diff --git a/.github/PR_BODY_UPDATE-2.md b/.github/PR_BODY_UPDATE-2.md index 96729c97..3b66a4e2 100644 --- a/.github/PR_BODY_UPDATE-2.md +++ b/.github/PR_BODY_UPDATE-2.md @@ -1,11 +1,30 @@ Temporary license allowlist: MPL-2.0 and CDLA-Permissive-2.0 were added to deny.toml on branch experiment/webauthn-upgrade to unblock CI while coordinated upgrades/replacements are attempted. This is timeboxed and tracked in issues/FEASIBILITY-WEBAUTHN-WEBPKI.md and issues/TRACK-2025-11-09-RSA-PASTE.md. See the experiment artifacts in docker/audit/output/. -## Tasks -- [ ] Owner: Security lead — confirm timebox and approve temporary allowlist (by 2025-11-17) -- [ ] Owner: Maintainer — attempt `webauthn-rs` upgrade or replacement; report feasibility (see issues/FEASIBILITY-WEBAUTHN-WEBPKI.md) -- [ ] Owner: Maintainer — coordinate `reqwest`/`hyper-rustls`/`openidconnect` upgrades to remove `webpki-roots` (see docker/audit/output/* and reqwest/webpki trees) -- [ ] Owner: Maintainer — verify cargo-deny clean runs on CI after each change -- [ ] Owner: Maintainer — remove temporary allowlist and update deny.toml when all issues resolved - -## Triage summary -See issues/LICENSE-TRIAGE-2025-11-10.md for a short summary of the top offenders and remediation options. +## Pre-merge task checklist +These tasks must be completed, reviewed, and verified before this PR is merged. Owners are suggested; assign specific maintainers or security approvers as appropriate. + +- [ ] Security lead — confirm and sign off the timebox for the temporary allowlist (target approval date: 2025-11-17). This PR should not be merged without that sign-off. +- [ ] Maintainer — run `cargo tree -i rsa` and `cargo tree -i paste`, paste the reverse-dependency outputs in a follow-up comment, and confirm proposed remediation path for each. +- [ ] Maintainer — attempt `webauthn-rs` remediation (preferred order): + - [ ] Upgrade `webauthn-rs` to a permissively licensed release if available and verify builds/tests. + - [ ] If no upgrade available, evaluate replacing `webauthn-rs` with another WebAuthn implementation or vendor a minimal shim; document chosen approach. + - [ ] Add tests covering affected auth flows and run CI. +- [ ] Maintainer — coordinate TLS/HTTP stack remediation to remove `webpki-roots` (CDLA-Permissive-2.0): + - [ ] Test toggling `reqwest` features to prefer `native-tls` in an isolated workspace copy and publish the artifact logs. + - [ ] Upgrade `hyper-rustls`/`reqwest`/`openidconnect` as needed to versions that don't bring `webpki-roots`, or change TLS backend. + - [ ] Verify `cargo-deny` runs clean locally and on CI after each incremental change. +- [ ] Maintainer — provide a short summary comment with before/after `cargo-deny` outputs and link to `docker/audit/output/` artifacts. +- [ ] Maintainer — remove the temporary allowlist entries from `deny.toml` and verify CI shows zero license failures. +- [ ] Maintainer — remove the temporary `advisories.ignore` entries (RUSTSEC ignores) from `deny.toml` and verify CI shows zero advisories and license failures before any final merge. + +## Short triage summary (top offenders) +See `issues/LICENSE-TRIAGE-2025-11-10.md` and `docker/audit/output/license_triage_2025-11-09.csv` for full details. Top offenders: + +- webauthn-rs family (MPL-2.0): `webauthn-rs v0.5.3` (direct dep), `webauthn-rs-core v0.5.3`, `webauthn-rs-proto v0.5.3`, `webauthn-attestation-ca v0.5.3`, `base64urlsafedata v0.5.3` — remediation: upgrade/replace/vendor. +- webpki-roots (CDLA-Permissive-2.0): `webpki-roots v1.0.3` pulled transitively via `hyper-rustls -> reqwest -> openidconnect` — remediation: coordinated `reqwest`/TLS backend upgrade or feature change. + +Artifacts and logs: `docker/audit/output/` contains the `cargo-deny` diagnostics, reverse-dependency trees and experiment logs used to evaluate remediation paths. + +See also: `issues/LICENSE-TRIAGE-SUMMARY-2025-11-12.md` for the condensed top-offender analysis and recommended next steps. + +Once all tasks above are complete and CI is green with `cargo-deny` passing, this PR may be merged and the temporary allowlist removed. diff --git a/issues/LICENSE-TRIAGE-SUMMARY-2025-11-12.md b/issues/LICENSE-TRIAGE-SUMMARY-2025-11-12.md new file mode 100644 index 00000000..6a378d14 --- /dev/null +++ b/issues/LICENSE-TRIAGE-SUMMARY-2025-11-12.md @@ -0,0 +1,39 @@ +# License triage summary — 2025-11-12 + +This short summary aggregates the highest-impact license failures reported by the audit tooling and gives a quick feasibility recommendation for policy and remediation. + +Source +------ +- Generated from `docker/audit/output/license_triage_2025-11-09.csv` and follow-up experiment artifacts in `docker/audit/output/`. + +Top offenders +------------- +1. webauthn-rs family — MPL-2.0 (direct) + - Crates: `webauthn-rs v0.5.3`, `webauthn-rs-core v0.5.3`, `webauthn-rs-proto v0.5.3`, `webauthn-attestation-ca v0.5.3`, `base64urlsafedata v0.5.3` + - Path: direct dependency from `vaultwarden` to `webauthn-rs`. + - Impact: high (direct dependency). Remediation: upgrade to permissive version, replace crate, or vendor functionality. + +2. webpki-roots — CDLA-Permissive-2.0 (transitive) + - Crate: `webpki-roots v1.0.3` via `hyper-rustls -> reqwest -> openidconnect`. + - Impact: medium. Remediation: prefer `native-tls` or upgrade TLS/reqwest stack to versions that avoid `webpki-roots`. + +3. ar_archive_writer — Apache-2.0 WITH LLVM-exception (transitive) + - Crate: `ar_archive_writer v0.2.0` via `lettre -> psm -> stacker -> chumsky`. + - Impact: small (single remaining blocking error after experiments). Remediation: bump `lettre`/`psm` versions (experiment shows this removes the error) or timebox an allowlist entry while a bump PR is prepared. + +Feasibility and immediate policy guidance +--------------------------------------- +- The webauthn-rs cluster requires direct attention (upgrade/replace); temporarily allowing MPL-2.0 is defensible but should be strictly timeboxed and tracked. +- The webpki-roots issue looks solvable by TLS/reqwest feature/upgrade changes; continue the experiment work and prefer coordinated upgrades rather than allowing CDLA-Permissive-2.0 permanently. +- The ar_archive_writer issue is directly addressable via a `lettre`/`psm` bump. Experiments in a workspace copy removed the error, so preparing a minimal bump PR is recommended. + +Actionable next steps +--------------------- +1. Prepare a minimal PR to bump `lettre` and/or `psm` to the versions validated by the experiment and run CI with cargo-deny. +2. Continue webauthn-rs remediation plan (upgrade/replace/vendor) as the top priority. +3. Keep MPL-2.0 and CDLA-Permissive-2.0 as temporary allowlist entries while the above are addressed; remove them as soon as remediation is merged. + +Artifacts +--------- +- `docker/audit/output/license_triage_2025-11-09.csv` +- Experiment outputs: `docker/audit/output/deny_let_update.*`, `deny_reqwest_native.*`, `deny_licenses.*`