Backup_Repos/vaultwarden
1
0
Fork 0
mirror of https://github.com/dani-garcia/vaultwarden.git synced 2026-05-09 05:21:23 +02:00
Code Issues Projects Releases Wiki Activity

docs(audit): add short license-failure analysis

Browse source
This commit is contained in:
kalvinparker 2025-11-10 22:10:57 +00:00
parent 6befc36448
commit 9679613cfa
1 changed files with 36 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

36
issues/SHORT-LICENSE-ANALYSIS-2025-11-10.md Normal file
View file

@ -0,0 +1,36 @@
# Short license-failure analysis (2025-11-10)
Purpose
-------
This short analysis summarizes the top offenders that caused the recent license failures (537 total failures reported across the full audit) and provides a quick feasibility assessment of whether the temporary allowlist can be narrowed or must remain in place while remediation proceeds.
Key findings
------------
- The top failing crates (from `docker/audit/output/license_triage_2025-11-09.csv`) are:
- webauthn-rs family (MPL-2.0): `webauthn-rs v0.5.3` (direct dep), `webauthn-rs-core v0.5.3`, `webauthn-rs-proto v0.5.3`, `webauthn-attestation-ca v0.5.3`, `base64urlsafedata v0.5.3`.
- `webpki-roots v1.0.3` (CDLA-Permissive-2.0) pulled transitively via `hyper-rustls -> reqwest -> openidconnect`.
- `ar_archive_writer v0.2.0` (Apache-2.0 WITH LLVM-exception) reported via `lettre` (present in CSV but not blocking if Apache+LLVM-exception is in your allowlist policy).
Feasibility of policy adjustment
--------------------------------
- MPL-2.0 cluster (webauthn-rs):
- Because `webauthn-rs` is a direct dependency for `vaultwarden`, allowing MPL-2.0 in the policy would immediately remove this class of failures.
- Trade-off: MPL-2.0 is a copyleft-style license with obligations different from Apache/MIT; adding it to an allowlist should be treated as temporary and timeboxed while an upgrade/replacement is pursued.
- Recommendation: Keep restrictive stance (do not permanently allow MPL-2.0). Use timeboxed temporary allowlist and expedite `webauthn-rs` remediation.
- CDLA-Permissive-2.0 cluster (webpki-roots):
- This is transitive via TLS stacks; often solvable by switching TLS backend (native-tls) or upgrading `reqwest`/`hyper-rustls`/`openidconnect` chain.
- Feasibility: Medium — requires coordination across multiple crates; experimenting with toggling features or bumping versions may remove webpki-roots without wider policy changes.
- Recommendation: Prioritize a targeted experiment (already started) to prefer `native-tls` or bump specific dependencies; avoid permanently allowing CDLA-Permissive-2.0 unless remediation proves infeasible.
Quick action items
------------------
1. Apply targeted experiments (in separate ephemeral branches):
- Toggle `reqwest` to prefer `native-tls` in a workspace copy and run `cargo-deny`.
- Attempt upgrading/removing `openidconnect`'s `reqwest` feature as done in previous experiments and record before/after diffs.
2. Attempt `webauthn-rs` remediation (upgrade, replace, or vendor) as top priority; the direct dependency makes this the highest-impact remediation.
3. Keep temporary allowlist timeboxed and document progress in `issues/TRACK-2025-11-09-RSA-PASTE.md`.
Conclusion
----------
Short-term policy change (temporary allowlist for MPL-2.0 and CDLA-Permissive-2.0) is defensible as a timeboxed mitigation while focused remediation proceeds. The high-impact targets are `webauthn-rs` (direct dep) and the transitive `webpki-roots` via the TLS stack. Prioritize `webauthn-rs` remediation and coordinated TLS-stack experiments; if they succeed, remove the temporary allowlist.