rosenpass/supply-chain-protection.md
2025-02-06 08:18:17 +01:00
Supply Chain Protection

The CI for this repository uses the following tools to protect the supply chain:

  • cargo-vet: vets dependencies based on existing audits with the aim of incrementally using fewer and fewer unaudited dependencies.
  • cargo-deny: checks for unwanted licenses, crates, and other security issues.
  • cargo-supply-chain: generates reports on dependencies and their authors.

Below, we briefly explain how to configure these tools and how to make appropriate adjustments when dependencies change.

cargo-vet

cargo-vet vets dependencies based on performed audits. In order to avoid redundant work, it encourages the use of already performed audits by trusted organizations or people. As of now, we trust audits performed by the actix team, the bytecode-alliance, embark-studios, fermyon, google, the ISRG, the mozilla team, and the ZCash foundation. Since, as of now, only a minority of crates have been audited, the tool aims at incrementally using fewer and fewer unaudited dependencies by initially exempting all dependencies from the need to be audited for the CI to pass. As more crates are audited, the tool prompts to reevaluate the list of exemptions and remove as many as possible.

Configuration

The configuration files for cargo-vet are located in the supply-chain directory. The central configuration file is config.toml, where the list of trusted organizations and the list of exemptions are defined.

Adding new dependencies

Make sure to install cargo vet first. Then, when adding new dependencies, run cargo vet suggest before committing. If the dependency is not safe-to-deploy, add it to the exemptions in the file supply-chain/config.toml.

For all further configuration options, please refer to the cargo-vet documentation.
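To make the two lists described above concrete, here is a constructed supply-chain/config.toml in the shape cargo-vet expects. It is an added illustration, not the project's actual file: the import URLs are placeholders, and the exempted crate name and version are invented.

```toml
# Constructed example of supply-chain/config.toml (not the project's real file).
cargo-vet-version = "0.10"

# Criteria a dependency must meet unless exempted below.
default-criteria = "safe-to-deploy"

# Audit sets imported from trusted organizations. cargo-vet fetches these
# files and accepts their audits as if they were our own.
# The URLs below are placeholders, not the real audit locations.
[imports.mozilla]
url = "https://example.invalid/mozilla/supply-chain/audits.toml"

[imports.google]
url = "https://example.invalid/google/supply-chain/audits.toml"

# Exemptions: crates accepted without an audit so the CI passes.
# Each entry pins one version; `cargo vet prune` reports entries that
# became unnecessary once an imported audit covers the crate.
# Crate name and version here are invented for illustration.
[[exemptions.example-dependency]]
version = "1.2.3"
criteria = "safe-to-deploy"
notes = "No trusted audit available yet; revisit when one is imported."
```

Running `cargo vet` in CI fails when a dependency is neither covered by an imported audit nor listed under exemptions, which is the check that keeps the exemption list from growing silently.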

cargo-deny

cargo-deny checks for unwanted licenses, crates, and other security issues. It is configured in the file deny.toml.

Licenses

The only allowed licenses are the MIT license, the Apache-2.0 license, the Apache-2.0 license WITH LLVM-exception, the BSD-3-Clause license and the ISC license. All other licenses are banned. An exception is made for the unicode-ident crate, for which we allow the Unicode-DFS-2016 license.

Security vulnerabilities

The tool checks for security vulnerabilities in dependencies. If a vulnerability is found, the CI will fail. If you must, you can add exceptions in the deny.toml file, but this should only be a last resort.

Adding new dependencies

Make sure to install cargo deny first. Then, when adding new dependencies, run cargo deny check before committing. If cargo deny check reports issues with the dependency, you should try to resolve them appropriately. If this is not possible, thoroughly consider whether the dependency is necessary and whether an exception should be made in the deny.toml file.

For all further configuration options, please refer to the cargo-deny documentation.
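The license allow list, the unicode-ident exception and the last-resort advisory exceptions described in the three sections above map onto a deny.toml like the following. This is a constructed example added here, not the project's own deny.toml; the commented-out advisory id and banned crate name are placeholders.

```toml
# Constructed example of deny.toml (not the project's real file).

[licenses]
# Only these SPDX identifiers pass `cargo deny check licenses`;
# every other license fails the build.
allow = [
  "MIT",
  "Apache-2.0",
  "Apache-2.0 WITH LLVM-exception",
  "BSD-3-Clause",
  "ISC",
]
# Minimum confidence for cargo-deny's license-text detection.
confidence-threshold = 0.8

# Per-crate exception: unicode-ident ships Unicode data under a
# license that is not in the global allow list.
[[licenses.exceptions]]
crate = "unicode-ident"
allow = ["Unicode-DFS-2016"]

[advisories]
# Vulnerabilities from the RustSec advisory database fail the check.
# `ignore` is the last-resort escape hatch; each entry should name one
# advisory and carry a reason. Kept empty here; the id below is a placeholder.
ignore = [
  # { id = "RUSTSEC-0000-0000", reason = "placeholder: vulnerable code path not reachable" },
]

[bans]
# Explicitly unwanted crates (`cargo deny check bans`). Placeholder name.
deny = [
  # { crate = "placeholder-unwanted-crate", reason = "placeholder: replaced by an audited alternative" },
]
multiple-versions = "warn"
wildcards = "deny"
```

`cargo deny check` without arguments runs the licenses, advisories, bans and sources checks together, so a new dependency that trips any of them fails locally before it reaches the CI.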

cargo-supply-chain

cargo-supply-chain generates reports on dependencies and their authors. These reports should be reviewed regularly. However, they will not cause the CI to fail.