Sergey "Shnatsel" Davidoff
How do I disable caching? Remove the cache job from the CI specification of this branch?
Most jobs don't seem to use cache as it is. I have dropped it from the one job that did have it, but that had no effect.
Dropping Cargo.lock from the tree did help, but I don't understand why.
To which command should I pass `--locked`?
Well, writing tests has caught a genuine bug: the --db parameter is not honored by the `bin` subcommand. That's a blocker.
> I don't know how much fuzz testing is/was done for ring, rustls, and reqwest. Merely feeding real-world data to `ring` has already [revealed issues](https://github.com/briansmith/ring/issues/929), so I do not expect...
I've opened a PR that should fix that: https://github.com/rustsec/advisory-db/pull/1332
We really need something like this! Thanks for writing it! I have been [experimenting](https://github.com/rustsec/rustsec/tree/ghsa) with this as well, although I was querying the GHSA API, not OSV data. I was...
Example of poor version specification when exporting from GHSA to OSV: https://github.com/paritytech/frontier/security/advisories/GHSA-mjvm-mhgc-q4gp gets exported to https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/08/GHSA-mjvm-mhgc-q4gp/GHSA-mjvm-mhgc-q4gp.json which omits the Git ranges, then (rightfully) shows up on OSV website as "no...
GHSA is [actually under CC-BY](https://docs.github.com/en/site-policy/github-terms/github-terms-for-additional-products-and-features#advisory-database), and yes, that's possible. We would need to add a license field and a field for the attribution link, and also display those on the...