github-actions: Add cargo-deny

Adds cargo-deny to scan for vulnerabilities and license issues regarding rust crates. Some modifications were required for the repo to pass the tests: Updates ttrpc to avoid using nix 0.16.0 https://rustsec.org/advisories/RUSTSEC-2021-0119 Updates slog-json to avoid MLP license (copyleft) Updates crossbeam-channel due to yanked package Ignores https://rustsec.org/advisories/RUSTSEC-2020-0071 because chrono is dependent on that version of time. chronotope/chrono#578 Allow multiple versions of the same package (package dependencies require this) Adds "oci" to src/libs workplace Adds Apache-2.0 license to workplace modules that did not have them because cargo-deny complains about them not having licenses. Notes GitHub Actions does not have an obvious way to loop over each of the Cargo.toml files, so they have been hardcoded as separate steps. An alternative that works is to use a matrix variable to run each directory in a separate job. I opted not to do that because it uses a bunch of runners and generates a lot of jobs, but open to feedback. Signed-off-by: Derek Lee <[email protected]>
bookinabox · Jul 21, 2022 · 46849a3 · 46849a3
1 parent 0a9c8ca
commit 46849a3
Show file tree

Hide file tree

Showing 19 changed files with 309 additions and 201 deletions.
diff --git a/.github/cargo-deny-composite-action/action.yaml b/.github/cargo-deny-composite-action/action.yaml
@@ -0,0 +1,11 @@
+name: 'Cargo Crates Check'
+description: 'Checks every Cargo.toml file using cargo-deny'
+inputs:
+  command:
+    description: Either 'advisories' or 'bans licenses sources'
+    required: false
+
+    runs:
+      using: "composite"
+      steps:
+        run: echo "hi" 
diff --git a/.github/cargo-deny-composite-action/cargo-deny-action.yaml b/.github/cargo-deny-composite-action/cargo-deny-action.yaml
@@ -0,0 +1,87 @@
+name: Cargo Crates Check
+on: [pull_request]
+jobs:
+  cargo-deny:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        checks:
+          - advisories
+          - bans licenses sources
+
+    continue-on-error: true
+
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: src/agent/Cargo.toml
+        uses: EmbarkStudios/cargo-deny-action@v1
+        with:
+          arguments: --manifest-path ./src/agent/Cargo.toml
+          command: check ${{ matrix.checks }}
+
+      - name: src/agent/rustjail/Cargo.toml
+        uses: EmbarkStudios/cargo-deny-action@v1
+        with:
+          arguments: --manifest-path ./src/agent/rustjail/Cargo.toml
+          command: check ${{ matrix.checks }}
+
+      - name: src/agent/vsock-exporter/Cargo.toml
+        uses: EmbarkStudios/cargo-deny-action@v1
+        with:
+          arguments: --manifest-path ./src/agent/vsock-exporter/Cargo.toml
+          command: check ${{ matrix.checks }}
+
+      - name: src/libs/logging/Cargo.toml
+        uses: EmbarkStudios/cargo-deny-action@v1
+        with:
+          arguments: --manifest-path ./src/libs/logging/Cargo.toml
+          command: check ${{ matrix.checks }}
+
+      - name: src/libs/oci/Cargo.toml
+        uses: EmbarkStudios/cargo-deny-action@v1
+        with:
+          arguments: --manifest-path ./src/libs/oci/Cargo.toml
+          command: check ${{ matrix.checks }}
+
+      - name: src/libs/protocols/Cargo.toml
+        uses: EmbarkStudios/cargo-deny-action@v1
+        with:
+          arguments: --manifest-path ./src/libs/protocols/Cargo.toml
+          command: check ${{ matrix.checks }}
+
+      - name: src/libs/safe-path/Cargo.toml
+        uses: EmbarkStudios/cargo-deny-action@v1
+        with:
+          arguments: --manifest-path ./src/libs/safe-path/Cargo.toml
+          command: check ${{ matrix.checks }}
+
+      - name: src/libs/Cargo.toml
+        uses: EmbarkStudios/cargo-deny-action@v1
+        with:
+          arguments: --manifest-path ./src/libs/Cargo.toml
