Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

https://github.com/RustSec/advisory-db

Security advisory database for Rust crates published through crates.io
https://github.com/RustSec/advisory-db

rust security security-advisories security-audit vulnerabilities

Last synced: 29 days ago
JSON representation

Security advisory database for Rust crates published through crates.io

Host: GitHub
URL: https://github.com/RustSec/advisory-db
Owner: rustsec
License: other
Created: 2017-02-25T18:38:08.000Z (over 7 years ago)
Default Branch: main
Last Pushed: 2024-05-21T09:55:31.000Z (about 1 month ago)
Last Synced: 2024-05-22T01:14:55.452Z (about 1 month ago)
Topics: rust, security, security-advisories, security-audit, vulnerabilities
Homepage: https://rustsec.org
Size: 12.6 MB
Stars: 870
Watchers: 44
Forks: 331
Open Issues: 54
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- License: LICENSE.txt
- Code of conduct: CODE_OF_CONDUCT.md
- Support: support.toml

Lists

awesome-software-supply-chain-security - RustSec/advisory-db - ![GitHub stars](https://img.shields.io/github/stars/RustSec/advisory-db?style=flat-square) - Security advisory database for Rust crates published through crates.io (Vulnerabilities Database & Tools)

README

        # RustSec Advisory Database

[![Build Status][build-image]][build-link]

![Maintained: Q1 2024][maintained-image]

[![Project Chat][chat-image]][chat-link]

The RustSec Advisory Database is a repository of security advisories filed

against Rust crates published via https://crates.io. A human-readable version

of the advisory database can be found at https://rustsec.org/advisories/.

We also [export](https://github.com/rustsec/advisory-db/tree/osv) data to the [OSV](https://github.com/ossf/osv-schema) format.

All our data is available on [osv.dev](https://osv.dev/list?ecosystem=crates.io&q=)

and through their [API](https://osv.dev/#use-the-api).

[GitHub Advisory Database](https://github.com/advisories/) imports our advisories.

The following tools consume this advisory database and can be used for auditing

and reporting (send PRs to add yours):

* [cargo-audit]: Audit `Cargo.lock` files for crates with security vulnerabilities

* [cargo-deny]: Audit `Cargo.lock` files for crates with security vulnerabilities,

  limit the usage of particular dependencies, their licenses, sources to download

  from, detect multiple versions of same packages in the dependency tree and more.

* [trivy]: A simple and comprehensive vulnerability/misconfiguration/secret scanner for containers and other artifacts. Trivy detects vulnerabilities of OS packages and language-specific packages. Works via [OSV](https://osv.dev).

* [dependabot]: Dependabot can fix vulnerable dependencies for you by raising pull requests with security updates. Works via [GHSA](https://github.com/advisories).

## Reporting Vulnerabilities

To report a new vulnerability, open a pull request using the template below.

See [CONTRIBUTING.md] for more information.

See [HOWTO_UNMAINTAINED.md] before filing an advisory for an unmaintained crate.



  



## Advisory Format

See [EXAMPLE_ADVISORY.md] for a template.

Advisories are formatted in [Markdown] with [TOML] "front matter".

