From e008001f137b7333f28cc0400d38cbc38109cb5e Mon Sep 17 00:00:00 2001 From: Emil Ernerfeldt Date: Mon, 11 Apr 2022 13:19:14 +0200 Subject: [PATCH 1/6] cargo-deny [cargo-deny](https://github.com/EmbarkStudios/cargo-deny) is an amazing tool that protects from: * duplicated crates (code bloat) * copy-left licenses in the dependency tree * RUSTSEC advisories In this case it discovered the duplication of 'jpeg-decoder' and 'miniz_oxide', both because of the 'tiff' crate. Until we can update the tiff crate and resolve those problem I opted to ignore these duplicated crated in the deny.toml file. Adding cargo-deny to the CI will prevent more dependency duplication, hence this unsolicited PR. --- .github/workflows/rust.yml | 5 ++++ deny.toml | 56 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 61 insertions(+) create mode 100644 deny.toml diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml index f32044a5a5..3310fad915 100644 --- a/.github/workflows/rust.yml +++ b/.github/workflows/rust.yml @@ -159,3 +159,8 @@ jobs: with: command: fmt args: -- --check + cargo-deny: + runs-on: ubuntu-20.04 + steps: + - uses: actions/checkout@v2 + - uses: EmbarkStudios/cargo-deny-action@v1 diff --git a/deny.toml b/deny.toml new file mode 100644 index 0000000000..f9cb89758f --- /dev/null +++ b/deny.toml 
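Review bot: Both `uses:` lines in the new cargo-deny job reference mutable tags (`actions/checkout@v2`, `EmbarkStudios/cargo-deny-action@v1`), so the job executes whatever those tags resolve to at run time, and a moved or compromised tag would run arbitrary code with the workflow's token — an odd gap for a job whose purpose is supply-chain hygiene. Pin each action to a full commit SHA and keep the version in a trailing comment, e.g. `- uses: EmbarkStudios/cargo-deny-action@<full-commit-sha> # v1`, and let Dependabot or Renovate bump the SHA. The job also inherits the default GITHUB_TOKEN scope; since it only needs to read the checkout, add `permissions:` / `contents: read` at the job level unless the workflow already restricts this at the top level, which is outside the hunk.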
@@ -0,0 +1,56 @@
+# https://embarkstudios.github.io/cargo-deny/
+
+targets = [
+ { triple = "aarch64-apple-darwin" },
+ { triple = "aarch64-linux-android" },
+ { triple = "x86_64-apple-darwin" },
+ { triple = "x86_64-pc-windows-msvc" },
+ { triple = "x86_64-unknown-linux-gnu" },
+ { triple = "x86_64-unknown-linux-musl" },
+]
+
+
+[advisories]
+vulnerability = "deny"
+unmaintained = "warn"
+yanked = "deny"
+ignore = []
+
+
+[bans]
+multiple-versions = "deny"
+wildcards = "allow" # at least until https://github.com/EmbarkStudios/cargo-deny/issues/241 is fixed
+deny = []
+skip = [
+ { name = "jpeg-decoder" }, # Duplicated by tiff crate; awaiting patch release: https://github.com/image-rs/image-tiff/pull/155
+ { name = "miniz_oxide" }, # Used by tiff/flate2; awaiting patch release: https://github.com/rust-lang/flate2-rs/pull/293
+]
+skip-tree = [
+ { name = "criterion" }, # dev-dependnecy
+]
+
+
+[licenses]
+unlicensed = "deny"
+allow-osi-fsf-free = "neither"
+confidence-threshold = 0.92 # We want really high confidence when inferring licenses from text
+copyleft = "deny"
+allow = [
+ # "Apache-2.0 WITH LLVM-exception", # https://spdx.org/licenses/LLVM-exception.html
+ "Apache-2.0", # https://tldrlegal.com/license/apache-license-2.0-(apache-2.0)
+ # "BSD-2-Clause", # https://tldrlegal.com/license/bsd-2-clause-license-(freebsd)
+ "BSD-3-Clause", # https://tldrlegal.com/license/bsd-3-clause-license-(revised)
+ "BSL-1.0", # https://tldrlegal.com/license/boost-software-license-1.0-explained
+ # "CC0-1.0", # https://creativecommons.org/publicdomain/zero/1.0/
+ # "ISC", # https://tldrlegal.com/license/-isc-license
+ "MIT", # https://tldrlegal.com/license/mit-license
+ # "MPL-2.0", # https://www.mozilla.org/en-US/MPL/2.0/FAQ/ - see Q11
+ # "OpenSSL", # https://www.openssl.org/source/license.html
+ "Zlib", # https://tldrlegal.com/license/zlib-libpng-license-(zlib)
+]
+
+[[licenses.clarify]]
+name = "exr"
+expression = "BSD-3-Clause"
+license-files = [{ path = "LICENSE.md",
hash = 0xf0600744 }] +# https://github.com/johannesvollmer/exrs/blob/master/LICENSE.md From 4d0e929d58e9c666ef93e9fafc9b7b94d5dfbc8a Mon Sep 17 00:00:00 2001 From: Emil Ernerfeldt Date: Tue, 12 Apr 2022 08:51:45 +0200 Subject: [PATCH 2/6] Remove exemptions for jpeg-decoder and miniz_oxide new versions of image-tiff and flate2 has been published --- deny.toml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/deny.toml b/deny.toml index f9cb89758f..d036a111b1 100644 --- a/deny.toml +++ b/deny.toml @@ -21,10 +21,7 @@ ignore = [] multiple-versions = "deny" wildcards = "allow" # at least until https://github.com/EmbarkStudios/cargo-deny/issues/241 is fixed deny = [] -skip = [ - { name = "jpeg-decoder" }, # Duplicated by tiff crate; awaiting patch release: https://github.com/image-rs/image-tiff/pull/155 - { name = "miniz_oxide" }, # Used by tiff/flate2; awaiting patch release: https://github.com/rust-lang/flate2-rs/pull/293 -] +skip = [] skip-tree = [ { name = "criterion" }, # dev-dependnecy ] From fec1d0286b3ef73e93253127d9b85e1ec7a979d3 Mon Sep 17 00:00:00 2001 From: Emil Ernerfeldt Date: Tue, 12 Apr 2022 08:51:53 +0200 Subject: [PATCH 3/6] Allow all licenses --- deny.toml | 26 +++----------------------- 1 file changed, 3 insertions(+), 23 deletions(-) diff --git a/deny.toml b/deny.toml index d036a111b1..ae6e3b6373 100644 --- a/deny.toml +++ b/deny.toml 
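Review bot: The new deny.toml configures `[advisories]`, `[bans]` and `[licenses]` but has no `[sources]` section, so a dependency pulled from a git URL or a non-crates.io registry is not rejected — as far as I recall cargo-deny's default for unknown sources is only a warning — and that is exactly the class of dependency the RUSTSEC database cannot cover. Add `[sources]` with `unknown-registry = "deny"` and `unknown-git = "deny"` so any future git or alternate-registry dependency has to be allow-listed explicitly in this file. A one-line comment above `ignore = []` stating the policy for entries (link to the advisory, reason it does not apply, condition for removal) would also help, since `vulnerability = "deny"` is only as strong as the discipline around that list.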
@@ -28,26 +28,6 @@ skip-tree = [ [licenses] -unlicensed = "deny" -allow-osi-fsf-free = "neither" -confidence-threshold = 0.92 # We want really high confidence when inferring licenses from text -copyleft = "deny" -allow = [ - # "Apache-2.0 WITH LLVM-exception", # https://spdx.org/licenses/LLVM-exception.html - "Apache-2.0", # https://tldrlegal.com/license/apache-license-2.0-(apache-2.0) - # "BSD-2-Clause", # https://tldrlegal.com/license/bsd-2-clause-license-(freebsd) - "BSD-3-Clause", # https://tldrlegal.com/license/bsd-3-clause-license-(revised) - "BSL-1.0", # https://tldrlegal.com/license/boost-software-license-1.0-explained - # "CC0-1.0", # https://creativecommons.org/publicdomain/zero/1.0/ - # "ISC", # https://tldrlegal.com/license/-isc-license - "MIT", # https://tldrlegal.com/license/mit-license - # "MPL-2.0", # https://www.mozilla.org/en-US/MPL/2.0/FAQ/ - see Q11 - # "OpenSSL", # https://www.openssl.org/source/license.html - "Zlib", # https://tldrlegal.com/license/zlib-libpng-license-(zlib) -] - -[[licenses.clarify]] -name = "exr" -expression = "BSD-3-Clause" -license-files = [{ path = "LICENSE.md", hash = 0xf0600744 }] -# https://github.com/johannesvollmer/exrs/blob/master/LICENSE.md +unlicensed = "allow" +allow-osi-fsf-free = "allow" +copyleft = "allow" From d9b1ead370e4075fbca19b8ce566a7276c15729f Mon Sep 17 00:00:00 2001 From: Emil Ernerfeldt Date: Tue, 12 Apr 2022 09:47:18 +0200 Subject: [PATCH 4/6] Ignore RUSTSEC:s related to chrono crate --- deny.toml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/deny.toml b/deny.toml index ae6e3b6373..99421c7b46 100644 --- a/deny.toml +++ b/deny.toml 
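Review bot: With `unlicensed = "allow"` and `copyleft = "allow"` the `[licenses]` section is effectively disabled: a crate with no license metadata or a copyleft dependency now passes CI silently, while the retained section header still suggests licenses are being vetted. If the intent is to stop failing the build on licenses rather than to stop looking at them, `unlicensed = "warn"` and `copyleft = "warn"` keep the findings visible in the cargo-deny output without blocking merges. Either way, a comment above the section should record why license enforcement was relaxed (and what the earlier allow-list was), so the next reader does not "fix" it back or assume the check is live.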
@@ -14,7 +14,10 @@ targets = [ vulnerability = "deny" unmaintained = "warn" yanked = "deny" -ignore = [] +ignore = [ + "RUSTSEC-2020-0071", # https://rustsec.org/advisories/RUSTSEC-2020-0071 - Potential segfault in the time crate. + "RUSTSEC-2020-0159", # https://rustsec.org/advisories/RUSTSEC-2020-0159 - Potential segfault in `localtime_r` invocations. +] [bans] From f23715edf7dbe37203966dcf58deb76954590c3b Mon Sep 17 00:00:00 2001 From: Emil Ernerfeldt Date: Tue, 12 Apr 2022 09:47:35 +0200 Subject: [PATCH 5/6] Ignore duplicated crates due to dev-dependency --- deny.toml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/deny.toml b/deny.toml index 99421c7b46..d8e028e7ac 100644 --- a/deny.toml +++ b/deny.toml @@ -26,7 +26,8 @@ wildcards = "allow" # at least until https://github.com/EmbarkStudios/cargo-deny deny = [] skip = [] skip-tree = [ - { name = "criterion" }, # dev-dependnecy + { name = "criterion" }, # dev-dependency + { name = "quickcheck" }, # dev-dependency ] From 3589d2cf7cca6f48014c3cea455500d0ffc209e7 Mon Sep 17 00:00:00 2001 From: Emil Ernerfeldt Date: Tue, 12 Apr 2022 09:48:40 +0200 Subject: [PATCH 6/6] fix typo in deny.toml --- deny.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deny.toml b/deny.toml index d8e028e7ac..84673e3572 100644 --- a/deny.toml +++ b/deny.toml @@ -33,5 +33,5 @@ skip-tree = [ [licenses] unlicensed = "allow" -allow-osi-fsf-free = "allow" +allow-osi-fsf-free = "either" copyleft = "allow"
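Review bot: The two new `ignore` entries suppress RUSTSEC-2020-0071 and RUSTSEC-2020-0159 by ID with no expiry condition, so they remain in effect regardless of which `time`/`chrono` versions end up in Cargo.lock, and the comments restate the advisory titles without saying why a potential segfault is acceptable for this project. Each entry should name the dependency path that drags the crate in and the condition for removal, e.g. `"RUSTSEC-2020-0159", # via chrono; only reachable if the process mutates env vars concurrently with localtime_r — drop once chrono ships a fix`. The "only reachable if" clause is my recollection of the advisory text, so confirm it against rustsec.org before relying on it; if the project does set environment variables at runtime, the ignore is not justified.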
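Review bot: `skip-tree` for `quickcheck` (like the existing `criterion` entry) exempts the crate and its entire transitive dependency tree from `multiple-versions = "deny"`, and without a `version` field the exemption applies to every release of those crates indefinitely, so duplicates introduced by a later bump will never be noticed. If the duplication comes from a specific release, pin it — `{ name = "quickcheck", version = "<the version in Cargo.lock>" }` — so the next upgrade re-surfaces the check; cargo-deny also accepts a `depth` field on skip-tree entries to limit how far down the tree the exemption reaches. Dev-dependencies still build and execute in CI, so the comment should state the actual rationale, e.g. `# dev-dependency: duplicates tolerated because this tree never ships in the binary`, rather than just the category.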