Add solution to Advisory diagnostics report

src/advisories/diags.rs

@@ -2,7 +2,7 @@ use crate::{
     diag::{Check, Diag, Diagnostic, KrateCoord, Label, Pack, Severity},
     Krate, LintLevel,
 };
-use rustsec::advisory::{informational::Informational, metadata::Metadata, Id};
+use rustsec::advisory::{informational::Informational, metadata::Metadata, versions::Versions, Id};
 
 fn get_notes_from_advisory(advisory: &Metadata) -> Vec<String> {
     let mut n = Vec::new();
@@ -26,6 +26,7 @@ impl<'a> crate::CheckCtx<'a, super::cfg::ValidConfig> {
         krate: &crate::Krate,
         krate_index: krates::NodeId,
         advisory: &Metadata,
+        versions: Option<&Versions>,
         mut on_ignore: F,
     ) -> Pack
     where
@@ -97,7 +98,24 @@ impl<'a> crate::CheckCtx<'a, super::cfg::ValidConfig> {
             )
         };
 
-        let notes = get_notes_from_advisory(&advisory);
+        let mut notes = get_notes_from_advisory(&advisory);
+
+        if let Some(versions) = versions {
+            if versions.patched.is_empty() {
+                notes.push(String::from("Solution: No safe upgrade is available!"))
+            } else {
+                notes.push(format!(
+                    "Solution: Upgrade to {}",
+                    versions
+                        .patched
+                        .iter()
+                        .map(ToString::to_string)
+                        .collect::<Vec<_>>()
+                        .as_slice()
+                        .join(" OR ")
+                ))
+            }
+        };
 
         let mut pack = Pack::with_kid(Check::Advisories, krate.id.clone());
 

src/advisories/mod.rs

@@ -37,7 +37,7 @@ pub fn check<R>(
 ) where
     R: AuditReporter,
 {
-    use rustsec::{advisory::metadata::Metadata, package::Package};
+    use rustsec::{advisory::metadata::Metadata, advisory::versions::Versions, package::Package};
 
     let emit_audit_compatible_reports = audit_compatible_reporter.is_some();
 
@@ -65,34 +65,38 @@ pub fn check<R>(
     use bitvec::prelude::*;
     let mut ignore_hits = bitvec![0; ctx.cfg.ignore.len()];
 
-    let mut send_diag = |pkg: &Package, advisory: &Metadata| match krate_for_pkg(&ctx.krates, pkg) {
-        Some((i, krate)) => {
-            let diag = ctx.diag_for_advisory(krate, i, advisory, |index| {
-                ignore_hits.as_mut_bitslice().set(index, true)
-            });
-
-            sink.push(diag);
-        }
-        None => {
-            unreachable!(
-                "the advisory database report contained an advisory 
+    let mut send_diag =
+        |pkg: &Package, advisory: &Metadata, versions: Option<&Versions>| match krate_for_pkg(
+            &ctx.krates,
+            pkg,
+        ) {
+            Some((i, krate)) => {
+                let diag = ctx.diag_for_advisory(krate, i, advisory, versions, |index| {
+                    ignore_hits.as_mut_bitslice().set(index, true)
+                });
+
+                sink.push(diag);
+            }
+            None => {
+                unreachable!(
+                    "the advisory database report contained an advisory
                     that somehow matched a crate we don't know about:\n{:#?}",
-                advisory
-            );
-        }
-    };
+                    advisory
+                );
+            }
+        };
 
     // Emit diagnostics for any vulnerabilities that were found
     for vuln in &report.vulnerabilities {
-        send_diag(&vuln.package, &vuln.advisory);
+        send_diag(&vuln.package, &vuln.advisory, Some(&vuln.versions));
     }
 
     // Emit diagnostics for informational advisories for crates, including unmaintained and unsound
     for (warning, advisory) in report
         .iter_warnings()
         .filter_map(|(_, wi)| wi.advisory.as_ref().map(|wia| (wi, wia)))
     {
-        send_diag(&warning.package, &advisory);
+        send_diag(&warning.package, &advisory, warning.versions.as_ref());
     }
 
     match yanked {