cargo-deny 0.14.5

Cargo plugin to help you manage large dependency graphs
Documentation 
# cargo-deny is really only ever intended to run on the "normal" tier-1 targets
targets = [
    { triple = "x86_64-unknown-linux-gnu" },
    { triple = "aarch64-unknown-linux-gnu" },
    { triple = "x86_64-unknown-linux-musl" },
    { triple = "aarch64-apple-darwin" },
    { triple = "x86_64-apple-darwin" },
    { triple = "x86_64-pc-windows-msvc" },
]

[advisories]
vulnerability = "deny"
unmaintained = "deny"
notice = "deny"
unsound = "deny"
ignore = [
    # rmp-serde used by askalono for the cache files, these are always utf-8 so
    # the advisory is not relevant
    "RUSTSEC-2022-0092",
]

[bans]
multiple-versions = "deny"
wildcards = 'deny'
deny = [
    # We use gix
    { name = "git2" },
    # NEVER AGAIN
    { name = "openssl" },
    { name = "openssl-sys" },
    { name = "libssh2-sys" },
    # There is literally never a reason to use this
    { name = "cmake" },
    # https://github.com/Byron/gitoxide/pull/1245
    { name = "windows", wrappers = ["gix-sec"] },
]
skip = [
    # strum_macros + maybe-async
    { name = "syn", version = "=1.0.109" },
    # security-framework uses an ooooold version
    { name = "bitflags", version = "=1.3.2" },
]
skip-tree = [
    # Sigh
    { name = "windows-sys", version = "<=0.48" },
    # cargo-lock uses an old version
    { name = "toml", version = "=0.7.8" },
]

[sources]
unknown-registry = "deny"
unknown-git = "deny"

# [sources.allow-org]
# github = ["EmbarkStudios"]

[licenses]
unlicensed = "deny"
allow-osi-fsf-free = "neither"
copyleft = "deny"
# We want really high confidence when inferring licenses from text
confidence-threshold = 0.93
allow = [
    "Apache-2.0",
    "Apache-2.0 WITH LLVM-exception",
    "MIT",
    "MPL-2.0",
    "BSD-3-Clause",
    "ISC",
]
exceptions = [
    { allow = [
        "Zlib",
    ], name = "tinyvec" },
    { allow = [
        "Unicode-DFS-2016",
    ], name = "unicode-ident" },
    { allow = [
        "OpenSSL",
    ], name = "ring" },
]

# Sigh
[[licenses.clarify]]
name = "ring"
# SPDX considers OpenSSL to encompass both the OpenSSL and SSLeay licenses
# https://spdx.org/licenses/OpenSSL.html
# ISC - Both BoringSSL and ring use this for their new files
# MIT - "Files in third_party/ have their own licenses, as described therein. The MIT
# license, for third_party/fiat, which, unlike other third_party directories, is
# compiled into non-test libraries, is included below."
# OpenSSL - Obviously
expression = "ISC AND MIT AND OpenSSL"
license-files = [{ path = "LICENSE", hash = 0xbd0eed23 }]

[[licenses.clarify]]
name = "webpki"
expression = "ISC"
license-files = [{ path = "LICENSE", hash = 0x001c7e6c }]

# Actually "ISC-style"
[[licenses.clarify]]
name = "rustls-webpki"
expression = "ISC"
license-files = [{ path = "LICENSE", hash = 0x001c7e6c }]