deny.toml

[advisories]
db-path = "~/.cargo/advisory-db"
db-urls = ["https://github.com/rustsec/advisory-db"]
# https://github.com/EmbarkStudios/cargo-deny/pull/611
version = 2
yanked = "deny"
ignore = [
    { id = "RUSTSEC-2024-0370", reason = "crate is unmaintained. This needs `arrow_convert` to use an alternative to `err-derive`" },
    { id = "RUSTSEC-2024-0384", reason = "`instant` crate is unmaintained. The dependency comes from datafusion" },
]


[licenses]
version = 2
allow = [
    "MIT",
    "MIT-0",
    "Apache-2.0",
    "BSD-2-Clause",
    "BSD-3-Clause",
    "ISC",
    "BSL-1.0",
    "OpenSSL",
    "MPL-2.0",
    "CC0-1.0",
    "Zlib",
    "Unicode-3.0"
]
# The confidence threshold for detecting a license from license text.
# The higher the value, the more closely the license text must be to the
# canonical license text of a valid SPDX license file.
# [possible values: any between 0.0 and 1.0].
confidence-threshold = 0.8

[[licenses.exceptions]]
# Ignore Unicode-DFS-2016 because we don't bundle the generated files from
# the unicode-ident dependency. See https://github.com/dtolnay/unicode-ident/pull/9/files
allow = ["Unicode-DFS-2016"]
name = "unicode-ident"
version = "1.0.6"

[[licenses.exceptions]]
# We are using inferno as part of the benchmarks crate that does not get released.
# Only modifications to inferno would have to made available under the CDDL:
# See https://fossa.com/blog/open-source-licenses-101-cddl-common-development-distribution-license/ and
# https://opensource.stackexchange.com/questions/8265/cddl-library-and-closed-source-application.
allow = ["CDDL-1.0"]
name = "inferno"
version = "0.11"

[[licenses.clarify]]
name = "ring"
# SPDX considers OpenSSL to encompass both the OpenSSL and SSLeay licenses
# https://spdx.org/licenses/OpenSSL.html
# ISC - Both BoringSSL and ring use this for their new files
# MIT - "Files in third_party/ have their own licenses, as described therein. The MIT
# license, for third_party/fiat, which, unlike other third_party directories, is
# compiled into non-test libraries, is included below."
# OpenSSL - Obviously
expression = "ISC AND MIT AND OpenSSL"
license-files = [{ path = "LICENSE", hash = 0xbd0eed23 }]

[licenses.private]
# If true, ignores workspace crates that aren't published, or are only
# published to private registries.
# To see how to mark a crate as unpublished (to the official registry),
# visit https://doc.rust-lang.org/cargo/reference/manifest.html#the-publish-field.
ignore = true
# One or more private registries that you might publish crates to, if a crate
# is only published to private registries, and ignore is true, the crate will
# not have its license(s) checked
registries = []

[bans]
multiple-versions = "warn"
wildcards = "allow"
highlight = "all"
allow = []
skip = [
    # It's ok to ignore these dependencies, as they're resolved but we never use them,
    # since we don't target Windows, nor HermitCore. We have a couple of transitive dependencies
    # requiring windows and hermit syscalls with conflicting version.
    # Also see https://github.com/rust-lang/cargo/issues/1197
    { name = "windows-sys" },
    { name = "windows-targets" },
    { name = "windows_x86_64_msvc" },
    { name = "windows_x86_64_gnullvm" },
    { name = "windows_aarch64_gnullvm" },
    { name = "windows_x86_64_gnu" },
    { name = "windows_i686_gnu" },
    { name = "windows_i686_msvc" },
    { name = "windows_aarch64_msvc" },
    { name = "hermit-abi" },
    # Clash between prost-reflect and tracing_instrumentation
    { name = "ordered-float" },

    # Clash between criterion clap dependency and our own
    { name = "clap" },
    { name = "clap_lex" },
    { name = "clap_derive" },

    # Clash between tonic clap dependency (outdated) and hyper-rustls and prost-reflect
    { name = "base64" },

    # The following is an internal dependecy needed by librocksdb-sys
    { name = "syn" },

    # The following is a dev and build dependecy used by tempfile but clashes with open telemetry.
    { name = "redox_syscall"},

    # Clash between criterion dependency and datafusion dependency
    { name = "half" },

    # Clash between datafusion async-compression dependency and datafusion zstd dependency
    { name = "zstd-safe"},
    { name = "zstd"},

    # Clash between datafusion and arrow
    { name = "hashbrown"},

    # Clash between datafusion and invoker
    { name = "tokio-rustls"},

    # Clash between rocksdb bindgen and prost-build
    { name = "prettyplease"},

    # Clash between our own and opentelemetry-otlp's Tonic dependency :-(
    { name = "tonic" },

    # Clash between tracing-subscriber and datafusion :-(
    { name = "regex-syntax" },

    # Clash between pprof and datafusion :-(
    { name = "quick-xml" },

    # Clash with criterion
    { name = "itertools" },

    # Clash between datafusion-expr and arrow
    { name = "strum"},
    { name = "strum_macros"},

    # Clash between pgwire and arrow
    {name = "time"},

    # clash between datafusion and arrow
    {name = "wasi"},

    # clash between rdkafka and many other libraries
    {name = "indexmap"},

    # clash between prost and otel libraries
    {name = "prost"},
    {name = "prost-derive"},

    # clash between aws-config and datafusion
    {name = "fastrand"},

    # clash between aws-config and pgwire
    {name = "untrusted"},
    {name = "spin"},
    {name = "ring"}
]

deny = [
    # Use rustls instead of openssl-sys since it is assumed to be more secure
    { name = "openssl-sys" }
]

[sources]
unknown-registry = "deny"
# Lint level for what to happen when a crate from a git repository that is not
# in the allow list is encountered
unknown-git = "deny"
allow-registry = ["https://github.com/rust-lang/crates.io-index"]
allow-git = [
    "https://github.com/restatedev/rust-rocksdb.git",
]

[sources.allow-org]
# 1 or more github.com organizations to allow git sources for
github = ["restatedev"]