From 3cfd7fa035bb71aaf75f93d415d008b54e30e472 Mon Sep 17 00:00:00 2001
From: Eliah Kagan
Date: Sat, 5 Apr 2025 00:15:42 -0400
Subject: [PATCH 1/4] Delist LicenseRef-ring, as ring no longer uses it
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Before this change, we get a warning: $ cargo deny --workspace --all-features check licenses warning[license-not-encountered]: license was not encountered ┌─ /home/ek/source/repos/gitoxide/deny.toml:32:6 │ 32 │ "LicenseRef-ring", │ ━━━━━━━━━━━━━━━ unmatched license allowance licenses ok The same warning is shown in the `cargo-deny` job check on CI. This happens because `ring` no longer uses a custom/nonstandard license, instead using `Apache-2.0 AND ISC` since version 0.17.10. (See https://github.com/briansmith/ring/pull/2402 and https://crates.io/crates/ring/versions for details.) Nothing in this workspace depends directly or directly on old versions of `ring` that use that license, so this removes it from the list of licenses in `deny.toml`.
---
deny.toml | 1 -
1 file changed, 1 deletion(-)
diff --git a/deny.toml b/deny.toml
index a82e3b44407..dd76f31372f 100644
--- a/deny.toml
+++ b/deny.toml
@@ -29,7 +29,6 @@ allow = [
 "MIT",
 "MIT-0",
 "ISC",
- "LicenseRef-ring",
 "OpenSSL",
 "Zlib",
 "MPL-2.0",
From f8fb226950f9e5f3dc6898c28cf735dd0ec0da1b Mon Sep 17 00:00:00 2001
From: Eliah Kagan
Date: Sat, 5 Apr 2025 00:29:31 -0400
Subject: [PATCH 2/4] Use "reason" field to explain ignored advisory
This turns the comment in `cargo.deny` explaining why we currently ignore the informational advisory RUSTSEC-2024-0436 in `paste` into data that could be parsed and displayed by tools, by using the form with `id` and `reason` fields, where the old comment text is the value of the `reason` field. This is one of the forms documented in: https://embarkstudios.github.io/cargo-deny/checks/advisories/cfg.html#the-ignore-field-optional
---
deny.toml | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/deny.toml b/deny.toml
index dd76f31372f..26587fb91b6 100644
--- a/deny.toml
+++ b/deny.toml
@@ -9,8 +9,7 @@
 # https://embarkstudios.github.io/cargo-deny/checks/advisories/cfg.html
 [advisories]
 ignore = [
- # `paste` - macro crate without replacement
- "RUSTSEC-2024-0436"
+ { id = "RUSTSEC-2024-0436", reason = "`paste` - macro crate without replacement" },
 ]
From 7ad29e68f8096c08564febe1de78c2dba2e0a131 Mon Sep 17 00:00:00 2001
From: Eliah Kagan
Date: Sat, 5 Apr 2025 01:20:35 -0400
Subject: [PATCH 3/4] Reorder `with` subkeys in `cargo-deny-*` CI for clarity
This is only a minor improvement in clarity now, but the benefit will be greater with the immediately forthcoming change, and doing this separately makes it so the next commit can be reverted by itself once it is no longer needed.
---
.github/workflows/ci.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 726ca26243e..1752d8d356d 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -346,8 +346,8 @@ jobs:
 - uses: actions/checkout@v4
 - uses: EmbarkStudios/cargo-deny-action@v2
 with:
- arguments: --workspace --all-features
 command: check advisories
+ arguments: --workspace --all-features
 cargo-deny:
 runs-on: ubuntu-latest
@@ -356,8 +356,8 @@ jobs:
 - uses: actions/checkout@v4
 - uses: EmbarkStudios/cargo-deny-action@v2
 with:
- arguments: --workspace --all-features
 command: check bans licenses sources
+ arguments: --workspace --all-features
 wasm:
 name: WebAssembly
From 67d9bf494315a6b5b172bd81b330b1c60d16d46d Mon Sep 17 00:00:00 2001
From: Eliah Kagan
Date: Sat, 5 Apr 2025 01:34:21 -0400
Subject: [PATCH 4/4] On CI, have `cargo deny` allow RUSTSEC-2025-0021 via gix-testtools
This splits the `EmbarkStudios/cargo-deny-action` step in `cargo-deny-advisories` into two such steps: - Scan the workspace except prune `gix-testtools` and everything reachable through it (following it neither as a root, nor when it is found as dev dependency of another crate). This doesn't get to its obsolete dependencies, while still ensuring that nothing in the workspace *except* what we reach through `gix-testtools` is affected by RUSTSEC-2025-0021. - Scan the whole workspace, including `gix-testtools` and all its dependencies, including the obsolete version of `gix-features` that is affected by RUSTSEC-2025-0021. But ignore that advisory. To support this, steps are added to install the `yq`-associated `tomlq` command and use it to produce the modified configuration file for the second scan in a way that shouldn't break under any changes to comments, spacing, style, or ordering in `deny.toml`.
---
.github/workflows/ci.yml | 20 +++++++++++++++++++-
1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 1752d8d356d..c1df7e2d27f 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -344,10 +344,28 @@ jobs:
 steps:
 - uses: actions/checkout@v4
- - uses: EmbarkStudios/cargo-deny-action@v2
+ - name: Install tomlq
+ run: |
+ # The runner already has the `yq` command but not its associated `tomlq` command.
+ sudo apt-get update
+ sudo apt-get install yq
+ - name: Strict check, but omit gix-testtools
+ uses: EmbarkStudios/cargo-deny-action@v2
+ with:
+ command: check advisories
+ arguments: --workspace --all-features --exclude gix-testtools
+ - name: Configure less strict check
+ run: |
+ filter='.advisories.ignore += [
+ { id: "RUSTSEC-2025-0021", reason: "gix-testtools can’t upgrade from old gix-features yet" }
+ ]'
+ tomlq "$filter" deny.toml --toml-output > deny-but-ignore-RUSTSEC-2025-0021.toml
+ - name: Less strict check, but include gix-testtools
+ uses: EmbarkStudios/cargo-deny-action@v2
 with:
 command: check advisories
 arguments: --workspace --all-features
+ command-arguments: --config deny-but-ignore-RUSTSEC-2025-0021.toml
 cargo-deny:
 runs-on: ubuntu-latest
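Review bot: The `Install tomlq` step runs `sudo apt-get install yq` without `-y`, so if the install has to pull in any dependency packages apt asks for confirmation and, with no terminal attached on the runner, the step will abort rather than proceed; `sudo apt-get install -y --no-install-recommends yq` makes the install deterministic and keeps it minimal. The comment in that step could also state that the apt `yq` package appears to be a different implementation from the runner's preinstalled `yq` and is installed only for the `tomlq` it ships, since it places a second `yq` on the PATH; something like `# Installed only for tomlq; the preinstalled yq is a different implementation and does not ship it.` would make the intent explicit. It would also help auditing of the less strict scan if the `Configure less strict check` step printed the generated file, e.g. `cat deny-but-ignore-RUSTSEC-2025-0021.toml`, so the effective ignore list is visible in the job log next to the scan result.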