{"id":13846596,"url":"https://github.com/RustSec/advisory-db","last_synced_at":"2025-07-12T07:33:04.433Z","repository":{"id":37415164,"uuid":"83153561","full_name":"rustsec/advisory-db","owner":"rustsec","description":"Security advisory database for Rust crates published through crates.io","archived":false,"fork":false,"pushed_at":"2024-05-21T09:55:31.000Z","size":13225,"stargazers_count":870,"open_issues_count":54,"forks_count":331,"subscribers_count":44,"default_branch":"main","last_synced_at":"2024-05-22T01:14:55.452Z","etag":null,"topics":["rust","security","security-advisories","security-audit","vulnerabilities"],"latest_commit_sha":null,"homepage":"https://rustsec.org","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rustsec.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE.txt","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":"support.toml","governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2017-02-25T18:38:08.000Z","updated_at":"2024-05-30T04:34:34.465Z","dependencies_parsed_at":"2023-02-17T19:16:10.393Z","dependency_job_id":"48fd5e43-dae8-4c41-8912-41a04a5c759c","html_url":"https://github.com/rustsec/advisory-db","commit_stats":{"total_commits":1550,"total_committers":288,"mean_commits":5.381944444444445,"dds":0.7787096774193548,"last_synced_commit":"57d5993efb037c1f9518b7be7ab3a01b4ad475af"},"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rustsec%2Fadvisory-db","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rustsec%2Fadvisory-db/tags","releases_url":"htt
ps://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rustsec%2Fadvisory-db/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rustsec%2Fadvisory-db/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rustsec","download_url":"https://codeload.github.com/rustsec/advisory-db/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225807339,"owners_count":17527235,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["rust","security","security-advisories","security-audit","vulnerabilities"],"created_at":"2024-08-04T18:00:41.927Z","updated_at":"2025-07-12T07:33:04.428Z","avatar_url":"https://github.com/rustsec.png","language":null,"readme":"# RustSec Advisory Database\n\n[![Build Status][build-image]][build-link]\n![Maintained: Q1 2024][maintained-image]\n[![Project Chat][chat-image]][chat-link]\n\nThe RustSec Advisory Database is a repository of security advisories filed\nagainst Rust crates published via https://crates.io. 
A human-readable version\nof the advisory database can be found at https://rustsec.org/advisories/.\n\nWe also [export](https://github.com/rustsec/advisory-db/tree/osv) data to the [OSV](https://github.com/ossf/osv-schema) format.\nAll our data is available on [osv.dev](https://osv.dev/list?ecosystem=crates.io\u0026q=)\nand through their [API](https://osv.dev/#use-the-api).\n\n[GitHub Advisory Database](https://github.com/advisories/) imports our advisories.\n\nThe following tools consume this advisory database and can be used for auditing\nand reporting (send PRs to add yours):\n\n* [cargo-audit]: Audit `Cargo.lock` files for crates with security vulnerabilities\n* [cargo-deny]: Audit `Cargo.lock` files for crates with security vulnerabilities,\n  limit the usage of particular dependencies, their licenses, sources to download\n  from, detect multiple versions of the same packages in the dependency tree and more.\n* [trivy]: A simple and comprehensive vulnerability/misconfiguration/secret scanner for containers and other artifacts. Trivy detects vulnerabilities of OS packages and language-specific packages. Works via [OSV](https://osv.dev).\n* [dependabot]: Dependabot can fix vulnerable dependencies for you by raising pull requests with security updates. 
Works via [GHSA](https://github.com/advisories).\n\n## Reporting Vulnerabilities\n\nTo report a new vulnerability, open a pull request using the template below.\nSee [CONTRIBUTING.md] for more information.\n\nSee [HOWTO_UNMAINTAINED.md] before filing an advisory for an unmaintained crate.\n\n\u003ca href=\"https://github.com/RustSec/advisory-db/blob/main/CONTRIBUTING.md\"\u003e\n  \u003cimg alt=\"Report Vulnerability\" width=\"250px\" height=\"60px\" src=\"https://rustsec.org/img/report-vuln-button.svg\"\u003e\n\u003c/a\u003e\n\n## Advisory Format\n\nSee [EXAMPLE_ADVISORY.md] for a template.\n\nAdvisories are formatted in [Markdown] with [TOML] \"front matter\".\n\nBelow is the schema of the [TOML] \"front matter\" section of an advisory:\n\n```toml\n# Before you submit a PR using this template, **please delete the comments**\n# explaining each field, as well as any unused fields.\n\n[advisory]\n# Identifier for the advisory (mandatory). Will be assigned a \"RUSTSEC-YYYY-NNNN\"\n# identifier e.g. RUSTSEC-2018-0001. Please use \"RUSTSEC-0000-0000\" in PRs.\nid = \"RUSTSEC-0000-0000\"\n\n# Name of the affected crate (mandatory)\npackage = \"mycrate\"\n\n# Disclosure date of the advisory as an RFC 3339 date (mandatory)\ndate = \"2021-01-31\"\n\n# Whether the advisory is withdrawn (optional)\n#withdrawn = \"YYYY-MM-DD\"\n\n# URL to a long-form description of this issue, e.g. 
