integration for cabal
#145
Comments
|
This ticket can be a bag-of-holding for any and all work we need to do in the advisory-db and associated libs/tools, to support such features in cabal-install. |
|
Now that I think about it; what kinda machine readable format would be best suited to output vulnerabilities for some project? Perhaps there’s already something pre-made I can output instead of coming up with my own serialisation format. Any ideas? |
|
@MangoIV it depends. If you want compatibility with a wide range of tooling, a bundle of OSV objects would be a good option. But some information may be lost, or the usefulness of the info may be degraded, in that transformation (e.g. some fields would be "database specific" and not understood by generic OSV tooling). On the other hand, if you are mainly concerned about Haskell-specific tooling, whatever our archive/distribution format ends up being (#170) would seem to be a good option, assuming you can slim it to the subset of advisories you are interested in. |
|
@frasertweedale see my follow up PR for what I’ve decided to do, perhaps you have some input? |
|
Also perhaps if we could get the first PR merged, would be easier to review the second 😅 (don’t wanna pressure though) |
Summary
It would be nice to have a
cabalintegration, likecabal auditthat can build a report for a cabal package, now that you can write plugins forcabal.IO, use more fine grained stack to allow some nice changes in a clean way, e.g. outputting without colouring, cf. https://no-color.org/—dont-solvethat compares against the parsed version range in the stanza instead of solving the project. This would be useful for e.g. librariescabaland showcabalhelp textgit cloneand filepath parsing, be clever about creating directories and showing errorsoffer API to request security advisories #166The text was updated successfully, but these errors were encountered: