diff --git a/.cargo/deny.toml b/.cargo/deny.toml
new file mode 100644
index 0000000..cee6f6a
--- /dev/null
+++ b/.cargo/deny.toml
@@ -0,0 +1,15 @@
+[bans]
+multiple-versions = "deny"
+wildcards = "allow"
+highlight = "all"
+
+# Explicitly flag the weak cryptography so the agent is forced to justify its existence
+[[bans.skip]]
+name = "md-5"
+version = "*"
+reason = "MUST VERIFY: Only allowed for legacy checksums, never for security."
+
+[[bans.skip]]
+name = "sha1"
+version = "*"
+reason = "MUST VERIFY: Only allowed for backwards compatibility."
\ No newline at end of file
diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml
index effe3ea..0d42cd7 100644
--- a/.github/workflows/rust.yml
+++ b/.github/workflows/rust.yml
@@ -45,10 +45,14 @@ jobs:
 - name: Run tests
 run: cargo test --verbose
-# clippy dont fail on warnings because of active development of telemt
-# and many warnings
+ - name: Check benches compile
+ run: cargo check --benches
+
+ # Strict policy is deferred to PR-SEC-8 — intermediate branches use
+ # #[allow(clippy::panic)], #[allow(clippy::expect_used)] etc. which are
+ # incompatible with -F (forbid) flags active before all source fixes land.
 - name: Run clippy
- run: cargo clippy -- --cap-lints warn
+ run: cargo clippy --workspace -- -D clippy::correctness
 - name: Check for unused dependencies
 run: cargo udeps || true
diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
new file mode 100644
index 0000000..c658c3c
--- /dev/null
+++ b/.github/workflows/security.yml
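Review bot: `[[bans.skip]]` does not flag or restrict `md-5` and `sha1` — in cargo-deny a skip entry only exempts that crate from the `multiple-versions` duplicate check, so the comment's stated goal of forcing a justification is not met by these two entries. To make the policy bite, use `[[bans.deny]]` with `wrappers` naming the only crates allowed to depend on them directly (the Cargo.lock hunk in this diff shows `telemt` listing `sha1` as a direct dependency; the `md-5` dependant is not visible here, so confirm it before committing). Two further things to check: none of the workflows in this diff runs `cargo deny check`, and cargo-deny's default config path is `deny.toml` at the workspace root, so `.cargo/deny.toml` is dead config until a job passes `--config .cargo/deny.toml`. The lockfile's `"socket2 0.5.10"` and `"thiserror 2.0.18"` dependency entries (Cargo.lock only qualifies a dependency with a version when more than one version is resolved) also mean `multiple-versions = "deny"` will fail the first time it is actually run, unless those crates get their own skip entries. `version = "*"` is redundant on either entry form — omitting `version` already matches every version.
```toml
# … unchanged: [bans] table …

# Ban weak hashes everywhere except the crates listed in `wrappers`, so any
# new dependant has to be added here with a written justification.
[[bans.deny]]
name = "md-5"
wrappers = ["telemt"]  # TODO confirm the actual direct dependant(s)
reason = "MUST VERIFY: Only allowed for legacy checksums, never for security."

[[bans.deny]]
name = "sha1"
wrappers = ["telemt"]
reason = "MUST VERIFY: Only allowed for backwards compatibility."
```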
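Review bot: `-D clippy::correctness` on the new clippy line is effectively a no-op as a tightening, because clippy's correctness group is already deny-by-default; the real change in this hunk is dropping `--cap-lints warn`, which previously capped every lint (correctness included) at a warning so the step could never fail. If the intent is a minimal gate that still tolerates the `#[allow(...)]` attributes the comment mentions (an `#[allow]` overrides `-D` but not `-F`), `run: cargo clippy --workspace --all-targets -- -D clippy::correctness -D clippy::suspicious` would also lint the benches and tests that the new `cargo check --benches` step only compiles, and deny the suspicious group, which is warn-by-default. The `cargo udeps || true` context line below still means unused-dependency findings never fail the job; if that is deliberate during the transition, say so in a comment such as `# udeps is advisory until PR-SEC-8`. The `#[allow(clippy::panic)]` remark refers to source files outside this hunk, so I cannot confirm which lints those attributes actually cover.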
@@ -0,0 +1,34 @@
+name: Security
+
+on:
+ push:
+ branches: [ "*" ]
+ pull_request:
+ branches: [ "*" ]
+
+env:
+ CARGO_TERM_COLOR: always
+
+jobs:
+ advisory-gate:
+ name: Advisory Gate
+ runs-on: ubuntu-latest
+
+ permissions:
+ contents: read
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ - name: Install latest stable Rust toolchain
+ uses: dtolnay/rust-toolchain@stable
+
+ - name: Install cargo-audit
+ run: cargo install --locked cargo-audit
+
+ - name: Run policy regression tests
+ run: bash tools/security/test_enforce_audit_policy.sh
+
+ - name: Enforce advisory policy
+ run: bash tools/security/enforce_audit_policy.sh
\ No newline at end of file
diff --git a/Cargo.lock b/Cargo.lock
index 06ea5c6..3f837a2 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2025,6 +2025,12 @@ version = "1.2.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "6ce2be8dc25455e1f91df71bfa12ad37d7af1092ae736f3a6cd0e37bc7810596"
+[[package]]
+name = "static_assertions"
+version = "1.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a2eb9349b6444b326872e140eb1cf5e7c522154d69e7a0ffb0fb81c06b37543f"
+
 [[package]]
 name = "subtle"
 version = "2.6.1"
@@ -2087,7 +2093,7 @@ dependencies = [
 [[package]]
 name = "telemt"
-version = "3.3.15"
+version = "3.3.17"
 dependencies = [
 "aes",
 "anyhow",
@@ -2127,6 +2133,8 @@ dependencies = [
 "sha1",
 "sha2",
 "socket2 0.5.10",
+"static_assertions",
+"subtle",
 "thiserror 2.0.18",
 "tokio",
 "tokio-rustls",
diff --git a/Cargo.toml b/Cargo.toml
index dd3e5fb..51060d2 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -22,6 +22,7 @@ hmac = "0.12"
 crc32fast = "1.4"
 crc32c = "0.6"
 zeroize = { version = "1.8", features = ["derive"] }
+subtle = "2.6"
 # Network
 socket2 = { version = "0.5", features = ["all"] }
@@ -69,6 +70,7 @@ tokio-test = "0.4"
 criterion = "0.5"
 proptest = "1.4"
 futures = "0.3"
+static_assertions = "1.1"
 [[bench]]
 name = "crypto_bench"
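Review bot: `branches: [ "*" ]` on both the `push` and `pull_request` triggers will not fire for branch names containing a slash, because in GitHub's workflow filter syntax `*` does not match `/`; a `feature/foo`-style branch would bypass the advisory gate entirely. Use `branches: [ "**" ]` or simply omit the `branches` filter, which already means every branch. Separately, `cargo install --locked cargo-audit` builds whatever version is newest on crates.io at run time, so the gate's behaviour and advisory database handling can change with no commit to this repository; pin it with `run: cargo install --locked cargo-audit --version <x.y.z>` and, for the same supply-chain reason, consider pinning `actions/checkout` and `dtolnay/rust-toolchain` to commit SHAs instead of the movable `@v4`/`@stable` tags. The two `tools/security/*.sh` scripts the last steps run are not part of this diff, so I cannot check what policy they enforce or whether the regression test actually exercises a `cargo audit` run.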