Backup_Repos/vaultwarden
1
0
Fork 0
mirror of https://github.com/dani-garcia/vaultwarden.git synced 2026-01-26 18:13:19 +01:00
Code Issues Projects Releases Wiki Activity

Merge pull request #4 from kalvinparker/remediations/bump-lettre-psm

Browse source 
chore(audit): bump lettre and psm to resolve ar_archive_writer license
This commit is contained in:
kalvinparker 2026-01-16 18:21:38 +00:00 committed by GitHub
commit e3d1e4aa04
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
55 changed files with 1333 additions and 102 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

30
.github/PR_BODY_UPDATE-2.md vendored Normal file
View file

@ -0,0 +1,30 @@
Temporary license allowlist: MPL-2.0 and CDLA-Permissive-2.0 were added to deny.toml on branch experiment/webauthn-upgrade to unblock CI while coordinated upgrades/replacements are attempted. This is timeboxed and tracked in issues/FEASIBILITY-WEBAUTHN-WEBPKI.md and issues/TRACK-2025-11-09-RSA-PASTE.md. See the experiment artifacts in docker/audit/output/.
## Pre-merge task checklist
These tasks must be completed, reviewed, and verified before this PR is merged. Owners are suggested; assign specific maintainers or security approvers as appropriate.
- [ ] Security lead — confirm and sign off the timebox for the temporary allowlist (target approval date: 2025-11-17). This PR should not be merged without that sign-off.
- [ ] Maintainer — run `cargo tree -i rsa` and `cargo tree -i paste`, paste the reverse-dependency outputs in a follow-up comment, and confirm proposed remediation path for each.
- [ ] Maintainer — attempt `webauthn-rs` remediation (preferred order):
- [ ] Upgrade `webauthn-rs` to a permissively licensed release if available and verify builds/tests.
- [ ] If no upgrade available, evaluate replacing `webauthn-rs` with another WebAuthn implementation or vendor a minimal shim; document chosen approach.
- [ ] Add tests covering affected auth flows and run CI.
- [ ] Maintainer — coordinate TLS/HTTP stack remediation to remove `webpki-roots` (CDLA-Permissive-2.0):
- [ ] Test toggling `reqwest` features to prefer `native-tls` in an isolated workspace copy and publish the artifact logs.
- [ ] Upgrade `hyper-rustls`/`reqwest`/`openidconnect` as needed to versions that don't bring `webpki-roots`, or change TLS backend.
- [ ] Verify `cargo-deny` runs clean locally and on CI after each incremental change.
- [ ] Maintainer — provide a short summary comment with before/after `cargo-deny` outputs and link to `docker/audit/output/` artifacts.
- [ ] Maintainer — remove the temporary allowlist entries from `deny.toml` and verify CI shows zero license failures.
- [ ] Maintainer — remove the temporary `advisories.ignore` entries (RUSTSEC ignores) from `deny.toml` and verify CI shows zero advisories and license failures before any final merge.
## Short triage summary (top offenders)
See `issues/LICENSE-TRIAGE-2025-11-10.md` and `docker/audit/output/license_triage_2025-11-09.csv` for full details. Top offenders:
- webauthn-rs family (MPL-2.0): `webauthn-rs v0.5.3` (direct dep), `webauthn-rs-core v0.5.3`, `webauthn-rs-proto v0.5.3`, `webauthn-attestation-ca v0.5.3`, `base64urlsafedata v0.5.3` — remediation: upgrade/replace/vendor.
- webpki-roots (CDLA-Permissive-2.0): `webpki-roots v1.0.3` pulled transitively via `hyper-rustls -> reqwest -> openidconnect` — remediation: coordinated `reqwest`/TLS backend upgrade or feature change.
Artifacts and logs: `docker/audit/output/` contains the `cargo-deny` diagnostics, reverse-dependency trees and experiment logs used to evaluate remediation paths.
See also: `issues/LICENSE-TRIAGE-SUMMARY-2025-11-12.md` for the condensed top-offender analysis and recommended next steps.
Once all tasks above are complete and CI is green with `cargo-deny` passing, this PR may be merged and the temporary allowlist removed.

140
Cargo.lock generated
View file

@ -161,9 +161,9 @@ dependencies = [
[[package]]
name = "async-compression"
version = "0.4.32"
version = "0.4.33"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5a89bce6054c720275ac2432fbba080a66a2106a44a1b804553930ca6909f4e0"
checksum = "93c1f86859c1af3d514fa19e8323147ff10ea98684e6c7b307912509f50e67b2"
dependencies = [
"compression-codecs",
"compression-core",
@ -361,9 +361,9 @@ checksum = "c08606f8c3cbf4ce6ec8e28fb0014a2c086708fe954eaa885384a6165172e7e8"
[[package]]
name = "aws-config"
version = "1.8.8"
version = "1.8.10"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "37cf2b6af2a95a20e266782b4f76f1a5e12bf412a9db2de9c1e9123b9d8c0ad8"
checksum = "1856b1b48b65f71a4dd940b1c0931f9a7b646d4a924b9828ffefc1454714668a"
dependencies = [
"aws-credential-types",
"aws-runtime",
@ -391,9 +391,9 @@ dependencies = [
[[package]]
name = "aws-credential-types"
version = "1.2.8"
version = "1.2.9"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "faf26925f4a5b59eb76722b63c2892b1d70d06fa053c72e4a100ec308c1d47bc"
checksum = "86590e57ea40121d47d3f2e131bfd873dea15d78dc2f4604f4734537ad9e56c4"
dependencies = [
"aws-smithy-async",
"aws-smithy-runtime-api",
@ -403,9 +403,9 @@ dependencies = [
[[package]]
name = "aws-runtime"
version = "1.5.12"
version = "1.5.14"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "bfa006bb32360ed90ac51203feafb9d02e3d21046e1fd3a450a404b90ea73e5d"
checksum = "8fe0fd441565b0b318c76e7206c8d1d0b0166b3e986cf30e890b61feb6192045"
dependencies = [
"aws-credential-types",
"aws-sigv4",
@ -427,9 +427,9 @@ dependencies = [
[[package]]
name = "aws-sdk-sso"
version = "1.86.0"
version = "1.89.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "4a0abbfab841446cce6e87af853a3ba2cc1bc9afcd3f3550dd556c43d434c86d"
checksum = "a9c1b1af02288f729e95b72bd17988c009aa72e26dcb59b3200f86d7aea726c9"
dependencies = [
"aws-credential-types",
"aws-runtime",
@ -449,9 +449,9 @@ dependencies = [
[[package]]
name = "aws-sdk-ssooidc"
version = "1.89.0"
version = "1.91.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "695dc67bb861ccb8426c9129b91c30e266a0e3d85650cafdf62fcca14c8fd338"
checksum = "4e8122301558dc7c6c68e878af918880b82ff41897a60c8c4e18e4dc4d93e9f1"
dependencies = [
"aws-credential-types",
"aws-runtime",
@ -471,9 +471,9 @@ dependencies = [
[[package]]
name = "aws-sdk-sts"
version = "1.88.0"
version = "1.92.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d30990923f4f675523c51eb1c0dec9b752fb267b36a61e83cbc219c9d86da715"
checksum = "a0c7808adcff8333eaa76a849e6de926c6ac1a1268b9fd6afe32de9c29ef29d2"
dependencies = [
"aws-credential-types",
"aws-runtime",
@ -494,9 +494,9 @@ dependencies = [
[[package]]
name = "aws-sigv4"
version = "1.3.5"
version = "1.3.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "bffc03068fbb9c8dd5ce1c6fb240678a5cffb86fb2b7b1985c999c4b83c8df68"
checksum = "c35452ec3f001e1f2f6db107b6373f1f48f05ec63ba2c5c9fa91f07dad32af11"
dependencies = [
"aws-credential-types",
"aws-smithy-http",
@ -527,15 +527,16 @@ dependencies = [
[[package]]
name = "aws-smithy-http"
version = "0.62.4"
version = "0.62.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "3feafd437c763db26aa04e0cc7591185d0961e64c61885bece0fb9d50ceac671"
checksum = "445d5d720c99eed0b4aa674ed00d835d9b1427dd73e04adaf2f94c6b2d6f9fca"
dependencies = [
"aws-smithy-runtime-api",
"aws-smithy-types",
"bytes",
"bytes-utils",
"futures-core",
"futures-util",
"http 0.2.12",
"http 1.3.1",
"http-body 0.4.6",
@ -547,9 +548,9 @@ dependencies = [
[[package]]
name = "aws-smithy-json"
version = "0.61.6"
version = "0.61.7"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "cff418fc8ec5cadf8173b10125f05c2e7e1d46771406187b2c878557d4503390"
checksum = "2db31f727935fc63c6eeae8b37b438847639ec330a9161ece694efba257e0c54"
dependencies = [
"aws-smithy-types",
]
@ -575,9 +576,9 @@ dependencies = [
[[package]]
name = "aws-smithy-runtime"
version = "1.9.3"
version = "1.9.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "40ab99739082da5347660c556689256438defae3bcefd66c52b095905730e404"
checksum = "0bbe9d018d646b96c7be063dd07987849862b0e6d07c778aad7d93d1be6c1ef0"
dependencies = [
"aws-smithy-async",
"aws-smithy-http",
@ -638,18 +639,18 @@ dependencies = [
[[package]]
name = "aws-smithy-xml"
version = "0.60.11"
version = "0.60.12"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e9c34127e8c624bc2999f3b657e749c1393bedc9cd97b92a804db8ced4d2e163"
checksum = "eab77cdd036b11056d2a30a7af7b775789fb024bf216acc13884c6c97752ae56"
dependencies = [
"xmlparser",
]
[[package]]
name = "aws-types"
version = "1.3.9"
version = "1.3.10"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e2fd329bf0e901ff3f60425691410c69094dc2a1f34b331f37bfc4e9ac1565a1"
checksum = "d79fb68e3d7fe5d4833ea34dc87d2e97d26d3086cb3da660bb6b1f76d98680b6"
dependencies = [
"aws-credential-types",
"aws-smithy-async",
@ -919,9 +920,9 @@ dependencies = [
[[package]]
name = "cc"
version = "1.2.43"
version = "1.2.45"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "739eb0f94557554b3ca9a86d2d37bebd49c5e6d0c1d2bda35ba5bdac830befc2"
checksum = "35900b6c8d709fb1d854671ae27aeaa9eec2f8b01b364e1619a40da3e6fe2afe"
dependencies = [
"find-msvc-tools",
"jobserver",
@ -993,9 +994,9 @@ checksum = "b9e769b5c8c8283982a987c6e948e540254f1058d5a74b8794914d4ef5fc2a24"
[[package]]
name = "compression-codecs"
version = "0.4.31"
version = "0.4.32"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ef8a506ec4b81c460798f572caead636d57d3d7e940f998160f52bd254bf2d23"
checksum = "680dc087785c5230f8e8843e2e57ac7c1c90488b6a91b88caa265410568f441b"
dependencies = [
"brotli",
"compression-core",
@ -1007,9 +1008,9 @@ dependencies = [
[[package]]
name = "compression-core"
version = "0.4.29"
version = "0.4.30"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e47641d3deaf41fb1538ac1f54735925e275eaf3bf4d55c81b137fba797e5cbb"
checksum = "3a9b614a5787ef0c8802a55766480563cb3a93b435898c422ed2a359cf811582"
[[package]]
name = "concurrent-queue"
@ -1738,7 +1739,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "39cab71617ae0d63f51a36d69f866391735b51691dbda63cf6f96d042b63efeb"
dependencies = [
"libc",
"windows-sys 0.59.0",
"windows-sys 0.61.2",
]
[[package]]
@ -2414,8 +2415,7 @@ dependencies = [
"http 1.3.1",
"hyper 1.7.0",
"hyper-util",
"rustls 0.23.34",
"rustls-native-certs",
"rustls 0.23.35",
"rustls-pki-types",
"tokio",
"tokio-rustls 0.26.4",
@ -2656,9 +2656,9 @@ checksum = "469fb0b9cefa57e3ef31275ee7cacb78f2fdca44e4765491884a2b119d4eb130"
[[package]]
name = "iri-string"
version = "0.7.8"
version = "0.7.9"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "dbc5ebe9c3a1a7a5127f920a418f7585e9e758e911d0466ed004f393b0e380b2"
checksum = "4f867b9d1d896b67beb18518eda36fdb77a32ea590de864f1325b294a6d14397"
dependencies = [
"memchr",
"serde",
@ -2672,7 +2672,7 @@ checksum = "3640c1c38b8e4e43584d8df18be5fc6b0aa314ce6ebf51b53313d4306cca8e46"
dependencies = [
"hermit-abi",
"libc",
"windows-sys 0.59.0",
"windows-sys 0.61.2",
]
[[package]]
@ -2791,7 +2791,7 @@ dependencies = [
"nom 8.0.0",
"percent-encoding",
"quoted_printable",
"rustls 0.23.34",
"rustls 0.23.35",
"rustls-native-certs",
"serde",
"socket2 0.6.1",
@ -3098,7 +3098,7 @@ version = "0.50.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7957b9740744892f114936ab4a57b3f487491bbeafaf8083688b16841a4240e5"
dependencies = [
"windows-sys 0.59.0",
"windows-sys 0.61.2",
]
[[package]]
@ -3113,11 +3113,10 @@ dependencies = [
[[package]]
name = "num-bigint-dig"
version = "0.8.4"
version = "0.8.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "dc84195820f291c7697304f3cbdadd1cb7199c0efc917ff5eafd71225c136151"
checksum = "82c79c15c05d4bf82b6f5ef163104cc81a760d8e874d38ac50ab67c8877b647b"
dependencies = [
"byteorder",
"lazy_static",
"libm",
"num-integer",
@ -3215,7 +3214,7 @@ version = "5.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "51e219e79014df21a225b1860a479e2dcd7cbd9130f4defd4bd0e191ea31d67d"
dependencies = [
"base64 0.22.1",
"base64 0.21.7",
"chrono",
"getrandom 0.2.16",
"http 1.3.1",
@ -3318,9 +3317,9 @@ dependencies = [
[[package]]
name = "openssl"
version = "0.10.74"
version = "0.10.75"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "24ad14dd45412269e1a30f52ad8f0664f0f4f4a89ee8fe28c3b3527021ebb654"
checksum = "08838db121398ad17ab8531ce9de97b244589089e290a384c900cb9ff7434328"
dependencies = [
"bitflags",
"cfg-if",
@ -3359,9 +3358,9 @@ dependencies = [
[[package]]
name = "openssl-sys"
version = "0.9.110"
version = "0.9.111"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0a9f0075ba3c21b09f8e8b2026584b1d18d49388648f2fbbf3c97ea8deced8e2"
checksum = "82cab2d520aa75e3c58898289429321eb788c3106963d0dc886ec7a5f4adc321"
dependencies = [
"cc",
"libc",
@ -3881,7 +3880,7 @@ dependencies = [
"quinn-proto",
"quinn-udp",
"rustc-hash",
"rustls 0.23.34",
"rustls 0.23.35",
"socket2 0.5.10",
"thiserror 2.0.17",
"tokio",
@ -3901,7 +3900,7 @@ dependencies = [
"rand 0.9.2",
"ring",
"rustc-hash",
"rustls 0.23.34",
"rustls 0.23.35",
"rustls-pki-types",
"slab",
"thiserror 2.0.17",
@ -3921,14 +3920,14 @@ dependencies = [
"once_cell",
"socket2 0.5.10",
"tracing",
"windows-sys 0.59.0",
"windows-sys 0.60.2",
]
[[package]]
name = "quote"
version = "1.0.41"
version = "1.0.42"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ce25767e7b499d1b604768e7cde645d14cc8584231ea6b295e9c9eb22c02e1d1"
checksum = "a338cc41d27e6cc6dce6cefc13a0729dfbb81c262b1f519331575dd80ef3067f"
dependencies = [
"proc-macro2",
]
@ -4162,8 +4161,7 @@ dependencies = [
"percent-encoding",
"pin-project-lite",
"quinn",
"rustls 0.23.34",
"rustls-native-certs",
"rustls 0.23.35",
"rustls-pki-types",
"serde",
"serde_json",
@ -4416,7 +4414,7 @@ dependencies = [
"errno",
"libc",
"linux-raw-sys",
"windows-sys 0.59.0",
"windows-sys 0.61.2",
]
[[package]]
@ -4433,9 +4431,9 @@ dependencies = [
[[package]]
name = "rustls"
version = "0.23.34"
version = "0.23.35"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "6a9586e9ee2b4f8fab52a0048ca7334d7024eef48e2cb9407e3497bb7cab7fa7"
checksum = "533f54bc6a7d4f647e46ad909549eda97bf5afc1585190ef692b4286b198bd8f"
dependencies = [
"log",
"once_cell",
@ -4560,9 +4558,9 @@ dependencies = [
[[package]]
name = "schemars"
version = "1.0.4"
version = "1.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "82d20c4491bc164fa2f6c5d44565947a52ad80b9505d8e36f8d54c27c739fcd0"
checksum = "9558e172d4e8533736ba97870c4b2cd63f84b382a3d6eb063da41b91cce17289"
dependencies = [
"dyn-clone",
"ref-cast",
@ -4788,7 +4786,7 @@ dependencies = [
"indexmap 1.9.3",
"indexmap 2.12.0",
"schemars 0.9.0",
"schemars 1.0.4",
"schemars 1.1.0",
"serde_core",
"serde_json",
"serde_with_macros",
@ -4971,9 +4969,9 @@ dependencies = [
[[package]]
name = "sqlite-wasm-rs"
version = "0.4.6"
version = "0.4.7"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "54e4348c16a3d2e2a45437eff67efc5462b60443de76f61b5d0ed9111c626d9d"
checksum = "35c6d746902bca4ddf16592357eacf0473631ea26b36072f0dd0b31fa5ccd1f4"
dependencies = [
"js-sys",
"once_cell",
@ -5049,9 +5047,9 @@ dependencies = [
[[package]]
name = "syn"
version = "2.0.108"
version = "2.0.110"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "da58917d35242480a05c2897064da0a80589a2a0476c9a3f2fdc83b53502e917"
checksum = "a99801b5bd34ede4cf3fc688c5919368fea4e4814a4664359503e6015b280aea"
dependencies = [
"proc-macro2",
"quote",
@ -5127,7 +5125,7 @@ dependencies = [
"getrandom 0.3.4",
"once_cell",
"rustix",
"windows-sys 0.59.0",
"windows-sys 0.61.2",
]
[[package]]
@ -5309,7 +5307,7 @@ version = "0.26.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1729aa945f29d91ba541258c8df89027d5792d85a8841fb65e8bf0f4ede4ef61"
dependencies = [
"rustls 0.23.34",
"rustls 0.23.35",
"tokio",
]
@ -5338,9 +5336,9 @@ dependencies = [
[[package]]
name = "tokio-util"
version = "0.7.16"
version = "0.7.17"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "14307c986784f72ef81c89db7d9e28d6ac26d16213b109ea501696195e6e3ce5"
checksum = "2efa149fe76073d6e8fd97ef4f4eca7b67f599660115591483572e406e165594"
dependencies = [
"bytes",
"futures-core",
@ -5972,9 +5970,9 @@ dependencies = [
[[package]]
name = "webpki-roots"
version = "1.0.3"
version = "1.0.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "32b130c0d2d49f8b6889abc456e795e82525204f27c42cf767cf0d7734e089b8"
checksum = "b2878ef029c47c6e8cf779119f20fcf52bde7ad42a731b2a304bc221df17571e"
dependencies = [
"rustls-pki-types",
]

