github-actions: Add cargo-deny

Adds cargo-deny to scan for vulnerabilities and license issues regarding
rust crates.

Some modifications were required for the repo to pass the tests:

 Updates ttrpc to avoid using nix 0.16.0
   https://rustsec.org/advisories/RUSTSEC-2021-0119

 Updates slog-json to avoid MLP license (copyleft)

 Updates crossbeam-channel because 0.52.0 was a yanked package

 Ignores https://rustsec.org/advisories/RUSTSEC-2020-0071
   because chrono is dependent on that version of time.
   chronotope/chrono#578

 Allow multiple versions of the same package
  (package dependencies require this)

 Adds "oci" to src/libs workplace

 Adds Apache-2.0 license to workplace modules that did not have them
 because cargo-deny complains about them not having licenses.

Notes
GitHub Actions does not have an obvious way to loop over each of the
Cargo.toml files. To avoid hardcoding it, I worked around the problem
using a composite action that first generates the cargo-deny action by
finding all Cargo.toml files before calling this new generated action in
the master workflow.

Fixes kata-containers#3359

Signed-off-by: Derek Lee <[email protected]>

.github/cargo-deny-composite-action/action.yaml

@@ -0,0 +1,83 @@
+name: 'Cargo Crates Check'
+description: 'Checks every Cargo.toml file using cargo-deny'
+inputs:
+  command:
+    description: Either 'advisories' or 'bans licenses sources'
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - uses: actions/checkout@v3
+
+    - name: src/agent/Cargo.toml
+      uses: EmbarkStudios/cargo-deny-action@v1
+      with:
+        arguments: --manifest-path src/agent/Cargo.toml
+        command: check ${{ inputs.command }}
+
+    - name: src/agent/rustjail/Cargo.toml
+      uses: EmbarkStudios/cargo-deny-action@v1
+      with:
+        arguments: --manifest-path src/agent/rustjail/Cargo.toml
+        command: check ${{ inputs.command }}
+
+    - name: src/agent/vsock-exporter/Cargo.toml
+      uses: EmbarkStudios/cargo-deny-action@v1
+      with:
+        arguments: --manifest-path src/agent/vsock-exporter/Cargo.toml
+        command: check ${{ inputs.command }}
+
+    - name: src/libs/logging/Cargo.toml
+      uses: EmbarkStudios/cargo-deny-action@v1
+      with:
+        arguments: --manifest-path src/libs/logging/Cargo.toml
+        command: check ${{ inputs.command }}
+
+    - name: src/libs/oci/Cargo.toml
+      uses: EmbarkStudios/cargo-deny-action@v1
+      with:
+        arguments: --manifest-path src/libs/oci/Cargo.toml
+        command: check ${{ inputs.command }}
+
+    - name: src/libs/protocols/Cargo.toml
+      uses: EmbarkStudios/cargo-deny-action@v1
+      with:
+        arguments: --manifest-path src/libs/protocols/Cargo.toml
+        command: check ${{ inputs.command }}
+
+    - name: src/libs/safe-path/Cargo.toml
+      uses: EmbarkStudios/cargo-deny-action@v1
+      with:
+        arguments: --manifest-path src/libs/safe-path/Cargo.toml
+        command: check ${{ inputs.command }}
+
+    - name: src/libs/Cargo.toml
+      uses: EmbarkStudios/cargo-deny-action@v1
+      with:
+        arguments: --manifest-path src/libs/Cargo.toml
+        command: check ${{ inputs.command }}
+
+    - name: src/tools/agent-ctl/Cargo.toml
+      uses: EmbarkStudios/cargo-deny-action@v1
+      with:
+        arguments: --manifest-path src/tools/agent-ctl/Cargo.toml
+        command: check ${{ inputs.command }}
+
+    - name: src/tools/runk/libcontainer/Cargo.toml
+      uses: EmbarkStudios/cargo-deny-action@v1
+      with:
+        arguments: --manifest-path src/tools/runk/libcontainer/Cargo.toml
+        command: check ${{ inputs.command }}
+
+    - name: src/tools/runk/Cargo.toml
+      uses: EmbarkStudios/cargo-deny-action@v1
+      with:
+        arguments: --manifest-path src/tools/runk/Cargo.toml
+        command: check ${{ inputs.command }}
+
+    - name: src/tools/trace-forwarder/Cargo.toml
+      uses: EmbarkStudios/cargo-deny-action@v1
+      with:
+        arguments: --manifest-path src/tools/trace-forwarder/Cargo.toml
+        command: check ${{ inputs.command }}

