1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
# cargo-deny configuration.
# Run locally with: cargo deny check
# Docs: https://embarkstudios.github.io/cargo-deny/
# ---------------------------------------------------------------------------
# Graph traversal: consider all targets we actually support.
# Leaving this empty would walk every Tier-1+ target; we only care about
# what users actually build on.
# ---------------------------------------------------------------------------
[]
= [
"x86_64-unknown-linux-gnu",
"x86_64-apple-darwin",
"aarch64-apple-darwin",
"x86_64-pc-windows-msvc",
]
= true
[]
= 1
# ---------------------------------------------------------------------------
# Advisories: fail the build on known CVEs / yanked crates.
# ---------------------------------------------------------------------------
[]
= 2
= "~/.cargo/advisory-db"
= ["https://github.com/rustsec/advisory-db"]
= "deny"
= [
# RUSTSEC-2023-0071 — "Marvin Attack" timing sidechannel in `rsa`. Accepted
# with documented rationale (see SECURITY.md): no fixed release exists (the
# mitigation is partial and unreleased in the dragging rsa 0.10 line,
# RustCrypto/RSA#390), and pure-Rust RSA has no maintained alternative that
# would not pull in a C/asm backend — defeating this crate's no-C-build-chain
# premise. The practically-exploitable PKCS#1 v1.5 padding-oracle vector is
# gated behind `weak-algos` and refused by default (only RSA-OAEP key
# transport is accepted); the residual is generic non-constant-time modexp
# timing, and SP-side signature verification (no private key) is unaffected.
"RUSTSEC-2023-0071",
]
# ---------------------------------------------------------------------------
# Licenses: allow permissive only. No GPL/AGPL/LGPL/SSPL.
# ---------------------------------------------------------------------------
[]
= 2
= [
"MIT",
"Apache-2.0",
"Apache-2.0 WITH LLVM-exception",
"BSD-2-Clause",
"BSD-3-Clause",
"ISC",
"Unicode-DFS-2016",
"Unicode-3.0",
"MPL-2.0",
"Zlib",
"CC0-1.0",
# webpki-roots ships the Mozilla CA bundle; its *data* is licensed
# CDLA-Permissive-2.0 (a permissive, no-copyleft data license). Pulled
# transitively via reqwest -> rustls.
"CDLA-Permissive-2.0",
]
= 0.93
# Crates that ship without SPDX-tagged metadata can be allowlisted with a
# clarification. Keep this list short and audited.
[[]]
= "ring"
= "MIT AND ISC AND OpenSSL"
= [
{ = "LICENSE", = 0xbd0eed23 },
]
# ---------------------------------------------------------------------------
# Bans: no duplicate versions of major deps, no wildcard versions.
# Crypto crates are particularly prone to v0.x churn; we *do* allow some
# overlap because the RustCrypto ecosystem versions independently.
# ---------------------------------------------------------------------------
[]
= "deny"
= "deny"
= "all"
= "allow"
= "allow"
# Pragmatic skips: these crates legitimately appear at multiple versions in
# the dep graph today via transitive deps and aren't worth blocking releases
# on. Re-evaluate periodically — ideally this list shrinks.
= [
# `rand` / `rand_core` / `rand_chacha` / `getrandom` span multiple major
# versions across INDEPENDENT transitive chains we don't control:
# - older line: the RustCrypto signature stack (elliptic-curve ->
# rand_core 0.6 -> getrandom 0.2) and rsa (num-bigint-dig -> rand 0.8);
# - newer line: our own rand 0.9 (proxy nonce generation) -> rand_core 0.9
# -> getrandom 0.3.
# None are ours to unify; the rsa-side ones clear when rsa migrates off
# num-bigint-dig in its 0.10 release (see [advisories] note). Skip the
# older versions so the duplicate guard stays active elsewhere.
{ = "rand", = "0.8" },
{ = "rand_chacha", = "0.3" },
{ = "rand_core", = "0.6" },
{ = "getrandom", = "0.2" },
]
= []
# Deny anything that would pull a C build toolchain back in — the whole
# point of this crate is to avoid libxml2/xmlsec.
= [
{ = "openssl" },
{ = "openssl-sys" },
{ = "native-tls" },
]
# ---------------------------------------------------------------------------
# Sources: only crates.io + this repo. No random git deps.
# ---------------------------------------------------------------------------
[]
= "deny"
= "deny"
= ["https://github.com/rust-lang/crates.io-index"]
= []