Add configuration and checks for cargo deny
(#3386)
This commit is contained in:
parent
7f39754ec2
commit
8f62a5cf06
5 changed files with 187 additions and 49 deletions
|
@ -1,7 +0,0 @@
|
||||||
[advisories]
|
|
||||||
ignore = [
|
|
||||||
# Will be resolved once "surrealdb-jsonwebtoken", a temporary fork
|
|
||||||
# of "jsonwebtoken", is replaced by the upstream version which no
|
|
||||||
# longer uses the affected "rsa" crate.
|
|
||||||
"RUSTSEC-2023-0071"
|
|
||||||
]
|
|
6
.github/workflows/ci.yml
6
.github/workflows/ci.yml
|
@ -93,11 +93,11 @@ jobs:
|
||||||
- name: Checkout sources
|
- name: Checkout sources
|
||||||
uses: actions/checkout@v4
|
uses: actions/checkout@v4
|
||||||
|
|
||||||
- name: Install cargo-audit
|
- name: Install cargo-deny
|
||||||
run: cargo install --debug --locked cargo-audit
|
run: cargo install --debug --locked cargo-deny
|
||||||
|
|
||||||
- name: Check dependencies
|
- name: Check dependencies
|
||||||
run: cargo audit
|
run: cargo deny check
|
||||||
|
|
||||||
check-wasm:
|
check-wasm:
|
||||||
name: Check Wasm
|
name: Check Wasm
|
||||||
|
|
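Review bot: `cargo install --debug --locked cargo-deny` in the new install step pins cargo-deny's own dependency lockfile but not the cargo-deny version, so every CI run resolves to whatever release is latest on crates.io and a new release (or a changed default lint) can start failing, or quietly relaxing, the dependency check without any change in this repository. Pinning the tool makes the check reproducible and its upgrades deliberate, e.g. `run: cargo install --debug --locked cargo-deny --version <PINNED_VERSION>` with the placeholder replaced by the version the configuration was written against. The same applied to the cargo-audit step being replaced, so this is not a regression introduced here. The enclosing job definition starts outside the hunk.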
70
Cargo.toml
70
Cargo.toml
|
@ -44,10 +44,10 @@ base64 = "0.21.5"
|
||||||
bytes = "1.5.0"
|
bytes = "1.5.0"
|
||||||
ciborium = "0.2.1"
|
ciborium = "0.2.1"
|
||||||
clap = { version = "4.4.11", features = [
|
clap = { version = "4.4.11", features = [
|
||||||
"env",
|
"env",
|
||||||
"derive",
|
"derive",
|
||||||
"wrap_help",
|
"wrap_help",
|
||||||
"unicode",
|
"unicode",
|
||||||
] }
|
] }
|
||||||
futures = "0.3.29"
|
futures = "0.3.29"
|
||||||
futures-util = "0.3.29"
|
futures-util = "0.3.29"
|
||||||
|
@ -63,18 +63,18 @@ opentelemetry-otlp = { version = "0.12.0", features = ["metrics"] }
|
||||||
pin-project-lite = "0.2.13"
|
pin-project-lite = "0.2.13"
|
||||||
rand = "0.8.5"
|
rand = "0.8.5"
|
||||||
reqwest = { version = "0.11.22", default-features = false, features = [
|
reqwest = { version = "0.11.22", default-features = false, features = [
|
||||||
"blocking",
|
"blocking",
|
||||||
"gzip",
|
"gzip",
|
||||||
] }
|
] }
|
||||||
rmpv = "1.0.1"
|
rmpv = "1.0.1"
|
||||||
rustyline = { version = "12.0.0", features = ["derive"] }
|
rustyline = { version = "12.0.0", features = ["derive"] }
|
||||||
serde = { version = "1.0.193", features = ["derive"] }
|
serde = { version = "1.0.193", features = ["derive"] }
|
||||||
serde_json = "1.0.108"
|
serde_json = "1.0.108"
|
||||||
serde_pack = { version = "1.1.2", package = "rmp-serde" }
|
serde_pack = { version = "1.1.2", package = "rmp-serde" }
|
||||||
surrealdb = { path = "lib", features = [
|
surrealdb = { version = "1", path = "lib", features = [
|
||||||
"protocol-http",
|
"protocol-http",
|
||||||
"protocol-ws",
|
"protocol-ws",
|
||||||
"rustls",
|
"rustls",
|
||||||
] }
|
] }
|
||||||
surrealml-core = { version = "0.0.7", optional = true }
|
surrealml-core = { version = "0.0.7", optional = true }
|
||||||
tempfile = "3.8.1"
|
tempfile = "3.8.1"
|
||||||
|
@ -83,17 +83,17 @@ tokio = { version = "1.34.0", features = ["macros", "signal"] }
|
||||||
tokio-util = { version = "0.7.10", features = ["io"] }
|
tokio-util = { version = "0.7.10", features = ["io"] }
|
||||||
tower = "0.4.13"
|
tower = "0.4.13"
|
||||||
tower-http = { version = "0.4.4", features = [
|
tower-http = { version = "0.4.4", features = [
|
||||||
"trace",
|
"trace",
|
||||||
"sensitive-headers",
|
"sensitive-headers",
|
||||||
"auth",
|
"auth",
|
||||||
"request-id",
|
"request-id",
|
||||||
"util",
|
"util",
|
||||||
"catch-panic",
|
"catch-panic",
|
||||||
"cors",
|
"cors",
|
||||||
"set-header",
|
"set-header",
|
||||||
"limit",
|
"limit",
|
||||||
"add-extension",
|
"add-extension",
|
||||||
"compression-full",
|
"compression-full",
|
||||||
] }
|
] }
|
||||||
tracing = "0.1"
|
tracing = "0.1"
|
||||||
tracing-opentelemetry = "0.19.0"
|
tracing-opentelemetry = "0.19.0"
|
||||||
|
@ -117,10 +117,10 @@ jemallocator = "0.5.4"
|
||||||
assert_fs = "1.0.13"
|
assert_fs = "1.0.13"
|
||||||
env_logger = "0.10.1"
|
env_logger = "0.10.1"
|
||||||
opentelemetry-proto = { version = "0.2.0", features = [
|
opentelemetry-proto = { version = "0.2.0", features = [
|
||||||
"gen-tonic",
|
"gen-tonic",
|
||||||
"traces",
|
"traces",
|
||||||
"metrics",
|
"metrics",
|
||||||
"logs",
|
"logs",
|
||||||
] }
|
] }
|
||||||
rcgen = "0.11.3"
|
rcgen = "0.11.3"
|
||||||
serial_test = "2.0.0"
|
serial_test = "2.0.0"
|
||||||
|
@ -144,16 +144,16 @@ depends = "$auto"
|
||||||
section = "utility"
|
section = "utility"
|
||||||
priority = "optional"
|
priority = "optional"
|
||||||
assets = [
|
assets = [
|
||||||
[
|
[
|
||||||
"target/release/surreal",
|
"target/release/surreal",
|
||||||
"usr/share/surrealdb/surreal",
|
"usr/share/surrealdb/surreal",
|
||||||
"755",
|
"755",
|
||||||
],
|
],
|
||||||
[
|
[
|
||||||
"pkg/deb/README",
|
"pkg/deb/README",
|
||||||
"usr/share/surrealdb/README",
|
"usr/share/surrealdb/README",
|
||||||
"644",
|
"644",
|
||||||
],
|
],
|
||||||
]
|
]
|
||||||
extended-description = "A scalable, distributed, collaborative, document-graph database, for the realtime web."
|
extended-description = "A scalable, distributed, collaborative, document-graph database, for the realtime web."
|
||||||
license-file = ["LICENSE", "4"]
|
license-file = ["LICENSE", "4"]
|
||||||
|
|
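Review bot: The `surrealdb` workspace dependency at the one changed line gains `version = "1"` next to `path = "lib"` with no comment explaining why, and since the version requirement on a path dependency is only consulted when the crate is published, a later reader may well remove it as redundant. Presumably it is there because cargo-deny's `wildcards = "deny"` lint treats a path dependency without a version requirement as `*`; I would record that above the entry, e.g. `# version is required alongside path, otherwise cargo-deny's wildcards lint treats this as "*"`. The requirement also has to remain compatible with the version declared in `lib/Cargo.toml`, or publishing will fail. The other hunks in this file look whitespace-only as rendered, and the `[dependencies]` table they belong to starts outside the hunk.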
|
@ -54,7 +54,8 @@ possible workarounds.
|
||||||
Vulnerabilities in third-party dependencies may only be independently published by SurrealDB when they affect a
|
Vulnerabilities in third-party dependencies may only be independently published by SurrealDB when they affect a
|
||||||
SurrealDB binary or platform. In those cases, the original CVE identifier will be referenced. Vulnerabilities affecting
|
SurrealDB binary or platform. In those cases, the original CVE identifier will be referenced. Vulnerabilities affecting
|
||||||
SurrealDB libraries will not be published again by SurrealDB when an advisory already exists for the original dependency
|
SurrealDB libraries will not be published again by SurrealDB when an advisory already exists for the original dependency
|
||||||
as security tooling (e.g. `cargo audit` or Dependabot) will already be able to track it up the dependency tree.
|
as security tooling (e.g. `cargo audit`, or `cargo deny check` or Dependabot) will already be able to track it up the
|
||||||
|
dependency tree.
|
||||||
|
|
||||||
## Security Updates
|
## Security Updates
|
||||||
|
|
||||||
|
@ -79,7 +80,7 @@ changes will only be included in major and minor releases; never in patch releas
|
||||||
### Dependencies
|
### Dependencies
|
||||||
|
|
||||||
Dependencies used by SurrealDB are [checked for known vulnerabilities in
|
Dependencies used by SurrealDB are [checked for known vulnerabilities in
|
||||||
CI](https://github.com/surrealdb/surrealdb/pull/3123) using `cargo audit`. Developers are required to either update,
|
CI](https://github.com/surrealdb/surrealdb/pull/3386) using `cargo deny check`. Developers are required to either update,
|
||||||
replace or acknowledge vulnerable dependencies found during the approval process of every pull request. Additionally,
|
replace or acknowledge vulnerable dependencies found during the approval process of every pull request. Additionally,
|
||||||
SurrealDB makes use of Github's [Dependabot
|
SurrealDB makes use of Github's [Dependabot
|
||||||
alerts](https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts) to continuously
|
alerts](https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts) to continuously
|
||||||
|
|
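--- a/deny.toml
+++ b/deny.toml
@@ -0,0 +1,144 @@
+# See all available configuration options at:
+# https://embarkstudios.github.io/cargo-deny/index.html
+
+# --------------------------------------------------
+# General
+# --------------------------------------------------
+
+# If true, metadata will be collected with `--all-features`
+all-features = true
+# If true, metadata will be collected with `--no-default-features`
+no-default-features = true
+
+# --------------------------------------------------
+# BANS
+# --------------------------------------------------
+
+[bans]
+# The graph highlighting used when creating dotgraphs for crates.
+highlight = "all"
+# The lint level for when a crate version requirement is set to `*`.
+wildcards = "deny"
+# Lint level for when multiple versions of the same crate are detected.
+multiple-versions = "allow"
+# The default lint level for `default` features for workspace crates.
+workspace-default-features = "allow"
+# The default lint level for `default` features for external crates.
+external-default-features = "allow"
+
+# --------------------------------------------------
+# SOURCES
+# --------------------------------------------------
+
+[sources]
+# What to do when encountering a repository from a host not in the allow list.
+unknown-git = "deny"
+# What to do when encountering a crate from a registry not in the allow list.
+unknown-registry = "deny"
+# List of URLs for allowed crate registries. Defaults to the crates.io index
+# if not specified. If it is specified but empty, no registries are allowed.
+allow-registry = ["https://github.com/rust-lang/crates.io-index"]
+# List of URLs for allowed Git repositories
+allow-git = []
+
+# --------------------------------------------------
+# ADVISORIES
+# --------------------------------------------------
+
+[advisories]
+# The url(s) of the advisory databases to use.
+db-urls = ["https://github.com/rustsec/advisory-db"]
+# The path where the advisory database is cloned/fetched into.
+db-path = "~/.cargo/advisory-db"
+# The lint level for security vulnerabilities.
+vulnerability = "deny"
+# The lint level for crates which are unmaintained.
+unmaintained = "warn"
+# The lint level for crates that have been yanked.
+yanked = "warn"
+# The lint level for crates with security notices.
+notice = "warn"
+# Threshold for security vulnerabilities: None, Low, Medium, High, Critical.
+severity-threshold = "None"
+# A list of security advisory identifiers to ignore.
+ignore = [
+# Will be resolved once "surrealdb-jsonwebtoken", a temporary fork
+# of "jsonwebtoken", is replaced by the upstream version which no
+# longer uses the affected "rsa" crate.
+"RUSTSEC-2023-0071",
+]
+
+# --------------------------------------------------
+# LICENSES
+# --------------------------------------------------
+
+[licenses]
+# Deny licenses which are not listed here explicitly.
+default = "deny"
+# Lint level for licenses which are considered copyleft.
+copyleft = "warn"
+# Deny source code which does not have a license specified.
+unlicensed = "deny"
+# List of explicitly allowed licenses from https://spdx.org/licenses
+allow = [
+"MIT",
+"ISC",
+"Zlib",
+"BSL-1.0",
+"CC0-1.0",
+"MPL-2.0",
+"Apache-2.0",
+"BSD-3-Clause",
+"Unlicense",
+]
+# The confidence threshold for detecting a license from license text.
+confidence-threshold = 0.95
+
+# Allow specific licenses on a per-crate basis, instead of globally.
+
+[[licenses.exceptions]]
+name = "ring"
+version = "*"
+allow = ["OpenSSL"]
+
+[[licenses.exceptions]]
+name = "surreal"
+version = "*"
+allow = ["BUSL-1.1"]
+
+[[licenses.exceptions]]
+name = "surrealdb"
+version = "*"
+allow = ["BUSL-1.1"]
+
+[[licenses.exceptions]]
+name = "surrealml-core"
+version = "*"
+allow = ["Apache-2.0"]
+
+[[licenses.exceptions]]
+name = "unicode-ident"
+version = "*"
+allow = ["Unicode-DFS-2016"]
+
+# Specify overrides for crates where licenses are hard to guess.
+
+[[licenses.clarify]]
+name = "surreal"
+expression = "BUSL-1.1"
+license-files = []
+
+[[licenses.clarify]]
+name = "surrealdb"
+expression = "BUSL-1.1"
+license-files = []
+
+[[licenses.clarify]]
+name = "surrealml-core"
+expression = "Apache-2.0"
+license-files = []
+
+[[licenses.clarify]]
+name = "ring"
+expression = "MIT AND ISC AND OpenSSL"
+license-files = [{ path = "LICENSE", hash = 0xbd0eed23 }]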
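Review bot: `all-features = true` and `no-default-features = true` are both set at the top of the new file, and as far as I can tell `--all-features` turns the default features on as well, so the second key has no effect here; if the intent is to also check the graph with defaults disabled, that needs a separate `cargo deny check` run rather than both flags at once — worth confirming against the cargo-deny documentation linked in the header comment. Separately, `unmaintained`, `yanked` and `notice` are all `"warn"`, and warnings do not make `cargo deny check` exit non-zero, so the CI step in `.github/workflows/ci.yml` will not block a merge on a yanked or unmaintained dependency; if that is the intended policy, a comment such as `# warn only: reported in the CI log but does not fail the check` above those keys makes it explicit, and if not, `yanked = "deny"` is the usual choice. The `ignore` entry for `RUSTSEC-2023-0071` is well justified; noting next to it where the replacement of the fork is tracked would help ensure the exception is revisited rather than inherited indefinitely.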