[Pkg-rust-maintainers] Bug#1134114: cargo-audit: cargo audit cannot parse current advisory database, missing CVSS 4.0 support
Fiona Klute
fiona.klute at gmx.de
Thu Apr 16 17:45:19 BST 2026
Package: cargo-audit
Version: 0.21.2-1+b2
Severity: important
Running "cargo audit" on any Rust package fails because the currently
packaged version can't handle CVSS 4.0, but it is used in the current
advisory DB. The package being audited does not matter because "cargo
audit" never reaches that point. Updating to a version >= 0.22.0 should
solve the problem [1].
Output:
$ cargo audit
Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
error: error loading advisory database: parse error: error parsing /home/fiona/.cargo/advisory-db/crates/astral-tokio-tar/RUSTSEC-2026-0066.md: parse error: TOML parse error at line 5, column 8
  |
5 | cvss = "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U"
  |        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
unsupported CVSS version: 4.0
[1] https://github.com/rustsec/rustsec/issues/1487
-- System Information:
Debian Release: forky/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 6.19.11+deb14-amd64 (SMP w/16 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages cargo-audit depends on:
ii cargo 1.94.1+dfsg1-1
ii libc6 2.42-14
ii libgcc-s1 16-20260322-1
cargo-audit recommends no packages.
cargo-audit suggests no packages.
-- debconf-show failed
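
Added example, not part of the original report and not cargo-audit or RustSec code: a triage helper that walks a local advisory-db checkout and lists the advisories whose cvss field uses a version the installed parser rejects, as in the failure reported above. It assumes the RustSec advisory layout (TOML front matter in a toml code fence at the top of each RUSTSEC-*.md file); the function names and the sample advisory are constructed for illustration, and only the cvss vector and the ~/.cargo/advisory-db path come from the report.

```python
import re
import sys
from pathlib import Path

FENCE = "`" * 3  # built at runtime so this listing contains no literal fence
# Front matter: the toml-fenced block at the very top of the advisory file.
FRONT_MATTER = re.compile(r"\A\s*" + FENCE + r"toml\s*\n(.*?)\n" + FENCE, re.S)
# Only the version prefix of the vector is needed to predict the parse error.
CVSS_LINE = re.compile(r'^cvss\s*=\s*"CVSS:(\d+\.\d+)/[^"]*"', re.M)

# Constructed sample advisory; id, package and date are placeholders.
SAMPLE = (
    f"{FENCE}toml\n[advisory]\n"
    'id = "RUSTSEC-0000-0000"\npackage = "example-crate"\ndate = "2026-01-01"\n'
    'cvss = "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U"\n'
    f"{FENCE}\n\n# Constructed advisory title\n"
)


def cvss_version(advisory_text):
    """Return the CVSS version of an advisory ("3.1", "4.0", ...) or None."""
    front = FRONT_MATTER.search(advisory_text)
    if not front:
        return None
    match = CVSS_LINE.search(front.group(1))
    return match.group(1) if match else None


def blocking_advisories(db_root, unsupported=("4.0",)):
    """List (path, version) for advisories an older parser would refuse."""
    hits = []
    for path in sorted(Path(db_root).rglob("RUSTSEC-*.md")):
        text = path.read_text(encoding="utf-8", errors="replace")
        version = cvss_version(text)
        if version in unsupported:
            hits.append((str(path), version))
    return hits


if __name__ == "__main__":
    # Default location taken from the path shown in the error output.
    default_root = Path.home() / ".cargo" / "advisory-db"
    root = sys.argv[1] if len(sys.argv) > 1 else default_root
    for path, version in blocking_advisories(root):
        print(f"{version}\t{path}")
```

A single hit is enough to reproduce the reported behaviour, since the database load aborts on the first advisory it cannot parse.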