chore(soc2): deny.toml ignore for no-fix RustSec advisories (accept-with-reason) #338

Open · walnut-the-cat wants to merge 1 commit into main from soc2/rustsec-nofix-deny-ignore

Conversation

@walnut-the-cat (Collaborator)

Adds an [advisories] ignore list to deny.toml for the residual chat-api RustSec advisories with no available fix or that are unmaintained build-time crates (RUSTSEC-2026-0118 hickory NSEC3; 2024-0436 paste; 2025-0134 rustls-pemfile; 2026-0173 proc-macro-error2; 2024-0370 proc-macro-error), each with an inline reason. Accept-with-reason step of the chat-api RustSec disposition (after fix batches #332 + #335). cargo-deny stays report-only. Each has a matching exception-register entry (Vuln Mgmt Policy s3.5 / Secure SDLC s7; CC.3.1.6), pending risk-acceptance sign-off. (Supersedes #337, which closed when its branch was renamed.)

…ith-reason)

Adds an [advisories] ignore list for the residual chat-api RustSec advisories that have no available fix or are unmaintained build-time crates (not runtime-reachable): RUSTSEC-2026-0118 (hickory NSEC3, no fix), 2024-0436 (paste), 2025-0134 (rustls-pemfile), 2026-0173 (proc-macro-error2), 2024-0370 (proc-macro-error). Each carries an inline reason + a matching entry in the exception register (Vuln Mgmt Policy s3.5 / Secure SDLC s7; SOC 2 CC.3.1.6). cargo-deny stays report-only.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@walnut-the-cat walnut-the-cat requested a review from a team as a code owner June 27, 2026 02:45
Copilot AI review requested due to automatic review settings June 27, 2026 02:45
@claude (Bot) commented Jun 27, 2026

Review — deny.toml accept-with-reason ignore list

Reviewed the diff (config-only, 12 additions to deny.toml). This is a low-risk change: cargo-deny remains report-only (continue-on-error), so it cannot break the build, and each ignore carries an inline rationale tied to the exception register. The TOML structure (ignore = [ { id, reason }, ... ]) is well-formed and matches cargo-deny's expected schema.

Minor (non-blocking)

  • RUSTSEC-2024-0370 (proc-macro-error) does not match any crate in the current Cargo.lock. Verified the other four (hickory-proto, paste, proc-macro-error2, rustls-pemfile) are all present, but plain proc-macro-error is not — only proc-macro-error2 is. The entry is harmless (it's a no-op while the crate is absent), but cargo-deny will emit an advisory was not encountered warning for it, and if the goal is eventually to flip the gate to blocking with --deny unmatched-advisory or similar, a stale ignore could itself trip that. Worth either confirming it's a transitive dep that comes and goes, or dropping it until it reappears.

Notes (no action needed)

  • The privacy/logging rules in CLAUDE.md don't apply here — no logging, no customer data, no code paths touched.
  • Rolling-update safe: report-only config, no runtime behavior change, no state/schema migration.

No critical issues found.

⚠️ (one minor: stale proc-macro-error ignore entry — non-blocking)

Copilot AI (Contributor) left a comment

Pull request overview

Adds documented cargo-deny advisory ignores for residual RustSec findings that are currently non-remediable (no fix available) or unmaintained build-time crates, aligning the repo’s security-audit output with the stated “accept-with-reason” vulnerability-management process while keeping cargo-deny report-only.

Changes:

  • Added an [advisories] ignore list in deny.toml for the specified RustSec IDs.
  • Included per-advisory inline rationale to support auditability and future gating.
