dahjah/vaultwarden
1
0
Fork 0
mirror of https://github.com/dani-garcia/vaultwarden.git synced 2026-04-29 23:31:07 -06:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity
12de0c828a
vaultwarden/deny.toml
TriplEight 097cb1daaf
ci: add cargo-deny config for supply-chain checks. 
Covers advisories (RustSec), license compliance, duplicate detection,
  and source allowlist (crates.io only).

  License allowlist reflects the full transitive dep tree: MIT, Apache-2.0,
  ISC, BSD-*, 0BSD, Unlicense, Zlib, BSL-1.0, MPL-2.0, Unicode-3.0,
  LGPL-2.1-or-later (r-efi, Windows-only), CDLA-Permissive-2.0 (webpki-roots).

  Three known advisories are ignored:
  - RUSTSEC-2023-0071: rsa Marvin Attack, no upstream fix available
  - RUSTSEC-2025-0134: rustls-pemfile unmaintained, blocked on rustls upgrade
  - RUSTSEC-2026-0049: rustls-webpki CRL bug, fix blocked by rustls 0.21.x chain

  Duplicate versions are warned rather than denied — all are transitive.
2026-03-22 14:30:44 +01:00

76 lines
3.4 KiB
TOML
Raw Blame History

# https://embarkstudios.github.io/cargo-deny/
[graph]
# Check the full feature set used by CI so all optional dependencies are included.
features = ["sqlite", "mysql", "postgresql", "enable_mimalloc", "s3"]
# =============================================================================
# Advisories — RustSec vulnerability and unmaintained crate database
# =============================================================================
[advisories]
ignore = [
# Marvin Attack: timing side-channel in the `rsa` crate (no fix available).
# Used only for JWT RS256 signing, not for network-facing RSA decryption,
# which limits exposure. Track: https://rustsec.org/advisories/RUSTSEC-2023-0071
{ id = "RUSTSEC-2023-0071", reason = "No upstream fix available; exposure is limited to JWT signing, not network-facing decryption." },
# `rustls-pemfile` v1.x is unmaintained (archived Aug 2025). It is a thin
# wrapper around rustls-pki-types and pulled in transitively via rustls 0.21.x.
# Removing it requires upstream crates to drop their rustls 0.21 dependency.
{ id = "RUSTSEC-2025-0134", reason = "Transitive via rustls 0.21.x compat chain; blocked on upstream upgrade." },
# CRL validation bug in rustls-webpki: fix requires >=0.103.10, but rustls-webpki
# 0.101.x is pinned by the rustls 0.21.x compatibility stack.
# Track upstream rustls upgrade to resolve both occurrences.
{ id = "RUSTSEC-2026-0049", reason = "rustls-webpki 0.101.x locked by rustls 0.21.x compat chain; track upstream rustls upgrade." },
]
# =============================================================================
# Licenses
# =============================================================================
[licenses]
# OSI-approved permissive licenses and weak copyleft licenses compatible with
# distributing vaultwarden (AGPL-3.0-only) as a Docker image.
allow = [
"0BSD",
"Apache-2.0",
"Apache-2.0 WITH LLVM-exception",
"BSD-1-Clause",
"BSD-2-Clause",
"BSD-3-Clause",
"BSL-1.0", # Boost Software License (ryu)
"CDLA-Permissive-2.0", # Community Data License Agreement (webpki-roots)
"ISC",
"LGPL-2.1-or-later", # r-efi (Windows-only UEFI crate; dynamically linked)
"MIT",
"MPL-2.0", # webauthn-rs crates (file-level copyleft, compatible)
"Unicode-3.0",
"Unlicense",
"Zlib",
]
[licenses.private]
# Skip license checks for unpublished workspace crates (vaultwarden, macros).
ignore = true
# =============================================================================
# Bans — duplicate versions and disallowed crates
# =============================================================================
[bans]
# Warn on duplicate versions; many arise from transitive deps and require
# upstream changes to resolve. Promote to "deny" once the dep tree stabilises.
multiple-versions = "warn"
# Warn on wildcard version requirements. "deny" would also flag internal
# workspace path dependencies (macros = { path = "./macros" }), which have
# no version specifier by design, so "warn" is used instead.
wildcards = "warn"
highlight = "all"
# =============================================================================
# Sources — only crates.io is an allowed registry
# =============================================================================
[sources]
unknown-registry = "deny"
unknown-git = "deny"
allow-registry = ["https://github.com/rust-lang/crates.io-index"]
Reference in New Issue View Git Blame Copy Permalink