From 64f402b6afb422034fb39041f95d2e9257169da3 Mon Sep 17 00:00:00 2001 
From: kalvinparker <106995826+kalvinparker@users.noreply.github.com> Date: Sun, 9 Nov 2025 17:57:34 +0000 Subject: [PATCH] chore(audit): add Dockerfile and scripts for cargo audit and deny integration --- Cargo.lock | 20 +- docker/audit/Dockerfile | 19 ++ docker/audit/audit.sh | 14 + docker/audit/output/cargo-audit.err | 12 + docker/audit/output/cargo-audit.json | 0 docker/audit/output/cargo-deny-advisories.err | 2 + .../audit/output/cargo-deny-advisories.json | 0 docker/audit/output/cargo-deny-licenses.err | 2 + docker/audit/output/cargo-deny-licenses.json | 0 docker/audit/output/cargo-version.txt | 7 + .../output/license_triage_2025-11-09.csv | 8 + docker/audit/output/licenses.err | 8 + docker/audit/output/licenses.json | 0 docker/audit/output/webauthn-tree.err | 288 ++++++++++++++++++ docker/audit/output/webauthn-tree.txt | 2 + docker/audit/output/webpki-tree.err | 0 docker/audit/output/webpki-tree.txt | 12 + docker/audit/pr-body.txt | 21 ++ docker/audit/run-audit.ps1 | 44 +++ 19 files changed, 449 insertions(+), 10 deletions(-) create mode 100644 docker/audit/Dockerfile create mode 100644 docker/audit/audit.sh create mode 100644 docker/audit/output/cargo-audit.err create mode 100644 docker/audit/output/cargo-audit.json create mode 100644 docker/audit/output/cargo-deny-advisories.err create mode 100644 docker/audit/output/cargo-deny-advisories.json create mode 100644 docker/audit/output/cargo-deny-licenses.err create mode 100644 docker/audit/output/cargo-deny-licenses.json create mode 100644 docker/audit/output/cargo-version.txt create mode 100644 docker/audit/output/license_triage_2025-11-09.csv create mode 100644 docker/audit/output/licenses.err create mode 100644 docker/audit/output/licenses.json create mode 100644 docker/audit/output/webauthn-tree.err create mode 100644 docker/audit/output/webauthn-tree.txt create mode 100644 docker/audit/output/webpki-tree.err create mode 100644 docker/audit/output/webpki-tree.txt create mode 100644 docker/audit/pr-body.txt 
create mode 100644 docker/audit/run-audit.ps1 diff --git a/Cargo.lock b/Cargo.lock index 778fc373..4ed02e9e 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -1738,7 +1738,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "39cab71617ae0d63f51a36d69f866391735b51691dbda63cf6f96d042b63efeb" dependencies = [ "libc", - "windows-sys 0.61.2", + "windows-sys 0.59.0", ] [[package]] @@ -2457,7 +2457,7 @@ dependencies = [ "libc", "percent-encoding", "pin-project-lite", - "socket2 0.6.1", + "socket2 0.5.10", "system-configuration", "tokio", "tower-service", @@ -2672,7 +2672,7 @@ checksum = "3640c1c38b8e4e43584d8df18be5fc6b0aa314ce6ebf51b53313d4306cca8e46" dependencies = [ "hermit-abi", "libc", - "windows-sys 0.61.2", + "windows-sys 0.59.0", ] [[package]] @@ -3098,7 +3098,7 @@ version = "0.50.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7957b9740744892f114936ab4a57b3f487491bbeafaf8083688b16841a4240e5" dependencies = [ - "windows-sys 0.61.2", + "windows-sys 0.59.0", ] [[package]] @@ -3882,7 +3882,7 @@ dependencies = [ "quinn-udp", "rustc-hash", "rustls 0.23.34", - "socket2 0.6.1", + "socket2 0.5.10", "thiserror 2.0.17", "tokio", "tracing", @@ -3919,9 +3919,9 @@ dependencies = [ "cfg_aliases", "libc", "once_cell", - "socket2 0.6.1", + "socket2 0.5.10", "tracing", - "windows-sys 0.60.2", + "windows-sys 0.59.0", ] [[package]] @@ -4416,7 +4416,7 @@ dependencies = [ "errno", "libc", "linux-raw-sys", - "windows-sys 0.61.2", + "windows-sys 0.59.0", ] [[package]] @@ -5127,7 +5127,7 @@ dependencies = [ "getrandom 0.3.4", "once_cell", "rustix", - "windows-sys 0.61.2", + "windows-sys 0.59.0", ] [[package]] @@ -6018,7 +6018,7 @@ version = "0.1.11" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "c2a7b1c03c876122aa43f3020e6c3c3ee5c05081c9a00739faf7503aeba10d22" dependencies = [ - "windows-sys 0.61.2", + "windows-sys 0.48.0", ] [[package]] 
diff --git a/docker/audit/Dockerfile b/docker/audit/Dockerfile
new file mode 100644
index 00000000..9e88db8f
--- /dev/null
+++ b/docker/audit/Dockerfile
@@ -0,0 +1,19 @@
+FROM rust:1.91-bullseye
+ENV DEBIAN_FRONTEND=noninteractive
+
+# Install OS deps needed for building some crates
+RUN apt-get update && \
+ apt-get install -y --no-install-recommends \
+ pkg-config \
+ libssl-dev \
+ build-essential \
+ ca-certificates \
+ curl && \
+ rm -rf /var/lib/apt/lists/*
+
+# Install cargo tools (compiled into the image so subsequent runs are fast)
+RUN /usr/local/cargo/bin/cargo install cargo-audit cargo-deny
+
+WORKDIR /workspace
+
+CMD ["bash"]
diff --git a/docker/audit/audit.sh b/docker/audit/audit.sh
new file mode 100644
index 00000000..4cd956ca
--- /dev/null
+++ b/docker/audit/audit.sh
@@ -0,0 +1,14 @@
+set -euo pipefail
+export PATH="/usr/local/cargo/bin:/usr/local/bin:$PATH"
+echo "=== cargo-audit --version ==="
+/usr/local/cargo/bin/cargo-audit --version || true
+echo "=== cargo-audit report ==="
+# Run cargo-audit on the workspace Cargo.lock if present; local crate otherwise
+/usr/local/cargo/bin/cargo-audit || true
+echo "=== cargo-deny --version ==="
+/usr/local/cargo/bin/cargo-deny --version || true
+echo "=== cargo-deny advisories ==="
+# Use --manifest-path as a global option and run check advisories and licenses
+/usr/local/cargo/bin/cargo-deny --manifest-path Cargo.toml check advisories || true
+echo "=== cargo-deny licenses ==="
+/usr/local/cargo/bin/cargo-deny --manifest-path Cargo.toml check licenses || true
\ No newline at end of file
diff --git a/docker/audit/output/cargo-audit.err b/docker/audit/output/cargo-audit.err
new file mode 100644
index 00000000..9bab5a6b
--- /dev/null
+++ b/docker/audit/output/cargo-audit.err
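Review bot: `RUN /usr/local/cargo/bin/cargo install cargo-audit cargo-deny` installs whatever versions crates.io serves at image build time, so the audit tooling is itself an unpinned supply-chain input and two builds of this image can report different findings. Pin both tools and honour their lockfiles, e.g. `RUN cargo install --locked cargo-audit@<CARGO_AUDIT_VERSION> cargo-deny@<CARGO_DENY_VERSION>` (placeholders for the versions you vet), and consider pinning `rust:1.91-bullseye` by digest for the same reason. The Dockerfile sets no `USER`, so the tools presumably run as root inside the container; the audit only needs to read the workspace, and a non-root user would limit what a compromised tool could do to a mounted checkout.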
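Review bot: `/usr/local/cargo/bin/cargo-audit || true` runs the plugin binary with no subcommand, which prints its usage text instead of auditing — the committed `docker/audit/output/cargo-audit.err` in this same patch contains exactly that help output, so this step never checked anything. Invoke it as `cargo audit` (or `/usr/local/cargo/bin/cargo-audit audit`); the identical line is duplicated in the here-string inside `docker/audit/run-audit.ps1`, which overwrites this file on every run, so fix both copies or keep only one. Separately, every command ends in `|| true`, so the script always exits 0 and a real advisory hit is indistinguishable from a tool failure; capture each check's exit status and `exit 1` at the end if any failed, keeping `|| true` only for the `--version` lines.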
@@ -0,0 +1,12 @@
+Audit Cargo.lock for crates with security vulnerabilities
+
+Usage: cargo [OPTIONS]
+
+Commands:
+ audit Audit Cargo.lock files for vulnerable crates
+ help Print this message or the help of the given subcommand(s)
+
+Options:
+ -v, --verbose Increase verbosity
+ -h, --help Print help
+ -V, --version Print version
diff --git a/docker/audit/output/cargo-audit.json b/docker/audit/output/cargo-audit.json
new file mode 100644
index 00000000..e69de29b
diff --git a/docker/audit/output/cargo-deny-advisories.err b/docker/audit/output/cargo-deny-advisories.err
new file mode 100644
index 00000000..0d09d6bd
--- /dev/null
+++ b/docker/audit/output/cargo-deny-advisories.err
@@ -0,0 +1,2 @@
+{"fields":{"level":"ERROR","message":"failed to fetch crates: failed to run cargo: No such file or directory (os error 2)","timestamp":"2025-11-09T08:15:15.688872215Z"},"type":"log"}
+{"fields":{"level":"ERROR","message":"failed to start `cargo metadata`: No such file or directory (os error 2): No such file or directory (os error 2)","timestamp":"2025-11-09T08:15:15.688872215Z"},"type":"log"}
diff --git a/docker/audit/output/cargo-deny-advisories.json b/docker/audit/output/cargo-deny-advisories.json
new file mode 100644
index 00000000..e69de29b
diff --git a/docker/audit/output/cargo-deny-licenses.err b/docker/audit/output/cargo-deny-licenses.err
new file mode 100644
index 00000000..cf191a0c
--- /dev/null
+++ b/docker/audit/output/cargo-deny-licenses.err
@@ -0,0 +1,2 @@
+{"fields":{"level":"ERROR","message":"failed to fetch crates: failed to run cargo: No such file or directory (os error 2)","timestamp":"2025-11-09T08:15:15.498450874Z"},"type":"log"}
+{"fields":{"level":"ERROR","message":"failed to start `cargo metadata`: No such file or directory (os error 2): No such file or directory (os error 2)","timestamp":"2025-11-09T08:15:15.498450874Z"},"type":"log"}
diff --git a/docker/audit/output/cargo-deny-licenses.json b/docker/audit/output/cargo-deny-licenses.json
new file mode 100644
index 00000000..e69de29b
diff --git a/docker/audit/output/cargo-version.txt b/docker/audit/output/cargo-version.txt
new file mode 100644
index 00000000..1182443b
--- /dev/null
+++ b/docker/audit/output/cargo-version.txt
@@ -0,0 +1,7 @@
+info: syncing channel updates for '1.91.0-x86_64-unknown-linux-gnu'
+info: latest update on 2025-10-30, rust version 1.91.0 (f8297e351 2025-10-28)
+info: downloading component 'clippy'
+info: downloading component 'rustfmt'
+info: installing component 'clippy'
+info: installing component 'rustfmt'
+cargo 1.91.0 (ea2d97820 2025-10-10)
diff --git a/docker/audit/output/license_triage_2025-11-09.csv b/docker/audit/output/license_triage_2025-11-09.csv
new file mode 100644
index 00000000..63867ebf
--- /dev/null
+++ b/docker/audit/output/license_triage_2025-11-09.csv
@@ -0,0 +1,8 @@
+crate,version,license,top_level_dependency
+ar_archive_writer,0.2.0,"Apache-2.0 WITH LLVM-exception",lettre
+base64urlsafedata,0.5.3,MPL-2.0,webauthn-rs
+webauthn-attestation-ca,0.5.3,MPL-2.0,webauthn-rs
+webauthn-rs,0.5.3,MPL-2.0,vaultwarden
+webauthn-rs-core,0.5.3,MPL-2.0,vaultwarden
+webauthn-rs-proto,0.5.3,MPL-2.0,vaultwarden
+webpki-roots,1.0.3,CDLA-Permissive-2.0,openidconnect
diff --git a/docker/audit/output/licenses.err b/docker/audit/output/licenses.err
new file mode 100644
index 00000000..c1ac372f
--- /dev/null
+++ b/docker/audit/output/licenses.err
@@ -0,0 +1,8 @@
+{"fields":{"code":"rejected","graphs":[{"Krate":{"name":"ar_archive_writer","version":"0.2.0"},"parents":[{"Krate":{"kind":"build","name":"psm","version":"0.1.28"},"parents":[{"Krate":{"name":"stacker","version":"0.1.22"},"parents":[{"Krate":{"name":"chumsky","version":"0.9.3"},"parents":[{"Krate":{"name":"lettre","version":"0.11.19"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"}}]}]}]}]}]}],"labels":[{"column":12,"line":22,"message":"","span":"Apache-2.0 WITH LLVM-exception"},{"column":12,"line":22,"message":"rejected: license is not explicitly allowed","span":"Apache-2.0 WITH LLVM-exception"}],"message":"failed to satisfy license requirements","notes":["Apache-2.0 - Apache License 2.0:"," - OSI approved"," - FSF Free/Libre"],"severity":"error"},"type":"diagnostic"}
+{"fields":{"code":"rejected","graphs":[{"Krate":{"name":"base64urlsafedata","version":"0.5.3"},"parents":[{"Krate":{"name":"webauthn-attestation-ca","version":"0.5.3"},"parents":[{"Krate":{"name":"webauthn-rs-core","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"}},{"Krate":{"name":"webauthn-rs","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true}]}]}]},{"Krate":{"name":"webauthn-rs","version":"0.5.3"},"repeat":true},{"Krate":{"name":"webauthn-rs-core","version":"0.5.3"},"repeat":true},{"Krate":{"name":"webauthn-rs-proto","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true},{"Krate":{"name":"webauthn-rs-core","version":"0.5.3"},"repeat":true}]}]}],"labels":[{"column":12,"line":35,"message":"","span":"MPL-2.0"},{"column":12,"line":35,"message":"rejected: license is not explicitly allowed","span":"MPL-2.0"}],"message":"failed to satisfy license requirements","notes":["MPL-2.0 - Mozilla Public License 2.0:"," - OSI approved"," - FSF Free/Libre"," - Copyleft"],"severity":"error"},"type":"diagnostic"}
+{"fields":{"code":"rejected","graphs":[{"Krate":{"name":"webauthn-attestation-ca","version":"0.5.3"},"parents":[{"Krate":{"name":"webauthn-rs-core","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"}},{"Krate":{"name":"webauthn-rs","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true}]}]}]}],"labels":[{"column":12,"line":30,"message":"","span":"MPL-2.0"},{"column":12,"line":30,"message":"rejected: license is not explicitly allowed","span":"MPL-2.0"}],"message":"failed to satisfy license requirements","notes":["MPL-2.0 - Mozilla Public License 2.0:"," - OSI approved"," - FSF Free/Libre"," - Copyleft"],"severity":"error"},"type":"diagnostic"}
+{"fields":{"code":"rejected","graphs":[{"Krate":{"name":"webauthn-rs","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"}}]}],"labels":[{"column":12,"line":39,"message":"","span":"MPL-2.0"},{"column":12,"line":39,"message":"rejected: license is not explicitly allowed","span":"MPL-2.0"}],"message":"failed to satisfy license requirements","notes":["MPL-2.0 - Mozilla Public License 2.0:"," - OSI approved"," - FSF Free/Libre"," - Copyleft"],"severity":"error"},"type":"diagnostic"}
+{"fields":{"code":"rejected","graphs":[{"Krate":{"name":"webauthn-rs-core","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"}},{"Krate":{"name":"webauthn-rs","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true}]}]}],"labels":[{"column":12,"line":38,"message":"","span":"MPL-2.0"},{"column":12,"line":38,"message":"rejected: license is not explicitly allowed","span":"MPL-2.0"}],"message":"failed to satisfy license requirements","notes":["MPL-2.0 - Mozilla Public License 2.0:"," - OSI approved"," - FSF Free/Libre"," - Copyleft"],"severity":"error"},"type":"diagnostic"}
+{"fields":{"code":"rejected","graphs":[{"Krate":{"name":"webauthn-rs-proto","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"}},{"Krate":{"name":"webauthn-rs-core","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true},{"Krate":{"name":"webauthn-rs","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true}]}]}]}],"labels":[{"column":12,"line":38,"message":"","span":"MPL-2.0"},{"column":12,"line":38,"message":"rejected: license is not explicitly allowed","span":"MPL-2.0"}],"message":"failed to satisfy license requirements","notes":["MPL-2.0 - Mozilla Public License 2.0:"," - OSI approved"," - FSF Free/Libre"," - Copyleft"],"severity":"error"},"type":"diagnostic"}
+{"fields":{"code":"rejected","graphs":[{"Krate":{"name":"webpki-roots","version":"1.0.3"},"parents":[{"Krate":{"name":"hyper-rustls","version":"0.27.7"},"parents":[{"Krate":{"name":"reqwest","version":"0.12.24"},"parents":[{"Krate":{"name":"oauth2","version":"5.0.0"},"parents":[{"Krate":{"name":"openidconnect","version":"4.0.1"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"}}]}]},{"Krate":{"name":"opendal","version":"0.54.1"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true}]},{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true},{"Krate":{"name":"yubico_ng","version":"0.14.1"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true}]}]}]},{"Krate":{"name":"reqwest","version":"0.12.24"},"repeat":true}]}],"labels":[{"column":12,"line":26,"message":"","span":"CDLA-Permissive-2.0"},{"column":12,"line":26,"message":"rejected: license is not explicitly allowed","span":"CDLA-Permissive-2.0"}],"message":"failed to satisfy license requirements","notes":["CDLA-Permissive-2.0 - Community Data License Agreement Permissive 2.0:"," - No additional metadata available for license"],"severity":"error"},"type":"diagnostic"}
+{"fields":{"licenses":{"errors":7,"helps":530,"notes":0,"warnings":0}},"type":"summary"}
diff --git a/docker/audit/output/licenses.json b/docker/audit/output/licenses.json
new file mode 100644
index 00000000..e69de29b
diff --git a/docker/audit/output/webauthn-tree.err b/docker/audit/output/webauthn-tree.err
new file mode 100644
index 00000000..4a6b6ff7
--- /dev/null
+++ b/docker/audit/output/webauthn-tree.err
@@ -0,0 +1,288 @@ +info: syncing channel updates for '1.91.0-x86_64-unknown-linux-gnu' +info: latest update on 2025-10-30, rust version 1.91.0 (f8297e351 2025-10-28) +info: downloading component 'clippy' +info: downloading component 'rustfmt' +info: installing component 'clippy' +info: installing component 'rustfmt' + Updating crates.io index + Downloading crates ... + Downloaded ahash v0.8.12 + Downloaded darling v0.20.11 + Downloaded chumsky v0.9.3 + Downloaded kv-log-macro v1.0.7 + Downloaded http-body v0.4.6 + Downloaded inlinable_string v0.1.15 + Downloaded openssl-macros v0.1.1 + Downloaded asn1-rs-impl v0.2.0 + Downloaded der-parser v9.0.0 + Downloaded async-channel v1.9.0 + Downloaded psl-types v2.0.11 + Downloaded futures-timer v3.0.3 + Downloaded httpdate v1.0.3 + Downloaded binascii v0.1.4 + Downloaded async-stream-impl v0.3.6 + Downloaded num_threads v0.1.7 + Downloaded migrations_internals v2.3.0 + Downloaded glob v0.3.3 + Downloaded hex v0.4.3 + Downloaded hostname v0.4.1 + Downloaded alloc-stdlib v0.2.2 + Downloaded pem v3.0.6 + Downloaded num-order v1.2.0 + Downloaded phf v0.11.3 + Downloaded multer v3.1.0 + Downloaded pear v0.2.9 + Downloaded phf_macros v0.11.3 + Downloaded parking v2.2.1 + Downloaded hyper-tls v0.6.0 + Downloaded pico-args v0.5.0 + Downloaded num_cpus v1.17.0 + Downloaded jetscii v0.5.3 + Downloaded base64urlsafedata v0.5.3 + Downloaded cached_proc_macro_types v0.1.1 + Downloaded oid-registry v0.7.1 + Downloaded md-5 v0.10.6 + Downloaded group v0.13.0 + Downloaded diesel_table_macro_syntax v0.3.0 + Downloaded num-derive v0.4.2 + Downloaded async-stream v0.3.6 + Downloaded num-integer v0.1.46 + Downloaded darling_macro v0.21.3 + Downloaded foreign-types-shared v0.1.1 + Downloaded is-terminal v0.4.17 + Downloaded devise_codegen v0.4.2 + Downloaded pear_codegen v0.2.9 + Downloaded derive_builder_macro v0.20.2 + Downloaded foreign-types v0.3.2 + Downloaded darling_macro v0.20.11 + Downloaded argon2 v0.5.3 + Downloaded alloc-no-stdlib 
v2.0.4 + Downloaded cached_proc_macro v0.25.0 + Downloaded async-global-executor v2.4.1 + Downloaded asn1-rs-derive v0.5.1 + Downloaded async-signal v0.2.13 + Downloaded async-channel v2.5.0 + Downloaded blocking v1.6.2 + Downloaded atomic v0.5.3 + Downloaded devise v0.4.2 + Downloaded job_scheduler_ng v2.4.0 + Downloaded pkcs8 v0.10.2 + Downloaded quanta v0.12.6 + Downloaded base16ct v0.2.0 + Downloaded indexmap v1.9.3 + Downloaded password-hash v0.5.0 + Downloaded num-iter v0.1.45 + Downloaded downcast-rs v2.0.2 + Downloaded ordered-float v2.10.1 + Downloaded diesel-derive-newtype v2.1.2 + Downloaded dsl_auto_type v0.2.0 + Downloaded r2d2 v0.8.10 + Downloaded ref-cast v1.0.25 + Downloaded nonzero_ext v0.3.0 + Downloaded futures-executor v0.3.31 + Downloaded migrations_macros v2.3.0 + Downloaded dashmap v5.5.3 + Downloaded diesel_migrations v2.3.0 + Downloaded dotenvy v0.15.7 + Downloaded data-encoding v2.9.0 + Downloaded ff v0.13.1 + Downloaded document-features v0.2.12 + Downloaded native-tls v0.2.14 + Downloaded pem-rfc7468 v0.7.0 + Downloaded primeorder v0.13.6 + Downloaded concurrent-queue v2.5.0 + Downloaded cron v0.15.0 + Downloaded piper v0.2.4 + Downloaded event-listener-strategy v0.5.4 + Downloaded env_home v0.1.0 + Downloaded codemap v0.1.3 + Downloaded devise_core v0.4.2 + Downloaded quoted_printable v0.5.1 + Downloaded phf_generator v0.11.3 + Downloaded event-listener v2.5.3 + Downloaded phf_shared v0.12.1 + Downloaded futures-macro v0.3.31 + Downloaded quick-error v2.0.1 + Downloaded ar_archive_writer v0.2.0 + Downloaded curve25519-dalek-derive v0.1.1 + Downloaded email-encoding v0.4.1 + Downloaded dyn-clone v1.0.20 + Downloaded ed25519 v2.2.3 + Downloaded proc-macro2-diagnostics v0.10.1 + Downloaded data-url v0.3.2 + Downloaded phf_shared v0.11.3 + Downloaded async-task v4.7.1 + Downloaded blake2 v0.10.6 + Downloaded resolv-conf v0.7.5 + Downloaded pastey v0.1.1 + Downloaded phf v0.12.1 + Downloaded derive_builder_core v0.20.2 + Downloaded 
ref-cast-impl v1.0.25 + Downloaded rand_core v0.6.4 + Downloaded rfc6979 v0.4.0 + Downloaded rand_chacha v0.3.1 + Downloaded reopen v1.0.3 + Downloaded hmac v0.12.1 + Downloaded uncased v0.9.10 + Downloaded iana-time-zone v0.1.64 + Downloaded base64ct v1.8.0 + Downloaded async-process v2.5.0 + Downloaded serde_plain v1.0.2 + Downloaded pest_derive v2.8.3 + Downloaded email_address v0.2.9 + Downloaded rocket_ws v0.1.1 + Downloaded async-executor v1.13.3 + Downloaded ecdsa v0.16.9 + Downloaded psm v0.1.28 + Downloaded cookie_store v0.22.0 + Downloaded litrs v1.0.0 + Downloaded async-trait v0.1.89 + Downloaded quote v1.0.41 + Downloaded enum-as-inner v0.6.1 + Downloaded critical-section v1.2.0 + Downloaded dashmap v6.1.0 + Downloaded cookie_store v0.21.1 + Downloaded pkcs1 v0.7.5 + Downloaded stable-pattern v0.1.0 + Downloaded stacker v0.1.22 + Downloaded utf-8 v0.7.6 + Downloaded rustc_version v0.4.1 + Downloaded rtoolbox v0.0.3 + Downloaded serde-value v0.7.0 + Downloaded scheduled-thread-pool v0.2.7 + Downloaded tagptr v0.2.0 + Downloaded syslog v7.0.0 + Downloaded threadpool v1.8.1 + Downloaded rusticata-macros v4.1.0 + Downloaded simple_asn1 v0.6.3 + Downloaded tokio-macros v2.6.0 + Downloaded thiserror v1.0.69 + Downloaded totp-lite v2.0.1 + Downloaded half v2.7.1 + Downloaded rmpv v1.3.0 + Downloaded backon v1.6.0 + Downloaded serde_with_macros v3.15.1 + Downloaded yubico_ng v0.14.1 + Downloaded async-lock v3.4.1 + Downloaded serde_path_to_error v0.1.20 + Downloaded rustls-pemfile v1.0.4 + Downloaded sec1 v0.7.3 + Downloaded futures v0.3.31 + Downloaded futures-lite v2.6.1 + Downloaded signature v2.2.0 + Downloaded async-io v2.6.0 + Downloaded hickory-resolver v0.25.2 + Downloaded http v0.2.12 + Downloaded elliptic-curve v0.13.8 + Downloaded svg-hush v0.9.5 + Downloaded spki v0.7.3 + Downloaded state v0.6.0 + Downloaded num-modular v0.6.1 + Downloaded cookie v0.18.1 + Downloaded ubyte v0.10.4 + Downloaded jsonwebtoken v9.3.1 + Downloaded derive_builder v0.20.2 
+ Downloaded const-oid v0.9.6 + Downloaded webauthn-attestation-ca v0.5.3 + Downloaded tokio-rustls v0.24.1 + Downloaded tokio-native-tls v0.3.1 + Downloaded sct v0.7.1 + Downloaded thiserror-impl v1.0.69 + Downloaded p256 v0.13.2 + Downloaded webauthn-rs-proto v0.5.3 + Downloaded tokio-tungstenite v0.21.0 + Downloaded tokio-stream v0.1.17 + Downloaded pest_generator v2.8.3 + Downloaded web-time v1.1.0 + Downloaded triomphe v0.1.15 + Downloaded webauthn-rs v0.5.3 + Downloaded which v8.0.0 + Downloaded spinning_top v0.3.0 + Downloaded siphasher v1.0.1 + Downloaded spin v0.9.8 + Downloaded hashbrown v0.12.3 + Downloaded event-listener v5.4.1 + Downloaded derive_more v2.0.1 + Downloaded cached v0.56.0 + Downloaded darling_core v0.20.11 + Downloaded lasso v0.7.3 + Downloaded darling_core v0.21.3 + Downloaded darling v0.21.3 + Downloaded serde_cbor_2 v0.13.0 + Downloaded pest_meta v2.8.3 + Downloaded mini-moka v0.10.3 + Downloaded polling v3.11.0 + Downloaded socket2 v0.5.10 + Downloaded base64 v0.21.7 + Downloaded handlebars v6.3.2 + Downloaded crypto-bigint v0.5.5 + Downloaded figment v0.10.19 + Downloaded ucd-trie v0.1.7 + Downloaded minimal-lexical v0.2.1 + Downloaded publicsuffix v2.3.0 + Downloaded oauth2 v5.0.0 + Downloaded asn1-rs v0.6.2 + Downloaded html5gum v0.8.0 + Downloaded xml-rs v0.8.28 + Downloaded num-bigint v0.4.6 + Downloaded tungstenite v0.21.0 + Downloaded openssl-sys v0.9.110 + Downloaded uuid v1.18.1 + Downloaded value-bag v1.11.1 + Downloaded num-bigint-dig v0.8.4 + Downloaded rsa v0.9.8 + Downloaded schemars v0.9.0 + Downloaded itertools v0.10.5 + Downloaded der v0.7.10 + Downloaded rand v0.8.5 + Downloaded derive_more-impl v2.0.1 + Downloaded rocket_http v0.5.1 + Downloaded yansi v1.0.1 + Downloaded zerocopy-derive v0.8.27 + Downloaded cc v1.2.43 + Downloaded diesel_derives v2.3.4 + Downloaded ed25519-dalek v2.2.0 + Downloaded schemars v1.0.4 + Downloaded nom v8.0.0 + Downloaded bigdecimal v0.4.9 + Downloaded rpassword v7.4.0 + Downloaded 
tokio-util v0.7.16 + Downloaded nom v7.1.3 + Downloaded x509-parser v0.16.0 + Downloaded hashbrown v0.14.5 + Downloaded raw-cpuid v11.6.0 + Downloaded governor v0.10.1 + Downloaded rocket_codegen v0.5.1 + Downloaded libm v0.2.15 + Downloaded pest v2.8.3 + Downloaded hkdf v0.12.4 + Downloaded grass_compiler v0.13.4 + Downloaded brotli-decompressor v5.0.0 + Downloaded iri-string v0.7.8 + Downloaded webauthn-rs-core v0.5.3 + Downloaded winnow v0.6.26 + Downloaded lettre v0.11.19 + Downloaded chrono v0.4.42 + Downloaded async-std v1.13.2 + Downloaded vcpkg v0.2.15 + Downloaded portable-atomic v1.11.1 + Downloaded openidconnect v4.0.1 + Downloaded quick-xml v0.38.3 + Downloaded p384 v0.13.1 + Downloaded rustls-webpki v0.101.7 + Downloaded hyper v0.14.32 + Downloaded curve25519-dalek v4.1.3 + Downloaded diesel v2.3.3 + Downloaded serde_with v3.15.1 + Downloaded rustls v0.23.34 + Downloaded moka v0.12.11 + Downloaded brotli v8.0.2 + Downloaded chrono-tz v0.10.4 + Downloaded openssl v0.10.74 + Downloaded webpki-roots v1.0.3 + Downloaded object v0.32.2 + Downloaded rustls v0.21.12 + Downloaded rocket v0.5.1 + Downloaded syn v2.0.108 + Downloaded hickory-proto v0.25.2 + Downloaded opendal v0.54.1 diff --git a/docker/audit/output/webauthn-tree.txt b/docker/audit/output/webauthn-tree.txt new file mode 100644 index 00000000..386699fb --- /dev/null +++ b/docker/audit/output/webauthn-tree.txt @@ -0,0 +1,2 @@ +webauthn-rs v0.5.3 +└── vaultwarden v1.0.0 (/workspace) diff --git a/docker/audit/output/webpki-tree.err b/docker/audit/output/webpki-tree.err new file mode 100644 index 00000000..e69de29b diff --git a/docker/audit/output/webpki-tree.txt b/docker/audit/output/webpki-tree.txt new file mode 100644 index 00000000..1aae12b6 --- /dev/null +++ b/docker/audit/output/webpki-tree.txt 
@@ -0,0 +1,12 @@
+webpki-roots v1.0.3
+├── hyper-rustls v0.27.7
+│ └── reqwest v0.12.24
+│ ├── oauth2 v5.0.0
+│ │ └── openidconnect v4.0.1
+│ │ └── vaultwarden v1.0.0 (/workspace)
+│ ├── opendal v0.54.1
+│ │ └── vaultwarden v1.0.0 (/workspace)
+│ ├── vaultwarden v1.0.0 (/workspace)
+│ └── yubico_ng v0.14.1
+│ └── vaultwarden v1.0.0 (/workspace)
+└── reqwest v0.12.24 (*)
diff --git a/docker/audit/pr-body.txt b/docker/audit/pr-body.txt
new file mode 100644
index 00000000..f4fe363b
--- /dev/null
+++ b/docker/audit/pr-body.txt
@@ -0,0 +1,21 @@
+security(audit): remediation scaffold + deny policy
+
+This draft PR adds cargo-deny policy, a GitHub Actions audit workflow, and a local security audit note. It contains temporary, timeboxed ignore entries to allow iteration while remediation is planned.
+
+Key artifacts:
+- Audit note: SECURITY-AUDIT-2025-11-09.md
+- Tracking file: issues/TRACK-2025-11-09-RSA-PASTE.md
+- Exceptions added to deny.toml (advisories.ignore = ["RUSTSEC-2023-0071", "RUSTSEC-2024-0436"]) with expiry 2026-02-01
+
+Required checklist before merging:
+- [ ] Assign an owner for TRACK-2025-11-09-RSA-PASTE.md and confirm investigation steps (run `cargo tree -i rsa` and `cargo tree -i paste`).
+- [ ] Agree remediation path for RUSTSEC-2023-0071 (rsa): either a published upstream bump avoiding `rsa`, an alternative crate, or a vetted vendor shim. Attach a follow-up PR when chosen.
+- [ ] Agree remediation path for RUSTSEC-2024-0436 (paste): upgrade or replace the dependency chain (rmp/rmpv) or use a maintained alternative. Attach a follow-up PR when chosen.
+- [ ] Add unit/integration tests verifying replacement behavior (auth/serialization flows) in follow-up PR(s).
+- [ ] Remove the `advisories.ignore` entries from `deny.toml` and re-run the audit in CI to ensure no advisories remain.
+- [ ] Review license failures and add targeted license exceptions or plan replacements for crates with unapproved licenses.
+
+Notes:
+- The repository's Issues feature is disabled; use the tracking file in this branch (`issues/TRACK-2025-11-09-RSA-PASTE.md`) and the PR comment for workflow until issues are enabled.
+
+This PR is a draft while remediation work is planned and executed.
diff --git a/docker/audit/run-audit.ps1 b/docker/audit/run-audit.ps1
new file mode 100644
index 00000000..56a08fe7
--- /dev/null
+++ b/docker/audit/run-audit.ps1
@@ -0,0 +1,44 @@
+param(
+ [string]$Workspace = "$PSScriptRoot\..\..",
+ [string]$ImageName = "vaultwarden-audit:latest"
+)
+
+Push-Location $PSScriptRoot
+try {
+ Write-Host "Building Docker image '$ImageName' (this may take several minutes)..."
+ docker build -t $ImageName .
+
+ Write-Host "Running audit container... outputs will be written to: $Workspace"
+
+ # Create a small LF-only shell script to avoid CRLF issues when passing
+ # multi-line commands into bash on Linux containers from Windows hosts.
+ $auditScriptPath = Join-Path $PSScriptRoot 'audit.sh'
+ $scriptContent = @'
+set -euo pipefail
+export PATH="/usr/local/cargo/bin:/usr/local/bin:$PATH"
+echo "=== cargo-audit --version ==="
+/usr/local/cargo/bin/cargo-audit --version || true
+echo "=== cargo-audit report ==="
+# Run cargo-audit on the workspace Cargo.lock if present; local crate otherwise
+/usr/local/cargo/bin/cargo-audit || true
+echo "=== cargo-deny --version ==="
+/usr/local/cargo/bin/cargo-deny --version || true
+echo "=== cargo-deny advisories ==="
+# Use --manifest-path as a global option and run check advisories and licenses
+/usr/local/cargo/bin/cargo-deny --manifest-path Cargo.toml check advisories || true
+echo "=== cargo-deny licenses ==="
+/usr/local/cargo/bin/cargo-deny --manifest-path Cargo.toml check licenses || true
+'@
+
+ # Ensure the script uses LF-only line endings by replacing CRLF with LF
+ $scriptContent = $scriptContent -replace "`r`n", "`n"
+ # Write bytes directly to ensure exact newlines (UTF8 without BOM)
+ $bytes = [System.Text.Encoding]::UTF8.GetBytes($scriptContent)
+ [System.IO.File]::WriteAllBytes($auditScriptPath, $bytes)
+
+ # Run the audit script inside the container by mounting it read-only
+ docker run --rm -v "${Workspace}:/workspace" -v "${auditScriptPath}:/audit.sh:ro" -w /workspace $ImageName bash -lc 'bash /audit.sh'
+}
+finally {
+ Pop-Location
+}
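Review bot: `docker run --rm -v "${Workspace}:/workspace" ...` mounts the whole repository read-write into a container whose tools were installed unpinned at image build, yet nothing in the audit needs to write to the checkout; mount it read-only (`-v "${Workspace}:/workspace:ro"`), and if `cargo metadata` then fails because `Cargo.lock` is stale, treat that as a finding rather than a reason to relax the mount. The script also never checks `$LASTEXITCODE` after `docker build -t $ImageName .`, so a failed build silently runs the audit against whatever older image carries that tag: add `if ($LASTEXITCODE -ne 0) { throw "docker build failed" }` after the build line. The `Write-Host` in the `try` block says outputs will be written to `$Workspace`, but nothing redirects the container's stdout or stderr, so the `docker/audit/output/*` files committed in this patch could not have come from this script as written; either redirect into that directory or correct the message.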