The hardware and bandwidth for this mirror is donated by METANET, the Webhosting and Full Service-Cloud Provider.
If you wish to report a bug, or if you are interested in having us mirror your free-software or open-source project, please feel free to contact us at mirror[@]metanet.ch.
The security vulnerabilities feature checks for known, publicly disclosed vulnerabilities in the R package being assessed. It is accessed through:
get_security_vulnerabilities() — the exported function
that retrieves advisories for a package.It also runs automatically as part of a full assessment via
risk_assess_pkg() / assess_pkg().
Advisories are retrieved from the Open Source Vulnerabilities
(OSV) database (https://osv.dev) using a POST request to
the query endpoint https://api.osv.dev/v1/query. For R
packages, OSV serves advisories from the R Consortium
r-advisory-database, which carry RSEC-*
identifiers.
The package is queried by name only within the "CRAN"
ecosystem. All advisories for the package are fetched, then filtered
locally against the installed version. Querying by name (rather than
name + version) avoids missing range-based advisories that a
version-scoped OSV query can silently omit.
The function returns a data frame with one row per advisory and the following columns:
id — advisory identifier
(e.g. RSEC-2023-6)summary — short vulnerability typedetails — full descriptionintroduced — version the issue was introducedfixed — version the issue was fixedmodified, published — advisory
timestampsIf no advisories apply, a zero-row data frame with the same columns is returned. Omitting the version returns every advisory known for the package.
When you assess a package, the vulnerabilities are stored in the results object:
Summary report — vulnerabilities appear as a single metric, “Security Vulnerabilities”, showing the count of advisories found. Any count of one or more is scored High risk; zero is scored Low. This contributes to the overall recommendation alongside the other risk metrics.
HTML report — when advisories are found, the report
renders a red-headed, searchable table listing every advisory
(ID, Summary, Details,
Introduced, Fixed, Modified,
Published). When none are found, a green “No security
vulnerabilities” banner is shown instead.
"CRAN" ecosystem is queried; Bioconductor is
not auto-detected.risk-definition.json at the moment.These binaries (installable software) and packages are in development.
They may not be fully stable and should be used with caution. We make no claims about them.