Consider add PURL to advisories

[pombredanne]

crates.io now list a PURL on each crates page, like pkg:cargo/aho-corasick@1.1.3 for https://crates.io/crates/aho-corasick

It would be awesome to also adopt PURL in the advisories here, especially since CVE.org is fast tracking adopting PURL in the CVE schema.

Tell me how I can help!

[amousset]

I don't think it make sense to have PURL in the advisory sources as the database only covers crates.io by definition. We already have PURL in the OSV export (cf.

advisory-db/crates/RUSTSEC-2016-0002.json

Line 25 in 05d9e27

"purl": "pkg:cargo/hyper"

).

We could add them on the advisory pages in https://rustsec.org (the source is located in https://github.com/rustsec/rustsec/tree/main/admin)

[tarcieri]

Advisories do have a source field which can be used to file advisories against non-crates.io repos, in case anyone wants an internal deployment of RustSec.

These use the source URL format from Cargo.lock, e.g. source = "registry+https://github.com/rust-lang/crates.io-index"