a GitHub issue/PR,\n# a change log entry, or a blog post announcing the release (optional, except\n# for advisories using a license that requires attribution).\nurl = \"https://github.com/mystuff/mycrate/issues/123\"\n\n# URL to additional helpful references regarding the advisory (optional)\n#references = [\"https://github.com/mystuff/mycrate/discussions/1\"]\n\n# Optional: Indicates the type of informational security advisory\n#  - \"unsound\" for soundness issues\n#  - \"unmaintained\" for crates that are no longer maintained\n#  - \"notice\" for other informational notices\n#informational = \"unmaintained\"\n\n# Optional: Categories this advisory falls under. Valid categories are:\n# \"code-execution\", \"crypto-failure\", \"denial-of-service\", \"file-disclosure\",\n# \"format-injection\", \"memory-corruption\", \"memory-exposure\", \"privilege-escalation\"\ncategories = [\"crypto-failure\"]\n\n# Optional: a Common Vulnerability Scoring System score. More information\n# can be found on the CVSS website, https://www.first.org/cvss/.\n#cvss = \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\"\n\n# Freeform keywords which describe this vulnerability, similar to Cargo (optional)\nkeywords = [\"ssl\", \"mitm\"]\n\n# Vulnerability aliases, e.g. CVE IDs (optional but recommended)\n#aliases = [\"CVE-2018-XXXX\"]\n\n# Related vulnerabilities (optional)\n# (e.g. the CVE for a C library wrapped by a -sys crate)\n#related = [\"CVE-2018-YYYY\", \"CVE-2018-ZZZZ\"]\n\n# Optional: the advisory license as an SPDX identifier. The default is \"CC0-1.0\".\n# Accepted values are \"CC0-1.0\" and \"CC-BY-4.0\".\n# When using \"CC-BY-4.0\", the `url` field must contain the link to the source\n# advisory. 
This should only be used for advisories imported from the GitHub\n# Advisory Database (\"GHSA\").\n#license = \"CC-BY-4.0\"\n\n# Optional: metadata which narrows the scope of what this advisory affects\n[affected]\n# CPU architectures impacted by this vulnerability (optional).\n# Only use this if the vulnerability is specific to a particular CPU architecture,\n# e.g. the vulnerability is in x86 assembly.\n# For a list of CPU architecture strings, see the \"platforms\" crate:\n# \u003chttps://docs.rs/platforms/latest/platforms/target/enum.Arch.html\u003e\n#arch = [\"x86\", \"x86_64\"]\n\n# Operating systems impacted by this vulnerability (optional)\n# Only use this if the vulnerability is specific to a particular OS, e.g. it was\n# located in a binding to a Windows-specific API.\n# For a list of OS strings, see the \"platforms\" crate:\n# \u003chttps://docs.rs/platforms/latest/platforms/target/enum.OS.html\u003e\n#os = [\"windows\"]\n\n# Table of canonical paths to vulnerable functions (optional)\n# mapping to which versions impacted by this advisory used that particular\n# name (e.g. if the function was renamed between versions).\n# The path syntax is `cratename::path::to::function`, without any\n# parameters or additional information, followed by a list of version reqs.\n[affected.functions]\n\"mycrate::MyType::vulnerable_function\" = [\"\u003c 1.2.0, \u003e= 1.1.0\"]\n\n# Versions which include fixes for this vulnerability (mandatory)\n# All selectors supported by Cargo are supported here:\n# https://doc.rust-lang.org/cargo/reference/specifying-dependencies.html\n# use patched = [] e.g. 
for an unmaintained crate where there is no fix\n[versions]\npatched = [\"\u003e= 1.2.0\"]\n\n# Versions which were never vulnerable (optional)\n#unaffected = [\"\u003c 1.1.0\"]\n```\n\nThe above [TOML] \"front matter\" is followed by the long description in [Markdown] format.\n\n## License\n\nAll content in this repository is placed in the public domain, except where otherwise specified.\n\n[![Public Domain](http://i.creativecommons.org/p/zero/1.0/88x31.png)](https://github.com/RustSec/advisory-db/blob/main/LICENSES/CC0-1.0.txt)\n\nThe exceptions are advisories imported from the [GitHub Advisory Database](https://docs.github.com/en/site-policy/github-terms/github-terms-for-additional-products-and-features#advisory-database),\nplaced under the CC-BY 4.0 license.\nThey contain a `license` field explicitly indicating their license and a `url` field pointing to the original advisory for proper attribution.\n\n[![Creative Commons Attribution](https://licensebuttons.net/l/by/4.0/88x31.png)](https://github.com/RustSec/advisory-db/blob/main/LICENSES/CC-BY-4.0.txt)\n\n[//]: # (badges)\n\n[build-image]: https://github.com/rustsec/advisory-db/workflows/Validate/badge.svg\n[build-link]: https://github.com/rustsec/advisory-db/actions\n[maintained-image]: https://img.shields.io/maintenance/yes/2025.svg\n[chat-image]: https://img.shields.io/badge/zulip-join_chat-blue.svg\n[chat-link]: https://rust-lang.zulipchat.com/#narrow/stream/146229-wg-secure-code/\n\n[//]: # (general links)\n\n[EXAMPLE_ADVISORY.md]: https://github.com/RustSec/advisory-db/blob/main/EXAMPLE_ADVISORY.md\n[Markdown]: https://www.markdownguide.org/\n[TOML]: https://github.com/toml-lang/toml\n[cargo-audit]: https://github.com/rustsec/cargo-audit\n[cargo-deny]: https://github.com/EmbarkStudios/cargo-deny\n[trivy]: https://aquasecurity.github.io/trivy/\n[dependabot]: https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates\n[CONTRIBUTING.md]: 
https://github.com/RustSec/advisory-db/blob/main/CONTRIBUTING.md\n[HOWTO_UNMAINTAINED.md]: ./HOWTO_UNMAINTAINED.md\n","funding_links":[],"categories":["Vulnerabilities Database \u0026 Tools"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FRustSec%2Fadvisory-db","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FRustSec%2Fadvisory-db","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FRustSec%2Fadvisory-db/lists"}