dancewithheart/cabal-plan-submit
cabal-plan-submit

Haskell dependency intelligence for supply-chain security.

  • submit Cabal plan dependencies to GitHub Dependency Graph
  • explain dependency paths with why
  • classify direct vs transitive dependencies
  • inspect deprecated Hackage packages
  • enrich cabal-audit SARIF with locations and dependency-path metadata

Blog post explaining example use cases.

What it does

cabal-plan-submit reads Cabal's dist-newstyle/cache/plan.json and helps with three practical workflows:

  1. Find deprecated Hackage dependencies and explain why they are present.

cabal run cabal-plan-submit -- why dist-newstyle/cache/plan.json cryptonite
cabal run cabal-plan-submit -- why "$PROJECT_PATH/dist-newstyle/cache/plan.json" process

  2. Submit Cabal dependency graphs to GitHub Dependency Graph.

cabal-plan-submit render-snapshot dist-newstyle/cache/plan.json "$SHA" "$REF" > snapshot.json

Use in GitHub Actions

To run this action on GitHub you can re-use the workflow config (.github/workflows/submit_deps.yml).

After a successful build, the data should appear under Insights -> Dependency graph, in the ecosystem "other" (e.g. as here).

You can export an SBOM (Software Bill of Materials) file from the Dependency graph tab.

Fail CI on deprecated dependencies:

cabal-plan-submit inspect-deprecated --fail-on direct dist-newstyle/cache/plan.json deprecated.yaml

Usage

Inspect local project

cabal build
cabal run cabal-plan-submit -- inspect-plan dist-newstyle/cache/plan.json
cabal run cabal-plan-submit -- inspect-graph dist-newstyle/cache/plan.json

Inspect another project

cabal run cabal-plan-submit -- inspect-plan "$PROJECT_PATH/dist-newstyle/cache/plan.json"
cabal run cabal-plan-submit -- inspect-graph "$PROJECT_PATH/dist-newstyle/cache/plan.json"

Render a snapshot JSON file

SHA="${GITHUB_SHA:-$(git rev-parse HEAD)}"
REF="${GITHUB_REF:-refs/heads/$(git branch --show-current)}"

cabal build
SNAPSHOT_BIN="$(cabal list-bin exe:cabal-plan-submit)"
"$SNAPSHOT_BIN" render-snapshot dist-newstyle/cache/plan.json "$SHA" "$REF" > snapshot.json

Validate snapshot:

cabal run cabal-plan-submit -- validate-snapshot snapshot.json

Explain why a package is present:

cabal run cabal-plan-submit -- why dist-newstyle/cache/plan.json cryptonite
cabal run cabal-plan-submit -- why "$PROJECT_PATH/dist-newstyle/cache/plan.json" cryptonite

Detecting deprecated packages

curl -L \
  https://raw.githubusercontent.com/commercialhaskell/all-cabal-metadata/master/deprecated.yaml \
  -o deprecated.yaml

cabal run cabal-plan-submit -- inspect-deprecated dist-newstyle/cache/plan.json deprecated.yaml
cabal run cabal-plan-submit -- inspect-deprecated "$PROJECT_PATH/dist-newstyle/cache/plan.json" deprecated.yaml
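The why paths, the direct/transitive classification behind inspect-deprecated --fail-on, and the render-snapshot output all start from the same plan.json graph. The script below is an added example, not code from cabal-plan-submit, that shows those mechanics end to end on a constructed plan.json and a constructed, already-parsed stand-in for deprecated.yaml. The unit ids, package names and versions, the pkg:hackage purl type, the snapshot field layout and the helper names are the example's own assumptions, not values taken from the project.

```python
import json
from collections import deque
from datetime import datetime, timezone

# Constructed sample of Cabal's dist-newstyle/cache/plan.json, trimmed to the
# fields this example reads (install-plan units with id / pkg-name /
# pkg-version / style / depends). Assumed shape; a real plan carries more keys.
PLAN_JSON = json.dumps({
    "cabal-version": "3.10.0.0",
    "compiler-id": "ghc-9.6.4",
    "install-plan": [
        {"type": "configured", "id": "myapp-0.1.0.0-inplace", "pkg-name": "myapp",
         "pkg-version": "0.1.0.0", "style": "local",
         "depends": ["base-4.18.1.0", "aeson-2.2.1.0-abc", "cryptonite-0.30-def"]},
        {"type": "configured", "id": "aeson-2.2.1.0-abc", "pkg-name": "aeson",
         "pkg-version": "2.2.1.0", "style": "global",
         "depends": ["base-4.18.1.0", "text-2.0.2-ghi"]},
        {"type": "configured", "id": "cryptonite-0.30-def", "pkg-name": "cryptonite",
         "pkg-version": "0.30", "style": "global",
         "depends": ["base-4.18.1.0", "memory-0.18.0-jkl"]},
        {"type": "configured", "id": "memory-0.18.0-jkl", "pkg-name": "memory",
         "pkg-version": "0.18.0", "style": "global", "depends": ["base-4.18.1.0"]},
        {"type": "configured", "id": "text-2.0.2-ghi", "pkg-name": "text",
         "pkg-version": "2.0.2", "style": "global", "depends": ["base-4.18.1.0"]},
        {"type": "pre-existing", "id": "base-4.18.1.0", "pkg-name": "base",
         "pkg-version": "4.18.1.0", "depends": []},
    ],
})

# Constructed stand-in for Hackage's deprecated.yaml, already parsed:
# deprecated package name -> packages suggested in its favour (assumption).
DEPRECATED = {"cryptonite": ["crypton"], "memory": []}


def load_plan(plan_text):
    """Index the install plan by unit id; pre-existing units carry no 'style'."""
    units = {}
    for u in json.loads(plan_text)["install-plan"]:
        deps = list(u.get("depends", []))
        for comp in u.get("components", {}).values():  # per-component units
            deps += comp.get("depends", []) + comp.get("exe-depends", [])
        units[u["id"]] = {"name": u["pkg-name"], "version": u["pkg-version"],
                          "local": u.get("style") == "local", "depends": deps}
    return units


def classify(units):
    """direct = depended on by a local unit; transitive = reachable only via others."""
    local = [uid for uid, u in units.items() if u["local"]]
    direct = {units[d]["name"] for uid in local for d in units[uid]["depends"]}
    seen, todo = set(local), deque(local)
    while todo:  # breadth-first walk over the solved graph
        for d in units[todo.popleft()]["depends"]:
            if d not in seen:
                seen.add(d)
                todo.append(d)
    reachable = {units[uid]["name"] for uid in seen if not units[uid]["local"]}
    return direct, reachable - direct


def why(units, pkg):
    """Every dependency path (by package name) from a local package down to pkg."""
    paths = []

    def walk(uid, trail):
        trail = trail + [units[uid]["name"]]
        if trail[-1] == pkg:
            paths.append(trail)
            return
        for d in units[uid]["depends"]:
            if units[d]["name"] not in trail:  # plans are acyclic; guard anyway
                walk(d, trail)

    for uid, u in units.items():
        if u["local"]:
            walk(uid, [])
    return sorted(paths)


def inspect_deprecated(units, deprecated, fail_on="direct"):
    """Report deprecated packages in the plan; return (findings, ci_should_fail)."""
    direct, transitive = classify(units)
    findings = []
    for name in sorted(deprecated):
        kind = "direct" if name in direct else "transitive" if name in transitive else None
        if kind:
            findings.append({"package": name, "relationship": kind,
                             "in-favour-of": deprecated[name], "paths": why(units, name)})
    fail = any(f["relationship"] == "direct" or fail_on == "any" for f in findings)
    return findings, fail


def render_snapshot(units, sha, ref, manifest="cabal.project"):
    """Build a GitHub Dependency Submission API snapshot (version 0) from the plan."""
    direct, _ = classify(units)
    purl = lambda u: f"pkg:hackage/{u['name']}@{u['version']}"
    resolved = {u["name"]: {"package_url": purl(u),
                            "relationship": "direct" if u["name"] in direct else "indirect",
                            "scope": "runtime",
                            "dependencies": [purl(units[d]) for d in u["depends"]]}
                for u in units.values() if not u["local"]}
    return {"version": 0, "sha": sha, "ref": ref,
            "job": {"correlator": "plan-json-example", "id": sha},  # hypothetical names
            "detector": {"name": "plan-json-example", "version": "0.0.0",
                         "url": "https://example.invalid/placeholder"},
            "scanned": datetime.now(timezone.utc).isoformat(),
            "manifests": {manifest: {"name": manifest, "file": {"source_location": manifest},
                                     "resolved": resolved}}}


if __name__ == "__main__":
    plan = load_plan(PLAN_JSON)
    for path in why(plan, "memory"):
        print(" -> ".join(path))
    findings, fail = inspect_deprecated(plan, DEPRECATED, fail_on="direct")
    print(json.dumps(findings, indent=2))
    print(json.dumps(render_snapshot(plan, "0" * 40, "refs/heads/main"), indent=2))
    raise SystemExit(1 if fail else 0)  # non-zero exit is what fails the CI job
```

Run as a script it prints the path myapp -> cryptonite -> memory, lists cryptonite as a direct and memory as a transitive deprecated dependency, emits the snapshot, and exits 1 because a direct deprecated dependency was found (the same policy as --fail-on direct). The snapshot dict is the body that a workflow would POST to GitHub's dependency submission endpoint for the repository; the real tool's field values will differ from the placeholders used here.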

Relationship to Renovate / Dependabot / cabal-audit

  • Renovate can update declared .cabal dependency bounds.
  • cabal-audit checks known Haskell security advisories.
  • cabal-plan-submit works from Cabal's solved plan.json, submits the exact resolved graph to GitHub, and explains deprecated dependencies with paths.

Working with code

Running tests:

cabal test

About

Extract a dependency graph for GitHub dependency submission snapshots
