From f766cbf345cfb1219e80e3e375f94866048d9450 Mon Sep 17 00:00:00 2001
From: Lars Wirzenius
Date: Sat, 20 Nov 2021 09:43:18 +0200
Subject: chore: add config for "cargo deny"
With this configuration, "cargo deny check" is happy. This is achieved by ignoring specific advisories, and setting advisories.yanked is set to allow, for now. We'll need to work on upgrading dependencies to fixed versions, and then make the deny policy stricter.
Sponsored-by: author
---
 deny.toml | 78 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 78 insertions(+)
 create mode 100644 deny.toml
diff --git a/deny.toml b/deny.toml
new file mode 100644
index 0000000..ad52788
--- /dev/null
+++ b/deny.toml
@@ -0,0 +1,78 @@
+# Note that all fields that take a lint level have these possible values:
+# * deny - An error will be produced and the check will fail
+# * warn - A warning will be produced, but the check will not fail
+# * allow - No warning or error will be produced, though in some cases a note
+# will be
+
+[advisories]
+db-path = "~/.cargo/advisory-db"
+db-urls = ["https://github.com/rustsec/advisory-db"]
+vulnerability = "deny"
+unmaintained = "warn"
+yanked = "allow"
+notice = "warn"
+ignore = [
+ "RUSTSEC-2020-0027",
+ "RUSTSEC-2020-0071",
+ "RUSTSEC-2020-0159",
+ "RUSTSEC-2021-0072",
+ "RUSTSEC-2021-0078",
+ "RUSTSEC-2021-0079",
+ "RUSTSEC-2021-0124",
+]
+
+[licenses]
+unlicensed = "deny"
+allow = [
+ "Apache-2.0",
+ "Apache-2.0 WITH LLVM-exception",
+ "BSD-3-Clause",
+ "ISC",
+ "LicenseRef-ring",
+ "MIT",
+]
+deny = [
+ #"Nokia",
+]
+copyleft = "allow"
+default = "deny"
+exceptions = [
+ # Each entry is the crate and version constraint, and its specific allow
+ # list
+ #{ allow = ["Zlib"], name = "adler32", version = "*" },
+]
+
+[[licenses.clarify]]
+name = "ring"
+expression = "LicenseRef-ring"
+license-files = [
+ { path = "LICENSE", hash = 0xbd0eed23 },
+]
+
+[bans]
+multiple-versions = "allow"
+wildcards = "allow"
+highlight = "all"
+allow = [
+ #{ name = "ansi_term", version = "=0.11.0" },
+]
+deny = [
+ # Each entry the name of a crate and a version range. If version is
+ # not specified, all versions will be matched.
+ #{ name = "ansi_term", version = "=0.11.0" },
+ #
+ # Wrapper crates can optionally be specified to allow the crate when it
+ # is a direct dependency of the otherwise banned crate
+ #{ name = "ansi_term", version = "=0.11.0", wrappers = [] },
+]
+skip = [
+ #{ name = "ansi_term", version = "=0.11.0" },
+]
+skip-tree = [
+ #{ name = "ansi_term", version = "=0.11.0", depth = 20 },
+]
+
+[sources]
+unknown-registry = "warn"
+unknown-git = "warn"
+allow-git = []
-- cgit v1.2.1
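Review bot: The seven entries in `advisories.ignore` carry no per-entry justification, so nothing in the file records which crate each advisory concerns, why it cannot be upgraded yet, or when the suppression should be revisited; with `vulnerability = "deny"` these are the only findings the check will never report again. Each entry should get a comment above it of the form `# RUSTSEC-YYYY-NNNN: <crate> — <reason it is still pulled in>; drop once <fixed version> is available` so the temporary allowlist the commit message describes is visible in the policy itself rather than only in history. Separately, in `[sources]` both `unknown-registry` and `unknown-git` are `"warn"`, so a dependency added from a registry or git repository outside crates.io and the empty `allow-git` list still passes `cargo deny check`; since the advisory database only covers published crates, `unknown-registry = "deny"` and `unknown-git = "deny"` would make that list an enforced boundary, with any legitimate git source added to `allow-git` explicitly.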