RustSec Advisory Database
The RustSec Advisory Database is a repository of security advisories filed against Rust crates published via https://crates.io
Advisory metadata is stored in TOML format (see below). The following tools consume the data and can be used for auditing and reporing (send PRs to add yours):
- cargo-audit: Audit
Cargo.lockfiles for crates with security vulnerabilities
To report a new vulnerability, open a pull request using the template below. See CONTRIBUTING.md for more information.
Each advisory contains information in TOML format:
[advisory] # Identifier for the advisory (mandatory). Will be assigned a "RUSTSEC-YYYY-NNNN" # identifier e.g. RUSTSEC-2018-0001. Please use "RUSTSEC-0000-0000" in PRs. id = "RUSTSEC-0000-0000" # Name of the affected crate (mandatory) package = "mycrate" # Disclosure date of the advisory as an RFC 3339 date (mandatory) date = "2017-02-25" # Single-line description of a vulnerability (mandatory) title = "Flaw in X allows Y" # Enter a short-form description of the vulnerability here (mandatory) description = """ Affected versions of this crate did not properly X. This allows an attacker to Y. The flaw was corrected by Z. """ # Versions which include fixes for this vulnerability (mandatory) patched_versions = [">= 1.2.0"] # Versions which were never vulnerable (optional) #unaffected_versions = ["< 1.1.0"] # URL to a long-form description of this issue, e.g. a GitHub issue/PR, # a change log entry, or a blogpost announcing the release (optional) url = "https://github.com/mystuff/mycrate/issues/123" # Keywords which describe this vulnerability, similar to Cargo (optional) keywords = ["ssl", "mitm"] # Vulnerability aliases, e.g. CVE IDs (optional but recommended) # Request a CVE for your RustSec vulns: https://iwantacve.org/ #aliases = ["CVE-2018-XXXX"] # References to related vulnerabilities (optional) # e.g. CVE for a C library wrapped by a -sys crate) #references = ["CVE-2018-YYYY", "CVE-2018-ZZZZ"] # CPU architectures impacted by this vulnerability (optional) # For a list of CPU architecture strings, see the "platforms" crate: # <https://docs.rs/platforms/latest/platforms/target/enum.Arch.html> #affected_arch = ["x86", "x86_64"] # Operating systems impacted by this vulnerability (optional) # For a list of OS strings, see the "platforms" crate: # <https://docs.rs/platforms/latest/platforms/target/enum.OS.html> #affected_os = ["windows"]
All content in this repository is placed in the public domain.