
1//! Advisory information (i.e. the `[advisory]` section)
2
3use super::{
4    category::Category, date::Date, id::Id, informational::Informational, keyword::Keyword,
5};
6use crate::advisory::license::License;
7use crate::{SourceId, collection::Collection, package};
8use serde::{Deserialize, Serialize};
9use url::Url;
10
/// The `[advisory]` section of a RustSec security advisory.
///
/// Parsed from the advisory's TOML via the derived `Deserialize` and written
/// back out via `Serialize`; `Eq`/`PartialEq` let two parsed advisories be
/// compared for equality. Fields carrying `#[serde(default)]` may be omitted
/// from the file; `Option` fields deserialize to `None` when absent; the
/// remaining fields (`id`, `package`, `date`) are required and their absence
/// is a parse error.
///
/// NOTE(review): this type performs no validation beyond what the field types
/// (`Id`, `Url`, `Date`, `cvss::v3::Base`, ...) enforce on parse. The values
/// are authored advisory content, so consumers that render or follow
/// `references`/`url` should treat them as advisory-author-supplied links.
#[derive(Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub struct Metadata {
    /// Security advisory ID (e.g. RUSTSEC-YYYY-NNNN). Required.
    pub id: Id,

    /// Name of affected crate. Required.
    pub package: package::Name,

    /// One-liner description of a vulnerability.
    ///
    /// Optional in the file: a missing `title` deserializes as the empty
    /// string rather than failing, so callers must not assume it is non-empty.
    #[serde(default)]
    pub title: String,

    /// Extended description of a vulnerability.
    ///
    /// Like `title`, this defaults to the empty string when omitted.
    #[serde(default)]
    pub description: String,

    /// Date the underlying issue was reported. Required.
    pub date: Date,

    /// Advisory IDs in other databases which point to the same advisory
    /// (e.g. a CVE or GHSA identifier for this exact vulnerability).
    /// Empty when omitted.
    #[serde(default)]
    pub aliases: Vec<Id>,

    /// Advisory IDs which are related to this advisory.
    /// (use `aliases` for the same vulnerability syndicated to other databases)
    /// Empty when omitted.
    #[serde(default)]
    pub related: Vec<Id>,

    /// Collection this advisory belongs to. This isn't intended to be
    /// explicitly specified in the advisory, but rather is auto-populated
    /// based on the location.
    ///
    /// NOTE(review): nothing on this field (e.g. `#[serde(skip_deserializing)]`)
    /// stops a `collection` key present in the TOML from being accepted by the
    /// derived `Deserialize`; any enforcement of "not explicitly specified"
    /// happens elsewhere — TODO confirm.
    pub collection: Option<Collection>,

    /// RustSec vulnerability categories: one of a fixed list of vulnerability
    /// categorizations accepted by the project. Empty when omitted; an
    /// unknown category name is rejected by `Category`'s own deserializer,
    /// not here.
    #[serde(default)]
    pub categories: Vec<Category>,

    /// Freeform keywords which succinctly describe this vulnerability (e.g. "ssl", "rce", "xss").
    /// Empty when omitted.
    #[serde(default)]
    pub keywords: Vec<Keyword>,

    /// CVSS v3.1 Base Metrics vector string containing severity information.
    ///
    /// Example:
    ///
    /// ```text
    /// CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    /// ```
    ///
    /// `None` when no score has been assigned. Stored as a parsed
    /// `cvss::v3::Base`, so (presumably — this relies on the `cvss` crate's
    /// `Deserialize` impl) a malformed vector is rejected at load time rather
    /// than when a score is later computed.
    pub cvss: Option<cvss::v3::Base>,

    /// Informational advisories can be used to warn users about issues
    /// affecting a particular crate without failing the build.
    ///
    /// `None` means this is a regular (non-informational) vulnerability
    /// advisory; the distinction matters to consumers deciding whether the
    /// advisory should fail a build.
    pub informational: Option<Informational>,

    /// Additional reference URLs with more information related to this advisory.
    /// Empty when omitted; each entry must parse as a `Url`.
    #[serde(default)]
    pub references: Vec<Url>,

    /// Source URL where the vulnerable package is located/published.
    ///
    /// Defaults to crates.io, i.e. `registry+https://github.com/rust-lang/crates.io-index`
    ///
    /// The field itself is simply `None` when omitted; the crates.io fallback
    /// described above is applied by whatever consumes this value, not by this
    /// struct — TODO confirm where.
    pub source: Option<SourceId>,

    /// URL with an announcement (e.g. blog post, PR, disclosure issue, CVE).
    /// `None` when there is no single canonical announcement.
    pub url: Option<Url>,

    /// Was this advisory (i.e. itself, regardless of the crate) withdrawn?
    /// If yes, when?
    ///
    /// This can be used to soft-delete advisories which were filed in error.
    /// A withdrawn advisory still parses and round-trips like any other;
    /// skipping it is the consumer's responsibility. (`default` is redundant
    /// on an `Option` — serde already maps a missing key to `None` — but
    /// harmless.)
    #[serde(default)]
    pub withdrawn: Option<Date>,

    /// License under which the advisory content is available.
    ///
    /// Falls back to `License::default()` when the file has no `license` key;
    /// which license that is lives in `advisory::license`.
    #[serde(default)]
    pub license: License,
}