chore: Update to latest cargo deny (#2746)

Cargo deny is a tool used for license checks (initial motivation), vulnerability checks and other checks (such as unmaintained crates). This tool has been used across core monorepo for a long time, but given one problematic upgrade it's been pinned to a version. There have been breaking changes since then and the tool got better, but we got stuck with the old version. This upgrades to the new version, but is still pinned. A future development is adding renovate bot, which will keep version up to date. Currently in backlog of @matter-labs/devops. This PR updates the tool & addresses issues where the fix is straightforward. Other issues will need to be prioritized & treated separately. They can be found in deny.toml under `advisories.ignore`. There is space for further improvements on our current defaults, again, not tackled in this PR.
matter-labs · Aug 29, 2024 · 180f787 · 180f787
1 parent 814dedf
commit 180f787
Show file tree

Hide file tree

Showing 6 changed files with 52 additions and 31 deletions.
diff --git a/.github/workflows/cargo-license.yaml b/.github/workflows/cargo-license.yaml
@@ -4,5 +4,5 @@ jobs:
   cargo-deny:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
-    - uses: EmbarkStudios/cargo-deny-action@68cd9c5e3e16328a430a37c743167572e3243e7e
+    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+    - uses: EmbarkStudios/cargo-deny-action@8371184bd11e21dcf8ac82ebf8c9c9f74ebf7268 # v2.0.1
diff --git a/deny.toml b/deny.toml
@@ -1,15 +1,24 @@
+[graph]
+targets = []
 all-features = false
 no-default-features = false
 
+[output]
+feature-depth = 1
+
 [advisories]
-vulnerability = "deny"
-unmaintained = "warn"
-yanked = "warn"
-notice = "warn"
-ignore = []
+ignore = [
+    "RUSTSEC-2023-0045", # memoffset vulnerability, dependency coming from bellman_ce
+    "RUSTSEC-2022-0041", # crossbeam-utils vulnerability, dependency coming from bellman_ce
+    "RUSTSEC-2024-0320", # yaml_rust dependency being unmaintained, dependency in core, we should consider moving to yaml_rust2 fork
+    "RUSTSEC-2020-0168", # mach dependency being unmaintained, dependency in consensus, we should consider moving to mach2 fork
+    # all below caused by StructOpt which we still use and we should move to clap v3 instead
+    "RUSTSEC-2021-0145",
+    "RUSTSEC-2021-0139",
+
+]
 
 [licenses]
-unlicensed = "deny"
 allow = [
     "MIT",
     "Apache-2.0",
@@ -23,34 +32,42 @@ allow = [
     "Zlib",
     "OpenSSL",
 ]
-copyleft = "warn"
-allow-osi-fsf-free = "neither"
-default = "deny"
 confidence-threshold = 0.8
-exceptions = [
-    { name = "ring", allow = ["OpenSSL"] },
-]
-unused-allowed-license = "allow"
 
 [[licenses.clarify]]
-name = "ring"
-expression = "OpenSSL"
-license-files = [
-    { path = "LICENSE", hash = 0xbd0eed23 },
-]
+crate = "ring"
+# SPDX considers OpenSSL to encompass both the OpenSSL and SSLeay licenses
+# https://spdx.org/licenses/OpenSSL.html
+# ISC - Both BoringSSL and ring use this for their new files
+# MIT - "Files in third_party/ have their own licenses, as described therein. The MIT
+# license, for third_party/fiat, which, unlike other third_party directories, is
+# compiled into non-test libraries, is included below."
+# OpenSSL - Obviously
+expression = "ISC AND MIT AND OpenSSL"
+license-files = [{ path = "LICENSE", hash = 0xbd0eed23 }]
 
 [licenses.private]
 ignore = false
+registries = []
 
 [bans]
 multiple-versions = "warn"
 wildcards = "allow"
 highlight = "all"
 workspace-default-features = "allow"
 external-default-features = "allow"
+allow = []
+deny = []
+skip = []
+skip-tree = []
 
 [sources]
 unknown-registry = "deny"
 unknown-git = "allow"
 allow-registry = ["https://github.com/rust-lang/crates.io-index"]
 allow-git = []
+
+[sources.allow-org]
+github = []
+gitlab = []
+bitbucket = []
diff --git a/prover/Cargo.lock b/prover/Cargo.lock
diff --git a/prover/crates/bin/prover_version/Cargo.toml b/prover/crates/bin/prover_version/Cargo.toml
@@ -1,7 +1,13 @@
 [package]
 name = "prover_version"
-version = "0.1.0"
+version.workspace = true
 edition.workspace = true
+authors.workspace = true
+homepage.workspace = true
+repository.workspace = true
+license.workspace = true
+keywords.workspace = true
+categories.workspace = true
 
 [dependencies]
 zksync_prover_fri_types.workspace = true
diff --git a/prover/crates/bin/vk_setup_data_generator_server_fri/Cargo.toml b/prover/crates/bin/vk_setup_data_generator_server_fri/Cargo.toml
@@ -39,7 +39,6 @@ serde = { workspace = true, features = ["derive"] }
 serde_derive.workspace = true
 itertools.workspace = true
 bincode.workspace = true
-structopt.workspace = true
 once_cell.workspace = true
 toml_edit.workspace = true
 md5.workspace = true

diff --git a/zk_toolbox/Cargo.lock b/zk_toolbox/Cargo.lock