As proposed in #240 and tracked in #414, this PR translates all
advisories into the new "V3" advisory format, which is based on Markdown
with leading TOML front matter.
This format makes it easier to see rendered Markdown syntax
descriptions, whether rendered by an IDE or GitHub. This should help
with both crafting advisories initially as well as review, and ideally
encourages more lengthy descriptions.
Support for this format shipped in `cargo-audit` v0.12.0 on
May 6th, 2020.
The vulnerability description for advisory RUSTSEC-2020-0008, "Flaw in
hyper allows request smuggling by sending a body in GET requests", lists
an incorrect patched version. The advisory states that the vulnerability
was fixed in `hyper` 0.12.35, but `hyper`'s changelog [shows][1] that
the patch (hyperium/hyper@23fc8b0) was published in 0.12.34. I believe
that this means that `cargo audit` will incorrectly report patched
versions as vulnerable.
This PR corrects the listed version.
[1]: https://github.com/hyperium/hyper/blob/master/CHANGELOG.md#v01234-2019-09-04
As announced in #228, this commit migrates all advisories to the new V2
format, which splits version information into a separate section, and
now has a structure which corresponds to the internal code structure of
the `rustsec` crate.
This is a breaking change for users of `cargo-audit` < 0.9, and anyone
who has written a 3rd party advisory format parser.
Nobody knows what "dwf" is, and the data isn't presently consumed or
surfaced by the `rustsec` crate, so we (hopefully) can rename it without
breaking anything.
