A vulnerability database for the Rust ecosystem

Tooling

cargo-audit

Audit Cargo.lock files for crates with security vulnerabilities.

> cargo audit
    Scanning Cargo.lock for vulnerabilities (4 crate dependencies)
Crate:     lz4-sys
Version:   1.9.3
Title:     Memory corruption in liblz4
Date:      2022-08-25
ID:        RUSTSEC-2022-0051
URL:       https://rustsec.org/advisories/RUSTSEC-2022-0051
Solution:  Upgrade to >=1.9.4
Dependency tree:
lz4-sys 1.9.3
└── crate 0.1.0

error: 1 vulnerability found!

cargo-deny

Audit Cargo.lock files for crates with security vulnerabilities, restrict which dependencies may be used, which licenses they may carry and which sources they may be downloaded from, detect multiple versions of the same package in the dependency tree, and more.

cargo-auditable

Embed the dependency tree into compiled executables so that production Rust binaries can be audited with cargo-audit even when the Cargo.lock they were built from is no longer at hand.

cargo-audit GitHub action

Audit changes, schedule dependency audits and open issues for the vulnerabilities found, using cargo-audit through the rust-audit-check GitHub action.

cargo-deny GitHub action

Audit changes and schedule dependency audits using cargo-deny through the cargo-deny-action GitHub action.

Data Interchange

We export all our data to Open Source Vulnerabilities (OSV) in real time, which lets many other tools, such as Trivy, consume RustSec advisories.

You can access RustSec advisories in the OSV format either directly as a zip archive or using the OSV API.

The GitHub Advisory Database imports our advisories and makes them available in its public API.

This allows Dependabot to fix vulnerable dependencies for you by raising pull requests with security updates.
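The matching step behind the cargo audit run shown above and the OSV export described here, as an added example that is not RustSec's, cargo-audit's or cargo-auditable's code: a small Rust program reads the [[package]] tables of a Cargo.lock and checks every package against an advisory expressed as OSV SEMVER events (introduced/fixed). The advisory data is hand-built from the RUSTSEC-2022-0051 entry on this page, the Cargo.lock is constructed, and the version ordering is a deliberate simplification of semver (a pre-release sorts below its release but pre-releases are not ordered among themselves); the real tools use the semver crate. All type and function names are assumptions for the example.

```rust
// Added example, not RustSec's or cargo-audit's code: a minimal model of what
// `cargo audit` does with the advisories RustSec exports in OSV format.

/// Numeric core plus a release flag. Derived `Ord` compares `core`, then `release`
/// (false < true), so "1.9.4-alpha" < "1.9.4" as semver requires. Simplification:
/// two pre-releases of the same core compare equal (cargo-audit uses full semver).
#[derive(Debug, Clone, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version { core: [u64; 3], release: bool }

impl Version {
    pub fn parse(s: &str) -> Option<Version> {
        let s = s.split('+').next()?; // "+build" metadata never affects ordering
        let (core, release) = match s.split_once('-') {
            Some((c, _)) => (c, false), // "-alpha.1" and friends are pre-releases
            None => (s, true),
        };
        let pieces: Vec<&str> = core.split('.').collect();
        if pieces.len() > 3 { return None; }
        let mut parts = [0u64; 3]; // "1.9" is read as 1.9.0
        for (slot, p) in parts.iter_mut().zip(&pieces) { *slot = p.parse().ok()?; }
        Some(Version { core: parts, release })
    }
}

/// One OSV "SEMVER" range as (introduced, fixed) pairs; `fixed == None` means
/// no fix exists yet and every version from `introduced` onward is affected.
pub struct SemverRange { pub events: Vec<(Version, Option<Version>)> }
pub struct Advisory { pub id: &'static str, pub package: &'static str, pub ranges: Vec<SemverRange> }

impl Advisory {
    /// OSV semantics: affected if introduced <= v and (no fix yet or v < fixed).
    pub fn affects(&self, v: &Version) -> bool {
        self.ranges.iter().any(|r| r.events.iter().any(|(intro, fixed)| {
            intro <= v && fixed.as_ref().map_or(true, |f| v < f)
        }))
    }
}

pub struct LockedPackage { pub name: String, pub version: String }

/// Pull (name, version) out of every `[[package]]` table in a Cargo.lock.
/// Only the two keys an audit needs are read; this is not a general TOML parser.
pub fn parse_cargo_lock(text: &str) -> Vec<LockedPackage> {
    let unquote = |v: &str| v.trim().strip_prefix('"')?.strip_suffix('"').map(str::to_string);
    let mut out = Vec::new();
    let mut in_package = false;
    let (mut name, mut version): (Option<String>, Option<String>) = (None, None);
    for raw in text.lines().chain(std::iter::once("[[package]]")) { // sentinel flushes last table
        let line = raw.trim();
        if line == "[[package]]" {
            if let (true, Some(n), Some(v)) = (in_package, name.take(), version.take()) {
                out.push(LockedPackage { name: n, version: v });
            }
            in_package = true;
        } else if let (true, Some((k, v))) = (in_package, line.split_once('=')) {
            match k.trim() {
                "name" => name = unquote(v),
                "version" => version = unquote(v),
                _ => {} // source, checksum, dependencies: not needed for an audit
            }
        }
    }
    out
}

pub struct Finding { pub package: String, pub version: String, pub advisory: &'static str }

/// The audit proper: each locked package against every advisory filed for that crate name.
pub fn audit(lock: &str, db: &[Advisory]) -> Vec<Finding> {
    let mut findings = Vec::new();
    for pkg in parse_cargo_lock(lock) {
        let v = match Version::parse(&pkg.version) { Some(v) => v, None => continue };
        for adv in db.iter().filter(|a| a.package == pkg.name && a.affects(&v)) {
            let (package, version) = (pkg.name.clone(), pkg.version.clone());
            findings.push(Finding { package, version, advisory: adv.id });
        }
    }
    findings
}

/// RUSTSEC-2022-0051 as the OSV export expresses it: introduced "0", fixed 1.9.4.
pub fn rustsec_2022_0051() -> Advisory {
    let events = vec![(Version::parse("0").unwrap(), Version::parse("1.9.4"))];
    Advisory { id: "RUSTSEC-2022-0051", package: "lz4-sys", ranges: vec![SemverRange { events }] }
}

/// Constructed Cargo.lock matching the dependency tree shown on this page.
pub const SAMPLE_LOCK: &str = r#"version = 3
[[package]]
name = "crate"
version = "0.1.0"
dependencies = ["lz4-sys"]
[[package]]
name = "lz4-sys"
version = "1.9.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
"#;

fn main() {
    for f in audit(SAMPLE_LOCK, &[rustsec_2022_0051()]) {
        println!("{} {} is affected by {}", f.package, f.version, f.advisory);
    }
}
```

The OSV "events" list is a flat sequence of introduced/fixed entries; the example pairs each introduced with the fixed that follows it, which covers single-range advisories such as this one. Bumping lz4-sys to 1.9.4 in the constructed lockfile makes the finding disappear, while 1.9.4-alpha.1 is still reported because a pre-release orders below its release.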

About

The RustSec Advisory Database is a repository, maintained by the Rust Secure Code Working Group, of security advisories filed against Rust crates published via crates.io.