pdftract/audit.toml
jedarden 54fe6c1964 feat(pdftract-1xf4d): implement TH-06 supply-chain gate
- Add minimum version requirements to deny.toml (ring >= 0.17.5, rustls >= 0.23)
- Create build/CHECKSUMS.sha256 for build-time data file integrity
- Update build.rs to verify checksums on every build
- Add tampering detection tests (th06_checksum_test.rs)
- Create nightly supply-chain scan workflow (pdftract-nightly-supply-chain.yaml)
- Update audit.toml with advisory exceptions

Closes: pdftract-1xf4d
Refs: plan lines 877, 883-896, 906-913
2026-05-26 17:31:13 -04:00


# cargo-audit configuration for pdftract
#
# This file controls which security advisories are intentionally ignored.
# Each ignored advisory MUST include a note explaining why it is acceptable.
#
# See: https://github.com/rustsec/advisory-db
#
# Severity gating policy (from Phase 0.4 Quality Targets):
# - Warnings are denied (non-zero exit code on any warning)
# - >= medium severity advisories block PR merge
# - Unmaintained advisories are ignored via --ignore unmaintained flag
#
# Format for ignored advisories (see the [advisories] table below): the
# advisory ID goes into the `ignore` array and the justification goes into a
# comment directly above that entry, e.g.
#   # Justification for why this advisory is acceptable
#   "RUSTSEC-YYYY-NNNN",
[advisories]
# Advisory IDs that cargo-audit must not report. Each entry carries its
# justification in the comment directly above it, as the policy in the file
# header requires.
ignore = [
    # pyo3 0.20.3 buffer overflow. This is a memory-safety advisory, not an
    # "unmaintained" one, so it is not covered by the carve-out described in the
    # header; it is silenced only because the fix (pyo3 >=0.24.1) is tracked in
    # notes/pdftract-1jlpy.md. Re-check this entry whenever pyo3 is bumped.
    "RUSTSEC-2025-0020",
    # atty unsound (RUSTSEC-2021-0145) and unmaintained (RUSTSEC-2024-0375).
    # Migration to is-terminal is tracked separately; atty is used only on a
    # non-critical path.
    "RUSTSEC-2021-0145",
    "RUSTSEC-2024-0375",
    # lzw unmaintained. No safe upgrade exists for PDF LZWDecode (weezl is
    # incompatible with PDF LZW); see ADR-003,
    # docs/adr/0003-lzw-advisory-exception.md.
    "RUSTSEC-2020-0144",
]
# Written justifications for the entries above, kept next to them so the
# reason travels with the exception.
# NOTE(review): `exception-paths` is not one of cargo-audit's documented
# [advisories] keys (`ignore`, `informational_warnings`, `severity_threshold`).
# Confirm the tool accepts it; otherwise this array is either rejected as an
# unknown key or silently dropped, and the comments on `ignore` above are the
# only justification that is actually read.
exception-paths = [
    { id = "RUSTSEC-2025-0020", note = "Upgrade to pyo3 >=0.24.1 tracked separately, see notes/pdftract-1jlpy.md" },
    { id = "RUSTSEC-2021-0145", note = "Migration to is-terminal tracked separately, atty used only in non-critical path" },
    { id = "RUSTSEC-2024-0375", note = "Migration to is-terminal tracked separately, atty used only in non-critical path" },
    { id = "RUSTSEC-2020-0144", note = "No safe upgrade exists for PDF LZWDecode, alternatives (weezl) incompatible with PDF LZW" },
]
[output]
# Keep CI logs terse; the full report is still written to the job artifacts.
# NOTE(review): cargo-audit's documented [output] keys are `deny`, `format`,
# `quiet` and `show_tree`; `verbose` is not among them, so confirm this key is
# honoured (the documented way to reduce output is `quiet = true`). The
# "warnings are denied" policy stated in the file header is not expressed in
# this file either — it relies on the CI command-line flags, or would need a
# `deny` entry here.
verbose = false
[database]
# Local clone of the official RustSec advisory database. TOML performs no `~`
# or environment-variable expansion; the leading `~` is presumably expanded by
# cargo-audit itself (it matches the tool's documented example) — confirm.
path = '~/.cargo/advisory-db'
# How unmaintained advisories are treated is decided by the CI workflow's
# command-line flags rather than in this file, because those warnings are
# informational and should not block PRs for deprecated dependencies.
# NOTE(review): cargo-audit's `--ignore` flag takes advisory IDs, while
# "unmaintained" is a warning category (informational by default, blocking only
# under `--deny unmaintained` / `deny = [...]`); verify that the flag actually
# used in CI has the intended effect.