Server: add automatic security auditing for PR/main. (#285)

tasn · web-flow · commit eec98bef20df · 2022-05-10T14:56:22.000-04:00
Adds security and license auditing via cargo-deny.
diff --git a/.github/workflows/server-security.yml b/.github/workflows/server-security.yml
@@ -0,0 +1,22 @@
+name: Server Security
+
+on:
+  push:
+    branches:
+    - main
+    paths:
+      - '**/Cargo.toml'
+      - '**/Cargo.lock'
+  pull_request:
+    paths:
+      - '**/Cargo.toml'
+      - '**/Cargo.lock'
+
+jobs:
+  security_audit:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: EmbarkStudios/cargo-deny-action@v1
+        with:
+            arguments: --manifest-path=server/Cargo.toml
diff --git a/deny.toml b/deny.toml
@@ -0,0 +1,79 @@
+targets = [
+    { triple = "x86_64-pc-windows-gnu" },
+    { triple = "x86_64-unknown-linux-musl" },
+    { triple = "x86_64-apple-darwin" },
+    { triple = "aarch64-apple-darwin" },
+]
+
+[advisories]
+db-path = "~/.cargo/advisory-db"
+db-urls = ["https://github.com/rustsec/advisory-db"]
+vulnerability = "deny"
+unmaintained = "warn"
+yanked = "deny"
+notice = "warn"
+ignore = [
+    # TODO: Update `time` crate when possible. Old versions are currently required for `sqlx` and
+    # `sea-orm`
+    "RUSTSEC-2020-0071",
+
+	# TODO: Eliminate `chrono` crate when `time` update is possible.
+    "RUSTSEC-2020-0159",
+]
+
+[licenses]
+unlicensed = "deny"
+allow = [
+    "Apache-2.0",
+    "BSD-2-Clause",
+    "BSD-3-Clause",
+	"ISC",
+    "MIT",
+	"MPL-2.0",
+    "OpenSSL",
+]
+deny = []
+copyleft = "deny"
+allow-osi-fsf-free = "neither"
+default = "deny"
+confidence-threshold = 0.8
+exceptions = [
+    #{ allow = ["Zlib"], name = "adler32", version = "*" },
+]
+
+[[licenses.clarify]]
+name = "ring"
+version = "*"
+expression = "MIT AND ISC AND OpenSSL"
+license-files = [
+    { path = "LICENSE", hash = 0xbd0eed23 }
+]
+
+[[licenses.clarify]]
+name = "encoding_rs"
+version = "0.8.30"
+expression = "MIT OR Apache-2.0"
+license-files = [
+    { path = "COPYRIGHT", hash = 0x39f8ad31 }
+]
+
+# TODO: Include internal crates
+[licenses.private]
+ignore = false
+registries = []
+
+[bans]
+multiple-versions = "warn"
+wildcards = "allow"
+highlight = "all"
+allow = []
+deny = []
+skip = []
+skip-tree = []
+
+[sources]
+unknown-registry = "warn"
+unknown-git = "warn"
+allow-registry = ["https://github.com/rust-lang/crates.io-index"]
+allow-git = []
+
diff --git a/server/svix-server/Cargo.toml b/server/svix-server/Cargo.toml
@@ -31,7 +31,7 @@ serde_urlencoded = "0.7.1"
 serde_path_to_error = "0.1.7"
 num_enum = "0.5.6"
 enum_dispatch = "0.3.8"
-regex = "1.5.4"
+regex = "1.5.5"
 lazy_static = "1.4.0"
 figment = { version = "0.10", features = ["toml", "env"] }
 tracing = "0.1.29"
diff --git a/server/svix-server_derive/Cargo.toml b/server/svix-server_derive/Cargo.toml
@@ -3,6 +3,7 @@ name = "svix-server_derive"
 version = "0.1.0"
 edition = "2021"
 publish = false
+license = "MIT"
 
 [lib]
 proc-macro = true
