
Consider adding PURL to advisories

Open pombredanne opened this issue 4 months ago • 2 comments

crates.io now lists a PURL on each crate's page, like pkg:cargo/[email protected] for https://crates.io/crates/aho-corasick

It would be awesome to also adopt PURL in the advisories here, especially since CVE.org is fast tracking adopting PURL in the CVE schema.

Tell me how I can help!

pombredanne, Aug 12 '25 08:08

I don't think it makes sense to have PURL in the advisory sources as the database only covers crates.io by definition. We already have PURL in the OSV export (cf. https://github.com/rustsec/advisory-db/blob/05d9e27d8aa9c46d5fd793e386fbef9460700eda/crates/RUSTSEC-2016-0002.json#L25).

We could add them on the advisory pages in https://rustsec.org (the source is located in https://github.com/rustsec/rustsec/tree/main/admin)

amousset, Aug 12 '25 08:08

Advisories do have a source field which can be used to file advisories against non-crates.io repos, in case anyone wants an internal deployment of RustSec.

These use the source URL format from Cargo.lock, e.g. source = "registry+https://github.com/rust-lang/crates.io-index"

tarcieri, Aug 13 '25 13:08
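The two identifier forms the thread mentions, side by side, as an added example that is not part of this issue or of the RustSec project's code: a small Rust program that reads `[[package]]` entries from a constructed Cargo.lock fragment and derives a `pkg:cargo` PURL for each, passing crates.io packages through in the bare form, recording an alternative registry with a `repository_url` qualifier (the percent-encoding convention is an assumption), and producing nothing for git and path sources. The aho-corasick version in the sample is made up for the example.

```rust
// Added example (not RustSec code): derive a PURL for each [[package]] entry of a Cargo.lock.
const CRATES_IO_INDEX: &str = "registry+https://github.com/rust-lang/crates.io-index";

/// Constructed sample Cargo.lock (the aho-corasick version is made up for the example).
pub const SAMPLE_LOCK: &str = r#"[[package]]
name = "aho-corasick"
version = "1.1.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
[[package]]
name = "internal-crate"
version = "0.2.0"
source = "registry+https://registry.example.com/index"
[[package]]
name = "my-app"
version = "0.1.0"
"#;
/// One [[package]] entry; `source` is absent for path dependencies.
pub struct LockEntry { pub name: String, pub version: String, pub source: Option<String> }
/// Minimal line-oriented parser for the [[package]] tables of a Cargo.lock file.
pub fn parse_lock(text: &str) -> Vec<LockEntry> {
    let mut entries = Vec::new();
    let mut cur: [Option<String>; 3] = [None, None, None]; // name, version, source
    // The chained "[[package]]" sentinel flushes the final entry.
    for line in text.lines().chain(std::iter::once("[[package]]")) {
        if let Some((key, val)) = line.trim().split_once(" = ") {
            let idx = match key { "name" => 0, "version" => 1, "source" => 2, _ => continue };
            cur[idx] = Some(val.trim_matches('"').to_string());
        } else if line.trim() == "[[package]]" {
            if let [Some(name), Some(version), source] = std::mem::take(&mut cur) {
                entries.push(LockEntry { name, version, source });
            }
        }
    }
    entries
}

/// crates.io packages get the bare `pkg:cargo/name@version` (crate names are [A-Za-z0-9_-],
/// so need no encoding); other registries carry a `repository_url` qualifier.
pub fn purl_from_lock_entry(e: &LockEntry) -> Option<String> {
    let base = format!("pkg:cargo/{}@{}", e.name, e.version);
    let source = e.source.as_deref()?; // path dependency: no PURL
    if source == CRATES_IO_INDEX { return Some(base); }
    let url = source.strip_prefix("registry+")?; // git source: not a registry package
    // Percent-encode the qualifier; unreserved chars plus ':' and '/' are kept (assumed to match common PURL tools).
    let enc: String = url.bytes().map(|b| match b {
        b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'-' | b'.' | b'_' | b'~' | b':' | b'/' => (b as char).to_string(),
        _ => format!("%{:02X}", b),
    }).collect();
    Some(format!("{}?repository_url={}", base, enc))
}
```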