rustsec 0.32.0

Client library for the RustSec security advisory database
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76

//! The `[versions]` subsection of an advisory.

use crate::{Error, osv};
use semver::{Version, VersionReq};
use serde::{Deserialize, Serialize};

/// The `[versions]` subsection of an advisory: future home to information
/// about which versions are patched and/or unaffected.
#[derive(Clone, Debug, Default, Deserialize, Eq, PartialEq, Serialize)]
#[serde(try_from = "RawVersions")]
pub struct Versions {
    /// Versions which are patched and not vulnerable (expressed as semantic version requirements)
    patched: Vec<VersionReq>,

    /// Versions which were never affected in the first place
    #[serde(default)]
    unaffected: Vec<VersionReq>,
}

impl Versions {
    /// Is the given version of a package vulnerable?
    pub fn is_vulnerable(&self, version: &Version) -> bool {
        for range in osv::ranges_for_advisory(self).iter() {
            if range.affects(version) {
                return true;
            }
        }
        false
    }

    /// Creates a new `[versions]` entry.
    /// Checks consistency of the passed version requirements.
    pub fn new(patched: Vec<VersionReq>, unaffected: Vec<VersionReq>) -> Result<Self, Error> {
        RawVersions {
            patched,
            unaffected,
        }
        .try_into()
    }

    /// Versions which are patched and not vulnerable (expressed as semantic version requirements)
    pub fn patched(&self) -> &[VersionReq] {
        self.patched.as_slice()
    }

    /// Versions which were never affected in the first place
    pub fn unaffected(&self) -> &[VersionReq] {
        self.unaffected.as_slice()
    }
}

impl TryFrom<RawVersions> for Versions {
    type Error = Error;

    fn try_from(raw: RawVersions) -> Result<Self, Self::Error> {
        validate_ranges(&raw)?;
        Ok(Versions {
            patched: raw.patched,
            unaffected: raw.unaffected,
        })
    }
}

#[derive(Clone, Debug, Default, Deserialize, Eq, PartialEq, Serialize)]
/// Raw deserialized data that didn't pass validation yet
pub(crate) struct RawVersions {
    pub patched: Vec<VersionReq>,

    #[serde(default)]
    pub unaffected: Vec<VersionReq>,
}

fn validate_ranges(versions: &RawVersions) -> Result<(), Error> {
    let _ = osv::ranges_for_unvalidated_advisory(versions)?;
    Ok(())
}