freedomofpress · cfm · Feb 15, 2024 · Feb 9, 2024
@@ -0,0 +1,13 @@
+[advisories]
+# advisory IDs to ignore e.g. ["RUSTSEC-2019-0001", ...]
+ignore = []
+
+# Output Configuration
+[output]
+deny = ["warnings"]
+quiet = false
+
+# Target Configuration
+[target]
+arch = "x86_64" # Ignore advisories for CPU architectures other than this one
+os = "linux" # Ignore advisories for operating systems other than this one
@@ -0,0 +1,26 @@
+# Roughly based off of https://mozilla.github.io/cargo-vet/configuring-ci.html
+
+name: cargo vet
+
+on: [push, pull_request]
+
+jobs:
+  cargo-vet:
+    name: Vet Dependencies
+    runs-on: ubuntu-latest
+    # Keep version in sync with rust-toolchain.toml
+    container: rust:1.74.1
+    env:
+      CARGO_VET_VERSION: 0.9.0
+    steps:
+    - uses: actions/checkout@v4
+    - uses: actions/cache@v2
+      id: cache-vet
+      with:
+        path: /usr/local/cargo/bin/cargo-vet
+        key: cargo-vet-${{ env.CARGO_VET_VERSION }}
+    - name: Install the cargo-vet binary, if needed
+      if: ${{ steps.cache-vet.outputs.cache-hit != 'true' }}
+      run: cargo install --version ${{ env.CARGO_VET_VERSION }} cargo-vet
+    - name: Invoke cargo-vet
+      run: cargo vet --locked
@@ -64,3 +64,18 @@ jobs:
           poetry install
           poetry update safety
           make safety
+
+  rust:
+    runs-on: ubuntu-latest
+    # Keep version in sync with rust-toolchain.toml
+    container: rust:1.74.1
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install dependencies
+        run: |
+          rustup component add rustfmt
+          rustup component add clippy
+      - name: Lint and test Rust code
+        run: |
+          make rust-lint
+          make rust-test
@@ -0,0 +1,16 @@
+name: Security (cron)
+on:
+  schedule:
+    - cron: '0 3 * * *'
+
+jobs:
+  rust-audit:
+    runs-on: ubuntu-latest
+    # Keep version in sync with rust-toolchain.toml
+    container: rust:1.74.1
+    steps:
+      - uses: actions/checkout@v3
+      - name: Check Rust dependencies
+        run: |
+          cargo install cargo-audit
+          cargo audit
@@ -0,0 +1,5 @@
+[workspace]
+members = [
+    "proxy"
+]
+resolver = "2"
@@ -24,6 +24,15 @@ safety:  ## Run safety dependency checks on build dependencies
 		--ignore 62044 \
  		-r
 
+.PHONY: rust-lint
+rust-lint: ## Lint Rust code
+	cargo fmt --check
+	cargo clippy
+
+.PHONY: rust-test
+rust-test: ## Run Rust tests
+	cargo test
+
 # Explanation of the below shell command should it ever break.
 # 1. Set the field separator to ": ##" and any make targets that might appear between : and ##
 # 2. Use sed-like syntax to remove the make targets

@@ -0,0 +1,8 @@
+[package]
+name = "securedrop-proxy"
+version = "0.1.0"
+edition = "2021"
+
+# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+
+[dependencies]
@@ -0,0 +1,5 @@
+#![deny(clippy::all)]
+
+fn main() {
+    println!("Hello, world!");
+}
@@ -0,0 +1,2 @@
+[toolchain]
+channel = "1.74.1"
@@ -0,0 +1 @@
+max_width = 80
@@ -0,0 +1,4 @@
+
+# cargo-vet audits file
+
+[audits]
@@ -0,0 +1,26 @@
+
+# cargo-vet config file
+
+[cargo-vet]
+version = "0.9"
+
+[imports.bytecode-alliance]
+url = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml"
+
+[imports.google]
+url = "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml"
+
+[imports.isrg]
+url = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml"
+
+[imports.mozilla]
+url = "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml"
+
+[imports.securedrop]
+url = "https://raw.githubusercontent.com/freedomofpress/securedrop-supply-chain/main/audits.toml"
+
+[imports.zcash]
+url = "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml"
+
+[policy.securedrop-proxy]
+criteria = "safe-to-run"
@@ -0,0 +1,14 @@
+
+# cargo-vet imports lock
+
+[audits.bytecode-alliance.audits]
+
+[audits.google.audits]
+
+[audits.isrg.audits]
+
+[audits.mozilla.audits]
+
+[audits.securedrop.audits]
+
+[audits.zcash.audits]