topaLE
/
vaultwarden
mirror of https://github.com/dani-garcia/vaultwarden
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

docs(audit): add license triage summary and update PR body

pull/6727/head
kalvinparker 2 months ago
parent
15153e8505
commit
0b3872d474
2 changed files with 67 additions and 9 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 37
      .github/PR_BODY_UPDATE-2.md
  2. 39
      issues/LICENSE-TRIAGE-SUMMARY-2025-11-12.md

37
.github/PR_BODY_UPDATE-2.md
View File

@ -1,11 +1,30 @@
Temporary license allowlist: MPL-2.0 and CDLA-Permissive-2.0 were added to deny.toml on branch experiment/webauthn-upgrade to unblock CI while coordinated upgrades/replacements are attempted. This is timeboxed and tracked in issues/FEASIBILITY-WEBAUTHN-WEBPKI.md and issues/TRACK-2025-11-09-RSA-PASTE.md. See the experiment artifacts in docker/audit/output/.
## Tasks
- [ ] Owner: Security lead — confirm timebox and approve temporary allowlist (by 2025-11-17)
- [ ] Owner: Maintainer — attempt `webauthn-rs` upgrade or replacement; report feasibility (see issues/FEASIBILITY-WEBAUTHN-WEBPKI.md)
- [ ] Owner: Maintainer — coordinate `reqwest`/`hyper-rustls`/`openidconnect` upgrades to remove `webpki-roots` (see docker/audit/output/* and reqwest/webpki trees)
- [ ] Owner: Maintainer — verify cargo-deny clean runs on CI after each change
- [ ] Owner: Maintainer — remove temporary allowlist and update deny.toml when all issues resolved
## Triage summary
See issues/LICENSE-TRIAGE-2025-11-10.md for a short summary of the top offenders and remediation options.
## Pre-merge task checklist
These tasks must be completed, reviewed, and verified before this PR is merged. Owners are suggested; assign specific maintainers or security approvers as appropriate.
- [ ] Security lead — confirm and sign off the timebox for the temporary allowlist (target approval date: 2025-11-17). This PR should not be merged without that sign-off.
- [ ] Maintainer — run `cargo tree -i rsa` and `cargo tree -i paste`, paste the reverse-dependency outputs in a follow-up comment, and confirm proposed remediation path for each.
- [ ] Maintainer — attempt `webauthn-rs` remediation (preferred order):
- [ ] Upgrade `webauthn-rs` to a permissively licensed release if available and verify builds/tests.
- [ ] If no upgrade available, evaluate replacing `webauthn-rs` with another WebAuthn implementation or vendor a minimal shim; document chosen approach.
- [ ] Add tests covering affected auth flows and run CI.
- [ ] Maintainer — coordinate TLS/HTTP stack remediation to remove `webpki-roots` (CDLA-Permissive-2.0):
- [ ] Test toggling `reqwest` features to prefer `native-tls` in an isolated workspace copy and publish the artifact logs.
- [ ] Upgrade `hyper-rustls`/`reqwest`/`openidconnect` as needed to versions that don't bring `webpki-roots`, or change TLS backend.
- [ ] Verify `cargo-deny` runs clean locally and on CI after each incremental change.
- [ ] Maintainer — provide a short summary comment with before/after `cargo-deny` outputs and link to `docker/audit/output/` artifacts.
- [ ] Maintainer — remove the temporary allowlist entries from `deny.toml` and verify CI shows zero license failures.
- [ ] Maintainer — remove the temporary `advisories.ignore` entries (RUSTSEC ignores) from `deny.toml` and verify CI shows zero advisories and license failures before any final merge.
## Short triage summary (top offenders)
See `issues/LICENSE-TRIAGE-2025-11-10.md` and `docker/audit/output/license_triage_2025-11-09.csv` for full details. Top offenders:
- webauthn-rs family (MPL-2.0): `webauthn-rs v0.5.3` (direct dep), `webauthn-rs-core v0.5.3`, `webauthn-rs-proto v0.5.3`, `webauthn-attestation-ca v0.5.3`, `base64urlsafedata v0.5.3` — remediation: upgrade/replace/vendor.
- webpki-roots (CDLA-Permissive-2.0): `webpki-roots v1.0.3` pulled transitively via `hyper-rustls -> reqwest -> openidconnect` — remediation: coordinated `reqwest`/TLS backend upgrade or feature change.
Artifacts and logs: `docker/audit/output/` contains the `cargo-deny` diagnostics, reverse-dependency trees and experiment logs used to evaluate remediation paths.
See also: `issues/LICENSE-TRIAGE-SUMMARY-2025-11-12.md` for the condensed top-offender analysis and recommended next steps.
Once all tasks above are complete and CI is green with `cargo-deny` passing, this PR may be merged and the temporary allowlist removed.

39
issues/LICENSE-TRIAGE-SUMMARY-2025-11-12.md
View File

@ -0,0 +1,39 @@
# License triage summary — 2025-11-12
This short summary aggregates the highest-impact license failures reported by the audit tooling and gives a quick feasibility recommendation for policy and remediation.
Source
------
- Generated from `docker/audit/output/license_triage_2025-11-09.csv` and follow-up experiment artifacts in `docker/audit/output/`.
Top offenders
-------------
1. webauthn-rs family — MPL-2.0 (direct)
- Crates: `webauthn-rs v0.5.3`, `webauthn-rs-core v0.5.3`, `webauthn-rs-proto v0.5.3`, `webauthn-attestation-ca v0.5.3`, `base64urlsafedata v0.5.3`
- Path: direct dependency from `vaultwarden` to `webauthn-rs`.
- Impact: high (direct dependency). Remediation: upgrade to permissive version, replace crate, or vendor functionality.
2. webpki-roots — CDLA-Permissive-2.0 (transitive)
- Crate: `webpki-roots v1.0.3` via `hyper-rustls -> reqwest -> openidconnect`.
- Impact: medium. Remediation: prefer `native-tls` or upgrade TLS/reqwest stack to versions that avoid `webpki-roots`.
3. ar_archive_writer — Apache-2.0 WITH LLVM-exception (transitive)
- Crate: `ar_archive_writer v0.2.0` via `lettre -> psm -> stacker -> chumsky`.
- Impact: small (single remaining blocking error after experiments). Remediation: bump `lettre`/`psm` versions (experiment shows this removes the error) or timebox an allowlist entry while a bump PR is prepared.
Feasibility and immediate policy guidance
---------------------------------------
- The webauthn-rs cluster requires direct attention (upgrade/replace); temporarily allowing MPL-2.0 is defensible but should be strictly timeboxed and tracked.
- The webpki-roots issue looks solvable by TLS/reqwest feature/upgrade changes; continue the experiment work and prefer coordinated upgrades rather than allowing CDLA-Permissive-2.0 permanently.
- The ar_archive_writer issue is directly addressable via a `lettre`/`psm` bump. Experiments in a workspace copy removed the error, so preparing a minimal bump PR is recommended.
Actionable next steps
---------------------
1. Prepare a minimal PR to bump `lettre` and/or `psm` to the versions validated by the experiment and run CI with cargo-deny.
2. Continue webauthn-rs remediation plan (upgrade/replace/vendor) as the top priority.
3. Keep MPL-2.0 and CDLA-Permissive-2.0 as temporary allowlist entries while the above are addressed; remove them as soon as remediation is merged.
Artifacts
---------
- `docker/audit/output/license_triage_2025-11-09.csv`
- Experiment outputs: `docker/audit/output/deny_let_update.*`, `deny_reqwest_native.*`, `deny_licenses.*`
Write Preview
Loading…
Cancel
Save