Handle CWE name

.github/workflows/haskell-ci.yml

@@ -183,6 +183,7 @@ jobs:
           touch cabal.project
           echo "packages: $GITHUB_WORKSPACE/source/code/hsec-core" >> cabal.project
           echo "packages: $GITHUB_WORKSPACE/source/code/hsec-tools" >> cabal.project
+          echo "packages: $GITHUB_WORKSPACE/source/code/cwe" >> cabal.project
           echo "packages: $GITHUB_WORKSPACE/source/code/cvss" >> cabal.project
           echo "packages: $GITHUB_WORKSPACE/source/code/osv" >> cabal.project
           cat cabal.project
@@ -198,34 +199,35 @@ jobs:
         run: |
           PKGDIR_hsec_tools="$(find "$GITHUB_WORKSPACE/unpacked" -maxdepth 1 -type d -regex '.*/hsec-tools-[0-9.]*')"
           echo "PKGDIR_hsec_tools=${PKGDIR_hsec_tools}" >> "$GITHUB_ENV"
-          PKGDIR_hsec_tools="$(find "$GITHUB_WORKSPACE/unpacked" -maxdepth 1 -type d -regex '.*/hsec-tools-[0-9.]*')"
-          echo "PKGDIR_hsec_tools=${PKGDIR_hsec_tools}" >> "$GITHUB_ENV"
+          PKGDIR_cwe="$(find "$GITHUB_WORKSPACE/unpacked" -maxdepth 1 -type d -regex '.*/cwe-[0-9.]*')"
+          echo "PKGDIR_cwe=${PKGDIR_cwe}" >> "$GITHUB_ENV"
+          PKGDIR_cvss="$(find "$GITHUB_WORKSPACE/unpacked" -maxdepth 1 -type d -regex '.*/cvss-[0-9.]*')"
+          echo "PKGDIR_cvss=${PKGDIR_cvss}" >> "$GITHUB_ENV"
           PKGDIR_hsec_core="$(find "$GITHUB_WORKSPACE/unpacked" -maxdepth 1 -type d -regex '.*/hsec-core-[0-9.]*')"
           echo "PKGDIR_hsec_core=${PKGDIR_hsec_core}" >> "$GITHUB_ENV"
           PKGDIR_osv="$(find "$GITHUB_WORKSPACE/unpacked" -maxdepth 1 -type d -regex '.*/osv-[0-9.]*')"
           echo "PKGDIR_osv=${PKGDIR_osv}" >> "$GITHUB_ENV"
-          PKGDIR_cvss="$(find "$GITHUB_WORKSPACE/unpacked" -maxdepth 1 -type d -regex '.*/cvss-[0-9.]*')"
-          echo "PKGDIR_cvss=${PKGDIR_cvss}" >> "$GITHUB_ENV"
           rm -f cabal.project cabal.project.local
           touch cabal.project
           touch cabal.project.local
-          echo "packages: ${PKGDIR_hsec_core}" >> cabal.project
           echo "packages: ${PKGDIR_hsec_tools}" >> cabal.project
-          echo "packages: ${PKGDIR_osv}" >> cabal.project
+          echo "packages: ${PKGDIR_cwe}" >> cabal.project
           echo "packages: ${PKGDIR_cvss}" >> cabal.project
+          echo "packages: ${PKGDIR_hsec_core}" >> cabal.project
+          echo "packages: ${PKGDIR_osv}" >> cabal.project
           echo "package hsec-tools" >> cabal.project
           echo "    ghc-options: -Werror=missing-methods" >> cabal.project
-          echo "package hsec-tools" >> cabal.project
+          echo "package cwe" >> cabal.project
+          echo "    ghc-options: -Werror=missing-methods" >> cabal.project
+          echo "package cvss" >> cabal.project
           echo "    ghc-options: -Werror=missing-methods" >> cabal.project
           echo "package hsec-core" >> cabal.project
           echo "    ghc-options: -Werror=missing-methods" >> cabal.project
           echo "package osv" >> cabal.project
           echo "    ghc-options: -Werror=missing-methods" >> cabal.project
-          echo "package cvss" >> cabal.project
-          echo "    ghc-options: -Werror=missing-methods" >> cabal.project
           cat >> cabal.project <<EOF
           EOF
-          $HCPKG list --simple-output --names-only | perl -ne 'for (split /\s+/) { print "constraints: $_ installed\n" unless /^(cvss|osv|hsec-core|hsec-tools)$/; }' >> cabal.project.local
+          $HCPKG list --simple-output --names-only | perl -ne 'for (split /\s+/) { print "constraints: $_ installed\n" unless /^(cvss|cwe|hsec-core|hsec-tools|osv)$/; }' >> cabal.project.local
           cat cabal.project
           cat cabal.project.local
       - name: dump install plan
@@ -264,6 +266,8 @@ jobs:
           ${CABAL} -vnormal check
           cd ${PKGDIR_hsec_tools} || false
           ${CABAL} -vnormal check
+          cd ${PKGDIR_cwe} || false
+          ${CABAL} -vnormal check
           cd ${PKGDIR_cvss} || false
           ${CABAL} -vnormal check
           cd ${PKGDIR_osv} || false

