Merge 5bc2f1401f into f21a3adae2

2026-05-07 03:55:24 +02:00 · 2026-05-03 19:39:07 +02:00 · 2026-05-03 19:39:07 +02:00 · e3caeeb671
commit e3caeeb671
parent f21a3adae2 5bc2f1401f
2 changed files with 74 additions and 0 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -179,6 +179,15 @@ jobs:
      # End Run cargo fmt


+      # Run cargo deny (supply-chain: advisories, licenses, bans, sources)
+      # Only run on rust-toolchain channel — deny.toml pins the feature set.
+      - name: "cargo deny"
+        id: deny
+        if: ${{ !cancelled() && matrix.channel == 'rust-toolchain' }}
+        uses: EmbarkStudios/cargo-deny-action@175dc7fd4fb85ec8f46948fb98f44db001149081 # v2.0.16
+      # End Run cargo deny
+
+
      # Check for any previous failures, if there are stop, else continue.
      # This is useful so all test/clippy/fmt actions are done, and they can all be addressed
      - name: "Some checks failed"
@ -192,6 +201,7 @@ jobs:
          TEST_POSTGRESQL: ${{ steps.test_postgresql.outcome }}
          CLIPPY: ${{ steps.clippy.outcome }}
          FMT: ${{ steps.formatting.outcome }}
+          DENY: ${{ steps.deny.outcome }}
        run: |
          echo "### :x: Checks Failed!" >> "${GITHUB_STEP_SUMMARY}"
          echo "" >> "${GITHUB_STEP_SUMMARY}"
@ -205,6 +215,7 @@ jobs:
          echo "|test (postgresql)|${TEST_POSTGRESQL}|" >> "${GITHUB_STEP_SUMMARY}"
          echo "|clippy (sqlite,mysql,postgresql,enable_mimalloc,s3)|${CLIPPY}|" >> "${GITHUB_STEP_SUMMARY}"
          echo "|fmt|${FMT}|" >> "${GITHUB_STEP_SUMMARY}"
+          echo "|cargo deny|${DENY}|" >> "${GITHUB_STEP_SUMMARY}"
          echo "" >> "${GITHUB_STEP_SUMMARY}"
          echo "Please check the failed jobs and fix where needed." >> "${GITHUB_STEP_SUMMARY}"
          echo "" >> "${GITHUB_STEP_SUMMARY}"
--- a/deny.toml
+++ b/deny.toml
@ -0,0 +1,63 @@
+# https://embarkstudios.github.io/cargo-deny/
+
+[graph]
+# Check the full feature set used by CI so all optional dependencies are included.
+features = ["sqlite", "mysql", "postgresql", "enable_mimalloc", "s3"]
+
+# =============================================================================
+# Advisories — RustSec vulnerability and unmaintained crate database
+# =============================================================================
+[advisories]
+ignore = [
+    # Marvin Attack: timing side-channel in the `rsa` crate (no fix available).
+    # Used only for JWT RS256 signing, not for network-facing RSA decryption,
+    # which limits exposure. Track: https://rustsec.org/advisories/RUSTSEC-2023-0071
+    { id = "RUSTSEC-2023-0071", reason = "No upstream fix available; exposure is limited to JWT signing, not network-facing decryption." },
+
+    # `rustls-pemfile` v1.x is unmaintained (archived Aug 2025). It is a thin
+    # wrapper around rustls-pki-types and pulled in transitively via rustls 0.21.x.
+    # Removing it requires upstream crates to drop their rustls 0.21 dependency.
+    { id = "RUSTSEC-2025-0134", reason = "Transitive via rustls 0.21.x compat chain; blocked on upstream upgrade." },
+]
+
+# =============================================================================
+# Licenses
+# =============================================================================
+[licenses]
+# OSI-approved permissive licenses and weak copyleft licenses compatible with
+# distributing vaultwarden (AGPL-3.0-only) as a Docker image.
+allow = [
+    "0BSD",
+    "Apache-2.0",
+    "BSD-3-Clause",
+    "CC0-1.0",
+    "CDLA-Permissive-2.0",
+    "ISC",
+    "MIT",
+    "MPL-2.0",
+    "Unicode-3.0",
+    "Zlib",
+]
+
+[licenses.private]
+# Skip license checks for unpublished workspace crates (vaultwarden, macros).
+ignore = true
+
+# =============================================================================
+# Bans — duplicate versions and disallowed crates
+# =============================================================================
+[bans]
+# Warn on duplicate versions; many arise from transitive deps and require
+# upstream changes to resolve. Promote to "deny" once the dep tree stabilises.
+multiple-versions = "allow"
+wildcards = "deny"
+allow-wildcard-paths = true
+highlight = "all"
+
+# =============================================================================
+# Sources — only crates.io is an allowed registry
+# =============================================================================
+[sources]
+unknown-registry = "deny"
+unknown-git = "deny"
+allow-registry = ["https://github.com/rust-lang/crates.io-index"]