# cargo-deny config — see https://embarkstudios.github.io/cargo-deny/
# NOTE(review): in this copy every key name (left of `=`) and every table
# header name (inside `[...]`) has been stripped, e.g. `[]` / `= true`, so
# the file as shown does not parse. The section structure described in the
# comments below is inferred from the values and the surrounding comments —
# confirm against the checked-in deny.toml before relying on it.
[]
= true
[]
= 2
# ─────────────────────────────────────────────────────────────────────
# Advisory ignore policy
# ─────────────────────────────────────────────────────────────────────
# Every entry here MUST have a clear reason that explains:
# 1. WHY the advisory is not exploitable in AeroSync's actual code paths
# 2. WHEN we expect to remove the ignore (which dependency upgrade unblocks it)
#
# All current ignores trace back to either:
# - warp 0.3.7 (HTTPS receiver, will be migrated to axum in v0.2.0)
# - quinn 0.10 (QUIC transport, will be upgraded to 0.11 in v0.2.0)
#
# Once both are done the entire chain of old rustls/webpki/ring/pemfile
# disappears. Track the migration in TODO.local.md (v0.2.0 milestone).
#
# NOTE(review): an ignore silences the advisory for every crate version in
# the graph, so each entry should be re-validated when a new major version
# of the affected crate enters the graph, not only at the v0.2.0 milestone.
# ─────────────────────────────────────────────────────────────────────
# Advisory ignore list. Each entry pairs the RUSTSEC advisory id with the
# reason string that cargo-deny prints when it skips the advisory.
= [
# ── rustls-webpki: name-constraint parsing bugs ──
# Advisory text: "reachable only after signature verification and
# requires misissuance to exploit." AeroSync uses self-signed certs
# (HTTPS receiver) and pinned certs (QUIC); neither walks a CA chain
# that could be misissued. We never assert URI / wildcard name
# constraints. Affects both 0.101.7 (rcgen chain) and 0.102.8 (warp
# chain).
# NOTE(review): this reasoning holds only while no AeroSync path verifies
# a peer certificate through a CA chain (e.g. client-certificate auth or a
# system trust store); re-check these two entries if either is ever added.
{ = "RUSTSEC-2026-0098", = "name-constraint URI parsing; not on any AeroSync code path; blocked on warp 0.3 → axum (v0.2.0)" },
{ = "RUSTSEC-2026-0099", = "name-constraint wildcard parsing; not on any AeroSync code path; blocked on warp 0.3 → axum (v0.2.0)" },
# ── rustls-webpki 0.102.8: CRL distribution point matching ──
# AeroSync does not consult Certificate Revocation Lists in either
# the HTTPS or QUIC path. Self-signed / pinned cert verification
# bypasses CRL checking entirely.
{ = "RUSTSEC-2026-0049", = "CRL distribution point matching; AeroSync does not use CRLs; blocked on warp 0.3 → axum (v0.2.0)" },
# ── ring 0.16.20: AES panic when overflow checks are enabled ──
# Release builds disable overflow checks; debug/test builds do not
# exercise the AES paths in question (we use ring only via the rustls
# 0.21 transitive chain, which itself stays out of these paths in
# our usage). Blocked on rustls 0.22+ which uses ring 0.17 — comes
# for free once warp 0.3 is gone.
# NOTE(review): "release builds disable overflow checks" is the Cargo
# default for the release profile, not something this file enforces; a
# panic in a TLS record path would take the receiver down, so confirm no
# release profile or RUSTFLAGS setting turns overflow-checks back on.
{ = "RUSTSEC-2025-0009", = "AES panic only with overflow_checks=on; release builds disable; blocked on warp 0.3 → axum (v0.2.0)" },
