{"id":15010906,"url":"https://github.com/haskell/security-advisories","last_synced_at":"2025-04-09T15:04:47.304Z","repository":{"id":66132124,"uuid":"565999293","full_name":"haskell/security-advisories","owner":"haskell","description":null,"archived":false,"fork":false,"pushed_at":"2025-04-04T13:29:06.000Z","size":686,"stargazers_count":51,"open_issues_count":26,"forks_count":18,"subscribers_count":20,"default_branch":"main","last_synced_at":"2025-04-09T15:04:43.381Z","etag":null,"topics":["hacktoberfest","hacktoberfest2024","haskell","security","vulnerabilities"],"latest_commit_sha":null,"homepage":"https://haskell.github.io/security-advisories/","language":"Haskell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/haskell.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-11-14T19:08:36.000Z","updated_at":"2025-04-08T13:41:50.000Z","dependencies_parsed_at":null,"dependency_job_id":"81b7bf8d-b98f-4cd2-ac2c-542b31e33238","html_url":"https://github.com/haskell/security-advisories","commit_stats":{"total_commits":350,"total_committers":17,"mean_commits":20.58823529411765,"dds":0.6428571428571428,"last_synced_commit":"1e0bab4a2e84fcbb8e6a0e229358f97b5ece8c87"},"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/haskell%2Fsecurity-advisories","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/haskell%2Fsecurity-advisories/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/reposi
tories/haskell%2Fsecurity-advisories/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/haskell%2Fsecurity-advisories/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/haskell","download_url":"https://codeload.github.com/haskell/security-advisories/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248055284,"owners_count":21040157,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["hacktoberfest","hacktoberfest2024","haskell","security","vulnerabilities"],"created_at":"2024-09-24T19:37:06.964Z","updated_at":"2025-04-09T15:04:47.286Z","avatar_url":"https://github.com/haskell.png","language":"Haskell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Haskell Security Advisory DB\n\nThe Haskell Security Advisory Database is a repository of security advisories filed\nagainst packages published via Hackage.\n\nThis database is still new. If you develop a tool or database that uses its information,\nplease open a PR listing it here.\n\n## Reporting Vulnerabilities\n\nTo report a new vulnerability, open a pull request using the template below.\nSee [CONTRIBUTING.md] for more information.\n\n## Advisory Format\n\nSee [EXAMPLE_ADVISORY.md] for a template.\n\nAdvisories are formatted in [Markdown] with machine-readable [TOML] \"front matter\".\n\nBelow is the schema of the [TOML] \"front matter\" section of an advisory. 
If you base\nyour advisory on this explanation rather than on [EXAMPLE_ADVISORY.md], please remember\nto remove the explanatory comments for each field.\n\n```toml\n\n[advisory]\n# Identifier for the advisory (mandatory). Will be assigned a \"HSEC-YYYY-NNNN\"\n# identifier e.g. HSEC-2022-0001. Please use \"HSEC-0000-0000\" in PRs.\n# Or run `hsec-tools next-id` to print the next available ID.\nid = \"HSEC-0000-0000\"\n\n# Publication date of the advisory as an RFC 3339 date.\n# DO NOT INCLUDE THIS in files committed to Git.\n# It will be derived from the Git commit history.\ndate = 2021-01-31\n\n# Optional: Classification of the advisory with respect to the Common Weakness Enumeration.\ncwe = [820]\n\n# Optional: Classification of the advisory with respect to the Common Attack Pattern Enumerations and Classifications.\ncapec = [123]\n\n# Arbitrary keywords.  We recommend including keywords relating\n# to the protocols, data formats or services pertaining to the\n# affected package (e.g. \"json\", \"tls\", \"aws\").  You can also\n# include keywords describing the vulnerability or impact (e.g.\n# \"dos\", \"sqli\", \"csrf\").  Just think, \"what keywords would I use\n# if I was searching for issues affecting this package, or a\n# particular class of vulnerabilities?\"\nkeywords = [\"ssl\", \"mitm\"]\n\n# Vulnerability aliases, e.g. CVE or GHSA IDs.  This field is\n# optional, but it is strongly recommended to reference any known\n# aliases.\n#\n# A corresponding CVE is not required, but you can request one if\n# you want: https://iwantacve.org/\n#\n#aliases = [\"CVE-2018-XXXX\"]\n\n# Related vulnerabilities (optional)\n# e.g. CVE for a C library wrapped by a Haskell library\n#related = [\"CVE-2018-YYYY\", \"CVE-2018-ZZZZ\"]\n\n# References to articles, issues/PRs, etc.  
