From e63b3b7eb2a2af739bf7961610f4abfeed7ce80a Mon Sep 17 00:00:00 2001
From: Joshua Potts <8704475+iamjpotts@users.noreply.github.com>
Date: Mon, 22 Jan 2024 21:14:50 -0600
Subject: [PATCH] chore(deps): Add deny.yaml and a cargo deny CI job to check dependencies for vulnerabilities

Signed-off-by: Joshua Potts <8704475+iamjpotts@users.noreply.github.com>
---
 .github/workflows/sqlx.yml | 7 ++++
 Cargo.lock | 51 +++++++++++----------------
 deny.toml | 70 ++++++++++++++++++++++++++++++++++++++
 sqlx-test/Cargo.toml | 1 +
 4 files changed, 98 insertions(+), 31 deletions(-)
 create mode 100644 deny.toml

diff --git a/.github/workflows/sqlx.yml b/.github/workflows/sqlx.yml
index 153ea24479..0933c8f657 100644
--- a/.github/workflows/sqlx.yml
+++ b/.github/workflows/sqlx.yml
@@ -8,6 +8,13 @@ on:
       - '*-dev'
 
 jobs:
+  deny:
+    name: Cargo Deny
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: EmbarkStudios/cargo-deny-action@v1
+
   format:
     name: Format
     runs-on: ubuntu-20.04
diff --git a/Cargo.lock b/Cargo.lock
index 56cde771a9..208ed2c2cf 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -336,11 +336,11 @@ checksum = "1505bd5d3d116872e7271a6d4e16d81d0c8570876c8de68093a09ac269d8aac0"
 
 [[package]]
 name = "atomic-write-file"
-version = "0.1.0"
+version = "0.1.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c232177ba50b16fe7a4588495bd474a62a9e45a8e4ca6fd7d0b7ac29d164631e"
+checksum = "edcdbedc2236483ab103a53415653d6b4442ea6141baf1ffa85df29635e88436"
 dependencies = [
- "nix 0.26.4",
+ "nix 0.27.1",
  "rand",
 ]
 
@@ -1951,15 +1951,6 @@ dependencies = [
  "autocfg",
 ]
 
-[[package]]
-name = "memoffset"
-version = "0.7.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5de893c32cde5f383baa4c04c5d6dbdd735cfd4a794b0debdb2bb1b421da5ff4"
-dependencies = [
- "autocfg",
-]
-
 [[package]]
 name = "memoffset"
 version = "0.9.0"
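Review bot: The new deny job references both actions by floating tags (`actions/checkout@v4`, `EmbarkStudios/cargo-deny-action@v1`), so a moved or compromised tag changes what runs in CI without any change to this repository; for a job whose purpose is supply-chain hygiene, pin each action to a full-length commit SHA and keep the tag in a trailing comment, e.g. `- uses: EmbarkStudios/cargo-deny-action@<full commit SHA> # v1`. The job also declares no `permissions:` block; unless the workflow's top level (outside this hunk) already restricts the token, `permissions:` / `contents: read` on the job keeps the GITHUB_TOKEN read-only for a step that only reads the tree. The job runs on `ubuntu-latest` while the adjacent `format` job pins `ubuntu-20.04`; picking one convention avoids the two jobs drifting to different runner images.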
@@ -2071,15 +2062,13 @@ dependencies = [
 
 [[package]]
 name = "nix"
-version = "0.26.4"
+version = "0.27.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "598beaf3cc6fdd9a5dfb1630c2800c7acd31df7aaf0f565796fba2b53ca1af1b"
+checksum = "2eb04e9c688eff1c89d72b407f168cf79bb9e867a9d3323ed6c01519eb9cc053"
 dependencies = [
- "bitflags 1.3.2",
+ "bitflags 2.4.1",
  "cfg-if",
  "libc",
- "memoffset 0.7.1",
- "pin-utils",
 ]
 
 [[package]]
@@ -2190,9 +2179,9 @@ checksum = "0ab1bc2a289d34bd04a330323ac98a1b4bc82c9d9fcb1e66b63caa84da26b575"
 
 [[package]]
 name = "openssl"
-version = "0.10.59"
+version = "0.10.63"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7a257ad03cd8fb16ad4172fedf8094451e1af1c4b70097636ef2eac9a5f0cc33"
+checksum = "15c9d69dd87a29568d4d017cfe8ec518706046a05184e5aea92d0af890b803c8"
 dependencies = [
  "bitflags 2.4.1",
  "cfg-if",
@@ -2231,9 +2220,9 @@ dependencies = [
 
 [[package]]
 name = "openssl-sys"
-version = "0.9.95"
+version = "0.9.99"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "40a4130519a360279579c2053038317e40eff64d13fd3f004f9e1b72b8a6aaf9"
+checksum = "22e1bf214306098e4832460f797824c05d25aacdf896f64a985fb0fd992454ae"
 dependencies = [
  "cc",
  "libc",
@@ -4130,9 +4119,9 @@ checksum = "9c8d87e72b64a3b4db28d11ce29237c246188f4f51057d65a7eab63b7987e423"
 
 [[package]]
 name = "wasm-bindgen"
-version = "0.2.88"
+version = "0.2.90"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7daec296f25a1bae309c0cd5c29c4b260e510e6d813c286b19eaadf409d40fce"
+checksum = "b1223296a201415c7fad14792dbefaace9bd52b62d33453ade1c5b5f07555406"
 dependencies = [
  "cfg-if",
  "wasm-bindgen-macro",
@@ -4140,9 +4129,9 @@ dependencies = [
 
 [[package]]
 name = "wasm-bindgen-backend"
-version = "0.2.88"
+version = "0.2.90"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e397f4664c0e4e428e8313a469aaa58310d302159845980fd23b0f22a847f217"
+checksum = "fcdc935b63408d58a32f8cc9738a0bffd8f05cc7c002086c6ef20b7312ad9dcd"
 dependencies = [
  "bumpalo",
  "log",
@@ -4167,9 +4156,9 @@ dependencies = [
 
 [[package]]
 name = "wasm-bindgen-macro"
-version = "0.2.88"
+version = "0.2.90"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5961017b3b08ad5f3fe39f1e79877f8ee7c23c5e5fd5eb80de95abc41f1f16b2"
+checksum = "3e4c238561b2d428924c49815533a8b9121c664599558a5d9ec51f8a1740a999"
 dependencies = [
  "quote",
  "wasm-bindgen-macro-support",
@@ -4177,9 +4166,9 @@ dependencies = [
 
 [[package]]
 name = "wasm-bindgen-macro-support"
-version = "0.2.88"
+version = "0.2.90"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c5353b8dab669f5e10f5bd76df26a9360c748f054f862ff5f3f8aae0c7fb3907"
+checksum = "bae1abb6806dc1ad9e560ed242107c0f6c84335f1749dd4e8ddb012ebd5e25a7"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -4190,9 +4179,9 @@ dependencies = [
 
 [[package]]
 name = "wasm-bindgen-shared"
-version = "0.2.88"
+version = "0.2.90"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0d046c5d029ba91a1ed14da14dca44b68bf2f124cfbaf741c54151fdb3e0750b"
+checksum = "4d91413b1c31d7539ba5ef2451af3f0b833a005eb27a631cec32bc0635a8602b"
 
 [[package]]
 name = "web-sys"
diff --git a/deny.toml b/deny.toml
new file mode 100644
index 0000000000..1ed3d6a474
--- /dev/null
+++ b/deny.toml
@@ -0,0 +1,70 @@
+[advisories]
+ignore = [
+    # No upgrade available for rsa 0.9.4, a direct dependency of sqlx-mysql
+    "RUSTSEC-2023-0071",
+]
+notice = "deny"
+unmaintained = "deny"
+vulnerability = "deny"
+yanked = "deny"
+
+[licenses]
+allow = [
+    "Apache-2.0",
+    "BSD-2-Clause",
+    "BSD-3-Clause",
+    "ISC",
+    "MIT",
+    "MPL-2.0",
+    "OpenSSL",
+    "Unicode-DFS-2016",
+    "Zlib",
+]
+default = "deny"
+confidence-threshold = 0.9
+unlicensed = "deny"
+
+[[licenses.clarify]]
+name = "ring"
+expression = "MIT AND ISC AND OpenSSL"
+license-files = [
+    { path = "LICENSE", hash = 0xbd0eed23 }
+]
+
+[bans]
+allow = []
+deny = []
+multiple-versions = "deny"
+skip = [
+    # async-std 1.12 uses two versions - this older version directly, and a newer verison transitively.
+    { name = "async-channel", version = "=1.9.0" },
+    # criterion 0.5.1 uses this older version of itertools
+    # Note that cargo deny will warn about this being unmatched with the --all-features flag set
+    { name = "itertools", version = "=0.10.5" },
+    # mac_address 1.1.5, an optional feature of sqlx-core, this older version as a direct dependency
+    { name = "nix", version = "=0.23.2" },
+    # native-tls 0.2.11 has this older version as a transitive dependency
+    { name = "spin", version = "=0.5.2" },
+    # syn 2.0 has not been adopted by many crates using syn 1.x due to difficult breaking changes
+    { name = "syn", version = "<2" },
+]
+skip-tree = [
+    # async-std 1.12 uses two versions - this older version directly, and a newer verison transitively.
+    { name = "async-io", version = "=1.13.0" },
+]
+
+# Warn, rather than deny, due to sqlx crates not referencing each other by a specific version
+wildcards = "warn"
+
+[sources]
+allow-git = []
+allow-registry = [
+    "https://github.com/rust-lang/crates.io-index"
+]
+unknown-git = "deny"
+unknown-registry = "deny"
+
+[sources.allow-org]
+bitbucket = []
+github = []
+gitlab = []
diff --git a/sqlx-test/Cargo.toml b/sqlx-test/Cargo.toml
index ddc94d216e..8c0b6adda4 100644
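Review bot: The `ignore` entry for `RUSTSEC-2023-0071` under `[advisories]` has no stated exit condition, so this suppression of a known advisory in `rsa` (a dependency of sqlx-mysql per the comment) will silently outlive the reason for it; since `vulnerability = "deny"` makes this the only hole in the advisory gate, the comment should say what clears it, e.g. `# Remove once an rsa release resolving RUSTSEC-2023-0071 exists and sqlx-mysql has moved to it`. The comments on the `async-channel` and `async-io` skip entries misspell "version" as "verison". The commit subject calls the new file deny.yaml while the file added here is deny.toml, which is worth correcting before merge so the history matches the tree.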
--- a/sqlx-test/Cargo.toml
+++ b/sqlx-test/Cargo.toml
@@ -2,6 +2,7 @@
 name = "sqlx-test"
 version = "0.1.0"
 edition = "2021"
+license = "MIT OR Apache-2.0"
 publish = false
 
 [dependencies]