  1  # This template contains all of the possible sections and their default values
  2  
  3  # Note that all fields that take a lint level have these possible values:
  4  # * deny - An error will be produced and the check will fail
  5  # * warn - A warning will be produced, but the check will not fail
  6  # * allow - No warning or error will be produced, though in some cases a note
  7  # will be
  8  
  9  # The values provided in this template are the default values that will be used
 10  # when any section or field is not specified in your own configuration
 11  
 12  # Root options
 13  
 14  # If 1 or more target triples (and optionally, target_features) are specified,
 15  # only the specified targets will be checked when running `cargo deny check`.
 16  # This means, if a particular package is only ever used as a target specific
 17  # dependency, such as, for example, the `nix` crate only being used via the
 18  # `target_family = "unix"` configuration, that only having windows targets in
 19  # this list would mean the nix crate, as well as any of its exclusive
 20  # dependencies not shared by any other crates, would be ignored, as the target
 21  # list here is effectively saying which targets you are building for.
 22  targets = [
 23      # The triple can be any string, but only the target triples built in to
 24      # rustc (as of 1.40) can be checked against actual config expressions
 25      #{ triple = "x86_64-unknown-linux-musl" },
 26      # You can also specify which target_features you promise are enabled for a
 27      # particular target. target_features are currently not validated against
 28      # the actual valid features supported by the target architecture.
 29      #{ triple = "wasm32-unknown-unknown", features = ["atomics"] },
 30  ]
 31  # When creating the dependency graph used as the source of truth when checks are
 32  # executed, this field can be used to prune crates from the graph, removing them
 33  # from the view of cargo-deny. This is an extremely heavy hammer, as if a crate
 34  # is pruned from the graph, all of its dependencies will also be pruned unless
 35  # they are connected to another crate in the graph that hasn't been pruned,
 36  # so it should be used with care. The identifiers are [Package ID Specifications]
 37  # (https://doc.rust-lang.org/cargo/reference/pkgid-spec.html)
 38  #exclude = []
 39  # If true, metadata will be collected with `--all-features`. Note that this can't
 40  # be toggled off if true, if you want to conditionally enable `--all-features` it
 41  # is recommended to pass `--all-features` on the cmd line instead
 42  all-features = false
 43  # If true, metadata will be collected with `--no-default-features`. The same
 44  # caveat with `all-features` applies
 45  no-default-features = false
 46  # If set, these feature will be enabled when collecting metadata. If `--features`
 47  # is specified on the cmd line they will take precedence over this option.
 48  #features = []
 49  # When outputting inclusion graphs in diagnostics that include features, this
 50  # option can be used to specify the depth at which feature edges will be added.
 51  # This option is included since the graphs can be quite large and the addition
 52  # of features from the crate(s) to all of the graph roots can be far too verbose.
 53  # This option can be overridden via `--feature-depth` on the cmd line
 54  feature-depth = 1
 55  
 56  # This section is considered when running `cargo deny check advisories`
 57  # More documentation for the advisories section can be found here:
 58  # https://embarkstudios.github.io/cargo-deny/checks/advisories/cfg.html
 59  [advisories]
 60  # The path where the advisory database is cloned/fetched into
 61  db-path = "~/.cargo/advisory-db"
 62  # The url(s) of the advisory databases to use
 63  db-urls = ["https://github.com/rustsec/advisory-db"]
 64  # The lint level for security vulnerabilities
 65  vulnerability = "deny"
 66  # The lint level for unmaintained crates
 67  unmaintained = "warn"
 68  # The lint level for crates that have been yanked from their source registry
 69  yanked = "warn"
 70  # The lint level for crates with security notices. Note that as of
 71  # 2019-12-17 there are no security notice advisories in
 72  # https://github.com/rustsec/advisory-db
 73  notice = "warn"
 74  # A list of advisory IDs to ignore. Note that ignored advisories will still
 75  # output a note when they are encountered.
 76  ignore = [
 77      #"RUSTSEC-0000-0000",
 78  ]
 79  # Threshold for security vulnerabilities, any vulnerability with a CVSS score
 80  # lower than the range specified will be ignored. Note that ignored advisories
 81  # will still output a note when they are encountered.
 82  # * None - CVSS Score 0.0
 83  # * Low - CVSS Score 0.1 - 3.9
 84  # * Medium - CVSS Score 4.0 - 6.9
 85  # * High - CVSS Score 7.0 - 8.9
 86  # * Critical - CVSS Score 9.0 - 10.0
 87  #severity-threshold =
 88  
 89  # If this is true, then cargo deny will use the git executable to fetch advisory database.
 90  # If this is false, then it uses a built-in git library.
 91  # Setting this to true can be helpful if you have special authentication requirements that cargo-deny does not support.
 92  # See Git Authentication for more information about setting up git authentication.
 93  #git-fetch-with-cli = true
 94  
 95  # This section is considered when running `cargo deny check licenses`
 96  # More documentation for the licenses section can be found here:
 97  # https://embarkstudios.github.io/cargo-deny/checks/licenses/cfg.html
 98  [licenses]
 99  # The lint level for crates which do not have a detectable license
100  unlicensed = "deny"
101  # List of explicitly allowed licenses
102  # See https://spdx.org/licenses/ for list of possible licenses
103  # [possible values: any SPDX 3.11 short identifier (+ optional exception)].
104  allow = [
105      "Apache-2.0",
106      "Apache-2.0 WITH LLVM-exception",
107      "MIT",
108      "MPL-2.0",
109      "BSD-3-Clause",
110      "ISC",
111      "CC0-1.0",
112      "Unlicense",
113      "MITNFA"
114  ]
115  # List of explicitly disallowed licenses
116  # See https://spdx.org/licenses/ for list of possible licenses
117  # [possible values: any SPDX 3.11 short identifier (+ optional exception)].
118  deny = [
119      #"Nokia",
120  ]
121  # Lint level for licenses considered copyleft
122  copyleft = "warn"
123  # Blanket approval or denial for OSI-approved or FSF Free/Libre licenses
124  # * both - The license will be approved if it is both OSI-approved *AND* FSF
125  # * either - The license will be approved if it is either OSI-approved *OR* FSF
126  # * osi-only - The license will be approved if is OSI-approved *AND NOT* FSF
127  # * fsf-only - The license will be approved if is FSF *AND NOT* OSI-approved
128  # * neither - This predicate is ignored and the default lint level is used
129  allow-osi-fsf-free = "neither"
130  # Lint level used when no other predicates are matched
131  # 1. License isn't in the allow or deny lists
132  # 2. License isn't copyleft
133  # 3. License isn't OSI/FSF, or allow-osi-fsf-free = "neither"
134  default = "deny"
135  # The confidence threshold for detecting a license from license text.
136  # The higher the value, the more closely the license text must be to the
137  # canonical license text of a valid SPDX license file.
138  # [possible values: any between 0.0 and 1.0].
139  confidence-threshold = 0.8
140  # Allow 1 or more licenses on a per-crate basis, so that particular licenses
141  # aren't accepted for every possible crate as with the normal allow list
142  exceptions = [
143      { allow = [
144          "Zlib",
145      ], name = "tinyvec" },
146      { allow = [
147          "Unicode-DFS-2016",
148      ], name = "unicode-ident" },
149      { allow = [
150          "OpenSSL",
151      ], name = "ring" }
152  ]
153  
# Manual license statement for a crate whose LICENSE file is not machine
# readable. The clarification is tied to the recorded hash of that file, so a
# `ring` upgrade that rewrites LICENSE stops it from applying; re-check the
# expression and refresh the hash whenever `ring` is bumped.
[[licenses.clarify]]
name = "ring"
# ring's LICENSE file covers three licenses at once:
# * ISC     - what BoringSSL and ring use for their own new files
# * MIT     - "Files in third_party/ have their own licenses, as described
#             therein. The MIT license, for third_party/fiat, which, unlike
#             other third_party directories, is compiled into non-test
#             libraries, is included below."
# * OpenSSL - the SPDX "OpenSSL" identifier, which encompasses both the
#             OpenSSL and the SSLeay licenses
#             (https://spdx.org/licenses/OpenSSL.html)
expression = "ISC AND MIT AND OpenSSL"
license-files = [
    { path = "LICENSE", hash = 0xbd0eed23 },
]
168  
169  
[licenses.private]
# Workspace crates that are never published (or only to the registries listed
# below) are still license-checked; set to true to skip them. A crate is
# marked unpublished via the `publish` field in its Cargo.toml:
# https://doc.rust-lang.org/cargo/reference/manifest.html#the-publish-field
ignore = false
# Private registries this workspace publishes to. Only consulted when
# `ignore = true`: a crate published solely to one of these is then skipped.
registries = [
    #"https://sekretz.com/registry",
]
182  
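# Checked by `cargo deny check bans`.
# https://embarkstudios.github.io/cargo-deny/checks/bans/cfg.html
[bans]
# Several versions of one crate in the graph only warn: it bloats the build
# and doubles the patching surface, but is rarely avoidable transitively.
multiple-versions = "warn"
# A `*` version requirement is reported. With `*` nothing but the lockfile
# decides which version -- including a future malicious one -- gets built.
# Raise to "deny" once the workspace is clean. If path dependencies without a
# version are what gets flagged, pin them instead of relaxing this (check
# whether your cargo-deny version offers `allow-wildcard-paths` for that case).
wildcards = "warn"
# Which path to highlight in the dot graph emitted for duplicate crates
# * lowest-version - the path to the lowest duplicate version
# * simplest-path  - the path with the fewest edges
# * all            - both
highlight = "all"
# Default lint level for the `default` feature of workspace members; can be
# overridden per crate.
workspace-default-features = "allow"
# Same, for crates that are not workspace members.
external-default-features = "allow"
# Explicit allow list. Use with care: cargo-deny treats a non-empty allow list
# as the complete set of permitted crates, so everything not listed is banned.
allow = [
    #{ name = "ansi_term", version = "=0.11.0" },
]
# Banned crates. Each entry names a crate and an optional version requirement;
# no version means every version.
deny = [
    #{ name = "ansi_term", version = "=0.11.0" },
    #
    # `wrappers` lists crates that are allowed to depend on the banned crate
    # directly; the ban still applies to every other dependent.
    #{ name = "ansi_term", version = "=0.11.0", wrappers = [] },
]
# Crate versions ignored by duplicate detection.
skip = [
    #{ name = "ansi_term", version = "=0.11.0" },
]
# Like `skip`, but also ignores the crate's whole transitive dependency tree,
# down to `depth` (unbounded when omitted).
skip-tree = [
    #{ name = "ansi_term", version = "=0.11.0", depth = 20 },
]

# Per-crate feature policy. `[[bans.features]]` is an array-of-tables header:
# keep it (and this example) BELOW every plain `[bans]` key, because any bare
# key written after the header -- `skip`, `skip-tree`, ... -- would belong to
# `bans.features` instead of `bans` as soon as the example is uncommented.
# Each entry names a crate and an optional version requirement; no version
# means every version.
#[[bans.features]]
#name = "reqwest"
# Features that must not be enabled
#deny = ["json"]
# Features that may be enabled
#allow = [
#    "__rustls",
#    "__tls",
#    "hyper-rustls",
#    "rustls",
#    "rustls-pemfile",
#    "rustls-tls-webpki-roots",
#    "tokio-rustls",
#    "webpki-roots",
#]
# When true the enabled features must match `allow` exactly, which makes
# `deny` redundant.
#exact = true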
254  
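# Checked by `cargo deny check sources`.
# https://embarkstudios.github.io/cargo-deny/checks/sources/cfg.html
[sources]
# A crate from a registry not listed in `allow-registry` fails the check.
# Anything less lets a dependency quietly resolve from an unvetted registry.
unknown-registry = "deny"
# A crate from a git repository not covered by `allow-git` or
# `[sources.allow-org]` fails the check. Git dependencies sit outside the
# registry's immutability and yank mechanisms, so each one has to be listed
# explicitly below.
unknown-git = "deny"
# Allowed registries. Defaults to the crates.io index when the key is omitted;
# when present but empty, NO registry is allowed. If the workspace resolves
# through the sparse index and cargo-deny reports it as unknown, add
# "sparse+https://index.crates.io/" here as well.
allow-registry = ["https://github.com/rust-lang/crates.io-index"]
# Git repositories allowed as crate sources, by full URL. Prefer this over
# `allow-org`: it names the exact repository rather than everything under an
# organisation.
allow-git = []

# Whole organisations allowed as git sources. Empty on purpose: add an org
# only when individual `allow-git` URLs are impractical. Never use an empty
# string as a placeholder entry -- it is an organisation name like any other,
# and what it matches is not obvious from the config; `[]` is the explicit
# "nothing allowed" form.
[sources.allow-org]
# github.com organisations
github = []
# gitlab.com organisations
gitlab = []
# bitbucket.org organisations
bitbucket = []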