|
| 1 | +# cargo-deny configuration file |
| 2 | +# https://embarkstudios.github.io/cargo-deny/ |
| 3 | + |
| 4 | +[graph] |
| 5 | +# If 1 or more target triples are specified, only the packages matching the |
| 6 | +# target triples will be considered when building the crate graph. |
| 7 | +targets = [ |
| 8 | + "x86_64-unknown-linux-gnu", |
| 9 | + "x86_64-unknown-linux-musl", |
| 10 | + "x86_64-apple-darwin", |
| 11 | + "aarch64-apple-darwin", |
| 12 | +] |
| 13 | + |
| 14 | +[advisories] |
| 15 | +# The path where the advisory databases are cloned/fetched into |
| 16 | +db-path = "~/.cargo/advisory-dbs" |
| 17 | +# The url(s) of the advisory databases to use |
| 18 | +db-urls = ["https://github.com/rustsec/advisory-db"] |
| 19 | +# The lint level for security vulnerabilities |
| 20 | +vulnerability = "deny" |
| 21 | +# The lint level for unmaintained crates |
| 22 | +unmaintained = "warn" |
| 23 | +# The lint level for crates that have been yanked from their source registry |
| 24 | +yanked = "warn" |
| 25 | +# The lint level for crates with security notices |
| 26 | +notice = "warn" |
| 27 | +# A list of advisory IDs to ignore. Note that ignored advisories will still |
| 28 | +# output a note when they are encountered. |
| 29 | +ignore = [ |
| 30 | + # Ignore specific advisories if needed |
| 31 | + # "RUSTSEC-2020-0001", |
| 32 | +] |
| 33 | + |
| 34 | +[licenses] |
| 35 | +# The confidence threshold for detecting a license from a license text. |
| 36 | +confidence-threshold = 0.8 |
| 37 | +# List of explicitly allowed licenses |
| 38 | +allow = [ |
| 39 | + "Apache-2.0", |
| 40 | + "Apache-2.0 WITH LLVM-exception", |
| 41 | + "MIT", |
| 42 | + "BSD-2-Clause", |
| 43 | + "BSD-3-Clause", |
| 44 | + "ISC", |
| 45 | + "Unicode-DFS-2016", |
| 46 | + "CC0-1.0", |
| 47 | +] |
| 48 | +# List of explicitly disallowed licenses |
| 49 | +deny = [ |
| 50 | + "GPL-2.0", |
| 51 | + "GPL-3.0", |
| 52 | + "AGPL-1.0", |
| 53 | + "AGPL-3.0", |
| 54 | +] |
| 55 | +# Lint level for when multiple versions of the same license are detected |
| 56 | +multiple-versions = "warn" |
| 57 | +# Some crates don't have (easily) machine readable licensing information, |
| 58 | +# adding a clarification or license text here will help cargo-deny |
| 59 | +exceptions = [ |
| 60 | + # Ring has a complex but compatible license |
| 61 | + { allow = ["MIT", "ISC", "OpenSSL"], name = "ring" }, |
| 62 | + { allow = ["Unicode-DFS-2016"], name = "unicode-ident" }, |
| 63 | +] |
| 64 | + |
| 65 | +[bans] |
| 66 | +# Lint level for when multiple versions of the same crate are detected |
| 67 | +multiple-versions = "warn" |
| 68 | +# Lint level for when a crate version requirement is `*` |
| 69 | +wildcards = "allow" |
| 70 | +highlight = "all" |
| 71 | +# List of crates that are allowed. Use with care! |
| 72 | +allow = [ |
| 73 | + # Add specific crates that might trigger false positives |
| 74 | +] |
| 75 | +# List of crates to deny |
| 76 | +deny = [ |
| 77 | + # Crates that are known to be problematic |
| 78 | + { name = "openssl", use-instead = "rustls" }, |
| 79 | + { name = "cmake" }, # Prefer pure Rust solutions |
| 80 | +] |
| 81 | + |
| 82 | +[sources] |
| 83 | +# Lint level for what to happen when a crate from a crate registry that is |
| 84 | +# not in the allow list is encountered |
| 85 | +unknown-registry = "warn" |
| 86 | +# Lint level for what to happen when a crate from a git repository that is not |
| 87 | +# in the allow list is encountered |
| 88 | +unknown-git = "warn" |
| 89 | +# List of allowed registries |
| 90 | +allow-registry = ["https://github.com/rust-lang/crates.io-index"] |
| 91 | +# List of allowed Git repositories |
| 92 | +allow-git = [] |
0 commit comments