ecluse:ecluse-core
Safe Haskell: None
Language: GHC2021

Ecluse.Core.Cve.Internal

Description

The advisory lookup's internals: the hardened SQLite open and the raw queries Ecluse.Core.Cve curates into the public handle.

Importing this module opts out of the public surface's stability promises; it exists so tests can pin the hardening properties (the connection refuses writes, schema-borne SQL is distrusted) directly against the connection the handle actually uses.

Documentation

data AdvisoryRange Source #

One advisory range recorded against a package: the advisory's identifier, its optional qualitative severity label, and the affected interval's bounds as the artifact stores them (verbatim version text; Nothing introduced means "from the beginning", Nothing fixed means "no fix known").

Instances

Show AdvisoryRange Source # 

Defined in Ecluse.Core.Cve.Internal

Eq AdvisoryRange Source # 

Defined in Ecluse.Core.Cve.Internal

data CveDbRejected Source #

Why a downloaded artifact was refused before a handle was built over it.

A rejection is a value, not an exception: the caller (the sync task, once it exists) has a real decision to make (keep the last known-good database and raise an alarm) rather than a fault to unwind from.

Constructors

CveDbWrongEpoch Int

The artifact's user_version stamp (carried) does not match this binary's osvSchemaEpoch.

CveDbRangesNotATable

The ranges relation is not a plain table; a view here is attacker-authored SQL wearing the table's name.

CveDbEcosystemMismatch (Maybe Text)

The artifact's meta table names a different ecosystem (carried) than the one this handle was asked to serve.

Instances

Show CveDbRejected Source # 

Defined in Ecluse.Core.Cve.Internal

Eq CveDbRejected Source # 

Defined in Ecluse.Core.Cve.Internal

openHardenedConnection :: Ecosystem -> FilePath -> IO (Either CveDbRejected Connection) Source #

Open an artifact read-only-in-effect and accept or reject it.

Hardening order matters: trusted_schema = OFF (schema-defined functions, views feeding triggers, and virtual tables in the file are distrusted) and query_only = ON (the connection refuses every write, so no trigger can ever fire through it) are applied before the first query. Acceptance then checks, cheapest and least trusting first: the osvSchemaEpoch stamp, the ranges relation being a real table, and the meta ecosystem matching the one asked for. A rejected artifact's connection is closed before returning.

Read-only is enforced at the connection level: sqlite-simple's public API has no way to pass SQLITE_OPEN_READONLY at open time, and query_only yields the same guarantee for every statement this connection will run.

probeQuery :: Connection -> Text -> Text -> IO Bool Source #

Does any advisory for this package name this exact version string as a fixed bound? One indexed probe on (package_name, fixed_version); the comparison is deliberately plain string equality, per the artifact contract's canonical-semver expectation.

advisoriesQuery :: Connection -> Text -> IO [AdvisoryRange] Source #

Every advisory range recorded against a package name.

provenanceQuery :: Connection -> IO [(Text, Text)] Source #

The artifact's meta provenance rows, key-sorted for a deterministic snapshot. An artifact with no meta table would have failed acceptance, so this only ever runs on an accepted connection.
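The hardened open, the acceptance order and the three queries documented above, rendered in Python's standard-library sqlite3 as an added example; this is not the module's Haskell code. The value of osvSchemaEpoch, the encoding of rejections as (tag, carried) pairs, and every column name other than package_name and fixed_version are assumptions made for the demo; the artifacts it opens are constructed in a temporary directory.

```python
import os
import sqlite3
import tempfile
from typing import Optional, Tuple

# Assumed value: the page names osvSchemaEpoch but does not state the number.
OSV_SCHEMA_EPOCH = 3

# Constructed sample advisories: (package, advisory id, severity, introduced, fixed).
ROWS = [
    ("left-pad", "ADV-0001", "HIGH", "1.0.0", "1.3.0"),
    ("left-pad", "ADV-0002", None, None, "1.1.2"),
    ("lodash", "ADV-0003", "LOW", "4.0.0", None),
]
# Only package_name and fixed_version come from the page; the rest are assumed names.
RANGES_COLUMNS = ("(package_name TEXT NOT NULL, advisory_id TEXT NOT NULL, severity TEXT, "
                  "introduced_version TEXT, fixed_version TEXT)")

Rejection = Tuple[str, object]


def build_artifact(path: str, epoch: int, ecosystem: Optional[str], ranges_as_view: bool = False) -> None:
    """Write a constructed artifact. ecosystem=None omits the meta table entirely."""
    conn = sqlite3.connect(path)
    conn.execute(f"PRAGMA user_version = {int(epoch)}")  # PRAGMA accepts no bound parameters
    if ecosystem is not None:
        conn.execute("CREATE TABLE meta (key TEXT PRIMARY KEY, value TEXT NOT NULL)")
        conn.executemany("INSERT INTO meta VALUES (?, ?)",
                         [("source", "constructed-sample"), ("ecosystem", ecosystem)])
    if ranges_as_view:
        # Schema-borne SQL wearing the table's name: the shape acceptance must refuse.
        conn.execute(f"CREATE TABLE ranges_backing {RANGES_COLUMNS}")
        conn.executemany("INSERT INTO ranges_backing VALUES (?, ?, ?, ?, ?)", ROWS)
        conn.execute("CREATE VIEW ranges AS SELECT * FROM ranges_backing")
    else:
        conn.execute(f"CREATE TABLE ranges {RANGES_COLUMNS}")
        conn.execute("CREATE INDEX ranges_probe ON ranges (package_name, fixed_version)")
        conn.executemany("INSERT INTO ranges VALUES (?, ?, ?, ?, ?)", ROWS)
    conn.commit()
    conn.close()


def _accept(conn: sqlite3.Connection, ecosystem: str) -> Optional[Rejection]:
    """The three acceptance checks, cheapest and least trusting first."""
    (epoch,) = conn.execute("PRAGMA user_version").fetchone()
    if epoch != OSV_SCHEMA_EPOCH:
        return ("CveDbWrongEpoch", epoch)
    # sqlite_master is the catalogue, so this check evaluates none of the file's schema SQL.
    row = conn.execute("SELECT type FROM sqlite_master WHERE name = 'ranges'").fetchone()
    if row is None or row[0] != "table":  # absent, or a view/virtual table in disguise
        return ("CveDbRangesNotATable", None)
    try:
        row = conn.execute("SELECT value FROM meta WHERE key = 'ecosystem'").fetchone()
    except sqlite3.OperationalError:  # no meta table at all
        row = None
    found = row[0] if row is not None else None
    if found != ecosystem:
        return ("CveDbEcosystemMismatch", found)
    return None


def open_hardened_connection(ecosystem: str, path: str):
    """Return (connection, None) if accepted, else (None, rejection) with the connection closed."""
    conn = sqlite3.connect(path)
    # Hardening before the first query: distrust schema-defined SQL, refuse every write.
    conn.execute("PRAGMA trusted_schema = OFF")
    conn.execute("PRAGMA query_only = ON")
    rejection = _accept(conn, ecosystem)
    if rejection is not None:
        conn.close()
        return None, rejection
    return conn, None


def probe_query(conn, package: str, version: str) -> bool:
    """Exact-string probe on the (package_name, fixed_version) index."""
    return conn.execute("SELECT 1 FROM ranges WHERE package_name = ? AND fixed_version = ? LIMIT 1",
                        (package, version)).fetchone() is not None


def advisories_query(conn, package: str):
    return conn.execute("SELECT advisory_id, severity, introduced_version, fixed_version "
                        "FROM ranges WHERE package_name = ? ORDER BY advisory_id", (package,)).fetchall()


def provenance_query(conn):
    return conn.execute("SELECT key, value FROM meta ORDER BY key").fetchall()


def write_is_refused(conn) -> bool:
    """query_only = ON turns any write into an error, so no trigger can fire through it."""
    try:
        conn.execute("INSERT INTO ranges VALUES ('probe', 'X', NULL, NULL, NULL)")
    except sqlite3.OperationalError:
        return True
    return False


def demo() -> dict:
    """Exercise the accepted path and each rejection against constructed artifacts."""
    out = {}
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "good.db")
        build_artifact(good, OSV_SCHEMA_EPOCH, "npm")
        conn, rej = open_hardened_connection("npm", good)
        out["accepted"] = rej is None
        out["probe_hit"] = probe_query(conn, "left-pad", "1.3.0")
        out["probe_miss"] = probe_query(conn, "left-pad", "1.3")  # no semver normalisation
        out["advisories"] = advisories_query(conn, "left-pad")
        out["provenance"] = provenance_query(conn)
        out["write_refused"] = write_is_refused(conn)
        conn.close()
        cases = {"wrong_epoch": (OSV_SCHEMA_EPOCH - 1, "npm", False, "npm"),
                 "view": (OSV_SCHEMA_EPOCH, "npm", True, "npm"),
                 "mismatch": (OSV_SCHEMA_EPOCH, "PyPI", False, "npm"),
                 "no_meta": (OSV_SCHEMA_EPOCH, None, False, "npm")}
        for name, (epoch, eco, as_view, asked) in cases.items():
            path = os.path.join(d, name + ".db")
            build_artifact(path, epoch, eco, as_view)
            conn, rej = open_hardened_connection(asked, path)
            assert conn is None
            out[name] = rej
    return out
```

The catalogue check runs against sqlite_master rather than by selecting from ranges, so a view named ranges is rejected without its SQL ever executing; on an SQLite build older than 3.31 the trusted_schema pragma is silently ignored, which is one more reason the acceptance checks do not rely on it alone.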