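# cargo-audit configuration for pdftract (.cargo/audit.toml)
#
# This file controls which security advisories are intentionally ignored.
# Each ignored advisory MUST be preceded by a comment explaining why it is
# acceptable and where the follow-up work is tracked. cargo-audit reads only
# the `ignore` array below and has no key for per-advisory justification text,
# so the comments in this file are the only record of that reasoning.
#
# See: https://github.com/rustsec/advisory-db
#
# Severity gating policy (from Phase 0.4 Quality Targets):
# - Warnings are denied (non-zero exit code on any warning)
# - >= medium severity advisories block PR merge
# - Unmaintained advisories are ignored via --ignore unmaintained flag
# None of these are expressed by keys in this file; like `--ignore unmaintained`
# (see the note at the bottom), they are expected to come from the cargo-audit
# invocation in the CI workflow. Confirm against the workflow when changing
# either side.
#
# Format for ignored advisories (inside `ignore` under [advisories]):
#   # <crate> <problem> - <why acceptable>, <where the follow-up is tracked>
#   "RUSTSEC-YYYY-NNNN",
#
# Only keys that cargo-audit defines may appear in this file. Depending on the
# cargo-audit version, unknown keys are either rejected when the config is
# loaded (failing the audit step) or silently dropped, so a justification kept
# in a made-up key is never enforced and is easy to lose.

[advisories]
# An entry in `ignore` suppresses the advisory entirely: it is not reported and
# does not fail the audit. Remove each entry as soon as its follow-up lands;
# nothing here expires on its own, so a stale entry hides a real finding.
ignore = [
    # pyo3 0.20.3 buffer overflow (memory-safety advisory). Upgrade to
    # pyo3 >=0.24.1 is tracked separately, see notes/pdftract-1jlpy.md.
    "RUSTSEC-2025-0020",
    # atty unsound. Migration to is-terminal tracked separately; atty is used
    # only in a non-critical path.
    "RUSTSEC-2021-0145",
    # atty unmaintained. Covered by the same is-terminal migration as above.
    "RUSTSEC-2024-0375",
    # lzw unmaintained. No safe upgrade exists for PDF LZWDecode; the
    # alternatives (weezl) are incompatible with PDF LZW. See ADR-003:
    # https://github.com/jedarden/pdftract/blob/main/docs/adr/0003-lzw-advisory-exception.md
    "RUSTSEC-2020-0144",
]

[database]
# Use the official RustSec advisory database, cloned to the path that
# cargo-audit's example config uses
path = "~/.cargo/advisory-db"

[output]
# Terse output for CI logs (full report still in artifacts). `quiet` is the key
# cargo-audit defines for this ("only print information on error"); confirm in
# the CI log that the blocking advisory list is still printed on failure.
quiet = true

# Note: The --ignore unmaintained flag is passed in the CI workflow,
# not configured here. This is because unmaintained warnings are
# informational and should not block PRs for deprecated dependencies.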