5
Cargo.toml
View file

@ -143,7 +143,8 @@ email_address = "0.2.9"
handlebars = { version = "6.3.2", features = ["dir_source"] }
# HTTP client (Used for favicons, version check, DUO and HIBP API)
reqwest = { version = "0.12.24", features = ["rustls-tls", "rustls-tls-native-roots", "stream", "json", "deflate", "gzip", "brotli", "zstd", "socks", "cookies", "charset", "http2", "system-proxy"], default-features = false}
# Swap rustls -> native-tls for experiment to avoid pulling webpki-roots (CDLA-Permissive-2.0)
reqwest = { version = "0.12.24", features = ["native-tls", "stream", "json", "deflate", "gzip", "brotli", "zstd", "socks", "cookies", "charset", "http2", "system-proxy"], default-features = false }
hickory-resolver = "0.25.2"
# Favicon extraction libraries
@ -171,7 +172,7 @@ pastey = "0.1.1"
governor = "0.10.1"
# OIDC for SSO
openidconnect = { version = "^4.0", features = ["reqwest", "native-tls"] }
openidconnect = { version = "^4.0", features = ["native-tls"] }
mini-moka = "0.10.3"
# Check client versions for specific features.

7
deny.toml
View file

@ -18,5 +18,12 @@ allow = [
"ISC",
"0BSD",
"Zlib",
# Temporary additions to unblock CI while we pursue upgrades/replacements
# These MUST be timeboxed and reviewed per PR checklist
"MPL-2.0",
"CDLA-Permissive-2.0",
# Per-issue temporary exception added 2025-11-12 to unblock CI for remaining ar_archive_writer
# Timebox: remove no later than 2026-02-10 (90 days)
"Apache-2.0 WITH LLVM-exception",
]
exceptions = []

18
docker/audit/exp/patch_and_run.sh Normal file
View file

@ -0,0 +1,18 @@
#!/usr/bin/env bash
set -euo pipefail
# Safe copy of workspace
cp -a /workspace /tmp/wrk_copy
cd /tmp/wrk_copy
# Try bumping webauthn-rs to 0.6 in the copy (non-destructive)
perl -0777 -pe 's/webauthn-rs\s*=\s*"[^"]+"/webauthn-rs = "0.6"/g' -i Cargo.toml || true
# Attempt to update that package only
/usr/local/cargo/bin/cargo update -p webauthn-rs || true
# Run cargo-deny licenses check and capture outputs
/usr/local/cargo/bin/cargo deny --manifest-path Cargo.toml --format json check licenses > /tmp/deny_licenses.json 2>/tmp/deny_licenses.err || true
# Record done marker
echo done > /tmp/exp.done

16
docker/audit/exp/reqwest_native_exp.sh Normal file
View file

@ -0,0 +1,16 @@
#!/usr/bin/env bash
set -euo pipefail
cp -a /workspace /tmp/wrk_req
cd /tmp/wrk_req
# Replace rustls features to prefer native-tls in reqwest (simple approach editing Cargo.toml)
perl -0777 -pe 's/reqwest\s*=\s*"[^"]+"/reqwest = "0.12.24"/g' -i Cargo.toml || true
# Remove rustls-tls feature and add tls = "native-tls" where features are specified
perl -0777 -pe 's/rustls-tls/native-tls/g' -i Cargo.toml || true
# Attempt to update reqwest and run cargo-deny licenses in the copied workspace
/usr/local/cargo/bin/cargo update -p reqwest || true
/usr/local/cargo/bin/cargo deny --manifest-path Cargo.toml --format json check licenses > /tmp/deny_reqwest_native.json 2>/tmp/deny_reqwest_native.err || true
echo done > /tmp/req_exp.done

1
docker/audit/output/ar_exp.done Normal file
View file

@ -0,0 +1 @@
done

2
docker/audit/output/deny_ar_update.err Normal file
View file

@ -0,0 +1,2 @@
{"fields":{"code":"rejected","graphs":[{"Krate":{"name":"ar_archive_writer","version":"0.2.0"},"parents":[{"Krate":{"kind":"build","name":"psm","version":"0.1.28"},"parents":[{"Krate":{"name":"stacker","version":"0.1.22"},"parents":[{"Krate":{"name":"chumsky","version":"0.9.3"},"parents":[{"Krate":{"name":"lettre","version":"0.11.19"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"}}]}]}]}]}]}],"labels":[{"column":12,"line":22,"message":"","span":"Apache-2.0 WITH LLVM-exception"},{"column":12,"line":22,"message":"rejected: license is not explicitly allowed","span":"Apache-2.0 WITH LLVM-exception"}],"message":"failed to satisfy license requirements","notes":["Apache-2.0 - Apache License 2.0:"," - OSI approved"," - FSF Free/Libre"],"severity":"error"},"type":"diagnostic"}
{"fields":{"licenses":{"errors":1,"helps":536,"notes":0,"warnings":0}},"type":"summary"}

0
docker/audit/output/deny_ar_update.json Normal file
View file

1
docker/audit/output/deny_let_update.err Normal file
View file

@ -0,0 +1 @@
{"fields":{"licenses":{"errors":0,"helps":537,"notes":0,"warnings":0}},"type":"summary"}

0
docker/audit/output/deny_let_update.json Normal file
View file

2
docker/audit/output/deny_licenses.err Normal file
View file

@ -0,0 +1,2 @@
{"fields":{"code":"rejected","graphs":[{"Krate":{"name":"ar_archive_writer","version":"0.2.0"},"parents":[{"Krate":{"kind":"build","name":"psm","version":"0.1.28"},"parents":[{"Krate":{"name":"stacker","version":"0.1.22"},"parents":[{"Krate":{"name":"chumsky","version":"0.9.3"},"parents":[{"Krate":{"name":"lettre","version":"0.11.19"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"}}]}]}]}]}]}],"labels":[{"column":12,"line":22,"message":"","span":"Apache-2.0 WITH LLVM-exception"},{"column":12,"line":22,"message":"rejected: license is not explicitly allowed","span":"Apache-2.0 WITH LLVM-exception"}],"message":"failed to satisfy license requirements","notes":["Apache-2.0 - Apache License 2.0:"," - OSI approved"," - FSF Free/Libre"],"severity":"error"},"type":"diagnostic"}
{"fields":{"licenses":{"errors":1,"helps":536,"notes":0,"warnings":0}},"type":"summary"}

