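# cargo-deny configuration: supply-chain policy for this workspace
# (advisory ignores, duplicate-crate bans, allowed sources and licenses).
# Anything not set here falls back to cargo-deny's defaults.

[graph]
# Cargo deny will check dependencies via `--all-features`, so feature-gated
# dependencies are covered by every check below as well.
all-features = true

[bans]
# "warn" only reports duplicate crate versions; it does not fail the check.
# Crates where duplication is actively harmful are denied individually below.
multiple-versions = "warn"

# Deny multiple versions of metrics - having multiple versions causes metrics
# to use separate global recorders, silently breaking metrics collection.
[[bans.deny]]
name = "metrics"
deny-multiple-versions = true
reason = "metrics crate uses a global recorder - multiple versions may break metrics silently"

[advisories]
version = 2
# Every ignored advisory carries a `reason` explaining why the risk is accepted
# and, where one exists, the condition under which the entry should be dropped.
# Re-check this list whenever the referenced upstream crates are bumped.
ignore = [
    # NOTE(review): no concrete drop condition is recorded for this entry; revisit
    # once the switch to alkali is scheduled.
    { id = "RUSTSEC-2021-0137", reason = "we will switch to alkali eventually" },
    # https://github.com/mehcode/config-rs/issues/563
    { id = "RUSTSEC-2024-0402", reason = "waiting for `index-map` crate to remove the dependency" },
    { id = "RUSTSEC-2024-0421", reason = "waiting for `mongodb` crate to remove the dependency" },
    { id = "RUSTSEC-2024-0436", reason = "deep subdependency from several aws and sqlx crates" },
    # Doing this (see PR: https://github.com/worldcoin/iris-mpc/commit/f209e6e9b4195c766f7accf465f5d69c59e9157f)
    # caused a 3x slowdown in performance. Needs to be investigated thoroughly, though most likely it is due
    # to the bump in tokio.
    { id = "RUSTSEC-2025-0056", reason = "Bumping adler requires bumping backtrace and possibly tokio" },
    # rustls-pemfile is required by reqwest and tonic, we will switch once they do
    { id = "RUSTSEC-2025-0134", reason = "No mature alternative available yet" },
    # bincode is no longer maintained, but it's considered finalized by the authors; we can switch to a maintained alternative at some point
    { id = "RUSTSEC-2025-0141", reason = "stable even if no longer maintained" },
    { id = "RUSTSEC-2026-0097", reason = "transitive rand 0.9.2 via metrics-util 0.19.x (metrics-exporter-prometheus → telemetry-batteries); UB requires a custom log::Log logger calling rand::rng() — iris-mpc uses tracing with no such logger. Drop once metrics-exporter-prometheus bumps metrics-util to a version using rand >=0.9.3." },
    # The three rustls-webpki 0.101.7 entries below share one root cause (the legacy
    # rustls 0.21 chain under aws-config 1.5.x) and one fix path; drop them together.
    { id = "RUSTSEC-2026-0098", reason = "rustls-webpki 0.101.7 pulled transitively through aws-config 1.5.x via the legacy rustls 0.21 chain; bug silently accepts URI name constraints instead of rejecting them — only exploitable via CA misissuance of URI-constrained certs, and our TLS usage targets AWS endpoints where this isn't used. The 0.101.x line has no fix; drop once aws-config is bumped to drop the legacy rustls 0.21 chain." },
    { id = "RUSTSEC-2026-0099", reason = "same rustls-webpki 0.101.7 chain as RUSTSEC-2026-0098; sibling bug accepts DNS name constraints for wildcard-asserting certs. Same misissuance-required exploit model, same AWS-TLS-only attack surface, same fix path (bump aws-config off the legacy rustls 0.21 chain)." },
    { id = "RUSTSEC-2026-0104", reason = "rustls-webpki 0.101.7 pulled transitively through aws-config 1.5.x via the legacy rustls 0.21 chain; reachable panic in certificate revocation list parsing — only triggered when parsing CRLs, which iris-mpc does not do (TLS to AWS endpoints only). The 0.101.x line has no fix; drop once aws-config is bumped to drop the legacy rustls 0.21 chain." },
    { id = "RUSTSEC-2026-0002", reason = "lru 0.12.5 pulled transitively through aws-sdk-s3 1.65.0; Stacked Borrows soundness issue in IterMut — iris-mpc does not use lru directly and aws-sdk-s3 uses it for internal endpoint/credential caching that does not iterate mutably. Patched in lru >=0.16.3; drop once aws-sdk-s3 is bumped to a release pulling the patched lru. Note: cargo-deny 0.19+ demotes unsound informational advisories to notes locally, so this is only surfaced by the CI action (currently pinned to cargo-deny 0.18.6)." },
    { id = "RUSTSEC-2026-0176", reason = "pyo3 0.24.2 out-of-bounds read in PyList/PyTuple iterators; fixed in >=0.29.0. iris-mpc-py is a test-only tool with no production exposure; drop once iris-mpc-py updates to pyo3 >=0.29.0" },
    { id = "RUSTSEC-2026-0177", reason = "pyo3 0.24.2 missing Sync bound on PyCFunction::new_closure; fixed in >=0.29.0. iris-mpc-py is a test-only tool with no production exposure; drop once iris-mpc-py updates to pyo3 >=0.29.0" },
]

[sources]
# Fail the check if any crate comes from a registry cargo-deny does not know.
unknown-registry = "deny"
# NOTE(review): `unknown-git` is left at cargo-deny's default here, so git
# dependencies from unlisted hosts are not rejected by this file; set it
# explicitly if git sources are not expected in this workspace.

[licenses]
version = 2
# We want really high confidence when inferring licenses from text
confidence-threshold = 1.0
# List of explicitly allowed licenses, kept sorted alphabetically so additions
# are easy to review.
# See https://spdx.org/licenses/ for list of possible licenses
allow = [
    "0BSD",
    "Apache-2.0",
    "Apache-2.0 WITH LLVM-exception",
    "BSD-2-Clause",
    "BSD-2-Clause-Patent",
    "BSD-3-Clause",
    "BSL-1.0",
    "CC0-1.0",
    "CDDL-1.0",
    "CDLA-Permissive-2.0",
    "ISC",
    "LicenseRef-ring",
    "MIT",
    "MPL-2.0", # Although this is copyleft, it is scoped to modifying the original files
    "OpenSSL",
    "Unicode-3.0",
    "Unicode-DFS-2016",
    "Unlicense",
    "Zlib",
]

# See https://github.com/briansmith/ring/blob/95948b3977013aed16db92ae32e6b8384496a740/deny.toml#L12
# The `hash` on each license file presumably ties the clarification to the
# exact file contents, so an upstream license change is not silently accepted
# under the old expression — confirm against the cargo-deny docs.
[[licenses.clarify]]
name = "ring"
expression = "LicenseRef-ring"
license-files = [
    { path = "LICENSE", hash = 0xbd0eed23 },
]

# The nix crate is MIT licensed. The GPL-2.0 file detected in the source tree
# is a test fixture (test/test_kmod/hello_mod/hello.c) that is not part of the
# compiled library and does not affect the license of code linking against nix.
[[licenses.clarify]]
name = "nix"
expression = "MIT"
license-files = [
    { path = "LICENSE", hash = 0x6ec9b2e5 },
]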