Recognised types:\n# ADVISORY, ARTICLE, DETECTION, DISCUSSION, REPORT,\n# FIX, INTRODUCED, PACKAGE, EVIDENCE, WEB\n[[references]]\ntype = \"REPORT\"\nurl = \"https://github.com/username/package/issues/123\"\n[[references]]\ntype = \"FIX\"\nurl = \"https://github.com/username/package/pull/139\"\n\n# Affected package(s).  You can declare one or more packages.\n# Sub-fields are `package`, `cvss`, `arch`, `os`, `declarations`\n# and the `versions` table.\n[[affected]]\n\n# Mandatory package component identifier; ONE of the following:\n#\n# OPTION 1: name of the affected package on Hackage\npackage = \"acme-broken\"\n#\n# OPTION 2: component of GHC compiler suite\n# ghc-component = {ghc,ghci,rts,ghc-pkg,runghc,ghc-iserv,hp2ps,hpc,hsc2hs,haddock}\n\n# Mandatory: a Common Vulnerability Scoring System score. More information\n# can be found on the CVSS website, https://www.first.org/cvss/.\n# The committee will assist advisory authors in constructing an appropriate CVSS if necessary.\ncvss = \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n\n# Optional: CPU architectures impacted by this vulnerability\n# Only use this if the vulnerability is specific to a particular CPU architecture,\n# e.g. the vulnerability is in x86 assembly.\n# For a list of CPU architecture strings, see the documentation for System.Info.arch:\n# \u003chttps://hackage.haskell.org/package/base-4.16.1.0/docs/System-Info.html\u003e\n#arch = [\"x86\", \"x86_64\"]\n\n# Optional: Operating systems impacted by this vulnerability\n# Only use this if the vulnerability is specific to a particular OS, e.g. it was\n# located in a binding to a Windows-specific API.\n# For a list of OS strings, see the documentation for System.Info.os:\n# \u003chttps://hackage.haskell.org/package/base-4.16.1.0/docs/System-Info.html\u003e\n#os = [\"mingw32\"]\n\n# Optional: Table of canonical paths to vulnerable declarations in the package\n# that describes which versions impacted by this advisory used that particular\n# name (e.g. 
if an affected function or datatype was renamed between versions).\n# The path syntax is the module import path, without any type signatures or\n# additional information, followed by the affected versions.\n#declarations = { \"Acme.Broken.function\" = \"\u003e= 1.1.0 \u0026\u0026 \u003c 1.2.0\", \"Acme.Broken.renamedFunction\" = \"\u003e= 1.2.0 \u0026\u0026 \u003c 1.2.0.5\"}\n\n# Versions affected by the vulnerability.\n#\n# The `fixed` field is optional.  You can specify multiple ranges\n# (for example, if the issue was introduced in multiple release\n# series).  In the case of multiple ranges, use `fixed` to \"close\"\n# a range, even when the release series does not actually have a\n# fix.  For example, if an issue was introduced in 1.0.8 and 1.1.2\n# (but 1.1 is unaffected), and a fix has not been released for the\n# 1.0.x series, specify:\n[[affected.versions]]\nintroduced = \"1.0.8\"\nfixed = \"1.1\"\n[[affected.versions]]\nintroduced = \"1.1.2\"\n```\n\nThe above [TOML] \"front matter\" is followed by the long description in [Markdown] format.\n\n## Current Members\n\nPlease see [Current members](./docs/membership.md).\n\n## Processes\n\nPlease see [Contributing](./CONTRIBUTING.md) for details.\n\n## Acknowledgments\n\nThe process and documentation in this repository are based on the work of the [RustSec](https://rustsec.org/) team.\n\n## License\n\nAll security advisory content in this repository is placed in the public domain, including metadata, descriptions, and example code.\n\n[![Public Domain](http://i.creativecommons.org/p/zero/1.0/88x31.png)](https://github.com/haskell/security-advisories/LICENSE.txt)\n\nThe contents of the `code` subdirectory, which contains tools and libraries for working with the advisory data format in Haskell, are licensed under a three-clause BSD license. 
Please refer to [that subdirectory's LICENSE file](code/LICENSE.txt) for details.\n\n[EXAMPLE_ADVISORY.md]: https://github.com/haskell/security-advisories/blob/main/EXAMPLE_ADVISORY.md\n[Markdown]: https://www.markdownguide.org/\n[TOML]: https://github.com/toml-lang/toml\n[CONTRIBUTING.md]: https://github.com/haskell/security-advisories/blob/main/CONTRIBUTING.md\n[RustSec]: https://github.com/rustsec/advisory-db\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhaskell%2Fsecurity-advisories","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fhaskell%2Fsecurity-advisories","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhaskell%2Fsecurity-advisories/lists"}