0
docker/audit/output/deny_licenses.json Normal file
View file

8
docker/audit/output/deny_licenses_exp.err Normal file
View file

@ -0,0 +1,8 @@
{"fields":{"code":"rejected","graphs":[{"Krate":{"name":"ar_archive_writer","version":"0.2.0"},"parents":[{"Krate":{"kind":"build","name":"psm","version":"0.1.28"},"parents":[{"Krate":{"name":"stacker","version":"0.1.22"},"parents":[{"Krate":{"name":"chumsky","version":"0.9.3"},"parents":[{"Krate":{"name":"lettre","version":"0.11.19"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"}}]}]}]}]}]}],"labels":[{"column":12,"line":22,"message":"","span":"Apache-2.0 WITH LLVM-exception"},{"column":12,"line":22,"message":"rejected: license is not explicitly allowed","span":"Apache-2.0 WITH LLVM-exception"}],"message":"failed to satisfy license requirements","notes":["Apache-2.0 - Apache License 2.0:"," - OSI approved"," - FSF Free/Libre"],"severity":"error"},"type":"diagnostic"}
{"fields":{"code":"rejected","graphs":[{"Krate":{"name":"base64urlsafedata","version":"0.5.3"},"parents":[{"Krate":{"name":"webauthn-attestation-ca","version":"0.5.3"},"parents":[{"Krate":{"name":"webauthn-rs-core","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"}},{"Krate":{"name":"webauthn-rs","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true}]}]}]},{"Krate":{"name":"webauthn-rs","version":"0.5.3"},"repeat":true},{"Krate":{"name":"webauthn-rs-core","version":"0.5.3"},"repeat":true},{"Krate":{"name":"webauthn-rs-proto","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true},{"Krate":{"name":"webauthn-rs-core","version":"0.5.3"},"repeat":true}]}]}],"labels":[{"column":12,"line":35,"message":"","span":"MPL-2.0"},{"column":12,"line":35,"message":"rejected: license is not explicitly allowed","span":"MPL-2.0"}],"message":"failed to satisfy license requirements","notes":["MPL-2.0 - Mozilla Public License 2.0:"," - OSI approved"," - FSF Free/Libre"," - Copyleft"],"severity":"error"},"type":"diagnostic"}
{"fields":{"code":"rejected","graphs":[{"Krate":{"name":"webauthn-attestation-ca","version":"0.5.3"},"parents":[{"Krate":{"name":"webauthn-rs-core","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"}},{"Krate":{"name":"webauthn-rs","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true}]}]}]}],"labels":[{"column":12,"line":30,"message":"","span":"MPL-2.0"},{"column":12,"line":30,"message":"rejected: license is not explicitly allowed","span":"MPL-2.0"}],"message":"failed to satisfy license requirements","notes":["MPL-2.0 - Mozilla Public License 2.0:"," - OSI approved"," - FSF Free/Libre"," - Copyleft"],"severity":"error"},"type":"diagnostic"}
{"fields":{"code":"rejected","graphs":[{"Krate":{"name":"webauthn-rs","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"}}]}],"labels":[{"column":12,"line":39,"message":"","span":"MPL-2.0"},{"column":12,"line":39,"message":"rejected: license is not explicitly allowed","span":"MPL-2.0"}],"message":"failed to satisfy license requirements","notes":["MPL-2.0 - Mozilla Public License 2.0:"," - OSI approved"," - FSF Free/Libre"," - Copyleft"],"severity":"error"},"type":"diagnostic"}
{"fields":{"code":"rejected","graphs":[{"Krate":{"name":"webauthn-rs-core","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"}},{"Krate":{"name":"webauthn-rs","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true}]}]}],"labels":[{"column":12,"line":38,"message":"","span":"MPL-2.0"},{"column":12,"line":38,"message":"rejected: license is not explicitly allowed","span":"MPL-2.0"}],"message":"failed to satisfy license requirements","notes":["MPL-2.0 - Mozilla Public License 2.0:"," - OSI approved"," - FSF Free/Libre"," - Copyleft"],"severity":"error"},"type":"diagnostic"}
{"fields":{"code":"rejected","graphs":[{"Krate":{"name":"webauthn-rs-proto","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"}},{"Krate":{"name":"webauthn-rs-core","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true},{"Krate":{"name":"webauthn-rs","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true}]}]}]}],"labels":[{"column":12,"line":38,"message":"","span":"MPL-2.0"},{"column":12,"line":38,"message":"rejected: license is not explicitly allowed","span":"MPL-2.0"}],"message":"failed to satisfy license requirements","notes":["MPL-2.0 - Mozilla Public License 2.0:"," - OSI approved"," - FSF Free/Libre"," - Copyleft"],"severity":"error"},"type":"diagnostic"}
{"fields":{"code":"rejected","graphs":[{"Krate":{"name":"webpki-roots","version":"1.0.3"},"parents":[{"Krate":{"name":"hyper-rustls","version":"0.27.7"},"parents":[{"Krate":{"name":"reqwest","version":"0.12.24"},"parents":[{"Krate":{"name":"oauth2","version":"5.0.0"},"parents":[{"Krate":{"name":"openidconnect","version":"4.0.1"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"}}]}]},{"Krate":{"name":"opendal","version":"0.54.1"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true}]},{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true},{"Krate":{"name":"yubico_ng","version":"0.14.1"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true}]}]}]},{"Krate":{"name":"reqwest","version":"0.12.24"},"repeat":true}]}],"labels":[{"column":12,"line":26,"message":"","span":"CDLA-Permissive-2.0"},{"column":12,"line":26,"message":"rejected: license is not explicitly allowed","span":"CDLA-Permissive-2.0"}],"message":"failed to satisfy license requirements","notes":["CDLA-Permissive-2.0 - Community Data License Agreement Permissive 2.0:"," - No additional metadata available for license"],"severity":"error"},"type":"diagnostic"}
{"fields":{"licenses":{"errors":7,"helps":530,"notes":0,"warnings":0}},"type":"summary"}

0
docker/audit/output/deny_licenses_exp.json Normal file
View file

2
docker/audit/output/deny_reqwest_native.err Normal file
View file

@ -0,0 +1,2 @@
{"fields":{"code":"rejected","graphs":[{"Krate":{"name":"ar_archive_writer","version":"0.2.0"},"parents":[{"Krate":{"kind":"build","name":"psm","version":"0.1.28"},"parents":[{"Krate":{"name":"stacker","version":"0.1.22"},"parents":[{"Krate":{"name":"chumsky","version":"0.9.3"},"parents":[{"Krate":{"name":"lettre","version":"0.11.19"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"}}]}]}]}]}]}],"labels":[{"column":12,"line":22,"message":"","span":"Apache-2.0 WITH LLVM-exception"},{"column":12,"line":22,"message":"rejected: license is not explicitly allowed","span":"Apache-2.0 WITH LLVM-exception"}],"message":"failed to satisfy license requirements","notes":["Apache-2.0 - Apache License 2.0:"," - OSI approved"," - FSF Free/Libre"],"severity":"error"},"type":"diagnostic"}
{"fields":{"licenses":{"errors":1,"helps":536,"notes":0,"warnings":0}},"type":"summary"}

0
docker/audit/output/deny_reqwest_native.json Normal file
View file

1
docker/audit/output/deny_with_allow.done Normal file
View file

@ -0,0 +1 @@
done

1
docker/audit/output/deny_with_allow.err Normal file
View file

@ -0,0 +1 @@
{"fields":{"licenses":{"errors":0,"helps":537,"notes":0,"warnings":0}},"type":"summary"}

0
docker/audit/output/deny_with_allow.json Normal file
View file

1
docker/audit/output/exp.done Normal file
View file

@ -0,0 +1 @@
done

1
docker/audit/output/let_exp.done Normal file
View file

@ -0,0 +1 @@
done

6
docker/audit/output/metadata.err Normal file
View file

@ -0,0 +1,6 @@
info: syncing channel updates for '1.91.0-x86_64-unknown-linux-gnu'
info: latest update on 2025-10-30, rust version 1.91.0 (f8297e351 2025-10-28)
info: downloading component 'clippy'
info: downloading component 'rustfmt'
info: installing component 'clippy'
info: installing component 'rustfmt'

