[Bug 291851] security/cargo-audit: unsupported CVSS version: 4.0
Date: Sun, 21 Dec 2025 01:55:12 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=291851
Bug ID: 291851
Summary: security/cargo-audit: unsupported CVSS version: 4.0
Product: Ports & Packages
Version: Latest
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: Individual Port(s)
Assignee: bofh@freebsd.org
Reporter: asomers@FreeBSD.org
Flags: maintainer-feedback?(bofh@freebsd.org)
RustSec recently, within the last few days I think, published a vulnerability
alert for cap-primitives (RUSTSEC-2024-0445) that uses CVSS version 4. That
causes cargo-audit 0.21.2 to crash with the below error message. It doesn't
matter what crate the tool is running on; it will crash for every crate.
CVSS version 4 is already supported by cargo-audit 0.22.0, which is in the
ports main branch. But it isn't in 2025Q4. So this port is completely broken
in any stable release of FreeBSD. Can we please MFH version 0.22.0?
> cargo-audit audit
Fetching advisory database from
`https://github.com/RustSec/advisory-db.git`
error: error loading advisory database: parse error: error parsing
/home/somers/.cargo/advisory-db/crates/cap-primitives/RUSTSEC-2024-0445.md:
parse error: TOML parse error at line 8, column 8
|
8 | cvss = "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
unsupported CVSS version: 4.0
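
The failure mode in the report, as an added Rust example that is not part of the original report and is not cargo-audit's or rustsec's code: a loader that aborts on the first advisory whose CVSS version it cannot parse fails for every crate, while one that records that advisory as unscored keeps working. The SUPPORTED list, the function names and the EXAMPLE-* entries are assumptions; only the CVSS 4.0 vector comes from the report.

```rust
// Added illustration; not cargo-audit or rustsec code. All names are hypothetical.
const SUPPORTED: &[&str] = &["3.0", "3.1"]; // assumed: a parser that predates CVSS 4.0
// Constructed sample: the 4.0 vector is the one quoted in the report, the rest is made up.
const SAMPLE: &[(&str, &str)] = &[
    ("EXAMPLE-0001", "id = \"EXAMPLE-0001\"\ncvss = \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\""),
    ("RUSTSEC-2024-0445", "cvss = \"CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N\""),
    ("EXAMPLE-0002", "id = \"EXAMPLE-0002\""),
];

enum Cvss { Scored, Unsupported(String), Absent }

/// Classify the `cvss = "..."` field of an advisory's front matter by its version prefix.
fn classify(front_matter: &str) -> Result<Cvss, String> {
    for line in front_matter.lines() {
        let Some((key, value)) = line.split_once('=') else { continue };
        if key.trim() != "cvss" { continue; }
        let vector = value.trim().trim_matches('"');
        let version = vector.strip_prefix("CVSS:").and_then(|r| r.split('/').next())
            .ok_or_else(|| format!("malformed CVSS vector: {vector}"))?;
        return Ok(if SUPPORTED.contains(&version) { Cvss::Scored } else { Cvss::Unsupported(version.to_string()) });
    }
    Ok(Cvss::Absent) // advisories without a CVSS field are still valid
}

/// Fail-hard: the first unsupported version aborts the whole database load.
fn load_strict<'a>(db: &[(&'a str, &str)]) -> Result<Vec<&'a str>, String> {
    let mut loaded = Vec::new();
    for (id, fm) in db {
        if let Cvss::Unsupported(v) = classify(fm)? {
            return Err(format!("{id}: unsupported CVSS version: {v}"));
        }
        loaded.push(*id);
    }
    Ok(loaded)
}

/// Fail-soft: keep every advisory and return the ids whose score could not be parsed.
fn load_tolerant<'a>(db: &[(&'a str, &str)]) -> (Vec<&'a str>, Vec<&'a str>) {
    let (mut loaded, mut unscored) = (Vec::new(), Vec::new());
    for (id, fm) in db {
        if !matches!(classify(fm), Ok(Cvss::Scored) | Ok(Cvss::Absent)) { unscored.push(*id); }
        loaded.push(*id);
    }
    (loaded, unscored)
}

fn main() {
    println!("strict:   {:?}", load_strict(SAMPLE));
    println!("tolerant: {:?}", load_tolerant(SAMPLE));
}
```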