The RustSec Advisory Database is a repository of security advisories filed against Rust crates published via https://crates.io. A human-readable version of the advisory database can be found at https://rustsec.org/advisories/.
We also export data to the OSV format. All our data is available on osv.dev and through their API.
GitHub Advisory Database imports our advisories.
The following tools consume this advisory database and can be used for auditing and reporting (send PRs to add yours):
- cargo-audit: Audit
Cargo.lock
files for crates with security vulnerabilities - cargo-deny: Audit
Cargo.lock
files for crates with security vulnerabilities, limit the usage of particular dependencies, their licenses, sources to download from, detect multiple versions of same packages in the dependency tree and more. - trivy: A simple and comprehensive vulnerability/misconfiguration/secret scanner for containers and other artifacts. Trivy detects vulnerabilities of OS packages and language-specific packages. Works via OSV.
- dependabot: Dependabot can fix vulnerable dependencies for you by raising pull requests with security updates. Works via GHSA.
To report a new vulnerability, open a pull request using the template below. See CONTRIBUTING.md for more information.
See HOWTO_UNMAINTAINED.md before filing an advisory for an unmaintained crate.
See EXAMPLE_ADVISORY.md for a template.
Advisories are formatted in Markdown with TOML "front matter".
Below is the schema of the TOML "front matter" section of an advisory:
# Before you submit a PR using this template, **please delete the comments**
# explaining each field, as well as any unused fields.
[advisory]
# Identifier for the advisory (mandatory). Will be assigned a "RUSTSEC-YYYY-NNNN"
# identifier e.g. RUSTSEC-2018-0001. Please use "RUSTSEC-0000-0000" in PRs.
id = "RUSTSEC-0000-0000"
# Name of the affected crate (mandatory)
package = "mycrate"
# Disclosure date of the advisory as an RFC 3339 date (mandatory)
date = "2021-01-31"
# Whether the advisory is withdrawn (optional)
#withdrawn = "YYYY-MM-DD"
# URL to a long-form description of this issue, e.g. a GitHub issue/PR,
# a change log entry, or a blogpost announcing the release (optional, except
# for advisories using a license that requires attribution).
url = "https://github.com/mystuff/mycrate/issues/123"
# URL to additional helpful references regarding the advisory (optional)
#references = ["https://github.com/mystuff/mycrate/discussions/1"]
# Optional: Indicates the type of informational security advisory
# - "unsound" for soundness issues
# - "unmaintained" for crates that are no longer maintained
# - "notice" for other informational notices
#informational = "unmaintained"
# Optional: Categories this advisory falls under. Valid categories are:
# "code-execution", "crypto-failure", "denial-of-service", "file-disclosure"
# "format-injection", "memory-corruption", "memory-exposure", "privilege-escalation"
categories = ["crypto-failure"]
# Optional: a Common Vulnerability Scoring System score. More information
# can be found on the CVSS website, https://www.first.org/cvss/.
#cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
# Freeform keywords which describe this vulnerability, similar to Cargo (optional)
keywords = ["ssl", "mitm"]
# Vulnerability aliases, e.g. CVE IDs (optional but recommended)
#aliases = ["CVE-2018-XXXX"]
# Related vulnerabilities (optional)
# e.g. CVE for a C library wrapped by a -sys crate)
#related = ["CVE-2018-YYYY", "CVE-2018-ZZZZ"]
# Optional: the advisory license as an SPDX identifier. The default is "CC0-1.0".
# Accepted values are "CC0-1.0" and "CC-BY-4.0".
# When using "CC-BY-4.0", the `url` field must contain the link to the source
# advisory. This should only be used for advisories imported for the GitHub
# Advisory database ("GHSA").
#license = "CC-BY-4.0"
# Optional: metadata which narrows the scope of what this advisory affects
[affected]
# CPU architectures impacted by this vulnerability (optional).
# Only use this if the vulnerability is specific to a particular CPU architecture,
# e.g. the vulnerability is in x86 assembly.
# For a list of CPU architecture strings, see the "platforms" crate:
# <https://docs.rs/platforms/latest/platforms/target/enum.Arch.html>
#arch = ["x86", "x86_64"]
# Operating systems impacted by this vulnerability (optional)
# Only use this if the vulnerable is specific to a particular OS, e.g. it was
# located in a binding to a Windows-specific API.
# For a list of OS strings, see the "platforms" crate:
# <https://docs.rs/platforms/latest/platforms/target/enum.OS.html>
#os = ["windows"]
# Table of canonical paths to vulnerable functions (optional)
# mapping to which versions impacted by this advisory used that particular
# name (e.g. if the function was renamed between versions).
# The path syntax is `cratename::path::to::function`, without any
# parameters or additional information, followed by a list of version reqs.
functions = { "mycrate::MyType::vulnerable_function" = ["< 1.2.0, >= 1.1.0"] }
# Versions which include fixes for this vulnerability (mandatory)
# All selectors supported by Cargo are supported here:
# https://doc.rust-lang.org/cargo/reference/specifying-dependencies.html
# use patched = [] e.g. in case of unmaintained where there is no fix
[versions]
patched = [">= 1.2.0"]
# Versions which were never vulnerable (optional)
#unaffected = ["< 1.1.0"]
The above TOML "front matter" is followed by the long description in Markdown format.
All content in this repository is placed in the public domain, except otherwise specified.
The exceptions are advisories imported from GitHub Advisory Database,
placed under CC-BY 4.0 license.
They contain a license
field explicitly indicating their license and a url
field pointing to the original advisory for proper attribution.