1
docker/audit/output/metadata.json Normal file
View file

File diff suppressed because one or more lines are too long

1
docker/audit/output/native.done Normal file
View file

@ -0,0 +1 @@
done

2
docker/audit/output/native.log Normal file
View file

@ -0,0 +1,2 @@
starting native-tls experiment
cargo update done

305
docker/audit/output/native_build.err Normal file
View file

@ -0,0 +1,305 @@
Downloading crates ...
Downloaded foreign-types v0.3.2
Downloaded darling_macro v0.20.11
Downloaded alloc-stdlib v0.2.2
Downloaded base64urlsafedata v0.5.3
Downloaded asn1-rs-impl v0.2.0
Downloaded alloc-no-stdlib v2.0.4
Downloaded event-listener-strategy v0.5.4
Downloaded async-stream-impl v0.3.6
Downloaded email-encoding v0.4.1
Downloaded futures-timer v3.0.3
Downloaded devise_codegen v0.4.2
Downloaded dsl_auto_type v0.2.0
Downloaded event-listener v2.5.3
Downloaded dyn-clone v1.0.20
Downloaded futures-executor v0.3.31
Downloaded hyper-tls v0.6.0
Downloaded group v0.13.0
Downloaded hostname v0.4.1
Downloaded futures-macro v0.3.31
Downloaded rand_core v0.6.4
Downloaded data-url v0.3.2
Downloaded dashmap v5.5.3
Downloaded rand_chacha v0.3.1
Downloaded blake2 v0.10.6
Downloaded futures v0.3.31
Downloaded hmac v0.12.1
Downloaded cookie v0.18.1
Downloaded base64 v0.21.7
Downloaded iana-time-zone v0.1.64
Downloaded rocket_ws v0.1.1
Downloaded rfc6979 v0.4.0
Downloaded resolv-conf v0.7.5
Downloaded derive_more v2.0.1
Downloaded rustls-pemfile v1.0.4
Downloaded darling_core v0.21.3
Downloaded serde-value v0.7.0
Downloaded bigdecimal v0.4.9
Downloaded sec1 v0.7.3
Downloaded diesel_derives v2.3.4
Downloaded siphasher v1.0.1
Downloaded simple_asn1 v0.6.3
Downloaded totp-lite v2.0.1
Downloaded serde_with_macros v3.15.1
Downloaded async-std v1.13.2
Downloaded webauthn-attestation-ca v0.5.3
Downloaded webauthn-rs-proto v0.5.3
Downloaded webauthn-rs v0.5.3
Downloaded schemars v0.9.0
Downloaded yubico_ng v0.14.1
Downloaded value-bag v1.11.1
Downloaded rpassword v7.4.0
Downloaded yansi v1.0.1
Downloaded curve25519-dalek v4.1.3
Downloaded r2d2 v0.8.10
Downloaded pem-rfc7468 v0.7.0
Downloaded winnow v0.6.26
Downloaded rustls v0.21.12
Downloaded web-time v1.1.0
Downloaded syn v2.0.110
Downloaded uncased v0.9.10
Downloaded tagptr v0.2.0
Downloaded hickory-resolver v0.25.2
Downloaded zerocopy-derive v0.8.27
Downloaded x509-parser v0.16.0
Downloaded psm v0.1.28
Downloaded webauthn-rs-core v0.5.3
Downloaded pest_derive v2.8.3
Downloaded indexmap v1.9.3
Downloaded litrs v1.0.0
Downloaded vcpkg v0.2.15
Downloaded which v8.0.0
Downloaded publicsuffix v2.3.0
Downloaded oauth2 v5.0.0
Downloaded num-bigint v0.4.6
Downloaded grass_compiler v0.13.4
Downloaded pest v2.8.3
Downloaded num-bigint-dig v0.8.5
Downloaded openidconnect v4.0.1
Downloaded rustls-webpki v0.101.7
Downloaded quick-xml v0.38.3
Downloaded portable-atomic v1.11.1
Downloaded p384 v0.13.1
Downloaded object v0.32.2
Downloaded lettre v0.11.19
Downloaded openssl v0.10.75
Downloaded moka v0.12.11
Downloaded hyper v0.14.32
Downloaded hickory-proto v0.25.2
Downloaded itertools v0.10.5
Downloaded nom v8.0.0
Downloaded nom v7.1.3
Downloaded libm v0.2.15
Downloaded minimal-lexical v0.2.1
Downloaded hkdf v0.12.4
Downloaded governor v0.10.1
Downloaded lasso v0.7.3
Downloaded hashbrown v0.14.5
Downloaded p256 v0.13.2
Downloaded mini-moka v0.10.3
Downloaded jsonwebtoken v9.3.1
Downloaded hashbrown v0.12.3
Downloaded ucd-trie v0.1.7
Downloaded polling v3.11.0
Downloaded num-modular v0.6.1
Downloaded native-tls v0.2.14
Downloaded pest_generator v2.8.3
Downloaded openssl-sys v0.9.111
Downloaded chrono-tz v0.10.4
Downloaded brotli v8.0.2
Downloaded http v0.2.12
Downloaded html5gum v0.8.0
Downloaded handlebars v6.3.2
Downloaded pkcs8 v0.10.2
Downloaded pkcs1 v0.7.5
Downloaded pest_meta v2.8.3
Downloaded num-order v1.2.0
Downloaded opendal v0.54.1
Downloaded multer v3.1.0
Downloaded diesel v2.3.3
Downloaded jetscii v0.5.3
Downloaded thiserror-impl v1.0.69
Downloaded thiserror v1.0.69
Downloaded quoted_printable v0.5.1
Downloaded pico-args v0.5.0
Downloaded phf_shared v0.11.3
Downloaded phf_generator v0.11.3
Downloaded phf v0.11.3
Downloaded pear v0.2.9
Downloaded oid-registry v0.7.1
Downloaded num_cpus v1.17.0
Downloaded num-iter v0.1.45
Downloaded num-integer v0.1.46
Downloaded num-derive v0.4.2
Downloaded migrations_macros v2.3.0
Downloaded md-5 v0.10.6
Downloaded kv-log-macro v1.0.7
Downloaded job_scheduler_ng v2.4.0
Downloaded rocket v0.5.1
Downloaded primeorder v0.13.6
Downloaded phf_macros v0.11.3
Downloaded phf v0.12.1
Downloaded pem v3.0.6
Downloaded nonzero_ext v0.3.0
Downloaded serde_with v3.15.1
Downloaded proc-macro2-diagnostics v0.10.1
Downloaded chrono v0.4.42
Downloaded half v2.7.1
Downloaded rocket_codegen v0.5.1
Downloaded raw-cpuid v11.6.0
Downloaded uuid v1.18.1
Downloaded tungstenite v0.21.0
Downloaded schemars v1.1.0
Downloaded brotli-decompressor v5.0.0
Downloaded xml-rs v0.8.28
Downloaded tokio-tungstenite v0.21.0
Downloaded tokio-stream v0.1.17
Downloaded threadpool v1.8.1
Downloaded rsa v0.9.8
Downloaded piper v0.2.4
Downloaded state v0.6.0
Downloaded rocket_http v0.5.1
Downloaded ubyte v0.10.4
Downloaded triomphe v0.1.15
Downloaded tokio-native-tls v0.3.1
Downloaded tokio-macros v2.6.0
Downloaded spinning_top v0.3.0
Downloaded spin v0.9.8
Downloaded socket2 v0.5.10
Downloaded sct v0.7.1
Downloaded openssl-macros v0.1.1
Downloaded num_threads v0.1.7
Downloaded is-terminal v0.4.17
Downloaded ed25519-dalek v2.2.0
Downloaded utf-8 v0.7.6
Downloaded tokio-rustls v0.24.1
Downloaded syslog v7.0.0
Downloaded stable-pattern v0.1.0
Downloaded spki v0.7.3
Downloaded serde_cbor_2 v0.13.0
Downloaded quick-error v2.0.1
Downloaded quanta v0.12.6
Downloaded password-hash v0.5.0
Downloaded migrations_internals v2.3.0
Downloaded inlinable_string v0.1.15
Downloaded svg-hush v0.9.5
Downloaded stacker v0.1.22
Downloaded pastey v0.1.1
Downloaded ordered-float v2.10.1
Downloaded signature v2.2.0
Downloaded serde_plain v1.0.2
Downloaded serde_path_to_error v0.1.20
Downloaded chumsky v0.9.3
Downloaded scheduled-thread-pool v0.2.7
Downloaded rusticata-macros v4.1.0
Downloaded rustc_version v0.4.1
Downloaded rtoolbox v0.0.3
Downloaded rmpv v1.3.0
Downloaded rand v0.8.5
Downloaded psl-types v2.0.11
Downloaded phf_shared v0.12.1
Downloaded pear_codegen v0.2.9
Downloaded parking v2.2.1
Downloaded async-compression v0.4.33
Downloaded asn1-rs v0.6.2
Downloaded reopen v1.0.3
Downloaded ref-cast-impl v1.0.25
Downloaded ref-cast v1.0.25
Downloaded derive_more-impl v2.0.1
Downloaded der v0.7.10
Downloaded crypto-bigint v0.5.5
Downloaded figment v0.10.19
Downloaded elliptic-curve v0.13.8
Downloaded der-parser v9.0.0
Downloaded darling_core v0.20.11
Downloaded cached v0.56.0
Downloaded event-listener v5.4.1
Downloaded darling v0.20.11
Downloaded const-oid v0.9.6
Downloaded hex v0.4.3
Downloaded ed25519 v2.2.3
Downloaded cookie_store v0.22.0
Downloaded compression-codecs v0.4.32
Downloaded downcast-rs v2.0.2
Downloaded derive_builder_core v0.20.2
Downloaded cookie_store v0.21.1
Downloaded ff v0.13.1
Downloaded darling v0.21.3
Downloaded async-io v2.6.0
Downloaded ahash v0.8.12
Downloaded email_address v0.2.9
Downloaded concurrent-queue v2.5.0
Downloaded async-trait v0.1.89
Downloaded async-process v2.5.0
Downloaded glob v0.3.3
Downloaded enum-as-inner v0.6.1
Downloaded document-features v0.2.12
Downloaded diesel_migrations v2.3.0
Downloaded devise_core v0.4.2
Downloaded devise v0.4.2
Downloaded data-encoding v2.9.0
Downloaded curve25519-dalek-derive v0.1.1
Downloaded cron v0.15.0
Downloaded cached_proc_macro v0.25.0
Downloaded httpdate v1.0.3
Downloaded http-body v0.4.6
Downloaded futures-lite v2.6.1
Downloaded dotenvy v0.15.7
Downloaded diesel_table_macro_syntax v0.3.0
Downloaded critical-section v1.2.0
Downloaded codemap v0.1.3
Downloaded base16ct v0.2.0
Downloaded atomic v0.5.3
Downloaded async-global-executor v2.4.1
Downloaded async-channel v2.5.0
Downloaded asn1-rs-derive v0.5.1
Downloaded foreign-types-shared v0.1.1
Downloaded ecdsa v0.16.9
Downloaded derive_builder v0.20.2
Downloaded backon v1.6.0
Downloaded async-stream v0.3.6
Downloaded async-signal v0.2.13
Downloaded async-lock v3.4.1
Downloaded diesel-derive-newtype v2.1.2
Downloaded compression-core v0.4.30
Downloaded cached_proc_macro_types v0.1.1
Downloaded darling_macro v0.21.3
Downloaded ar_archive_writer v0.2.0
Downloaded derive_builder_macro v0.20.2
Downloaded dashmap v6.1.0
Downloaded blocking v1.6.2
Downloaded base64ct v1.8.0
Downloaded env_home v0.1.0
Downloaded binascii v0.1.4
Downloaded async-task v4.7.1
Downloaded async-executor v1.13.3
Downloaded async-channel v1.9.0
Downloaded argon2 v0.5.3
Compiling proc-macro2 v1.0.103
Compiling unicode-ident v1.0.22
Compiling quote v1.0.42
Compiling libc v0.2.177
Compiling cfg-if v1.0.4
Compiling version_check v0.9.5
Compiling serde_core v1.0.228
Compiling memchr v2.7.6
Compiling smallvec v1.15.1
Compiling find-msvc-tools v0.1.4
Compiling shlex v1.3.0
Compiling serde v1.0.228
Compiling pin-project-lite v0.2.16
Compiling itoa v1.0.15
Compiling zeroize v1.8.2
Compiling portable-atomic v1.11.1
error: linker `cc` not found
|
= note: No such file or directory (os error 2)
error: could not compile `serde` (build script) due to 1 previous error
warning: build failed, waiting for other jobs to finish...
error: could not compile `proc-macro2` (build script) due to 1 previous error
error: could not compile `quote` (build script) due to 1 previous error
error: could not compile `serde_core` (build script) due to 1 previous error
error: could not compile `libc` (build script) due to 1 previous error
error: could not compile `portable-atomic` (build script) due to 1 previous error

0
docker/audit/output/native_build.out Normal file
View file

8
docker/audit/output/native_deny.err Normal file
View file

@ -0,0 +1,8 @@
{"fields":{"code":"rejected","graphs":[{"Krate":{"name":"ar_archive_writer","version":"0.2.0"},"parents":[{"Krate":{"kind":"build","name":"psm","version":"0.1.28"},"parents":[{"Krate":{"name":"stacker","version":"0.1.22"},"parents":[{"Krate":{"name":"chumsky","version":"0.9.3"},"parents":[{"Krate":{"name":"lettre","version":"0.11.19"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"}}]}]}]}]}]}],"labels":[{"column":12,"line":22,"message":"","span":"Apache-2.0 WITH LLVM-exception"},{"column":12,"line":22,"message":"rejected: license is not explicitly allowed","span":"Apache-2.0 WITH LLVM-exception"}],"message":"failed to satisfy license requirements","notes":["Apache-2.0 - Apache License 2.0:"," - OSI approved"," - FSF Free/Libre"],"severity":"error"},"type":"diagnostic"}
{"fields":{"code":"rejected","graphs":[{"Krate":{"name":"base64urlsafedata","version":"0.5.3"},"parents":[{"Krate":{"name":"webauthn-attestation-ca","version":"0.5.3"},"parents":[{"Krate":{"name":"webauthn-rs-core","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"}},{"Krate":{"name":"webauthn-rs","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true}]}]}]},{"Krate":{"name":"webauthn-rs","version":"0.5.3"},"repeat":true},{"Krate":{"name":"webauthn-rs-core","version":"0.5.3"},"repeat":true},{"Krate":{"name":"webauthn-rs-proto","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true},{"Krate":{"name":"webauthn-rs-core","version":"0.5.3"},"repeat":true}]}]}],"labels":[{"column":12,"line":35,"message":"","span":"MPL-2.0"},{"column":12,"line":35,"message":"rejected: license is not explicitly allowed","span":"MPL-2.0"}],"message":"failed to satisfy license requirements","notes":["MPL-2.0 - Mozilla Public License 2.0:"," - OSI approved"," - FSF Free/Libre"," - Copyleft"],"severity":"error"},"type":"diagnostic"}
{"fields":{"code":"rejected","graphs":[{"Krate":{"name":"webauthn-attestation-ca","version":"0.5.3"},"parents":[{"Krate":{"name":"webauthn-rs-core","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"}},{"Krate":{"name":"webauthn-rs","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true}]}]}]}],"labels":[{"column":12,"line":30,"message":"","span":"MPL-2.0"},{"column":12,"line":30,"message":"rejected: license is not explicitly allowed","span":"MPL-2.0"}],"message":"failed to satisfy license requirements","notes":["MPL-2.0 - Mozilla Public License 2.0:"," - OSI approved"," - FSF Free/Libre"," - Copyleft"],"severity":"error"},"type":"diagnostic"}
{"fields":{"code":"rejected","graphs":[{"Krate":{"name":"webauthn-rs","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"}}]}],"labels":[{"column":12,"line":39,"message":"","span":"MPL-2.0"},{"column":12,"line":39,"message":"rejected: license is not explicitly allowed","span":"MPL-2.0"}],"message":"failed to satisfy license requirements","notes":["MPL-2.0 - Mozilla Public License 2.0:"," - OSI approved"," - FSF Free/Libre"," - Copyleft"],"severity":"error"},"type":"diagnostic"}
{"fields":{"code":"rejected","graphs":[{"Krate":{"name":"webauthn-rs-core","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"}},{"Krate":{"name":"webauthn-rs","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true}]}]}],"labels":[{"column":12,"line":38,"message":"","span":"MPL-2.0"},{"column":12,"line":38,"message":"rejected: license is not explicitly allowed","span":"MPL-2.0"}],"message":"failed to satisfy license requirements","notes":["MPL-2.0 - Mozilla Public License 2.0:"," - OSI approved"," - FSF Free/Libre"," - Copyleft"],"severity":"error"},"type":"diagnostic"}
{"fields":{"code":"rejected","graphs":[{"Krate":{"name":"webauthn-rs-proto","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"}},{"Krate":{"name":"webauthn-rs-core","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true},{"Krate":{"name":"webauthn-rs","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true}]}]}]}],"labels":[{"column":12,"line":38,"message":"","span":"MPL-2.0"},{"column":12,"line":38,"message":"rejected: license is not explicitly allowed","span":"MPL-2.0"}],"message":"failed to satisfy license requirements","notes":["MPL-2.0 - Mozilla Public License 2.0:"," - OSI approved"," - FSF Free/Libre"," - Copyleft"],"severity":"error"},"type":"diagnostic"}
{"fields":{"code":"rejected","graphs":[{"Krate":{"name":"webpki-roots","version":"1.0.4"},"parents":[{"Krate":{"name":"hyper-rustls","version":"0.27.7"},"parents":[{"Krate":{"name":"reqwest","version":"0.12.24"},"parents":[{"Krate":{"name":"oauth2","version":"5.0.0"},"parents":[{"Krate":{"name":"openidconnect","version":"4.0.1"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"}}]}]},{"Krate":{"name":"opendal","version":"0.54.1"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true}]},{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true},{"Krate":{"name":"yubico_ng","version":"0.14.1"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true}]}]}]},{"Krate":{"name":"reqwest","version":"0.12.24"},"repeat":true}]}],"labels":[{"column":12,"line":26,"message":"","span":"CDLA-Permissive-2.0"},{"column":12,"line":26,"message":"rejected: license is not explicitly allowed","span":"CDLA-Permissive-2.0"}],"message":"failed to satisfy license requirements","notes":["CDLA-Permissive-2.0 - Community Data License Agreement Permissive 2.0:"," - No additional metadata available for license"],"severity":"error"},"type":"diagnostic"}
{"fields":{"licenses":{"errors":7,"helps":530,"notes":0,"warnings":0}},"type":"summary"}

