This PR deprecates several fields which will be removed in a future update. I'll explain in detail why below, but the TLDR is that cargo-deny surfaces several configuration options that were added because we _could_, but not necessarily because they are useful in practice.

## Licenses

### [`deny`](https://embarkstudios.github.io/cargo-deny/checks/licenses/cfg.html#the-allow-and-deny-fields-optional)

This field was only added for consistency with `[bans]` but makes no sense for `[licenses]`: if a license you don't explicitly allow is used, it is implicitly denied.

### [`copyleft`](https://embarkstudios.github.io/cargo-deny/checks/licenses/cfg.html#the-copyleft-field-optional)

There is no reason to treat these differently from any other license; if it's not explicitly allowed it should be denied, and it just adds confusion due to the terrible default.

See: #602
See: #354

### [`allow-osi-fsf-free`](https://embarkstudios.github.io/cargo-deny/checks/licenses/cfg.html#the-allow-osi-fsf-free-field-optional)

Similarly to copyleft, this field just makes no sense and was only added because the SPDX metadata allowed us to query this information.

### [`default`](https://embarkstudios.github.io/cargo-deny/checks/licenses/cfg.html#the-default-field-optional)

This was added so that users could just ignore/warn all their dependencies not following the set of allowed licenses, but there just isn't much value in it. Even in large projects with literally hundreds of external dependencies, the set of licenses that need to be allowed is relatively small compared to the total set of licenses in SPDX, due to the Rust ecosystem generally using only a handful of licenses, with rare exceptions.

### [`unlicensed`](https://embarkstudios.github.io/cargo-deny/checks/licenses/cfg.html#the-unlicensed-field-optional)

Crates that don't specify a license via `[package.license/license-file]` or have a license file in their package source are incredibly rare, and there is already a [mechanism](https://embarkstudios.github.io/cargo-deny/checks/licenses/cfg.html#the-clarify-field-optional) to provide/override license information for those rare crates.

## Advisories

### Blanket

- [`vulnerability`](https://embarkstudios.github.io/cargo-deny/checks/advisories/cfg.html#the-vulnerability-field-optional)
- [`unmaintained`](https://embarkstudios.github.io/cargo-deny/checks/advisories/cfg.html#the-unmaintained-field-optional)
- [`unsound`](https://embarkstudios.github.io/cargo-deny/checks/advisories/cfg.html#the-unsound-field-optional)
- [`notice`](https://embarkstudios.github.io/cargo-deny/checks/advisories/cfg.html#the-notice-field-optional)

There's no need to blanket handle any of these specific advisory types; there just aren't enough advisories (currently, this could change in the future) that a typical workspace will encounter that they can't be handled explicitly via `ignore`.

See: #449

### [`severity-threshold`](https://embarkstudios.github.io/cargo-deny/checks/advisories/cfg.html#the-severity-threshold-field-optional)

This optional field is available in rustsec advisories, but provides no real value as it's just flavor on top of a reported vulnerability; it doesn't fundamentally change that it is a vulnerability, which can either be ignored or, better yet, updated to a version without the vulnerability.
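As an added migration example for this page (it is not part of this commit or of the cargo-deny repository; the crate name `example-unlicensed-crate`, the license list, the `hash` value and the `RUSTSEC-0000-0000` id are placeholders), here is a `deny.toml` that shows each deprecated key next to the configuration that replaces it. The deprecated keys are kept as comments so the before/after reads in one file:

```toml
# deny.toml: moving off the keys this commit deprecates.
# Added example, not a file from the cargo-deny repository. The crate name,
# license list, hash and RUSTSEC id below are placeholders.

[licenses]
# Deprecated keys, left here only for comparison. Delete them: with this
# commit the behaviour they configured is the only behaviour that remains.
# deny = ["GPL-3.0"]            # anything not in `allow` is already denied
# copyleft = "warn"             # copyleft licenses are no longer a special case
# allow-osi-fsf-free = "either" # OSI/FSF status is no longer a special case
# default = "deny"              # "deny" is now the only default
# unlicensed = "deny"           # "deny" is now the only default

# The allow list is the whole policy: a crate whose license expression is not
# satisfied by this list fails the check. Keep it to what you have reviewed.
allow = [
  "MIT",
  "Apache-2.0",
  "BSD-3-Clause",
  "Unicode-DFS-2016",
]

# A crate with no `license` field, or whose LICENSE file cargo-deny cannot
# identify, is handled per crate with `clarify` instead of a blanket
# `unlicensed` policy. `example-unlicensed-crate` is a placeholder name and
# the hash is a placeholder: cargo-deny checks it against the file contents,
# so use the value it reports for the real file.
[[licenses.clarify]]
name = "example-unlicensed-crate"
expression = "MIT"
license-files = [{ path = "LICENSE", hash = 0x00000000 }]

[advisories]
# Deprecated keys, left here only for comparison. Delete them: every advisory
# type is an error unless the specific advisory is listed in `ignore`.
# vulnerability = "deny"
# unmaintained = "warn"
# unsound = "warn"
# notice = "warn"
# severity-threshold = "medium"

# Handle each advisory explicitly. The preferred fix is to upgrade to a
# version without the advisory; ignoring is the fallback and should carry
# a reason in the surrounding comment. RUSTSEC-0000-0000 is a placeholder id.
ignore = [
  "RUSTSEC-0000-0000",
]

# `yanked` is not deprecated by this commit and keeps its own lint level.
yanked = "warn"
```

Running `cargo deny check` against a config that still contains the commented-out keys (uncommented) is what produces the `warning[deprecated]` diagnostics in this commit's snapshot; the checks still run with the configured values until the keys are removed in a later release.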
1 parent 3b13cc9, commit 800c768
Showing 9 changed files with 324 additions and 115 deletions.
44 changes: 44 additions & 0 deletions
...dvisories/snapshots/cargo_deny__advisories__cfg__test__deserializes_advisories_cfg-2.snap
@@ -0,0 +1,44 @@ | ||
--- | ||
source: src/advisories/cfg.rs | ||
expression: validated | ||
--- | ||
{ | ||
"file_id": 1, | ||
"db_path": "~/.cargo/advisory-dbs", | ||
"db_urls": [ | ||
"https://github.com/RustSec/advisory-db" | ||
], | ||
"ignore": [ | ||
"RUSTSEC-0000-0000" | ||
], | ||
"ignore_yanked": [ | ||
{ | ||
"spec": { | ||
"name": "crate", | ||
"version-req": "=0.1" | ||
}, | ||
"reason": null, | ||
"use-instead": null | ||
}, | ||
{ | ||
"spec": { | ||
"name": "yanked", | ||
"version-req": null | ||
}, | ||
"reason": "a new version has not been released", | ||
"use-instead": null | ||
} | ||
], | ||
"vulnerability": "deny", | ||
"unmaintained": "warn", | ||
"unsound": "warn", | ||
"yanked": "warn", | ||
"notice": "warn", | ||
"severity_threshold": "medium", | ||
"git_fetch_with_cli": false, | ||
"disable_yank_checking": false, | ||
"maximum_db_staleness": [ | ||
466560000, | ||
0 | ||
] | ||
} |
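Review bot: the `validated` output now lives in the auto-numbered `…deserializes_advisories_cfg-2.snap` while the base-named file is repurposed for `diags`, which makes it hard to tell from the filename which assertion each snapshot belongs to; consider giving both snapshots explicit names in `src/advisories/cfg.rs` (insta's `assert_json_snapshot!` and `assert_snapshot!` accept a name as the first argument) so the file names read `…validated.snap` and `…diags.snap` instead of the `-2` suffix. Worth recording in the PR description too: this snapshot still contains `"vulnerability": "deny"`, `"unmaintained": "warn"`, `"unsound": "warn"`, `"notice": "warn"` and `"severity_threshold": "medium"`, so the deprecated keys are still deserialized with their configured values and this commit only warns, it does not yet change what the check does.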
73 changes: 32 additions & 41 deletions
src/advisories/snapshots/cargo_deny__advisories__cfg__test__deserializes_advisories_cfg.snap
@@ -1,44 +1,35 @@ | ||
--- | ||
source: src/advisories/cfg.rs | ||
expression: validated | ||
expression: diags | ||
--- | ||
{ | ||
"file_id": 1, | ||
"db_path": "~/.cargo/advisory-dbs", | ||
"db_urls": [ | ||
"https://github.com/RustSec/advisory-db" | ||
], | ||
"ignore": [ | ||
"RUSTSEC-0000-0000" | ||
], | ||
"ignore_yanked": [ | ||
{ | ||
"spec": { | ||
"name": "crate", | ||
"version-req": "=0.1" | ||
}, | ||
"reason": null, | ||
"use-instead": null | ||
}, | ||
{ | ||
"spec": { | ||
"name": "yanked", | ||
"version-req": null | ||
}, | ||
"reason": "a new version has not been released", | ||
"use-instead": null | ||
} | ||
], | ||
"vulnerability": "deny", | ||
"unmaintained": "warn", | ||
"unsound": "warn", | ||
"yanked": "warn", | ||
"notice": "warn", | ||
"severity_threshold": "medium", | ||
"git_fetch_with_cli": false, | ||
"disable_yank_checking": false, | ||
"maximum_db_staleness": [ | ||
466560000, | ||
0 | ||
] | ||
} | ||
warning[deprecated]: this key will be removed in a future update, see https://github.com/EmbarkStudios/cargo-deny/pull/606 for details | ||
┌─ tests/cfg/advisories.toml:4:1 | ||
│ | ||
4 │ vulnerability = "deny" | ||
│ ^^^^^^^^^^^^^ | ||
|
||
warning[deprecated]: this key will be removed in a future update, see https://github.com/EmbarkStudios/cargo-deny/pull/606 for details | ||
┌─ tests/cfg/advisories.toml:5:1 | ||
│ | ||
5 │ unmaintained = "warn" | ||
│ ^^^^^^^^^^^^ | ||
|
||
warning[deprecated]: this key will be removed in a future update, see https://github.com/EmbarkStudios/cargo-deny/pull/606 for details | ||
┌─ tests/cfg/advisories.toml:6:1 | ||
│ | ||
6 │ unsound = "warn" | ||
│ ^^^^^^^ | ||
|
||
warning[deprecated]: this key will be removed in a future update, see https://github.com/EmbarkStudios/cargo-deny/pull/606 for details | ||
┌─ tests/cfg/advisories.toml:8:1 | ||
│ | ||
8 │ notice = "warn" | ||
│ ^^^^^^ | ||
|
||
warning[deprecated]: this key will be removed in a future update, see https://github.com/EmbarkStudios/cargo-deny/pull/606 for details | ||
┌─ tests/cfg/advisories.toml:14:1 | ||
│ | ||
14 │ severity-threshold = "medium" | ||
│ ^^^^^^^^^^^^^^^^^^ | ||
|
||
|
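Review bot: each `warning[deprecated]` at `tests/cfg/advisories.toml:4:1`, `:5:1`, `:6:1`, `:8:1` and `:14:1` tells the user only that the key will be removed and links to PR #606, so someone reading CI output has to follow the link to learn what to do; suggest adding a secondary label or note with the migration hint (for `vulnerability`, `unmaintained`, `unsound` and `notice`: delete the key, every advisory is an error unless listed in `ignore`; for `severity-threshold`: delete it and either ignore the advisory or upgrade), and pointing at the field's documentation anchor (the `embarkstudios.github.io/cargo-deny/checks/advisories/cfg.html#…` links the commit message uses) instead of, or alongside, the PR URL, since a PR thread ages worse than the book. No deprecation is emitted for `yanked`, which matches the intent of leaving that key supported.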