Add configuration and checks for cargo deny (#3386)

Tobie Morgan Hitchcock 2024-01-23 10:03:25 +00:00 committed by GitHub
parent 7f39754ec2
commit 8f62a5cf06
5 changed files with 187 additions and 49 deletions


@ -1,7 +0,0 @@
[advisories]
ignore = [
# Will be resolved once "surrealdb-jsonwebtoken", a temporary fork
# of "jsonwebtoken", is replaced by the upstream version which no
# longer uses the affected "rsa" crate.
"RUSTSEC-2023-0071"
]


@ -93,11 +93,11 @@ jobs:
- name: Checkout sources
uses: actions/checkout@v4
- name: Install cargo-audit
run: cargo install --debug --locked cargo-audit
- name: Install cargo-deny
run: cargo install --debug --locked cargo-deny
- name: Check dependencies
run: cargo audit
- name: Check dependencies
run: cargo deny check
check-wasm:
name: Check Wasm
@ -218,7 +218,7 @@ jobs:
- name: Run HTTP integration tests
run: cargo make ci-http-integration
ml-support:
name: ML integration tests
runs-on: ubuntu-latest
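Review bot: `run: cargo install --debug --locked cargo-deny` in the new install step fetches whichever cargo-deny release is current when the job runs, so the set of lints, their defaults and the advisory-db handling can change under the pipeline without any commit to this repository. Pinning the tool, `run: cargo install --debug --locked cargo-deny --version <PINNED_VERSION>`, keeps the check reproducible and makes tool upgrades a deliberate, reviewable change. The removed cargo-audit step had the same property, so this is a carry-over rather than a regression introduced here. The second hunk in this section shows no visible content change and the enclosing job definition continues outside both hunks.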


@ -44,10 +44,10 @@ base64 = "0.21.5"
bytes = "1.5.0"
ciborium = "0.2.1"
clap = { version = "4.4.11", features = [
"env",
"derive",
"wrap_help",
"unicode",
"env",
"derive",
"wrap_help",
"unicode",
] }
futures = "0.3.29"
futures-util = "0.3.29"
@ -63,18 +63,18 @@ opentelemetry-otlp = { version = "0.12.0", features = ["metrics"] }
pin-project-lite = "0.2.13"
rand = "0.8.5"
reqwest = { version = "0.11.22", default-features = false, features = [
"blocking",
"gzip",
"blocking",
"gzip",
] }
rmpv = "1.0.1"
rustyline = { version = "12.0.0", features = ["derive"] }
serde = { version = "1.0.193", features = ["derive"] }
serde_json = "1.0.108"
serde_pack = { version = "1.1.2", package = "rmp-serde" }
surrealdb = { path = "lib", features = [
"protocol-http",
"protocol-ws",
"rustls",
surrealdb = { version = "1", path = "lib", features = [
"protocol-http",
"protocol-ws",
"rustls",
] }
surrealml-core = { version = "0.0.7", optional = true }
tempfile = "3.8.1"
@ -83,17 +83,17 @@ tokio = { version = "1.34.0", features = ["macros", "signal"] }
tokio-util = { version = "0.7.10", features = ["io"] }
tower = "0.4.13"
tower-http = { version = "0.4.4", features = [
"trace",
"sensitive-headers",
"auth",
"request-id",
"util",
"catch-panic",
"cors",
"set-header",
"limit",
"add-extension",
"compression-full",
"trace",
"sensitive-headers",
"auth",
"request-id",
"util",
"catch-panic",
"cors",
"set-header",
"limit",
"add-extension",
"compression-full",
] }
tracing = "0.1"
tracing-opentelemetry = "0.19.0"
@ -117,10 +117,10 @@ jemallocator = "0.5.4"
assert_fs = "1.0.13"
env_logger = "0.10.1"
opentelemetry-proto = { version = "0.2.0", features = [
"gen-tonic",
"traces",
"metrics",
"logs",
"gen-tonic",
"traces",
"metrics",
"logs",
] }
rcgen = "0.11.3"
serial_test = "2.0.0"
@ -144,16 +144,16 @@ depends = "$auto"
section = "utility"
priority = "optional"
assets = [
[
"target/release/surreal",
"usr/share/surrealdb/surreal",
"755",
],
[
"pkg/deb/README",
"usr/share/surrealdb/README",
"644",
],
[
"target/release/surreal",
"usr/share/surrealdb/surreal",
"755",
],
[
"pkg/deb/README",
"usr/share/surrealdb/README",
"644",
],
]
extended-description = "A scalable, distributed, collaborative, document-graph database, for the realtime web."
license-file = ["LICENSE", "4"]
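Review bot: `surrealdb = { version = "1", path = "lib", features = [` now carries a version requirement next to the path, but nothing in the manifest explains why, and the requirement has to stay compatible with the version declared by the crate under `lib` or the path dependency stops resolving at the next major bump. I would put a comment above it: `# A version requirement alongside path is needed so the dependency is not treated as a wildcard; keep in sync with the version of the crate under lib/`. The motivation is inferred from the new deny.toml in this commit, which sets `wildcards = "deny"`, so adjust the wording if the reason differs. The remaining hunks in this section appear to be indentation-only changes.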


@ -54,7 +54,8 @@ possible workarounds.
Vulnerabilities in third-party dependencies may only be independently published by SurrealDB when they affect a
SurrealDB binary or platform. In those cases, the original CVE identifier will be referenced. Vulnerabilities affecting
SurrealDB libraries will not be published again by SurrealDB when an advisory already exists for the original dependency
as security tooling (e.g. `cargo audit` or Dependabot) will already be able to track it up the dependency tree.
as security tooling (e.g. `cargo audit`, or `cargo deny check` or Dependabot) will already be able to track it up the
dependency tree.
## Security Updates
@ -79,7 +80,7 @@ changes will only be included in major and minor releases; never in patch releas
### Dependencies
Dependencies used by SurrealDB are [checked for known vulnerabilities in
CI](https://github.com/surrealdb/surrealdb/pull/3123) using `cargo audit`. Developers are required to either update,
CI](https://github.com/surrealdb/surrealdb/pull/3386) using `cargo deny check`. Developers are required to either update,
replace or acknowledge vulnerable dependencies found during the approval process of every pull request. Additionally,
SurrealDB makes use of Github's [Dependabot
alerts](https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts) to continuously

144
deny.toml Normal file

@ -0,0 +1,144 @@
# See all available configuration options at:
# https://embarkstudios.github.io/cargo-deny/index.html
# --------------------------------------------------
# General
# --------------------------------------------------
# If true, metadata will be collected with `--all-features`
all-features = true
# If true, metadata will be collected with `--no-default-features`
no-default-features = true
# --------------------------------------------------
# BANS
# --------------------------------------------------
[bans]
# The graph highlighting used when creating dotgraphs for crates.
highlight = "all"
# The lint level for when a crate version requirement is set to `*`.
wildcards = "deny"
# Lint level for when multiple versions of the same crate are detected.
multiple-versions = "allow"
# The default lint level for `default` features for workspace crates.
workspace-default-features = "allow"
# The default lint level for `default` features for external crates.
external-default-features = "allow"
# --------------------------------------------------
# SOURCES
# --------------------------------------------------
[sources]
# What to do when encountering a repository from a host not in the allow list.
unknown-git = "deny"
# What to do when encountering a crate from a registry not in the allow list.
unknown-registry = "deny"
# List of URLs for allowed crate registries. Defaults to the crates.io index
# if not specified. If it is specified but empty, no registries are allowed.
allow-registry = ["https://github.com/rust-lang/crates.io-index"]
# List of URLs for allowed Git repositories
allow-git = []
# --------------------------------------------------
# ADVISORIES
# --------------------------------------------------
[advisories]
# The url(s) of the advisory databases to use.
db-urls = ["https://github.com/rustsec/advisory-db"]
# The path where the advisory database is cloned/fetched into.
db-path = "~/.cargo/advisory-db"
# The lint level for security vulnerabilities.
vulnerability = "deny"
# The lint level for crates which are unmaintained.
unmaintained = "warn"
# The lint level for crates that have been yanked.
yanked = "warn"
# The lint level for crates with security notices.
notice = "warn"
# Threshold for security vulnerabilities: None, Low, Medium, High, Critical.
severity-threshold = "None"
# A list of security advisory identifiers to ignore.
ignore = [
# Will be resolved once "surrealdb-jsonwebtoken", a temporary fork
# of "jsonwebtoken", is replaced by the upstream version which no
# longer uses the affected "rsa" crate.
"RUSTSEC-2023-0071",
]
# --------------------------------------------------
# LICENSES
# --------------------------------------------------
[licenses]
# Deny licenses which are not listed here explicitly.
default = "deny"
# Lint level for licenses which are considered copyleft.
copyleft = "warn"
# Deny source code which does not have a license specified.
unlicensed = "deny"
# List of explicitly allowed licenses from https://spdx.org/licenses
allow = [
"MIT",
"ISC",
"Zlib",
"BSL-1.0",
"CC0-1.0",
"MPL-2.0",
"Apache-2.0",
"BSD-3-Clause",
"Unlicense",
]
# The confidence threshold for detecting a license from license text.
confidence-threshold = 0.95
# Allow specific licenses on a per-crate basis, instead of globally.
[[licenses.exceptions]]
name = "ring"
version = "*"
allow = ["OpenSSL"]
[[licenses.exceptions]]
name = "surreal"
version = "*"
allow = ["BUSL-1.1"]
[[licenses.exceptions]]
name = "surrealdb"
version = "*"
allow = ["BUSL-1.1"]
[[licenses.exceptions]]
name = "surrealml-core"
version = "*"
allow = ["Apache-2.0"]
[[licenses.exceptions]]
name = "unicode-ident"
version = "*"
allow = ["Unicode-DFS-2016"]
# Specify overrides for crates where licenses are hard to guess.
[[licenses.clarify]]
name = "surreal"
expression = "BUSL-1.1"
license-files = []
[[licenses.clarify]]
name = "surrealdb"
expression = "BUSL-1.1"
license-files = []
[[licenses.clarify]]
name = "surrealml-core"
expression = "Apache-2.0"
license-files = []
[[licenses.clarify]]
name = "ring"
expression = "MIT AND ISC AND OpenSSL"
license-files = [{ path = "LICENSE", hash = 0xbd0eed23 }]
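Review bot: `all-features = true` and `no-default-features = true` at the top of the file pull in opposite directions: as far as I can tell, collecting metadata with `--all-features` already activates every feature including `default`, so the second setting has no effect and a reader may wrongly assume the default-feature-less dependency graph is also being linted. I would drop `no-default-features = true`, or, if both graphs are meant to be checked, run the check twice with different feature settings and say so in the comment. Separately, the `surrealml-core` entry under `[[licenses.exceptions]]` allowing `Apache-2.0` is redundant, since that license is already in the global `allow` list, and removing it keeps the exceptions list limited to genuine deviations. The `ignore` entry for `RUSTSEC-2023-0071` documents its resolution condition well; it is worth re-checking whenever the forked crate is replaced, since nothing here will fail once the condition is met.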