influxdb/deny.toml

# Configuration documentation:
#   https://embarkstudios.github.io/cargo-deny/index.html

[advisories]
vulnerability = "deny"
yanked = "deny"
unmaintained = "warn"
notice = "warn"
ignore = [
    # potential unalinged read in atty
    # https://rustsec.org/advisories/RUSTSEC-2021-0145
    # Acceptable because only dependencies are dev/test (not used in prod code).
    "RUSTSEC-2021-0145",

    # "It was sometimes possible for SQLite versions >= 1.0.12, < 3.39.2 to allow an array-bounds overflow when large
    # string were input into SQLite's printf function."
    #
    # We are not using `printf` with untrusted inputs.
    #
    # This is currently blocked by upstream:
    # https://github.com/launchbadge/sqlx/issues/2346
    "RUSTSEC-2022-0090",
]
git-fetch-with-cli = true

[licenses]
allow-osi-fsf-free = "either"
copyleft = "deny"
unlicensed = "deny"
default = "deny"

exceptions = [
    # We should probably NOT bundle CA certs but use the OS ones.
    { name = "webpki-roots", allow = ["MPL-2.0"] },
    # Currently needed for testing only via mockito.
    { name = "colored", allow = ["MPL-2.0"] },
]

[[licenses.clarify]]
name = "ring"
expression = "BSD-4-Clause AND ISC AND MIT AND OpenSSL"
license-files = [
    # https://github.com/briansmith/ring/blob/95948b3977013aed16db92ae32e6b8384496a740/LICENSE
    { path = "LICENSE", hash = 0xbd0eed23 },
]

[sources.allow-org]
github = ["influxdata", "apache"]

[bans]
multiple-versions = "warn"
deny = [
    # We are using rustls as the TLS implementation, so we shouldn't be linking
    # in OpenSSL too.
    #
    # If you're hitting this, you might want to take a look at what new
    # dependencies you have introduced and check if there's a way to depend on
    # rustls instead of OpenSSL (tip: check the crate's feature flags).
    { name = "openssl-sys" }
]
-												ci: cargo-deny config

Adds a config file for cargo-deny[1] that runs the following checks:

    * advisory-db[2] RUSTSEC checks for deps (like cargo-audit)
    * errors if a dependency has been "yanked" from crates.io
    * errors if attempting to use OpenSSL as a dependency.

The RUSTSEC checks copy over the whitelist from the current cargo-audit
config.

[1]: https://github.com/EmbarkStudios/cargo-deny
[2]: https://github.com/rustsec/advisory-db

											
										
										
											2022-03-07 15:20:55 +00:00
+								# Configuration documentation:
 								#   https://embarkstudios.github.io/cargo-deny/index.html
 								[advisories]
 								vulnerability = "deny"
 								yanked = "deny"
 								unmaintained = "warn"
 								notice = "warn"
 								ignore = [
-												ci: whitelist RUSTSEC-2021-0145

atty is used by criterion and mockito, both dev-only dependencies.

											
										
										
											2023-01-09 15:16:04 +00:00
+								    # potential unalinged read in atty
 								    # https://rustsec.org/advisories/RUSTSEC-2021-0145
 								    # Acceptable because only dependencies are dev/test (not used in prod code).
 								    "RUSTSEC-2021-0145",
-												chore: ignore `RUSTSEC-2022-0090` (#6983)


											
										
										
											2023-02-14 15:12:11 +00:00
 								    # "It was sometimes possible for SQLite versions >= 1.0.12, < 3.39.2 to allow an array-bounds overflow when large
 								    # string were input into SQLite's printf function."
 								    #
 								    # We are not using `printf` with untrusted inputs.
 								    #
 								    # This is currently blocked by upstream:
 								    # https://github.com/launchbadge/sqlx/issues/2346
 								    "RUSTSEC-2022-0090",
-												ci: cargo-deny config

Adds a config file for cargo-deny[1] that runs the following checks:

    * advisory-db[2] RUSTSEC checks for deps (like cargo-audit)
    * errors if a dependency has been "yanked" from crates.io
    * errors if attempting to use OpenSSL as a dependency.

The RUSTSEC checks copy over the whitelist from the current cargo-audit
config.

[1]: https://github.com/EmbarkStudios/cargo-deny
[2]: https://github.com/rustsec/advisory-db

											
										
										
											2022-03-07 15:20:55 +00:00
+								]
-												ci: simplify cargo deny (#4640)

Taken from https://github.com/influxdata/object_store_rs/pull/5

Co-authored-by: kodiakhq[bot] <49736102+kodiakhq[bot]@users.noreply.github.com>
											
										
										
											2022-05-19 09:51:15 +00:00
+								git-fetch-with-cli = true
-												ci: cargo-deny config

Adds a config file for cargo-deny[1] that runs the following checks:

    * advisory-db[2] RUSTSEC checks for deps (like cargo-audit)
    * errors if a dependency has been "yanked" from crates.io
    * errors if attempting to use OpenSSL as a dependency.

The RUSTSEC checks copy over the whitelist from the current cargo-audit
config.

[1]: https://github.com/EmbarkStudios/cargo-deny
[2]: https://github.com/rustsec/advisory-db

											
										
										
											2022-03-07 15:20:55 +00:00
 								[licenses]
-												chore: deny unknown and copyleft licenses (#7556)

I just don't wanna rip out parts of our software stack because
someone gets cold feet.

Co-authored-by: kodiakhq[bot] <49736102+kodiakhq[bot]@users.noreply.github.com>
											
										
										
											2023-04-17 08:08:48 +00:00
+								allow-osi-fsf-free = "either"
 								copyleft = "deny"
 								unlicensed = "deny"
 								default = "deny"
 								exceptions = [
 								    # We should probably NOT bundle CA certs but use the OS ones.
 								    { name = "webpki-roots", allow = ["MPL-2.0"] },
 								    # Currently needed for testing only via mockito.
 								    { name = "colored", allow = ["MPL-2.0"] },
 								]
 								[[licenses.clarify]]
 								name = "ring"
 								expression = "BSD-4-Clause AND ISC AND MIT AND OpenSSL"
 								license-files = [
 								    # https://github.com/briansmith/ring/blob/95948b3977013aed16db92ae32e6b8384496a740/LICENSE
 								    { path = "LICENSE", hash = 0xbd0eed23 },
 								]
-												ci: cargo-deny config

Adds a config file for cargo-deny[1] that runs the following checks:

    * advisory-db[2] RUSTSEC checks for deps (like cargo-audit)
    * errors if a dependency has been "yanked" from crates.io
    * errors if attempting to use OpenSSL as a dependency.

The RUSTSEC checks copy over the whitelist from the current cargo-audit
config.

[1]: https://github.com/EmbarkStudios/cargo-deny
[2]: https://github.com/rustsec/advisory-db

											
										
										
											2022-03-07 15:20:55 +00:00
 								[sources.allow-org]
 								github = ["influxdata", "apache"]
 								[bans]
 								multiple-versions = "warn"
 								deny = [
 								    # We are using rustls as the TLS implementation, so we shouldn't be linking
 								    # in OpenSSL too.
 								    #
 								    # If you're hitting this, you might want to take a look at what new
 								    # dependencies you have introduced and check if there's a way to depend on
 								    # rustls instead of OpenSSL (tip: check the crate's feature flags).
 								    { name = "openssl-sys" }
 								]