Remove docs for removed fields
Jake-Shadle committed Aug 2, 2024
1 parent 766745a commit 86b3ed6
Showing 2 changed files with 4 additions and 112 deletions.
58 changes: 1 addition & 57 deletions docs/src/checks/advisories/cfg.md
Expand Up @@ -36,9 +36,7 @@ Default: `$CARGO_HOME/advisory-dbs`
version = 2
```

The advisories section has an upcoming breaking change, with deprecation warnings for several fields that will be removed. Setting `version = 2` will opt-in to the future default behavior.

The breaking change is as follows:
The version field is (at the time of this writing) no longer used, the following fields have been removed and will now emit errors.

- `vulnerability` - Removed, all vulnerability advisories now emit errors.
- `unmaintained` - Removed, all unmaintained advisories now emit errors.
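Review bot: the added sentence is a comma splice and leaves it unclear what emits the error; split it and say that it is the configuration, not the advisory, that is rejected, e.g. `The version field is no longer used. The following fields have been removed; setting any of them is now a configuration error.` Also, since the field is described as no longer used, the `version = 2` example directly above it should either be dropped or annotated as ignored so readers do not think it is still required.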
Expand All @@ -48,36 +46,6 @@ The breaking change is as follows:

As before, if you want to ignore a specific advisory, add it to the `ignore` field.

### The `vulnerability` field (optional)

[**DEPRECATED**](#the-version-field-optional)

Determines what happens when a crate with a security vulnerability is encountered.

- `deny` (default) - Will emit an error with details about each vulnerability, and fail the check.
- `warn` - Prints a warning for each vulnerability, but does not fail the check.
- `allow` - Prints a note about the security vulnerability, but does not fail the check.

### The `unmaintained` field (optional)

[**DEPRECATED**](#the-version-field-optional)

Determines what happens when a crate with an `unmaintained` advisory is encountered.

- `deny` - Will emit an error with details about the unmaintained advisory, and fail the check.
- `warn` (default) - Prints a warning for each unmaintained advisory, but does not fail the check.
- `allow` - Prints a note about the unmaintained advisory, but does not fail the check.

### The `unsound` field (optional)

[**DEPRECATED**](#the-version-field-optional)

Determines what happens when a crate with an `unsound` advisory is encountered.

- `deny` - Will emit an error with details about the unsound advisory, and fail the check.
- `warn` (default) - Prints a warning for each unsound advisory, but does not fail the check.
- `allow` - Prints a note about the unsound advisory, but does not fail the check.

### The `yanked` field (optional)

Determines what happens when a crate with a version that has been yanked from its source registry is encountered.
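Review bot: deleting the `vulnerability`, `unmaintained` and `unsound` headings also deletes their anchors (`#the-vulnerability-field-optional` and so on), so any remaining intra-doc links to them will dangle; grep the book for those anchors before merging. With the `deny`/`warn`/`allow` descriptions gone, consider adding a one-line statement next to "As before, if you want to ignore a specific advisory" that these advisory kinds are now always errors and `ignore` is the only suppression path.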
Expand All @@ -86,18 +54,6 @@ Determines what happens when a crate with a version that has been yanked from it
- `warn` (default) - Prints a warning with the crate name and version that was yanked, but does not fail the check.
- `allow` - Prints a note about the yanked crate, but does not fail the check.

### The `notice` field (optional)

[**DEPRECATED**](#the-version-field-optional)

Determines what happens when a crate with a `notice` advisory is encountered.

**NOTE**: As of 2019-12-17 there are no `notice` advisories in the [RustSec Advisory DB](https://github.com/RustSec/advisory-db)

- `deny` - Will emit an error with details about the notice advisory, and fail the check.
- `warn` (default) - Prints a warning for each notice advisory, but does not fail the check.
- `allow` - Prints a note about the notice advisory, but does not fail the check.

### The `ignore` field (optional)

```ini
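Review bot: the `notice` section removed here was the only place the docs said that `notice` advisories exist and how they are handled; the visible part of the removed-fields list in the first hunk names only `vulnerability` and `unmaintained`, so make sure `notice` and `unsound` each get an entry stating that they now emit errors (or that there are currently none, if that statement is still true).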
Expand All @@ -113,18 +69,6 @@ Every advisory in the advisory database contains a unique identifier, eg. `RUSTS

In addition, yanked crate versions can be ignored by specifying a [PackageSpec](../cfg.md#package-spec) with an optional `reason`.

### The `severity-threshold` field (optional)

[**DEPRECATED**](#the-version-field-optional)

The threshold for security vulnerabilities to be turned into notes instead of warnings or errors, depending upon its [CVSS](https://en.wikipedia.org/wiki/Common_Vulnerability_Scoring_System) score. So having a high threshold means some vulnerabilities might not fail the check, but having a log level `>= info` will mean that a note will be printed instead of a warning or error, depending on `[advisories.vulnerability]`.

- `None` (default) - CVSS Score 0.0
- `Low` - CVSS Score 0.1 - 3.9
- `Medium` - CVSS Score 4.0 - 6.9
- `High` - CVSS Score 7.0 - 8.9
- `Critical` - CVSS Score 9.0 - 10.0

### The `git-fetch-with-cli` field (optional)

Similar to cargo's [net.git-fetch-with-cli](https://doc.rust-lang.org/cargo/reference/config.html#netgit-fetch-with-cli), this field allows you to opt-in to fetching advisory databases with the git CLI rather than using `gix`.
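Review bot: removing `severity-threshold` removes the CVSS bands along with any severity-based downgrade, so the only way to accept a low-severity finding is now `ignore`. Say so explicitly in the `ignore` section (the context line above already covers an optional `reason` for yanked crates via `PackageSpec`), so teams that relied on the threshold know to record each accepted advisory with a reason rather than silently losing coverage.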
58 changes: 3 additions & 55 deletions docs/src/checks/licenses/cfg.md
Expand Up @@ -51,30 +51,17 @@ If `true`, licenses are checked even for `dev-dependencies`. By default this is
version = 2
```

The licenses section has an upcoming breaking change, with deprecation warnings for several fields that will be removed. Setting `version = 2` will opt-in to the future default behavior.

The breaking change is as follows:
The version field is (at the time of this writing) no longer used, the following fields have been removed and will now emit errors.

- `unlicensed` - Removed, if a crate is unlicensed you should open an issue/PR to fix it, and in the meantime, you may add a [clarification](#the-clarify-field-optional).
- `deny` - Removed, all licenses are denied unless explicitly allowed
- `copyleft` - Removed, all licenses are denied unless explicitly allowed
- `allow-osi-fsf-free` - Removed, all licenses are denied unless explicitly allowed
- `default` - Removed, all licenses are denied unless explicitly allowed

### The `unlicensed` field (optional)

Determines what happens when a crate has not explicitly specified its license terms, and no license information could be confidently detected via `LICENSE*` files in the crate's source.

- `deny` (default) - All unlicensed crates will emit an error and fail the license check
- `allow` - All unlicensed crates will show a note, but will not fail the license check
- `warn` - All unlicensed crates will show a warning, but will not fail the license check

### The `allow` and `deny` fields (optional)

The licenses that should be allowed or denied, note that the same license cannot
appear in both the `allow` and `deny` lists.
### The `allow` field (optional)

[`deny` is **DEPRECATED**](#the-version-field-optional)
The licenses that are explicitly allowed.

#### Note on GNU licenses

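Review bot: the added sentence has the same comma splice as in the advisories file; split it into two sentences and say that setting a removed field is a configuration error. More importantly, the new `### The allow field (optional)` heading is misleading once `deny`, `default` and `allow-osi-fsf-free` are gone: with all licenses denied unless explicitly allowed, an absent or empty `allow` list rejects every license, so either drop `(optional)` or state that an empty list fails every crate.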
Expand All @@ -90,7 +77,6 @@ So, for example, if you wanted to disallow `GPL-2.0` licenses, but allow `GPL-3.
```ini
[licenses]
allow = [ "GPL-3.0" ]
deny = [ "GPL-2.0" ]
```

This gets worse with the GFDL licenses, which also have an `invariants` modifier. Before licenses are checked they are normalized to make them consistent for all licenses.
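Review bot: the surrounding prose (context line "if you wanted to disallow `GPL-2.0` licenses, but allow `GPL-3.0`") still describes the example as an explicit disallow, but the `deny = [ "GPL-2.0" ]` line is gone. Reword it to say that listing only `GPL-3.0` is enough because unlisted licenses are denied by default; otherwise readers will look for the removed `deny` field.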
Expand Down Expand Up @@ -150,44 +136,6 @@ exceptions = [
]
```

### The `copyleft` field (optional)

[**DEPRECATED**](#the-version-field-optional)

Determines what happens when a license that is considered [copyleft](https://www.gnu.org/licenses/license-list.html) is encountered.

- `warn` (default) - Will emit a warning that a copyleft license was detected, but will not fail the license check
- `deny` - The license is not accepted if it is copyleft, but the license check might not fail if the expression still evaluates to true
- `allow` - The license is accepted if it is copyleft

### The `allow-osi-fsf-free` field (optional)

[**DEPRECATED**](#the-version-field-optional)

Determines what happens when licenses aren't explicitly allowed or denied, but **are** marked as [OSI Approved](https://opensource.org/licenses) or [FSF Free/Libre](https://www.gnu.org/licenses/license-list.en.html) in version 3.23 of the [SPDX License List](https://spdx.org/licenses/).

- `both` - The license is accepted if it is both OSI approved and FSF Free
- `either` - The license is accepted if it is either OSI approved or FSF Free
- `osi` - The license is accepted if it is OSI approved
- `fsf` - The license is accepted if it is FSF Free
- `osi-only` - The license is accepted if it is OSI approved and not FSF Free
- `fsf-only` - The license is accepted if it is FSF Free and not OSI approved
- `neither` (default) - No special consideration is given the license

### The `default` field (optional)

[**DEPRECATED**](#the-version-field-optional)

Determines what happens when a license is encountered that:

1. Isn't in the `allow` or `deny` lists
1. Isn't `copyleft`
1. Isn't OSI Approved nor FSF Free/Libre, or `allow-osi-fsf-free = "neither"`

- `warn` - Will emit a warning that the license was detected, but will not fail the license check
- `deny` (default) - The license is not accepted, but the license check might not fail if the expression still evaluates to true
- `allow` - The license is accepted

### The `confidence-threshold` field (optional)

`cargo-deny` uses [askalono](https://github.com/amzn/askalono) to determine the license of a LICENSE file. Due to variability in license texts because of things like authors, copyright year, and so forth, askalano assigns a confidence score to its determination, from `0.0` (no confidence) to `1.0` (perfect match). The confidence threshold value is used to reject the license determination if the score does not match or exceed the threshold.
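Review bot: the deleted `copyleft` and `default` sections were the only places stating that a non-accepted license does not necessarily fail the check if the crate's license expression still evaluates to true; that nuance should move into the `allow` section rather than disappear with the removed fields. Also, the unchanged context line in this hunk spells the tool `askalano` while the link says `askalono`; worth fixing in the same commit.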