The security vulnerabilities feature checks for known, publicly disclosed vulnerabilities in the R package being assessed. It is accessed through:
get_security_vulnerabilities() — the exported function
that retrieves advisories for a package.It also runs automatically as part of a full assessment via
risk_assess_pkg() / assess_pkg().
Advisories are retrieved from the Open Source Vulnerabilities
(OSV) database (https://osv.dev) using a POST request to
the query endpoint https://api.osv.dev/v1/query. For R
packages, OSV serves advisories from the R Consortium
r-advisory-database, which carry RSEC-*
identifiers.
The package is queried by name only within the "CRAN"
ecosystem. All advisories for the package are fetched, then filtered
locally against the installed version. Querying by name (rather than
name + version) avoids missing range-based advisories that a
version-scoped OSV query can silently omit.
The function returns a data frame with one row per advisory and the following columns:
id — advisory identifier
(e.g. RSEC-2023-6)summary — short vulnerability typedetails — full descriptionintroduced — version the issue was introducedfixed — version the issue was fixedmodified, published — advisory
timestampsIf no advisories apply, a zero-row data frame with the same columns is returned. Omitting the version returns every advisory known for the package.
When you assess a package, the vulnerabilities are stored in the results object:
Summary report — vulnerabilities appear as a single metric, “Security Vulnerabilities”, showing the count of advisories found. Any count of one or more is scored High risk; zero is scored Low. This contributes to the overall recommendation alongside the other risk metrics.
HTML report — when advisories are found, the report
renders a red-headed, searchable table listing every advisory
(ID, Summary, Details,
Introduced, Fixed, Modified,
Published). When none are found, a green “No security
vulnerabilities” banner is shown instead.
"CRAN" ecosystem is queried; Bioconductor is
not auto-detected.risk-definition.json at the moment.