README.md

@@ -34,7 +34,8 @@ id = "HSEC-0000-0000"
 date = 2021-01-31
 
 # Optional: Classification of the advisory with respect to the Common Weakness Enumeration.
-cwe = [820]
+# Get number and names from https://cwe.mitre.org/, or look at the Security.CWE.Data module.
+cwe = ["820: Missing Synchronization"]
 
 # Arbitrary keywords.  We recommend to include keywords relating
 # to the protocols, data formats or services pertaining to the

advisories/hackage/aeson/HSEC-2023-0001.md

@@ -1,7 +1,7 @@
 ```toml
 [advisory]
 id = "HSEC-2023-0001"
-cwe = [328, 400]
+cwe = ["328: Use of Weak Hash", "400: Uncontrolled Resource Consumption"]
 keywords = ["json", "dos", "historical"]
 aliases = ["CVE-2022-3433"]
 

advisories/hackage/base/HSEC-2023-0007.md

@@ -1,7 +1,8 @@
 ```toml
 [advisory]
 id = "HSEC-2023-0007"
-cwe = [1284, 789]
+cwe = ["1284: Improper Validation of Specified Quantity in Input",
+       "789: Memory Allocation with Excessive Size Value"]
 keywords = ["toml", "parser", "dos"]
 
 [[affected]]

advisories/hackage/biscuit-haskell/HSEC-2023-0002.md

@@ -1,7 +1,7 @@
 ```toml
 [advisory]
 id = "HSEC-2023-0002"
-cwe = [347]
+cwe = ["347: Improper Verification of Cryptographic Signature"]
 keywords = ["crypto", "historical"]
 aliases = ["CVE-2022-31053"]
 related = ["GHSA-75rw-34q6-72cr"]

advisories/hackage/git-annex/HSEC-2023-0009.md

@@ -1,7 +1,8 @@
 ```toml
 [advisory]
 id = "HSEC-2023-0009"
-cwe = [20, 78]
+cwe = ["20: Improper Input Validation",
+       "78: Improper Neutralization of Special Elements used in an OS Command"]
 keywords = ["ssh", "command-injection", "historical"]
 aliases = ["CVE-2017-12976"]
 related = ["CVE-2017-9800", "CVE-2017-12836", "CVE-2017-1000116", "CVE-2017-1000117"]

advisories/hackage/git-annex/HSEC-2023-0010.md

@@ -1,7 +1,8 @@
 ```toml
 [advisory]
 id = "HSEC-2023-0010"
-cwe = [200, 610]
+cwe = ["200: Exposure of Sensitive Information to an Unauthorized Actor",
+       "610: Externally Controlled Reference to a Resource in Another Sphere"]
 keywords = ["exfiltration", "historical"]
 aliases = ["CVE-2018-10857"]
 

advisories/hackage/git-annex/HSEC-2023-0011.md

@@ -1,7 +1,7 @@
 ```toml
 [advisory]
 id = "HSEC-2023-0011"
-cwe = [200]
+cwe = ["200: Exposure of Sensitive Information to an Unauthorized Actor"]
 keywords = ["exfiltration", "pgp", "historical"]
 aliases = ["CVE-2018-10859"]
 related = ["HSEC-2023-0010", "CVE-2018-10857"]