+          command: check ${{ matrix.checks }}
+
+      - name: src/tools/agent-ctl/Cargo.toml
+        uses: EmbarkStudios/cargo-deny-action@v1
+        with:
+          arguments: --manifest-path ./src/tools/agent-ctl/Cargo.toml
+          command: check ${{ matrix.checks }}
+
+      - name: src/tools/runk/libcontainer/Cargo.toml
+        uses: EmbarkStudios/cargo-deny-action@v1
+        with:
+          arguments: --manifest-path ./src/tools/runk/libcontainer/Cargo.toml
+          command: check ${{ matrix.checks }}
+
+      - name: src/tools/runk/Cargo.toml
+        uses: EmbarkStudios/cargo-deny-action@v1
+        with:
+          arguments: --manifest-path ./src/tools/runk/Cargo.toml
+          command: check ${{ matrix.checks }}
+
+      - name: src/tools/trace-forwarder/Cargo.toml
+        uses: EmbarkStudios/cargo-deny-action@v1
+        with:
+          arguments: --manifest-path ./src/tools/trace-forwarder/Cargo.toml
+          command: check ${{ matrix.checks }}
diff --git a/.github/cargo-deny-composite-action/cargo-deny-generator.sh b/.github/cargo-deny-composite-action/cargo-deny-generator.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+script_dir=$(dirname "$(readlink -f "$0")")
+parent_dir=$(realpath "${script_dir}/../..")
+cargo_tomls=$(find "${parent_dir}" -name Cargo.toml)
+
+cargo_deny_file="${script_dir}/action.yaml"
+
+cat cargo-deny-skeleton.yaml.in > "${cargo_deny_file}"
+
+for path in $cargo_tomls
+do
+    path=$(realpath --relative-to="${parent_dir}" "${path}")
+
+    cat >> "${cargo_deny_file}" << EOF
+
+        - name: ${path}
+          uses: EmbarkStudios/cargo-deny-action@v1
+          with:
+            arguments: --manifest-path ./${path}
+            command: check \${{ inputs.command }}
+EOF
+done
diff --git a/.github/cargo-deny-composite-action/cargo-deny-skeleton.yaml.in b/.github/cargo-deny-composite-action/cargo-deny-skeleton.yaml.in
@@ -0,0 +1,11 @@
+name: 'Cargo Crates Check'
+description: 'Checks every Cargo.toml file using cargo-deny'
+inputs:
+  command:
+    description: Either 'advisories' or 'bans licneses sources'
+    required: true
+
+    runs:
+      using: "composite"
+      steps:
+
diff --git a/.github/workflows/cargo-deny-master.yaml b/.github/workflows/cargo-deny-master.yaml
@@ -0,0 +1,20 @@
+name: Cargo Crates Check
+on: [pull_request]
+jobs:
+  cargo-deny-master:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        checks:
+          - advisories
+          - bans licenses sources
+
+#    continue-on-error: ${{ matrix.checks = 'advisories' }}
+
+    steps:
+      - uses: actions/checkout@v3
+      - run: ls -al
+      - run: cat ./.github/cargo-deny-composite-action/action.yaml
+      - uses: ./.github/cargo-deny-action/action.yaml
+        with:
+          command: ${{ matrix.checks }}
diff --git a/.github/workflows/cargo-deny.yaml b/.github/workflows/cargo-deny.yaml
@@ -1,4 +1,4 @@
-name: Check 
+name: Cargo Crates Check
 on: [pull_request]
 jobs:
   cargo-deny:
@@ -8,27 +8,83 @@ jobs:
         checks:
           - advisories
           - bans licenses sources
-        tomls: [./src/agent/Cargo.toml,
-                ./src/agent/rustjail/Cargo.toml,
-                ./src/agent/vsock-exporter/Cargo.toml,
-                ./src/libs/Cargo.toml,
-                ./src/libs/logging/Cargo.toml,
-                ./src/libs/oci/Cargo.toml,
-                ./src/libs/protocols/Cargo.toml,
-                ./src/libs/safe-path/Cargo.toml,
-                ./src/tools/agent-ctl/Cargo.toml,
-                ./src/tools/runk/libcontainer/Cargo.toml,
-                ./src/tools/runk/Cargo.toml,
-                ./src/tools/trace-forwarder/Cargo.toml]
-
-    continue-on-error: ${{ matrix.checks == 'advisories' }}
+
+    continue-on-error: true
+
+    # Github Actions does not have a clean way of looping
+    # Could use matrix, but leads to 12+ jobs being run separately
 
