-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathdeny.toml
102 lines (99 loc) · 4 KB
/
deny.toml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
# To comply with FIPS 140-2, we should not use crypto algorithms implemented in
# rust, instead we should delegate these operation to OpenSSL, including
# symmetric encryption, asymmetric encryption, hash functions,
# key establishment, digital signatures and random number generators.
[bans]
deny = [
# Hash functions
# We allow md5 for AWS S3 object lock feature which requires
# computting object's md5.
{ name = "md5", wrappers = ["aws"] },
{ name = "md-5", wrappers = ["aws-smithy-checksums"]},
{ name = "sha1", wrappers = ["aws-smithy-checksums"]},
{ name = "sha-1" },
# We allow sha2 for oauth2 and aws rust sdk crate, because it does use sha2 in TiKV use case.
{ name = "sha2", wrappers = ["oauth2", "aws-sigv4", "aws-smithy-checksums", "aws-sdk-s3"] },
{ name = "sha3" },
# Symmetric encryption
{ name = "aes" },
{ name = "aes-gcm" },
{ name = "aes-gcm-siv" },
{ name = "chacha20poly1305" },
# Asymmetric encryption
{ name = "elliptic-curves" },
{ name = "rsa" },
# Digital signatures
{ name = "dsa" },
{ name = "ecdsa" },
{ name = "ed25519" },
# Message authentication codes
{ name = "hmac", wrappers = ["aws-sigv4", "aws-sdk-s3"]},
# We prefer the system native TLS or OpenSSL.
{ name = "rustls" },
{ name = "ring" },
# Ban trait crates from RustCrypto.
{ name = "aead" },
{ name = "cipher" },
{ name = "digest", wrappers = ["sha2", "md-5", "sha1", "hmac"] },
{ name = "password-hash" },
{ name = "signature" },
]
multiple-versions = "allow"
[advisories]
vulnerability = "deny"
unmaintained = "allow" # FIXME: Deny it.
unsound = "deny"
yanked = "deny"
notice = "warn"
ignore = [
# Ignore time 0.1 RUSTSEC-2020-0071 as 1) we have taken measures (see
# clippy.toml) to mitigate the issue and 2) time 0.1 has no fix availble.
#
# NB: Upgrading to time 0.3 do fix the issue but it's an imcompatible
# versoin which removes some necessary APIs (`time::precise_time_ns`) that
# are required by TiKV.
# See https://github.com/time-rs/time/blob/8067540c/CHANGELOG.md#L703
"RUSTSEC-2020-0071",
# Ignore RUSTSEC-2023-0072 as we ban the unsound `X509StoreRef::objects`.
#
# NB: Upgrading rust-openssl the latest version do fix the issue but it
# also upgrade the OpenSSL to v3.x which causes performance degradation.
# See https://github.com/openssl/openssl/issues/17064
"RUSTSEC-2023-0072",
# Ignore RUSTSEC-2024-0357 as there is no `MemBio::get_buf` in TiKV, also
# we ban all openssl (Rust) APIs that call `MemBio::get_buf`.
#
# See https://github.com/sfackler/rust-openssl/pull/2266
"RUSTSEC-2024-0357",
# Ignore RUSTSEC-2021-0145 (unsound issue of "atty" crate) as it only
# affects Windows plaform which is not supported offically by TiKV, and 2)
# we have disabled the clap feature "color" so that the "atty" crate is not
# included in production code.
#
# TODO: Upgrade clap to v4.x.
"RUSTSEC-2021-0145",
]
# TiKV is licensed under Apache 2.0, according to ASF 3RD PARTY LICENSE POLICY,
# TiKV can include licenses in Category A, and include licenses in Category B
# under certain conditions.
# See https://www.apache.org/legal/resolved.html.
[licenses]
unlicensed = "deny"
copyleft = "deny"
private = { ignore = false }
# Allow licenses in Category A
allow = ["0BSD", "Apache-2.0", "BSD-3-Clause", "CC0-1.0", "ISC", "MIT", "Zlib", "Unicode-3.0"]
exceptions = [
# unicode-ident includes data generated from Unicode Character Database
# which is licensed under Unicode-DFS-2016.
# See https://github.com/dtolnay/unicode-ident/pull/4
{ name = "unicode-ident", allow = ["Unicode-DFS-2016"] },
# Allow licenses in Category B explicitly, make their usage more prominent.
{ name = "slog-json", allow = ["MPL-2.0"] },
{ name = "smartstring", allow = ["MPL-2.0"] },
{ name = "inferno", allow = ["CDDL-1.0"] },
]
[sources]
unknown-git = "deny"
unknown-registry = "deny"
allow-org = { github = ["tikv", "pingcap", "rust-lang"] }