| Safe Haskell | None |
|---|---|
| Language | GHC2021 |
Ecluse.Core.Cve.Internal
Description
The advisory lookup's internals: the hardened SQLite open and the raw queries Ecluse.Core.Cve curates into the public handle.
Importing this module opts out of the public surface's stability promises; it exists so tests can pin the hardening properties (the connection refuses writes, schema-borne SQL is distrusted) directly against the connection the handle actually uses.
Synopsis
- data AdvisoryRange = AdvisoryRange {}
- data CveDbRejected
- openHardenedConnection :: Ecosystem -> FilePath -> IO (Either CveDbRejected Connection)
- probeQuery :: Connection -> Text -> Text -> IO Bool
- advisoriesQuery :: Connection -> Text -> IO [AdvisoryRange]
- provenanceQuery :: Connection -> IO [(Text, Text)]
Documentation
data AdvisoryRange
One advisory range recorded against a package: the advisory's identifier,
its optional qualitative severity label, and the affected interval's bounds as
the artifact stores them (verbatim version text; Nothing introduced means
"from the beginning", Nothing fixed means "no fix known").
Constructors
| AdvisoryRange | |
Instances
| Show AdvisoryRange | Defined in Ecluse.Core.Cve.Internal. Methods: showsPrec :: Int -> AdvisoryRange -> ShowS; show :: AdvisoryRange -> String; showList :: [AdvisoryRange] -> ShowS |
| Eq AdvisoryRange | Defined in Ecluse.Core.Cve.Internal. Methods: (==) :: AdvisoryRange -> AdvisoryRange -> Bool; (/=) :: AdvisoryRange -> AdvisoryRange -> Bool |
data CveDbRejected
Why a downloaded artifact was refused before a handle was built over it.
A rejection is a value, not an exception: the caller (the sync task, once it exists) has a real decision to make (keep the last known-good database and alarm) rather than a fault to unwind from.
Constructors
| CveDbWrongEpoch Int | The artifact's |
| CveDbRangesNotATable | The ranges relation is not a plain table -- a view here is attacker-authored SQL wearing the table's name. |
| CveDbEcosystemMismatch (Maybe Text) | The artifact's |
Instances
| Show CveDbRejected | Defined in Ecluse.Core.Cve.Internal. Methods: showsPrec :: Int -> CveDbRejected -> ShowS; show :: CveDbRejected -> String; showList :: [CveDbRejected] -> ShowS |
| Eq CveDbRejected | Defined in Ecluse.Core.Cve.Internal. Methods: (==) :: CveDbRejected -> CveDbRejected -> Bool; (/=) :: CveDbRejected -> CveDbRejected -> Bool |
openHardenedConnection :: Ecosystem -> FilePath -> IO (Either CveDbRejected Connection)
Open an artifact read-only-in-effect and accept or reject it.
Hardening order matters: trusted_schema = OFF (schema-defined functions,
views feeding triggers, and virtual tables in the file are distrusted) and
query_only = ON (the connection refuses every write, so no trigger can ever
fire through it) are applied before the first query. Acceptance then checks,
cheapest and least trusting first: the osvSchemaEpoch stamp, the ranges
relation being a real table, and the meta ecosystem matching the one asked
for. A rejected artifact's connection is closed before returning.
Read-only is enforced at the connection level: sqlite-simple's public API has
no way to pass SQLITE_OPEN_READONLY at open time, and query_only yields
the same guarantee for every statement this connection will run.
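The sketch below is an added example, not Ecluse's own code: it uses sqlite-simple directly to show the two pragmas applied before the first query, the ranges-is-a-table check, and a write being refused. The helper names, the sqlite_master lookup, the real_ranges table and the temporary file name are assumptions made for illustration; the epoch and ecosystem checks are left out because the page does not say where those values are stored.

```haskell
{-# LANGUAGE OverloadedStrings #-}
module Main (main) where

import Control.Exception (try)
import Data.Text (Text)
import Database.SQLite.Simple
import System.Directory (getTemporaryDirectory, removeFile)
import System.FilePath ((</>))

-- Both pragmas go in before any statement reads the untrusted schema.
harden :: Connection -> IO ()
harden conn = do
  execute_ conn "PRAGMA trusted_schema = OFF"
  execute_ conn "PRAGMA query_only = ON"

-- True only when sqlite_master records the name as a plain table.
-- (Assumed way to make the check; not taken from the project.)
isPlainTable :: Connection -> Text -> IO Bool
isPlainTable conn name = do
  rows <- query conn "SELECT type FROM sqlite_master WHERE name = ?" (Only name)
  pure (rows == [Only ("table" :: Text)])

-- Constructed hostile artifact: "ranges" is a view over another table.
writeHostileArtifact :: FilePath -> IO ()
writeHostileArtifact path = withConnection path $ \conn -> do
  execute_ conn "CREATE TABLE real_ranges (package_name TEXT, fixed_version TEXT)"
  execute_ conn "CREATE VIEW ranges AS SELECT * FROM real_ranges"

main :: IO ()
main = do
  tmp <- getTemporaryDirectory
  let path = tmp </> "hostile-artifact-example.sqlite" -- hypothetical file name
  writeHostileArtifact path
  conn <- open path
  harden conn
  -- Acceptance check: a view wearing the table's name must not pass.
  plain <- isPlainTable conn "ranges"
  putStrLn ("ranges is a plain table: " ++ show plain)
  -- query_only = ON makes the connection refuse every write.
  wrote <- try (execute_ conn "INSERT INTO real_ranges VALUES ('p', '1.0.0')")
  case wrote :: Either SQLError () of
    Left err -> putStrLn ("write refused: " ++ show (sqlError err))
    Right () -> putStrLn "write succeeded: hardening is not in effect"
  close conn
  removeFile path
```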
probeQuery :: Connection -> Text -> Text -> IO Bool
Does any advisory for this package name this exact version string as a
fixed bound? One indexed probe (package_name, fixed_version); deliberately
string equality, per the artifact contract's canonical-semver expectation.
advisoriesQuery :: Connection -> Text -> IO [AdvisoryRange]
Every advisory range recorded against a package name.
provenanceQuery :: Connection -> IO [(Text, Text)]
The artifact's meta provenance rows, key-sorted for a deterministic
snapshot. An artifact with no meta table would have failed acceptance, so
this only ever runs on an accepted connection.