.github/cargo-deny-composite-action/cargo-deny-generator.sh

@@ -0,0 +1,24 @@
+#!/bin/bash
+script_dir=$(dirname "$(readlink -f "$0")")
+parent_dir=$(realpath "${script_dir}/../..")
+cargo_tomls=$(find "${parent_dir}" -name Cargo.toml)
+
+temp_checkout_dir="./cargo-deny-action-copy"
+
+cargo_deny_file="${script_dir}/action.yaml"
+
+cat cargo-deny-skeleton.yaml.in > "${cargo_deny_file}"
+
+for path in $cargo_tomls
+do
+    path=$(realpath --relative-to="${parent_dir}" "${path}")
+
+    cat >> "${cargo_deny_file}" << EOF
+
+    - name: ${path}
+      uses: EmbarkStudios/cargo-deny-action@v1
+      with:
+        arguments: --manifest-path ${path}
+        command: check \${{ inputs.command }}
+EOF
+done

.github/cargo-deny-composite-action/cargo-deny-skeleton.yaml.in

@@ -0,0 +1,12 @@
+name: 'Cargo Crates Check'
+description: 'Checks every Cargo.toml file using cargo-deny'
+inputs:
+  command:
+    description: Either 'advisories' or 'bans licenses sources'
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - uses: actions/checkout@v3
+

.github/workflows/cargo-deny-master.yaml

@@ -0,0 +1,20 @@
+name: Cargo Crates Check
+on: [pull_request]
+jobs:
+  cargo-deny-master:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        checks:
+          - advisories
+          - bans licenses sources
+
+    continue-on-error: ${{ matrix.checks == 'advisories' }}
+
+    steps:
+      - uses: actions/checkout@v3
+      - run: bash cargo-deny-generator.sh
+        working-directory: ./.github/cargo-deny-composite-action/
+      - uses: ./.github/cargo-deny-composite-action
+        with:
+          command: ${{ matrix.checks }}

deny.toml

@@ -0,0 +1,30 @@
+targets = [
+    { triple = "x86_64-unknown-linux-gnu" },
+    { triple = "x86_64-unknown-linux-musl" },
+    { triple = "x86_64-apple-darwin" },
+    { triple = "x86_64-pc-windows-msvc" },
+]
+
+[advisories]
+vulnerability = "deny"
+unsound = "deny"
+unmaintained = "deny"
+ignore = ["RUSTSEC-2020-0071"]
+
+[bans]
+multiple-versions = "allow"
+deny = [
+    { name = "openssl-sys" },
+    { name = "cmake" },
+]
+
+[licenses]
+unlicensed = "deny"
+allow-osi-fsf-free = "neither"
+copyleft = "deny"
+# We want really high confidence when inferring licenses from text
+confidence-threshold = 0.93
+allow = ["Apache-2.0", "MIT", "BSD-3-Clause", "ISC"]
+private = { ignore = true}
+
+exceptions = []

src/agent/Cargo.toml

@@ -3,6 +3,7 @@ name = "kata-agent"
 version = "0.1.0"
 authors = ["The Kata Containers community <[email protected]>"]
 edition = "2018"
+license = "Apache-2.0"
 
 [dependencies]
 oci = { path = "../libs/oci" }

src/agent/rustjail/Cargo.toml

@@ -3,6 +3,7 @@ name = "rustjail"
 version = "0.1.0"
 authors = ["The Kata Containers community <[email protected]>"]
 edition = "2018"
+license = "Apache-2.0"
 
 [dependencies]
 serde = "1.0.91"

src/agent/vsock-exporter/Cargo.toml

@@ -3,6 +3,7 @@ name = "vsock-exporter"
 version = "0.1.0"
 authors = ["James O. D. Hunt <[email protected]>"]
 edition = "2018"
+license = "Apache-2.0"
 
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 

src/libs/Cargo.toml

@@ -1,6 +1,7 @@
 [workspace]
 members = [
     "logging",
+    "oci",
     "safe-path",
     "protocols",
 ]

src/libs/logging/Cargo.toml

@@ -3,6 +3,7 @@ name = "logging"
 version = "0.1.0"
 authors = ["The Kata Containers community <[email protected]>"]
 edition = "2018"
+license = "Apache-2.0"
 
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 

src/libs/oci/Cargo.toml

@@ -3,6 +3,7 @@ name = "oci"
 version = "0.1.0"
 authors = ["The Kata Containers community <[email protected]>"]
 edition = "2018"
+license = "Apache-2.0"
 
 [dependencies]
 serde = "1.0.131"

src/libs/protocols/Cargo.toml

@@ -3,6 +3,7 @@ name = "protocols"
 version = "0.1.0"
 authors = ["The Kata Containers community <[email protected]>"]
 edition = "2018"
+license = "Apache-2.0"
 
 [features]
 default = []