Dawid Ciężarkiewicz edited this page Apr 26, 2019 · 4 revisions

crev's package reviews come with a simple advisory system

A package review can optionally include an advisory. It marks this specific version as containing an important fix that should urge users of previous versions to upgrade.

Explanation

Example of a package review containing an advisory:

version: -1
date: "2019-04-22T21:53:15.382584127-07:00"
from:
  id-type: crev
  id: ZLBAs8cpEy-sIP0ORhOzrxcBxVJQx4Ie6I-b5SLkXE4
  url: "https://github.com/dpc/crev-proofs-test"
package:
  source: "https://crates.io"
  name: base64
  version: 0.5.2
  digest: wMN3VR6EWaI5i7BCYScLsbC1irWcLsEc3TAouoaGoK8
review:
  thoroughness: none
  understanding: none
  rating: positive
advisory:
  affected: major
  critical: true
comment: "https://github.com/RustSec/advisory-db/blob/master/crates/base64/RUSTSEC-2017-0004.toml"

This review marks Rust crate base64 version 0.5.2 as containing an important fix for an issue potentially present in all previous versions.

affected sets the range of versions that might have been affected. major means "all previous releases in the same major cycle".

critical should be set to true when the advisory is of particular importance (typically: a security fix).

Both advisories themselves and the critical field in particular are left for authors and the community to develop good standards on. Overusing them might lead to people distrusting the author altogether.
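As an added illustration (not code from crev or this wiki), here is how a tool could apply the affected: major rule above to decide whether an installed crate version falls under the advisory. parse_proof, is_affected and check are hypothetical helpers, and the embedded proof is the page's example trimmed to the fields used.

```python
from typing import Any, Dict, Tuple

# Constructed sample: the proof shown above, trimmed to the fields used here.
PROOF = """\
package:
  source: "https://crates.io"
  name: base64
  version: 0.5.2
advisory:
  affected: major
  critical: true
"""

def parse_proof(text: str) -> Dict[str, Any]:
    """Minimal reader for the two-level `key: value` layout of a crev proof
    (hypothetical helper; real tooling would use a YAML library)."""
    doc: Dict[str, Any] = {}
    section: Dict[str, Any] = doc  # top level until a section header is seen
    for raw in text.splitlines():
        if not raw.strip():
            continue
        key, _, value = raw.strip().partition(":")  # split on first ':' only
        value = value.strip().strip('"')
        if raw.startswith("  "):          # indented: field of current section
            section[key] = value
        elif value == "":                 # bare `name:` opens a new section
            section = doc[key] = {}
        else:                             # top-level scalar, e.g. version: -1
            doc[key] = value
    return doc

def parse_version(v: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in v.split("."))

def is_affected(proof: Dict[str, Any], installed: str) -> bool:
    """affected: major covers every release before the fixed version in the
    same major cycle (the only range value this page defines)."""
    advisory = proof.get("advisory")
    if not advisory:
        return False
    if advisory.get("affected") != "major":
        raise ValueError(f"unsupported affected range: {advisory.get('affected')}")
    fixed = parse_version(proof["package"]["version"])
    have = parse_version(installed)
    return have[0] == fixed[0] and have < fixed

def check(proof_text: str, installed: str) -> Tuple[bool, bool]:
    """Return (affected, critical) so a tool can rank the advisory."""
    proof = parse_proof(proof_text)
    affected = is_affected(proof, installed)
    return affected, affected and proof["advisory"].get("critical") == "true"
```

The major component is compared literally, following the wiki's wording; 0.x releases get no special treatment here.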

Usage

With cargo crev, a review can be set to include an advisory with:

cargo crev advise major [name [version]]

Advisories are displayed in the cargo crev verify deps view in their own column. They can also be queried manually with:

cargo crev query advisory [name [version]]