advisories/hackage/git-annex/HSEC-2023-0012.md

@@ -1,7 +1,7 @@
 ```toml
 [advisory]
 id = "HSEC-2023-0012"
-cwe = [200]
+cwe = ["200: Exposure of Sensitive Information to an Unauthorized Actor"]
 keywords = ["historical"]
 
 [[affected]]

advisories/hackage/git-annex/HSEC-2023-0013.md

@@ -1,7 +1,7 @@
 ```toml
 [advisory]
 id = "HSEC-2023-0013"
-cwe = [312]
+cwe = ["312: Cleartext Storage of Sensitive Information"]
 keywords = ["historical"]
 aliases = ["CVE-2014-6274"]
 

advisories/hackage/hledger-web/HSEC-2023-0008.md

@@ -1,7 +1,7 @@
 ```toml
 [advisory]
 id = "HSEC-2023-0008"
-cwe = [87]
+cwe = ["87: Improper Neutralization of Alternate XSS Syntax"]
 keywords = ["web", "xss", "historical"]
 aliases = ["CVE-2021-46888"]
 

advisories/hackage/pandoc/HSEC-2023-0014.md

@@ -3,7 +3,7 @@
 id = "HSEC-2023-0014"
 keywords = ["file write"]
 aliases = ["CVE-2023-35936", "GHSA-xj5q-fv23-575g"]
-cwe = [20]
+cwe = ["20: Improper Input Validation"]
 
 [[references]]
 type = "REPORT"

advisories/hackage/tls-extra/HSEC-2023-0005.md

@@ -1,7 +1,7 @@
 ```toml
 [advisory]
 id = "HSEC-2023-0005"
-cwe = [295]
+cwe = ["295: Improper Certificate Validation"]
 keywords = ["x509", "pki", "mitm", "historical"]
 aliases = ["CVE-2013-0243"]
 

advisories/hackage/x509-validation/HSEC-2023-0006.md

@@ -1,7 +1,7 @@
 ```toml
 [advisory]
 id = "HSEC-2023-0006"
-cwe = [295]
+cwe = ["295: Improper Certificate Validation"]
 keywords = ["x509", "pki", "historical"]
 
 [[affected]]

advisories/hackage/xml-conduit/HSEC-2023-0004.md

@@ -1,7 +1,7 @@
 ```toml
 [advisory]
 id = "HSEC-2023-0004"
-cwe = [776]
+cwe = ["776: Improper Restriction of Recursive Entity References in DTDs"]
 keywords = ["xml", "dos", "historical"]
 aliases = ["CVE-2021-4249", "VDB-216204"]
 

