Setup cargo-deny

.devcontainer/install-dependencies.sh

@@ -5,7 +5,7 @@ set -eux
 # Note that this script runs as user 'vscode' during devcontainer setup.
 
 # Rust global tools, needed to run CI scripts
-"$HOME/.cargo/bin/cargo" install cargo-audit cargo-[email protected] cargo-llvm-cov
+"$HOME/.cargo/bin/cargo" install [email protected] cargo-llvm-cov cargo-deny
 "$HOME/.cargo/bin/rustup" component add llvm-tools-preview
 
 # NPM global tools

.github/workflows/ci.yml

@@ -18,7 +18,7 @@ env:
   CARGO_TERM_COLOR: always
   SCCACHE_DIR: ${{github.workspace}}/sccache/
   SCCACHE_CACHE_SIZE: 1G
-  ACTIONS_CACHE_KEY_DATE: 2022-10-28-01
+  ACTIONS_CACHE_KEY_DATE: 2022-11-21-02
   CI: true
   DOTNET_VERSION: 7.0.x
 

src/agent/dynamic-library/Cargo.toml

@@ -2,6 +2,7 @@
 name = "dynamic-library"
 version = "0.1.0"
 edition = "2021"
+license = "MIT"
 
 [dependencies]
 anyhow = "1.0"
@@ -26,7 +27,7 @@ features = [
     "shellapi",
     "werapi",
     "winbase",
-    "winerror"
+    "winerror",
 ]
 
 [[bin]]

src/agent/onefuzz-agent/Cargo.toml

@@ -4,6 +4,7 @@ version = "0.1.0"
 authors = ["[email protected]"]
 edition = "2018"
 publish = false
+license = "MIT"
 
 [dependencies]
 anyhow = { version = "1.0", features = ["backtrace"] }
@@ -13,7 +14,11 @@ env_logger = "0.9"
 futures = "0.3"
 log = "0.4"
 onefuzz = { path = "../onefuzz" }
-reqwest = { version = "0.11", features = ["json", "stream", "native-tls-vendored"], default-features = false}
+reqwest = { version = "0.11", features = [
+    "json",
+    "stream",
+    "native-tls-vendored",
+], default-features = false }
 serde = { version = "1.0", features = ["derive"] }
 serde_json = "1.0"
 storage-queue = { path = "../storage-queue" }

src/agent/stacktrace-parser/Cargo.toml

@@ -3,6 +3,7 @@ name = "stacktrace-parser"
 version = "0.1.0"
 authors = ["<[email protected]>"]
 edition = "2018"
+license = "MIT"
 
 [dependencies]
 anyhow = "1.0"

src/ci/agent.sh

@@ -37,7 +37,7 @@ cd src/agent
 
 rustc --version
 cargo --version
-cargo audit --version
+cargo deny --version
 cargo clippy --version
 cargo fmt --version
 cargo license --version
@@ -48,9 +48,7 @@ if [ X${CARGO_INCREMENTAL} == X ]; then
 fi
 
 cargo fmt -- --check
-# RUSTSEC-2022-0048: xml-rs is unmaintained
-# RUSTSEC-2021-0139: ansi_term is unmaintained
-cargo audit --deny warnings --deny unmaintained --deny unsound --deny yanked --ignore RUSTSEC-2022-0048 --ignore RUSTSEC-2021-0139
+cargo deny -L error check
 cargo license -j > data/licenses.json
 cargo build --release --locked
 cargo clippy --release --locked --all-targets -- -D warnings

src/ci/proxy.sh

@@ -12,13 +12,11 @@ mkdir -p artifacts/proxy
 cd src/proxy-manager
 cargo fmt -- --check
 cargo clippy --release --all-targets -- -D warnings
-# RUSTSEC-2022-0048: xml-rs is unmaintained
-# RUSTSEC-2021-0139: ansi_term is unmaintained
-cargo audit --deny warnings --deny unmaintained --deny unsound --deny yanked --ignore RUSTSEC-2022-0048 --ignore RUSTSEC-2021-0139
+cargo deny -L error check
 cargo license -j > data/licenses.json
 cargo build --release --locked
 # export RUST_LOG=trace
 export RUST_BACKTRACE=full
-cargo test --release
+cargo test --release --locked
 
 cp target/release/onefuzz-proxy-manager ../../artifacts/proxy

src/ci/rust-prereqs.sh

@@ -11,7 +11,7 @@ fi
 # sccache --start-server
 # export RUSTC_WRAPPER=$(which sccache)
 
-cargo install cargo-audit cargo-llvm-cov
+cargo install cargo-llvm-cov cargo-deny
 
 if ! cargo license --help; then
     cargo install [email protected]

src/deny.toml

@@ -0,0 +1,30 @@
+[licenses]
+allow = [
+    "Apache-2.0 WITH LLVM-exception",
+    "Apache-2.0",
+    "BSD-3-Clause",
+    "CC0-1.0",
+    "ISC",
+    "MIT",
+    "Zlib",
+]
+
+[advisories]
+vulnerability = "deny"
+unmaintained = "deny"
+unsound = "deny"
+yanked = "deny"
+ignore = [
+    "RUSTSEC-2022-0048", # xml-rs is unmaintained
+    "RUSTSEC-2021-0139", # ansi_term is unmaintained
+]
+
+[bans]
+
+# disallow rustls; we must use OpenSSL
+[[bans.deny]]
+name = "rustls"
+
+# disallow ring; unapproved crypto
+[[bans.deny]]
+name = "ring"