     steps:
-    - name: "Checkout code"
-      if: ${{ !contains(github.event.pull_request.labels.*.name, 'force-skip-ci') && ( success() || failure() ) }}
-      uses: actions/checkout@v2
-    - name: "Check Rust Licenses"
-      uses: EmbarkStudios/cargo-deny-action@v1
-      with:
-        command: check ${{ matrix.checks }}
-        entrypoint: ${{ matrix.tomls }}
+      - uses: actions/checkout@v2
+
+      - name: src/agent/Cargo.toml
+        uses: EmbarkStudios/cargo-deny-action@v1
+        with:
+          arguments: --manifest-path ./src/agent/Cargo.toml
+          command: check ${{ matrix.checks }}
+
+      - name: src/agent/rustjail/Cargo.toml
+        uses: EmbarkStudios/cargo-deny-action@v1
+        with:
+          arguments: --manifest-path ./src/agent/rustjail/Cargo.toml
+          command: check ${{ matrix.checks }}
+
+      - name: src/agent/vsock-exporter/Cargo.toml
+        uses: EmbarkStudios/cargo-deny-action@v1
+        with:
+          arguments: --manifest-path ./src/agent/vsock-exporter/Cargo.toml
+          command: check ${{ matrix.checks }}
+
+      - name: src/libs/logging/Cargo.toml
+        uses: EmbarkStudios/cargo-deny-action@v1
+        with:
+          arguments: --manifest-path ./src/libs/logging/Cargo.toml
+          command: check ${{ matrix.checks }}
+
+      - name: src/libs/oci/Cargo.toml
+        uses: EmbarkStudios/cargo-deny-action@v1
+        with:
+          arguments: --manifest-path ./src/libs/oci/Cargo.toml
+          command: check ${{ matrix.checks }}
+
+      - name: src/libs/protocols/Cargo.toml
+        uses: EmbarkStudios/cargo-deny-action@v1
+        with:
+          arguments: --manifest-path ./src/libs/protocols/Cargo.toml
+          command: check ${{ matrix.checks }}
+
+      - name: src/libs/safe-path/Cargo.toml
+        uses: EmbarkStudios/cargo-deny-action@v1
+        with:
+          arguments: --manifest-path ./src/libs/safe-path/Cargo.toml
+          command: check ${{ matrix.checks }}
+
+      - name: src/libs/Cargo.toml
+        uses: EmbarkStudios/cargo-deny-action@v1
+        with:
+          arguments: --manifest-path ./src/libs/Cargo.toml
+          command: check ${{ matrix.checks }}
+
+      - name: src/tools/agent-ctl/Cargo.toml
+        uses: EmbarkStudios/cargo-deny-action@v1
+        with:
+          arguments: --manifest-path ./src/tools/agent-ctl/Cargo.toml
+          command: check ${{ matrix.checks }}
+
+      - name: src/tools/runk/libcontainer/Cargo.toml
+        uses: EmbarkStudios/cargo-deny-action@v1
+        with:
+          arguments: --manifest-path ./src/tools/runk/libcontainer/Cargo.toml
+          command: check ${{ matrix.checks }}
+
+      - name: src/tools/runk/Cargo.toml
+        uses: EmbarkStudios/cargo-deny-action@v1
+        with:
+          arguments: --manifest-path ./src/tools/runk/Cargo.toml
+          command: check ${{ matrix.checks }}
+
+      - name: src/tools/trace-forwarder/Cargo.toml
+        uses: EmbarkStudios/cargo-deny-action@v1
+        with:
+          arguments: --manifest-path ./src/tools/trace-forwarder/Cargo.toml
+          command: check ${{ matrix.checks }}
diff --git a/deny.toml b/deny.toml
@@ -9,17 +9,14 @@ targets = [
 vulnerability = "deny"
 unsound = "deny"
 unmaintained = "deny"
-ignore = []
+ignore = ["RUSTSEC-2020-0071"]
 
