kos-rs/deny.toml at develop · klever-io/kos-rs · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
[bans]
multiple-versions = "deny"
deny = [{ name = "libssh2-sys" }]
skip = [
    { name = "base64", version = "<=0.22" },    # openssl
    { name = "secp256k1", version = "0.29.1" }, # bitcoin locked at this version
    { name = "hash32", version = "0.2.1" },
    { name = "heapless", version = "0.7.17" },
]

skip-tree = [
    { crate = "lwk_common@0.9.0", reason = "third party integration" },
    { crate = "lwk_signer@0.8.0", reason = "third party integration" },
    { crate = "lwk_wollet@0.8.0", reason = "third party integration" },
]

[sources]
unknown-registry = "deny"
unknown-git = "deny"


[licenses]
confidence-threshold = 0.8
allow = [
    "Apache-2.0",
    "Apache-2.0 WITH LLVM-exception",
    "MIT",
    "MITNFA",
    "BSD-3-Clause",
    "BSD-2-Clause",
    "CC0-1.0",
    "MPL-2.0",
    "Zlib",
    "Unicode-3.0",
    "ISC",
    "BlueOak-1.0.0",
    "CDLA-Permissive-2.0",
]

[[licenses.clarify]]
name = "ring"
# SPDX considers OpenSSL to encompass both the OpenSSL and SSLeay licenses
# https://spdx.org/licenses/OpenSSL.html
# ISC - Both BoringSSL and ring use this for their new files
# MIT - "Files in third_party/ have their own licenses, as described therein. The MIT
# license, for third_party/fiat, which, unlike other third_party directories, is
# compiled into non-test libraries, is included below."
# OpenSSL - Obviously
expression = "ISC AND MIT AND OpenSSL"
license-files = [{ path = "LICENSE", hash = 0xbd0eed23 }]

[advisories]
ignore = [
    "RUSTSEC-2024-0436",                                                                                                                                                                                                                                                                   # paste unmaintained, but still used by uniffy
    "RUSTSEC-2021-0127",                                                                                                                                                                                                                                                                   # this libs is a sub-dependency of lwk_common/serde_cbol
    "RUSTSEC-2024-0384",                                                                                                                                                                                                                                                                   # this libs is a sub-dependency of lwk_common/serde_cbol
    "RUSTSEC-2024-0370",
    "RUSTSEC-2024-0421",
    { id = "RUSTSEC-2023-0089", reason = "this is a deprecation warning for a dependency of a dependency. https://github.com/jamesmunns/postcard/issues/223 tracks fixing the dependency; until that's resolved, we can accept the deprecated code as it has no known vulnerabilities." },
    "RUSTSEC-2025-0057",                                                                                                                                                                                                                                                                   # fxhash unmaintained - from lwk_wollet dependency
]