# cargo-deny advisory checks. Advisory IDs listed under `ignore` are exempted
# from the check; every exemption should carry a written justification.
[advisories]
version = 2
# A yanked crate version in the dependency graph fails the check.
yanked = "deny"
ignore = [
# https://rustsec.org/advisories/RUSTSEC-2023-0071
#
# This is a side-channel vulnerability where secrets can be leaked to an
# attacker that is able to measure the timing of a large number of RSA
# operations. As of 2023-12-03, there is no released version of the rsa
# crate that contains a fix.
#
# For avbroot specifically, this vulnerability is not too critical for a
# couple reasons:
#
# 1. avbroot performs RSA signing only at the end of lengthy processes
# that involve a lot of disk I/O. It's very expensive to run avbroot
# the millions of times needed to capture a sufficient amount of timing
# data.
# 2. During a single run of avbroot, it will only perform RSA signing a
# handful of times. To get sufficient measurements, the attacker would
# need to rerun avbroot. If they are able to rerun avbroot, then they
# are also able to just read and steal the private key directly.
#
# avbroot has no network capabilities, so this is not inherently remotely
# exploitable.
#
# NOTE(review): this exemption rests on two things stated above: the absence
# of a fixed rsa release as of the date given, and the assumption that anyone
# able to rerun avbroot can also read the private key. Re-check the advisory
# when dependencies are updated, and revisit the entry if either stops
# holding.
"RUSTSEC-2023-0071",
]
# License policy: only the SPDX identifiers listed in `allow` are accepted.
# A dependency whose license expression cannot be satisfied from this list
# fails the check.
[licenses]
version = 2
# Apply the license policy to dev-dependencies as well.
include-dev = true
allow = [
"Apache-2.0",
"Apache-2.0 WITH LLVM-exception",
"BSD-3-Clause",
"bzip2-1.0.6",
"GPL-3.0",
"ISC",
"MIT",
"OpenSSL",
"Unicode-3.0",
]
# Manually states the license expression for the ring crate.
# The hash ties this clarification to the current content of ring's LICENSE
# file. Under cargo-deny's clarify semantics, a changed file no longer matches,
# so the clarification stops applying and the license has to be reviewed again.
[[licenses.clarify]]
name = "ring"
expression = "MIT AND ISC AND OpenSSL"
license-files = [
{ path = "LICENSE", hash = 0xbd0eed23 },
]
# Crate bans and duplicate-version reporting.
[bans]
# Duplicate versions of one crate are reported as warnings, not errors.
multiple-versions = "warn"
# Dev-dependencies are included when looking for duplicate versions.
multiple-versions-include-dev = true
deny = [
# https://github.com/serde-rs/serde/issues/2538
# This range covers the serde_derive releases discussed in the linked issue,
# which shipped a precompiled proc-macro binary rather than building from
# source. Denying them keeps an unauditable prebuilt binary out of the build,
# in line with the `executables = "deny"` policy under [bans.build].
{ name = "serde_derive", version = ">=1.0.172,<1.0.184" },
]
# Build-time supply-chain checks on files shipped inside crate sources.
[bans.build]
# A native executable found in a scanned crate is an error unless bypassed.
executables = "deny"
# Widen the scan beyond the crates cargo-deny checks by default:
# include-dependencies also covers the dependencies of those crates, and
# include-workspace also covers this workspace's own crates.
# NOTE(review): confirm the exact scope against the cargo-deny version in use.
include-dependencies = true
include-workspace = true
bypass = [
# Copies of unmodified crashwrangler objects for old macOS versions.
#
# NOTE(review): allow-globs matches on path only, so the content of these
# object files is not pinned and a changed file under the same name would
# still pass. cargo-deny's bypass `allow` entries (path plus checksum) would
# detect that; consider them if the set of files is stable enough to pin.
{ name = "honggfuzz", allow-globs = ["honggfuzz/third_party/mac/CrashReport_*.o"] },
]
# Source restrictions: crates from a registry or git repository that is not
# explicitly allowed fail the check. No allow-registry list is given here, so
# cargo-deny's default (crates.io) applies.
[sources]
unknown-registry = "deny"
unknown-git = "deny"
allow-git = [
# NOTE(review): entries match on repository URL only and do not restrict which
# revision is fetched. Pinning to a specific commit has to come from the
# dependency declaration in Cargo.toml and from Cargo.lock.
"https://github.com/chenxiaolong/bzip2-rs",
"https://github.com/chenxiaolong/zip",
]