 [bans]
-multiple-versions = "deny"
+multiple-versions = "allow"
 deny = [
-    # You can never be too sure
     { name = "openssl-sys" },
-    # crates should use cc, not big separate build systems
     { name = "cmake" },
 ]
-skip = []
 
 [licenses]
 unlicensed = "deny"
@@ -28,37 +25,6 @@ copyleft = "deny"
 # We want really high confidence when inferring licenses from text
 confidence-threshold = 0.93
 allow = ["Apache-2.0", "MIT", "BSD-3-Clause", "ISC"]
+private = { ignore = true}
 
-exceptions = [
-    # ring uses code from multiple libraries but all with permissive licenses
-    # https://tldrlegal.com/license/openssl-license-(openssl)
-    { allow = ["ISC", "MIT", "OpenSSL"], name = "ring" },
-
-    # MPL 2.0 is a copyleft license and we HAVE to disclose
-    # the source code of these specific libraries if we do changes to it.
-    # which we do through public forks of the repos if/when we do changes to it.
-    # https://tldrlegal.com/license/mozilla-public-license-2.0-(mpl-2)
-    { allow = ["MPL-2.0"], name = "webpki-roots" },
-]
-
-[[licenses.clarify]]
-name = "ring"
-# SPDX considers OpenSSL to encompass both the OpenSSL and SSLeay licenses
-# https://spdx.org/licenses/OpenSSL.html
-# ISC - Both BoringSSL and ring use this for their new files
-# MIT - "Files in third_party/ have their own licenses, as described therein. The MIT
-# license, for third_party/fiat, which, unlike other third_party directories, is
-# compiled into non-test libraries, is included below."
-# OpenSSL - Obviously
-expression = "ISC AND MIT AND OpenSSL"
-license-files = [{ path = "LICENSE", hash = 0xbd0eed23 }]
-
-[[licenses.clarify]]
-name = "webpki"
-expression = "ISC"
-license-files = [{ path = "LICENSE", hash = 0x001c7e6c }]
-
-[[licenses.clarify]]
-name = "encoding_rs"
-expression = "(Apache-2.0 OR MIT) AND BSD-3-Clause"
-license-files = [{ path = "COPYRIGHT", hash = 0x39f8ad31 }]
+exceptions = []
diff --git a/src/agent/Cargo.toml b/src/agent/Cargo.toml
@@ -3,6 +3,7 @@ name = "kata-agent"
 version = "0.1.0"
 authors = ["The Kata Containers community <[email protected]>"]
 edition = "2018"
+license = "Apache-2.0"
 
 [dependencies]
 oci = { path = "../libs/oci" }

diff --git a/src/agent/rustjail/Cargo.toml b/src/agent/rustjail/Cargo.toml
@@ -3,6 +3,7 @@ name = "rustjail"
 version = "0.1.0"
 authors = ["The Kata Containers community <[email protected]>"]
 edition = "2018"
+license = "Apache-2.0"
 
 [dependencies]
 serde = "1.0.91"

diff --git a/src/agent/vsock-exporter/Cargo.toml b/src/agent/vsock-exporter/Cargo.toml
@@ -3,6 +3,7 @@ name = "vsock-exporter"
 version = "0.1.0"
 authors = ["James O. D. Hunt <[email protected]>"]
 edition = "2018"
+license = "Apache-2.0"
 
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html