21 lines
1.6 KiB
security(audit): remediation scaffold + deny policy
This draft PR adds cargo-deny policy, a GitHub Actions audit workflow, and a local security audit note. It contains temporary, timeboxed ignore entries to allow iteration while remediation is planned.
Key artifacts:
- Audit note: SECURITY-AUDIT-2025-11-09.md
- Tracking file: issues/TRACK-2025-11-09-RSA-PASTE.md
- Exceptions added to deny.toml (advisories.ignore = ["RUSTSEC-2023-0071", "RUSTSEC-2024-0436"]) with expiry 2026-02-01
Required checklist before merging:
- [ ] Assign an owner for TRACK-2025-11-09-RSA-PASTE.md and confirm investigation steps (run `cargo tree -i rsa` and `cargo tree -i paste`).
- [ ] Agree remediation path for RUSTSEC-2023-0071 (rsa): either a published upstream bump avoiding `rsa`, an alternative crate, or a vetted vendor shim. Attach a follow-up PR when chosen.
- [ ] Agree remediation path for RUSTSEC-2024-0436 (paste): upgrade or replace the dependency chain (rmp/rmpv) or use a maintained alternative. Attach a follow-up PR when chosen.
- [ ] Add unit/integration tests verifying replacement behavior (auth/serialization flows) in follow-up PR(s).
- [ ] Remove the `advisories.ignore` entries from `deny.toml` and re-run the audit in CI to ensure no advisories remain.
- [ ] Review license failures and add targeted license exceptions or plan replacements for crates with unapproved licenses.
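A CI-side check that enforces the 2026-02-01 timebox on the `advisories.ignore` entries, added here as an example and not part of this PR or of cargo-deny. It assumes each ignored advisory carries an `# expires: YYYY-MM-DD` trailing comment in `deny.toml` (a convention, not cargo-deny syntax), and the `deny.toml` fragment below is constructed to match the exceptions described above.

```python
"""Fail CI when a timeboxed cargo-deny advisory ignore has lapsed.

An entry in cargo-deny's `advisories.ignore` silences that advisory until
someone removes it, so the timebox has to be enforced by a separate check.
This script pairs each ignored advisory with an `# expires: YYYY-MM-DD`
trailing comment (assumed convention) and lists the entries whose date has
passed or that carry no date at all.
"""
import re
import sys
from datetime import date
from pathlib import Path

# Constructed sample of the deny.toml fragment this PR describes; the
# `# expires:` comments are an assumed convention, not cargo-deny syntax.
SAMPLE_DENY_TOML = """
[advisories]
ignore = [
    "RUSTSEC-2023-0071",  # expires: 2026-02-01  rsa, see issues/TRACK-2025-11-09-RSA-PASTE.md
    "RUSTSEC-2024-0436",  # expires: 2026-02-01  paste via rmp/rmpv
]
"""

# One quoted advisory id, optionally followed by its expiry comment.
ENTRY_RE = re.compile(
    r'"(RUSTSEC-\d{4}-\d{4})"\s*,?\s*(?:#\s*expires:\s*(\d{4}-\d{2}-\d{2}))?'
)


def parse_ignores(text):
    """Return {advisory_id: 'YYYY-MM-DD' or None} from the [advisories] ignore list."""
    section = re.search(r"\[advisories\](.*?)(?=\n\[|\Z)", text, re.S)
    block = section and re.search(r"ignore\s*=\s*\[(.*?)\]", section.group(1), re.S)
    if not block:
        return {}
    found = {}
    for adv, exp in ENTRY_RE.findall(block.group(1)):
        found[adv] = date.fromisoformat(exp).isoformat() if exp else None  # validates the date
    return found


def expired_ignores(text, today_iso):
    """Advisory ids whose timebox has lapsed on `today_iso`, or that never had one."""
    today = date.fromisoformat(today_iso).isoformat()
    return sorted(adv for adv, exp in parse_ignores(text).items() if exp is None or exp <= today)


if __name__ == "__main__":
    path = Path(sys.argv[1] if len(sys.argv) > 1 else "deny.toml")
    text = path.read_text() if path.exists() else SAMPLE_DENY_TOML
    lapsed = expired_ignores(text, date.today().isoformat())
    for adv in lapsed:
        print(f"{adv}: ignore entry has expired; remove it or re-justify the timebox", file=sys.stderr)
    sys.exit(1 if lapsed else 0)
```

Run it as a step in the audit workflow after `cargo deny check`; a non-zero exit fails the job once the timebox passes, so the exceptions cannot silently outlive the planned remediation.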
Notes:
- The repository's Issues feature is disabled; use the tracking file in this branch (`issues/TRACK-2025-11-09-RSA-PASTE.md`) and the PR comment for workflow until issues are enabled.
This PR is a draft while remediation work is planned and executed.