Start the data model for security advisories

flora-pm · Nov 13, 2024 · 29cd72d · 29cd72d
1 parent 5420681
commit 29cd72d
Show file tree

Hide file tree

Showing 75 changed files with 6,338 additions and 57 deletions.
diff --git a/cabal.project b/cabal.project
@@ -7,16 +7,18 @@ active-repositories: hackage.haskell.org
 
 tests: True
 
-allow-newer: type-errors-pretty:base
-           , souffle-haskell:text
-           , servant-lucid:text
-           , hashable:filepath
-           , qrcode-juicypixels:text
+allow-newer: hashable:filepath
+           , hsec-sync:lens
+           , hsec-tools:pandoc
+           , qrcode-core:bytestring
            , qrcode-core:text
            , qrcode-juicypixels:bytestring
-           , qrcode-core:bytestring
+           , qrcode-juicypixels:text
+           , servant-lucid:text
+           , souffle-haskell:text
            , tasty-test-reporter:ansi-terminal
            , tasty-test-reporter:tasty
+           , type-errors-pretty:base
 
 allow-older: pg-entity:time
 
@@ -31,6 +33,17 @@ package warp
 package zlib
   flags: -pkg-config
 
+source-repository-package
+    type: git
+    location: https://github.com/haskell/security-advisories/
+    tag: b6eca11d65ab18fce60030d1dba7793789157292
+    subdir:
+      ./code/cvss
+      ./code/osv
+      ./code/hsec-core
+      ./code/hsec-sync
+      ./code/hsec-tools
+
 source-repository-package
     type: git
     location: https://github.com/scrive/tracing

diff --git a/changelog.d/762 b/changelog.d/762
@@ -0,0 +1,4 @@
+synopsis: Start the data model for security advisories
+prs: #762
+significance: significant
+
diff --git a/flora.cabal b/flora.cabal
@@ -75,6 +75,13 @@ library
   -- cabal-fmt: expand src/core
   -- cabal-fmt: expand src/datatypes
   exposed-modules:
+    Advisories.AffectedVersionRange.Orphans
+    Advisories.CAPEC.Orphans
+    Advisories.CVSS.Orphans
+    Advisories.CWE.Orphans
+    Advisories.HsecId.Orphans
+    Advisories.Keyword.Orphans
+    Advisories.System.Orphans
     Data.Aeson.Orphans
     Data.Positive
     Data.Text.Display.Orphans
@@ -114,6 +121,7 @@ library
     Flora.Model.Job
     Flora.Model.Organisation
     Flora.Model.Package
+    Flora.Model.Package.Guard
     Flora.Model.Package.Orphans
     Flora.Model.Package.Publisher
     Flora.Model.Package.Query
@@ -124,6 +132,7 @@ library
     Flora.Model.PackageIndex.Update
     Flora.Model.PersistentSession
     Flora.Model.Release
+    Flora.Model.Release.Guard
     Flora.Model.Release.Query
     Flora.Model.Release.Types
     Flora.Model.Release.Update
@@ -137,6 +146,8 @@ library
     JSON
     Log.Backend.File
     Lucid.Orphans
+    OSV.Reference.Orphans
+    Pandoc.Orphans
     Servant.API.ContentTypes.GZip
 
   build-depends:
@@ -153,6 +164,7 @@ library
     , cryptohash-sha256
     , cryptonite
     , cryptonite-conduit
+    , cvss
     , dani-servant-lucid2
     , deepseq
     , deriving-aeson
@@ -162,6 +174,8 @@ library
     , effectful-plugin
     , envparse
     , filepath
+    , hsec-core
+    , hsec-sync
     , http-api-data
     , http-media
     , iso8601-time
@@ -175,6 +189,8 @@ library
     , odd-jobs
     , openapi3
     , optics-core
+    , osv
+    , pandoc-types
     , pcre2
     , pg-entity
     , pg-transact
@@ -197,6 +213,7 @@ library
     , text-display
     , time
     , tracing
+    , tracing-effectful
     , unliftio
     , utf8-string
     , uuid
@@ -205,6 +222,47 @@ library
 
