jedarden/pdftract
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
pdftract/deny.toml
jedarden 54fe6c1964 feat(pdftract-1xf4d): implement TH-06 supply-chain gate 
- Add minimum version requirements to deny.toml (ring >= 0.17.5, rustls >= 0.23)
- Create build/CHECKSUMS.sha256 for build-time data file integrity
- Update build.rs to verify checksums on every build
- Add tampering detection tests (th06_checksum_test.rs)
- Create nightly supply-chain scan workflow (pdftract-nightly-supply-chain.yaml)
- Update audit.toml with advisory exceptions

Closes: pdftract-1xf4d
Refs: plan lines 877, 883-896, 906-913
2026-05-26 17:31:13 -04:00

118 lines
5.6 KiB
TOML
Raw Blame History

[graph]
targets = [
"x86_64-unknown-linux-gnu",
"x86_64-unknown-linux-musl",
"x86_64-apple-darwin",
"aarch64-apple-darwin",
"x86_64-pc-windows-msvc",
]
[licenses]
version = 2
allow = [
"MIT",
"Apache-2.0",
"Apache-2.0 WITH LLVM-exception",
"BSD-2-Clause",
"BSD-3-Clause",
"ISC",
"Zlib",
"Unicode-DFS-2016",
"Unicode-3.0",
]
confidence-threshold = 0.93
# License exceptions for dependencies in the current dependency tree.
# Each exception has a corresponding ADR documenting the rationale.
# See docs/adr/ for ADR files.
exceptions = [
# cbindgen (MPL-2.0) - build dependency for C FFI (pdftract-libpdftract)
# ADR-001: https://github.com/jedarden/pdftract/blob/main/docs/adr/0001-mpl-2-0-cbindgen-exception.md
{ name = "cbindgen", allow = ["MPL-2.0"] },
# option-ext (MPL-2.0) - transitive dependency of dirs (filesystem paths)
# ADR-002: https://github.com/jedarden/pdftract/blob/main/docs/adr/0002-mpl-2-0-option-ext-exception.md
{ name = "option-ext", allow = ["MPL-2.0"] },
]
[licenses.private]
ignore = false
[bans]
multiple-versions = "warn"
wildcards = "deny"
# Banned crates per TH-06 supply-chain policy (plan line 908)
# - openssl-sys, native-tls: we use rustls instead
# - git2, libgit2-sys: no git CLI dependency in this project
deny = [
{ name = "openssl-sys", use-instead = "rustls" },
{ name = "native-tls", use-instead = "rustls" },
{ name = "git2" },
{ name = "libgit2-sys" },
]
# Minimum version requirements per TH-06 supply-chain policy (plan line 908)
# - ring >= 0.17.5 (critical crypto primitive, known vulns in older versions)
# - rustls >= 0.23 (TLS implementation, API changes and fixes in 0.23.x)
skip = [
{ name = "ring", version = "=0.17.5", use-instead = "ring >= 0.17.5", reason = "TH-06: ring >= 0.17.5 required" },
{ name = "ring", version = "=0.17.6", use-instead = "ring >= 0.17.5", reason = "TH-06: ring >= 0.17.5 required" },
{ name = "ring", version = "=0.17.7", use-instead = "ring >= 0.17.5", reason = "TH-06: ring >= 0.17.5 required" },
{ name = "ring", version = "=0.17.8", use-instead = "ring >= 0.17.5", reason = "TH-06: ring >= 0.17.5 required" },
{ name = "ring", version = "=0.17.9", use-instead = "ring >= 0.17.5", reason = "TH-06: ring >= 0.17.5 required" },
{ name = "ring", version = "=0.17.10", use-instead = "ring >= 0.17.5", reason = "TH-06: ring >= 0.17.5 required" },
{ name = "ring", version = "=0.17.11", use-instead = "ring >= 0.17.5", reason = "TH-06: ring >= 0.17.5 required" },
{ name = "ring", version = "=0.17.12", use-instead = "ring >= 0.17.5", reason = "TH-06: ring >= 0.17.5 required" },
{ name = "ring", version = "=0.17.13", use-instead = "ring >= 0.17.5", reason = "TH-06: ring >= 0.17.5 required" },
{ name = "rustls", version = "=0.23.0", use-instead = "rustls >= 0.23", reason = "TH-06: rustls >= 0.23 required" },
{ name = "rustls", version = "=0.23.1", use-instead = "rustls >= 0.23", reason = "TH-06: rustls >= 0.23 required" },
{ name = "rustls", version = "=0.23.2", use-instead = "rustls >= 0.23", reason = "TH-06: rustls >= 0.23 required" },
{ name = "rustls", version = "=0.23.3", use-instead = "rustls >= 0.23", reason = "TH-06: rustls >= 0.23 required" },
{ name = "rustls", version = "=0.23.4", use-instead = "rustls >= 0.23", reason = "TH-06: rustls >= 0.23 required" },
{ name = "rustls", version = "=0.23.5", use-instead = "rustls >= 0.23", reason = "TH-06: rustls >= 0.23 required" },
{ name = "rustls", version = "=0.23.6", use-instead = "rustls >= 0.23", reason = "TH-06: rustls >= 0.23 required" },
{ name = "rustls", version = "=0.23.7", use-instead = "rustls >= 0.23", reason = "TH-06: rustls >= 0.23 required" },
{ name = "rustls", version = "=0.23.8", use-instead = "rustls >= 0.23", reason = "TH-06: rustls >= 0.23 required" },
{ name = "rustls", version = "=0.23.9", use-instead = "rustls >= 0.23", reason = "TH-06: rustls >= 0.23 required" },
{ name = "rustls", version = "=0.23.10", use-instead = "rustls >= 0.23", reason = "TH-06: rustls >= 0.23 required" },
{ name = "rustls", version = "=0.23.11", use-instead = "rustls >= 0.23", reason = "TH-06: rustls >= 0.23 required" },
{ name = "rustls", version = "=0.23.12", use-instead = "rustls >= 0.23", reason = "TH-06: rustls >= 0.23 required" },
]
# Allow wildcards for workspace crates (path dependencies)
# These are internal crates within the pdftract workspace
skip-tree = [
{ name = "pdftract-cli", reason = "workspace path dependency" },
{ name = "pdftract-libpdftract", reason = "workspace path dependency" },
{ name = "pdftract-py", reason = "workspace path dependency" },
]
[advisories]
yanked = "deny"
# Advisory exceptions for dependencies with no viable alternative.
# Each exception has a corresponding ADR documenting the rationale.
# See docs/adr/ for ADR files.
ignore = [
# RUSTSEC-2020-0144: lzw crate is unmaintained, no safe upgrade exists
# Used for LZWDecode filter in PDF streams; alternatives (weezl) incompatible with PDF LZW
# ADR-003: https://github.com/jedarden/pdftract/blob/main/docs/adr/0003-lzw-advisory-exception.md
"RUSTSEC-2020-0144",
# RUSTSEC-2021-0145: atty has unsound code (potential unaligned read)
# Migration to is-terminal is tracked separately
"RUSTSEC-2021-0145",
# RUSTSEC-2024-0375: atty is unmaintained
# Migration to is-terminal is tracked separately
"RUSTSEC-2024-0375",
# RUSTSEC-2025-0020: pyo3 0.20.3 has buffer overflow vulnerability
# Upgrade to pyo3 >=0.24.1 is tracked separately
"RUSTSEC-2025-0020",
]
[sources]
unknown-registry = "deny"
unknown-git = "deny"
Reference in a new issue View git blame Copy permalink