diff --git a/.cargo/audit.toml b/.cargo/audit.toml
deleted file mode 100644
index 17406f07..00000000
--- a/.cargo/audit.toml
+++ /dev/null
@@ -1,7 +0,0 @@
-[advisories]
-ignore = [
- # Will be resolved once "surrealdb-jsonwebtoken", a temporary fork
- # of "jsonwebtoken", is replaced by the upstream version which no
- # longer uses the affected "rsa" crate.
- "RUSTSEC-2023-0071"
-]
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 6528edbf..e17e94ad 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -93,11 +93,11 @@ jobs:
 - name: Checkout sources
 uses: actions/checkout@v4
 
- - name: Install cargo-audit
- run: cargo install --debug --locked cargo-audit
+ - name: Install cargo-deny
+ run: cargo install --debug --locked cargo-deny
 
- - name: Check dependencies
- run: cargo audit
+ - name: Check dependencies
+ run: cargo deny check
 
 check-wasm:
 name: Check Wasm
@@ -218,7 +218,7 @@ jobs:
 
 - name: Run HTTP integration tests
 run: cargo make ci-http-integration
-
+
 ml-support:
 name: ML integration tests
 runs-on: ubuntu-latest
diff --git a/Cargo.toml b/Cargo.toml
index 9ab03cce..d4018a27 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -44,10 +44,10 @@ base64 = "0.21.5"
 bytes = "1.5.0"
 ciborium = "0.2.1"
 clap = { version = "4.4.11", features = [
- "env",
- "derive",
- "wrap_help",
- "unicode",
+ "env",
+ "derive",
+ "wrap_help",
+ "unicode",
 ] }
 futures = "0.3.29"
 futures-util = "0.3.29"
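Review bot: The new `Install cargo-deny` step installs whichever cargo-deny release is current on crates.io at run time, so the tool that gates every pull request's dependency graph is itself an unpinned fetch, and a new release can change lint semantics or break the job without any change in this repository. `--locked` only pins cargo-deny's own lockfile, not the cargo-deny version being installed. Consider `run: cargo install --debug --locked cargo-deny --version <PINNED-VERSION>` and bump it deliberately. The replaced cargo-audit step had the same property, so this is inherited rather than introduced; the enclosing job definition starts outside the hunk.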
@@ -63,18 +63,18 @@ opentelemetry-otlp = { version = "0.12.0", features = ["metrics"] }
 pin-project-lite = "0.2.13"
 rand = "0.8.5"
 reqwest = { version = "0.11.22", default-features = false, features = [
- "blocking",
- "gzip",
+ "blocking",
+ "gzip",
 ] }
 rmpv = "1.0.1"
 rustyline = { version = "12.0.0", features = ["derive"] }
 serde = { version = "1.0.193", features = ["derive"] }
 serde_json = "1.0.108"
 serde_pack = { version = "1.1.2", package = "rmp-serde" }
-surrealdb = { path = "lib", features = [
- "protocol-http",
- "protocol-ws",
- "rustls",
+surrealdb = { version = "1", path = "lib", features = [
+ "protocol-http",
+ "protocol-ws",
+ "rustls",
 ] }
 surrealml-core = { version = "0.0.7", optional = true }
 tempfile = "3.8.1"
@@ -83,17 +83,17 @@ tokio = { version = "1.34.0", features = ["macros", "signal"] }
 tokio-util = { version = "0.7.10", features = ["io"] }
 tower = "0.4.13"
 tower-http = { version = "0.4.4", features = [
- "trace",
- "sensitive-headers",
- "auth",
- "request-id",
- "util",
- "catch-panic",
- "cors",
- "set-header",
- "limit",
- "add-extension",
- "compression-full",
+ "trace",
+ "sensitive-headers",
+ "auth",
+ "request-id",
+ "util",
+ "catch-panic",
+ "cors",
+ "set-header",
+ "limit",
+ "add-extension",
+ "compression-full",
 ] }
 tracing = "0.1"
 tracing-opentelemetry = "0.19.0"
@@ -117,10 +117,10 @@ jemallocator = "0.5.4"
 assert_fs = "1.0.13"
 env_logger = "0.10.1"
 opentelemetry-proto = { version = "0.2.0", features = [
- "gen-tonic",
- "traces",
- "metrics",
- "logs",
+ "gen-tonic",
+ "traces",
+ "metrics",
+ "logs",
 ] }
 rcgen = "0.11.3"
 serial_test = "2.0.0"
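Review bot: `surrealdb = { version = "1", path = "lib", ... }` now carries a version requirement on a path dependency without saying why; a reader may take it for publishing metadata, but it appears to exist to satisfy the new deny.toml's `wildcards = "deny"` lint, which treats a path dependency with no version as a wildcard — worth confirming. A one-line comment above the entry, `# version is needed by cargo-deny's wildcard lint; keep in sync with lib/Cargo.toml`, would stop it being removed as redundant later. Cargo also requires the version declared in `lib/Cargo.toml` to satisfy this requirement, so the two now have to move together.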
@@ -144,16 +144,16 @@ depends = "$auto"
 section = "utility"
 priority = "optional"
 assets = [
- [
- "target/release/surreal",
- "usr/share/surrealdb/surreal",
- "755",
- ],
- [
- "pkg/deb/README",
- "usr/share/surrealdb/README",
- "644",
- ],
+ [
+ "target/release/surreal",
+ "usr/share/surrealdb/surreal",
+ "755",
+ ],
+ [
+ "pkg/deb/README",
+ "usr/share/surrealdb/README",
+ "644",
+ ],
 ]
 extended-description = "A scalable, distributed, collaborative, document-graph database, for the realtime web."
 license-file = ["LICENSE", "4"]
diff --git a/SECURITY.md b/SECURITY.md
index 2de162d0..96def4f5 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -54,7 +54,8 @@ possible workarounds. Vulnerabilities in third-party dependencies may only be independently published by SurrealDB when they affect a SurrealDB binary or platform. In those cases, the original CVE identifier will be referenced. Vulnerabilities affecting SurrealDB libraries will not be published again by SurrealDB when an advisory already exists for the original dependency -as security tooling (e.g. `cargo audit` or Dependabot) will already be able to track it up the dependency tree. +as security tooling (e.g. `cargo audit`, or `cargo deny check` or Dependabot) will already be able to track it up the +dependency tree. ## Security Updates
@@ -79,7 +80,7 @@ changes will only be included in major and minor releases; never in patch releas ### Dependencies Dependencies used by SurrealDB are [checked for known vulnerabilities in -CI](https://github.com/surrealdb/surrealdb/pull/3123) using `cargo audit`. Developers are required to either update, +CI](https://github.com/surrealdb/surrealdb/pull/3386) using `cargo deny check`. Developers are required to either update, replace or acknowledge vulnerable dependencies found during the approval process of every pull request. Additionally, SurrealDB makes use of Github's [Dependabot alerts](https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts) to continuously
diff --git a/deny.toml b/deny.toml
new file mode 100644
index 00000000..23739434
--- /dev/null
+++ b/deny.toml
@@ -0,0 +1,144 @@
+# See all available configuration options at:
+# https://embarkstudios.github.io/cargo-deny/index.html
+
+# --------------------------------------------------
+# General
+# --------------------------------------------------
+
+# If true, metadata will be collected with `--all-features`
+all-features = true
+# If true, metadata will be collected with `--no-default-features`
+no-default-features = true
+
+# --------------------------------------------------
+# BANS
+# --------------------------------------------------
+
+[bans]
+# The graph highlighting used when creating dotgraphs for crates.
+highlight = "all"
+# The lint level for when a crate version requirement is set to `*`.
+wildcards = "deny"
+# Lint level for when multiple versions of the same crate are detected.
+multiple-versions = "allow"
+# The default lint level for `default` features for workspace crates.
+workspace-default-features = "allow"
+# The default lint level for `default` features for external crates.
+external-default-features = "allow"
+
+# --------------------------------------------------
+# SOURCES
+# --------------------------------------------------
+
+[sources]
+# What to do when encountering a repository from a host not in the allow list.
+unknown-git = "deny"
+# What to do when encountering a crate from a registry not in the allow list.
+unknown-registry = "deny"
+# List of URLs for allowed crate registries. Defaults to the crates.io index
+# if not specified. If it is specified but empty, no registries are allowed.
+allow-registry = ["https://github.com/rust-lang/crates.io-index"]
+# List of URLs for allowed Git repositories
+allow-git = []
+
+# --------------------------------------------------
+# ADVISORIES
+# --------------------------------------------------
+
+[advisories]
+# The url(s) of the advisory databases to use.
+db-urls = ["https://github.com/rustsec/advisory-db"]
+# The path where the advisory database is cloned/fetched into.
+db-path = "~/.cargo/advisory-db"
+# The lint level for security vulnerabilities.
+vulnerability = "deny"
+# The lint level for crates which are unmaintained.
+unmaintained = "warn"
+# The lint level for crates that have been yanked.
+yanked = "warn"
+# The lint level for crates with security notices.
+notice = "warn"
+# Threshold for security vulnerabilities: None, Low, Medium, High, Critical.
+severity-threshold = "None"
+# A list of security advisory identifiers to ignore.
+ignore = [
+ # Will be resolved once "surrealdb-jsonwebtoken", a temporary fork
+ # of "jsonwebtoken", is replaced by the upstream version which no
+ # longer uses the affected "rsa" crate.
+ "RUSTSEC-2023-0071",
+]
+
+# --------------------------------------------------
+# LICENSES
+# --------------------------------------------------
+
+[licenses]
+# Deny licenses which are not listed here explicitly.
+default = "deny"
+# Lint level for licenses which are considered copyleft.
+copyleft = "warn"
+# Deny source code which does not have a license specified.
+unlicensed = "deny"
+# List of explicitly allowed licenses from https://spdx.org/licenses
+allow = [
+ "MIT",
+ "ISC",
+ "Zlib",
+ "BSL-1.0",
+ "CC0-1.0",
+ "MPL-2.0",
+ "Apache-2.0",
+ "BSD-3-Clause",
+ "Unlicense",
+]
+# The confidence threshold for detecting a license from license text.
+confidence-threshold = 0.95
+
+# Allow specific licenses on a per-crate basis, instead of globally.
+
+[[licenses.exceptions]]
+name = "ring"
+version = "*"
+allow = ["OpenSSL"]
+
+[[licenses.exceptions]]
+name = "surreal"
+version = "*"
+allow = ["BUSL-1.1"]
+
+[[licenses.exceptions]]
+name = "surrealdb"
+version = "*"
+allow = ["BUSL-1.1"]
+
+[[licenses.exceptions]]
+name = "surrealml-core"
+version = "*"
+allow = ["Apache-2.0"]
+
+[[licenses.exceptions]]
+name = "unicode-ident"
+version = "*"
+allow = ["Unicode-DFS-2016"]
+
+# Specify overrides for crates where licenses are hard to guess.
+
+[[licenses.clarify]]
+name = "surreal"
+expression = "BUSL-1.1"
+license-files = []
+
+[[licenses.clarify]]
+name = "surrealdb"
+expression = "BUSL-1.1"
+license-files = []
+
+[[licenses.clarify]]
+name = "surrealml-core"
+expression = "Apache-2.0"
+license-files = []
+
+[[licenses.clarify]]
+name = "ring"
+expression = "MIT AND ISC AND OpenSSL"
+license-files = [{ path = "LICENSE", hash = 0xbd0eed23 }]
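Review bot: The `RUSTSEC-2023-0071` entry in `[advisories].ignore` explains why it is suppressed but gives nothing that would cause it to be revisited, and cargo-deny will keep accepting it indefinitely once the `surrealdb-jsonwebtoken` fork is gone. Extend the comment with an owner reference, e.g. `# Tracked in: <ISSUE-OR-PR-URL>; remove once the fork is replaced`, so the suppression is found when that dependency changes. The `[[licenses.exceptions]]` entry for `surrealml-core` only allows `Apache-2.0`, which is already in the global `allow` list, so it is a no-op and can be dropped. The `ring` clarify pins its `LICENSE` file by `hash = 0xbd0eed23`, so a ring upgrade that touches that file will fail the check; a comment such as `# hash must be updated when bumping ring` would make that failure self-explanatory.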