Skip to content

ci: calibrer la porte supply-chain cargo-deny (triage advisories + licences)#2

Merged
nobodyohm-web merged 1 commit into
mainfrom
fix/supply-chain-deny
May 31, 2026
Merged

ci: calibrer la porte supply-chain cargo-deny (triage advisories + licences)#2
nobodyohm-web merged 1 commit into
mainfrom
fix/supply-chain-deny

Conversation

@nobodyohm-web

@nobodyohm-web nobodyohm-web commented May 31, 2026

Copy link
Copy Markdown
Owner

Contexte

Le job Supply-chain de la CI (ci.yml) était rouge dès le premier run de cargo-deny. Cette PR le rend vert honnêtement — vérifié localement avec cargo-deny 0.19.8 :

advisories ok, bans ok, licenses ok, sources ok   (exit 0, y compris --all-features)

Triage des advisories (liste ignore documentée dans deny.toml)

20 crates unmaintained transitives, sans correctif amont — bindings GTK3 (gtk-rs) tirés par Tauri sur Linux, proc-macro-error, paste, fxhash, unic-*… Ce ne sont pas des vulnérabilités.

6 vulnérabilités transitives, verrouillées en amont — chacune avec id + reason + évaluation d'exposition :

  • rustls-webpki 0.102.8 (RUSTSEC-2026-0049/0098/0099/0104) via libsql → rustls 0.22. libsql est utilisé en LOCAL uniquement (l'app ne fait aucune requête HTTP sortante, cf. SECURITY.md) → le chemin TLS hyper-rustls/webpki n'est jamais exercé. Le TLS actif (iroh QUIC) utilise déjà rustls-webpki 0.103.13 (corrigé). Fix réel = bump libsql.
  • hickory-proto/hickory-net (RUSTSEC-2026-0119/0120) via le pin exact d'iroh =0.26.0-beta.4 (DoS sur la découverte DNS). Fix réel = bump iroh.

Les deux bumps amont sont du churn de dépendances cœur (iroh 0.98.2 régresse der/pkcs8/spki en pré-release) → reportés à une PR dédiée + testée, plutôt que bundlés ici.

Licences

Autorise CDLA-Permissive-2.0 (bundle CA Mozilla via rustls/iroh, permissive).

CI

cargo-deny devient la porte advisory unique ; suppression du step cargo-audit redondant (même base RustSec, une seule liste d'ignore → pas de dérive).

Aucun code modifié — Cargo.lock est resté à l'état mergé (iroh 0.98.1), cargo test reste donc vert (265). Seuls deny.toml + ci.yml changent.

🤖 Generated with Claude Code

@Nobody-Man @claude
ci: calibrate cargo-deny supply-chain gate (triage advisories + licen…
d605287 
…ses)

First cargo-deny run was red; this makes it green honestly — verified locally
with cargo-deny 0.19.8: advisories ok, bans ok, licenses ok, sources ok.

Advisories (documented ignore list in deny.toml):
- 20 transitive `unmaintained` crates, no upstream fix (GTK3 bindings via Tauri,
  proc-macro-error, paste, fxhash, unic-*, ...).
- 6 transitive vulnerabilities, upstream-pinned, each with id + reason:
  - rustls-webpki 0.102.8 via libsql -> rustls 0.22: libsql is local-only (no
    outbound HTTP), so the hyper-rustls/webpki TLS path is never exercised;
    iroh's active TLS already uses patched 0.103.13. Real fix = bump libsql.
  - hickory-proto/net via iroh's exact pin =0.26.0-beta.4 (DoS-class on DNS
    discovery). Real fix = bump iroh.
  Both upstream bumps are core-dep churn (iroh pulls pre-release der/pkcs8/spki),
  deferred to a dedicated, tested PR.

Licenses: allow CDLA-Permissive-2.0 (Mozilla CA bundle via rustls/iroh).

CI: cargo-deny becomes the single advisory gate; drops the redundant cargo-audit
step (same RustSec DB, one ignore list, no drift).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@nobodyohm-web nobodyohm-web merged commit ea0cc05 into main May 31, 2026
3 of 4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@nobodyohm-web @Nobody-Man