Module synchronizer

RustSec Advisory DB Synchronizer

Update the RustSec advisories from external sources. We use the OSV format as input, as it is the interoperable standard.

GitHub Advisory Database

Our unique source of external information is the GitHub Advisory Database. Their Rust vulnerabilities have various possible origins:

  • Reported directly to GitHub using their built-in security advisories feature
  • Imported from a CVE, using metadata from NVD
  • Imported from RustSec. When importing a RustSec advisory, they assign it a GHSA ID and a CVE ID.

The data from this database allows us to:

  • Find advisories missing in RustSec
    • We want to manually review those before importing them, to ensure the content matches our standards and processes.
  • Add GHSA and CVE aliases to our vulnerabilities. CVE IDs are especially important as they are the most widely used vulnerability identifiers.
  • Add missing metadata to our advisories

GitHub exposes a GraphQL API, but we chose to use their OSV export as a source.

osv.dev

osv.dev imports from both GitHub Security Advisories and RustSec, and exposes its advisories through both an HTTP API and ZIP files.

Workflow:

         ┌───────────────────────────────────┐
         │                                   │
    ┌────┴────┐         ┌─────────┐        ┌─▼────┐
    │ RustSec │─────────▶ OSV.dev ◀────────│ GHSA │
    └────▲────┘         └────┬────┘        └──────┘
         │                   │
         └───────────────────┘

We use the ZIP file export as a source as we need all advisories at once.

The file containing crates.io vulnerabilities is available with:

gsutil cp gs://osv-vulnerabilities/crates.io/all.zip .
# or
curl -o advisories.zip https://osv-vulnerabilities.storage.googleapis.com/crates.io/all.zip

Sync process

Get aliases for advisories imported from RustSec

We can detect advisories imported from RustSec quite reliably by looking for a reference to the advisory file in the advisory-db repository. In this case, we also check that exactly one RustSec advisory is referenced, to make sure it is really an alias rather than a record covering several advisories.

Then we can add the GHSA id and the CVE id as aliases in the RustSec advisory.

List missing advisories

When an advisory contains no reference to an existing RustSec advisory, it is likely missing from RustSec.
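The two steps above (alias detection and listing missing advisories), as an added example that is not the synchronizer's own code: given an OSV record's id, aliases and references, it extracts RustSec ids from advisory-db URLs (the repository URL shape is an assumption), treats a record referencing exactly one RustSec advisory as a source of GHSA/CVE aliases, flags a record referencing several as ambiguous, and reports a record with no advisory-db reference as missing. All ids in the tests are constructed placeholders.

```rust
// Added example, not the synchronizer's own code: classify OSV records as the
// sync process describes. The advisory-db URL shape and all ids are assumptions.

/// The parts of an OSV record the classification needs (real records carry more).
struct OsvRecord<'a> {
    id: &'a str,
    aliases: &'a [&'a str],
    references: &'a [&'a str],
}

#[derive(Debug, PartialEq)]
enum Outcome {
    /// Exactly one RustSec advisory referenced: add these aliases to it.
    AliasOf { rustsec_id: String, aliases: Vec<String> },
    /// Several distinct RustSec advisories referenced: not a plain alias, review by hand.
    Ambiguous(Vec<String>),
    /// No advisory-db reference at all: likely missing from RustSec, queue for review.
    Missing,
}

/// Pull a `RUSTSEC-YYYY-NNNN` id out of a reference URL, accepting only URLs into
/// the advisory-db repository so that a stray mention elsewhere is ignored.
fn rustsec_id_from_reference(url: &str) -> Option<String> {
    if !url.contains("github.com/rustsec/advisory-db/") {
        return None;
    }
    let start = url.find("RUSTSEC-")?;
    let id = url.get(start..start + 17)?; // "RUSTSEC-" + 4 digits + "-" + 4 digits
    let b = id.as_bytes();
    let digits = |r: std::ops::Range<usize>| b[r].iter().all(u8::is_ascii_digit);
    (digits(8..12) && b[12] == b'-' && digits(13..17)).then(|| id.to_string())
}

fn classify(record: &OsvRecord) -> Outcome {
    let mut ids: Vec<String> =
        record.references.iter().filter_map(|r| rustsec_id_from_reference(r)).collect();
    ids.sort();
    ids.dedup();
    match ids.len() {
        0 => Outcome::Missing,
        1 => {
            // Aliases for the RustSec advisory: the GHSA id plus its non-RustSec aliases (CVEs).
            let mut aliases = vec![record.id.to_string()];
            aliases.extend(record.aliases.iter().filter(|a| !a.starts_with("RUSTSEC-")).map(|a| a.to_string()));
            Outcome::AliasOf { rustsec_id: ids.remove(0), aliases }
        }
        _ => Outcome::Ambiguous(ids),
    }
}
```

Run over every record in the OSV ZIP export, `AliasOf` results feed the alias update and `Missing` results the manual review queue; `Ambiguous` records are left for a human to sort out.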

Structs

Synchronizer
Advisory synchronizer