advisories/hackage/xmonad-contrib/HSEC-2023-0003.md

@@ -1,7 +1,7 @@
 ```toml
 [advisory]
 id = "HSEC-2023-0003"
-cwe = [94]
+cwe = ["94: Improper Control of Generation of Code"]
 keywords = ["code", "injection", "historical"]
 aliases = ["CVE-2013-1436"]
 

cabal.project

@@ -3,4 +3,5 @@ packages: code/*/*.cabal
 package hsec-core
 package hsec-tools
 package cvss
+package cwe
 package osv

code/cvss/cvss.cabal

@@ -10,7 +10,9 @@ author:          Tristan de Cacqueray
 maintainer:      [email protected]
 category:        Data
 extra-doc-files: CHANGELOG.md
-tested-with:     GHC ==8.10.7 || ==9.0.2 || ==9.2.8 || ==9.4.8 || ==9.6.3 || ==9.8.1
+
+tested-with:
+  GHC ==8.10.7 || ==9.0.2 || ==9.2.8 || ==9.4.8 || ==9.6.3 || ==9.8.1
 
 library
   exposed-modules:  Security.CVSS

code/cwe/CHANGELOG.md

@@ -0,0 +1,5 @@
+# Changelog
+
+## 0.1
+
+- Initial version

code/cwe/RenderCsvData.hs

@@ -0,0 +1,60 @@
+#!/usr/bin/env cabal
+{- cabal:
+build-depends: base, xml
+-}
+{-# LANGUAGE NamedFieldPuns, PatternSynonyms #-}
+-- | Use this script to update the Security.CWE.Data module:
+-- Download and extract https://cwe.mitre.org/data/xml/cwec_latest.xml.zip
+-- Run the following command: cat cwec_v4.12.xml | ./RenderCsvData.hs | fourmolu --stdin-input-file ./src/Security/CWE/Data.hs > src/Security/CWE/Data.hs
+module Main where
+
+import Data.List
+import Data.Maybe
+import Text.Read
+
+import qualified Text.XML.Light as XML
+
+main :: IO ()
+main = do
+    db <- readXML <$> getContents
+    putStrLn $ unlines $ renderSource $ db
+
+data Weakness = Weakness
+    { wid :: Word
+    , wname :: String
+    }
+
+pattern XElement name content <- XML.Element (XML.QName name _ _) _ content _
+
+readXML :: String -> [Weakness]
+readXML str = case XML.parseXMLDoc str of
+    Just (XElement "Weakness_Catalog" (_ : (XML.Elem (XElement "Weaknesses" xs)) : _)) ->
+        mapMaybe toWeakness xs
+    n -> error $ "Couldn't match: " <> take 512 (show n)
+  where
+    toWeakness (XML.Elem (XML.Element (XML.QName "Weakness" _ _) attrs _ _)) = Just (Weakness{wid, wname})
+      where
+        wid = fromMaybe (error "invalid num") $ readMaybe =<< XML.lookupAttrBy ((==) "ID" . XML.qName) attrs
+        wname = fromMaybe (error "missing name") $ XML.lookupAttrBy ((==) "Name" . XML.qName) attrs
+    toWeakness e = Nothing
+
+renderSource :: [Weakness] -> [String]
+renderSource xs =
+    [ "{-# LANGUAGE OverloadedStrings #-}"
+    , "module Security.CWE.Data where"
+    , "import Data.Text"
+    , "cweData :: [(Word, Text)]"
+    , "cweData = ["
+    ]
+        <> map renderEntry (zip [0 ..] (sortOn wid xs))
+        <> ["  ]"]
+  where
+    renderEntry (pos, weakness) = "  " <> sep <> " (" <> show (wid weakness) <> ", \"" <> name <> "\")"
+      where
+        sep = if pos == 0 then " " else ","
+        -- Remove extra info in parenthesis
+        name = dropWhileEnd (== ' ') $ takeWhile (/= '(') $ escape $ wname weakness
+        escape ('\\':rest) = '\\' : '\\' : escape rest
+        escape (x:rest) = x : escape rest
+        escape [] = []
+    renderEntry _ = ""

code/cwe/cwe.cabal

@@ -0,0 +1,27 @@
+cabal-version:   2.4
+name:            cwe
+version:         0.1
+synopsis:        Common Weakness Enumaration database
+description:     Use this library to lookup or validate CWE numbers.
+license:         BSD-3-Clause
+author:          Tristan de Cacqueray
+maintainer:      [email protected]
+category:        Data
+extra-doc-files: CHANGELOG.md
+
+tested-with:
+  GHC ==8.10.7 || ==9.0.2 || ==9.2.8 || ==9.4.8 || ==9.6.3 || ==9.8.1
+
+library
+  exposed-modules:  Security.CWE
+  other-modules:    Security.CWE.Data
+  build-depends:
+    , base        >=4.14 && <5
+    , containers  >=0.6  && <0.7
+    , text        >=1.2  && <3
+
+  hs-source-dirs:   src
+  default-language: Haskell2010
+  ghc-options:
+    -Wall -Wcompat -Widentities -Wincomplete-record-updates
+    -Wincomplete-uni-patterns -Wpartial-fields -Wredundant-constraints

code/cwe/src/Security/CWE.hs

@@ -0,0 +1,28 @@
+{-# LANGUAGE DerivingStrategies #-}
+{-# LANGUAGE GeneralizedNewtypeDeriving #-}
+module Security.CWE (CWEID, unCWEID, mkCWEID, cweNames, cweIds) where
+
+import Security.CWE.Data
+import Data.Text (Text)
+import Data.Coerce
+import Data.Map.Strict as Map
+import Data.Bits
+
+-- | A CWE identifier.
+newtype CWEID = CWEID Word
+  deriving newtype (Eq, Ord, Show)
+
+-- | Access the underlying data.
+unCWEID :: CWEID -> Word
+unCWEID (CWEID cwe) = cwe
+
+mkCWEID :: (Integral a, Bits a) => a -> Maybe CWEID
+mkCWEID num = CWEID <$> toIntegralSized num
+
+-- | A map to lookup CWE names.
+cweNames :: Map CWEID Text
+cweNames = Map.fromList (coerce cweData)
+
+-- | A map to lookup CWEID.
+cweIds :: Map Text CWEID
+cweIds = Map.fromList $ (\(k, v) -> (v, k)) <$> coerce cweData