# ── quinn-proto 0.10.6: DoS in Quinn endpoints ──
# We use quinn for our own QUIC transport between trusted peers
# (auth-token gated, mDNS-discovered LAN). External adversaries
# cannot reach our QUIC endpoint without first guessing a 32-byte
# auth token. Blocked on quinn 0.10 → 0.11 migration (v0.2.0;
# requires rustls 0.21 → 0.23 + ServerCertVerifier rewrite).
# NOTE(review): the token is checked by AeroSync at the application layer,
# while a quinn-proto DoS may be triggered by packet or handshake
# processing that runs before that check; any host on the same LAN can
# send those packets. Confirm from the advisory text that the trigger
# really is behind the token before treating the token as the mitigation.
{ = "RUSTSEC-2026-0037", = "Quinn DoS; AeroSync requires auth token before any QUIC operation; blocked on quinn 0.10 → 0.11 (v0.2.0)" },
# ── rustls-pemfile 1.0.4: unmaintained ──
# Used directly by aerosync-core to parse user-provided PEM certs
# (--tls-cert / --tls-key). Upstream replacement is rustls-pki-types'
# PemObject trait, but switching requires upgrading rustls 0.21 → 0.23
# which only makes sense alongside the warp 0.3 → axum migration.
# The crate itself is feature-frozen but not vulnerable.
# NOTE(review): the parsed input is operator-supplied (CLI flags), i.e.
# trusted; revisit this entry if PEM material is ever loaded from a
# remote or untrusted source, since an unmaintained parser gets no fixes.
{ = "RUSTSEC-2025-0134", = "rustls-pemfile unmaintained; functionally fine; migration to rustls-pki-types PemObject blocked on rustls 0.23 upgrade (v0.2.0)" },
# ── rand 0.7.3 / 0.8.5: unsound with custom logger calling rand::rng() ──
# Advisory: triggers ONLY when a custom log::Log implementation calls
# rand::thread_rng() at trace/warn level with a 64-KB-aligned reseed
# event. AeroSync uses `tracing` (not `log`), has no custom logger,
# and never calls rand from inside any logging code. Both versions
# are pulled transitively (tauri-build via phf, eframe via zbus,
# warp via tungstenite, quinn-proto). All disappear once the v0.2.0
# warp/quinn migration completes — none of those upgrades is in scope
# for v0.1.0.
# NOTE(review): the logger that triggers this need not be AeroSync's own;
# re-check this entry whenever a dependency that installs a `log::Log`
# implementation (including a tracing↔log bridge) enters the graph.
{ = "RUSTSEC-2026-0097", = "rand unsound only with custom log::Log calling rng(); AeroSync uses tracing with no such logger; blocked on warp/quinn upgrades (v0.2.0)" },
]
# Default severity policy: error on real vulnerabilities, warn on
# unmaintained / unsound (these are informational and pervasive in
# the GUI/Tauri/warp ecosystems we transitively depend on).
= "workspace" # warn for workspace deps only
= "warn"
[]
= 2
# Licenses any crate in the graph may carry; anything outside this list
# fails the check unless a clarification below covers it.
= [
"MIT",
"Apache-2.0",
"Apache-2.0 WITH LLVM-exception",
"BSD-2-Clause",
"BSD-3-Clause",
"ISC",
"Unicode-DFS-2016",
"Unicode-3.0",
"Zlib",
"MPL-2.0",
"OpenSSL",
"BSL-1.0",
"CC0-1.0",
]
# Minimum match score (0.0–1.0) for detecting a license from a crate's
# LICENSE text when Cargo.toml has no `license` field; crates that score
# below it need an explicit clarification (see ring below).
= 0.8
# Per-crate license clarifications: tell cargo-deny what SPDX expression
# to use when a crate's Cargo.toml lacks a `license` field but ships a
# LICENSE file. Each clarification names the file + a recognized hash so
# cargo-deny refuses to apply it if the file content drifts.
[[]]
# ring 0.16 ships a custom LICENSE that combines ISC, MIT, and OpenSSL.
# Its Cargo.toml has no `license` field and the LICENSE text only scores
# ~0.66 against any single SPDX template, below our 0.8 confidence floor.
# Per ring's README and LICENSE: the code is dual-licensed ISC + MIT
# with the OpenSSL license applying to portions ported from BoringSSL.
# All three are in our allow list above.
= "ring"
= "0.16.*"
= "ISC AND MIT AND OpenSSL"
# The hash pins the LICENSE file content this clarification was written
# against; a ring release that changes the file invalidates the entry.
= [
{ = "LICENSE", = 0xbd0eed23 },
]
[]
= "warn"
= "warn"
= [
# Add abandoned / known-bad crates here as we find them.
]
= []
[]
= "warn"
= "warn"
# NOTE(review): a "warn" level for unknown sources does not fail the build
# when a crate is pulled from an unlisted registry or git URL; "deny" is
# the stricter setting once the graph is known to be clean.
= ["https://github.com/rust-lang/crates.io-index"]