From c0f6b859442808a28b5655f893a1d1d28ee75c96 Mon Sep 17 00:00:00 2001
From: Joshua Potts <8704475+iamjpotts@users.noreply.github.com>
Date: Mon, 22 Jan 2024 21:14:50 -0600
Subject: [PATCH] chore(deps): Add deny.yaml and a cargo deny CI job to check dependencies for vulnerabilities

Signed-off-by: Joshua Potts <8704475+iamjpotts@users.noreply.github.com>
---
 .github/workflows/sqlx.yml | 7 ++++
 .gitignore | 3 ++
 Cargo.lock | 82 ++++++++++++++++----------------------
 Cargo.toml | 4 +-
 deny.toml | 67 +++++++++++++++++++++++++++++++
 sqlx-test/Cargo.toml | 3 +-
 6 files changed, 116 insertions(+), 50 deletions(-)
 create mode 100644 deny.toml

diff --git a/.github/workflows/sqlx.yml b/.github/workflows/sqlx.yml
index 153ea24479..0933c8f657 100644
--- a/.github/workflows/sqlx.yml
+++ b/.github/workflows/sqlx.yml
@@ -8,6 +8,13 @@ on:
 - '*-dev'
 
 jobs:
+ deny:
+ name: Cargo Deny
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: EmbarkStudios/cargo-deny-action@v1
+
 format:
 name: Format
 runs-on: ubuntu-20.04
diff --git a/.gitignore b/.gitignore
index 9e71baaa01..df28142027 100644
--- a/.gitignore
+++ b/.gitignore
@@ -17,3 +17,6 @@ target/
 # Integration testing extension library for SQLite.
 ipaddr.dylib
 ipaddr.so
+
+# Temporary files from running the tests locally like they would be run from CI
+.sqlx
diff --git a/Cargo.lock b/Cargo.lock
index c1c301df0f..56cde771a9 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -88,9 +88,9 @@ dependencies = [
 
 [[package]]
 name = "anstream"
-version = "0.6.4"
+version = "0.6.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2ab91ebe16eb252986481c5b62f6098f3b698a45e34b5b98200cf20dd2484a44"
+checksum = "6e2e1ebcb11de5c03c67de28a7df593d32191b44939c482e97702baaaa6ab6a5"
 dependencies = [
 "anstyle",
 "anstyle-parse",
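Review bot: Both steps of the new `deny` job are referenced by mutable major-version tags (`actions/checkout@v4` and `EmbarkStudios/cargo-deny-action@v1`), so the job that audits the dependency tree is itself resolved at run time from a tag the upstream owner can move. Pinning each `uses:` to a full commit SHA and keeping the tag as a trailing comment, e.g. `- uses: EmbarkStudios/cargo-deny-action@<commit-sha> # v1`, makes the audit step reproducible while still letting an update bot follow the tag; if the rest of the workflow uses tags, the same change can be applied file-wide in a follow-up. The job also runs on `ubuntu-latest` while the neighbouring `format` job pins `ubuntu-20.04`; a one-line comment stating that the deny job deliberately floats would stop the next reader from "fixing" it in either direction.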
@@ -744,23 +744,11 @@ dependencies = [ "atty", "bitflags 1.3.2", "strsim 0.8.0", - "textwrap 0.11.0", + "textwrap", "unicode-width", "vec_map", ] -[[package]] -name = "clap" -version = "3.2.25" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4ea181bf566f71cb9a5d17a59e1871af638180a18fb0035c92ae62b705207123" -dependencies = [ - "bitflags 1.3.2", - "clap_lex 0.2.4", - "indexmap 1.9.3", - "textwrap 0.16.0", -] - [[package]] name = "clap" version = "4.4.8" @@ -779,7 +767,7 @@ checksum = "07cdf1b148b25c1e1f7a42225e30a0d99a615cd4637eae7365548dd4529b95bc" dependencies = [ "anstream", "anstyle", - "clap_lex 0.6.0", + "clap_lex", "strsim 0.10.0", ] @@ -804,15 +792,6 @@ dependencies = [ "syn 2.0.39", ] -[[package]] -name = "clap_lex" -version = "0.2.4" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2850f2f5a82cbf437dd5af4d49848fbdfc27c157c3d010345776f952765261c5" -dependencies = [ - "os_str_bytes", -] - [[package]] name = "clap_lex" version = "0.6.0" @@ -906,20 +885,20 @@ checksum = "19d374276b40fb8bbdee95aef7c7fa6b5316ec764510eb64b8dd0e2ed0d7e7f5" [[package]] name = "criterion" -version = "0.4.0" +version = "0.5.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e7c76e09c1aae2bc52b3d2f29e13c6572553b30c4aa1b8a49fd70de6412654cb" +checksum = "f2b12d017a929603d80db1831cd3a24082f8137ce19c69e6447f54f5fc8d692f" dependencies = [ "anes", - "atty", "cast", "ciborium", - "clap 3.2.25", + "clap 4.4.8", "criterion-plot", "futures", + "is-terminal", "itertools 0.10.5", - "lazy_static", "num-traits", + "once_cell", "oorandom", "plotters", "rayon", 
@@ -1163,17 +1142,27 @@ version = "0.1.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "c34f04666d835ff5d62e058c3995147c06f42fe86ff053337632bca83e42702d" +[[package]] +name = "env_filter" +version = "0.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a009aa4810eb158359dda09d0c87378e4bbb89b5a801f016885a4707ba24f7ea" +dependencies = [ + "log", + "regex", +] + [[package]] name = "env_logger" -version = "0.9.3" +version = "0.11.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a12e6657c4c97ebab115a42dcee77225f7f482cdd841cf7088c657a42e9e00e7" +checksum = "9eeb342678d785662fd2514be38c459bb925f02b68dd2a3e0f21d7ef82d979dd" dependencies = [ - "atty", + "anstream", + "anstyle", + "env_filter", "humantime", "log", - "regex", - "termcolor", ] [[package]] @@ -1794,6 +1783,17 @@ dependencies = [ "serde", ] +[[package]] +name = "is-terminal" +version = "0.4.10" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0bad00257d07be169d870ab665980b06cdb366d792ad690bf2e76876dc503455" +dependencies = [ + "hermit-abi 0.3.3", + "rustix 0.38.30", + "windows-sys 0.52.0", +] + [[package]] name = "itertools" version = "0.10.5" @@ -2242,12 +2242,6 @@ dependencies = [ "vcpkg", ] -[[package]] -name = "os_str_bytes" -version = "6.6.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e2355d85b9a3786f481747ced0e0ff2ba35213a1f9bd406ed906554d7af805a1" - [[package]] name = "parking" version = "2.2.0" @@ -3700,12 +3694,6 @@ dependencies = [ "unicode-width", ] -[[package]] -name = "textwrap" -version = "0.16.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "222a222a5bfe1bba4a77b45ec488a741b3cb8872e5e499451fd7d0129c9c7c3d" - [[package]] name = "thiserror" version = "1.0.50" diff --git a/Cargo.toml b/Cargo.toml index e49c2de930..29c5259306 100644 --- a/Cargo.toml +++ b/Cargo.toml 
@@ -161,7 +161,7 @@ sqlx-sqlite = { workspace = true, optional = true }
 anyhow = "1.0.52"
 time_ = { version = "0.3.2", package = "time" }
 futures = "0.3.19"
-env_logger = "0.9.0"
+env_logger = "0.11"
 async-std = { version = "1.12.0", features = ["attributes"] }
 tokio = { version = "1.15.0", features = ["full"] }
 dotenvy = "0.15.0"
@@ -175,7 +175,7 @@ rand = "0.8.4"
 rand_xoshiro = "0.6.0"
 hex = "0.4.3"
 tempfile = "3.9.0"
-criterion = {version = "0.4", features = ["async_tokio"]}
+criterion = { version = "0.5", features = ["async_tokio"] }
 
 # Needed to test SQLCipher
 libsqlite3-sys = { version = "0.27", features = ["bundled-sqlcipher"] }
diff --git a/deny.toml b/deny.toml
new file mode 100644
index 0000000000..62ead109e4
--- /dev/null
+++ b/deny.toml
@@ -0,0 +1,67 @@
+[advisories]
+ignore = [
+ # No upgrade available for rsa 0.9.4, a direct dependency of sqlx-mysql
+ "RUSTSEC-2023-0071",
+]
+notice = "deny"
+unmaintained = "deny"
+vulnerability = "deny"
+yanked = "deny"
+
+[licenses]
+allow = [
+ "Apache-2.0",
+ "BSD-2-Clause",
+ "BSD-3-Clause",
+ "ISC",
+ "MIT",
+ "MPL-2.0",
+ "OpenSSL",
+ "Unicode-DFS-2016",
+ "Zlib",
+]
+default = "deny"
+confidence-threshold = 0.9
+unlicensed = "deny"
+
+[[licenses.clarify]]
+name = "ring"
+expression = "MIT AND ISC AND OpenSSL"
+license-files = [
+ { path = "LICENSE", hash = 0xbd0eed23 }
+]
+
+[bans]
+allow = []
+deny = []
+multiple-versions = "deny"
+skip = [
+ # async-std 1.12 uses two versions - this older version directly, and a newer verison transitively.
+ { name = "async-channel", version = "=1.9.0" },
+ # native-tls 0.2.11 has this older version as a transitive dependency
+ { name = "spin", version = "=0.5.2" },
+ # criterion 0.5.1 uses this older version of itertools
+ { name = "itertools", version = "=0.10.5" },
+ # syn 2.0 has not been adopted by many crates using syn 1.x due to difficult breaking changes
+ { name = "syn", version = "<2" },
+]
+skip-tree = [
+ # async-std 1.12 uses two versions - this older version directly, and a newer verison transitively.
+ { name = "async-io", version = "=1.13.0" },
+]
+
+# Warn, rather than deny, due to sqlx crates not referencing each other by a specific version
+wildcards = "warn"
+
+[sources]
+allow-git = []
+allow-registry = [
+ "https://github.com/rust-lang/crates.io-index"
+]
+unknown-git = "deny"
+unknown-registry = "deny"
+
+[sources.allow-org]
+bitbucket = []
+github = []
+gitlab = []
diff --git a/sqlx-test/Cargo.toml b/sqlx-test/Cargo.toml
index 23f417b7f9..8c0b6adda4 100644
--- a/sqlx-test/Cargo.toml
+++ b/sqlx-test/Cargo.toml
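Review bot: The `"RUSTSEC-2023-0071"` entry under `[advisories] ignore` silences that advisory indefinitely; the comment above it records why it is ignored today but not when the ignore should be lifted, so it will outlive the rsa upgrade it is waiting for. Extend the comment to name the exit condition, e.g. `# Remove once sqlx-mysql can move to an rsa release that addresses this advisory; re-check on every rsa bump (tracking: <tracking-issue>)`, so the entry has an owner and a trigger. The `[bans] skip` entry `{ name = "syn", version = "<2" }` is an open range that will keep matching any future 1.x release rather than the one duplicate present now; pinning it with `=` to the version actually in Cargo.lock, as the other `skip` entries do, would make the next duplicate visible. Two comments in `[bans]` spell "version" as "verison".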
@@ -2,11 +2,12 @@ name = "sqlx-test"
 version = "0.1.0"
 edition = "2021"
+license = "MIT OR Apache-2.0"
 publish = false
 
 [dependencies]
 sqlx = { default-features = false, path = ".." }
-env_logger = "0.9.0"
+env_logger = "0.11"
 dotenvy = "0.15.0"
 anyhow = "1.0.26"
 async-std = { version = "1.8.0", features = [ "attributes" ] }
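Review bot: The added `license = "MIT OR Apache-2.0"` on a `publish = false` crate has no visible purpose in this file; it is presumably there so the workspace-level cargo-deny licence check (`unlicensed = "deny"` in the new deny.toml) does not fail on the test helper crate. A one-line comment above it, `# Declared so cargo-deny's unlicensed check passes; this crate is never published`, would keep a later cleanup from removing it as dead metadata. The `[dependencies]` table likely continues past the hunk's last line.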