dahjah/vaultwarden
1
0
Fork 0
mirror of https://github.com/dani-garcia/vaultwarden.git synced 2026-04-09 11:01:39 -06:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

docs(audit): add license triage summary and PR body update file

Browse Source
This commit is contained in:
kalvinparker 2025-11-10 22:05:58 +00:00
parent 56e7b76db1
commit 6befc36448
2 changed files with 47 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
.github/PR_BODY_UPDATE-2.md vendored Normal file
View File

@ -0,0 +1,11 @@
Temporary license allowlist: MPL-2.0 and CDLA-Permissive-2.0 were added to deny.toml on branch experiment/webauthn-upgrade to unblock CI while coordinated upgrades/replacements are attempted. This is timeboxed and tracked in issues/FEASIBILITY-WEBAUTHN-WEBPKI.md and issues/TRACK-2025-11-09-RSA-PASTE.md. See the experiment artifacts in docker/audit/output/.
## Tasks
- [ ] Owner: Security lead — confirm timebox and approve temporary allowlist (by 2025-11-17)
- [ ] Owner: Maintainer — attempt `webauthn-rs` upgrade or replacement; report feasibility (see issues/FEASIBILITY-WEBAUTHN-WEBPKI.md)
- [ ] Owner: Maintainer — coordinate `reqwest`/`hyper-rustls`/`openidconnect` upgrades to remove `webpki-roots` (see docker/audit/output/* and reqwest/webpki trees)
- [ ] Owner: Maintainer — verify cargo-deny clean runs on CI after each change
- [ ] Owner: Maintainer — remove temporary allowlist and update deny.toml when all issues resolved
## Triage summary
See issues/LICENSE-TRIAGE-2025-11-10.md for a short summary of the top offenders and remediation options.

36
issues/LICENSE-TRIAGE-2025-11-10.md Normal file
View File

@ -0,0 +1,36 @@
# License triage summary (2025-11-10)
Summary
-------
This short report summarizes the top remaining license failures reported by `cargo-deny` after temporary allowlist adjustments and initial experiments.
Top offenders (extracted from `docker/audit/output/license_triage_2025-11-09.csv`):
- webauthn-rs family (MPL-2.0):
- `webauthn-rs v0.5.3` (direct dependency)
- `webauthn-rs-core v0.5.3`
- `webauthn-rs-proto v0.5.3`
- `webauthn-attestation-ca v0.5.3`
- `base64urlsafedata v0.5.3`
- webpki-roots (CDLA-Permissive-2.0):
- `webpki-roots v1.0.3` pulled via `hyper-rustls v0.27.7` -> `reqwest v0.12.24` -> `openidconnect v4.0.1` (and also via `opendal`/`yubico_ng`).
Counts and impact
-----------------
- cargo-deny reported 7 license errors in the most recent run. The list above represents the full set of failing crates.
Short remediation guidance
------------------------
- `webauthn-rs`: direct dependency. Options: (a) upgrade (if a permissively licensed version exists), (b) replace with an alternative WebAuthn crate, or (c) vendor minimal functionality. Immediate step: contact upstream and search for forks/relicensing.
- `webpki-roots`: transitive via the TLS/HTTP stack. Options: (a) coordinated upgrade of `reqwest`/`hyper-rustls`/`openidconnect` or (b) switch TLS backend/features to avoid `webpki-roots`.
Artifacts
---------
- Full diagnostics and experiment artifacts: `docker/audit/output/` (files: `*_deny.err`, `*_deny.json`, `*_build.err`).
Next steps
----------
1. Owner assignment and tasking in PR checklist (see draft PR #2).
2. Continue coordinated upgrades for `reqwest` chain and attempt to upgrade/replace `webauthn-rs`.
3. Remove temporary allowlist once all offenders are resolved.