1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89

//! Advisory information (i.e. the `[advisory]` section)

use super::{
    category::Category, date::Date, id::Id, informational::Informational, keyword::Keyword,
};
use crate::advisory::license::License;
use crate::{collection::Collection, package, SourceId};
use serde::{Deserialize, Serialize};
use url::Url;

/// The `[advisory]` section of a RustSec security advisory
#[derive(Clone, Debug, Deserialize, Eq, PartialEq, Serialize)]
pub struct Metadata {
    /// Security advisory ID (e.g. RUSTSEC-YYYY-NNNN)
    pub id: Id,

    /// Name of affected crate
    pub package: package::Name,

    /// One-liner description of a vulnerability
    #[serde(default)]
    pub title: String,

    /// Extended description of a vulnerability
    #[serde(default)]
    pub description: String,

    /// Date the underlying issue was reported
    pub date: Date,

    /// Advisory IDs in other databases which point to the same advisory
    #[serde(default)]
    pub aliases: Vec<Id>,

    /// Advisory IDs which are related to this advisory.
    /// (use `aliases` for the same vulnerability syndicated to other databases)
    #[serde(default)]
    pub related: Vec<Id>,

    /// Collection this advisory belongs to. This isn't intended to be
    /// explicitly specified in the advisory, but rather is auto-populated
    /// based on the location
    pub collection: Option<Collection>,

    /// RustSec vulnerability categories: one of a fixed list of vulnerability
    /// categorizations accepted by the project.
    #[serde(default)]
    pub categories: Vec<Category>,

    /// Freeform keywords which succinctly describe this vulnerability (e.g. "ssl", "rce", "xss")
    #[serde(default)]
    pub keywords: Vec<Keyword>,

    /// CVSS v3.1 Base Metrics vector string containing severity information.
    ///
    /// Example:
    ///
    /// ```text
    /// CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    /// ```
    pub cvss: Option<cvss::v3::Base>,

    /// Informational advisories can be used to warn users about issues
    /// affecting a particular crate without failing the build.
    pub informational: Option<Informational>,

    /// Additional reference URLs with more information related to this advisory
    #[serde(default)]
    pub references: Vec<Url>,

    /// Source URL where the vulnerable package is located/published.
    ///
    /// Defaults to crates.io, i.e. `registry+https://github.com/rust-lang/crates.io-index`
    pub source: Option<SourceId>,

    /// URL with an announcement (e.g. blog post, PR, disclosure issue, CVE)
    pub url: Option<Url>,

    /// Was this advisory (i.e. itself, regardless of the crate) withdrawn?
    /// If yes, when?
    ///
    /// This can be used to soft-delete advisories which were filed in error.
    #[serde(default)]
    pub withdrawn: Option<Date>,

    /// License under which the advisory content is available
    #[serde(default)]
    pub license: License,
}