request a CVE for your HSec vulns: https://iwantacve.org/
#aliases = ["CVE-2018-XXXX"]
# Related vulnerabilities (optional)
# e.g. CVE for a C library wrapped by a Haskell library
#related = ["CVE-2018-YYYY", "CVE-2018-ZZZZ"]
# References to articles, issues/PRs, etc. Recognised types:
# ADVISORY, ARTICLE, DETECTION, DISCUSSION, REPORT,
# FIX, INTRODUCED, PACKAGE, EVIDENCE, WEB
[[references]]
type = "REPORT"
url = "https://github.com/username/package/issues/123"
[[references]]
type = "FIX"
url = "https://github.com/username/package/pull/139"
# Optional: metadata which narrows the scope of what this advisory affects
[affected]
# CPU architectures impacted by this vulnerability (optional).
# Only use this if the vulnerability is specific to a particular CPU architecture,
# e.g. the vulnerability is in x86 assembly.
# For a list of CPU architecture strings, see the documentation for System.Info.arch:
# <https://hackage.haskell.org/package/base-4.16.1.0/docs/System-Info.html>
#arch = ["x86", "x86_64"]
# Operating systems impacted by this vulnerability (optional)
# Only use this if the vulnerable is specific to a particular OS, e.g. it was
# located in a binding to a Windows-specific API.
# For a list of OS strings, see the documentation for System.Info.os:
# <https://hackage.haskell.org/package/base-4.16.1.0/docs/System-Info.html>
#os = ["mingw32"]
# Table of canonical paths to vulnerable declarations in the package (optional)
# that describes which versions impacted by this advisory used that particular
# name (e.g. if an affected function or datatype was renamed between versions).
# The path syntax is the module import path, without any type signatures or
# additional information, followed by the affected versions.
#declarations = { "Acme.Broken.function" = ">= 1.1.0 && < 1.2.0", "Acme.Broken.renamedFunction" = ">= 1.2.0 && < 1.2.0.5"}
# Versions affected by the vulnerability. Multiple range should not overlap.
[[versions]]
introduced = "1.1.0"
fixed = "1.2.0.5"The above TOML "front matter" is followed by the long description in Markdown format.
- Tristan de Cacqueray
- Gautier Di Folco
- Mihai Maruseac
- Casey Mattingly
- David Thrane Christiansen
- Fraser Tweedale
Please see Contributing for details.
The process and documentation in this repository are based off the work of the RustSec team.
All security advisory content in this repository is placed in the public domain, including metadata, descriptions, and example code.
The contents of the code subdirectory, which contains tools and libraries for working with the advisory data format in Haskell, are licensed under a three-clause BSD license. Please refer to that subdirectory's LICENSE file for details.