tikv/deny.toml at master · pingyu/tikv · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
# To comply with FIPS 140-2, we should not use crypto algorithms implemented in
# rust, instead we should delegate these operation to OpenSSL, including
# symmetric encryption, asymmetric encryption, hash functions,
# key establishment, digital signatures and random number generators.
[bans]
deny = [
    # Hash functions
    # We allow md5 for AWS S3 object lock feature which requires
    # computting object's md5.
    { name = "md5", wrappers = ["aws", "google-cloud-storage"] },
    { name = "md-5", wrappers = ["aws-smithy-checksums"]},
    # time 0.2 pulls sha1 through stdweb's proc-macro on wasm-only targets.
    { name = "sha1", wrappers = ["aws-smithy-checksums", "stdweb-internal-macros"]},
    { name = "sha-1" },
    { name = "sha2", wrappers = ["oauth2", "aws-sigv4", "aws-smithy-checksums", "aws-sdk-s3", "google-cloud-storage"] },
    { name = "sha3" },
    # Symmetric encryption
    { name = "aes" },
    { name = "aes-gcm" },
    { name = "aes-gcm-siv" },
    { name = "chacha20poly1305" },
    # google-cloud-gax pulls rand 0.10, which currently reaches chacha20.
    { name = "chacha20", wrappers = ["rand"] },
    # Asymmetric encryption
    { name = "elliptic-curves" },
    { name = "rsa" },
    # Digital signatures
    { name = "dsa" },
    { name = "ecdsa" },
    { name = "ed25519" },
    # Message authentication codes
    { name = "hmac", wrappers = ["aws-sigv4", "aws-sdk-s3"]},
    # We prefer the system native TLS or OpenSSL.
    # gcp_v2 enables rustls only to install and require the aws-lc-rs FIPS provider at runtime.
    { name = "rustls", wrappers = ["gcp_v2", "google-cloud-auth", "reqwest", "tokio-rustls", "hyper-rustls"] },
    { name = "ring", wrappers = ["rustls", "rustls-webpki"] },
    # Ban trait crates from RustCrypto.
    { name = "aead" },
    { name = "cipher" },
    # aws-smithy-checksums reaches digest through crc-fast in newer releases.
    { name = "digest", wrappers = ["sha2", "md-5", "sha1", "hmac", "crc-fast"] },
    { name = "password-hash" },
    { name = "signature" },
]
multiple-versions = "allow"

[advisories]
version = 2
yanked = "deny"
unmaintained = 'workspace'
ignore = [
    # Ignore RUSTSEC-2023-0072 as we ban the unsound `X509StoreRef::objects`.
    #
    # NB: Upgrading rust-openssl the latest version do fix the issue but it
    # also upgrade the OpenSSL to v3.x which causes performance degradation.
    # See https://github.com/openssl/openssl/issues/17064
    "RUSTSEC-2023-0072",
    # Ignore RUSTSEC-2024-0357 as there is no `MemBio::get_buf` in TiKV, also
    # we ban all openssl (Rust) APIs that call `MemBio::get_buf`.
    #
    # See https://github.com/sfackler/rust-openssl/pull/2266
    "RUSTSEC-2024-0357",
    # Ignore RUSTSEC-2021-0145 (unsound issue of "atty" crate) as it only
    # affects Windows plaform which is not supported offically by TiKV, and 2)
    # we have disabled the clap feature "color" so that the "atty" crate is not
    # included in production code.
    #
    # TODO: Upgrade clap to v4.x.
    "RUSTSEC-2021-0145",
    # Ignore RUSTSEC-2025-0004, as it will trigger a recursive upgrade of OpenSSL
    # to version 3.x.
    #
    # NB: Upgrading openssl the version >= 0.10.70 do fix the issue but it
    # also upgrade the OpenSSL to v3.x which causes performance degradation.
    # See https://github.com/openssl/openssl/issues/17064
    "RUSTSEC-2025-0004",
    # Ignore RUSTSEC-2025-0022, as it will trigger a recursive upgrade of OpenSSL
    # to version 3.x.
    #
    # NB: Upgrading openssl the version >= 0.10.72 do fix the issue but it
    # also upgrade the OpenSSL to v3.x which causes performance degradation.
    # See https://github.com/openssl/openssl/issues/17064
    "RUSTSEC-2025-0022",
    # Ignore RUSTSEC-2024-0436, as there is no widely used replacement of
    # package 'paste', and the package itself is very stable.
    "RUSTSEC-2024-0436",
    # Ignore RUSTSEC-2025-0057 temporarily. We are evaluating alternatives to
    # replace FxHash. Currently, this package is stable and there are no known
    # exploitable vulnerabilities affecting our use case.
    "RUSTSEC-2025-0057",
    # Ignore RUSTSEC-2026-0009 temporarily. This advisory comes from the
    # transitive cloud SDK dependency chain pulling in time 0.3.47. The fixed
    # time release requires serde 1.0.220 through serde_core, but the current
    # raft-engine revision in this workspace still hard-pins serde = 1.0.228,
    # so this cannot be resolved with a lockfile-only update.
    "RUSTSEC-2026-0009",
    # Ignore RUSTSEC-2026-0097 (unsound issue in rand with a custom logger using
    # rand::rng()). The vulnerability requires a custom logger that calls
    # rand::rng() / thread_rng() during logging, which TiKV does not do.
    # TODO: Upgrade rand to >=0.9.3 or >=0.10.1 when possible.
    "RUSTSEC-2026-0097",
]

# TiKV is licensed under Apache 2.0, according to ASF 3RD PARTY LICENSE POLICY,
# TiKV can include licenses in Category A, and include licenses in Category B
# under certain conditions.
# See https://www.apache.org/legal/resolved.html.
[licenses]
version = 2
private = { ignore = false }
# Allow licenses in Category A
allow = ["0BSD", "Apache-2.0", "BSD-3-Clause", "CC0-1.0", "ISC", "MIT", "Zlib", "Unicode-3.0"]
exceptions = [
    # unicode-ident includes data generated from Unicode Character Database
    # which is licensed under Unicode-DFS-2016.
    # See https://github.com/dtolnay/unicode-ident/pull/4
    { name = "unicode-ident", allow = ["Unicode-DFS-2016"] },
    # Allow licenses in Category B explicitly, make their usage more prominent.
    { name = "slog-json", allow = ["MPL-2.0"] },
    { name = "smartstring", allow = ["MPL-2.0"] },
    { name = "inferno", allow = ["CDDL-1.0"] },
    # rustls FIPS support pulls aws-lc-fips-sys, which is dual/triple licensed and
    # includes the OpenSSL license in its SPDX expression.
    { name = "aws-lc-fips-sys", allow = ["OpenSSL"] },
    # reqwest/hyper-rustls bundle Mozilla root certificates through webpki-roots.
    { name = "webpki-roots", allow = ["CDLA-Permissive-2.0"] },
]

[sources]
unknown-git = "deny"
unknown-registry = "deny"
allow-org = { github = ["tikv", "pingcap", "rust-lang"] }