A vulnerability database for the Rust ecosystem
Tooling
cargo-audit
Audit Cargo.lock files for crates with security vulnerabilities.

> cargo audit
    Scanning Cargo.lock for vulnerabilities (4 crate dependencies)
Crate:     lz4-sys
Version:   1.9.3
Title:     Memory corruption in liblz4
Date:      2022-08-25
ID:        RUSTSEC-2022-0051
URL:       https://rustsec.org/advisories/RUSTSEC-2022-0051
Solution:  Upgrade to >=1.9.4
Dependency tree:
lz4-sys 1.9.3
└── crate 0.1.0

error: 1 vulnerability found!
cargo-deny
Audit Cargo.lock files for crates with security vulnerabilities, limit the usage of particular dependencies, their licenses and the sources they are downloaded from, detect multiple versions of the same package in the dependency tree, and more.
cargo-auditable
Embed the dependency tree into compiled executables, to make production Rust binaries auditable by cargo-audit.
cargo-audit GitHub action
Audit changes, schedule dependency audits and open issues for found vulnerabilities using cargo-audit with the rust-audit-check GitHub action.
cargo-deny GitHub action
Audit changes and schedule dependency audits using cargo-deny with the cargo-deny-action GitHub action.
Data Interchange

We export all our data to Open Source Vulnerabilities in real time. This enables many other tools, such as Trivy, to access RustSec advisories.
You can access RustSec advisories in the OSV format either directly as a zip archive or using the OSV API.

The GitHub Advisory Database imports our advisories and makes them available in its public API.
This allows Dependabot to fix vulnerable dependencies for you by raising pull requests with security updates.
About
The RustSec Advisory Database is a repository of security advisories filed against Rust crates published via crates.io, maintained by the Rust Secure Code Working Group.