# cargo-deny configuration for supply chain security
# This file configures cargo-deny to ensure dependencies meet security and licensing standards
# Run with: cargo deny check
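# License checking configuration
[licenses]
# Allow-list of SPDX license identifiers. A crate whose license expression is
# not satisfied by this list (and is not covered by `exceptions`) fails the check.
allow = [
    "MIT",
    "Apache-2.0",
    "Apache-2.0 WITH LLVM-exception",
    "BSD-2-Clause",
    "BSD-3-Clause",
    "ISC",
    "Unicode-DFS-2016",
    "CC0-1.0",
    "Unlicense",
]
# Explicitly denied (copyleft / network-copyleft) licenses. Kept separate from the
# allow-list so the intent is visible even if the allow-list grows.
# NOTE(review): bare ids such as "GPL-2.0" / "LGPL-2.1" are the deprecated SPDX
# forms (SPDX now uses "-only" / "-or-later"); confirm the cargo-deny version in
# use still accepts them. Newer cargo-deny also offers a `version = 2` license
# config in which this `deny` list no longer exists and anything not in `allow`
# is rejected — confirm before upgrading.
deny = [
    "GPL-2.0",
    "GPL-3.0",
    "AGPL-1.0",
    "AGPL-3.0",
    "LGPL-2.0",
    "LGPL-2.1",
    "LGPL-3.0",
    "EUPL-1.0",
    "EUPL-1.1",
    "EUPL-1.2",
    "CPAL-1.0",
    "OSL-1.0",
    "OSL-1.1",
    "OSL-2.0",
    "OSL-2.1",
    "OSL-3.0",
]
# Minimum confidence (0.0-1.0) that a crate's license text matches the SPDX id
# cargo-deny detects for it; 0.8 is cargo-deny's documented default. Lowering it
# makes license detection more permissive, so change it deliberately.
confidence-threshold = 0.8
# Per-crate exceptions: additional licenses accepted for the named crate only,
# despite not being in `allow`.
exceptions = [
    # ring ships a custom ISC-style license text.
    # NOTE(review): an exception only matches the license expression cargo-deny
    # derives for the crate; a LicenseRef-* id normally needs a matching
    # [[licenses.clarify]] entry, which this file does not contain — confirm this
    # exception actually takes effect rather than silently never matching.
    { name = "ring", allow = ["LicenseRef-ring"] },
    # unicode-normalization bundles Unicode data tables under Unicode-3.0.
    { name = "unicode-normalization", allow = ["Unicode-3.0"] },
]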
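# Security advisories configuration (RustSec advisory database)
[advisories]
# Local clone of the advisory database.
db-path = "~/.cargo/advisory-db"
# Advisory database(s) to fetch; only the upstream RustSec DB is used.
db-urls = ["https://github.com/rustsec/advisory-db"]
# Crates with a known vulnerability fail the check.
vulnerability = "deny"
# Unmaintained crates receive no upstream fixes and are a common supply-chain
# weak point. Surface them as warnings (previously "none", which hid them
# entirely) so they show up in CI output without blocking builds; raise to
# "deny" once the current set has been triaged.
unmaintained = "warn"
# Soundness bugs (memory-safety defects without a CVE) fail the check.
unsound = "deny"
# Versions yanked from the registry are warned about, not blocked.
yanked = "warn"
# Informational security notices are warned about, not blocked.
notice = "warn"
# NOTE(review): newer cargo-deny releases deprecate the per-category lint levels
# above in favor of `version = 2` for this section, where the levels are fixed
# and `ignore` is the only tuning knob — confirm the cargo-deny version pinned
# in CI before changing this section.
# Advisories to ignore. Use sparingly: every entry should record why the advisory
# does not apply and when that assessment was made, so it can be re-checked.
# Newer cargo-deny accepts `{ id = "RUSTSEC-...", reason = "..." }` entries for
# exactly this purpose — confirm support in the version in use.
ignore = [
    # Example: ignore a specific advisory after assessing it as not applicable
    # "RUSTSEC-2020-0001",
]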
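# Dependency banning configuration
[bans]
# Multiple versions of one crate enlarge the audit surface; warn rather than deny
# because transitive duplicates are common and often outside this crate's control.
multiple-versions = "warn"
# Lint level for `*` version requirements.
# NOTE(review): "allow" is cargo-deny's default, but a wildcard requirement
# accepts any future release without review; consider "warn" for a
# supply-chain policy file.
wildcards = "allow"
# Graph highlighting used when emitting dotgraphs for duplicate crates.
highlight = "all"
# Crates that are allowed; when non-empty, every other crate is denied. Use with care.
allow = []
# Denied crates. `version` is a semver requirement; "*" (or omitting it) bans
# every version of the crate.
# NOTE(review): the version floors below restate advisories that the
# [advisories] check already enforces from RustSec and will go stale as new
# advisories land; prefer keeping only bans that encode a policy decision
# (e.g. deprecated crates) and record the advisory id next to any floor kept.
deny = [
    # Old/vulnerable versions of security-sensitive crates
    { name = "openssl", version = "<0.10.45" },
    { name = "openssl-sys", version = "<0.9.75" },
    { name = "rustls", version = "<0.21.0" },
    { name = "hyper", version = "<0.14.18" },
    { name = "reqwest", version = "<0.11.14" },
    { name = "tokio", version = "<1.21.0" },
    { name = "serde", version = "<1.0.136" },
    { name = "serde_json", version = "<1.0.85" },
    # Crates with known security issues
    { name = "yaml-rust", version = "*" }, # Use serde_yaml instead
    { name = "crossbeam-channel", version = "<0.5.2" },
    { name = "crossbeam-utils", version = "<0.8.7" },
    { name = "regex", version = "<1.5.5" },
    { name = "net2", version = "*" }, # Deprecated, use socket2
    { name = "tempfile", version = "<3.2.0" },
    # Crates that should be avoided for security/maintenance reasons
    { name = "chrono", version = "<0.4.23" }, # Time zone handling issues
    { name = "time", version = "<0.3.17" }, # Soundness issues in older versions
]
# Crates excluded from duplicate-version detection (optionally at a specific version).
skip = []
# Crates whose entire dependency subtree is excluded from duplicate-version
# detection; use for crates that deliberately pin older versions of shared
# dependencies.
skip-tree = []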
# Source validation configuration
[sources]
# A crate fetched from a registry that is not listed in `allow-registry`
# fails the check.
unknown-registry = "deny"
# A crate fetched from a git repository that is not listed in `allow-git`
# (or covered by `allow-org`) fails the check.
unknown-git = "deny"
# Registries crates may come from: the canonical crates.io index only.
allow-registry = ["https://github.com/rust-lang/crates.io-index"]
# Git repositories crates may come from: none.
allow-git = []
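# Organization-level allowance for git sources: any repository under a listed
# organization counts as an allowed git source for the `unknown-git` lint.
# NOTE(review): the original comment here stated that one or more crate sources
# must be allowed, that either `allow-registry` or `allow-git` is required for
# the [sources] section to be valid, and that unnamed registries are not
# supported; nothing else in this file establishes those constraints — confirm
# them against the cargo-deny version in use before relying on them.
[sources.allow-org]
# github.com organizations to allow git sources for
github = []
# gitlab.com organizations to allow git sources for
gitlab = []
# bitbucket.org organizations to allow git sources for
bitbucket = []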