Add configuration and checks for cargo deny
(#3386)
This commit is contained in:
parent
7f39754ec2
commit
8f62a5cf06
5 changed files with 187 additions and 49 deletions
|
@ -1,7 +0,0 @@
|
|||
[advisories]
|
||||
ignore = [
|
||||
# Will be resolved once "surrealdb-jsonwebtoken", a temporary fork
|
||||
# of "jsonwebtoken", is replaced by the upstream version which no
|
||||
# longer uses the affected "rsa" crate.
|
||||
"RUSTSEC-2023-0071"
|
||||
]
|
10
.github/workflows/ci.yml
vendored
10
.github/workflows/ci.yml
vendored
|
@ -93,11 +93,11 @@ jobs:
|
|||
- name: Checkout sources
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- name: Install cargo-audit
|
||||
run: cargo install --debug --locked cargo-audit
|
||||
- name: Install cargo-deny
|
||||
run: cargo install --debug --locked cargo-deny
|
||||
|
||||
- name: Check dependencies
|
||||
run: cargo audit
|
||||
- name: Check dependencies
|
||||
run: cargo deny check
|
||||
|
||||
check-wasm:
|
||||
name: Check Wasm
|
||||
|
@ -218,7 +218,7 @@ jobs:
|
|||
|
||||
- name: Run HTTP integration tests
|
||||
run: cargo make ci-http-integration
|
||||
|
||||
|
||||
ml-support:
|
||||
name: ML integration tests
|
||||
runs-on: ubuntu-latest
|
||||
|
|
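Review bot: The new install step `run: cargo install --debug --locked cargo-deny` pins cargo-deny's own dependency tree but not cargo-deny itself, so each CI run builds whatever version is newest on crates.io, and a release that adds or tightens a lint can turn the `Check dependencies` step red with no change to this repository. Pinning with `run: cargo install --debug --locked cargo-deny --version <PINNED_CARGO_DENY_VERSION>` (placeholder for the version you validate against) makes the gate reproducible; the advisory database that `cargo deny check` fetches at run time will still move between runs, which is intended, but a surprise failure is then attributable to a new advisory rather than to tool drift. The enclosing job starts before this hunk and its remaining steps are not visible here.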
70
Cargo.toml
70
Cargo.toml
|
@ -44,10 +44,10 @@ base64 = "0.21.5"
|
|||
bytes = "1.5.0"
|
||||
ciborium = "0.2.1"
|
||||
clap = { version = "4.4.11", features = [
|
||||
"env",
|
||||
"derive",
|
||||
"wrap_help",
|
||||
"unicode",
|
||||
"env",
|
||||
"derive",
|
||||
"wrap_help",
|
||||
"unicode",
|
||||
] }
|
||||
futures = "0.3.29"
|
||||
futures-util = "0.3.29"
|
||||
|
@ -63,18 +63,18 @@ opentelemetry-otlp = { version = "0.12.0", features = ["metrics"] }
|
|||
pin-project-lite = "0.2.13"
|
||||
rand = "0.8.5"
|
||||
reqwest = { version = "0.11.22", default-features = false, features = [
|
||||
"blocking",
|
||||
"gzip",
|
||||
"blocking",
|
||||
"gzip",
|
||||
] }
|
||||
rmpv = "1.0.1"
|
||||
rustyline = { version = "12.0.0", features = ["derive"] }
|
||||
serde = { version = "1.0.193", features = ["derive"] }
|
||||
serde_json = "1.0.108"
|
||||
serde_pack = { version = "1.1.2", package = "rmp-serde" }
|
||||
surrealdb = { path = "lib", features = [
|
||||
"protocol-http",
|
||||
"protocol-ws",
|
||||
"rustls",
|
||||
surrealdb = { version = "1", path = "lib", features = [
|
||||
"protocol-http",
|
||||
"protocol-ws",
|
||||
"rustls",
|
||||
] }
|
||||
surrealml-core = { version = "0.0.7", optional = true }
|
||||
tempfile = "3.8.1"
|
||||
|
@ -83,17 +83,17 @@ tokio = { version = "1.34.0", features = ["macros", "signal"] }
|
|||
tokio-util = { version = "0.7.10", features = ["io"] }
|
||||
tower = "0.4.13"
|
||||
tower-http = { version = "0.4.4", features = [
|
||||
"trace",
|
||||
"sensitive-headers",
|
||||
"auth",
|
||||
"request-id",
|
||||
"util",
|
||||
"catch-panic",
|
||||
"cors",
|
||||
"set-header",
|
||||
"limit",
|
||||
"add-extension",
|
||||
"compression-full",
|
||||
"trace",
|
||||
"sensitive-headers",
|
||||
"auth",
|
||||
"request-id",
|
||||
"util",
|
||||
"catch-panic",
|
||||
"cors",
|
||||
"set-header",
|
||||
"limit",
|
||||
"add-extension",
|
||||
"compression-full",
|
||||
] }
|
||||
tracing = "0.1"
|
||||
tracing-opentelemetry = "0.19.0"
|
||||
|
@ -117,10 +117,10 @@ jemallocator = "0.5.4"
|
|||
assert_fs = "1.0.13"
|
||||
env_logger = "0.10.1"
|
||||
opentelemetry-proto = { version = "0.2.0", features = [
|
||||
"gen-tonic",
|
||||
"traces",
|
||||
"metrics",
|
||||
"logs",
|
||||
"gen-tonic",
|
||||
"traces",
|
||||
"metrics",
|
||||
"logs",
|
||||
] }
|
||||
rcgen = "0.11.3"
|
||||
serial_test = "2.0.0"
|
||||
|
@ -144,16 +144,16 @@ depends = "$auto"
|
|||
section = "utility"
|
||||
priority = "optional"
|
||||
assets = [
|
||||
[
|
||||
"target/release/surreal",
|
||||
"usr/share/surrealdb/surreal",
|
||||
"755",
|
||||
],
|
||||
[
|
||||
"pkg/deb/README",
|
||||
"usr/share/surrealdb/README",
|
||||
"644",
|
||||
],
|
||||
[
|
||||
"target/release/surreal",
|
||||
"usr/share/surrealdb/surreal",
|
||||
"755",
|
||||
],
|
||||
[
|
||||
"pkg/deb/README",
|
||||
"usr/share/surrealdb/README",
|
||||
"644",
|
||||
],
|
||||
]
|
||||
extended-description = "A scalable, distributed, collaborative, document-graph database, for the realtime web."
|
||||
license-file = ["LICENSE", "4"]
|
||||
|
|
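Review bot: The line `surrealdb = { version = "1", path = "lib", features = [` adds a version requirement to a path dependency without saying why, and a reader will likely assume it is a publishing concern. Presumably it is there because cargo-deny's `wildcards = "deny"` lint treats a path dependency with no version as a `*` requirement; if so, a comment such as `# keep version next to path: without it cargo-deny's wildcards lint reports this dependency as "*"` would stop the next maintainer from dropping it. Note that Cargo checks the path crate against this requirement, so a major bump of the `lib` crate now has to be mirrored here. The other hunks in this file only re-indent feature and asset arrays.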
|
@ -54,7 +54,8 @@ possible workarounds.
|
|||
Vulnerabilities in third-party dependencies may only be independently published by SurrealDB when they affect a
|
||||
SurrealDB binary or platform. In those cases, the original CVE identifier will be referenced. Vulnerabilities affecting
|
||||
SurrealDB libraries will not be published again by SurrealDB when an advisory already exists for the original dependency
|
||||
as security tooling (e.g. `cargo audit` or Dependabot) will already be able to track it up the dependency tree.
|
||||
as security tooling (e.g. `cargo audit`, or `cargo deny check` or Dependabot) will already be able to track it up the
|
||||
dependency tree.
|
||||
|
||||
## Security Updates
|
||||
|
||||
|
@ -79,7 +80,7 @@ changes will only be included in major and minor releases; never in patch releas
|
|||
### Dependencies
|
||||
|
||||
Dependencies used by SurrealDB are [checked for known vulnerabilities in
|
||||
CI](https://github.com/surrealdb/surrealdb/pull/3123) using `cargo audit`. Developers are required to either update,
|
||||
CI](https://github.com/surrealdb/surrealdb/pull/3386) using `cargo deny check`. Developers are required to either update,
|
||||
replace or acknowledge vulnerable dependencies found during the approval process of every pull request. Additionally,
|
||||
SurrealDB makes use of Github's [Dependabot
|
||||
alerts](https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts) to continuously
|
||||
|
|
144
deny.toml
Normal file
144
deny.toml
Normal file
|
@ -0,0 +1,144 @@
|
|||
# See all available configuration options at:
|
||||
# https://embarkstudios.github.io/cargo-deny/index.html
|
||||
|
||||
# --------------------------------------------------
|
||||
# General
|
||||
# --------------------------------------------------
|
||||
|
||||
# If true, metadata will be collected with `--all-features`
|
||||
all-features = true
|
||||
# If true, metadata will be collected with `--no-default-features`
|
||||
no-default-features = true
|
||||
|
||||
# --------------------------------------------------
|
||||
# BANS
|
||||
# --------------------------------------------------
|
||||
|
||||
[bans]
|
||||
# The graph highlighting used when creating dotgraphs for crates.
|
||||
highlight = "all"
|
||||
# The lint level for when a crate version requirement is set to `*`.
|
||||
wildcards = "deny"
|
||||
# Lint level for when multiple versions of the same crate are detected.
|
||||
multiple-versions = "allow"
|
||||
# The default lint level for `default` features for workspace crates.
|
||||
workspace-default-features = "allow"
|
||||
# The default lint level for `default` features for external crates.
|
||||
external-default-features = "allow"
|
||||
|
||||
# --------------------------------------------------
|
||||
# SOURCES
|
||||
# --------------------------------------------------
|
||||
|
||||
[sources]
|
||||
# What to do when encountering a repository from a host not in the allow list.
|
||||
unknown-git = "deny"
|
||||
# What to do when encountering a crate from a registry not in the allow list.
|
||||
unknown-registry = "deny"
|
||||
# List of URLs for allowed crate registries. Defaults to the crates.io index
|
||||
# if not specified. If it is specified but empty, no registries are allowed.
|
||||
allow-registry = ["https://github.com/rust-lang/crates.io-index"]
|
||||
# List of URLs for allowed Git repositories
|
||||
allow-git = []
|
||||
|
||||
# --------------------------------------------------
|
||||
# ADVISORIES
|
||||
# --------------------------------------------------
|
||||
|
||||
[advisories]
|
||||
# The url(s) of the advisory databases to use.
|
||||
db-urls = ["https://github.com/rustsec/advisory-db"]
|
||||
# The path where the advisory database is cloned/fetched into.
|
||||
db-path = "~/.cargo/advisory-db"
|
||||
# The lint level for security vulnerabilities.
|
||||
vulnerability = "deny"
|
||||
# The lint level for crates which are unmaintained.
|
||||
unmaintained = "warn"
|
||||
# The lint level for crates that have been yanked.
|
||||
yanked = "warn"
|
||||
# The lint level for crates with security notices.
|
||||
notice = "warn"
|
||||
# Threshold for security vulnerabilities: None, Low, Medium, High, Critical.
|
||||
severity-threshold = "None"
|
||||
# A list of security advisory identifiers to ignore.
|
||||
ignore = [
|
||||
# Will be resolved once "surrealdb-jsonwebtoken", a temporary fork
|
||||
# of "jsonwebtoken", is replaced by the upstream version which no
|
||||
# longer uses the affected "rsa" crate.
|
||||
"RUSTSEC-2023-0071",
|
||||
]
|
||||
|
||||
# --------------------------------------------------
|
||||
# LICENSES
|
||||
# --------------------------------------------------
|
||||
|
||||
[licenses]
|
||||
# Deny licenses which are not listed here explicitly.
|
||||
default = "deny"
|
||||
# Lint level for licenses which are considered copyleft.
|
||||
copyleft = "warn"
|
||||
# Deny source code which does not have a license specified.
|
||||
unlicensed = "deny"
|
||||
# List of explicitly allowed licenses from https://spdx.org/licenses
|
||||
allow = [
|
||||
"MIT",
|
||||
"ISC",
|
||||
"Zlib",
|
||||
"BSL-1.0",
|
||||
"CC0-1.0",
|
||||
"MPL-2.0",
|
||||
"Apache-2.0",
|
||||
"BSD-3-Clause",
|
||||
"Unlicense",
|
||||
]
|
||||
# The confidence threshold for detecting a license from license text.
|
||||
confidence-threshold = 0.95
|
||||
|
||||
# Allow specific licenses on a per-crate basis, instead of globally.
|
||||
|
||||
[[licenses.exceptions]]
|
||||
name = "ring"
|
||||
version = "*"
|
||||
allow = ["OpenSSL"]
|
||||
|
||||
[[licenses.exceptions]]
|
||||
name = "surreal"
|
||||
version = "*"
|
||||
allow = ["BUSL-1.1"]
|
||||
|
||||
[[licenses.exceptions]]
|
||||
name = "surrealdb"
|
||||
version = "*"
|
||||
allow = ["BUSL-1.1"]
|
||||
|
||||
[[licenses.exceptions]]
|
||||
name = "surrealml-core"
|
||||
version = "*"
|
||||
allow = ["Apache-2.0"]
|
||||
|
||||
[[licenses.exceptions]]
|
||||
name = "unicode-ident"
|
||||
version = "*"
|
||||
allow = ["Unicode-DFS-2016"]
|
||||
|
||||
# Specify overrides for crates where licenses are hard to guess.
|
||||
|
||||
[[licenses.clarify]]
|
||||
name = "surreal"
|
||||
expression = "BUSL-1.1"
|
||||
license-files = []
|
||||
|
||||
[[licenses.clarify]]
|
||||
name = "surrealdb"
|
||||
expression = "BUSL-1.1"
|
||||
license-files = []
|
||||
|
||||
[[licenses.clarify]]
|
||||
name = "surrealml-core"
|
||||
expression = "Apache-2.0"
|
||||
license-files = []
|
||||
|
||||
[[licenses.clarify]]
|
||||
name = "ring"
|
||||
expression = "MIT AND ISC AND OpenSSL"
|
||||
license-files = [{ path = "LICENSE", hash = 0xbd0eed23 }]
|