The [advisories]
section
Contains all of the configuration for cargo deny check advisories
Example Config
[advisories]
db-path = "~/.cargo/advisory-dbs"
db-urls = ["https://github.com/RustSec/advisory-db"]
vulnerability = "deny"
unmaintained = "warn"
unsound = "warn"
yanked = "warn"
notice = "warn"
ignore = [
"RUSTSEC-0000-0000",
"crate@0.1",
{ crate = "yanked", reason = "a new version has not been released" },
]
severity-threshold = "medium"
The db-urls
field (optional)
URLs to one or more advisory databases.
Default: RustSec Advisory DB
The db-path
field (optional)
Path to the root directory into which one or more advisory databases are cloned into.
This value supports basic shell expansion:
~
- Expands tohome::home_dir
$VARNAME
- Expands tostd::env::var("VARNAME")
${VARNAME}
- Expands tostd::env::var("VARNAME")
${VARNAME:-fallback}
- Expands tostd::env::var("VARNAME")
or the fallback value if it doesn't exist (everything between the:-
and}
)$CARGO_HOME
- Expands tostd::env::var("CARGO_HOME")
if it exists, otherwise expands to$(home::home_dir())/.cargo
Note that the path must be valid utf-8, after expansion.
Default: $CARGO_HOME/advisory-dbs
The version
field (optional)
version = 2
The advisories section has an upcoming breaking change, with deprecation warnings for several fields that will be removed. Setting version = 2
will opt-in to the future default behavior.
The breaking change is as follows:
vulnerability
- Removed, all vulnerability advisories now emit errors.unmaintained
- Removed, all unmaintained advisories now emit errors.unsound
- Removed, all unsound advisories now emit errors.notice
- Removed, all notice advisories now emit errors.severity-threshold
- Removed, all vulnerability advisories now emit errors.
As before, if you want to ignore a specific advisory, add it to the ignore
field.
The vulnerability
field (optional)
Determines what happens when a crate with a security vulnerability is encountered.
deny
(default) - Will emit an error with details about each vulnerability, and fail the check.warn
- Prints a warning for each vulnerability, but does not fail the check.allow
- Prints a note about the security vulnerability, but does not fail the check.
The unmaintained
field (optional)
Determines what happens when a crate with an unmaintained
advisory is encountered.
deny
- Will emit an error with details about the unmaintained advisory, and fail the check.warn
(default) - Prints a warning for each unmaintained advisory, but does not fail the check.allow
- Prints a note about the unmaintained advisory, but does not fail the check.
The unsound
field (optional)
Determines what happens when a crate with an unsound
advisory is encountered.
deny
- Will emit an error with details about the unsound advisory, and fail the check.warn
(default) - Prints a warning for each unsound advisory, but does not fail the check.allow
- Prints a note about the unsound advisory, but does not fail the check.
The yanked
field (optional)
Determines what happens when a crate with a version that has been yanked from its source registry is encountered.
deny
- Will emit an error with the crate name and version that was yanked, and fail the check.warn
(default) - Prints a warning with the crate name and version that was yanked, but does not fail the check.allow
- Prints a note about the yanked crate, but does not fail the check.
The notice
field (optional)
Determines what happens when a crate with a notice
advisory is encountered.
NOTE: As of 2019-12-17 there are no notice
advisories in the RustSec Advisory DB
deny
- Will emit an error with details about the notice advisory, and fail the check.warn
(default) - Prints a warning for each notice advisory, but does not fail the check.allow
- Prints a note about the notice advisory, but does not fail the check.
The ignore
field (optional)
ignore = [
"RUSTSEC-0000-0000",
{ id = "RUSTSEC-0000-0000", reason = "this vulnerability does not affect us as we don't use the particular code path" },
"yanked@0.1.1",
{ crate = "yanked-crate@0.1.1", reason = "a semver compatible version hasn't been published yet" },
]
Every advisory in the advisory database contains a unique identifier, eg. RUSTSEC-2019-0001
. Putting an identifier in this array will cause the advisory to be treated as a note, rather than a warning or error.
In addition, yanked crate versions can be ignored by specifying a PackageSpec with an optional reason
.
The severity-threshold
field (optional)
The threshold for security vulnerabilities to be turned into notes instead of warnings or errors, depending upon its CVSS score. So having a high threshold means some vulnerabilities might not fail the check, but having a log level >= info
will mean that a note will be printed instead of a warning or error, depending on [advisories.vulnerability]
.
None
(default) - CVSS Score 0.0Low
- CVSS Score 0.1 - 3.9Medium
- CVSS Score 4.0 - 6.9High
- CVSS Score 7.0 - 8.9Critical
- CVSS Score 9.0 - 10.0
The git-fetch-with-cli
field (optional)
Similar to cargo's net.git-fetch-with-cli, this field allows you to opt-in to fetching advisory databases with the git CLI rather than using gix
.
false
(default) - Fetches advisory databases viagix
true
- Fetches advisory databases usinggit
. Git must be installed and inPATH
.
The maximum-db-staleness
field (optional)
A duration in RFC3339 format that specifies the maximum amount of time that can pass before the database is considered stale and an error is emitted. This is only checked when advisory database fetching has been disabled via the --offline
or check --disable-fetch
flags, as otherwise the database is always cloned or fetched to be up to date with the remote git repository.
The default if not specified is the same value that cargo-audit
uses, and cargo-deny
has been using, which is P90D
, or 90 days.
The RFC3339 duration format is...not well documented. The official grammar is as follows:
dur-second = 1*DIGIT "S"
dur-minute = 1*DIGIT "M" [dur-second]
dur-hour = 1*DIGIT "H" [dur-minute]
dur-time = "T" (dur-hour / dur-minute / dur-second)
dur-day = 1*DIGIT "D"
dur-week = 1*DIGIT "W"
dur-month = 1*DIGIT "M" [dur-day]
dur-year = 1*DIGIT "Y" [dur-month]
dur-date = (dur-day / dur-month / dur-year) [dur-time]
duration = "P" (dur-date / dur-time / dur-week)
However, as far as I can tell, there are no official spec compliance tests one can run for the duration formation, and several parsers I found written in other languages seemed to...not actually properly follow the grammar, so the implementation in cargo-deny may be wrong according to the spec, but at least it will be consistently wrong.
Note that while the spec supports ,
as a decimal separator, for simplicity cargo-deny only supports .
as a decimal separator.
One final note, there are 2 units available in the format that are not exact, namely, year 'Y' and month 'M'. It's not recommended to use either of them for that reason, but if you do they are calculated as follows.
- 1 year = 365 days
- 1 month = 30.43 days