vulnera-advisor 0.1.7

Aggregates security advisories from GHSA, NVD, OSV, CISA KEV, and more
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119

# Version Registry API

The Version Registry provides integration with package registries to fetch available versions.

## Types

### VersionRegistry Trait

Trait for fetching package versions from registries.

```rust
#[async_trait]
pub trait VersionRegistry: Send + Sync {
    async fn get_versions(&self, ecosystem: &str, package: &str) -> Result<Vec<String>>;
}
```

### PackageRegistry

Multi-ecosystem registry implementation.

```rust
use vulnera_advisor::PackageRegistry;

let registry = PackageRegistry::new();
let versions = registry.get_versions("npm", "lodash").await?;
```

## Supported Ecosystems

| Ecosystem | Registry URL | Aliases |
|-----------|-------------|---------|
| npm | registry.npmjs.org | - |
| PyPI | pypi.org | `pip` |
| Maven | search.maven.org | - |
| Cargo | crates.io | `crates.io` |
| Go | proxy.golang.org | `golang` |
| Composer | repo.packagist.org | `packagist` |
| RubyGems | rubygems.org | `gem`, `bundler` |
| NuGet | api.nuget.org | - |

## Usage Examples

### Basic Version Fetch

```rust
use vulnera_advisor::PackageRegistry;

let registry = PackageRegistry::new();

// npm packages
let versions = registry.get_versions("npm", "lodash").await?;

// Python packages
let versions = registry.get_versions("pypi", "requests").await?;

// Rust crates
let versions = registry.get_versions("cargo", "serde").await?;
```

### Maven Packages

Maven packages require the `group:artifact` format:

```rust
let versions = registry
    .get_versions("maven", "org.apache.logging.log4j:log4j-core")
    .await?;
```

### Custom HTTP Client

```rust
let client = reqwest::Client::builder()
    .timeout(std::time::Duration::from_secs(60))
    .build()?;

let registry = PackageRegistry::with_client(client);
```

### With Remediation

```rust
use vulnera_advisor::{VulnerabilityManager, PackageRegistry};

let manager = VulnerabilityManager::builder()
    .redis_url("redis://localhost:6379")
    .with_osv_defaults()
    .build()?;

let registry = PackageRegistry::new();

let remediation = manager
    .suggest_remediation_with_registry("npm", "lodash", "4.17.20", &registry)
    .await?;

println!("Safe versions available:");
println!("  Nearest: {:?}", remediation.nearest_safe);
println!("  Latest:  {:?}", remediation.latest_safe);
```

## Custom Registry Implementation

Implement `VersionRegistry` for custom package sources:

```rust
use vulnera_advisor::{VersionRegistry, Result};
use async_trait::async_trait;

struct MyRegistry;

#[async_trait]
impl VersionRegistry for MyRegistry {
    async fn get_versions(&self, ecosystem: &str, package: &str) -> Result<Vec<String>> {
        // Fetch versions from your custom source
        Ok(vec!["1.0.0".to_string(), "1.1.0".to_string()])
    }
}
```