Setup cargo-deny (#2638)

Porges · web-flow · commit 04d39a3f28ab · 2022-11-21T08:23:20.000-05:00
Using [`cargo-deny`](https://embarkstudios.github.io/cargo-deny/) to ensure that disallowed dependencies removed in #2423 do not accidentally make their way back in. `cargo-deny` subsumes the `cargo-audit` functionality, so switch to the `cargo-deny` version. Setting this up required explicitly stating the license which was not in some of our `Cargo.toml` files.
diff --git a/.devcontainer/install-dependencies.sh b/.devcontainer/install-dependencies.sh
@@ -5,7 +5,7 @@ set -eux
 # Note that this script runs as user 'vscode' during devcontainer setup.
 
 # Rust global tools, needed to run CI scripts
-"$HOME/.cargo/bin/cargo" install cargo-audit cargo-license@0.4.2 cargo-llvm-cov
+"$HOME/.cargo/bin/cargo" install cargo-license@0.4.2 cargo-llvm-cov cargo-deny
 "$HOME/.cargo/bin/rustup" component add llvm-tools-preview
 
 # NPM global tools
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -18,7 +18,7 @@ env:
   CARGO_TERM_COLOR: always
   SCCACHE_DIR: ${{github.workspace}}/sccache/
   SCCACHE_CACHE_SIZE: 1G
-  ACTIONS_CACHE_KEY_DATE: 2022-10-28-01
+  ACTIONS_CACHE_KEY_DATE: 2022-11-21-02
   CI: true
   DOTNET_VERSION: 7.0.x
 
diff --git a/src/agent/dynamic-library/Cargo.toml b/src/agent/dynamic-library/Cargo.toml
@@ -2,6 +2,7 @@
 name = "dynamic-library"
 version = "0.1.0"
 edition = "2021"
+license = "MIT"
 
 [dependencies]
 anyhow = "1.0"
@@ -26,7 +27,7 @@ features = [
     "shellapi",
     "werapi",
     "winbase",
-    "winerror"
+    "winerror",
 ]
 
 [[bin]]
diff --git a/src/agent/onefuzz-agent/Cargo.toml b/src/agent/onefuzz-agent/Cargo.toml
@@ -4,6 +4,7 @@ version = "0.1.0"
 authors = ["fuzzing@microsoft.com"]
 edition = "2018"
 publish = false
+license = "MIT"
 
 [dependencies]
 anyhow = { version = "1.0", features = ["backtrace"] }
@@ -13,7 +14,11 @@ env_logger = "0.9"
 futures = "0.3"
 log = "0.4"
 onefuzz = { path = "../onefuzz" }
-reqwest = { version = "0.11", features = ["json", "stream", "native-tls-vendored"], default-features = false}
+reqwest = { version = "0.11", features = [
+    "json",
+    "stream",
+    "native-tls-vendored",
+], default-features = false }
 serde = { version = "1.0", features = ["derive"] }
 serde_json = "1.0"
 storage-queue = { path = "../storage-queue" }
diff --git a/src/agent/stacktrace-parser/Cargo.toml b/src/agent/stacktrace-parser/Cargo.toml
@@ -3,6 +3,7 @@ name = "stacktrace-parser"
 version = "0.1.0"
 authors = ["<fuzzing@microsoft.com>"]
 edition = "2018"
+license = "MIT"
 
 [dependencies]
 anyhow = "1.0"
diff --git a/src/ci/agent.sh b/src/ci/agent.sh
@@ -37,7 +37,7 @@ cd src/agent
 
 rustc --version
 cargo --version
-cargo audit --version
+cargo deny --version
 cargo clippy --version
 cargo fmt --version
 cargo license --version
@@ -48,9 +48,7 @@ if [ X${CARGO_INCREMENTAL} == X ]; then
 fi
 
 cargo fmt -- --check
-# RUSTSEC-2022-0048: xml-rs is unmaintained
-# RUSTSEC-2021-0139: ansi_term is unmaintained
-cargo audit --deny warnings --deny unmaintained --deny unsound --deny yanked --ignore RUSTSEC-2022-0048 --ignore RUSTSEC-2021-0139
+cargo deny -L error check
 cargo license -j > data/licenses.json
 cargo build --release --locked
 cargo clippy --release --locked --all-targets -- -D warnings
diff --git a/src/ci/proxy.sh b/src/ci/proxy.sh
@@ -12,13 +12,11 @@ mkdir -p artifacts/proxy
 cd src/proxy-manager
 cargo fmt -- --check
 cargo clippy --release --all-targets -- -D warnings
-# RUSTSEC-2022-0048: xml-rs is unmaintained
-# RUSTSEC-2021-0139: ansi_term is unmaintained
-cargo audit --deny warnings --deny unmaintained --deny unsound --deny yanked --ignore RUSTSEC-2022-0048 --ignore RUSTSEC-2021-0139
+cargo deny -L error check
 cargo license -j > data/licenses.json
 cargo build --release --locked
 # export RUST_LOG=trace
 export RUST_BACKTRACE=full
-cargo test --release
+cargo test --release --locked
 
 cp target/release/onefuzz-proxy-manager ../../artifacts/proxy
diff --git a/src/ci/rust-prereqs.sh b/src/ci/rust-prereqs.sh
@@ -11,7 +11,7 @@ fi
 # sccache --start-server
 # export RUSTC_WRAPPER=$(which sccache)
 
-cargo install cargo-audit cargo-llvm-cov
+cargo install cargo-llvm-cov cargo-deny
 
 if ! cargo license --help; then
     cargo install cargo-license@0.4.2
diff --git a/src/deny.toml b/src/deny.toml
@@ -0,0 +1,30 @@
+[licenses]
+allow = [
+    "Apache-2.0 WITH LLVM-exception",
+    "Apache-2.0",
+    "BSD-3-Clause",
+    "CC0-1.0",
+    "ISC",
+    "MIT",
+    "Zlib",
+]
+
+[advisories]
+vulnerability = "deny"
+unmaintained = "deny"
+unsound = "deny"
+yanked = "deny"
+ignore = [
+    "RUSTSEC-2022-0048", # xml-rs is unmaintained
+    "RUSTSEC-2021-0139", # ansi_term is unmaintained
+]
+
+[bans]
+
+# disallow rustls; we must use OpenSSL
+[[bans.deny]]
+name = "rustls"
+
+# disallow ring; unapproved crypto
+[[bans.deny]]
+name = "ring"
diff --git a/src/proxy-manager/Cargo.lock b/src/proxy-manager/Cargo.lock