Below is the schema of the [TOML] "front matter" section of an advisory:

```toml

# Before you submit a PR using this template, **please delete the comments**

# explaining each field, as well as any unused fields.

[advisory]

# Identifier for the advisory (mandatory). Will be assigned a "RUSTSEC-YYYY-NNNN"

# identifier e.g. RUSTSEC-2018-0001. Please use "RUSTSEC-0000-0000" in PRs.

id = "RUSTSEC-0000-0000"

# Name of the affected crate (mandatory)

package = "mycrate"

# Disclosure date of the advisory as an RFC 3339 date (mandatory)

date = "2021-01-31"

# Whether the advisory is withdrawn (optional)

#withdrawn = "YYYY-MM-DD"

# URL to a long-form description of this issue, e.g. a GitHub issue/PR,

# a change log entry, or a blogpost announcing the release (optional, except

# for advisories using a license that requires attribution).

url = "https://github.com/mystuff/mycrate/issues/123"

# URL to additional helpful references regarding the advisory (optional)

#references = ["https://github.com/mystuff/mycrate/discussions/1"]

# Optional: Indicates the type of informational security advisory

#  - "unsound" for soundness issues

#  - "unmaintained" for crates that are no longer maintained

#  - "notice" for other informational notices

#informational = "unmaintained"

# Optional: Categories this advisory falls under. Valid categories are:

# "code-execution", "crypto-failure", "denial-of-service", "file-disclosure"

# "format-injection", "memory-corruption", "memory-exposure", "privilege-escalation"

categories = ["crypto-failure"]

# Optional: a Common Vulnerability Scoring System score. More information

# can be found on the CVSS website, https://www.first.org/cvss/.

#cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"

# Freeform keywords which describe this vulnerability, similar to Cargo (optional)

keywords = ["ssl", "mitm"]

# Vulnerability aliases, e.g. CVE IDs (optional but recommended)

#aliases = ["CVE-2018-XXXX"]

# Related vulnerabilities (optional)

# e.g. CVE for a C library wrapped by a -sys crate)

#related = ["CVE-2018-YYYY", "CVE-2018-ZZZZ"]

# Optional: the advisory license as an SPDX identifier. The default is "CC0-1.0".

# Accepted values are "CC0-1.0" and "CC-BY-4.0".

# When using "CC-BY-4.0", the `url` field must constain the link to the source

# advisory. This should only be used for advisories imported for the GitHub

# Advisory database ("GHSA").

#license = "CC-BY-4.0"

# Optional: metadata which narrows the scope of what this advisory affects

[affected]

# CPU architectures impacted by this vulnerability (optional).

# Only use this if the vulnerability is specific to a particular CPU architecture,

# e.g. the vulnerability is in x86 assembly.

# For a list of CPU architecture strings, see the "platforms" crate:

# 

#arch = ["x86", "x86_64"]

# Operating systems impacted by this vulnerability (optional)

# Only use this if the vulnerable is specific to a particular OS, e.g. it was

# located in a binding to a Windows-specific API.

# For a list of OS strings, see the "platforms" crate:

# 

#os = ["windows"]

# Table of canonical paths to vulnerable functions (optional)

# mapping to which versions impacted by this advisory used that particular

# name (e.g. if the function was renamed between versions). 

# The path syntax is `cratename::path::to::function`, without any

# parameters or additional information, followed by a list of version reqs.

functions = { "mycrate::MyType::vulnerable_function" = ["< 1.2.0, >= 1.1.0"] }

# Versions which include fixes for this vulnerability (mandatory)

# All selectors supported by Cargo are supported here:

# https://doc.rust-lang.org/cargo/reference/specifying-dependencies.html

# use patched = [] e.g. in case of unmaintained where there is no fix

[versions]

patched = [">= 1.2.0"]

# Versions which were never vulnerable (optional)

#unaffected = ["< 1.1.0"]

```

The above [TOML] "front matter" is followed by the long description in [Markdown] format.

## License

All content in this repository is placed in the public domain, except otherwise specified.

[![Public Domain](http://i.creativecommons.org/p/zero/1.0/88x31.png)](https://github.com/RustSec/advisory-db/blob/main/LICENSES/CC0-1.0.txt)

The exceptions are advisories imported from [GitHub Advisory Database](https://docs.github.com/en/site-policy/github-terms/github-terms-for-additional-products-and-features#advisory-database),

placed under CC-BY 4.0 license.

They contain a `license` field explicitly indicating their license and a `url` field pointing to the original advisory for proper attribution.

[![Creative Commons Attribution](https://licensebuttons.net/l/by/4.0/88x31.png)](https://github.com/RustSec/advisory-db/blob/main/LICENSES/CC-BY-4.0.txt)

[//]: # (badges)

[build-image]: https://github.com/rustsec/advisory-db/workflows/Validate/badge.svg

[build-link]: https://github.com/rustsec/advisory-db/actions

[maintained-image]: https://img.shields.io/maintenance/yes/2024.svg

[chat-image]: https://img.shields.io/badge/zulip-join_chat-blue.svg

[chat-link]: https://rust-lang.zulipchat.com/#narrow/stream/146229-wg-secure-code/

[//]: # (general links)

[EXAMPLE_ADVISORY.md]: https://github.com/RustSec/advisory-db/blob/main/EXAMPLE_ADVISORY.md

[Markdown]: https://www.markdownguide.org/

[TOML]: https://github.com/toml-lang/toml

[cargo-audit]: https://github.com/rustsec/cargo-audit

[cargo-deny]: https://github.com/EmbarkStudios/cargo-deny

[trivy]: https://aquasecurity.github.io/trivy/

[dependabot]: https://docs.github.com/en/code-security/dependabot/dependabot-security-updates/about-dependabot-security-updates

[CONTRIBUTING.md]: https://github.com/RustSec/advisory-db/blob/main/CONTRIBUTING.md

[HOWTO_UNMAINTAINED.md]: ./HOWTO_UNMAINTAINED.md