Exploit-risk enrichment from external feeds: the CISA Known Exploited Vulnerabilities (KEV) catalog, FIRST’s EPSS scores, and NVD CVSS severity.
This crosses the lockfile/rustsec trust boundary into external HTTP feeds, so
it is opt-in (--enrich, or implied by --fail-on-kev/--min-epss) and
best-effort: a feed that is unreachable or malformed degrades the enrichment
rather than failing the scan. Each feed is authoritative for its own signal and
served as structured JSON, and each is parsed, not trusted.
--kev-file/--epss-file substitute local copies of the feeds for offline/CI use.
Advisories are matched by their CVE aliases: KEV, EPSS, and NVD are keyed by CVE.
NVD CVSS is a severity backfill: RustSec advisories for vendored C
libraries (e.g. openssl-src) carry no CVSS of their own, so they scan with
unknown severity even when the underlying CVE is HIGH (RUSTSEC-2022-0014 =
CVE-2022-0778, CVSS 7.5). When a finding is unknown but has a CVE alias, we
pull the CVSS base score from NVD and fill in the real severity. An optional
NVD_API_KEY env var raises NVD's rate limit; without it, NVD throttles
unauthenticated clients much more aggressively.
Structs§
- Enrichment
- CVE → exploit signals, used to annotate findings.
Functions§
- rank
- Re-rank by exploit risk: KEV first, then EPSS desc, then severity desc, then id — the action queue.