topaLE
/
vaultwarden
mirror of https://github.com/dani-garcia/vaultwarden
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Merge 5bc2f1401f into 7cf0c5d67e

pull/6992/merge
Denis Pisarev 1 day ago
committed by GitHub
parent
7cf0c5d67e 5bc2f1401f
commit
a26471d74f
No known key found for this signature in database GPG Key ID: B5690EEEBB952194
2 changed files with 74 additions and 0 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 11
      .github/workflows/build.yml
  2. 63
      deny.toml

11
.github/workflows/build.yml
View File

@ -179,6 +179,15 @@ jobs:
# End Run cargo fmt
# Run cargo deny (supply-chain: advisories, licenses, bans, sources)
# Only run on rust-toolchain channel — deny.toml pins the feature set.
- name: "cargo deny"
id: deny
if: ${{ !cancelled() && matrix.channel == 'rust-toolchain' }}
uses: EmbarkStudios/cargo-deny-action@175dc7fd4fb85ec8f46948fb98f44db001149081 # v2.0.16
# End Run cargo deny
# Check for any previous failures, if there are stop, else continue.
# This is useful so all test/clippy/fmt actions are done, and they can all be addressed
- name: "Some checks failed"
@ -192,6 +201,7 @@ jobs:
TEST_POSTGRESQL: ${{ steps.test_postgresql.outcome }}
CLIPPY: ${{ steps.clippy.outcome }}
FMT: ${{ steps.formatting.outcome }}
DENY: ${{ steps.deny.outcome }}
run: |
echo "### :x: Checks Failed!" >> "${GITHUB_STEP_SUMMARY}"
echo "" >> "${GITHUB_STEP_SUMMARY}"
@ -205,6 +215,7 @@ jobs:
echo "|test (postgresql)|${TEST_POSTGRESQL}|" >> "${GITHUB_STEP_SUMMARY}"
echo "|clippy (sqlite,mysql,postgresql,enable_mimalloc,s3)|${CLIPPY}|" >> "${GITHUB_STEP_SUMMARY}"
echo "|fmt|${FMT}|" >> "${GITHUB_STEP_SUMMARY}"
echo "|cargo deny|${DENY}|" >> "${GITHUB_STEP_SUMMARY}"
echo "" >> "${GITHUB_STEP_SUMMARY}"
echo "Please check the failed jobs and fix where needed." >> "${GITHUB_STEP_SUMMARY}"
echo "" >> "${GITHUB_STEP_SUMMARY}"

63
deny.toml
View File

@ -0,0 +1,63 @@
# https://embarkstudios.github.io/cargo-deny/
[graph]
# Check the full feature set used by CI so all optional dependencies are included.
features = ["sqlite", "mysql", "postgresql", "enable_mimalloc", "s3"]
# =============================================================================
# Advisories — RustSec vulnerability and unmaintained crate database
# =============================================================================
[advisories]
ignore = [
# Marvin Attack: timing side-channel in the `rsa` crate (no fix available).
# Used only for JWT RS256 signing, not for network-facing RSA decryption,
# which limits exposure. Track: https://rustsec.org/advisories/RUSTSEC-2023-0071
{ id = "RUSTSEC-2023-0071", reason = "No upstream fix available; exposure is limited to JWT signing, not network-facing decryption." },
# `rustls-pemfile` v1.x is unmaintained (archived Aug 2025). It is a thin
# wrapper around rustls-pki-types and pulled in transitively via rustls 0.21.x.
# Removing it requires upstream crates to drop their rustls 0.21 dependency.
{ id = "RUSTSEC-2025-0134", reason = "Transitive via rustls 0.21.x compat chain; blocked on upstream upgrade." },
]
# =============================================================================
# Licenses
# =============================================================================
[licenses]
# OSI-approved permissive licenses and weak copyleft licenses compatible with
# distributing vaultwarden (AGPL-3.0-only) as a Docker image.
allow = [
"0BSD",
"Apache-2.0",
"BSD-3-Clause",
"CC0-1.0",
"CDLA-Permissive-2.0",
"ISC",
"MIT",
"MPL-2.0",
"Unicode-3.0",
"Zlib",
]
[licenses.private]
# Skip license checks for unpublished workspace crates (vaultwarden, macros).
ignore = true
# =============================================================================
# Bans — duplicate versions and disallowed crates
# =============================================================================
[bans]
# Warn on duplicate versions; many arise from transitive deps and require
# upstream changes to resolve. Promote to "deny" once the dep tree stabilises.
multiple-versions = "allow"
wildcards = "deny"
allow-wildcard-paths = true
highlight = "all"
# =============================================================================
# Sources — only crates.io is an allowed registry
# =============================================================================
[sources]
unknown-registry = "deny"
unknown-git = "deny"
allow-registry = ["https://github.com/rust-lang/crates.io-index"]
Write Preview
Loading…
Cancel
Save