-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathdeny.toml
111 lines (93 loc) · 3.56 KB
/
deny.toml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
# This file configures `cargo deny` for validating that dependencies are secure
# (do not have security advisories), exclusively using licenses that we allow,
# and are not in our banned crates list.
#
# It is worth calling out that `cargo deny` only looks at metadata of packages,
# `cargo audit` performs the same security advisory checks but performs deep
# scans on the content of the code as well to provide additional detections on
# whether a vulnerability is present. The two tools should be used together.
# Collect metadata using all the features available in this repository. We do
# not want security vulnerabilities in any of our subset of builds.
all-features = true
[advisories]
vulnerability = "deny"
unmaintained = "deny"
yanked = "deny"
notice = "deny"
# If we accept an advisory either because no fix is available and we need to
# continue development, or because a vulnerability doesn't effect how we use
# the other crate their identifier should be added to this list. It should be
# periodically reviewed and cleaned out as fixes become available.
ignore = [
# This is an unsoundness bug in atty that has been ignored for the CI baseline
"RUSTSEC-2021-0145",
# This is a bug in the rsa crate which is dependended on by jwt-simple, we
# don't use the rsa features in jwt-simple, there isn't an upstream fix for
# it, and there isn't a feature flag to disable support for rsa on the
# crate.
"RUSTSEC-2023-0071",
]
[licenses]
unlicensed = "deny"
# Licenses we always allow without any additional thoughts, this list should
# only be updated when we encounter a dependency using a license we want to
# include here rather than trying to proactively enumerate all acceptable
# licenses.
allow = [
"Apache-2.0",
"0BSD",
"BSD-2-Clause",
"BSD-3-Clause",
"CC0-1.0",
"ISC",
"MIT",
"MIT-0",
"Zlib",
# Additional licenses that need to actually be reviewed but have been allowed for CI expediency
"BSL-1.0",
"LGPL-3.0",
"MPL-2.0",
"Unicode-DFS-2016",
]
# We don't care what these organization think of the license, we are making our
# own assessments as to whether they are fit for our project.
allow-osi-fsf-free = "neither"
# Licenses that we have reviewed and chosen to explicitly reject.
deny = []
# If a license is considered copyleft, we want to consider them carefully as
# they may violate our license or goals by their use. Copy left licenses should
# be reviewed
copyleft = "deny"
# If we haven't approved it, explicitly deny it
default = "deny"
# If we need to use a crate that violates our general policy, we can add that
# to the list here to accept it.
exceptions = [
{ name = "tomb-crypt", allow = ["LicenseRef-LICENSE.txt"] },
]
[bans]
multiple-versions = "allow"
wildcards = "deny"
# Crates/versions that are always allowed regardless of which checks they trigger
allow = [
# Usage example:
#{ name = "ansi_term", version = "=0.11.0" },
]
# Crates and versions that are explicitly denied from use in this project
deny = [
# Usage example:
#{ name = "ansi_term", version = "=0.11.0" },
]
# Certain crates/versions that will be skipped when doing duplicate detection.
# They just couldn't be resolved ourselves.
skip = []
[sources]
# We do not allow registries other than the official crates one which is known
# by default.
unknown-registry = "deny"
# Using a git repository as a crate source is denied by default, to use a git
# repo as a dependency source they must be reviewed and approved
unknown-git = "deny"
# Allow all crates that we have made
[sources.allow-org]
github = ["banyancomputer"]