0
docker/audit/output/native_deny.json Normal file
View file

1
docker/audit/output/openid.done Normal file
View file

@ -0,0 +1 @@
done

302
docker/audit/output/openid_build.err Normal file
View file

@ -0,0 +1,302 @@
Downloading crates ...
Downloaded ar_archive_writer v0.2.0
Downloaded futures-timer v3.0.3
Downloaded codemap v0.1.3
Downloaded futures-lite v2.6.1
Downloaded derive_builder_macro v0.20.2
Downloaded data-url v0.3.2
Downloaded diesel_table_macro_syntax v0.3.0
Downloaded dsl_auto_type v0.2.0
Downloaded kv-log-macro v1.0.7
Downloaded jsonwebtoken v9.3.1
Downloaded mini-moka v0.10.3
Downloaded migrations_internals v2.3.0
Downloaded native-tls v0.2.14
Downloaded nonzero_ext v0.3.0
Downloaded migrations_macros v2.3.0
Downloaded hex v0.4.3
Downloaded hyper-tls v0.6.0
Downloaded async-global-executor v2.4.1
Downloaded data-encoding v2.9.0
Downloaded indexmap v1.9.3
Downloaded md-5 v0.10.6
Downloaded glob v0.3.3
Downloaded hmac v0.12.1
Downloaded compression-codecs v0.4.32
Downloaded futures v0.3.31
Downloaded multer v3.1.0
Downloaded ff v0.13.1
Downloaded dotenvy v0.15.7
Downloaded futures-executor v0.3.31
Downloaded async-compression v0.4.33
Downloaded elliptic-curve v0.13.8
Downloaded env_home v0.1.0
Downloaded brotli-decompressor v5.0.0
Downloaded dashmap v6.1.0
Downloaded darling_core v0.21.3
Downloaded darling_core v0.20.11
Downloaded ref-cast-impl v1.0.25
Downloaded ref-cast v1.0.25
Downloaded crypto-bigint v0.5.5
Downloaded oid-registry v0.7.1
Downloaded pkcs8 v0.10.2
Downloaded phf_shared v0.11.3
Downloaded phf_macros v0.11.3
Downloaded parking v2.2.1
Downloaded der v0.7.10
Downloaded num-integer v0.1.46
Downloaded litrs v1.0.0
Downloaded rustc_version v0.4.1
Downloaded rustls-pemfile v1.0.4
Downloaded rusticata-macros v4.1.0
Downloaded sct v0.7.1
Downloaded serde-value v0.7.0
Downloaded async-std v1.13.2
Downloaded thiserror-impl v1.0.69
Downloaded tokio-macros v2.6.0
Downloaded tokio-tungstenite v0.21.0
Downloaded utf-8 v0.7.6
Downloaded tungstenite v0.21.0
Downloaded hyper v0.14.32
Downloaded handlebars v6.3.2
Downloaded pear v0.2.9
Downloaded schemars v0.9.0
Downloaded triomphe v0.1.15
Downloaded yubico_ng v0.14.1
Downloaded webauthn-attestation-ca v0.5.3
Downloaded grass_compiler v0.13.4
Downloaded web-time v1.1.0
Downloaded uncased v0.9.10
Downloaded minimal-lexical v0.2.1
Downloaded rocket v0.5.1
Downloaded portable-atomic v1.11.1
Downloaded num-bigint v0.4.6
Downloaded quick-error v2.0.1
Downloaded pico-args v0.5.0
Downloaded vcpkg v0.2.15
Downloaded zerocopy-derive v0.8.27
Downloaded p384 v0.13.1
Downloaded oauth2 v5.0.0
Downloaded webauthn-rs-core v0.5.3
Downloaded object v0.32.2
Downloaded hickory-proto v0.25.2
Downloaded publicsuffix v2.3.0
Downloaded openidconnect v4.0.1
Downloaded num-bigint-dig v0.8.5
Downloaded nom v8.0.0
Downloaded moka v0.12.11
Downloaded libm v0.2.15
Downloaded lasso v0.7.3
Downloaded http v0.2.12
Downloaded html5gum v0.8.0
Downloaded hkdf v0.12.4
Downloaded hickory-resolver v0.25.2
Downloaded which v8.0.0
Downloaded webauthn-rs-proto v0.5.3
Downloaded value-bag v1.11.1
Downloaded totp-lite v2.0.1
Downloaded opendal v0.54.1
Downloaded threadpool v1.8.1
Downloaded tagptr v0.2.0
Downloaded syslog v7.0.0
Downloaded syn v2.0.110
Downloaded svg-hush v0.9.5
Downloaded state v0.6.0
Downloaded stacker v0.1.22
Downloaded stable-pattern v0.1.0
Downloaded scheduled-thread-pool v0.2.7
Downloaded quick-xml v0.38.3
Downloaded pest_meta v2.8.3
Downloaded resolv-conf v0.7.5
Downloaded openssl-sys v0.9.111
Downloaded quanta v0.12.6
Downloaded openssl v0.10.75
Downloaded itertools v0.10.5
Downloaded diesel v2.3.3
Downloaded chrono-tz v0.10.4
Downloaded pest v2.8.3
Downloaded ubyte v0.10.4
Downloaded spinning_top v0.3.0
Downloaded schemars v1.1.0
Downloaded rsa v0.9.8
Downloaded rpassword v7.4.0
Downloaded rocket_http v0.5.1
Downloaded rocket_codegen v0.5.1
Downloaded raw-cpuid v11.6.0
Downloaded r2d2 v0.8.10
Downloaded quoted_printable v0.5.1
Downloaded psm v0.1.28
Downloaded psl-types v2.0.11
Downloaded proc-macro2-diagnostics v0.10.1
Downloaded piper v0.2.4
Downloaded phf_shared v0.12.1
Downloaded phf v0.12.1
Downloaded pest_generator v2.8.3
Downloaded pest_derive v2.8.3
Downloaded pear_codegen v0.2.9
Downloaded yansi v1.0.1
Downloaded xml-rs v0.8.28
Downloaded x509-parser v0.16.0
Downloaded winnow v0.6.26
Downloaded webauthn-rs v0.5.3
Downloaded uuid v1.18.1
Downloaded serde_with_macros v3.15.1
Downloaded serde_with v3.15.1
Downloaded serde_plain v1.0.2
Downloaded serde_cbor_2 v0.13.0
Downloaded rustls v0.21.12
Downloaded rtoolbox v0.0.3
Downloaded rocket_ws v0.1.1
Downloaded rmpv v1.3.0
Downloaded rfc6979 v0.4.0
Downloaded figment v0.10.19
Downloaded diesel_derives v2.3.4
Downloaded derive_more-impl v2.0.1
Downloaded derive_more v2.0.1
Downloaded tokio-native-tls v0.3.1
Downloaded sec1 v0.7.3
Downloaded rustls-webpki v0.101.7
Downloaded lettre v0.11.19
Downloaded pastey v0.1.1
Downloaded password-hash v0.5.0
Downloaded p256 v0.13.2
Downloaded ordered-float v2.10.1
Downloaded num_threads v0.1.7
Downloaded num-order v1.2.0
Downloaded num-modular v0.6.1
Downloaded num-iter v0.1.45
Downloaded num-derive v0.4.2
Downloaded hashbrown v0.12.3
Downloaded ucd-trie v0.1.7
Downloaded tokio-stream v0.1.17
Downloaded tokio-rustls v0.24.1
Downloaded nom v7.1.3
Downloaded hashbrown v0.14.5
Downloaded governor v0.10.1
Downloaded rand v0.8.5
Downloaded iana-time-zone v0.1.64
Downloaded cached v0.56.0
Downloaded brotli v8.0.2
Downloaded bigdecimal v0.4.9
Downloaded reopen v1.0.3
Downloaded pem-rfc7468 v0.7.0
Downloaded num_cpus v1.17.0
Downloaded half v2.7.1
Downloaded chumsky v0.9.3
Downloaded thiserror v1.0.69
Downloaded spki v0.7.3
Downloaded spin v0.9.8
Downloaded socket2 v0.5.10
Downloaded siphasher v1.0.1
Downloaded simple_asn1 v0.6.3
Downloaded signature v2.2.0
Downloaded serde_path_to_error v0.1.20
Downloaded primeorder v0.13.6
Downloaded polling v3.11.0
Downloaded phf_generator v0.11.3
Downloaded pem v3.0.6
Downloaded openssl-macros v0.1.1
Downloaded event-listener v5.4.1
Downloaded document-features v0.2.12
Downloaded pkcs1 v0.7.5
Downloaded phf v0.11.3
Downloaded curve25519-dalek v4.1.3
Downloaded ed25519-dalek v2.2.0
Downloaded rand_core v0.6.4
Downloaded rand_chacha v0.3.1
Downloaded chrono v0.4.42
Downloaded base64 v0.21.7
Downloaded asn1-rs v0.6.2
Downloaded dashmap v5.5.3
Downloaded cron v0.15.0
Downloaded critical-section v1.2.0
Downloaded cookie v0.18.1
Downloaded foreign-types-shared v0.1.1
Downloaded event-listener-strategy v0.5.4
Downloaded event-listener v2.5.3
Downloaded email-encoding v0.4.1
Downloaded ecdsa v0.16.9
Downloaded compression-core v0.4.30
Downloaded const-oid v0.9.6
Downloaded async-lock v3.4.1
Downloaded async-channel v2.5.0
Downloaded async-channel v1.9.0
Downloaded argon2 v0.5.3
Downloaded httpdate v1.0.3
Downloaded group v0.13.0
Downloaded email_address v0.2.9
Downloaded der-parser v9.0.0
Downloaded futures-macro v0.3.31
Downloaded enum-as-inner v0.6.1
Downloaded ed25519 v2.2.3
Downloaded dyn-clone v1.0.20
Downloaded darling v0.20.11
Downloaded base64ct v1.8.0
Downloaded derive_builder_core v0.20.2
Downloaded derive_builder v0.20.2
Downloaded async-trait v0.1.89
Downloaded darling v0.21.3
Downloaded concurrent-queue v2.5.0
Downloaded ahash v0.8.12
Downloaded job_scheduler_ng v2.4.0
Downloaded jetscii v0.5.3
Downloaded is-terminal v0.4.17
Downloaded inlinable_string v0.1.15
Downloaded http-body v0.4.6
Downloaded hostname v0.4.1
Downloaded foreign-types v0.3.2
Downloaded curve25519-dalek-derive v0.1.1
Downloaded atomic v0.5.3
Downloaded async-stream v0.3.6
Downloaded downcast-rs v2.0.2
Downloaded diesel_migrations v2.3.0
Downloaded diesel-derive-newtype v2.1.2
Downloaded devise_core v0.4.2
Downloaded devise_codegen v0.4.2
Downloaded devise v0.4.2
Downloaded darling_macro v0.21.3
Downloaded cookie_store v0.22.0
Downloaded cookie_store v0.21.1
Downloaded darling_macro v0.20.11
Downloaded base16ct v0.2.0
Downloaded async-stream-impl v0.3.6
Downloaded asn1-rs-impl v0.2.0
Downloaded asn1-rs-derive v0.5.1
Downloaded alloc-stdlib v0.2.2
Downloaded alloc-no-stdlib v2.0.4
Downloaded cached_proc_macro_types v0.1.1
Downloaded cached_proc_macro v0.25.0
Downloaded blocking v1.6.2
Downloaded blake2 v0.10.6
Downloaded binascii v0.1.4
Downloaded backon v1.6.0
Downloaded base64urlsafedata v0.5.3
Downloaded async-task v4.7.1
Downloaded async-signal v0.2.13
Downloaded async-process v2.5.0
Downloaded async-io v2.6.0
Downloaded async-executor v1.13.3
Compiling proc-macro2 v1.0.103
Compiling unicode-ident v1.0.22
Compiling quote v1.0.42
Compiling libc v0.2.177
Compiling cfg-if v1.0.4
Compiling version_check v0.9.5
Compiling serde_core v1.0.228
Compiling memchr v2.7.6
Compiling smallvec v1.15.1
Compiling shlex v1.3.0
Compiling find-msvc-tools v0.1.4
Compiling pin-project-lite v0.2.16
Compiling serde v1.0.228
error: linker `cc` not found
|
= note: No such file or directory (os error 2)
Compiling itoa v1.0.15
error: could not compile `serde_core` (build script) due to 1 previous error
warning: build failed, waiting for other jobs to finish...
error: could not compile `quote` (build script) due to 1 previous error
error: could not compile `proc-macro2` (build script) due to 1 previous error
error: could not compile `libc` (build script) due to 1 previous error
error: could not compile `serde` (build script) due to 1 previous error

