From 177f2fbf9aaee4480aeb84b5f791c6db5d1826b4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois?=
Date: Mon, 17 May 2021 23:07:18 +0000
Subject: [PATCH] enable cargo deny (#2101)

https://github.com/EmbarkStudios/cargo-deny

cargo-deny is a tool that can issue errors for dependency issues, among other:
* security issues in a crate
* duplicated dependencies with different versions
* unauthorised license

Added cargo-deny with an opinionated configuration:
* No middle ground with warnings, either allow or deny
* Not added to Bors, we probably don't want to block a PR on something that may happen from outside
* Different github workflow than CI to run only when Cargo.toml files are changed, or on a schedule
* Each check in its own job to help readability
* Initial config makes Bevy pass all check

Pushing a first commit with commented config to show errors
---
 .github/workflows/dependencies.yml | 54 ++++++++++++++++++++++++
 deny.toml | 66 ++++++++++++++++++++++++++++++
 2 files changed, 120 insertions(+)
 create mode 100644 .github/workflows/dependencies.yml
 create mode 100644 deny.toml

diff --git a/.github/workflows/dependencies.yml b/.github/workflows/dependencies.yml
new file mode 100644
index 0000000000..36e38b00e0
--- /dev/null
+++ b/.github/workflows/dependencies.yml
@@ -0,0 +1,54 @@
+name: Dependencies
+
+on:
+ pull_request:
+ paths:
+ - '**/Cargo.toml'
+ - 'deny.toml'
+ push:
+ branches: [main, staging, trying]
+ paths:
+ - '**/Cargo.toml'
+ - 'deny.toml'
+ schedule:
+ - cron: "0 0 * * 0"
+
+env:
+ CARGO_TERM_COLOR: always
+
+jobs:
+ check-advisories:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: Install cargo-deny
+ run: cargo install cargo-deny
+ - name: Check for security advisories and unmaintained crates
+ run: cargo deny check advisories
+
+ check-bans:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: Install cargo-deny
+ run: cargo install cargo-deny
+ - name: Check for banned and duplicated dependencies
+ run: cargo deny check bans
+
+ check-licenses:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: Install cargo-deny
+ run: cargo install cargo-deny
+ - name: Check for unauthorized licenses
+ run: cargo deny check licenses
+
+ check-sources:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: Install cargo-deny
+ run: cargo install cargo-deny
+ - name: Checked for unauthorized crate sources
+ run: cargo deny check sources
diff --git a/deny.toml b/deny.toml
new file mode 100644
index 0000000000..79c33279bc
--- /dev/null
+++ b/deny.toml
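Review bot: Each of the four `Install cargo-deny` steps runs `cargo install cargo-deny` with no version and without `--locked`, so the tool meant to police Bevy's dependency graph is itself built from whatever cargo-deny release and freshly resolved dependency set exist on the day the job runs, and `actions/checkout@v2` is a mutable tag as well. Pinning both makes the check reproducible and closes the obvious supply-chain gap in the checker itself: `run: cargo install cargo-deny --locked --version <pinned version>` (or the upstream `EmbarkStudios/cargo-deny-action` pinned to a commit SHA) and `uses: actions/checkout@<commit sha>`. The workflow also declares no `permissions:` block; none of these jobs need to write, so a top-level `permissions: { contents: read }` would keep the job token least-privilege. Finally, the step name `Checked for unauthorized crate sources` should read `Check for unauthorized crate sources` to match its siblings; the YAML indentation of this hunk appears collapsed in this rendering and presumably is intact in the original file.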
@@ -0,0 +1,66 @@
+[advisories]
+db-path = "~/.cargo/advisory-db"
+db-urls = ["https://github.com/rustsec/advisory-db"]
+vulnerability = "deny"
+unmaintained = "deny"
+yanked = "deny"
+notice = "deny"
+ignore = [
+ "RUSTSEC-2020-0016", # net2 deprecated - https://github.com/deprecrated/net2-rs/commit/3350e3819adf151709047e93f25583a5df681091
+ "RUSTSEC-2020-0056", # stdweb unmaintained - https://github.com/koute/stdweb/issues/403
+ "RUSTSEC-2021-0047", # security issue - https://github.com/gnzlbg/slice_deque/issues/90
+]
+
+[licenses]
+unlicensed = "deny"
+copyleft = "deny"
+allow = [
+ "MIT",
+ "Apache-2.0",
+ "BSD-3-Clause",
+ "ISC",
+ "Zlib",
+ "0BSD",
+ "BSD-2-Clause",
+ "CC0-1.0",
+ "MPL-2.0",
+]
+default = "deny"
+
+[[licenses.clarify]]
+name = "stretch"
+expression = "MIT"
+license-files = []
+
+[bans]
+multiple-versions = "deny"
+wildcards = "deny"
+highlight = "all"
+# Certain crates/versions that will be skipped when doing duplicate detection.
+skip = [
+ { name = "ahash", version = "0.4" },
+ { name = "android_log-sys", version = "0.1" },
+ { name = "cfg-if", version = "0.1" }, # https://github.com/rustwasm/console_error_panic_hook/pull/18
+ { name = "core-foundation", version = "0.6" },
+ { name = "core-foundation", version = "0.7" },
+ { name = "core-foundation-sys", version = "0.6" },
+ { name = "core-foundation-sys", version = "0.7" },
+ { name = "core-graphics", version = "0.19" },
+ { name = "fixedbitset", version = "0.2" },
+ { name = "libm", version = "0.1" },
+ { name = "mach", version = "0.2" },
+ { name = "mio", version = "0.6" },
+ { name = "miow", version = "0.2" },
+ { name = "ndk", version = "0.2" },
+ { name = "ndk-glue", version = "0.2" },
+ { name = "num_enum", version = "0.4" },
+ { name = "num_enum_derive", version = "0.4" },
+ { name = "stdweb", version = "0.1" },
+ { name = "winapi", version = "0.2" },
+]
+
+[sources]
+unknown-registry = "deny"
+unknown-git = "deny"
+allow-registry = ["https://github.com/rust-lang/crates.io-index"]
+allow-git = []
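Review bot: The `ignore` entry for `RUSTSEC-2021-0047` suppresses an advisory that the comment itself labels a security issue, with no statement of why it is not reachable from Bevy or when the suppression should be revisited, so it will quietly outlive the dependency that motivated it while `vulnerability = "deny"` reads as if every vulnerability is blocked. Record the justification and an exit condition next to the ID, e.g. `"RUSTSEC-2021-0047", # slice_deque: <why it is not reachable here>; drop this ignore once the crate that pulls it in is replaced or fixed`, and give the two deprecated/unmaintained ignores the same treatment since `unmaintained = "deny"` is otherwise the whole point of the check. Separately, `copyleft = "deny"` next to `"MPL-2.0"` in `allow` appears to rely on the explicit allow list taking precedence over the copyleft policy in cargo-deny (the commit says the config passes today, which suggests it does); a one-line comment on the MPL entry saying the weak-copyleft allowance is intentional would save the next reader from assuming it is a mistake.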