osv-scanner doesn't detect yanked versions, such as yanked crate version https://crates.io/crates/url/2.5.3
deps.dev knows this version is deprecated - see https://deps.dev/cargo/url/2.5.3
There is no CVE listed for this https://osv.dev/list?q=url&ecosystem=crates.io
But given that https://github.com/servo/rust-url/pull/999 is the only PR in v2.5.4, and it landed in v2.5.3, there is a good chance that it is the problem.
And very likely that problem is a large one, probably even CVE territory.
And that is commonly why versions are yanked - a problem is found & fixed before a CVE has been created.
And because it is a yanked version, quite likely nobody will invest in creating a CVE.
Note https://github.com/EmbarkStudios/cargo-deny does detect yanked versions in the lock file, and most Rust projects will be using cargo-deny (however I am often asked why we use both cargo-deny and osv-scanner), so it isn't an urgent problem for me.
cargo deny output (in red!)
That said, the tooling for other ecosystems may not be tuned to treat yanked versions as probable CVEs. NPM's left-pad yanking problem probably still has many people wary of trusting yanks ("unpublish"), so it would be good IMO to have osv-scanner detecting & reporting these.
There is a bit of overlap with https://github.com/google/osv.dev/issues/2407
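As an added example of the check being requested (this is not the issue author's code and not part of osv-scanner or cargo-deny), the script below reads the `[[package]]` entries of a Cargo.lock and looks each registry crate up in records shaped like the crates.io sparse index (one JSON object per published version with `name`, `vers` and `yanked`). The Cargo.lock fragment and the index records are constructed for the example and trimmed to the fields the check uses; a real run would fetch `https://index.crates.io/<index_path(name)>` instead of reading the in-memory dictionary.

```python
"""Flag yanked crate versions in a Cargo.lock against crates.io sparse-index records.

Added example for this issue; it is NOT code from the issue author, osv-scanner
or cargo-deny. CARGO_LOCK and SPARSE_INDEX below are constructed sample data.
"""
import json
import sys
from typing import Callable, Dict, List, Optional, Tuple

# Constructed Cargo.lock fragment (lock format version 3). "mycrate" is the
# workspace package itself, so it has no registry source and is skipped.
CARGO_LOCK = """\
# This file is automatically @generated by Cargo.
# It is not intended for manual editing.
version = 3

[[package]]
name = "form_urlencoded"
version = "1.2.1"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "mycrate"
version = "0.1.0"
dependencies = [
 "url",
]

[[package]]
name = "url"
version = "2.5.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "form_urlencoded",
]
"""

# Constructed sparse-index records keyed by crate name, trimmed to the fields
# this check needs (real records also carry deps, cksum, features, ...).
SPARSE_INDEX: Dict[str, str] = {
    "form_urlencoded": "\n".join([
        '{"name":"form_urlencoded","vers":"1.2.0","yanked":false}',
        '{"name":"form_urlencoded","vers":"1.2.1","yanked":false}',
    ]),
    "url": "\n".join([
        '{"name":"url","vers":"2.5.2","yanked":false}',
        '{"name":"url","vers":"2.5.3","yanked":true}',
        '{"name":"url","vers":"2.5.4","yanked":false}',
    ]),
}


def index_path(name: str) -> str:
    """Path of a crate's record file in the crates.io index layout (1/, 2/, 3/x/, ab/cd/)."""
    n = name.lower()
    if len(n) == 1:
        return f"1/{n}"
    if len(n) == 2:
        return f"2/{n}"
    if len(n) == 3:
        return f"3/{n[0]}/{n}"
    return f"{n[:2]}/{n[2:4]}/{n}"


def parse_cargo_lock(text: str) -> List[Tuple[str, str, str]]:
    """Return (name, version, source) for every [[package]] block; source is '' for path crates."""
    pkgs: List[Dict[str, str]] = []
    cur: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[[package]]":
            cur = {}
            pkgs.append(cur)
        elif cur is not None and "=" in line and not line.startswith("#"):
            key, _, val = line.partition("=")
            cur[key.strip()] = val.strip().strip('"')  # array bodies have no '=' and are skipped
    return [(p["name"], p["version"], p.get("source", "")) for p in pkgs]


def version_status(index_text: str) -> Dict[str, bool]:
    """Map each published version in a sparse-index file to its yanked flag."""
    status: Dict[str, bool] = {}
    for line in index_text.splitlines():
        if line.strip():
            rec = json.loads(line)
            status[rec["vers"]] = bool(rec.get("yanked", False))
    return status


def _vkey(version: str) -> Tuple[int, ...]:
    # Orders plain MAJOR.MINOR.PATCH; pre-release tags are stripped, not ranked.
    return tuple(int(p) for p in version.split("-", 1)[0].split("."))


def find_yanked(lock_text: str, fetch_index: Callable[[str], Optional[str]]
                ) -> List[Tuple[str, str, str, Optional[str]]]:
    """Return (name, version, reason, latest_unyanked) for every registry crate that is not clean."""
    findings = []
    for name, version, source in parse_cargo_lock(lock_text):
        if "crates.io-index" not in source:
            continue  # path/git dependencies have no crates.io record
        index_text = fetch_index(name)
        if index_text is None:
            findings.append((name, version, "crate not found in index", None))
            continue
        status = version_status(index_text)
        if version not in status:
            findings.append((name, version, "version not found in index", None))
        elif status[version]:
            unyanked = [v for v, y in status.items() if not y]
            newest = max(unyanked, key=_vkey) if unyanked else None
            findings.append((name, version, "yanked", newest))
    return findings


if __name__ == "__main__":
    for name, version, reason, newest in find_yanked(CARGO_LOCK, SPARSE_INDEX.get):
        hint = f" (latest non-yanked: {newest})" if newest else ""
        print(f"{name} {version}: {reason}{hint}  [index file: {index_path(name)}]")
    sys.exit(1 if find_yanked(CARGO_LOCK, SPARSE_INDEX.get) else 0)
```

Like cargo-deny, the script exits non-zero when any locked version is yanked, so it can gate CI; a version or crate that is missing from the index is reported as well rather than silently passed, since that is the other way a lock file can drift from what the registry still serves.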