0
docker/audit/output/openid_build.out Normal file
View file

2
docker/audit/output/openid_deny.err Normal file
View file

@ -0,0 +1,2 @@
{"fields":{"code":"rejected","graphs":[{"Krate":{"name":"ar_archive_writer","version":"0.2.0"},"parents":[{"Krate":{"kind":"build","name":"psm","version":"0.1.28"},"parents":[{"Krate":{"name":"stacker","version":"0.1.22"},"parents":[{"Krate":{"name":"chumsky","version":"0.9.3"},"parents":[{"Krate":{"name":"lettre","version":"0.11.19"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"}}]}]}]}]}]}],"labels":[{"column":12,"line":22,"message":"","span":"Apache-2.0 WITH LLVM-exception"},{"column":12,"line":22,"message":"rejected: license is not explicitly allowed","span":"Apache-2.0 WITH LLVM-exception"}],"message":"failed to satisfy license requirements","notes":["Apache-2.0 - Apache License 2.0:"," - OSI approved"," - FSF Free/Libre"],"severity":"error"},"type":"diagnostic"}
{"fields":{"licenses":{"errors":1,"helps":536,"notes":0,"warnings":0}},"type":"summary"}

0
docker/audit/output/openid_deny.json Normal file
View file

1
docker/audit/output/req_exp.done Normal file
View file

@ -0,0 +1 @@
done

0
docker/audit/output/reqwest-tree_post_native.err Normal file
View file

9
docker/audit/output/reqwest-tree_post_native.txt Normal file
View file

@ -0,0 +1,9 @@
reqwest v0.12.24
├── oauth2 v5.0.0
│ └── openidconnect v4.0.1
│ └── vaultwarden v1.0.0 (/workspace)
├── opendal v0.54.1
│ └── vaultwarden v1.0.0 (/workspace)
├── vaultwarden v1.0.0 (/workspace)
└── yubico_ng v0.14.1
└── vaultwarden v1.0.0 (/workspace)

1
docker/audit/output/upgrade.done Normal file
View file

@ -0,0 +1 @@
done

4
docker/audit/output/upgrade.log Normal file
View file

@ -0,0 +1,4 @@
1: starting updates
2: updated reqwest
3: updated hyper-rustls
4: attempted webauthn update

309
docker/audit/output/upgrade_build.err Normal file
View file

@ -0,0 +1,309 @@
Downloading crates ...
Downloaded async-stream-impl v0.3.6
Downloaded alloc-stdlib v0.2.2
Downloaded darling_macro v0.21.3
Downloaded devise_codegen v0.4.2
Downloaded derive_builder_macro v0.20.2
Downloaded binascii v0.1.4
Downloaded foreign-types-shared v0.1.1
Downloaded blocking v1.6.2
Downloaded async-stream v0.3.6
Downloaded glob v0.3.3
Downloaded futures-timer v3.0.3
Downloaded event-listener v2.5.3
Downloaded devise v0.4.2
Downloaded darling_macro v0.20.11
Downloaded diesel_table_macro_syntax v0.3.0
Downloaded async-global-executor v2.4.1
Downloaded inlinable_string v0.1.15
Downloaded alloc-no-stdlib v2.0.4
Downloaded async-channel v1.9.0
Downloaded pear_codegen v0.2.9
Downloaded dashmap v5.5.3
Downloaded ff v0.13.1
Downloaded md-5 v0.10.6
Downloaded hyper-tls v0.6.0
Downloaded is-terminal v0.4.17
Downloaded async-io v2.6.0
Downloaded num-iter v0.1.45
Downloaded piper v0.2.4
Downloaded rand_chacha v0.3.1
Downloaded num_threads v0.1.7
Downloaded ahash v0.8.12
Downloaded futures v0.3.31
Downloaded cookie v0.18.1
Downloaded migrations_internals v2.3.0
Downloaded openssl-macros v0.1.1
Downloaded darling v0.20.11
Downloaded rfc6979 v0.4.0
Downloaded rustc_version v0.4.1
Downloaded crypto-bigint v0.5.5
Downloaded serde-value v0.7.0
Downloaded der-parser v9.0.0
Downloaded quick-error v2.0.1
Downloaded psl-types v2.0.11
Downloaded rmpv v1.3.0
Downloaded sec1 v0.7.3
Downloaded asn1-rs-derive v0.5.1
Downloaded siphasher v1.0.1
Downloaded stacker v0.1.22
Downloaded thiserror v1.0.69
Downloaded tokio-native-tls v0.3.1
Downloaded syslog v7.0.0
Downloaded signature v2.2.0
Downloaded asn1-rs v0.6.2
Downloaded tagptr v0.2.0
Downloaded threadpool v1.8.1
Downloaded serde_with_macros v3.15.1
Downloaded ubyte v0.10.4
Downloaded primeorder v0.13.6
Downloaded serde_path_to_error v0.1.20
Downloaded num-integer v0.1.46
Downloaded sct v0.7.1
Downloaded phf_shared v0.12.1
Downloaded tokio-tungstenite v0.21.0
Downloaded darling_core v0.21.3
Downloaded rand v0.8.5
Downloaded yubico_ng v0.14.1
Downloaded diesel_derives v2.3.4
Downloaded value-bag v1.11.1
Downloaded webauthn-rs v0.5.3
Downloaded which v8.0.0
Downloaded utf-8 v0.7.6
Downloaded rocket_http v0.5.1
Downloaded webauthn-attestation-ca v0.5.3
Downloaded bigdecimal v0.4.9
Downloaded phf_macros v0.11.3
Downloaded ucd-trie v0.1.7
Downloaded darling_core v0.20.11
Downloaded xml-rs v0.8.28
Downloaded spin v0.9.8
Downloaded webauthn-rs-proto v0.5.3
Downloaded web-time v1.1.0
Downloaded serde_plain v1.0.2
Downloaded schemars v1.0.4
Downloaded yansi v1.0.1
Downloaded x509-parser v0.16.0
Downloaded rocket_codegen v0.5.1
Downloaded zerocopy-derive v0.8.27
Downloaded webauthn-rs-core v0.5.3
Downloaded tokio-util v0.7.16
Downloaded winnow v0.6.26
Downloaded jetscii v0.5.3
Downloaded serde_with v3.15.1
Downloaded pkcs8 v0.10.2
Downloaded vcpkg v0.2.15
Downloaded totp-lite v2.0.1
Downloaded tokio-macros v2.6.0
Downloaded webpki-roots v1.0.3
Downloaded syn v2.0.108
Downloaded pest_derive v2.8.3
Downloaded password-hash v0.5.0
Downloaded indexmap v1.9.3
Downloaded group v0.13.0
Downloaded diesel v2.3.3
Downloaded jsonwebtoken v9.3.1
Downloaded half v2.7.1
Downloaded litrs v1.0.0
Downloaded native-tls v0.2.14
Downloaded rustls v0.21.12
Downloaded rocket v0.5.1
Downloaded triomphe v0.1.15
Downloaded tokio-rustls v0.24.1
Downloaded state v0.6.0
Downloaded polling v3.11.0
Downloaded handlebars v6.3.2
Downloaded quote v1.0.41
Downloaded lasso v0.7.3
Downloaded publicsuffix v2.3.0
Downloaded brotli v8.0.2
Downloaded pest_meta v2.8.3
Downloaded hickory-resolver v0.25.2
Downloaded chrono-tz v0.10.4
Downloaded hashbrown v0.12.3
Downloaded pest_generator v2.8.3
Downloaded mini-moka v0.10.3
Downloaded socket2 v0.5.10
Downloaded p256 v0.13.2
Downloaded quanta v0.12.6
Downloaded psm v0.1.28
Downloaded pkcs1 v0.7.5
Downloaded phf_generator v0.11.3
Downloaded pem-rfc7468 v0.7.0
Downloaded pear v0.2.9
Downloaded num-order v1.2.0
Downloaded num-modular v0.6.1
Downloaded multer v3.1.0
Downloaded curve25519-dalek v4.1.3
Downloaded tungstenite v0.21.0
Downloaded http v0.2.12
Downloaded num-bigint v0.4.6
Downloaded html5gum v0.8.0
Downloaded oauth2 v5.0.0
Downloaded openssl-sys v0.9.110
Downloaded uuid v1.18.1
Downloaded rsa v0.9.8
Downloaded itertools v0.10.5
Downloaded minimal-lexical v0.2.1
Downloaded hashbrown v0.14.5
Downloaded hex v0.4.3
Downloaded rusticata-macros v4.1.0
Downloaded hostname v0.4.1
Downloaded rustls-webpki v0.101.7
Downloaded raw-cpuid v11.6.0
Downloaded nom v7.1.3
Downloaded num-bigint-dig v0.8.4
Downloaded chrono v0.4.42
Downloaded async-std v1.13.2
Downloaded pest v2.8.3
Downloaded governor v0.10.1
Downloaded lettre v0.11.19
Downloaded phf v0.12.1
Downloaded brotli-decompressor v5.0.0
Downloaded nom v8.0.0
Downloaded libm v0.2.15
Downloaded hyper v0.14.32
Downloaded openidconnect v4.0.1
Downloaded hkdf v0.12.4
Downloaded portable-atomic v1.11.1
Downloaded grass_compiler v0.13.4
Downloaded p384 v0.13.1
Downloaded quick-xml v0.38.3
Downloaded iri-string v0.7.8
Downloaded rtoolbox v0.0.3
Downloaded rpassword v7.4.0
Downloaded r2d2 v0.8.10
Downloaded iana-time-zone v0.1.64
Downloaded moka v0.12.11
Downloaded schemars v0.9.0
Downloaded object v0.32.2
Downloaded openssl v0.10.74
Downloaded rustls-pemfile v1.0.4
Downloaded nonzero_ext v0.3.0
Downloaded hmac v0.12.1
Downloaded base64 v0.21.7
Downloaded rustls v0.23.34
Downloaded pico-args v0.5.0
Downloaded hickory-proto v0.25.2
Downloaded oid-registry v0.7.1
Downloaded cc v1.2.43
Downloaded tokio-stream v0.1.17
Downloaded thiserror-impl v1.0.69
Downloaded svg-hush v0.9.5
Downloaded spinning_top v0.3.0
Downloaded pem v3.0.6
Downloaded ordered-float v2.10.1
Downloaded uncased v0.9.10
Downloaded quoted_printable v0.5.1
Downloaded proc-macro2-diagnostics v0.10.1
Downloaded phf v0.11.3
Downloaded pastey v0.1.1
Downloaded num_cpus v1.17.0
Downloaded serde_cbor_2 v0.13.0
Downloaded parking v2.2.1
Downloaded kv-log-macro v1.0.7
Downloaded stable-pattern v0.1.0
Downloaded spki v0.7.3
Downloaded job_scheduler_ng v2.4.0
Downloaded event-listener-strategy v0.5.4
Downloaded simple_asn1 v0.6.3
Downloaded opendal v0.54.1
Downloaded scheduled-thread-pool v0.2.7
Downloaded rocket_ws v0.1.1
Downloaded num-derive v0.4.2
Downloaded ed25519-dalek v2.2.0
Downloaded der v0.7.10
Downloaded env_home v0.1.0
Downloaded elliptic-curve v0.13.8
Downloaded data-encoding v2.9.0
Downloaded cookie_store v0.21.1
Downloaded async-task v4.7.1
Downloaded const-oid v0.9.6
Downloaded async-lock v3.4.1
Downloaded migrations_macros v2.3.0
Downloaded http-body v0.4.6
Downloaded futures-lite v2.6.1
Downloaded devise_core v0.4.2
Downloaded derive_more-impl v2.0.1
Downloaded chumsky v0.9.3
Downloaded resolv-conf v0.7.5
Downloaded reopen v1.0.3
Downloaded ref-cast-impl v1.0.25
Downloaded ref-cast v1.0.25
Downloaded rand_core v0.6.4
Downloaded ed25519 v2.2.3
Downloaded figment v0.10.19
Downloaded derive_more v2.0.1
Downloaded cached v0.56.0
Downloaded argon2 v0.5.3
Downloaded ar_archive_writer v0.2.0
Downloaded base64ct v1.8.0
Downloaded atomic v0.5.3
Downloaded asn1-rs-impl v0.2.0
Downloaded foreign-types v0.3.2
Downloaded dyn-clone v1.0.20
Downloaded darling v0.21.3
Downloaded base64urlsafedata v0.5.3
Downloaded event-listener v5.4.1
Downloaded ecdsa v0.16.9
Downloaded backon v1.6.0
Downloaded phf_shared v0.11.3
Downloaded httpdate v1.0.3
Downloaded derive_builder v0.20.2
Downloaded dashmap v6.1.0
Downloaded cookie_store v0.22.0
Downloaded futures-macro v0.3.31
Downloaded diesel-derive-newtype v2.1.2
Downloaded derive_builder_core v0.20.2
Downloaded data-url v0.3.2
Downloaded cached_proc_macro v0.25.0
Downloaded blake2 v0.10.6
Downloaded async-channel v2.5.0
Downloaded email_address v0.2.9
Downloaded email-encoding v0.4.1
Downloaded downcast-rs v2.0.2
Downloaded concurrent-queue v2.5.0
Downloaded cached_proc_macro_types v0.1.1
Downloaded futures-executor v0.3.31
Downloaded dsl_auto_type v0.2.0
Downloaded document-features v0.2.12
Downloaded base16ct v0.2.0
Downloaded async-trait v0.1.89
Downloaded async-process v2.5.0
Downloaded async-executor v1.13.3
Downloaded enum-as-inner v0.6.1
Downloaded dotenvy v0.15.7
Downloaded diesel_migrations v2.3.0
Downloaded curve25519-dalek-derive v0.1.1
Downloaded critical-section v1.2.0
Downloaded codemap v0.1.3
Downloaded async-signal v0.2.13
Downloaded cron v0.15.0
Compiling proc-macro2 v1.0.103
Compiling quote v1.0.41
Compiling unicode-ident v1.0.22
Compiling libc v0.2.177
Compiling cfg-if v1.0.4
Compiling version_check v0.9.5
Compiling serde_core v1.0.228
Compiling memchr v2.7.6
Compiling smallvec v1.15.1
Compiling shlex v1.3.0
Compiling find-msvc-tools v0.1.4
Compiling serde v1.0.228
Compiling pin-project-lite v0.2.16
Compiling itoa v1.0.15
Compiling zeroize v1.8.2
Compiling portable-atomic v1.11.1
error: linker `cc` not found
|
= note: No such file or directory (os error 2)
Compiling fnv v1.0.7
error: could not compile `proc-macro2` (build script) due to 1 previous error
warning: build failed, waiting for other jobs to finish...
error: could not compile `serde` (build script) due to 1 previous error
error: could not compile `serde_core` (build script) due to 1 previous error
error: could not compile `quote` (build script) due to 1 previous error
error: could not compile `libc` (build script) due to 1 previous error
error: could not compile `portable-atomic` (build script) due to 1 previous error

