# cargo-deny configuration for security, licenses, bans, and sources.
# Docs: https://embarkstudios.github.io/cargo-deny/
#
# Lint levels used throughout this file: "deny" fails the check, "warn" reports
# but still passes, "allow" silences it. Only "deny" settings act as a CI gate.
################################################################################
# Dependency graph construction
################################################################################
[graph]
# Optionally restrict targets to check (kept commented by default).
# NOTE(review): with `all-features` left commented, the graph is built with the
# crates' default features only, so dependencies that are reachable only
# through optional features are not covered by the advisory, license, ban and
# source checks below. Enable it if optional features ship in any build.
# targets = [
# "x86_64-unknown-linux-gnu",
# { triple = "wasm32-unknown-unknown", features = ["atomics"] },
# ]
# all-features = true
# exclude-dev = true
# exclude-unpublished = false
################################################################################
# Security advisories (RustSec)
################################################################################
[advisories]
# Local clone/cache of the RustSec advisory DB
db-path = ".cargo/advisory-db"
# Upstream advisory DBs to use
db-urls = ["https://github.com/RustSec/advisory-db"]
# How to treat "unmaintained" advisories:
# one of: "all" | "workspace" | "transitive" | "none"
# (This is NOT a severity level; it scopes where the rule applies.)
# "workspace" reports only crates that workspace members depend on directly;
# an unmaintained crate deeper in the tree is not reported.
unmaintained = "workspace"
# Yanked crate versions still use classic lint levels.
# one of: "deny" | "warn" | "allow"
# NOTE(review): "warn" lets a build that resolves to a yanked version pass CI.
# Versions are often yanked for soundness or security reasons, so "deny" is
# the safer gate once Cargo.lock is known to be clean.
yanked = "warn"
# List of advisory IDs to ignore (RUSTSEC-YYYY-XXXX, etc.)
# Every entry must state why it is safe to ignore and should be re-evaluated
# whenever the affected dependency path or the exposed surface changes.
ignore = [
# "RUSTSEC-0000-0000",
"RUSTSEC-2024-0437", # protobuf 2.28 stack overflow — transitive via pingora-core→prometheus 0.13; we never parse untrusted protobuf (prometheus metrics endpoint is unused)
]
# Note:
# - Modern cargo-deny versions treat vulnerabilities as hard errors by default.
# - If you must silence a specific vuln, add its ID to `ignore` above.
# - The RUSTSEC-2024-0437 entry rests on the metrics endpoint staying unused;
#   revisit it if that endpoint is ever exposed or prometheus is upgraded.
################################################################################
# License policy
################################################################################
[licenses]
# Allow-list of SPDX license IDs. A crate whose license expression cannot be
# satisfied from this list (or from `exceptions` below) fails the check.
allow = [
"MIT",
"MIT-0",
"Apache-2.0",
"Apache-2.0 WITH LLVM-exception",
"BSD-2-Clause",
"BSD-3-Clause",
"BSL-1.0",
"ISC",
"Unicode-3.0",
"Unicode-DFS-2016",
"CDLA-Permissive-2.0",
"MPL-2.0",
"Zlib",
"CC0-1.0"
]
# Confidence threshold (0.0..1.0) for license text detection, used when
# cargo-deny has to infer a license from a bundled license file rather than
# from the crate's declared SPDX expression.
confidence-threshold = 0.8
# Per-crate exceptions (license(s) allowed only for a specific crate/version)
exceptions = [
# kreuzberg >=4.8.0 changed from MIT to Elastic License 2.0 (SPDX id
# "Elastic-2.0", often abbreviated EL-2.0).
# EL-2.0 is not on the default allow-list but is acceptable here because:
# 1. kreuzberg is an in-process library dependency, not a hosted service we resell.
# 2. Cyber Ware's document parsing is incidental to the platform's core value
# proposition; it is NOT a product sold primarily as a document-parsing service
# competing with kreuzberg.
# 3. The pin `=4.9.4` prevents silent upgrades; any future version bump must be
# reviewed for license changes.
# Reviewer sign-off required before removing or modifying this exception.
# The `=4.9.4` below only scopes this exception; the crate version itself is
# set in Cargo.toml / Cargo.lock. If that drifts to another release this entry
# stops matching and the license check fails loudly, which is the intent.
{ name = "kreuzberg", version = "=4.9.4", allow = ["Elastic-2.0"] },
]
# Private workspace crates handling
[licenses.private]
# If true, ignore unpublished/private workspace crates for license checks.
# Kept false so workspace crates must also declare an allowed license.
ignore = false
# Private registries considered "published" for the rule above
registries = [
# "https://example.com/registry",
]
################################################################################
# Duplicate versions / wildcards / bans
################################################################################
[bans]
# Multiple versions of the same crate in the graph. Duplicates widen the
# audit surface (each version is patched separately), hence at least "warn".
multiple-versions = "warn"
# Version wildcards like "*"
# NOTE(review): "allow" accepts `version = "*"` requirements, which pick up
# any published release on the next `cargo update`. Consider "warn" or "deny"
# so every dependency carries an explicit version bound.
wildcards = "allow"
# How to highlight in dot graphs when multiple versions are present
# "lowest-version" | "simplest-path" | "all"
highlight = "all"
# Default lint level for `default-features` on workspace deps (requires the
# `workspace-dependencies` feature in cargo-deny to take effect)
workspace-default-features = "allow"
# Allow-list of specific crates (use carefully)
allow = [
# { name = "ansi_term", version = "=0.11.0" },
]
# Deny-list of specific crates (optionally with version ranges/wrappers).
# `wrappers` names the crates that may still depend on the banned crate.
deny = [
# { name = "some-bad-crate", version = "*", wrappers = [] },
]
# Skip specific crate versions when checking for duplicates
skip = [
# { name = "ansi_term", version = "=0.11.0" },
]
# Remove a crate subtree entirely from the graph for checks (stronger than skip).
# Anything listed here is invisible to every other check in this file, so
# entries need the same justification as an advisory `ignore`.
skip-tree = [
# { name = "ansi_term", version = "=0.11.0", depth = 1 },
]
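################################################################################
# Allowed sources (registries and git)
################################################################################
[sources]
# Crate pulled from a registry that is not in `allow-registry`.
# "deny" so the allow-list below is actually enforced: at "warn" a crate from
# an unlisted registry is reported but the check still passes.
unknown-registry = "deny"
# Crate pulled from a git repository that is not in `allow-git`.
# "deny" for the same reason; git sources bypass registry publishing controls
# and are pinned only by the commit recorded in Cargo.lock.
unknown-git = "deny"
# Allowed crate registries (empty list => none allowed)
# Default crates.io index:
allow-registry = ["https://github.com/rust-lang/crates.io-index"]
# Allowed git repositories (empty => none). If a git dependency is introduced
# on purpose, add its repository URL here rather than relaxing `unknown-git`.
allow-git = []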