magic-wormhole / magic-wormhole.rs

Rust implementation of Magic Wormhole, with new features and enhancements
European Union Public License 1.2

Add deny.toml #99

Closed piegamesde closed 3 years ago

piegamesde commented 3 years ago

https://github.com/EmbarkStudios/cargo-deny

We want to know about:

and probably a lot of other things.

brightly-salty commented 3 years ago

Having done a similar PR for Gleam, I'd like to take this issue on (I can also add cargo-deny to the CI if you would like). A couple of things before I start: Which licenses would you like to allow? cargo-audit currently has the following warnings on magic-wormhole:

Crate:         ws
Version:       0.9.1
Title:         Insufficient size checks in outgoing buffer in ws allows remote attacker to run the process out of memory
Date:          2020-09-25
ID:            RUSTSEC-2020-0043
URL:           https://rustsec.org/advisories/RUSTSEC-2020-0043
Solution:      No safe upgrade is available!
Dependency tree:
ws 0.9.1
└── magic-wormhole 0.0.2
    └── testy_project 0.1.0

Crate:         net2
Version:       0.2.37
Warning:       unmaintained
Title:         `net2` crate has been deprecated; use `socket2` instead
Date:          2020-05-01
ID:            RUSTSEC-2020-0016
URL:           https://rustsec.org/advisories/RUSTSEC-2020-0016
Dependency tree:
net2 0.2.37
├── miow 0.2.2
│   └── mio 0.6.23
│       ├── ws 0.9.1
│       │   └── magic-wormhole 0.0.2
│       │       └── testy_project 0.1.0
│       ├── tokio-uds 0.2.7
│       │   └── tokio 0.1.22
│       │       └── tokio-core 0.1.18
│       │           └── magic-wormhole 0.0.2
│       ├── tokio-udp 0.1.6
│       │   └── tokio 0.1.22
│       ├── tokio-tcp 0.1.4
│       │   ├── websocket 0.23.0
│       │   │   └── magic-wormhole 0.0.2
│       │   └── tokio 0.1.22
│       ├── tokio-reactor 0.1.12
│       │   ├── websocket 0.23.0
│       │   ├── tokio-uds 0.2.7
│       │   ├── tokio-udp 0.1.6
│       │   ├── tokio-tcp 0.1.4
│       │   ├── tokio-core 0.1.18
│       │   └── tokio 0.1.22
│       ├── tokio-core 0.1.18
│       ├── tokio 0.1.22
│       ├── mio-uds 0.6.8
│       │   └── tokio-uds 0.2.7
│       └── mio-extras 2.0.6
│           └── ws 0.9.1
└── mio 0.6.23

error: 1 vulnerability found!
warning: 1 allowed warning found

Would you like me to allow these in the deny.toml, and we can remove it once they are fixed? Or should we fix them first before we add the deny.toml?

Thanks!

piegamesde commented 3 years ago

> I can also add cargo-deny to the CI if you would like

Pretty please. That would be cool!

> Which licenses would you like to allow?

Well, everything that's compatible with the project's current one (MIT). That mostly excludes GPL and maybe also LGPL.

> cargo-audit currently has the following warnings on magic-wormhole:

That's interesting. I'm pretty sure I already removed these some while ago.

brightly-salty commented 3 years ago

Yes, it looks like the master branch does not have those warnings, but does have one about term. Maybe there hasn't been a release since those changes?

Crate:         term
Version:       0.4.6
Warning:       unmaintained
Title:         term is looking for a new maintainer
Date:          2018-11-19
ID:            RUSTSEC-2018-0015
URL:           https://rustsec.org/advisories/RUSTSEC-2018-0015
Dependency tree:
term 0.4.6
├── syntex_syntax 0.42.0
│   ├── syntex 0.42.2
│   │   ├── pnet_packet 0.27.2
│   │   │   ├── pnet_transport 0.27.2
│   │   │   │   └── pnet 0.27.2
│   │   │   │       └── magic-wormhole 0.1.0
│   │   │   └── pnet 0.27.2
│   │   └── pnet_macros 0.27.2
│   │       └── pnet_packet 0.27.2
│   └── pnet_macros 0.27.2
└── syntex_errors 0.42.0
    ├── syntex_syntax 0.42.0
    └── syntex 0.42.2