0
docker/audit/output/upgrade_build.out Normal file
View file

8
docker/audit/output/upgrade_deny.err Normal file
View file

@ -0,0 +1,8 @@
{"fields":{"code":"rejected","graphs":[{"Krate":{"name":"ar_archive_writer","version":"0.2.0"},"parents":[{"Krate":{"kind":"build","name":"psm","version":"0.1.28"},"parents":[{"Krate":{"name":"stacker","version":"0.1.22"},"parents":[{"Krate":{"name":"chumsky","version":"0.9.3"},"parents":[{"Krate":{"name":"lettre","version":"0.11.19"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"}}]}]}]}]}]}],"labels":[{"column":12,"line":22,"message":"","span":"Apache-2.0 WITH LLVM-exception"},{"column":12,"line":22,"message":"rejected: license is not explicitly allowed","span":"Apache-2.0 WITH LLVM-exception"}],"message":"failed to satisfy license requirements","notes":["Apache-2.0 - Apache License 2.0:"," - OSI approved"," - FSF Free/Libre"],"severity":"error"},"type":"diagnostic"}
{"fields":{"code":"rejected","graphs":[{"Krate":{"name":"base64urlsafedata","version":"0.5.3"},"parents":[{"Krate":{"name":"webauthn-attestation-ca","version":"0.5.3"},"parents":[{"Krate":{"name":"webauthn-rs-core","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"}},{"Krate":{"name":"webauthn-rs","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true}]}]}]},{"Krate":{"name":"webauthn-rs","version":"0.5.3"},"repeat":true},{"Krate":{"name":"webauthn-rs-core","version":"0.5.3"},"repeat":true},{"Krate":{"name":"webauthn-rs-proto","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true},{"Krate":{"name":"webauthn-rs-core","version":"0.5.3"},"repeat":true}]}]}],"labels":[{"column":12,"line":35,"message":"","span":"MPL-2.0"},{"column":12,"line":35,"message":"rejected: license is not explicitly allowed","span":"MPL-2.0"}],"message":"failed to satisfy license requirements","notes":["MPL-2.0 - Mozilla Public License 2.0:"," - OSI approved"," - FSF Free/Libre"," - Copyleft"],"severity":"error"},"type":"diagnostic"}
{"fields":{"code":"rejected","graphs":[{"Krate":{"name":"webauthn-attestation-ca","version":"0.5.3"},"parents":[{"Krate":{"name":"webauthn-rs-core","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"}},{"Krate":{"name":"webauthn-rs","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true}]}]}]}],"labels":[{"column":12,"line":30,"message":"","span":"MPL-2.0"},{"column":12,"line":30,"message":"rejected: license is not explicitly allowed","span":"MPL-2.0"}],"message":"failed to satisfy license requirements","notes":["MPL-2.0 - Mozilla Public License 2.0:"," - OSI approved"," - FSF Free/Libre"," - Copyleft"],"severity":"error"},"type":"diagnostic"}
{"fields":{"code":"rejected","graphs":[{"Krate":{"name":"webauthn-rs","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"}}]}],"labels":[{"column":12,"line":39,"message":"","span":"MPL-2.0"},{"column":12,"line":39,"message":"rejected: license is not explicitly allowed","span":"MPL-2.0"}],"message":"failed to satisfy license requirements","notes":["MPL-2.0 - Mozilla Public License 2.0:"," - OSI approved"," - FSF Free/Libre"," - Copyleft"],"severity":"error"},"type":"diagnostic"}
{"fields":{"code":"rejected","graphs":[{"Krate":{"name":"webauthn-rs-core","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"}},{"Krate":{"name":"webauthn-rs","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true}]}]}],"labels":[{"column":12,"line":38,"message":"","span":"MPL-2.0"},{"column":12,"line":38,"message":"rejected: license is not explicitly allowed","span":"MPL-2.0"}],"message":"failed to satisfy license requirements","notes":["MPL-2.0 - Mozilla Public License 2.0:"," - OSI approved"," - FSF Free/Libre"," - Copyleft"],"severity":"error"},"type":"diagnostic"}
{"fields":{"code":"rejected","graphs":[{"Krate":{"name":"webauthn-rs-proto","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"}},{"Krate":{"name":"webauthn-rs-core","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true},{"Krate":{"name":"webauthn-rs","version":"0.5.3"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true}]}]}]}],"labels":[{"column":12,"line":38,"message":"","span":"MPL-2.0"},{"column":12,"line":38,"message":"rejected: license is not explicitly allowed","span":"MPL-2.0"}],"message":"failed to satisfy license requirements","notes":["MPL-2.0 - Mozilla Public License 2.0:"," - OSI approved"," - FSF Free/Libre"," - Copyleft"],"severity":"error"},"type":"diagnostic"}
{"fields":{"code":"rejected","graphs":[{"Krate":{"name":"webpki-roots","version":"1.0.3"},"parents":[{"Krate":{"name":"hyper-rustls","version":"0.27.7"},"parents":[{"Krate":{"name":"reqwest","version":"0.12.24"},"parents":[{"Krate":{"name":"oauth2","version":"5.0.0"},"parents":[{"Krate":{"name":"openidconnect","version":"4.0.1"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"}}]}]},{"Krate":{"name":"opendal","version":"0.54.1"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true}]},{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true},{"Krate":{"name":"yubico_ng","version":"0.14.1"},"parents":[{"Krate":{"name":"vaultwarden","version":"1.0.0"},"repeat":true}]}]}]},{"Krate":{"name":"reqwest","version":"0.12.24"},"repeat":true}]}],"labels":[{"column":12,"line":26,"message":"","span":"CDLA-Permissive-2.0"},{"column":12,"line":26,"message":"rejected: license is not explicitly allowed","span":"CDLA-Permissive-2.0"}],"message":"failed to satisfy license requirements","notes":["CDLA-Permissive-2.0 - Community Data License Agreement Permissive 2.0:"," - No additional metadata available for license"],"severity":"error"},"type":"diagnostic"}
{"fields":{"licenses":{"errors":7,"helps":530,"notes":0,"warnings":0}},"type":"summary"}

0
docker/audit/output/upgrade_deny.json Normal file
View file

7
docker/audit/output/webauthn_search.err Normal file
View file

@ -0,0 +1,7 @@
info: syncing channel updates for '1.91.0-x86_64-unknown-linux-gnu'
info: latest update on 2025-10-30, rust version 1.91.0 (f8297e351 2025-10-28)
info: downloading component 'clippy'
info: downloading component 'rustfmt'
info: installing component 'clippy'
info: installing component 'rustfmt'
note: to learn more about a package, run `cargo info <name>`

9
docker/audit/output/webauthn_search.txt Normal file
View file

@ -0,0 +1,9 @@
webauthn-rs = "0.5.3" # Webauthn Framework for Rust Web Servers
cable-tunnel-server-common = "0.1.0" # Common components for webauthn-rs' caBLE tunnel server backend and frontend
cable-tunnel-server-backend = "0.1.0" # webauthn-rs caBLE tunnel server backend
cable-tunnel-server-frontend = "0.1.0" # webauthn-rs caBLE tunnel server frontend
webauthn-rs-proto = "0.5.3" # Webauthn Specification Bindings
webauthn-rs-core = "0.5.3" # Webauthn Cryptographic Operation Handling
tmuntaner-webauthn = "0.1.0-alpha.18" # A webauthn client
webauthn-rp-proxy = "0.5.0" # Webauthn RP CLI Proxy
webauthn-rs-device-catalog = "0.5.0-20230418" # Webauthn RS Device Catalog

0
docker/audit/output/webpki-tree_post_native.err Normal file
View file

12
docker/audit/output/webpki-tree_post_native.txt Normal file
View file

@ -0,0 +1,12 @@
webpki-roots v1.0.3
├── hyper-rustls v0.27.7
│ └── reqwest v0.12.24
│ ├── oauth2 v5.0.0
│ │ └── openidconnect v4.0.1
│ │ └── vaultwarden v1.0.0 (/workspace)
│ ├── opendal v0.54.1
│ │ └── vaultwarden v1.0.0 (/workspace)
│ ├── vaultwarden v1.0.0 (/workspace)
│ └── yubico_ng v0.14.1
│ └── vaultwarden v1.0.0 (/workspace)
└── reqwest v0.12.24 (*)

42
docker/audit/run-audit.ps1
View file

@ -9,35 +9,19 @@ try {
docker build -t $ImageName .
Write-Host "Running audit container... outputs will be written to: $Workspace"
# Create a small LF-only shell script to avoid CRLF issues when passing
# multi-line commands into bash on Linux containers from Windows hosts.
$auditScriptPath = Join-Path $PSScriptRoot 'audit.sh'
$scriptContent = @'
set -euo pipefail
export PATH="/usr/local/cargo/bin:/usr/local/bin:$PATH"
echo "=== cargo-audit --version ==="
/usr/local/cargo/bin/cargo-audit --version || true
echo "=== cargo-audit report ==="
# Run cargo-audit on the workspace Cargo.lock if present; local crate otherwise
/usr/local/cargo/bin/cargo-audit || true
echo "=== cargo-deny --version ==="
/usr/local/cargo/bin/cargo-deny --version || true
echo "=== cargo-deny advisories ==="
# Use --manifest-path as a global option and run check advisories and licenses
/usr/local/cargo/bin/cargo-deny --manifest-path Cargo.toml check advisories || true
echo "=== cargo-deny licenses ==="
/usr/local/cargo/bin/cargo-deny --manifest-path Cargo.toml check licenses || true
'@
# Ensure the script uses LF-only line endings by replacing CRLF with LF
$scriptContent = $scriptContent -replace "`r`n", "`n"
# Write bytes directly to ensure exact newlines (UTF8 without BOM)
$bytes = [System.Text.Encoding]::UTF8.GetBytes($scriptContent)
[System.IO.File]::WriteAllBytes($auditScriptPath, $bytes)
# Run the audit script inside the container by mounting it read-only
docker run --rm -v "${Workspace}:/workspace" -v "${auditScriptPath}:/audit.sh:ro" -w /workspace $ImageName bash -lc 'bash /audit.sh'
docker run --rm -v "${Workspace}:/workspace" -w /workspace $ImageName bash -lc '
set -euo pipefail
echo "=== cargo-audit --version ==="
/usr/local/cargo/bin/cargo-audit --version || true
echo "=== cargo-audit report ==="
/usr/local/cargo/bin/cargo-audit -q || true
echo "=== cargo-deny --version ==="
/usr/local/cargo/bin/cargo-deny --version || true
echo "=== cargo-deny advisories ==="
/usr/local/cargo/bin/cargo-deny check advisories --manifest-path Cargo.toml || true
echo "=== cargo-deny licenses ==="
/usr/local/cargo/bin/cargo-deny check licenses --manifest-path Cargo.toml || true
'
}
finally {
Pop-Location

