Check dependencies more exhaustively, using cargo-deny
This commit is contained in:
Jonas Platte
parent
1229fa4461
commit
2d23af2f98
69
.deny.toml
Normal file
69
.deny.toml
Normal file
@ -0,0 +1,69 @@
|
|||||||
|
# https://embarkstudios.github.io/cargo-deny/checks/cfg.html
|
||||||
|
|
||||||
|
all-features = true
|
||||||
|
exclude = [
|
||||||
|
# dev only dependency
|
||||||
|
"criterion"
|
||||||
|
]
|
||||||
|
|
||||||
|
[advisories]
|
||||||
|
vulnerability = "deny"
|
||||||
|
unmaintained = "deny"
|
||||||
|
|
||||||
|
[licenses]
|
||||||
|
default = "deny"
|
||||||
|
unlicensed = "deny"
|
||||||
|
allow = [
|
||||||
|
"Apache-2.0",
|
||||||
|
"BSD-3-Clause",
|
||||||
|
"ISC",
|
||||||
|
"MIT",
|
||||||
|
"OpenSSL",
|
||||||
|
"Unicode-DFS-2016",
|
||||||
|
"Zlib",
|
||||||
|
]
|
||||||
|
# MPL-2.0 is copyleft but not "infectuous" like GPL
|
||||||
|
copyleft = "allow"
|
||||||
|
private = { ignore = true }
|
||||||
|
|
||||||
|
[[licenses.clarify]]
|
||||||
|
name = "ring"
|
||||||
|
version = "*"
|
||||||
|
expression = "MIT AND ISC AND OpenSSL"
|
||||||
|
license-files = [
|
||||||
|
{ path = "LICENSE", hash = 0xbd0eed23 },
|
||||||
|
]
|
||||||
|
|
||||||
|
[bans]
|
||||||
|
multiple-versions = "deny"
|
||||||
|
wildcards = "deny"
|
||||||
|
skip = [
|
||||||
|
# not a big deal, exotic OS support
|
||||||
|
{ name = "hermit-abi" },
|
||||||
|
{ name = "redox_syscall" },
|
||||||
|
# headers depends on old version
|
||||||
|
{ name = "base64" },
|
||||||
|
# many crates haven't upgraded to 2.0 yet
|
||||||
|
{ name = "syn" },
|
||||||
|
|
||||||
|
# ed25519-dalek issues...
|
||||||
|
{ name = "block-buffer" },
|
||||||
|
{ name = "digest" },
|
||||||
|
{ name = "getrandom" },
|
||||||
|
{ name = "rand" },
|
||||||
|
{ name = "rand_core" },
|
||||||
|
{ name = "rand_chacha" },
|
||||||
|
{ name = "sha2" },
|
||||||
|
]
|
||||||
|
skip-tree = [
|
||||||
|
# happens often and not a huge deal
|
||||||
|
{ name = "wasi" },
|
||||||
|
{ name = "windows-sys" },
|
||||||
|
|
||||||
|
# markup5ever needs to upgrade
|
||||||
|
{ name = "phf" },
|
||||||
|
]
|
||||||
|
|
||||||
|
[sources]
|
||||||
|
unknown-registry = "deny"
|
||||||
|
unknown-git = "deny"
|
||||||
20
.github/workflows/audit.yml
vendored
20
.github/workflows/audit.yml
vendored
@ -1,20 +0,0 @@
|
|||||||
name: Dependencies
|
|
||||||
|
|
||||||
env:
|
|
||||||
CARGO_TERM_COLOR: always
|
|
||||||
|
|
||||||
on:
|
|
||||||
schedule:
|
|
||||||
# every monday at 4AM (UTC?)
|
|
||||||
- cron: '0 4 * * 1'
|
|
||||||
jobs:
|
|
||||||
audit:
|
|
||||||
name: Security Audit
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
steps:
|
|
||||||
- name: Checkout repo
|
|
||||||
uses: actions/checkout@v2
|
|
||||||
|
|
||||||
- uses: actions-rs/audit-check@v1
|
|
||||||
with:
|
|
||||||
token: ${{ secrets.GITHUB_TOKEN }}
|
|
||||||
35
.github/workflows/deps.yml
vendored
Normal file
35
.github/workflows/deps.yml
vendored
Normal file
@ -0,0 +1,35 @@
|
|||||||
|
name: Dependencies
|
||||||
|
|
||||||
|
env:
|
||||||
|
CARGO_TERM_COLOR: always
|
||||||
|
|
||||||
|
on:
|
||||||
|
schedule:
|
||||||
|
# every monday at 4AM (UTC?)
|
||||||
|
- cron: '0 4 * * 1'
|
||||||
|
push:
|
||||||
|
branches: [main]
|
||||||
|
pull_request:
|
||||||
|
branches: [main]
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
bans-licenses-sources:
|
||||||
|
name: Bans, Licenses, Sources
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
if: github.event.name != 'schedule'
|
||||||
|
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v3
|
||||||
|
- uses: EmbarkStudios/cargo-deny-action@v1
|
||||||
|
with:
|
||||||
|
command: check bans licenses sources
|
||||||
|
|
||||||
|
advisories:
|
||||||
|
name: Advisories
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
|
||||||
|
steps:
|
||||||
|
- uses: actions/checkout@v3
|
||||||
|
- uses: EmbarkStudios/cargo-deny-action@v1
|
||||||
|
with:
|
||||||
|
command: check advisories
|
||||||
Loading…
x
Reference in New Issue
Block a user