19 changed files with 449 additions and 10 deletions
@ -0,0 +1,19 @@ |
|||
FROM rust:1.91-bullseye |
|||
ENV DEBIAN_FRONTEND=noninteractive |
|||
|
|||
# Install OS deps needed for building some crates |
|||
RUN apt-get update && \ |
|||
apt-get install -y --no-install-recommends \ |
|||
pkg-config \ |
|||
libssl-dev \ |
|||
build-essential \ |
|||
ca-certificates \ |
|||
curl && \ |
|||
rm -rf /var/lib/apt/lists/* |
|||
|
|||
# Install cargo tools (compiled into the image so subsequent runs are fast) |
|||
RUN /usr/local/cargo/bin/cargo install cargo-audit cargo-deny |
|||
|
|||
WORKDIR /workspace |
|||
|
|||
CMD ["bash"] |
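Review bot: The `cargo install cargo-audit cargo-deny` step installs whatever versions crates.io serves at build time, with no version pin and no `--locked`, so the tooling that produces the security verdict is itself an unpinned supply-chain input and two builds of this image can audit with different advisory parsers and policy semantics. Pin each tool and its own lockfile: declare `ARG CARGO_AUDIT_VERSION` and `ARG CARGO_DENY_VERSION` with the versions you tested as defaults, then `RUN cargo install --locked cargo-audit --version "$CARGO_AUDIT_VERSION" && cargo install --locked cargo-deny --version "$CARGO_DENY_VERSION"`, and pin `FROM rust:1.91-bullseye` by digest for the same reason. The image also never drops root and bakes `DEBIAN_FRONTEND=noninteractive` into the runtime environment; since the run script bind-mounts the host checkout at `/workspace`, anything cargo writes there (a regenerated `Cargo.lock`, `target/`) will be root-owned on a Linux host. Add a `USER` after the install steps or pass `--user` at run time, and move `DEBIAN_FRONTEND` inline into the apt `RUN`.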
|||
@ -0,0 +1,14 @@ |
|||
set -euo pipefail |
|||
export PATH="/usr/local/cargo/bin:/usr/local/bin:$PATH" |
|||
echo "=== cargo-audit --version ===" |
|||
/usr/local/cargo/bin/cargo-audit --version || true |
|||
echo "=== cargo-audit report ===" |
|||
# Run cargo-audit on the workspace Cargo.lock if present; local crate otherwise |
|||
/usr/local/cargo/bin/cargo-audit || true |
|||
echo "=== cargo-deny --version ===" |
|||
/usr/local/cargo/bin/cargo-deny --version || true |
|||
echo "=== cargo-deny advisories ===" |
|||
# Use --manifest-path as a global option and run check advisories and licenses |
|||
/usr/local/cargo/bin/cargo-deny --manifest-path Cargo.toml check advisories || true |
|||
echo "=== cargo-deny licenses ===" |
|||
/usr/local/cargo/bin/cargo-deny --manifest-path Cargo.toml check licenses || true |
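Review bot: The report step `/usr/local/cargo/bin/cargo-audit || true` invokes the cargo-audit binary without its `audit` subcommand, so it prints usage (the help text committed alongside, `Usage: cargo [OPTIONS] <COMMAND>` with `audit` listed, is exactly that output) and audits nothing, and the trailing `|| true` turns that into a silent success. The same `|| true` on every cargo-deny line means the script exits 0 whether the checks pass, find advisories, or cannot even start `cargo`, which the committed error logs (`failed to run cargo: No such file or directory`) show has already happened; with every status discarded, `set -euo pipefail` on the first line gates nothing. Run the real subcommand and fold failures into the exit status so CI and the wrapper script can block on them; the version banners can keep their `|| true` since they are informational only.
```shell
status=0
# … unchanged: PATH export and cargo-audit version banner …
echo "=== cargo-audit report ==="
/usr/local/cargo/bin/cargo-audit audit || status=1
# … unchanged: cargo-deny version banner …
echo "=== cargo-deny advisories ==="
/usr/local/cargo/bin/cargo-deny --manifest-path Cargo.toml check advisories || status=1
echo "=== cargo-deny licenses ==="
/usr/local/cargo/bin/cargo-deny --manifest-path Cargo.toml check licenses || status=1
exit "$status"
```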
|||
@ -0,0 +1,12 @@ |
|||
Audit Cargo.lock for crates with security vulnerabilities |
|||
|
|||
Usage: cargo [OPTIONS] <COMMAND> |
|||
|
|||
Commands: |
|||
audit Audit Cargo.lock files for vulnerable crates |
|||
help Print this message or the help of the given subcommand(s) |
|||
|
|||
Options: |
|||
-v, --verbose Increase verbosity |
|||
-h, --help Print help |
|||
-V, --version Print version |
|||
@ -0,0 +1,2 @@ |
|||
{"fields":{"level":"ERROR","message":"failed to fetch crates: failed to run cargo: No such file or directory (os error 2)","timestamp":"2025-11-09T08:15:15.688872215Z"},"type":"log"} |
|||
{"fields":{"level":"ERROR","message":"failed to start `cargo metadata`: No such file or directory (os error 2): No such file or directory (os error 2)","timestamp":"2025-11-09T08:15:15.688872215Z"},"type":"log"} |
|||
@ -0,0 +1,2 @@ |
|||
{"fields":{"level":"ERROR","message":"failed to fetch crates: failed to run cargo: No such file or directory (os error 2)","timestamp":"2025-11-09T08:15:15.498450874Z"},"type":"log"} |
|||
{"fields":{"level":"ERROR","message":"failed to start `cargo metadata`: No such file or directory (os error 2): No such file or directory (os error 2)","timestamp":"2025-11-09T08:15:15.498450874Z"},"type":"log"} |
|||
@ -0,0 +1,7 @@ |
|||
info: syncing channel updates for '1.91.0-x86_64-unknown-linux-gnu' |
|||
info: latest update on 2025-10-30, rust version 1.91.0 (f8297e351 2025-10-28) |
|||
info: downloading component 'clippy' |
|||
info: downloading component 'rustfmt' |
|||
info: installing component 'clippy' |
|||
info: installing component 'rustfmt' |
|||
cargo 1.91.0 (ea2d97820 2025-10-10) |
|||
|
@ -0,0 +1,8 @@ |
|||
{"fields":{"code":"rejected","graphs":[{"Krate":{"name":"ar_archive_writer","version":"0.2.0"},"parents":[{"Krate":{"kind":"build","name":"psm","version":"0.1.28"},"parents":[{"Krate":{"name":"stacker","version":"0.1.22"},"parents":[{"Krate":{"name":"chumsky","version":"0.9.3"},"parents":[{"Krate":{"name":"lettre","version":"0.11.19"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"}}]}]}]}]}]}],"labels":[{"column":12,"line":22,"message":"","span":"Apache-2.0 WITH LLVM-exception"},{"column":12,"line":22,"message":"rejected: license is not explicitly allowed","span":"Apache-2.0 WITH LLVM-exception"}],"message":"failed to satisfy license requirements","notes":["Apache-2.0 - Apache License 2.0:"," - OSI approved"," - FSF Free/Libre"],"severity":"error"},"type":"diagnostic"} |
|||
{"fields":{"code":"rejected","graphs":[{"Krate":{"name":"base64urlsafedata","version":"0.5.3"},"parents":[{"Krate":{"name":"webauthn-attestation-ca","version":"0.5.3"},"parents":[{"Krate":{"name":"webauthn-rs-core","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"}},{"Krate":{"name":"webauthn-rs","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true}]}]}]},{"Krate":{"name":"webauthn-rs","version":"0.5.3"},"repeat":true},{"Krate":{"name":"webauthn-rs-core","version":"0.5.3"},"repeat":true},{"Krate":{"name":"webauthn-rs-proto","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true},{"Krate":{"name":"webauthn-rs-core","version":"0.5.3"},"repeat":true}]}]}],"labels":[{"column":12,"line":35,"message":"","span":"MPL-2.0"},{"column":12,"line":35,"message":"rejected: license is not explicitly allowed","span":"MPL-2.0"}],"message":"failed to satisfy license requirements","notes":["MPL-2.0 - Mozilla Public License 2.0:"," - OSI approved"," - FSF Free/Libre"," - Copyleft"],"severity":"error"},"type":"diagnostic"} |
|||
{"fields":{"code":"rejected","graphs":[{"Krate":{"name":"webauthn-attestation-ca","version":"0.5.3"},"parents":[{"Krate":{"name":"webauthn-rs-core","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"}},{"Krate":{"name":"webauthn-rs","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true}]}]}]}],"labels":[{"column":12,"line":30,"message":"","span":"MPL-2.0"},{"column":12,"line":30,"message":"rejected: license is not explicitly allowed","span":"MPL-2.0"}],"message":"failed to satisfy license requirements","notes":["MPL-2.0 - Mozilla Public License 2.0:"," - OSI approved"," - FSF Free/Libre"," - Copyleft"],"severity":"error"},"type":"diagnostic"} |
|||
{"fields":{"code":"rejected","graphs":[{"Krate":{"name":"webauthn-rs","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"}}]}],"labels":[{"column":12,"line":39,"message":"","span":"MPL-2.0"},{"column":12,"line":39,"message":"rejected: license is not explicitly allowed","span":"MPL-2.0"}],"message":"failed to satisfy license requirements","notes":["MPL-2.0 - Mozilla Public License 2.0:"," - OSI approved"," - FSF Free/Libre"," - Copyleft"],"severity":"error"},"type":"diagnostic"} |
|||
{"fields":{"code":"rejected","graphs":[{"Krate":{"name":"webauthn-rs-core","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"}},{"Krate":{"name":"webauthn-rs","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true}]}]}],"labels":[{"column":12,"line":38,"message":"","span":"MPL-2.0"},{"column":12,"line":38,"message":"rejected: license is not explicitly allowed","span":"MPL-2.0"}],"message":"failed to satisfy license requirements","notes":["MPL-2.0 - Mozilla Public License 2.0:"," - OSI approved"," - FSF Free/Libre"," - Copyleft"],"severity":"error"},"type":"diagnostic"} |
|||
{"fields":{"code":"rejected","graphs":[{"Krate":{"name":"webauthn-rs-proto","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"}},{"Krate":{"name":"webauthn-rs-core","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true},{"Krate":{"name":"webauthn-rs","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true}]}]}]}],"labels":[{"column":12,"line":38,"message":"","span":"MPL-2.0"},{"column":12,"line":38,"message":"rejected: license is not explicitly allowed","span":"MPL-2.0"}],"message":"failed to satisfy license requirements","notes":["MPL-2.0 - Mozilla Public License 2.0:"," - OSI approved"," - FSF Free/Libre"," - Copyleft"],"severity":"error"},"type":"diagnostic"} |
|||
{"fields":{"code":"rejected","graphs":[{"Krate":{"name":"webpki-roots","version":"1.0.3"},"parents":[{"Krate":{"name":"hyper-rustls","version":"0.27.7"},"parents":[{"Krate":{"name":"reqwest","version":"0.12.24"},"parents":[{"Krate":{"name":"oauth2","version":"5.0.0"},"parents":[{"Krate":{"name":"openidconnect","version":"4.0.1"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"}}]}]},{"Krate":{"name":"opendal","version":"0.54.1"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true}]},{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true},{"Krate":{"name":"yubico_ng","version":"0.14.1"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true}]}]}]},{"Krate":{"name":"reqwest","version":"0.12.24"},"repeat":true}]}],"labels":[{"column":12,"line":26,"message":"","span":"CDLA-Permissive-2.0"},{"column":12,"line":26,"message":"rejected: license is not explicitly allowed","span":"CDLA-Permissive-2.0"}],"message":"failed to satisfy license requirements","notes":["CDLA-Permissive-2.0 - Community Data License Agreement Permissive 2.0:"," - No additional metadata available for license"],"severity":"error"},"type":"diagnostic"} |
|||
{"fields":{"licenses":{"errors":7,"helps":530,"notes":0,"warnings":0}},"type":"summary"} |
|||
@ -0,0 +1,288 @@ |
|||
info: syncing channel updates for '1.91.0-x86_64-unknown-linux-gnu' |
|||
info: latest update on 2025-10-30, rust version 1.91.0 (f8297e351 2025-10-28) |
|||
info: downloading component 'clippy' |
|||
info: downloading component 'rustfmt' |
|||
info: installing component 'clippy' |
|||
info: installing component 'rustfmt' |
|||
Updating crates.io index |
|||
Downloading crates ... |
|||
Downloaded ahash v0.8.12 |
|||
Downloaded darling v0.20.11 |
|||
Downloaded chumsky v0.9.3 |
|||
Downloaded kv-log-macro v1.0.7 |
|||
Downloaded http-body v0.4.6 |
|||
Downloaded inlinable_string v0.1.15 |
|||
Downloaded openssl-macros v0.1.1 |
|||
Downloaded asn1-rs-impl v0.2.0 |
|||
Downloaded der-parser v9.0.0 |
|||
Downloaded async-channel v1.9.0 |
|||
Downloaded psl-types v2.0.11 |
|||
Downloaded futures-timer v3.0.3 |
|||
Downloaded httpdate v1.0.3 |
|||
Downloaded binascii v0.1.4 |
|||
Downloaded async-stream-impl v0.3.6 |
|||
Downloaded num_threads v0.1.7 |
|||
Downloaded migrations_internals v2.3.0 |
|||
Downloaded glob v0.3.3 |
|||
Downloaded hex v0.4.3 |
|||
Downloaded hostname v0.4.1 |
|||
Downloaded alloc-stdlib v0.2.2 |
|||
Downloaded pem v3.0.6 |
|||
Downloaded num-order v1.2.0 |
|||
Downloaded phf v0.11.3 |
|||
Downloaded multer v3.1.0 |
|||
Downloaded pear v0.2.9 |
|||
Downloaded phf_macros v0.11.3 |
|||
Downloaded parking v2.2.1 |
|||
Downloaded hyper-tls v0.6.0 |
|||
Downloaded pico-args v0.5.0 |
|||
Downloaded num_cpus v1.17.0 |
|||
Downloaded jetscii v0.5.3 |
|||
Downloaded base64urlsafedata v0.5.3 |
|||
Downloaded cached_proc_macro_types v0.1.1 |
|||
Downloaded oid-registry v0.7.1 |
|||
Downloaded md-5 v0.10.6 |
|||
Downloaded group v0.13.0 |
|||
Downloaded diesel_table_macro_syntax v0.3.0 |
|||
Downloaded num-derive v0.4.2 |
|||
Downloaded async-stream v0.3.6 |
|||
Downloaded num-integer v0.1.46 |
|||
Downloaded darling_macro v0.21.3 |
|||
Downloaded foreign-types-shared v0.1.1 |
|||
Downloaded is-terminal v0.4.17 |
|||
Downloaded devise_codegen v0.4.2 |
|||
Downloaded pear_codegen v0.2.9 |
|||
Downloaded derive_builder_macro v0.20.2 |
|||
Downloaded foreign-types v0.3.2 |
|||
Downloaded darling_macro v0.20.11 |
|||
Downloaded argon2 v0.5.3 |
|||
Downloaded alloc-no-stdlib v2.0.4 |
|||
Downloaded cached_proc_macro v0.25.0 |
|||
Downloaded async-global-executor v2.4.1 |
|||
Downloaded asn1-rs-derive v0.5.1 |
|||
Downloaded async-signal v0.2.13 |
|||
Downloaded async-channel v2.5.0 |
|||
Downloaded blocking v1.6.2 |
|||
Downloaded atomic v0.5.3 |
|||
Downloaded devise v0.4.2 |
|||
Downloaded job_scheduler_ng v2.4.0 |
|||
Downloaded pkcs8 v0.10.2 |
|||
Downloaded quanta v0.12.6 |
|||
Downloaded base16ct v0.2.0 |
|||
Downloaded indexmap v1.9.3 |
|||
Downloaded password-hash v0.5.0 |
|||
Downloaded num-iter v0.1.45 |
|||
Downloaded downcast-rs v2.0.2 |
|||
Downloaded ordered-float v2.10.1 |
|||
Downloaded diesel-derive-newtype v2.1.2 |
|||
Downloaded dsl_auto_type v0.2.0 |
|||
Downloaded r2d2 v0.8.10 |
|||
Downloaded ref-cast v1.0.25 |
|||
Downloaded nonzero_ext v0.3.0 |
|||
Downloaded futures-executor v0.3.31 |
|||
Downloaded migrations_macros v2.3.0 |
|||
Downloaded dashmap v5.5.3 |
|||
Downloaded diesel_migrations v2.3.0 |
|||
Downloaded dotenvy v0.15.7 |
|||
Downloaded data-encoding v2.9.0 |
|||
Downloaded ff v0.13.1 |
|||
Downloaded document-features v0.2.12 |
|||
Downloaded native-tls v0.2.14 |
|||
Downloaded pem-rfc7468 v0.7.0 |
|||
Downloaded primeorder v0.13.6 |
|||
Downloaded concurrent-queue v2.5.0 |
|||
Downloaded cron v0.15.0 |
|||
Downloaded piper v0.2.4 |
|||
Downloaded event-listener-strategy v0.5.4 |
|||
Downloaded env_home v0.1.0 |
|||
Downloaded codemap v0.1.3 |
|||
Downloaded devise_core v0.4.2 |
|||
Downloaded quoted_printable v0.5.1 |
|||
Downloaded phf_generator v0.11.3 |
|||
Downloaded event-listener v2.5.3 |
|||
Downloaded phf_shared v0.12.1 |
|||
Downloaded futures-macro v0.3.31 |
|||
Downloaded quick-error v2.0.1 |
|||
Downloaded ar_archive_writer v0.2.0 |
|||
Downloaded curve25519-dalek-derive v0.1.1 |
|||
Downloaded email-encoding v0.4.1 |
|||
Downloaded dyn-clone v1.0.20 |
|||
Downloaded ed25519 v2.2.3 |
|||
Downloaded proc-macro2-diagnostics v0.10.1 |
|||
Downloaded data-url v0.3.2 |
|||
Downloaded phf_shared v0.11.3 |
|||
Downloaded async-task v4.7.1 |
|||
Downloaded blake2 v0.10.6 |
|||
Downloaded resolv-conf v0.7.5 |
|||
Downloaded pastey v0.1.1 |
|||
Downloaded phf v0.12.1 |
|||
Downloaded derive_builder_core v0.20.2 |
|||
Downloaded ref-cast-impl v1.0.25 |
|||
Downloaded rand_core v0.6.4 |
|||
Downloaded rfc6979 v0.4.0 |
|||
Downloaded rand_chacha v0.3.1 |
|||
Downloaded reopen v1.0.3 |
|||
Downloaded hmac v0.12.1 |
|||
Downloaded uncased v0.9.10 |
|||
Downloaded iana-time-zone v0.1.64 |
|||
Downloaded base64ct v1.8.0 |
|||
Downloaded async-process v2.5.0 |
|||
Downloaded serde_plain v1.0.2 |
|||
Downloaded pest_derive v2.8.3 |
|||
Downloaded email_address v0.2.9 |
|||
Downloaded rocket_ws v0.1.1 |
|||
Downloaded async-executor v1.13.3 |
|||
Downloaded ecdsa v0.16.9 |
|||
Downloaded psm v0.1.28 |
|||
Downloaded cookie_store v0.22.0 |
|||
Downloaded litrs v1.0.0 |
|||
Downloaded async-trait v0.1.89 |
|||
Downloaded quote v1.0.41 |
|||
Downloaded enum-as-inner v0.6.1 |
|||
Downloaded critical-section v1.2.0 |
|||
Downloaded dashmap v6.1.0 |
|||
Downloaded cookie_store v0.21.1 |
|||
Downloaded pkcs1 v0.7.5 |
|||
Downloaded stable-pattern v0.1.0 |
|||
Downloaded stacker v0.1.22 |
|||
Downloaded utf-8 v0.7.6 |
|||
Downloaded rustc_version v0.4.1 |
|||
Downloaded rtoolbox v0.0.3 |
|||
Downloaded serde-value v0.7.0 |
|||
Downloaded scheduled-thread-pool v0.2.7 |
|||
Downloaded tagptr v0.2.0 |
|||
Downloaded syslog v7.0.0 |
|||
Downloaded threadpool v1.8.1 |
|||
Downloaded rusticata-macros v4.1.0 |
|||
Downloaded simple_asn1 v0.6.3 |
|||
Downloaded tokio-macros v2.6.0 |
|||
Downloaded thiserror v1.0.69 |
|||
Downloaded totp-lite v2.0.1 |
|||
Downloaded half v2.7.1 |
|||
Downloaded rmpv v1.3.0 |
|||
Downloaded backon v1.6.0 |
|||
Downloaded serde_with_macros v3.15.1 |
|||
Downloaded yubico_ng v0.14.1 |
|||
Downloaded async-lock v3.4.1 |
|||
Downloaded serde_path_to_error v0.1.20 |
|||
Downloaded rustls-pemfile v1.0.4 |
|||
Downloaded sec1 v0.7.3 |
|||
Downloaded futures v0.3.31 |
|||
Downloaded futures-lite v2.6.1 |
|||
Downloaded signature v2.2.0 |
|||
Downloaded async-io v2.6.0 |
|||
Downloaded hickory-resolver v0.25.2 |
|||
Downloaded http v0.2.12 |
|||
Downloaded elliptic-curve v0.13.8 |
|||
Downloaded svg-hush v0.9.5 |
|||
Downloaded spki v0.7.3 |
|||
Downloaded state v0.6.0 |
|||
Downloaded num-modular v0.6.1 |
|||
Downloaded cookie v0.18.1 |
|||
Downloaded ubyte v0.10.4 |
|||
Downloaded jsonwebtoken v9.3.1 |
|||
Downloaded derive_builder v0.20.2 |
|||
Downloaded const-oid v0.9.6 |
|||
Downloaded webauthn-attestation-ca v0.5.3 |
|||
Downloaded tokio-rustls v0.24.1 |
|||
Downloaded tokio-native-tls v0.3.1 |
|||
Downloaded sct v0.7.1 |
|||
Downloaded thiserror-impl v1.0.69 |
|||
Downloaded p256 v0.13.2 |
|||
Downloaded webauthn-rs-proto v0.5.3 |
|||
Downloaded tokio-tungstenite v0.21.0 |
|||
Downloaded tokio-stream v0.1.17 |
|||
Downloaded pest_generator v2.8.3 |
|||
Downloaded web-time v1.1.0 |
|||
Downloaded triomphe v0.1.15 |
|||
Downloaded webauthn-rs v0.5.3 |
|||
Downloaded which v8.0.0 |
|||
Downloaded spinning_top v0.3.0 |
|||
Downloaded siphasher v1.0.1 |
|||
Downloaded spin v0.9.8 |
|||
Downloaded hashbrown v0.12.3 |
|||
Downloaded event-listener v5.4.1 |
|||
Downloaded derive_more v2.0.1 |
|||
Downloaded cached v0.56.0 |
|||
Downloaded darling_core v0.20.11 |
|||
Downloaded lasso v0.7.3 |
|||
Downloaded darling_core v0.21.3 |
|||
Downloaded darling v0.21.3 |
|||
Downloaded serde_cbor_2 v0.13.0 |
|||
Downloaded pest_meta v2.8.3 |
|||
Downloaded mini-moka v0.10.3 |
|||
Downloaded polling v3.11.0 |
|||
Downloaded socket2 v0.5.10 |
|||
Downloaded base64 v0.21.7 |
|||
Downloaded handlebars v6.3.2 |
|||
Downloaded crypto-bigint v0.5.5 |
|||
Downloaded figment v0.10.19 |
|||
Downloaded ucd-trie v0.1.7 |
|||
Downloaded minimal-lexical v0.2.1 |
|||
Downloaded publicsuffix v2.3.0 |
|||
Downloaded oauth2 v5.0.0 |
|||
Downloaded asn1-rs v0.6.2 |
|||
Downloaded html5gum v0.8.0 |
|||
Downloaded xml-rs v0.8.28 |
|||
Downloaded num-bigint v0.4.6 |
|||
Downloaded tungstenite v0.21.0 |
|||
Downloaded openssl-sys v0.9.110 |
|||
Downloaded uuid v1.18.1 |
|||
Downloaded value-bag v1.11.1 |
|||
Downloaded num-bigint-dig v0.8.4 |
|||
Downloaded rsa v0.9.8 |
|||
Downloaded schemars v0.9.0 |
|||
Downloaded itertools v0.10.5 |
|||
Downloaded der v0.7.10 |
|||
Downloaded rand v0.8.5 |
|||
Downloaded derive_more-impl v2.0.1 |
|||
Downloaded rocket_http v0.5.1 |
|||
Downloaded yansi v1.0.1 |
|||
Downloaded zerocopy-derive v0.8.27 |
|||
Downloaded cc v1.2.43 |
|||
Downloaded diesel_derives v2.3.4 |
|||
Downloaded ed25519-dalek v2.2.0 |
|||
Downloaded schemars v1.0.4 |
|||
Downloaded nom v8.0.0 |
|||
Downloaded bigdecimal v0.4.9 |
|||
Downloaded rpassword v7.4.0 |
|||
Downloaded tokio-util v0.7.16 |
|||
Downloaded nom v7.1.3 |
|||
Downloaded x509-parser v0.16.0 |
|||
Downloaded hashbrown v0.14.5 |
|||
Downloaded raw-cpuid v11.6.0 |
|||
Downloaded governor v0.10.1 |
|||
Downloaded rocket_codegen v0.5.1 |
|||
Downloaded libm v0.2.15 |
|||
Downloaded pest v2.8.3 |
|||
Downloaded hkdf v0.12.4 |
|||
Downloaded grass_compiler v0.13.4 |
|||
Downloaded brotli-decompressor v5.0.0 |
|||
Downloaded iri-string v0.7.8 |
|||
Downloaded webauthn-rs-core v0.5.3 |
|||
Downloaded winnow v0.6.26 |
|||
Downloaded lettre v0.11.19 |
|||
Downloaded chrono v0.4.42 |
|||
Downloaded async-std v1.13.2 |
|||
Downloaded vcpkg v0.2.15 |
|||
Downloaded portable-atomic v1.11.1 |
|||
Downloaded openidconnect v4.0.1 |
|||
Downloaded quick-xml v0.38.3 |
|||
Downloaded p384 v0.13.1 |
|||
Downloaded rustls-webpki v0.101.7 |
|||
Downloaded hyper v0.14.32 |
|||
Downloaded curve25519-dalek v4.1.3 |
|||
Downloaded diesel v2.3.3 |
|||
Downloaded serde_with v3.15.1 |
|||
Downloaded rustls v0.23.34 |
|||
Downloaded moka v0.12.11 |
|||
Downloaded brotli v8.0.2 |
|||
Downloaded chrono-tz v0.10.4 |
|||
Downloaded openssl v0.10.74 |
|||
Downloaded webpki-roots v1.0.3 |
|||
Downloaded object v0.32.2 |
|||
Downloaded rustls v0.21.12 |
|||
Downloaded rocket v0.5.1 |
|||
Downloaded syn v2.0.108 |
|||
Downloaded hickory-proto v0.25.2 |
|||
Downloaded opendal v0.54.1 |
|||
@ -0,0 +1,2 @@ |
|||
webauthn-rs v0.5.3 |
|||
└── vaultwarden v1.0.0 (/workspace) |
|||
@ -0,0 +1,12 @@ |
|||
webpki-roots v1.0.3 |
|||
├── hyper-rustls v0.27.7 |
|||
│ └── reqwest v0.12.24 |
|||
│ ├── oauth2 v5.0.0 |
|||
│ │ └── openidconnect v4.0.1 |
|||
│ │ └── vaultwarden v1.0.0 (/workspace) |
|||
│ ├── opendal v0.54.1 |
|||
│ │ └── vaultwarden v1.0.0 (/workspace) |
|||
│ ├── vaultwarden v1.0.0 (/workspace) |
|||
│ └── yubico_ng v0.14.1 |
|||
│ └── vaultwarden v1.0.0 (/workspace) |
|||
└── reqwest v0.12.24 (*) |
|||
@ -0,0 +1,21 @@ |
|||
security(audit): remediation scaffold + deny policy |
|||
|
|||
This draft PR adds cargo-deny policy, a GitHub Actions audit workflow, and a local security audit note. It contains temporary, timeboxed ignore entries to allow iteration while remediation is planned. |
|||
|
|||
Key artifacts: |
|||
- Audit note: SECURITY-AUDIT-2025-11-09.md |
|||
- Tracking file: issues/TRACK-2025-11-09-RSA-PASTE.md |
|||
- Exceptions added to deny.toml (advisories.ignore = ["RUSTSEC-2023-0071", "RUSTSEC-2024-0436"]) with expiry 2026-02-01 |
|||
|
|||
Required checklist before merging: |
|||
- [ ] Assign an owner for TRACK-2025-11-09-RSA-PASTE.md and confirm investigation steps (run `cargo tree -i rsa` and `cargo tree -i paste`). |
|||
- [ ] Agree remediation path for RUSTSEC-2023-0071 (rsa): either a published upstream bump avoiding `rsa`, an alternative crate, or a vetted vendor shim. Attach a follow-up PR when chosen. |
|||
- [ ] Agree remediation path for RUSTSEC-2024-0436 (paste): upgrade or replace the dependency chain (rmp/rmpv) or use a maintained alternative. Attach a follow-up PR when chosen. |
|||
- [ ] Add unit/integration tests verifying replacement behavior (auth/serialization flows) in follow-up PR(s). |
|||
- [ ] Remove the `advisories.ignore` entries from `deny.toml` and re-run the audit in CI to ensure no advisories remain. |
|||
- [ ] Review license failures and add targeted license exceptions or plan replacements for crates with unapproved licenses. |
|||
|
|||
Notes: |
|||
- The repository's Issues feature is disabled; use the tracking file in this branch (`issues/TRACK-2025-11-09-RSA-PASTE.md`) and the PR comment for workflow until issues are enabled. |
|||
|
|||
This PR is a draft while remediation work is planned and executed. |
|||
@ -0,0 +1,44 @@ |
|||
param( |
|||
[string]$Workspace = "$PSScriptRoot\..\..", |
|||
[string]$ImageName = "vaultwarden-audit:latest" |
|||
) |
|||
|
|||
Push-Location $PSScriptRoot |
|||
try { |
|||
Write-Host "Building Docker image '$ImageName' (this may take several minutes)..." |
|||
docker build -t $ImageName . |
|||
|
|||
Write-Host "Running audit container... outputs will be written to: $Workspace" |
|||
|
|||
# Create a small LF-only shell script to avoid CRLF issues when passing |
|||
# multi-line commands into bash on Linux containers from Windows hosts. |
|||
$auditScriptPath = Join-Path $PSScriptRoot 'audit.sh' |
|||
$scriptContent = @' |
|||
set -euo pipefail |
|||
export PATH="/usr/local/cargo/bin:/usr/local/bin:$PATH" |
|||
echo "=== cargo-audit --version ===" |
|||
/usr/local/cargo/bin/cargo-audit --version || true |
|||
echo "=== cargo-audit report ===" |
|||
# Run cargo-audit on the workspace Cargo.lock if present; local crate otherwise |
|||
/usr/local/cargo/bin/cargo-audit || true |
|||
echo "=== cargo-deny --version ===" |
|||
/usr/local/cargo/bin/cargo-deny --version || true |
|||
echo "=== cargo-deny advisories ===" |
|||
# Use --manifest-path as a global option and run check advisories and licenses |
|||
/usr/local/cargo/bin/cargo-deny --manifest-path Cargo.toml check advisories || true |
|||
echo "=== cargo-deny licenses ===" |
|||
/usr/local/cargo/bin/cargo-deny --manifest-path Cargo.toml check licenses || true |
|||
'@ |
|||
|
|||
# Ensure the script uses LF-only line endings by replacing CRLF with LF |
|||
$scriptContent = $scriptContent -replace "`r`n", "`n" |
|||
# Write bytes directly to ensure exact newlines (UTF8 without BOM) |
|||
$bytes = [System.Text.Encoding]::UTF8.GetBytes($scriptContent) |
|||
[System.IO.File]::WriteAllBytes($auditScriptPath, $bytes) |
|||
|
|||
# Run the audit script inside the container by mounting it read-only |
|||
docker run --rm -v "${Workspace}:/workspace" -v "${auditScriptPath}:/audit.sh:ro" -w /workspace $ImageName bash -lc 'bash /audit.sh' |
|||
} |
|||
finally { |
|||
Pop-Location |
|||
} |
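Review bot: `docker build -t $ImageName .` at the top of the try block is never checked for success; PowerShell does not stop on a non-zero exit from a native command, so a failed build falls through to `docker run`, which then executes against whatever `vaultwarden-audit:latest` already exists locally (possibly stale) or fails with a less useful error. Add `if ($LASTEXITCODE -ne 0) { throw "docker build failed (exit $LASTEXITCODE)" }` after the build, and the same check after `docker run` so the audit's exit status reaches the caller instead of being dropped at `Pop-Location`. The here-string also rewrites the committed `audit.sh` next to the script on every run, so the audit logic now exists in two places that must be kept in sync; if git line-ending normalization on Windows checkouts is the concern, a `.gitattributes` entry `audit.sh text eol=lf` fixes it once and the run line can mount the checked-in file read-only as it already does. Note that the host checkout is mounted read-write into a container that runs as root, so whatever the tools write under `/workspace` lands in the working tree.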
|||