summaryrefslogtreecommitdiffhomepage
diff options
context:
space:
mode:
-rw-r--r--.github/workflows/testframework-rust-supply-chain.yml25
-rw-r--r--test/deny.toml98
2 files changed, 123 insertions, 0 deletions
diff --git a/.github/workflows/testframework-rust-supply-chain.yml b/.github/workflows/testframework-rust-supply-chain.yml
new file mode 100644
index 0000000000..2a7a7fa44f
--- /dev/null
+++ b/.github/workflows/testframework-rust-supply-chain.yml
@@ -0,0 +1,25 @@
+---
+name: Rust - Supply chain (Test framework)
+on:
+ pull_request:
+ paths:
+ - .github/workflows/testframework-rust-supply-chain.yml
+ - ./test/deny.toml
+ - 'test/**/Cargo.toml'
+ - 'test/**/Cargo.lock'
+ - 'test/**/*.rs'
+ workflow_dispatch:
+jobs:
+ check-test-framework-supply-chain:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v3
+
+ - name: Run cargo deny (test workspace)
+ uses: EmbarkStudios/cargo-deny-action@v1
+ with:
+ manifest-path: ./test/Cargo.toml
+ log-level: warn
+ rust-version: stable
+ command: check all
diff --git a/test/deny.toml b/test/deny.toml
new file mode 100644
index 0000000000..598cff2643
--- /dev/null
+++ b/test/deny.toml
@@ -0,0 +1,98 @@
+# This section is considered when running `cargo deny check advisories`
+# More documentation for the advisories section can be found here:
+# https://embarkstudios.github.io/cargo-deny/checks/advisories/cfg.html
+[advisories]
+version = 2 # https://github.com/EmbarkStudios/cargo-deny/pull/611
+db-path = "~/.cargo/advisory-db"
+db-urls = ["https://github.com/rustsec/advisory-db"]
+
+ignore = [
+ # Ignored audit issues. This list should be kept short, and effort should be
+ # put into removing items from the list.
+ # RUSTSEC-2023-0081 - `safemem` is unmaintained: https://github.com/ebarnard/rust-plist/pull/134
+ "RUSTSEC-2023-0081"
+]
+
+#severity-threshold =
+
+
+# This section is considered when running `cargo deny check licenses`
+# More documentation for the licenses section can be found here:
+# https://embarkstudios.github.io/cargo-deny/checks/licenses/cfg.html
+[licenses]
+version = 2 # https://github.com/EmbarkStudios/cargo-deny/pull/611
+
+# Adding a license here has to be done carefully. Should not be changed
+# by individual developers.
+allow = [
+ "GPL-3.0",
+ "Apache-2.0",
+ "MIT",
+ "WTFPL",
+ "ISC",
+ "BSD-3-Clause",
+ "BSD-2-Clause",
+ "CC0-1.0",
+ "MPL-2.0",
+ # https://github.com/briansmith/ring/issues/902
+ "LicenseRef-ring",
+ "Unicode-DFS-2016"
+]
+
+confidence-threshold = 0.8
+
+exceptions = []
+
+[[licenses.clarify]]
+name = "ring"
+expression = "LicenseRef-ring"
+license-files = [
+ { path = "LICENSE", hash = 0xbd0eed23 }
+]
+
+[licenses.private]
+ignore = false
+registries = []
+
+# This section is considered when running `cargo deny check bans`.
+# More documentation about the 'bans' section can be found here:
+# https://embarkstudios.github.io/cargo-deny/checks/bans/cfg.html
+[bans]
+multiple-versions = "warn"
+wildcards = "warn"
+highlight = "all"
+
+allow = []
+deny = [
+ { name = "clap", version = "2" },
+ { name = "clap", version = "3" },
+ # `atty` is an unmaintained crate with a CVE: RUSTSEC-2021-0145
+ { name = "atty" },
+ { name = "time", version = "0.1"},
+]
+skip = []
+skip-tree = []
+
+# This section is considered when running `cargo deny check sources`.
+# More documentation about the 'sources' section can be found here:
+# https://embarkstudios.github.io/cargo-deny/checks/sources/cfg.html
+[sources]
+unknown-registry = "deny"
+unknown-git = "deny"
+allow-registry = ["https://github.com/rust-lang/crates.io-index"]
+# If we need to temporarily depend on a git repository in our Rust dependency tree,
+# it has to be added here. We should try to keep this list minimal. Having git
+# dependencies is not recommended.
+allow-git = []
+
+[sources.allow-org]
+# 1 or more github.com organizations to allow git sources for
+github = ["mullvad"]
+
+[graph]
+targets = [
+ { triple = "x86_64-unknown-linux-gnu" },
+ { triple = "x86_64-pc-windows-gnu" },
+ { triple = "x86_64-apple-darwin" },
+ { triple = "aarch64-apple-darwin" }
+]