Add cargo deny to check dependency supply chain

biopragmatics · Dec 22, 2023 · f9b6841 · f9b6841
1 parent f8536bb
commit f9b6841
Show file tree

Hide file tree

Showing 3 changed files with 133 additions and 3 deletions.
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -16,14 +16,26 @@ repos:
         name: 🪚 Fix end of files
     -   id: trailing-whitespace
         name: ✂️  Trim trailing whitespaces
+-   repo: https://github.com/crate-ci/typos
+    rev: v1.16.25
+    hooks:
+    -   id: typos
+        name: ✒️  Check typos
+        # exclude: ^CHANGELOG.md$
+
 -   repo: local
     hooks:
-      - id: rustfmt
-        name: 🦀 Format Rust files
+    -   id: rustfmt
+        name: 🧹 Format Rust files
         description: Check if all files follow the rustfmt style
         entry: cargo fmt
         language: system
         pass_filenames: false
+    -   id: deny
+        name: ❌ Check dependencies
+        entry: cargo deny check
+        language: system
+        pass_filenames: false
 ci:
     autofix_commit_msg: 🎨 [pre-commit.ci] Auto format from pre-commit.com hooks
     autoupdate_commit_msg: ⬆ [pre-commit.ci] pre-commit autoupdate
diff --git a/deny.toml b/deny.toml
@@ -0,0 +1,110 @@
+# https://embarkstudios.github.io/cargo-deny
+
+targets = []
+#exclude = []
+all-features = false
+no-default-features = false
+#features = []
+feature-depth = 1
+
+# https://embarkstudios.github.io/cargo-deny/checks/advisories/cfg.html
+[advisories]
+db-path = "~/.cargo/advisory-db"
+db-urls = ["https://github.com/rustsec/advisory-db"]
+vulnerability = "deny"
+unmaintained = "warn"
+yanked = "warn"
+notice = "warn"
+ignore = [
+    #"RUSTSEC-0000-0000",
+]
+# Threshold for security vulnerabilities:
+# * None - CVSS Score 0.0
+# * Low - CVSS Score 0.1 - 3.9
+# * Medium - CVSS Score 4.0 - 6.9
+# * High - CVSS Score 7.0 - 8.9
+# * Critical - CVSS Score 9.0 - 10.0
+#severity-threshold =
+
+# https://embarkstudios.github.io/cargo-deny/checks/licenses/cfg.html
+[licenses]
+unlicensed = "deny"
+# See https://spdx.org/licenses/ for list of possible licenses
+allow = [
+    #"MIT",
+    #"Apache-2.0 WITH LLVM-exception",
+]
+deny = [
+    #"Nokia",
+]
+copyleft = "warn"
+# Blanket approval or denial for OSI-approved or FSF Free/Libre licenses
+# * both - The license will be approved if it is both OSI-approved *AND* FSF
+# * either - The license will be approved if it is either OSI-approved *OR* FSF
+allow-osi-fsf-free = "either"
+# Lint level used when no other predicates are matched
+# 1. License isn't in the allow or deny lists
+# 2. License isn't copyleft
+# 3. License isn't OSI/FSF, or allow-osi-fsf-free = "neither"
+default = "deny"
+# The confidence threshold for detecting a license from license text.
+# [possible values: any between 0.0 and 1.0].
+confidence-threshold = 0.8
+exceptions = [
+    # Each entry is the crate and version constraint, and its specific allow
+    # list
+    #{ allow = ["Zlib"], name = "adler32", version = "*" },
+]
+
+[licenses.private]
+# If true, ignores workspace crates that aren't published https://doc.rust-lang.org/cargo/reference/manifest.html#the-publish-field.
+ignore = false
+registries = [
+    #"https://sekretz.com/registry
+]
+
+# https://embarkstudios.github.io/cargo-deny/checks/bans/cfg.html
+[bans]
+multiple-versions = "warn"
+wildcards = "allow"
+# The graph highlighting used when creating dotgraphs for crates with multiple versions
+# * lowest-version - The path to the lowest versioned duplicate is highlighted
+# * simplest-path - The path to the version with the fewest edges is highlighted
+# * all - Both lowest-version and simplest-path are used
+highlight = "all"
+workspace-default-features = "allow"
+external-default-features = "allow"
+allow = [
+    #{ name = "ansi_term", version = "=0.11.0" },
+]
+deny = [
+    # Each entry the name of a crate and a version range. If version is
+    # not specified, all versions will be matched.
+    #{ name = "ansi_term", version = "=0.11.0" },
+]
+
+# Certain crates/versions that will be skipped when doing duplicate detection.
+skip = [
+    #{ name = "ansi_term", version = "=0.11.0" },
+]
+# Similarly to `skip` allows you to skip certain crates during duplicate
+# detection. Also includes the entire tree of transitive dependencies
+skip-tree = [
+    #{ name = "ansi_term", version = "=0.11.0", depth = 20 },
+]
+
+# https://embarkstudios.github.io/cargo-deny/checks/sources/cfg.html
+[sources]
+unknown-registry = "warn"
+unknown-git = "warn"
+allow-registry = ["https://github.com/rust-lang/crates.io-index"]
+# List of URLs for allowed Git repositories
+allow-git = []
+
+# [sources.allow-org]
+# # 1 or more github.com organizations to allow git sources for
+# github = [""]
+# # 1 or more gitlab.com organizations to allow git sources for
+# gitlab = [""]
+# # 1 or more bitbucket.org organizations to allow git sources for
+# bitbucket = [""]
diff --git a/lib/docs/contributing.md b/lib/docs/contributing.md
@@ -52,7 +52,7 @@ pip install maturin
 # Install rust dev tools
 rustup update
 rustup component add rustfmt clippy
-cargo install wasm-pack cargo-tarpaulin mdbook mdbook-admonish cargo-make
+cargo install wasm-pack cargo-tarpaulin mdbook mdbook-admonish cargo-deny
 ```
 
 ### 📥️ Clone the repository
@@ -153,6 +153,14 @@ Build and serve:
 ./scripts/docs-serve.sh
 ```
 
+### ️⛓️ Check supply chain
+
+Check the dependency supply chain, only accept dependencies with OSI or FSF approved licenses.
+
+```bash
+cargo deny check
+```
+
 ### 🏷️ New release
 
 Publishing artifacts will be done by the `build.yml` workflow, make sure you have set the following tokens as secrets for this repository: `PYPI_TOKEN`, `NPM_TOKEN`, `CRATES_IO_TOKEN`, `CODECOV_TOKEN`