1# This template contains all of the possible sections and their default values 2 3# Note that all fields that take a lint level have these possible values: 4# * deny - An error will be produced and the check will fail 5# * warn - A warning will be produced, but the check will not fail 6# * allow - No warning or error will be produced, though in some cases a note 7# will be 8 9# The values provided in this template are the default values that will be used 10# when any section or field is not specified in your own configuration 11 12# If 1 or more target triples (and optionally, target_features) are specified, 13# only the specified targets will be checked when running `cargo deny check`. 14# This means, if a particular package is only ever used as a target specific 15# dependency, such as, for example, the `nix` crate only being used via the 16# `target_family = "unix"` configuration, that only having windows targets in 17# this list would mean the nix crate, as well as any of its exclusive 18# dependencies not shared by any other crates, would be ignored, as the target 19# list here is effectively saying which targets you are building for. 20targets = [ 21 # The triple can be any string, but only the target triples built in to 22 # rustc (as of 1.40) can be checked against actual config expressions 23 #{ triple = "x86_64-unknown-linux-musl" }, 24 # You can also specify which target_features you promise are enabled for a 25 # particular target. target_features are currently not validated against 26 # the actual valid features supported by the target architecture. 27 #{ triple = "wasm32-unknown-unknown", features = ["atomics"] }, 28] 29 30# This section is considered when running `cargo deny check advisories` 31# More documentation for the advisories section can be found here: 32# https://embarkstudios.github.io/cargo-deny/checks/advisories/cfg.html 33[advisories] 34# The path where the advisory database is cloned/fetched into 35db-path = "~/.cargo/advisory-db" 36# The url(s) of the advisory databases to use 37db-urls = ["https://github.com/rustsec/advisory-db"] 38# The lint level for security vulnerabilities 39vulnerability = "deny" 40# The lint level for unmaintained crates 41unmaintained = "warn" 42# The lint level for crates that have been yanked from their source registry 43yanked = "warn" 44# The lint level for crates with security notices. Note that as of 45# 2019-12-17 there are no security notice advisories in 46# https://github.com/rustsec/advisory-db 47notice = "warn" 48# A list of advisory IDs to ignore. Note that ignored advisories will still 49# output a note when they are encountered. 50ignore = [ 51 #"RUSTSEC-0000-0000", 52] 53# Threshold for security vulnerabilities, any vulnerability with a CVSS score 54# lower than the range specified will be ignored. Note that ignored advisories 55# will still output a note when they are encountered. 56# * None - CVSS Score 0.0 57# * Low - CVSS Score 0.1 - 3.9 58# * Medium - CVSS Score 4.0 - 6.9 59# * High - CVSS Score 7.0 - 8.9 60# * Critical - CVSS Score 9.0 - 10.0 61#severity-threshold = 62 63# If this is true, then cargo deny will use the git executable to fetch advisory database. 64# If this is false, then it uses a built-in git library. 65# Setting this to true can be helpful if you have special authentication requirements that cargo-deny does not support. 66# See Git Authentication for more information about setting up git authentication. 67#git-fetch-with-cli = true 68 69# This section is considered when running `cargo deny check licenses` 70# More documentation for the licenses section can be found here: 71# https://embarkstudios.github.io/cargo-deny/checks/licenses/cfg.html 72[licenses] 73# The lint level for crates which do not have a detectable license 74unlicensed = "deny" 75# List of explicitly allowed licenses 76# See https://spdx.org/licenses/ for list of possible licenses 77# [possible values: any SPDX 3.11 short identifier (+ optional exception)]. 78allow = [ 79 "MIT", 80 "Apache-2.0", 81 "BSD-3-Clause", 82] 83# List of explicitly disallowed licenses 84# See https://spdx.org/licenses/ for list of possible licenses 85# [possible values: any SPDX 3.11 short identifier (+ optional exception)]. 86deny = [ 87 #"Nokia", 88] 89# Lint level for licenses considered copyleft 90copyleft = "warn" 91# Blanket approval or denial for OSI-approved or FSF Free/Libre licenses 92# * both - The license will be approved if it is both OSI-approved *AND* FSF 93# * either - The license will be approved if it is either OSI-approved *OR* FSF 94# * osi-only - The license will be approved if is OSI-approved *AND NOT* FSF 95# * fsf-only - The license will be approved if is FSF *AND NOT* OSI-approved 96# * neither - This predicate is ignored and the default lint level is used 97allow-osi-fsf-free = "neither" 98# Lint level used when no other predicates are matched 99# 1. License isn't in the allow or deny lists 100# 2. License isn't copyleft 101# 3. License isn't OSI/FSF, or allow-osi-fsf-free = "neither" 102default = "deny" 103# The confidence threshold for detecting a license from license text. 104# The higher the value, the more closely the license text must be to the 105# canonical license text of a valid SPDX license file. 106# [possible values: any between 0.0 and 1.0]. 