Setup cargo-deny (#2638)

Using [`cargo-deny`](https://embarkstudios.github.io/cargo-deny/) to ensure that disallowed dependencies removed in #2423 do not accidentally make their way back in. `cargo-deny` subsumes the `cargo-audit` functionality, so switch to the `cargo-deny` version. Setting this up required explicitly stating the license which was not in some of our `Cargo.toml` files.
2025-06-11 09:41:37 +00:00 · 2022-11-22 02:23:20 +13:00 · 2022-11-22 02:23:20 +13:00 · 04d39a3f28
commit 04d39a3f28
parent 894dcc62be
10 changed files with 48 additions and 15 deletions
--- a/.devcontainer/install-dependencies.sh
+++ b/.devcontainer/install-dependencies.sh
@ -5,7 +5,7 @@ set -eux
 # Note that this script runs as user 'vscode' during devcontainer setup.

 # Rust global tools, needed to run CI scripts
-"$HOME/.cargo/bin/cargo" install cargo-audit cargo-license@0.4.2 cargo-llvm-cov
+"$HOME/.cargo/bin/cargo" install cargo-license@0.4.2 cargo-llvm-cov cargo-deny
 "$HOME/.cargo/bin/rustup" component add llvm-tools-preview

 # NPM global tools
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -18,7 +18,7 @@ env:
  CARGO_TERM_COLOR: always
  SCCACHE_DIR: ${{github.workspace}}/sccache/
  SCCACHE_CACHE_SIZE: 1G
-  ACTIONS_CACHE_KEY_DATE: 2022-10-28-01
+  ACTIONS_CACHE_KEY_DATE: 2022-11-21-02
  CI: true
  DOTNET_VERSION: 7.0.x

--- a/src/agent/dynamic-library/Cargo.toml
+++ b/src/agent/dynamic-library/Cargo.toml
@ -2,6 +2,7 @@
 name = "dynamic-library"
 version = "0.1.0"
 edition = "2021"
+license = "MIT"

 [dependencies]
 anyhow = "1.0"
@ -26,7 +27,7 @@ features = [
    "shellapi",
    "werapi",
    "winbase",
-    "winerror"
+    "winerror",
 ]

 [[bin]]
--- a/src/agent/onefuzz-agent/Cargo.toml
+++ b/src/agent/onefuzz-agent/Cargo.toml
@ -4,6 +4,7 @@ version = "0.1.0"
 authors = ["fuzzing@microsoft.com"]
 edition = "2018"
 publish = false
+license = "MIT"

 [dependencies]
 anyhow = { version = "1.0", features = ["backtrace"] }
@ -13,7 +14,11 @@ env_logger = "0.9"
 futures = "0.3"
 log = "0.4"
 onefuzz = { path = "../onefuzz" }
-reqwest = { version = "0.11", features = ["json", "stream", "native-tls-vendored"], default-features = false}
+reqwest = { version = "0.11", features = [
+    "json",
+    "stream",
+    "native-tls-vendored",
+], default-features = false }
 serde = { version = "1.0", features = ["derive"] }
 serde_json = "1.0"
 storage-queue = { path = "../storage-queue" }
--- a/src/agent/stacktrace-parser/Cargo.toml
+++ b/src/agent/stacktrace-parser/Cargo.toml
@ -3,6 +3,7 @@ name = "stacktrace-parser"
 version = "0.1.0"
 authors = ["<fuzzing@microsoft.com>"]
 edition = "2018"
+license = "MIT"

 [dependencies]
 anyhow = "1.0"
--- a/src/ci/agent.sh
+++ b/src/ci/agent.sh
@ -37,7 +37,7 @@ cd src/agent

 rustc --version
 cargo --version
-cargo audit --version
+cargo deny --version
 cargo clippy --version
 cargo fmt --version
 cargo license --version
@ -48,9 +48,7 @@ if [ X${CARGO_INCREMENTAL} == X ]; then
 fi

 cargo fmt -- --check
-# RUSTSEC-2022-0048: xml-rs is unmaintained
-# RUSTSEC-2021-0139: ansi_term is unmaintained
-cargo audit --deny warnings --deny unmaintained --deny unsound --deny yanked --ignore RUSTSEC-2022-0048 --ignore RUSTSEC-2021-0139
+cargo deny -L error check
 cargo license -j > data/licenses.json
 cargo build --release --locked
 cargo clippy --release --locked --all-targets -- -D warnings
--- a/src/ci/proxy.sh
+++ b/src/ci/proxy.sh
@ -12,13 +12,11 @@ mkdir -p artifacts/proxy
 cd src/proxy-manager
 cargo fmt -- --check
 cargo clippy --release --all-targets -- -D warnings
-# RUSTSEC-2022-0048: xml-rs is unmaintained
-# RUSTSEC-2021-0139: ansi_term is unmaintained
-cargo audit --deny warnings --deny unmaintained --deny unsound --deny yanked --ignore RUSTSEC-2022-0048 --ignore RUSTSEC-2021-0139
+cargo deny -L error check
 cargo license -j > data/licenses.json
 cargo build --release --locked
 # export RUST_LOG=trace
 export RUST_BACKTRACE=full
-cargo test --release
+cargo test --release --locked

 cp target/release/onefuzz-proxy-manager ../../artifacts/proxy
--- a/src/ci/rust-prereqs.sh
+++ b/src/ci/rust-prereqs.sh
@ -11,7 +11,7 @@ fi
 # sccache --start-server
 # export RUSTC_WRAPPER=$(which sccache)

-cargo install cargo-audit cargo-llvm-cov
+cargo install cargo-llvm-cov cargo-deny

 if ! cargo license --help; then
    cargo install cargo-license@0.4.2
--- a/src/deny.toml
+++ b/src/deny.toml
@ -0,0 +1,30 @@
+[licenses]
+allow = [
+    "Apache-2.0 WITH LLVM-exception",
+    "Apache-2.0",
+    "BSD-3-Clause",
+    "CC0-1.0",
+    "ISC",
+    "MIT",
+    "Zlib",
+]
+
+[advisories]
+vulnerability = "deny"
+unmaintained = "deny"
+unsound = "deny"
+yanked = "deny"
+ignore = [
+    "RUSTSEC-2022-0048", # xml-rs is unmaintained
+    "RUSTSEC-2021-0139", # ansi_term is unmaintained
+]
+
+[bans]
+
+# disallow rustls; we must use OpenSSL
+[[bans.deny]]
+name = "rustls"
+
+# disallow ring; unapproved crypto
+[[bans.deny]]
+name = "ring"
--- a/src/proxy-manager/Cargo.lock
+++ b/src/proxy-manager/Cargo.lock
@ -1076,9 +1076,9 @@ dependencies = [

 [[package]]
 name = "serde-xml-rs"
-version = "0.5.1"
+version = "0.6.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "65162e9059be2f6a3421ebbb4fef3e74b7d9e7c60c50a0e292c6239f19f1edfa"
+checksum = "fb3aa78ecda1ebc9ec9847d5d3aba7d618823446a049ba2491940506da6e2782"
 dependencies = [
 "log",
 "serde",