Display security advisory summary in /security package sub-resource (#…

…790)

* Display CVE summary in /security package sub-resource

* Make the listing responsive

* Link from the package page

.github/PULL_REQUEST_TEMPLATE.md

@@ -2,7 +2,7 @@
 
 ## Contributor checklist
 
-- [ ] My PR is related to \<insert ticket number> 
+- [ ] My PR is related to \<insert ticket number>
 - [ ] I have read and understood the [CONTRIBUTING guide](https://github.com/flora-pm/flora-server/blob/development/CONTRIBUTING.md)
 - [ ] I have inserted my change and a link to this PR in the [CHANGELOG](https://github.com/flora-pm/flora-server/blob/development/CHANGELOG.md)
 - [ ] I have updated documentation in `./docs/docs` if a public feature has a behaviour change

.github/workflows/backend.yml

@@ -56,12 +56,6 @@ jobs:
         ghc-version: "${{ matrix.ghc }}"
         cabal-version: "latest"
 
-    - uses: actions/setup-node@v4
-      with:
-        node-version: "18"
-        cache: "yarn"
-        cache-dependency-path: assets/yarn.lock
-
     - name: Configure environment
       run: |
         ./.github/workflows/setup.sh
@@ -77,20 +71,28 @@ jobs:
         echo "${FLORA_DB_HOST}:${FLORA_DB_PORT}:${FLORA_DB_DATABASE}:${FLORA_DB_USER}:${FLORA_DB_PASSWORD}" > .pgpass
         cat ~/.pgpass
         cabal update
+        mkdir -p ~/.local/share
+        git clone https://github.com/haskell/security-advisories.git ~/.local/share/security-advisories
+        cd ~/.local/share/security-advisories
+        git checkout df64e86a39668c057031fe7e2c679b1003090e03
+        cd -
+
+    - name: "Create freeze file"
+      run: |
+        cabal freeze --enable-tests
     - name: Cache
-      uses: actions/cache@v4.2.0
+      uses: actions/cache@v4
       with:
         path: ${{ steps.setup-haskell.outputs.cabal-store }}
-        key: ${{ runner.os }}-ghc-${{ matrix.ghc }}-cabal-${{ hashFiles('./.plan.json') }}
+        key: ${{ runner.os }}-ghc-${{ matrix.ghc }}-cabal-${{ hashFiles('./dist-newstyle/cache/plan.json') }}
         restore-keys: ${{ runner.os }}-ghc-${{ matrix.ghc }}-
 
     - name: Build
       run: |
         cabal install postgresql-migration
         make soufflé
-        make assets-deps
-        make build-assets
         make build
+
     - name: Test
       run: |
         set -x

Makefile

@@ -30,14 +30,14 @@ clean-assets: ## Remove JS artifacts
 	@cd assets/ && rm -R node_modules
 	@cd docs/ && rm -R node_modules
 
+db-setup: db-create db-init db-migrate ## Setup the dev database
+
 db-create: ## Create the database
 	@createdb -h $(FLORA_DB_HOST) -p $(FLORA_DB_PORT) -U $(FLORA_DB_USER) $(FLORA_DB_DATABASE)
 
 db-drop: ## Drop the database
 	@dropdb -f --if-exists -h $(FLORA_DB_HOST) -p $(FLORA_DB_PORT) -U $(FLORA_DB_USER) $(FLORA_DB_DATABASE)
 
-db-setup: db-create db-init db-migrate ## Setup the dev database
-
 db-init: ## Create the database schema
 	@migrate init "$(FLORA_DB_CONNSTRING)"
 
@@ -56,10 +56,38 @@ db-provision: ## Create categories and repositories
 	@cabal run -- flora-cli provision-repository --name "horizon" --url https://packages.horizon-haskell.net \
 			--description "Packages of the Horizon project"
 
