Introduce snapshots to distribute advisories (#170) #179

Open: wants to merge 20 commits into base: main

@blackheaven (Collaborator) commented Apr 1, 2024:


hsec-tools

  • Previous advisories are still valid

@blackheaven (Collaborator, Author) commented:

@frasertweedale I think the failure is expected as the file is oob (not tracked in Git history)

@blackheaven force-pushed the snapshots/introduction branch 2 times, most recently from 2feae57 to 24bd053 (April 1, 2024 17:15)

@MangoIV (Contributor) left a comment:

We should consider being more careful in pulling in new dependencies; `either` depends on a whole load of things. Admittedly the dependencies are quite low in the dependency tree, usually, but I don't think it's justified here.

A few more informative comments/docstrings wouldn't hurt either, to increase readability.

I don't think switching the TOML parsing library is a good idea at all, e.g. because it doesn't even support TOML 1.0.0 or it actually does wrong parses in our case (see my review).

I also think treewide formatting changes in files that get heavily changed should be done in a separate PR.

code/hsec-tools/hsec-tools.cabal (outdated, resolved)
Comment on lines 21 to 22
resultE <- try $ get $ repoUrl </> "commits" </> branch </> "advisories.atom"
resultE <- try $ get $ mkUrl [repoUrl, "commits", branch, "advisories.atom"]
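
Review bot: on the new line, `mkUrl [repoUrl, "commits", branch, "advisories.atom"]` passes `repoUrl` and `branch` through as plain segments, and nothing here shows whether `mkUrl` normalises a trailing slash on `repoUrl` or percent-encodes `branch`. Since the result goes straight into `get` and any failure is caught by `try` into `resultE`, a mis-joined URL would surface only as a generic fetch error. Please document `mkUrl`'s joining and escaping rules in a docstring and add a test for a `repoUrl` with a trailing `/` and a `branch` containing `/` or a space.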

@blackheaven (Collaborator, Author) commented:

`filepath` is OS-dependent; here we are dealing with a URL. I did not want to pull a new library just for that.

@MangoIV (Contributor) commented Apr 1, 2024:

Ah, this is a URL, sure; I think with these error-prone things, it would actually be useful to pull a new library, in contrast to `extra` or `either`, which provide trivial combinators.

@blackheaven (Collaborator, Author) commented:

I did not find a proper library, do you have any suggestions?

Member commented:

@hasufell: I believe you had to deal with URLs/URIs in the recent past. What would you recommend?

code/hsec-tools/src/Security/Advisories/Format.hs (outdated, resolved)
code/hsec-tools/src/Security/Advisories/Format.hs (outdated, resolved)
code/hsec-tools/test/golden/MISSING_AFFECTED.md.golden (outdated, resolved)
code/hsec-sync/src/Security/Advisories/Sync.hs (outdated, resolved)

@blackheaven force-pushed the snapshots/introduction branch 3 times, most recently from 722d7fe to 534c3ce (April 3, 2024 18:00)

@blackheaven (Collaborator, Author) commented:

@frasertweedale FYI, I have reverted back to toml-parser and properly tested FrontMatter rendering