107confidence-threshold = 0.8 108# Allow 1 or more licenses on a per-crate basis, so that particular licenses 109# aren't accepted for every possible crate as with the normal allow list 110exceptions = [ 111 # Each entry is the crate and version constraint, and its specific allow 112 # list 113 #{ allow = ["Zlib"], name = "adler32", version = "*" }, 114] 115 116# Some crates don't have (easily) machine readable licensing information, 117# adding a clarification entry for it allows you to manually specify the 118# licensing information 119#[[licenses.clarify]] 120# The name of the crate the clarification applies to 121#name = "ring" 122# The optional version constraint for the crate 123#version = "*" 124# The SPDX expression for the license requirements of the crate 125#expression = "MIT AND ISC AND OpenSSL" 126# One or more files in the crate's source used as the "source of truth" for 127# the license expression. If the contents match, the clarification will be used 128# when running the license check, otherwise the clarification will be ignored 129# and the crate will be checked normally, which may produce warnings or errors 130# depending on the rest of your configuration 131#license-files = [ 132 # Each entry is a crate relative path, and the (opaque) hash of its contents 133 #{ path = "LICENSE", hash = 0xbd0eed23 } 134#] 135 136[[licenses.clarify]] 137name = "ring" 138version = "*" 139expression = "MIT AND ISC AND OpenSSL" 140license-files = [ 141 # Each entry is a crate relative path, and the (opaque) hash of its contents 142 { path = "LICENSE", hash = 0xbd0eed23 } 143] 144 145[licenses.private] 146# If true, ignores workspace crates that aren't published, or are only 147# published to private registries. 148# To see how to mark a crate as unpublished (to the official registry), 149# visit https://doc.rust-lang.org/cargo/reference/manifest.html#the-publish-field. 150ignore = true 151# One or more private registries that you might publish crates to, if a crate 152# is only published to private registries, and ignore is true, the crate will 153# not have its license(s) checked 154registries = [ 155 #"https://sekretz.com/registry 156] 157 158# This section is considered when running `cargo deny check bans`. 159# More documentation about the 'bans' section can be found here: 160# https://embarkstudios.github.io/cargo-deny/checks/bans/cfg.html 161[bans] 162# Lint level for when multiple versions of the same crate are detected 163multiple-versions = "allow" 164# Lint level for when a crate version requirement is `*` 165wildcards = "allow" 166# The graph highlighting used when creating dotgraphs for crates 167# with multiple versions 168# * lowest-version - The path to the lowest versioned duplicate is highlighted 169# * simplest-path - The path to the version with the fewest edges is highlighted 170# * all - Both lowest-version and simplest-path are used 171highlight = "all" 172# List of crates that are allowed. Use with care! 173allow = [ 174 #{ name = "ansi_term", version = "=0.11.0" }, 175] 176# List of crates to deny 177deny = [ 178 # Each entry the name of a crate and a version range. If version is 179 # not specified, all versions will be matched. 180 #{ name = "ansi_term", version = "=0.11.0" }, 181 # 182 # Wrapper crates can optionally be specified to allow the crate when it 183 # is a direct dependency of the otherwise banned crate 184 #{ name = "ansi_term", version = "=0.11.0", wrappers = [] }, 185] 186# Certain crates/versions that will be skipped when doing duplicate detection. 187skip = [ 188 #{ name = "ansi_term", version = "=0.11.0" }, 189] 190# Similarly to `skip` allows you to skip certain crates during duplicate 191# detection. Unlike skip, it also includes the entire tree of transitive 192# dependencies starting at the specified crate, up to a certain depth, which is 193# by default infinite 194skip-tree = [ 195 #{ name = "ansi_term", version = "=0.11.0", depth = 20 }, 196] 197 198# This section is considered when running `cargo deny check sources`. 199# More documentation about the 'sources' section can be found here: 200# https://embarkstudios.github.io/cargo-deny/checks/sources/cfg.html 201[sources] 202# Lint level for what to happen when a crate from a crate registry that is not 203# in the allow list is encountered 204unknown-registry = "warn" 205# Lint level for what to happen when a crate from a git repository that is not 206# in the allow list is encountered 207unknown-git = "warn" 208# List of URLs for allowed crate registries. Defaults to the crates.io index 209# if not specified. If it is specified but empty, no registries are allowed. 210allow-registry = ["https://github.com/rust-lang/crates.io-index"] 211# List of URLs for allowed Git repositories 212allow-git = []