-
Notifications
You must be signed in to change notification settings - Fork 91
Advisories
crev
's package reviews come with a simple advisory system
A package review can optionally include an advisory. That marks this specific version to contain an important fix, that should urge users of previous versions to upgrade.
Example of a package review containing an advisory:
version: -1
date: "2019-04-22T21:53:15.382584127-07:00"
from:
id-type: crev
id: ZLBAs8cpEy-sIP0ORhOzrxcBxVJQx4Ie6I-b5SLkXE4
url: "https://github.com/dpc/crev-proofs-test"
package:
source: "https://crates.io"
name: base64
version: 0.5.2
digest: wMN3VR6EWaI5i7BCYScLsbC1irWcLsEc3TAouoaGoK8
review:
thoroughness: none
understanding: none
rating: positive
advisory:
affected: major
critical: true
comment: "https://github.com/RustSec/advisory-db/blob/master/crates/base64/RUSTSEC-2017-0004.toml"
This review marks Rust crate base64
in version 0.5.2
as containing an important fix to an issue potentially in all previous versions.
affected
sets the range of versions that might have been affected. major
means "all previous releases in the same major cycle"
critical
should be set to true when the advisory of particular important (typically: security fix).
Both advisories itself and critical
field in particular are left for the authors and community to develop good standards on. Overusing them might lead to people distrusting the author altogether.
With cargo crev
a review can be set to include advisory with:
cargo crev advise major [name [version]]
Advisories will be displayed in cargo crev verify deps
view under its own column. They can also be queried manually with:
cargo crev query advisory [name [version]]