topaLE
/
vaultwarden
mirror of https://github.com/dani-garcia/vaultwarden
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

docs(audit): add license triage summary and PR body update file

pull/6727/head
kalvinparker 3 months ago
parent
56e7b76db1
commit
6befc36448
2 changed files with 47 additions and 0 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 11
      .github/PR_BODY_UPDATE-2.md
  2. 36
      issues/LICENSE-TRIAGE-2025-11-10.md

11
.github/PR_BODY_UPDATE-2.md
View File

@ -0,0 +1,11 @@
Temporary license allowlist: MPL-2.0 and CDLA-Permissive-2.0 were added to deny.toml on branch experiment/webauthn-upgrade to unblock CI while coordinated upgrades/replacements are attempted. This is timeboxed and tracked in issues/FEASIBILITY-WEBAUTHN-WEBPKI.md and issues/TRACK-2025-11-09-RSA-PASTE.md. See the experiment artifacts in docker/audit/output/.
## Tasks
- [ ] Owner: Security lead — confirm timebox and approve temporary allowlist (by 2025-11-17)
- [ ] Owner: Maintainer — attempt `webauthn-rs` upgrade or replacement; report feasibility (see issues/FEASIBILITY-WEBAUTHN-WEBPKI.md)
- [ ] Owner: Maintainer — coordinate `reqwest`/`hyper-rustls`/`openidconnect` upgrades to remove `webpki-roots` (see docker/audit/output/* and reqwest/webpki trees)
- [ ] Owner: Maintainer — verify cargo-deny clean runs on CI after each change
- [ ] Owner: Maintainer — remove temporary allowlist and update deny.toml when all issues resolved
## Triage summary
See issues/LICENSE-TRIAGE-2025-11-10.md for a short summary of the top offenders and remediation options.

36
issues/LICENSE-TRIAGE-2025-11-10.md
View File

@ -0,0 +1,36 @@
# License triage summary (2025-11-10)
Summary
-------
This short report summarizes the top remaining license failures reported by `cargo-deny` after temporary allowlist adjustments and initial experiments.
Top offenders (extracted from `docker/audit/output/license_triage_2025-11-09.csv`):
- webauthn-rs family (MPL-2.0):
- `webauthn-rs v0.5.3` (direct dependency)
- `webauthn-rs-core v0.5.3`
- `webauthn-rs-proto v0.5.3`
- `webauthn-attestation-ca v0.5.3`
- `base64urlsafedata v0.5.3`
- webpki-roots (CDLA-Permissive-2.0):
- `webpki-roots v1.0.3` pulled via `hyper-rustls v0.27.7` -> `reqwest v0.12.24` -> `openidconnect v4.0.1` (and also via `opendal`/`yubico_ng`).
Counts and impact
-----------------
- cargo-deny reported 7 license errors in the most recent run. The list above represents the full set of failing crates.
Short remediation guidance
------------------------
- `webauthn-rs`: direct dependency. Options: (a) upgrade (if a permissively licensed version exists), (b) replace with an alternative WebAuthn crate, or (c) vendor minimal functionality. Immediate step: contact upstream and search for forks/relicensing.
- `webpki-roots`: transitive via the TLS/HTTP stack. Options: (a) coordinated upgrade of `reqwest`/`hyper-rustls`/`openidconnect` or (b) switch TLS backend/features to avoid `webpki-roots`.
Artifacts
---------
- Full diagnostics and experiment artifacts: `docker/audit/output/` (files: `*_deny.err`, `*_deny.json`, `*_build.err`).
Next steps
----------
1. Owner assignment and tasking in PR checklist (see draft PR #2).
2. Continue coordinated upgrades for `reqwest` chain and attempt to upgrade/replace `webauthn-rs`.
3. Remove temporary allowlist once all offenders are resolved.
Write Preview
Loading…
Cancel
Save