chore(deps): Add deny.yaml and a cargo deny CI job to check dependencies for vulnerabilities

iamjpotts · iamjpotts · commit c0f6b8594428 · 2024-01-23T07:51:49.000-06:00
Signed-off-by: Joshua Potts &lt;8704475+iamjpotts@users.noreply.github.com&gt;
diff --git a/.github/workflows/sqlx.yml b/.github/workflows/sqlx.yml
@@ -8,6 +8,13 @@ on:
       - '*-dev'
 
 jobs:
+  deny:
+    name: Cargo Deny
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: EmbarkStudios/cargo-deny-action@v1
+
   format:
     name: Format
     runs-on: ubuntu-20.04
diff --git a/.gitignore b/.gitignore
@@ -17,3 +17,6 @@ target/
 # Integration testing extension library for SQLite.
 ipaddr.dylib
 ipaddr.so
+
+# Temporary files from running the tests locally like they would be run from CI
+.sqlx
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -161,7 +161,7 @@ sqlx-sqlite = { workspace = true, optional = true }
 anyhow = "1.0.52"
 time_ = { version = "0.3.2", package = "time" }
 futures = "0.3.19"
-env_logger = "0.9.0"
+env_logger = "0.11"
 async-std = { version = "1.12.0", features = ["attributes"] }
 tokio = { version = "1.15.0", features = ["full"] }
 dotenvy = "0.15.0"
@@ -175,7 +175,7 @@ rand = "0.8.4"
 rand_xoshiro = "0.6.0"
 hex = "0.4.3"
 tempfile = "3.9.0"
-criterion = {version = "0.4", features = ["async_tokio"]}
+criterion = { version = "0.5", features = ["async_tokio"] }
 
 # Needed to test SQLCipher
 libsqlite3-sys = { version = "0.27", features = ["bundled-sqlcipher"] }
diff --git a/deny.toml b/deny.toml
@@ -0,0 +1,67 @@
+[advisories]
+ignore = [
+    # No upgrade available for rsa 0.9.4, a direct dependency of sqlx-mysql
+    "RUSTSEC-2023-0071",
+]
+notice = "deny"
+unmaintained = "deny"
+vulnerability = "deny"
+yanked = "deny"
+
+[licenses]
+allow = [
+    "Apache-2.0",
+    "BSD-2-Clause",
+    "BSD-3-Clause",
+    "ISC",
+    "MIT",
+    "MPL-2.0",
+    "OpenSSL",
+    "Unicode-DFS-2016",
+    "Zlib",
+]
+default = "deny"
+confidence-threshold = 0.9
+unlicensed = "deny"
+
+[[licenses.clarify]]
+name = "ring"
+expression = "MIT AND ISC AND OpenSSL"
+license-files = [
+    { path = "LICENSE", hash = 0xbd0eed23 }
+]
+
+[bans]
+allow = []
+deny = []
+multiple-versions = "deny"
+skip = [
+    # async-std 1.12 uses two versions - this older version directly, and a newer verison transitively.
+    { name = "async-channel", version = "=1.9.0" },
+    # native-tls 0.2.11 has this older version as a transitive dependency
+    { name = "spin", version = "=0.5.2" },
+    # criterion 0.5.1 uses this older version of itertools
+    { name = "itertools", version = "=0.10.5" },
+    # syn 2.0 has not been adopted by many crates using syn 1.x due to difficult breaking changes
+    { name = "syn", version = "<2" },
+]
+skip-tree = [
+    # async-std 1.12 uses two versions - this older version directly, and a newer verison transitively.
+    { name = "async-io", version = "=1.13.0" },
+]
+
+# Warn, rather than deny, due to sqlx crates not referencing each other by a specific version
+wildcards = "warn"
+
+[sources]
+allow-git = []
+allow-registry = [
+    "https://github.com/rust-lang/crates.io-index"
+]
+unknown-git = "deny"
+unknown-registry = "deny"
+
+[sources.allow-org]
+bitbucket = []
+github = []
+gitlab = []
diff --git a/sqlx-test/Cargo.toml b/sqlx-test/Cargo.toml
@@ -2,11 +2,12 @@
 name = "sqlx-test"
 version = "0.1.0"
 edition = "2021"
+license = "MIT OR Apache-2.0"
 publish = false
 
 [dependencies]
 sqlx = { default-features = false, path = ".." }
-env_logger = "0.9.0"
+env_logger = "0.11"
 dotenvy = "0.15.0"
 anyhow = "1.0.26"
 async-std = { version = "1.8.0", features = [ "attributes" ] }
