ci: add cargo-deny config for supply-chain checks.

Covers advisories (RustSec), license compliance, duplicate detection, and source allowlist (crates.io only). License allowlist reflects the full transitive dep tree: MIT, Apache-2.0, ISC, BSD-*, 0BSD, Unlicense, Zlib, BSL-1.0, MPL-2.0, Unicode-3.0, LGPL-2.1-or-later (r-efi, Windows-only), CDLA-Permissive-2.0 (webpki-roots). Three known advisories are ignored: - RUSTSEC-2023-0071: rsa Marvin Attack, no upstream fix available - RUSTSEC-2025-0134: rustls-pemfile unmaintained, blocked on rustls upgrade - RUSTSEC-2026-0049: rustls-webpki CRL bug, fix blocked by rustls 0.21.x chain Duplicate versions are warned rather than denied — all are transitive.
2026-04-08 18:31:36 -06:00 · 2026-03-22 10:56:08 +01:00 · 2026-03-22 10:56:08 +01:00 · 097cb1daaf
commit 097cb1daaf
parent 2b3736802d
1 changed files with 75 additions and 0 deletions
--- a/deny.toml
+++ b/deny.toml
@ -0,0 +1,75 @@
+# https://embarkstudios.github.io/cargo-deny/
+
+[graph]
+# Check the full feature set used by CI so all optional dependencies are included.
+features = ["sqlite", "mysql", "postgresql", "enable_mimalloc", "s3"]
+
+# =============================================================================
+# Advisories — RustSec vulnerability and unmaintained crate database
+# =============================================================================
+[advisories]
+ignore = [
+    # Marvin Attack: timing side-channel in the `rsa` crate (no fix available).
+    # Used only for JWT RS256 signing, not for network-facing RSA decryption,
+    # which limits exposure. Track: https://rustsec.org/advisories/RUSTSEC-2023-0071
+    { id = "RUSTSEC-2023-0071", reason = "No upstream fix available; exposure is limited to JWT signing, not network-facing decryption." },
+
+    # `rustls-pemfile` v1.x is unmaintained (archived Aug 2025). It is a thin
+    # wrapper around rustls-pki-types and pulled in transitively via rustls 0.21.x.
+    # Removing it requires upstream crates to drop their rustls 0.21 dependency.
+    { id = "RUSTSEC-2025-0134", reason = "Transitive via rustls 0.21.x compat chain; blocked on upstream upgrade." },
+
+    # CRL validation bug in rustls-webpki: fix requires >=0.103.10, but rustls-webpki
+    # 0.101.x is pinned by the rustls 0.21.x compatibility stack.
+    # Track upstream rustls upgrade to resolve both occurrences.
+    { id = "RUSTSEC-2026-0049", reason = "rustls-webpki 0.101.x locked by rustls 0.21.x compat chain; track upstream rustls upgrade." },
+]
+
+# =============================================================================
+# Licenses
+# =============================================================================
+[licenses]
+# OSI-approved permissive licenses and weak copyleft licenses compatible with
+# distributing vaultwarden (AGPL-3.0-only) as a Docker image.
+allow = [
+    "0BSD",
+    "Apache-2.0",
+    "Apache-2.0 WITH LLVM-exception",
+    "BSD-1-Clause",
+    "BSD-2-Clause",
+    "BSD-3-Clause",
+    "BSL-1.0",           # Boost Software License (ryu)
+    "CDLA-Permissive-2.0", # Community Data License Agreement (webpki-roots)
+    "ISC",
+    "LGPL-2.1-or-later", # r-efi (Windows-only UEFI crate; dynamically linked)
+    "MIT",
+    "MPL-2.0",           # webauthn-rs crates (file-level copyleft, compatible)
+    "Unicode-3.0",
+    "Unlicense",
+    "Zlib",
+]
+
+[licenses.private]
+# Skip license checks for unpublished workspace crates (vaultwarden, macros).
+ignore = true
+
+# =============================================================================
+# Bans — duplicate versions and disallowed crates
+# =============================================================================
+[bans]
+# Warn on duplicate versions; many arise from transitive deps and require
+# upstream changes to resolve. Promote to "deny" once the dep tree stabilises.
+multiple-versions = "warn"
+# Warn on wildcard version requirements. "deny" would also flag internal
+# workspace path dependencies (macros = { path = "./macros" }), which have
+# no version specifier by design, so "warn" is used instead.
+wildcards = "warn"
+highlight = "all"
+
+# =============================================================================
+# Sources — only crates.io is an allowed registry
+# =============================================================================
+[sources]
+unknown-registry = "deny"
+unknown-git = "deny"
+allow-registry = ["https://github.com/rust-lang/crates.io-index"]