mirror of
https://github.com/dani-garcia/vaultwarden.git
synced 2026-03-24 20:38:28 -06:00
docs(audit): add license triage summary and update PR body
This commit is contained in:
parent
15153e8505
commit
0b3872d474
35
.github/PR_BODY_UPDATE-2.md
vendored
@ -1,11 +1,30 @@
Temporary license allowlist: MPL-2.0 and CDLA-Permissive-2.0 were added to deny.toml on branch experiment/webauthn-upgrade to unblock CI while coordinated upgrades/replacements are attempted. This is timeboxed and tracked in issues/FEASIBILITY-WEBAUTHN-WEBPKI.md and issues/TRACK-2025-11-09-RSA-PASTE.md. See the experiment artifacts in docker/audit/output/.
## Tasks
- [ ] Owner: Security lead — confirm timebox and approve temporary allowlist (by 2025-11-17)
- [ ] Owner: Maintainer — attempt `webauthn-rs` upgrade or replacement; report feasibility (see issues/FEASIBILITY-WEBAUTHN-WEBPKI.md)
- [ ] Owner: Maintainer — coordinate `reqwest`/`hyper-rustls`/`openidconnect` upgrades to remove `webpki-roots` (see docker/audit/output/* and reqwest/webpki trees)
- [ ] Owner: Maintainer — verify cargo-deny clean runs on CI after each change
- [ ] Owner: Maintainer — remove temporary allowlist and update deny.toml when all issues resolved
## Pre-merge task checklist
These tasks must be completed, reviewed, and verified before this PR is merged. Owners are suggested; assign specific maintainers or security approvers as appropriate.
## Triage summary
See issues/LICENSE-TRIAGE-2025-11-10.md for a short summary of the top offenders and remediation options.
- [ ] Security lead — confirm and sign off the timebox for the temporary allowlist (target approval date: 2025-11-17). This PR should not be merged without that sign-off.
- [ ] Maintainer — run `cargo tree -i rsa` and `cargo tree -i paste`, paste the reverse-dependency outputs in a follow-up comment, and confirm proposed remediation path for each.
- [ ] Maintainer — attempt `webauthn-rs` remediation (preferred order):
- [ ] Upgrade `webauthn-rs` to a permissively licensed release if available and verify builds/tests.
- [ ] If no upgrade available, evaluate replacing `webauthn-rs` with another WebAuthn implementation or vendor a minimal shim; document chosen approach.
- [ ] Add tests covering affected auth flows and run CI.
- [ ] Maintainer — coordinate TLS/HTTP stack remediation to remove `webpki-roots` (CDLA-Permissive-2.0):
- [ ] Test toggling `reqwest` features to prefer `native-tls` in an isolated workspace copy and publish the artifact logs.
- [ ] Upgrade `hyper-rustls`/`reqwest`/`openidconnect` as needed to versions that don't bring `webpki-roots`, or change TLS backend.
- [ ] Verify `cargo-deny` runs clean locally and on CI after each incremental change.
- [ ] Maintainer — provide a short summary comment with before/after `cargo-deny` outputs and link to `docker/audit/output/` artifacts.
- [ ] Maintainer — remove the temporary allowlist entries from `deny.toml` and verify CI shows zero license failures.
- [ ] Maintainer — remove the temporary `advisories.ignore` entries (RUSTSEC ignores) from `deny.toml` and verify CI shows zero advisories and license failures before any final merge.
## Short triage summary (top offenders)
See `issues/LICENSE-TRIAGE-2025-11-10.md` and `docker/audit/output/license_triage_2025-11-09.csv` for full details. Top offenders:
- webauthn-rs family (MPL-2.0): `webauthn-rs v0.5.3` (direct dep), `webauthn-rs-core v0.5.3`, `webauthn-rs-proto v0.5.3`, `webauthn-attestation-ca v0.5.3`, `base64urlsafedata v0.5.3` — remediation: upgrade/replace/vendor.
- webpki-roots (CDLA-Permissive-2.0): `webpki-roots v1.0.3` pulled transitively via `hyper-rustls -> reqwest -> openidconnect` — remediation: coordinated `reqwest`/TLS backend upgrade or feature change.
Artifacts and logs: `docker/audit/output/` contains the `cargo-deny` diagnostics, reverse-dependency trees and experiment logs used to evaluate remediation paths.
See also: `issues/LICENSE-TRIAGE-SUMMARY-2025-11-12.md` for the condensed top-offender analysis and recommended next steps.
Once all tasks above are complete and CI is green with `cargo-deny` passing, this PR may be merged and the temporary allowlist removed.
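Review bot: the body now carries two overlapping task lists and two triage sections. The `## Tasks` items (confirm timebox, `webauthn-rs` upgrade or replacement, `webpki-roots` removal, cargo-deny clean on CI, remove the allowlist) are restated almost verbatim under `## Pre-merge task checklist`, and the `## Triage summary` heading is wedged between that checklist's intro sentence ("These tasks must be completed, reviewed, and verified before this PR is merged...") and its first checkbox, so the intro no longer introduces anything. Suggest keeping only the more detailed pre-merge checklist directly under its intro, merging `## Triage summary` and `## Short triage summary (top offenders)` into one section after it, and dropping the redundant `## Tasks` block. Separately, the final checklist item asks to remove the temporary `advisories.ignore` (RUSTSEC ignores) from `deny.toml`, but the opening paragraph describes only the MPL-2.0/CDLA-Permissive-2.0 license allowlist and the body never says which advisories are ignored or why; list the ignored RUSTSEC ids with a one-line justification each so the security-lead sign-off on the timebox explicitly covers them as well.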
39
issues/LICENSE-TRIAGE-SUMMARY-2025-11-12.md
Normal file
@ -0,0 +1,39 @@
# License triage summary — 2025-11-12
This short summary aggregates the highest-impact license failures reported by the audit tooling and gives a quick feasibility recommendation for policy and remediation.
Source
------
- Generated from `docker/audit/output/license_triage_2025-11-09.csv` and follow-up experiment artifacts in `docker/audit/output/`.
Top offenders
-------------
1. webauthn-rs family — MPL-2.0 (direct)
- Crates: `webauthn-rs v0.5.3`, `webauthn-rs-core v0.5.3`, `webauthn-rs-proto v0.5.3`, `webauthn-attestation-ca v0.5.3`, `base64urlsafedata v0.5.3`
- Path: direct dependency from `vaultwarden` to `webauthn-rs`.
- Impact: high (direct dependency). Remediation: upgrade to permissive version, replace crate, or vendor functionality.
2. webpki-roots — CDLA-Permissive-2.0 (transitive)
- Crate: `webpki-roots v1.0.3` via `hyper-rustls -> reqwest -> openidconnect`.
- Impact: medium. Remediation: prefer `native-tls` or upgrade TLS/reqwest stack to versions that avoid `webpki-roots`.
3. ar_archive_writer — Apache-2.0 WITH LLVM-exception (transitive)
- Crate: `ar_archive_writer v0.2.0` via `lettre -> psm -> stacker -> chumsky`.
- Impact: small (single remaining blocking error after experiments). Remediation: bump `lettre`/`psm` versions (experiment shows this removes the error) or timebox an allowlist entry while a bump PR is prepared.
Feasibility and immediate policy guidance
---------------------------------------
- The webauthn-rs cluster requires direct attention (upgrade/replace); temporarily allowing MPL-2.0 is defensible but should be strictly timeboxed and tracked.
- The webpki-roots issue looks solvable by TLS/reqwest feature/upgrade changes; continue the experiment work and prefer coordinated upgrades rather than allowing CDLA-Permissive-2.0 permanently.
- The ar_archive_writer issue is directly addressable via a `lettre`/`psm` bump. Experiments in a workspace copy removed the error, so preparing a minimal bump PR is recommended.
Actionable next steps
---------------------
1. Prepare a minimal PR to bump `lettre` and/or `psm` to the versions validated by the experiment and run CI with cargo-deny.
2. Continue webauthn-rs remediation plan (upgrade/replace/vendor) as the top priority.
3. Keep MPL-2.0 and CDLA-Permissive-2.0 as temporary allowlist entries while the above are addressed; remove them as soon as remediation is merged.
Artifacts
---------
- `docker/audit/output/license_triage_2025-11-09.csv`
- Experiment outputs: `docker/audit/output/deny_let_update.*`, `deny_reqwest_native.*`, `deny_licenses.*`
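Review bot: the dependency-path notation is inconsistent between items 2 and 3 under "Top offenders": `hyper-rustls -> reqwest -> openidconnect` reads from the flagged leaf toward its consumer, while `lettre -> psm -> stacker -> chumsky` starts with `lettre` (the crate the next steps say to bump) and so appears to run the other way. Pick one direction, state it once under "Source", and ideally paste the relevant `cargo tree -i` lines from `docker/audit/output/` so the paths can be checked against the artifacts rather than read off by hand. Also, "Actionable next steps" item 1 says to bump `lettre`/`psm` "to the versions validated by the experiment" and item 3 says to keep the MPL-2.0 and CDLA-Permissive-2.0 allowlist entries temporarily, but the summary names neither the validated versions nor a removal date; record the version numbers from the `deny_let_update.*` experiment output listed under "Artifacts" and the timebox end date (the PR body targets sign-off by 2025-11-17) so this file stands on its own.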