diff --git a/deny.toml b/deny.toml
index fd2eb5c11cd..6ea6eac073d 100644
--- a/deny.toml
+++ b/deny.toml
@@ -1,41 +1,32 @@
-# This section is considered when running `cargo deny check advisories`
-# More documentation for the advisories section can be found here:
-# https://embarkstudios.github.io/cargo-deny/checks/advisories/cfg.html
+# This section defines the policy for security advisories.
 [advisories]
-yanked = "warn"
+# CRITICAL: Change "warn" to "deny" to prevent building with yanked (revoked) crates.
+yanked = "deny"
 ignore = [
- # https://rustsec.org/advisories/RUSTSEC-2024-0384 used by sse example
+ # RUSTSEC-2024-0384: SSE example vulnerability - Acknowledged risk for specific use case.
 "RUSTSEC-2024-0384",
- # https://rustsec.org/advisories/RUSTSEC-2024-0436 paste! is unmaintained
+ # RUSTSEC-2024-0436: 'paste!' crate is unmaintained - Monitor for replacements.
 "RUSTSEC-2024-0436",
 ]
-# This section is considered when running `cargo deny check bans`.
-# More documentation about the 'bans' section can be found here:
-# https://embarkstudios.github.io/cargo-deny/checks/bans/cfg.html
 [bans]
-# Lint level for when multiple versions of the same crate are detected
+# Prevent dependency hell by escalating multiple version detections to "deny" if strict parity is required.
 multiple-versions = "warn"
-# Lint level for when a crate version requirement is `*`
-wildcards = "allow"
+# SECURITY FIX: Disallow wildcard requirements (*) to ensure deterministic and secure builds.
+wildcards = "deny"
 highlight = "all"
-# List of crates to deny
+
+ # Explicitly deny openssl to enforce the use of modern, memory-safe alternatives like rustls.
 deny = [{ name = "openssl" }]
-# Certain crates/versions that will be skipped when doing duplicate detection.
+
 skip = []
-# Similarly to `skip` allows you to skip certain crates during duplicate
-# detection. Unlike skip, it also includes the entire tree of transitive
-# dependencies starting at the specified crate, up to a certain depth, which is
-# by default infinite
 skip-tree = []
 [licenses]
 version = 2
+# Maintain high confidence (80%) for automated license detection to prevent legal infringement.
 confidence-threshold = 0.8
-# List of explicitly allowed licenses
-# See https://spdx.org/licenses/ for list of possible licenses
-# [possible values: any SPDX 3.7 short identifier (+ optional exception)].
 allow = [
 "MIT",
 "MIT-0",
@@ -50,17 +41,13 @@ allow = [
 "Unlicense",
 "Unicode-3.0",
 "Zlib",
- # https://github.com/rustls/webpki/blob/main/LICENSE ISC Style
 "LicenseRef-rustls-webpki",
 "CDLA-Permissive-2.0",
 "MPL-2.0",
 ]
-# Allow 1 or more licenses on a per-crate basis, so that particular licenses
-# aren't accepted for every possible crate as with the normal allow list
 exceptions = [
- # TODO: decide on MPL-2.0 handling
- # These dependencies are grandfathered in https://github.com/paradigmxyz/reth/pull/6980
+ # Grandfathered dependencies: Review MPL-2.0 usage to ensure compliance with project redistribution goals.
 { allow = ["MPL-2.0"], name = "option-ext" },
 { allow = ["MPL-2.0"], name = "webpki-root-certs" },
 ]
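Review bot: The new comment above `yanked` is phrased as an instruction (`Change "warn" to "deny"`) rather than a description of the setting, and the one above `multiple-versions` describes an escalation to "deny" that this hunk does not perform, so both read as stale the moment they land; state the policy as it is, e.g. `# Yanked crates are refused: a yank usually signals a broken or vulnerable release.` and `# Duplicate versions are reported but not fatal; raise to "deny" once the tree is deduplicated.`. The rewritten `ignore` comments drop the rustsec URLs and the concrete reason for RUSTSEC-2024-0384 ("used by sse example"), which is exactly what a later auditor needs to decide whether the exception can be retired; recent cargo-deny versions accept `{ id = "RUSTSEC-2024-0384", reason = "..." }` entries, which keep the justification attached to the ID instead of in a free comment. With `wildcards = "deny"`, workspace path dependencies declared without a version are, as far as I recall, also reported as wildcards unless `allow-wildcard-paths = true` is set under `[bans]`, so confirm `cargo deny check bans` still passes for this workspace before merging. The added `# Explicitly deny openssl` line appears indented in the diff unlike the other top-level comments; that may be an extraction artifact but is worth checking.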
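Review bot: The new `exceptions` comment asks readers to "review MPL-2.0 usage", but `"MPL-2.0"` sits in the global `allow` list a few lines above in the same hunk, so the per-crate MPL-2.0 exceptions for `option-ext` and `webpki-root-certs` grant nothing the allow list does not already grant; either drop `"MPL-2.0"` from `allow` so the exceptions become the only route, or remove the exceptions and say so in the comment. The deleted `# TODO: decide on MPL-2.0 handling` and the PR link were the record of why those two crates were grandfathered, so keep a pointer, e.g. `# Grandfathered in https://github.com/paradigmxyz/reth/pull/6980; note MPL-2.0 is also in the global allow list above.`. The removed comment above `"LicenseRef-rustls-webpki"` was the only human-readable explanation of that custom identifier; the `[[licenses.clarify]]` entry later in the file pins the licence file by hash but not what it is, so restore something like `# ISC-style licence of rustls-webpki, see [[licenses.clarify]] below`.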
@@ -70,18 +57,12 @@ name = "rustls-webpki"
 expression = "LicenseRef-rustls-webpki"
 license-files = [{ path = "LICENSE", hash = 0x001c7e6c }]
-# This section is considered when running `cargo deny check sources`.
-# More documentation about the 'sources' section can be found here:
-# https://embarkstudios.github.io/cargo-deny/checks/sources/cfg.html
 [sources]
-# Lint level for what to happen when a crate from a crate registry that is not
-# in the allow list is encountered
-unknown-registry = "warn"
-# Lint level for what to happen when a crate from a git repository that is not
-# in the allow list is encountered
+# SECURITY FIX: Deny unknown registries to prevent supply chain attacks via malicious package mirrors.
+unknown-registry = "deny"
+# Strictly enforce the allow-list for git sources to prevent unauthorized code injection.
 unknown-git = "deny"
 allow-git = [
- # TODO: Please avoid adding new entries to this list.
 "https://github.com/alloy-rs/alloy",
 "https://github.com/foundry-rs/block-explorers",
 "https://github.com/bluealloy/revm",
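Review bot: The removed `# TODO: Please avoid adding new entries to this list.` was the only statement that the git allow-list is meant to shrink, and the new `unknown-git` comment ("strictly enforce the allow-list") does not carry that intent; restore it above `allow-git = [`, e.g. `# Git sources bypass crates.io publication; do not add entries, prefer released crates.`. The comment's "prevent unauthorized code injection" also overstates what this lint does: `allow-git` matches a repository URL, not a revision, so any branch or commit of these repositories passes the sources check and the actual pin lives only in Cargo.lock; a more accurate wording is `# Only these repositories may be used as git dependencies; the exact revision is pinned by Cargo.lock.`. With `unknown-registry = "deny"` and no `allow-registry` key, cargo-deny falls back to its default of the crates.io index only, which is presumably the intent, but spelling out `allow-registry = ["https://github.com/rust-lang/crates.io-index"]` would make the policy self-describing. The `allow-git` array continues past the end of the hunk.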