pub struct Advisory {
pub source: &'static str,
pub id: String,
pub aliases: Vec<String>,
pub package: String,
pub vulnerable_range: String,
pub severity: Option<Severity>,
pub title: String,
pub url: Option<String>,
pub cwe: Vec<String>,
pub cvss_score: Option<f64>,
pub cvss_vector: Option<String>,
pub matched_version: String,
}Expand description
One vulnerability advisory, normalized across sources into a single shape.
Fields§
§source: &'static strThe reporting source’s name ("npm", "osv", …) — matches AdvisorySource::name.
id: StringThe source-native id — a GHSA-… for both v1 sources (npm’s numeric id is folded away when a
GHSA is recoverable).
aliases: Vec<String>Cross-reference ids (GHSA-…, CVE-…) used to recognize the same vulnerability across
sources — the key dedup_advisories joins on.
package: StringThe package name this advisory concerns.
vulnerable_range: StringThe affected version range, as a string the npm/Range grammar accepts — npm’s raw
vulnerable_versions, or a >=/< range synthesized from OSV’s structured events.
severity: Option<Severity>Normalized severity, when the source provides one.
title: StringShort human title / summary.
url: Option<String>A canonical advisory URL, when known.
cwe: Vec<String>CWE identifiers (CWE-79, …).
cvss_score: Option<f64>CVSS base score, when the source provides a numeric one (npm does; OSV usually doesn’t).
cvss_vector: Option<String>CVSS vector string, when present.
matched_version: StringThe installed version this advisory was matched against — set by build_report; empty
until then.