Skip to content

Proposed "V3" advisory format: move to Markdown + (TOML) "front matter" #240

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
tarcieri opened this issue Mar 4, 2020 · 5 comments
Closed

Proposed "V3" advisory format: move to Markdown + (TOML) "front matter" #240

tarcieri opened this issue Mar 4, 2020 · 5 comments

Comments

@tarcieri
Copy link
Member

tarcieri commented Mar 4, 2020

Right now advisories are TOML documents with large amounts of Markdown crammed into the description field. Here are a couple examples:

This is suboptimal for a couple reasons:

  • Anyone editing Markdown crammed into the description field can't take advantage of their editor's Markdown syntax highlighting or preview features
  • Likewise the Markdown is not rendered when viewing advisories on GitHub, which is useful in the PR process to ensure Markdown is well-formatted, but also for anyone browsing the advisory DB's git repo on GitHub
  • It makes advisory metadata located below the description field harder to see. As of the move to the new V2 advisory format, this is all version information, which is some of the most important information in advisories.

This issue proposes what is hopefully the last change to the advisory format before freezing it and releasing 1.0 versions of cargo-audit and the rustsec crate: moving to a Markdown advisory format.

Markdown (unofficially) supports the notion of "front matter": typically a YAML document embedded at the beginning of a Markdown file like so:

---
id: CVE-2019-16760
package: cargo
date: 2019-09-30
...
---

The Rust team was recently notified of a security concern when using older
versions of Cargo to build crates which use the package rename feature added in
newer versions of Cargo. If you're using Rust 1.26.0, released on 2018-05-10,
or later you're not affected.

...

This proposal is to migrate advisories from .toml files to .md files which leverage Markdown "front matter" to store advisory metadata.

If this happens, it may make sense to switch the advisory format from TOML to YAML as this is better supported in the Markdown ecosystem (e.g. GitHub will apply syntax highlighting and/or render it as a table).

However, that doesn't necessarily have to be the case: we could also continue to use TOML front matter, which enjoys some support:

---
[advisory]
id = "CVE-2019-16760"
package = "cargo"
date = "2019-09-30"
...
---

The Rust team was recently notified of a security concern when using older
versions of Cargo to build crates which use the package rename feature added in
newer versions of Cargo. If you're using Rust 1.26.0, released on 2018-05-10,
or later you're not affected.

...
@8573
Copy link
Contributor

8573 commented Mar 16, 2020

Besides the migration diff being greater, what disadvantages do you see in using YAML for the metadata?

@tarcieri
Copy link
Member Author

YAML is a more loosely structured format, but has better support for this particular purpose

@tarcieri
Copy link
Member Author

tarcieri commented May 3, 2020
edited
Loading

Opened a draft PR with a new proposed V3 advisory format.

https://github.com/RustSec/rustsec-crate/pull/167

Edit: merged

@tarcieri tarcieri mentioned this issue May 6, 2020
Closed
@tarcieri
Copy link
Member Author

tarcieri commented Sep 21, 2020
edited
Loading

Support for the new format implemented in the PR above shipped in rustsec crate v0.19.0, which was released in May 2020. cargo-audit v0.12 was also released in May 2020 and supports the format.

I would suggest attempting to switch over to the new format on October 1st, 2020 (next Thursday).

@tarcieri tarcieri mentioned this issue Oct 1, 2020
Closed
@tarcieri
Copy link
Member Author

tarcieri commented Oct 1, 2020

We'll attempt a migration today. The migration is tracked in #414.

@tarcieri tarcieri closed this as completed Oct 1, 2020
tarcieri added a commit that referenced this issue Oct 2, 2020
@tarcieri
Translate database into V3 advisory format
10ff660 
As proposed in #240 and tracked in #414, this PR translates all
advisories into the new "V3" advisory format, which is based on Markdown
with leading TOML front matter.

This format makes it easier to see rendered Markdown syntax
descriptions, whether rendered by an IDE or GitHub. This should help
with both crafting advisories initially as well as review, and ideally
encourages more lengthy descriptions.

Support for this format shipped in `cargo-audit` v0.12.0 on
May 6th, 2020.
tarcieri added a commit that referenced this issue Oct 2, 2020
@tarcieri
Translate database into V3 advisory format (#420)
ac125ee 
As proposed in #240 and tracked in #414, this PR translates all
advisories into the new "V3" advisory format, which is based on Markdown
with leading TOML front matter.

This format makes it easier to see rendered Markdown syntax
descriptions, whether rendered by an IDE or GitHub. This should help
with both crafting advisories initially as well as review, and ideally
encourages more lengthy descriptions.

Support for this format shipped in `cargo-audit` v0.12.0 on
May 6th, 2020.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@tarcieri @8573