-db-provision-test-packages: ## Load development data in the database
+db-provision-advisories: ## Load HSEC advisories in the database
+	@cabal run -- flora-cli provision advisories
+
+db-provision-packages: ## Load development data in the dev database
 	@cabal run -- flora-cli provision test-packages --repository "hackage"
 	@cabal run -- flora-cli provision test-packages --repository "cardano"
 
+db-test-create: ## Create the test database
+	./scripts/run-with-test-config.sh db-create
+
+db-test-setup: db-test-create db-test-init db-test-migrate ## Setup the dev database
+
+db-test-drop: ## Drop the test database
+	./scripts/run-with-test-config.sh db-drop
+
+db-test-init: ## Create the test database schema
+	./scripts/run-with-test-config.sh db-init
+
+db-test-migrate: ## Apply test database migrations
+	./scripts/run-with-test-config.sh db-migrate
+
+db-test-reset: db-test-drop db-test-setup db-test-provision ## Reset the test database
+
+db-test-provision: ## Create categories and repositories
+	./scripts/run-with-test-config.sh db-provision
+
+db-test-provision-advisories: ## Load HSEC advisories in the test database
+	./scripts/run-with-test-config.sh db-provision-advisories
+
+db-test-provision-packages: ## Load development data in the database
+	./scripts/run-with-test-config.sh db-provision-packages
+
 import-from-hackage: ## Imports every cabal file from the ./index-01 directory
 	@cabal run -- flora-cli import-packages ./01-index
 
@@ -125,9 +153,20 @@ tags: ## Generate ctags for the project with `ghc-tags`
 
 design-system: ## Generate the HTML components used by the design system
 	@cabal run -- flora-cli gen-design-system
+
 start-design-sysytem: ## Start storybook.js
 	@cd design; yarn storybook
 
+migration: ## Generate timestamped database migration boilerplate files
+	@if test -z "$$name"; then \
+	  echo "Usage: make migration name=some-name"; \
+	else \
+	  migName="`date -u '+%Y%m%d%H%M%S'`_$$name"; \
+	  fname="migrations/$$migName.sql"; \
+	  touch "$$fname"; \
+	  echo "Touched $$fname";\
+	fi
+
 help:
 	@grep -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | awk 'BEGIN {FS = ":.* ?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'
 
@@ -144,14 +183,3 @@ endif
 .PHONY: all $(MAKECMDGOALS)
 
 .DEFAULT_GOAL := help
-
-.PHONY: migration
-migration: ## Generate timestamped database migration boilerplate files
-	@if test -z "$$name"; then \
-	  echo "Usage: make migration name=some-name"; \
-	else \
-	  migName="`date -u '+%Y%m%d%H%M%S'`_$$name"; \
-	  fname="migrations/$$migName.sql"; \
-	  touch "$$fname"; \
-	  echo "Touched $$fname";\
-	fi

README.md

@@ -49,7 +49,7 @@
 * 🌓 Dark and light modes
 * 📱 Mobile user interface
 
-## 📖 Guides 
+## 📖 Guides
 
 Visit https://flora.pm/documentation for explanations on what Flora can do.
 
@@ -66,4 +66,4 @@ To setup a local installation, see [CONTRIBUTING.md#project-setup](https://githu
 
 ## 🫶 Special Collaborations
 
-We would like to thank our dear friends at Guérilla Studio ([www](https://guerilla.studio/), [GitHub](https://github.com/GuerillaStudio)) for help with accessibility and CSS integration.
+We would like to thank our dear friends at Guérilla.Studio ([www](https://guerilla.studio/), [GitHub](https://github.com/GuerillaStudio)) for help with accessibility and CSS integration.

app/cli/DesignSystem.hs

@@ -5,8 +5,10 @@ module DesignSystem where
 import Control.Monad.Trans.Reader (runReaderT)
 import Data.ByteString.Lazy (ByteString)
 import Data.ByteString.Lazy qualified as ByteString
+import Data.Either.Extra
 import Data.Foldable (forM_)
 import Data.Functor.Identity (runIdentity)
+import Data.Maybe (fromJust)
 import Data.Text (Text)
 import Data.Text.Lazy qualified as TL
 import Data.Time.Calendar.OrdinalDate as Time
@@ -20,13 +22,17 @@ import Effectful.Fail
 import Env
 import Lucid
 import PyF (fmt)
+import Security.Advisories.Core.HsecId qualified as HsecId
+import Security.CVSS
 
