Struct VulnFinding 

pub struct VulnFinding {
    pub advisory_id: String,
    pub aliases: Vec<String>,
    pub ecosystem: Ecosystem,
    pub title: String,
    pub severity: Severity,
    pub cvss_score: Option<f32>,
    pub url: Option<String>,
    pub occurrences: Vec<Occurrence>,
    pub affected_functions: Vec<String>,
    pub reachable: Option<bool>,
    pub reachability: Option<Reachability>,
    pub exploit: Exploitability,
}

A vulnerability (a real CVE-class advisory), correlated across the fleet.

Fields

advisory_id: String

Canonical RUSTSEC-YYYY-NNNN — the group key.

aliases: Vec<String>

CVE/GHSA ids — metadata for cross-reference, never the key.

ecosystem: Ecosystem

Which ecosystem this finding came from. Additive — omitted from JSON for the common Cargo case, so schema_version: 1 output is unaffected; the fleetreach-go feeder sets Ecosystem::Go so a mixed fleet groups crates and Go modules separately.

title: String

severity: Severity

cvss_score: Option<f32>

CVSS base score (0.0–10.0) behind severity, when one is known — from the advisory’s own CVSS, or backfilled from NVD by --enrich. Additive; omitted from JSON when absent (advisories with no CVSS at all).

url: Option<String>

occurrences: Vec<Occurrence>

At least one; the same advisory may surface in many repos/versions.

affected_functions: Vec<String>

Canonical paths to the specific functions/types the advisory marks vulnerable at the installed version (time::Time::from_hms_nano, …), when the advisory scopes itself that way — so you can check whether you call any of them. Empty when the advisory affects the whole crate. Additive; omitted from JSON when empty.

reachable: Option<bool>

A heuristic (--reachability): does an affected function name appear in the affected repos’ own source? Some(true) = yes, Some(false) = not found in your source (it could still be reached through a dependency — this only scans your code), None = not checked or the advisory names no functions. Never proves absence; never auto-suppresses by default.

reachability: Option<Reachability>

Static reachability (--reachability=static): a sound call-graph verdict over the compiled crate closure, with a witness chain when reachable. Far stronger than reachable (the grep heuristic) — a NotReachable here is trusted enough to suppress. Additive; absent unless the static engine ran.

exploit: Exploitability

Exploit-risk enrichment; default (empty) until --enrich runs.

Trait Implementations

impl Clone for VulnFinding

fn clone(&self) -> VulnFinding

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for VulnFinding

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl<'de> Deserialize<'de> for VulnFinding

fn deserialize<__D>(__deserializer: __D) -> Result<Self, __D::Error>

where __D: Deserializer<'de>,

Deserialize this value from the given Serde deserializer.

impl PartialEq for VulnFinding

fn eq(&self, other: &VulnFinding) -> bool

Tests for self and other values to be equal, and is used by ==.

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.

impl Serialize for VulnFinding

fn serialize<__S>(&self, __serializer: __S) -> Result<__S::Ok, __S::Error>

where __S: Serializer,

Serialize this value into the given Serde serializer.

impl StructuralPartialEq for VulnFinding