kalvinparker
3 months ago
3 changed files with 98 additions and 0 deletions
@ -0,0 +1,37 @@ |
|||||
|
name: dependency-audit |
||||
|
|
||||
|
on: |
||||
|
push: |
||||
|
branches: [ main ] |
||||
|
pull_request: |
||||
|
branches: [ main ] |
||||
|
|
||||
|
jobs: |
||||
|
audit: |
||||
|
name: Cargo Audit & License Checks |
||||
|
runs-on: ubuntu-latest |
||||
|
steps: |
||||
|
- name: Checkout |
||||
|
uses: actions/checkout@v4 |
||||
|
|
||||
|
- name: Install Rust toolchain |
||||
|
uses: dtolnay/rust-toolchain@v1 |
||||
|
with: |
||||
|
toolchain: 1.91.0 |
||||
|
|
||||
|
- name: Install cargo-audit and cargo-deny |
||||
|
run: | |
||||
|
cargo install cargo-audit --version 0.22.0 || true |
||||
|
cargo install cargo-deny --version 0.11.0 || true |
||||
|
|
||||
|
- name: Run cargo-audit |
||||
|
run: | |
||||
|
cargo audit || true |
||||
|
|
||||
|
- name: Run cargo-deny advisories |
||||
|
run: | |
||||
|
cargo deny --manifest-path Cargo.toml check advisories || true |
||||
|
|
||||
|
- name: Run cargo-deny licenses |
||||
|
run: | |
||||
|
cargo deny --manifest-path Cargo.toml check licenses || true |
||||
@ -0,0 +1,46 @@ |
|||||
|
# Local Dependency Audit — 2025-11-09 |
||||
|
|
||||
|
Summary |
||||
|
------- |
||||
|
|
||||
|
This repository was audited locally using the Docker-based audit tooling in `docker/audit`. The audit ran `cargo-audit` and `cargo-deny` and produced the following notable findings: |
||||
|
|
||||
|
- RUSTSEC-2023-0071 (rsa 0.9.8) — a timing side-channel vulnerability ("Marvin Attack") affecting the `rsa` crate. No safe upgrade was available at the time of the audit; the crate is transitive (via `openidconnect`). |
||||
|
- RUSTSEC-2024-0436 (paste 1.0.15) — crate marked as unmaintained (transitive via `rmp`/`rmpv`). |
||||
|
- License checks reported numerous rejections (many transitive crates), see `docker/audit/output/cargo-deny-licenses.err` for full diagnostics. |
||||
|
|
||||
|
Artifacts |
||||
|
--------- |
||||
|
|
||||
|
The raw audit captures are available in `docker/audit/output/` in this working copy (they were copied from the audit container): |
||||
|
|
||||
|
- `cargo-version.txt` — cargo version captured from the audit container |
||||
|
- `cargo-audit.err` — cargo-audit stderr (contains CLI errors/diagnostics or JSON when supported) |
||||
|
- `cargo-deny-advisories.err` — cargo-deny advisories diagnostics (JSON preferred) |
||||
|
- `cargo-deny-licenses.err` — cargo-deny license diagnostics (large) |
||||
|
|
||||
|
Recommended next steps |
||||
|
---------------------- |
||||
|
|
||||
|
1. Triage RUSTSEC-2023-0071 (rsa) |
||||
|
- Use `cargo tree -i rsa` to confirm the top-level crate(s) that bring in `rsa` (expected: `openidconnect`). |
||||
|
- Try upgrading `openidconnect` to a newer version that does not bring `rsa`, or replace the OIDC/JWT dependency with an alternative that uses a constant-time crypto implementation (e.g., ring/openssl-backed option). |
||||
|
- If the dependency cannot be removed immediately, document the exception and create a tracking issue to replace the transitive dependency. |
||||
|
|
||||
|
2. Triage `paste` unmaintained advisory |
||||
|
- Identify the top-level dependency chain and attempt to upgrade or replace the dependency (rmp/rmpv) or migrate to a maintained fork. |
||||
|
|
||||
|
3. License policy |
||||
|
- Review `deny.toml` added to the repository as a starting policy. Adjust `licenses.allowed` to match project licensing policy. |
||||
|
- For crates that are necessary but have unapproved licenses, add specific exceptions with justification and target remediation dates. |
||||
|
|
||||
|
4. CI integration |
||||
|
- The PR adds a GitHub Actions workflow `.github/workflows/audit.yml` which runs `cargo-audit` and `cargo-deny`. Tweak versions and failure behavior to match your release policy (block PRs or open warnings). |
||||
|
|
||||
|
5. Follow-up work |
||||
|
- If replacements require code changes (e.g., replacing OIDC crate), create small follow-up PRs with unit tests and integration tests for auth flows. |
||||
|
|
||||
|
Contact / Tracking |
||||
|
------------------ |
||||
|
|
||||
|
Open a follow-up issue for each remediation item (e.g., "Replace transitive rsa usage" and "Replace unmaintained paste dependency"). Link those issues from this note and the PR. |
||||
@ -0,0 +1,15 @@ |
|||||
|
[tool.cargo-deny] |
||||
|
# Minimal cargo-deny configuration to start explicit license and advisory checks. |
||||
|
|
||||
|
[advisories] |
||||
|
# Use the default advisory database (rustsec) |
||||
|
ignore = [] |
||||
|
|
||||
|
[licenses] |
||||
|
# Start with an allowlist of licenses acceptable for this project. Adjust as policy. |
||||
|
allowed = ["AGPL-3.0-only", "MIT", "Apache-2.0", "BSD-3-Clause"] |
||||
|
replace = [] |
||||
|
|
||||
|
[licenses.exceptions] |
||||
|
# Temporary exceptions: list crate names and a short rationale |
||||
|
# example: "some-crate" = "Temporary exception while replacement is planned (issue #NNN)" |
||||
Loading…
Reference in new issue