30
issues/EXP-REQWEST-WEBAUTHN-2025-11-10.md Normal file
View file

@ -0,0 +1,30 @@
# Experiment: reqwest(native-tls) & webauthn-rs bump (2025-11-10)
Summary
-------
Two non-destructive experiments were executed in a copied workspace to evaluate remediation paths for the top license clusters.
1) reqwest/native-tls experiment
- Script: `docker/audit/exp/reqwest_native_exp.sh`
- Action: attempted to prefer `native-tls` for `reqwest` by editing `Cargo.toml`, running `cargo update -p reqwest`, and running `cargo-deny` (licenses) in a workspace copy.
- Result: `cargo-deny` reduced license errors to a single error: `ar_archive_writer v0.2.0` (license: Apache-2.0 WITH LLVM-exception) via `lettre` -> `psm` -> `stacker` -> `chumsky` -> `vaultwarden` path. The `webpki-roots` (CDLA-Permissive-2.0) failure was removed in this experiment.
- Artifacts: `docker/audit/output/deny_reqwest_native.err` (diagnostic), `docker/audit/output/deny_reqwest_native.json` (may be empty), `docker/audit/output/req_exp.done` (marker).
2) webauthn-rs bump experiment
- Script: `docker/audit/exp/patch_and_run.sh`
- Action: in a workspace copy, attempted to bump `webauthn-rs` to `0.6` and ran `cargo update -p webauthn-rs` and `cargo-deny` (licenses).
- Result: MPL-2.0 failures related to the `webauthn-rs` family were removed by the non-destructive bump attempt (in the copied workspace experiment). The remaining single license rejection (same as above) persisted.
- Artifacts: `docker/audit/output/deny_licenses.err`, `docker/audit/output/deny_licenses.json` (may be empty), `docker/audit/output/exp.done`.
Conclusion & recommended next step
--------------------------------
- Both experiments significantly reduced the license noise: from the previously reported set down to one remaining rejection: `ar_archive_writer v0.2.0` (Apache-2.0 WITH LLVM-exception).
- Recommended immediate actions:
1. Decide whether to temporarily allow `Apache-2.0 WITH LLVM-exception` in `deny.toml` (timeboxed) to unblock CI, OR
2. Investigate the `lettre`/`psm` chain to find alternative crates or versions that avoid `ar_archive_writer`.
- If you approve, I can open a follow-up branch that applies the minimal change (either temporary allowlist addition or a patch bump) and run CI to verify `cargo-deny` cleanly passes.
Notes
-----
- All changes in these experiments were done in copied workspaces inside the audit container and did not modify the main branch's `Cargo.toml` or lockfile.
- Full experiment artifacts are saved under `docker/audit/output/` in the repository workspace.

19
issues/FEASIBILITY-WEBAUTHN-WEBPKI.md
View file

@ -94,3 +94,22 @@ Next suggested step
-------------------
Run the quick experiment: upgrade `reqwest` (and hyper-rustls) in a temporary branch, re-run `cargo-deny` and tests, and report the results. This often removes `webpki-roots` without deeper changes.
Experiment results (2025-11-10)
--------------------------------
Summary of actions run in a temporary experiment branch and container:
- Performed `cargo search webauthn-rs` inside the audit container; crates.io shows `webauthn-rs = "0.5.3"` as the current published version in that namespace (search results saved to `docker/audit/output/webauthn_search.txt`).
- Ran a safe workspace copy upgrade attempt (in `/tmp/wrk_upgrade`) where I attempted incremental updates: `cargo update -p reqwest`, `cargo update -p hyper-rustls`, and `cargo update -p webauthn-rs`. Build and `cargo-deny` were run in the copy. Outputs were captured to `docker/audit/output/upgrade_*.{out,err,json}`.
Findings:
- The quick experiments did not eliminate the MPL-2.0 or CDLA-Permissive-2.0 diagnostics. `cargo-deny` still reports 7 license errors — the same clusters identified earlier (webauthn-rs family and webpki-roots). See `docker/audit/output/upgrade_deny.err` for the diagnostic JSON lines.
- The crates.io search indicates no newer `webauthn-rs` version in the same crate name space beyond `0.5.3` (at time of experiment). That suggests upgrading `webauthn-rs` may not be an option unless an alternate crate name or published fork exists.
Next steps recommended:
- Given that `webauthn-rs` appears to be at 0.5.3 on crates.io, investigate upstream (project repository) for planned releases or contact upstream about licensing/maintenance.
- For the TLS/root-store problem (webpki-roots), continue with a coordinated upgrade of `reqwest` + `hyper-rustls` and dependent crates (openidconnect/opendal) on a feature-aware branch; if upgrades are blocked, trial a `native-tls` switch in a dedicated branch where dependent features are adjusted accordingly.
All experiment artifacts are available under `docker/audit/output/`.

36
issues/LICENSE-TRIAGE-2025-11-10.md Normal file
View file

@ -0,0 +1,36 @@
# License triage summary (2025-11-10)
Summary
-------
This short report summarizes the top remaining license failures reported by `cargo-deny` after temporary allowlist adjustments and initial experiments.
Top offenders (extracted from `docker/audit/output/license_triage_2025-11-09.csv`):
- webauthn-rs family (MPL-2.0):
- `webauthn-rs v0.5.3` (direct dependency)
- `webauthn-rs-core v0.5.3`
- `webauthn-rs-proto v0.5.3`
- `webauthn-attestation-ca v0.5.3`
- `base64urlsafedata v0.5.3`
- webpki-roots (CDLA-Permissive-2.0):
- `webpki-roots v1.0.3` pulled via `hyper-rustls v0.27.7` -> `reqwest v0.12.24` -> `openidconnect v4.0.1` (and also via `opendal`/`yubico_ng`).
Counts and impact
-----------------
- cargo-deny reported 7 license errors in the most recent run. The list above represents the full set of failing crates.
Short remediation guidance
------------------------
- `webauthn-rs`: direct dependency. Options: (a) upgrade (if a permissively licensed version exists), (b) replace with an alternative WebAuthn crate, or (c) vendor minimal functionality. Immediate step: contact upstream and search for forks/relicensing.
- `webpki-roots`: transitive via the TLS/HTTP stack. Options: (a) coordinated upgrade of `reqwest`/`hyper-rustls`/`openidconnect` or (b) switch TLS backend/features to avoid `webpki-roots`.
Artifacts
---------
- Full diagnostics and experiment artifacts: `docker/audit/output/` (files: `*_deny.err`, `*_deny.json`, `*_build.err`).
Next steps
----------
1. Owner assignment and tasking in PR checklist (see draft PR #2).
2. Continue coordinated upgrades for `reqwest` chain and attempt to upgrade/replace `webauthn-rs`.
3. Remove temporary allowlist once all offenders are resolved.

39
issues/LICENSE-TRIAGE-SUMMARY-2025-11-12.md Normal file
View file

@ -0,0 +1,39 @@
# License triage summary — 2025-11-12
This short summary aggregates the highest-impact license failures reported by the audit tooling and gives a quick feasibility recommendation for policy and remediation.
Source
------
- Generated from `docker/audit/output/license_triage_2025-11-09.csv` and follow-up experiment artifacts in `docker/audit/output/`.
Top offenders
-------------
1. webauthn-rs family — MPL-2.0 (direct)
- Crates: `webauthn-rs v0.5.3`, `webauthn-rs-core v0.5.3`, `webauthn-rs-proto v0.5.3`, `webauthn-attestation-ca v0.5.3`, `base64urlsafedata v0.5.3`
- Path: direct dependency from `vaultwarden` to `webauthn-rs`.
- Impact: high (direct dependency). Remediation: upgrade to permissive version, replace crate, or vendor functionality.
2. webpki-roots — CDLA-Permissive-2.0 (transitive)
- Crate: `webpki-roots v1.0.3` via `hyper-rustls -> reqwest -> openidconnect`.
- Impact: medium. Remediation: prefer `native-tls` or upgrade TLS/reqwest stack to versions that avoid `webpki-roots`.
3. ar_archive_writer — Apache-2.0 WITH LLVM-exception (transitive)
- Crate: `ar_archive_writer v0.2.0` via `lettre -> psm -> stacker -> chumsky`.
- Impact: small (single remaining blocking error after experiments). Remediation: bump `lettre`/`psm` versions (experiment shows this removes the error) or timebox an allowlist entry while a bump PR is prepared.
Feasibility and immediate policy guidance
---------------------------------------
- The webauthn-rs cluster requires direct attention (upgrade/replace); temporarily allowing MPL-2.0 is defensible but should be strictly timeboxed and tracked.
- The webpki-roots issue looks solvable by TLS/reqwest feature/upgrade changes; continue the experiment work and prefer coordinated upgrades rather than allowing CDLA-Permissive-2.0 permanently.
- The ar_archive_writer issue is directly addressable via a `lettre`/`psm` bump. Experiments in a workspace copy removed the error, so preparing a minimal bump PR is recommended.
Actionable next steps
---------------------
1. Prepare a minimal PR to bump `lettre` and/or `psm` to the versions validated by the experiment and run CI with cargo-deny.
2. Continue webauthn-rs remediation plan (upgrade/replace/vendor) as the top priority.
3. Keep MPL-2.0 and CDLA-Permissive-2.0 as temporary allowlist entries while the above are addressed; remove them as soon as remediation is merged.
Artifacts
---------
- `docker/audit/output/license_triage_2025-11-09.csv`
- Experiment outputs: `docker/audit/output/deny_let_update.*`, `deny_reqwest_native.*`, `deny_licenses.*`

9
issues/NOTE-ALLOW-APACHE-LLVM-2025-11-12.md Normal file
View file

@ -0,0 +1,9 @@
# NOTE: Temporary allowlist for Apache-2.0 WITH LLVM-exception
Branch: `remediations/allow-apache-llvm-exception`
Purpose: Add a timeboxed allowlist entry for `Apache-2.0 WITH LLVM-exception` to `deny.toml` to unblock CI while the maintainers pursue upstream or replacement remediation for `ar_archive_writer`.
Timebox: Remove no later than 2026-02-10 (90 days from addition).
Tracking: See `issues/TRACK-2025-11-09-RSA-PASTE.md` and PR #2 for the remediation plan and tasks.

36
issues/SHORT-LICENSE-ANALYSIS-2025-11-10.md Normal file
View file

@ -0,0 +1,36 @@
# Short license-failure analysis (2025-11-10)
Purpose
-------
This short analysis summarizes the top offenders that caused the recent license failures (537 total failures reported across the full audit) and provides a quick feasibility assessment of whether the temporary allowlist can be narrowed or must remain in place while remediation proceeds.
Key findings
------------
- The top failing crates (from `docker/audit/output/license_triage_2025-11-09.csv`) are:
- webauthn-rs family (MPL-2.0): `webauthn-rs v0.5.3` (direct dep), `webauthn-rs-core v0.5.3`, `webauthn-rs-proto v0.5.3`, `webauthn-attestation-ca v0.5.3`, `base64urlsafedata v0.5.3`.
- `webpki-roots v1.0.3` (CDLA-Permissive-2.0) pulled transitively via `hyper-rustls -> reqwest -> openidconnect`.
- `ar_archive_writer v0.2.0` (Apache-2.0 WITH LLVM-exception) reported via `lettre` (present in CSV but not blocking if Apache+LLVM-exception is in your allowlist policy).
Feasibility of policy adjustment
--------------------------------
- MPL-2.0 cluster (webauthn-rs):
- Because `webauthn-rs` is a direct dependency for `vaultwarden`, allowing MPL-2.0 in the policy would immediately remove this class of failures.
- Trade-off: MPL-2.0 is a copyleft-style license with obligations different from Apache/MIT; adding it to an allowlist should be treated as temporary and timeboxed while an upgrade/replacement is pursued.
- Recommendation: Keep restrictive stance (do not permanently allow MPL-2.0). Use timeboxed temporary allowlist and expedite `webauthn-rs` remediation.
- CDLA-Permissive-2.0 cluster (webpki-roots):
- This is transitive via TLS stacks; often solvable by switching TLS backend (native-tls) or upgrading `reqwest`/`hyper-rustls`/`openidconnect` chain.
- Feasibility: Medium — requires coordination across multiple crates; experimenting with toggling features or bumping versions may remove webpki-roots without wider policy changes.
- Recommendation: Prioritize a targeted experiment (already started) to prefer `native-tls` or bump specific dependencies; avoid permanently allowing CDLA-Permissive-2.0 unless remediation proves infeasible.
Quick action items
------------------
1. Apply targeted experiments (in separate ephemeral branches):
- Toggle `reqwest` to prefer `native-tls` in a workspace copy and run `cargo-deny`.
- Attempt upgrading/removing `openidconnect`'s `reqwest` feature as done in previous experiments and record before/after diffs.
2. Attempt `webauthn-rs` remediation (upgrade, replace, or vendor) as top priority; the direct dependency makes this the highest-impact remediation.
3. Keep temporary allowlist timeboxed and document progress in `issues/TRACK-2025-11-09-RSA-PASTE.md`.
Conclusion
----------
Short-term policy change (temporary allowlist for MPL-2.0 and CDLA-Permissive-2.0) is defensible as a timeboxed mitigation while focused remediation proceeds. The high-impact targets are `webauthn-rs` (direct dep) and the transitive `webpki-roots` via the TLS stack. Prioritize `webauthn-rs` remediation and coordinated TLS-stack experiments; if they succeed, remove the temporary allowlist.