Add chore cargo-deny

[pinkforest]

Signed-off-by: MissM [email protected]

Cargo-deny action by the lovely Embark crowd can be used to note on advisories / licenses upon PR / push

I've set so any advisory will not trash CI completely suddenly.

We can have separate audit job that runs periodically and raises Issues automatically upon any new advisory

EDIT: the deny action obviously fails atm

Licensing clarifications needed - besides the ones that FSF has decided on already as copyleft / compatible:

• ring (think TLS) - Same story as with radicle-link - Basically MIT, ISC aaaand OpenSSL (ring borrowed code from BoringSSL which took code from OpenSSL) but supposedly OpenSSL moved to Apache 2.0 https://www.openssl.org/blog/blog/2017/03/22/license/ some time after 2017 but question is what happened to BoringSSL code and thereafter to code in ring that came from nobody guess what version of OpenSSL - IANAL
• rad-inspect brings colored_json which is Eclipse License 2.0 and is not compatible with GPL when not dual licensed according to FSF: https://directory.fsf.org/wiki/License:EPL-2.0 - Replace colored_json with json-color #229

Advisories - Security / Errors

We can either deal with or supress them after evaluating impact if any -

RUSTSEC-2020-0043 - DoS - Insufficient size checks in outgoing buffer in ws allows remote attacker to run the process OOM
Crate ws is brought by walletconnect we have no control of - direct fork exists as parity-ws - housleyjk/ws-rs#291

RUSTSEC-2020-0159, RUSTSEC-2020-0071 - #231 - clarify & bump chrono features/time dependency

Advisories - Informational / Warns

Usually we nudge people to move away from these and may contain unsound / other concerns but no concrete threats

Unmaintained cbor, ansi_term, ...