+import Advisories.Model.Affected.Types
 import Distribution.SPDX
 import Flora.Environment.Config
 import Flora.Model.Category
 import Flora.Model.Category qualified as Category
 import Flora.Model.Package
 import Flora.Search
+import FloraWeb.Components.AdvisoryListItem qualified as Component
 import FloraWeb.Components.Alert qualified as Component
 import FloraWeb.Components.CategoryCard qualified as Component
 import FloraWeb.Components.PackageListItem qualified as Component
@@ -73,6 +79,7 @@ components =
     , ("category-card", ComponentTitle "Category", ComponentName "CategoryCard", categoryCardExample)
     , ("pagination-area", ComponentTitle "Pagination Area", ComponentName "Pagination", paginationExample)
     , ("alerts", ComponentTitle "Alerts", ComponentName "Alert", alertsExample)
+    , ("advisory-preview", ComponentTitle "Advisories", ComponentName "AdvisoryPreviews", packageAdvisoriesExample)
     ]
 
 -----------------------
@@ -133,9 +140,50 @@ paginationExample = div_ $ do
     Component.paginationNav 32 1 (SearchPackages "text")
 
 alertsExample :: FloraHTML
-alertsExample = div_ $ do
-  div_ $ do
-    h4_ "Info alert"
-    Component.info "Info alert"
-    h4_ "Error alert"
-    Component.exception "Error alert!"
+alertsExample = div_ $ div_ $ do
+  h4_ "Info alert"
+  Component.info "Info alert"
+  h4_ "Error alert"
+  Component.exception "Error alert!"
+
+packageAdvisoriesExample :: FloraHTML
+packageAdvisoriesExample = do
+  let advisoryPreviews =
+        Vector.fromList
+          [ PackageAdvisoryPreview
+              { hsecId = fromJust $ HsecId.parseHsecId "HSEC-2023-0009"
+              , summary = "git-annex command injection via malicious SSH hostname"
+              , fixed = True
+              , published = read "2023-07-25 13:25:42 UTC"
+              , cvss = fromRight' $ parseCVSS "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+              }
+          , PackageAdvisoryPreview
+              { hsecId = fromJust $ HsecId.parseHsecId "HSEC-2023-0010"
+              , summary = "git-annex private data exfiltration to compromised remote"
+              , fixed = True
+              , published = read "2023-07-25 13:25:42 UTC"
+              , cvss = fromRight' $ parseCVSS "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
+              }
+          , PackageAdvisoryPreview
+              { hsecId = fromJust $ HsecId.parseHsecId "HSEC-2023-0012"
+              , summary = "git-annex checksum exposure to encrypted special remotes"
+              , fixed = True
+              , published = read "2023-07-25 13:25:42 UTC"
+              , cvss = fromRight' $ parseCVSS "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
+              }
+          , PackageAdvisoryPreview
+              { hsecId = fromJust $ HsecId.parseHsecId "HSEC-2023-0013"
+              , summary = "git-annex plaintext storage of embedded credentials on encrypted remotes"
+              , fixed = True
+              , published = read "2023-07-25 13:25:42 UTC"
+              , cvss = fromRight' $ parseCVSS "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"
+              }
+          , PackageAdvisoryPreview
+              { hsecId = fromJust $ HsecId.parseHsecId "HSEC-2023-0011"
+              , summary = "git-annex GPG decryption attack via compromised remote"
+              , fixed = True
+              , published = read "2023-07-25 13:25:42 UTC"
+              , cvss = fromRight' $ parseCVSS "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
+              }
+          ]
+  ul_ [class_ "advisory-list"] $ Vector.forM_ advisoryPreviews (\preview -> Component.advisoryListRow preview)