mirror of https://github.com/OMGeeky/advisory-db.git synced 2025-12-30 08:13:58 +01:00

Go to file

Tony Arcieri c28b7ceb38 Separate "unaffected_versions" and "patched_versions"

Taking a cue from RubySec, this splits the original "versions" attribute into
separate ones for versions which were never vulnerable, and ones which include
an explicit fix for a vulnerability.

2017-02-25 15:35:43 -08:00

LICENSE.txt

Dedicate advisory database to the public domain

2017-02-25 15:10:28 -08:00

README.md

Separate "unaffected_versions" and "patched_versions"

2017-02-25 15:35:43 -08:00

README.md

RustSec Advisory Database

The RustSec Advisory Database is a repository of security advisories filed against Rust crates published via https://crates.io

Advisory metadata is stored in TOML format for cargo-audit and other automated tools to consume.

Format

Each advisory contains information in TOML format:

[vulnerability]
package = "mypackage"

# Versions which were never vulnerable
unaffected_versions = ["< 1.1.0"]

# Versions which include fixes for this vulnerability
patched_versions = [">= 1.2.0"]

# It is strongly recommended to request a CVE, or alternatively a DWF, and
# reference the assigned number here.
# - CVE: https://iwantacve.org/
# - DWF: https://distributedweaknessfiling.org/
dwf = []
# dwf = ["CVE-YYYY-XXXX"]
# dwf = ["CVE-YYYY-XXXX", "CVE-ZZZZ-WWWW"]

# URL to a long-form description of this issue, e.g. a blogpost announcing
# the release or a changelog entry (optional)
url = false

# Enter a short-form description of the vulnerability here (required)
description = """
Affected versions of this crate did not properly X.

This allows an attacker to Y.
 
The flaw was corrected by Z.
"""

License

All content in this repository is placed in the public domain.