Add configuration and checks for cargo deny
(#3386)
This commit is contained in:
parent
7f39754ec2
commit
8f62a5cf06
5 changed files with 187 additions and 49 deletions
|
@ -1,7 +0,0 @@
|
||||||
[advisories]
|
|
||||||
ignore = [
|
|
||||||
# Will be resolved once "surrealdb-jsonwebtoken", a temporary fork
|
|
||||||
# of "jsonwebtoken", is replaced by the upstream version which no
|
|
||||||
# longer uses the affected "rsa" crate.
|
|
||||||
"RUSTSEC-2023-0071"
|
|
||||||
]
|
|
6
.github/workflows/ci.yml
vendored
6
.github/workflows/ci.yml
vendored
|
@ -93,11 +93,11 @@ jobs:
|
||||||
- name: Checkout sources
|
- name: Checkout sources
|
||||||
uses: actions/checkout@v4
|
uses: actions/checkout@v4
|
||||||
|
|
||||||
- name: Install cargo-audit
|
- name: Install cargo-deny
|
||||||
run: cargo install --debug --locked cargo-audit
|
run: cargo install --debug --locked cargo-deny
|
||||||
|
|
||||||
- name: Check dependencies
|
- name: Check dependencies
|
||||||
run: cargo audit
|
run: cargo deny check
|
||||||
|
|
||||||
check-wasm:
|
check-wasm:
|
||||||
name: Check Wasm
|
name: Check Wasm
|
||||||
|
|
|
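Review bot: The new install step `run: cargo install --debug --locked cargo-deny` locks cargo-deny's own dependency tree but not cargo-deny's version, so each CI run picks up whatever the latest release is, and the keys accepted by the new deny.toml as well as lint defaults can change under this job without any commit to the repository. Pinning keeps the check reproducible and makes upgrades deliberate, e.g. `run: cargo install --debug --locked cargo-deny --version <PINNED_VERSION>` (placeholder). Bare `cargo deny check` also runs every configured check, so the "Check dependencies" step now fails on license and source findings as well as advisories, which is broader than the `cargo audit` it replaces and worth stating in the step name or a comment. The enclosing job definition starts before this hunk.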
@ -71,7 +71,7 @@ rustyline = { version = "12.0.0", features = ["derive"] }
|
||||||
serde = { version = "1.0.193", features = ["derive"] }
|
serde = { version = "1.0.193", features = ["derive"] }
|
||||||
serde_json = "1.0.108"
|
serde_json = "1.0.108"
|
||||||
serde_pack = { version = "1.1.2", package = "rmp-serde" }
|
serde_pack = { version = "1.1.2", package = "rmp-serde" }
|
||||||
surrealdb = { path = "lib", features = [
|
surrealdb = { version = "1", path = "lib", features = [
|
||||||
"protocol-http",
|
"protocol-http",
|
||||||
"protocol-ws",
|
"protocol-ws",
|
||||||
"rustls",
|
"rustls",
|
||||||
|
|
|
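Review bot: `surrealdb = { version = "1", path = "lib", features = [` adds a version requirement next to the path and nothing in the hunk records why; the requirement must keep matching the version declared by the crate under `lib`, otherwise dependency resolution fails outright. Presumably it is there because the new deny.toml sets `wildcards = "deny"` under `[bans]`, which flags path dependencies without a version; a one-line comment above the entry, `# version is required alongside path so that cargo-deny's wildcard lint accepts this dependency`, would save the next reader the search. If the cargo-deny version in use supports `allow-wildcard-paths = true` under `[bans]`, that is the alternative that avoids duplicating the crate version here. The enclosing dependency table starts before this hunk.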
@ -54,7 +54,8 @@ possible workarounds.
|
||||||
Vulnerabilities in third-party dependencies may only be independently published by SurrealDB when they affect a
|
Vulnerabilities in third-party dependencies may only be independently published by SurrealDB when they affect a
|
||||||
SurrealDB binary or platform. In those cases, the original CVE identifier will be referenced. Vulnerabilities affecting
|
SurrealDB binary or platform. In those cases, the original CVE identifier will be referenced. Vulnerabilities affecting
|
||||||
SurrealDB libraries will not be published again by SurrealDB when an advisory already exists for the original dependency
|
SurrealDB libraries will not be published again by SurrealDB when an advisory already exists for the original dependency
|
||||||
as security tooling (e.g. `cargo audit` or Dependabot) will already be able to track it up the dependency tree.
|
as security tooling (e.g. `cargo audit`, or `cargo deny check` or Dependabot) will already be able to track it up the
|
||||||
|
dependency tree.
|
||||||
|
|
||||||
## Security Updates
|
## Security Updates
|
||||||
|
|
||||||
|
@ -79,7 +80,7 @@ changes will only be included in major and minor releases; never in patch releas
|
||||||
### Dependencies
|
### Dependencies
|
||||||
|
|
||||||
Dependencies used by SurrealDB are [checked for known vulnerabilities in
|
Dependencies used by SurrealDB are [checked for known vulnerabilities in
|
||||||
CI](https://github.com/surrealdb/surrealdb/pull/3123) using `cargo audit`. Developers are required to either update,
|
CI](https://github.com/surrealdb/surrealdb/pull/3386) using `cargo deny check`. Developers are required to either update,
|
||||||
replace or acknowledge vulnerable dependencies found during the approval process of every pull request. Additionally,
|
replace or acknowledge vulnerable dependencies found during the approval process of every pull request. Additionally,
|
||||||
SurrealDB makes use of Github's [Dependabot
|
SurrealDB makes use of Github's [Dependabot
|
||||||
alerts](https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts) to continuously
|
alerts](https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts) to continuously
|
||||||
|
|
144
deny.toml
Normal file
144
deny.toml
Normal file
|
@ -0,0 +1,144 @@
|
||||||
|
# See all available configuration options at:
|
||||||
|
# https://embarkstudios.github.io/cargo-deny/index.html
|
||||||
|
|
||||||
|
# --------------------------------------------------
|
||||||
|
# General
|
||||||
|
# --------------------------------------------------
|
||||||
|
|
||||||
|
# If true, metadata will be collected with `--all-features`
|
||||||
|
all-features = true
|
||||||
|
# If true, metadata will be collected with `--no-default-features`
|
||||||
|
no-default-features = true
|
||||||
|
|
||||||
|
# --------------------------------------------------
|
||||||
|
# BANS
|
||||||
|
# --------------------------------------------------
|
||||||
|
|
||||||
|
[bans]
|
||||||
|
# The graph highlighting used when creating dotgraphs for crates.
|
||||||
|
highlight = "all"
|
||||||
|
# The lint level for when a crate version requirement is set to `*`.
|
||||||
|
wildcards = "deny"
|
||||||
|
# Lint level for when multiple versions of the same crate are detected.
|
||||||
|
multiple-versions = "allow"
|
||||||
|
# The default lint level for `default` features for workspace crates.
|
||||||
|
workspace-default-features = "allow"
|
||||||
|
# The default lint level for `default` features for external crates.
|
||||||
|
external-default-features = "allow"
|
||||||
|
|
||||||
|
# --------------------------------------------------
|
||||||
|
# SOURCES
|
||||||
|
# --------------------------------------------------
|
||||||
|
|
||||||
|
[sources]
|
||||||
|
# What to do when encountering a repository from a host not in the allow list.
|
||||||
|
unknown-git = "deny"
|
||||||
|
# What to do when encountering a crate from a registry not in the allow list.
|
||||||
|
unknown-registry = "deny"
|
||||||
|
# List of URLs for allowed crate registries. Defaults to the crates.io index
|
||||||
|
# if not specified. If it is specified but empty, no registries are allowed.
|
||||||
|
allow-registry = ["https://github.com/rust-lang/crates.io-index"]
|
||||||
|
# List of URLs for allowed Git repositories
|
||||||
|
allow-git = []
|
||||||
|
|
||||||
|
# --------------------------------------------------
|
||||||
|
# ADVISORIES
|
||||||
|
# --------------------------------------------------
|
||||||
|
|
||||||
|
[advisories]
|
||||||
|
# The url(s) of the advisory databases to use.
|
||||||
|
db-urls = ["https://github.com/rustsec/advisory-db"]
|
||||||
|
# The path where the advisory database is cloned/fetched into.
|
||||||
|
db-path = "~/.cargo/advisory-db"
|
||||||
|
# The lint level for security vulnerabilities.
|
||||||
|
vulnerability = "deny"
|
||||||
|
# The lint level for crates which are unmaintained.
|
||||||
|
unmaintained = "warn"
|
||||||
|
# The lint level for crates that have been yanked.
|
||||||
|
yanked = "warn"
|
||||||
|
# The lint level for crates with security notices.
|
||||||
|
notice = "warn"
|
||||||
|
# Threshold for security vulnerabilities: None, Low, Medium, High, Critical.
|
||||||
|
severity-threshold = "None"
|
||||||
|
# A list of security advisory identifiers to ignore.
|
||||||
|
ignore = [
|
||||||
|
# Will be resolved once "surrealdb-jsonwebtoken", a temporary fork
|
||||||
|
# of "jsonwebtoken", is replaced by the upstream version which no
|
||||||
|
# longer uses the affected "rsa" crate.
|
||||||
|
"RUSTSEC-2023-0071",
|
||||||
|
]
|
||||||
|
|
||||||
|
# --------------------------------------------------
|
||||||
|
# LICENSES
|
||||||
|
# --------------------------------------------------
|
||||||
|
|
||||||
|
[licenses]
|
||||||
|
# Deny licenses which are not listed here explicitly.
|
||||||
|
default = "deny"
|
||||||
|
# Lint level for licenses which are considered copyleft.
|
||||||
|
copyleft = "warn"
|
||||||
|
# Deny source code which does not have a license specified.
|
||||||
|
unlicensed = "deny"
|
||||||
|
# List of explicitly allowed licenses from https://spdx.org/licenses
|
||||||
|
allow = [
|
||||||
|
"MIT",
|
||||||
|
"ISC",
|
||||||
|
"Zlib",
|
||||||
|
"BSL-1.0",
|
||||||
|
"CC0-1.0",
|
||||||
|
"MPL-2.0",
|
||||||
|
"Apache-2.0",
|
||||||
|
"BSD-3-Clause",
|
||||||
|
"Unlicense",
|
||||||
|
]
|
||||||
|
# The confidence threshold for detecting a license from license text.
|
||||||
|
confidence-threshold = 0.95
|
||||||
|
|
||||||
|
# Allow specific licenses on a per-crate basis, instead of globally.
|
||||||
|
|
||||||
|
[[licenses.exceptions]]
|
||||||
|
name = "ring"
|
||||||
|
version = "*"
|
||||||
|
allow = ["OpenSSL"]
|
||||||
|
|
||||||
|
[[licenses.exceptions]]
|
||||||
|
name = "surreal"
|
||||||
|
version = "*"
|
||||||
|
allow = ["BUSL-1.1"]
|
||||||
|
|
||||||
|
[[licenses.exceptions]]
|
||||||
|
name = "surrealdb"
|
||||||
|
version = "*"
|
||||||
|
allow = ["BUSL-1.1"]
|
||||||
|
|
||||||
|
[[licenses.exceptions]]
|
||||||
|
name = "surrealml-core"
|
||||||
|
version = "*"
|
||||||
|
allow = ["Apache-2.0"]
|
||||||
|
|
||||||
|
[[licenses.exceptions]]
|
||||||
|
name = "unicode-ident"
|
||||||
|
version = "*"
|
||||||
|
allow = ["Unicode-DFS-2016"]
|
||||||
|
|
||||||
|
# Specify overrides for crates where licenses are hard to guess.
|
||||||
|
|
||||||
|
[[licenses.clarify]]
|
||||||
|
name = "surreal"
|
||||||
|
expression = "BUSL-1.1"
|
||||||
|
license-files = []
|
||||||
|
|
||||||
|
[[licenses.clarify]]
|
||||||
|
name = "surrealdb"
|
||||||
|
expression = "BUSL-1.1"
|
||||||
|
license-files = []
|
||||||
|
|
||||||
|
[[licenses.clarify]]
|
||||||
|
name = "surrealml-core"
|
||||||
|
expression = "Apache-2.0"
|
||||||
|
license-files = []
|
||||||
|
|
||||||
|
[[licenses.clarify]]
|
||||||
|
name = "ring"
|
||||||
|
expression = "MIT AND ISC AND OpenSSL"
|
||||||
|
license-files = [{ path = "LICENSE", hash = 0xbd0eed23 }]
|
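Review bot: The `[[licenses.exceptions]]` entry for `surrealml-core` allows `Apache-2.0`, which the global `allow` list under `[licenses]` already contains, so that exception has no effect; only the `[[licenses.clarify]]` entry for the same crate does any work, and the exception should be dropped or given a comment saying why it is kept. The advisory `ignore` for `RUSTSEC-2023-0071` explains the cause but carries no reference by which the suppression will be revisited; adding `# Tracking: <ISSUE_OR_PR_URL>` (placeholder) above the entry gives the fork replacement an owner. Note also that `unmaintained`, `yanked` and `notice` are set to `warn`, so those findings appear only in the CI log and never fail `cargo deny check`; that is a defensible default, but a comment stating it is deliberate would help, since the adjacent `vulnerability = "deny"` reads as the policy. Finally, `all-features = true` together with `no-default-features = true` is presumably intentional (enabling all features includes the default set anyway), but a short comment would preempt the question.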