Browse Source
Covers advisories (RustSec), license compliance, duplicate detection, and source allowlist (crates.io only). License allowlist reflects the full transitive dep tree: MIT, Apache-2.0, ISC, BSD-*, 0BSD, Unlicense, Zlib, BSL-1.0, MPL-2.0, Unicode-3.0, LGPL-2.1-or-later (r-efi, Windows-only), CDLA-Permissive-2.0 (webpki-roots). Three known advisories are ignored: - RUSTSEC-2023-0071: rsa Marvin Attack, no upstream fix available - RUSTSEC-2025-0134: rustls-pemfile unmaintained, blocked on rustls upgrade - RUSTSEC-2026-0049: rustls-webpki CRL bug, fix blocked by rustls 0.21.x chain Duplicate versions are warned rather than denied — all are transitive.pull/6992/head
TriplEight
2 weeks ago
1 changed files with 75 additions and 0 deletions
@ -0,0 +1,75 @@ |
|||
# https://embarkstudios.github.io/cargo-deny/ |
|||
|
|||
[graph] |
|||
# Check the full feature set used by CI so all optional dependencies are included. |
|||
features = ["sqlite", "mysql", "postgresql", "enable_mimalloc", "s3"] |
|||
|
|||
# ============================================================================= |
|||
# Advisories — RustSec vulnerability and unmaintained crate database |
|||
# ============================================================================= |
|||
[advisories] |
|||
ignore = [ |
|||
# Marvin Attack: timing side-channel in the `rsa` crate (no fix available). |
|||
# Used only for JWT RS256 signing, not for network-facing RSA decryption, |
|||
# which limits exposure. Track: https://rustsec.org/advisories/RUSTSEC-2023-0071 |
|||
{ id = "RUSTSEC-2023-0071", reason = "No upstream fix available; exposure is limited to JWT signing, not network-facing decryption." }, |
|||
|
|||
# `rustls-pemfile` v1.x is unmaintained (archived Aug 2025). It is a thin |
|||
# wrapper around rustls-pki-types and pulled in transitively via rustls 0.21.x. |
|||
# Removing it requires upstream crates to drop their rustls 0.21 dependency. |
|||
{ id = "RUSTSEC-2025-0134", reason = "Transitive via rustls 0.21.x compat chain; blocked on upstream upgrade." }, |
|||
|
|||
# CRL validation bug in rustls-webpki: fix requires >=0.103.10, but rustls-webpki |
|||
# 0.101.x is pinned by the rustls 0.21.x compatibility stack. |
|||
# Track upstream rustls upgrade to resolve both occurrences. |
|||
{ id = "RUSTSEC-2026-0049", reason = "rustls-webpki 0.101.x locked by rustls 0.21.x compat chain; track upstream rustls upgrade." }, |
|||
] |
|||
|
|||
# ============================================================================= |
|||
# Licenses |
|||
# ============================================================================= |
|||
[licenses] |
|||
# OSI-approved permissive licenses and weak copyleft licenses compatible with |
|||
# distributing vaultwarden (AGPL-3.0-only) as a Docker image. |
|||
allow = [ |
|||
"0BSD", |
|||
"Apache-2.0", |
|||
"Apache-2.0 WITH LLVM-exception", |
|||
"BSD-1-Clause", |
|||
"BSD-2-Clause", |
|||
"BSD-3-Clause", |
|||
"BSL-1.0", # Boost Software License (ryu) |
|||
"CDLA-Permissive-2.0", # Community Data License Agreement (webpki-roots) |
|||
"ISC", |
|||
"LGPL-2.1-or-later", # r-efi (Windows-only UEFI crate; dynamically linked) |
|||
"MIT", |
|||
"MPL-2.0", # webauthn-rs crates (file-level copyleft, compatible) |
|||
"Unicode-3.0", |
|||
"Unlicense", |
|||
"Zlib", |
|||
] |
|||
|
|||
[licenses.private] |
|||
# Skip license checks for unpublished workspace crates (vaultwarden, macros). |
|||
ignore = true |
|||
|
|||
# ============================================================================= |
|||
# Bans — duplicate versions and disallowed crates |
|||
# ============================================================================= |
|||
[bans] |
|||
# Warn on duplicate versions; many arise from transitive deps and require |
|||
# upstream changes to resolve. Promote to "deny" once the dep tree stabilises. |
|||
multiple-versions = "warn" |
|||
# Warn on wildcard version requirements. "deny" would also flag internal |
|||
# workspace path dependencies (macros = { path = "./macros" }), which have |
|||
# no version specifier by design, so "warn" is used instead. |
|||
wildcards = "warn" |
|||
highlight = "all" |
|||
|
|||
# ============================================================================= |
|||
# Sources — only crates.io is an allowed registry |
|||
# ============================================================================= |
|||
[sources] |
|||
unknown-registry = "deny" |
|||
unknown-git = "deny" |
|||
allow-registry = ["https://github.com/rust-lang/crates.io-index"] |
|||
Loading…
Reference in new issue