All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
- `registry::CachedIndex`, which is orders of magnitude faster than `registry::Index` when scanning multiple `Cargo.lock` files or binaries (#730)
- Fixed `withdrawn` (#642)
- Deprecate `yanked` (#631)
- Bump `git2` dependency to v0.14; MSRV 1.57 (#524)
- Bump `platforms` dependency to v3.0 (#532)
- Update to 2021 edition (#538)
- Use `Query::crate_scope()` as the `Default` (#544)
- Bump `cvss` dependency to v2.0 (#550)
- Bump `cargo-lock` dependency to v8.0 (#561)
- Flatten `warnings` module; rename `WarningKind` (#572)
- Flatten `advisory::id` module; rename `IdKind` (#573)
- Legacy database scopes (#541)
- Bump `platforms` dependency to v2.0.0 (#485)
- Bump `cargo-edit` dependency from 0.7.0 to 0.8.0 (#439)
- Make `advisory::id::Kind` lowercase (#471)
- Bump MSRV to 1.52 (#476)
- Flatten API: make modules with one type non-`pub`; re-export type from parent (#478)
- `vendored-libgit2` feature (#432)
- OSV v1.0 (#421)
- Support `~` and `=` operators in version specification (#402)
- Bump `crates-index` from 0.16.7 to 0.17.0 (#403)
- Do not lint year in CVE IDs (#393)
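The CVE exemption above refines the linter rule, listed further down in this log, that an advisory's date must fall in the year encoded in its RUSTSEC ID. The following Rust block is an added illustration of that rule and is not code from the `rustsec` crate: it parses the three identifier families the log mentions (RUSTSEC, CVE, GHSA), accepts the `RUSTSEC-0000-0000` placeholder, exposes a `numerical_part()`-style accessor, and applies the year check only where it belongs. Every type, function and constant name here is hypothetical, and the sample advisories in `main` are constructed, not real entries from advisory-db.

```rust
// Added illustration, not the rustsec crate's own code. All names are hypothetical.

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum IdKind {
    RustSec,
    Cve,
    Ghsa,
    Other,
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct AdvisoryId {
    raw: String,
    kind: IdKind,
}

/// Placeholder ID an advisory carries before a real RUSTSEC number is assigned.
pub const PLACEHOLDER_ID: &str = "RUSTSEC-0000-0000";

fn all_digits(s: &str) -> bool {
    !s.is_empty() && s.bytes().all(|b| b.is_ascii_digit())
}

impl AdvisoryId {
    /// Parse an identifier. RUSTSEC and CVE IDs are shape-checked as
    /// PREFIX-YYYY-NNNN (CVE allows more than four trailing digits);
    /// GHSA and unknown prefixes are accepted verbatim.
    pub fn parse(s: &str) -> Result<Self, String> {
        let parts: Vec<&str> = s.split('-').collect();
        let kind = match parts.first().copied() {
            Some("RUSTSEC") => IdKind::RustSec,
            Some("CVE") => IdKind::Cve,
            Some("GHSA") => IdKind::Ghsa,
            _ => IdKind::Other,
        };
        let min_tail = match kind {
            IdKind::RustSec => Some(4usize),
            IdKind::Cve => Some(4usize),
            _ => None,
        };
        if let Some(min_tail) = min_tail {
            let exact_tail = kind == IdKind::RustSec;
            let bad_tail = parts.len() != 3
                || parts[1].len() != 4
                || !all_digits(parts[1])
                || !all_digits(parts[2])
                || (exact_tail && parts[2].len() != 4)
                || parts[2].len() < min_tail;
            if bad_tail {
                return Err(format!("malformed {:?} id: {}", kind, s));
            }
        }
        Ok(AdvisoryId { raw: s.to_owned(), kind })
    }

    pub fn kind(&self) -> IdKind { self.kind }
    pub fn as_str(&self) -> &str { &self.raw }
    pub fn is_placeholder(&self) -> bool { self.raw == PLACEHOLDER_ID }

    /// Year component of RUSTSEC and CVE IDs; GHSA IDs carry no year.
    pub fn year(&self) -> Option<u32> {
        match self.kind {
            IdKind::RustSec | IdKind::Cve => self.raw.split('-').nth(1)?.parse().ok(),
            _ => None,
        }
    }

    /// Trailing numeric component of RUSTSEC and CVE IDs.
    pub fn numerical_part(&self) -> Option<u32> {
        match self.kind {
            IdKind::RustSec | IdKind::Cve => self.raw.split('-').nth(2)?.parse().ok(),
            _ => None,
        }
    }
}

/// Linter rule: for a real RUSTSEC ID, the year in the ID must equal the year
/// of the advisory `date` (YYYY-MM-DD). The placeholder ID and CVE/GHSA IDs
/// are not linted: a CVE year reflects the upstream assignment, not when the
/// RustSec advisory was filed.
pub fn lint_id_year(id: &AdvisoryId, date: &str) -> Result<(), String> {
    if id.kind() != IdKind::RustSec || id.is_placeholder() {
        return Ok(());
    }
    let date_year: u32 = date
        .get(..4)
        .and_then(|y| y.parse().ok())
        .ok_or_else(|| format!("malformed date: {}", date))?;
    match id.year() {
        Some(y) if y == date_year => Ok(()),
        Some(y) => Err(format!("{} has year {} but date is {}", id.as_str(), y, date)),
        None => Err(format!("{} has no year component", id.as_str())),
    }
}

fn main() {
    // Constructed sample (id, date) pairs; not real advisory-db entries.
    let samples = [
        ("RUSTSEC-2021-0045", "2021-04-05"),
        ("RUSTSEC-2021-0045", "2020-12-31"),
        ("CVE-2019-15554", "2020-01-15"),
        (PLACEHOLDER_ID, "2022-02-02"),
        ("GHSA-xxxx-yyyy-zzzz", "2022-02-02"),
    ];
    for &(raw, date) in samples.iter() {
        match AdvisoryId::parse(raw).and_then(|id| lint_id_year(&id, date)) {
            Ok(()) => println!("{:<22} {} ok", raw, date),
            Err(e) => println!("{:<22} {} LINT: {}", raw, date, e),
        }
    }
}
```

Running `main` flags only the second sample (a 2021 ID dated 2020); the CVE, placeholder and GHSA entries pass untouched, which is the behaviour the two changelog items together describe.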
- OSV export (#366)
- Bump `cargo-lock` to v7.0 (#379)
- Workaround for stale git refs
- Rename advisory-db `master` branch to `main`
- Parsing error on Windows
- Advisory `references` as a URL list
- Support for omitting leading `[advisory]` table
- `thread-safety` category
- Rename previous `references` field to `related`
- Use `url` crate to parse metadata URL
- Bump `smol_str` to v0.1.17; MSRV 1.46+
- Replace `chrono` with `humantime`
- Mark enums as `#[non_exhaustive]`
- Use `SystemTime` instead of a `git::Timestamp` type
- Rename `fetch` Cargo feature to `git`
- Rename `repository::GitRepository` to `repository::git::Repository`
- `markdown` feature
- Revert "Refactor Advisory type handling"
- Refactor `Advisory` and `VulnerabilityInfo`
- `fetch` feature
- Bump `cargo-lock` to v6; `semver` to v0.11
- Make `advisory.title` and `advisory.description` struct fields
- Remove support for the V2 advisory format
- Mark the `advisory::parser` module as `pub`
- Bump `cargo-edit` to 0.7.0
- Bump `crates-index` from 0.15.4 to 0.16.0
- advisory: laxer function path handling
- linter: fully deprecate `obsolete` in favor of `yanked`
- advisory: `markdown` feature and `Advisory::description_html`
- linter: add support for V3 advisory format
- MSRV 1.41+
- Bump `platforms` crate to v1
- linter: correctly handle crates with dashes in names
- `advisory.metadata.title` and `advisory.metadata.description`
- `year`, `month`, and `day` methods to `advisory::Date`
- `unsound` informational advisory kind
- Bump `crates-index` from 0.14 to 0.15
- Rename `obsolete` advisories to `yanked`
- Rename `warning::Kind::Informational` to `::Notice`
- Make `warning::Kind` a `#[non_exhaustive]` enum
- Make `Informational` a `#[non_exhaustive]` enum
- Legacy `patched_versions` and `unaffected_versions`
- `advisory::Id::numerical_part()`
- Make `WarningInfo` into a simple type alias
- Refactor package scopes
- Prototype V3 Advisory Format
- Bump dependencies to link `libgit2` dynamically
- Add `WarningInfo` and modify `Warning` struct
- Drop support for the V1 advisory format
- Move yanked crate auditing to `cargo-audit`
- Update `cargo-lock` requirement from 3.0 to 4.0
- Bump MSRV to 1.39
- Extract `cargo audit fix` logic into `Fixer`
- Warn for yanked crates
- Add `vendored-openssl` feature
- Support crate sources as a vulnerability query attribute
- Try to auto-detect proxy setting
- Remove `support.toml` parsing
- version: Fix matching bug for `>` version requirements
- linter: Add `informational` as an allowable `[advisory]` key
- repository: Expose `authentication` module
- Upgrade to `cargo-lock` crate v3.0
- Upgrade to `cargo-lock` crate v2.0
- warning: Extract into module; make more like `Vulnerability`
- Upgrade to `cvss` crate v1.0
- Upgrade to `cargo-lock` crate v1.0
- linter: Ensure advisory date's year matches year in advisory ID
- Use the `cargo-lock` crate
- lockfile: Add (optional) `DependencyGraph` analysis
- Rename `rustsec::db` module to `rustsec::database`
- report: Generate warnings for selected informational advisories
- vulnerability: Add `affected_functions()`
- Add `rustsec::advisory::Linter`
- package: Parse dependencies from Cargo.lock
- Initial `report` module and built-in report generation
- Basic query support
- Index the `rust` advisory directory from `RustSec/advisory-db`
- Add first-class support for GitHub Security Advisories (GHSA)
- Re-vendor Cargo's git authentication code
- `support.toml` for indicating supported versions
- Add support for "informational" advisories
- Add `rustsec::advisory::Category`
- Refactor advisory types: add `[affected]` and `[versions]` sections
- advisory: Add (optional) `cvss` field with CVSS v3.1 score
- Freshen deps: add `home`, remove `directories` and `failure`
- Improved handling of prereleases; MSRV 1.35+
- Add `Version` and `VersionReq` newtypes
- Use new inclusive range syntax
- Update dependencies and use 2018 import conventions; Rust 1.32+
- Re-export all types in `advisory::paths::*`
- Cargo.toml: Update `platforms` crate to v0.2
- Redo advisory's `affected_functions` as `affected_paths`
- Implement `affected_functions` advisory attribute
- Fix handling of `unaffected_versions`
- Update to Rust 2018 edition
- Create parents of the `advisory-db` repo dir
- Handle cloning `advisory-db` into existing, empty dir
- Use Cargo's git authentication helper
- Use `platforms` crate for platform-related functionality
- Advisory platform requirements
- Cargo-like keyword support
- Allow `AdvisoryId::new()` to parse `RUSTSEC-0000-0000`
- Add link to logo image for docs.rs
- Fix builds with
--no-default-features
- README.md: Badge fixups, add gitter badge
- Cargo.toml: Formatting fixups, add `readme` attribute
- Validate dates are well-formed
- Add `AdvisoryIdKind` and limited support for parsing advisory IDs
- Add a `Vulnerabilities` collection struct
- Parse aliases, references, and unaffected versions
- Parse (but do not yet verify) signatures on advisory-db commits
- Parse individual advisory `.toml` files rather than `Advisories.toml`
- Switch to `git2`-based fetcher for `advisory-db`
- Use serde to parse advisories TOML and `Cargo.lock` files
- Use `failure` crate for error handling
- Use `semver::Version` for `lockfile::Package` versions
- Move `AdvisoryDatabase` under the `::db` module
- Lockfile support
- Add `AdvisoryDatabase::fetch_from_url()`
- Make `advisory` and `error` modules public
- Use str version param for `AdvisoryDatabase::find_vulns_for_crate()`
- Add `AdvisoryDatabase::find_vulns_for_crate()`
- Rename `crate_name` TOML attribute back to `package`
- Rename `package` TOML attribute to `crate_name`
- Add iterator support to `AdvisoryDatabase`
- Initial release