   ghc-options:     -fplugin=Effectful.Plugin
 
+library flora-advisories
+  import:          common-extensions
+  import:          common-ghc-options
+  hs-source-dirs:  ./src/advisories
+
+  -- cabal-fmt: expand src/advisories
+  exposed-modules:
+    Advisories.Import
+    Advisories.Import.Error
+    Advisories.Model.Advisory.Query
+    Advisories.Model.Advisory.Types
+    Advisories.Model.Advisory.Update
+    Advisories.Model.Affected.Query
+    Advisories.Model.Affected.Types
+    Advisories.Model.Affected.Update
+
+  build-depends:
+    , aeson
+    , base
+    , Cabal-syntax
+    , containers
+    , cvss
+    , deepseq
+    , effectful
+    , flora
+    , hsec-core
+    , hsec-sync
+    , hsec-tools
+    , osv
+    , pandoc-types
+    , pg-entity
+    , pg-transact-effectful
+    , postgresql-simple
+    , text
+    , time
+    , tracing
+    , tracing-effectful
+    , uuid
+    , validation-selective
+    , vector
+
 library flora-web
   import:          common-extensions
   import:          common-ghc-options
@@ -481,6 +539,7 @@ test-suite flora-test
     , exceptions
     , filepath
     , flora
+    , flora-advisories
     , flora-web
     , hedgehog
     , http-client
@@ -505,13 +564,15 @@ test-suite flora-test
     , tasty-test-reporter
     , text
     , time
+    , tracing-effectful
     , uuid
     , vector
     , vector-algorithms
     , zlib
 
   ghc-options:    -fplugin=Effectful.Plugin
   other-modules:
+    Flora.AdvisorySpec
     Flora.BlobSpec
     Flora.CabalSpec
     Flora.CategorySpec

diff --git a/hie.yaml b/hie.yaml
@@ -1,12 +1,15 @@
 cradle:
   cabal:
-    - path: "././src/core"
+    - path: "./src/core"
       component: "lib:flora"
 
-    - path: "././src/datatypes"
+    - path: "./src/datatypes"
       component: "lib:flora"
 
-    - path: "././src/web"
+    - path: "./src/advisories"
+      component: "lib:flora"
+
+    - path: "./src/web"
       component: "flora:lib:flora-web"
 
     - path: "./src/jobs-worker"

diff --git a/migrations/20241011153354_create_security_advisories.sql b/migrations/20241011153354_create_security_advisories.sql
@@ -0,0 +1,16 @@
+CREATE TABLE IF NOT EXISTS security_advisories (
+    advisory_id uuid PRIMARY KEY
+  , hsec_id text NOT NULL
+  , modified timestamptz NOT NULL
+  , published timestamptz NOT NULL
+  , capecs integer[] NOT NULL
+  , cwes integer[] NOT NULL
+  , keywords text[] NOT NULL
+  , aliases text[] NOT NULL
+  , related text[] NOT NULL
+  , advisory_references jsonb NOT NULL
+  , pandoc jsonb NOT NULL
+  , html text NOT NULL
+  , summary text NOT NULL
+  , details text NOT NULL
+);
diff --git a/migrations/20241011154110_create_affected_packages.sql b/migrations/20241011154110_create_affected_packages.sql
@@ -0,0 +1,15 @@
+CREATE TABLE IF NOT EXISTS affected_packages (
+    affected_package_id uuid PRIMARY KEY
+  , advisory_id uuid REFERENCES security_advisories
+  , package_id uuid REFERENCES packages NOT NULL
+  , cvss text NOT NULL
+  , architectures text[]
+  , operating_systems text[]
+  , declarations text[][]
+);
+
+CREATE INDEX affected_packages_advisory_id_fkey
+  ON affected_packages (advisory_id);
+
+CREATE INDEX affected_packages_package_id_fkey
+  ON affected_packages (package_id);
diff --git a/migrations/20241014081932_create_affected_version_ranges.sql b/migrations/20241014081932_create_affected_version_ranges.sql
@@ -0,0 +1,15 @@
+CREATE TABLE IF NOT EXISTS affected_version_ranges (
+    affected_version_id uuid PRIMARY KEY
+  , affected_package_id uuid REFERENCES affected_packages NOT NULL
+  , introduced_version uuid REFERENCES releases (release_id) NOT NULL
+  , fixed_version uuid REFERENCES releases (release_id)
+);
+
+CREATE INDEX affected_version_ranges_affected_package_id_fkey
+  ON affected_version_ranges (affected_package_id);
+
+CREATE INDEX affected_version_ranges_introduced_version_fkey
+  ON affected_version_ranges (introduced_version);
+
+CREATE INDEX affected_version_ranges_fixed_version_fkey
+  ON affected_version_ranges (fixed_version);