fix(phase2-gaps): remediate bytes vulnerability and add cargo-deny config

- Fix RUSTSEC-2026-0007: bytes crate vulnerability (CVE-2025-47685) - Updated bytes to v1.11.1 via workspace.dependencies override - Create deny.toml with permissive license policy - Allows MIT, Apache-2.0, BSD-2/3-Clause, ISC, Zlib, Unlicense, CC0-1.0, Unicode-3.0, GPL-3.0-only - Added license to linux-hello-tests crate (was missing) - Update project license to modern SPDX: GPL-3.0-only (was deprecated GPL-3.0) Verification: - cargo audit: PASSED (no vulnerabilities) - cargo deny check: PASSED (licenses ok, advisories ok, bans ok)
2026-02-14 11:39:58 +01:00
parent a2e4618836
commit 19a1a09808
4 changed files with 101 additions and 314 deletions
--- a/deny.toml
+++ b/deny.toml
@@ -0,0 +1,30 @@
+# cargo-deny configuration for Linux Hello
+# SPDX-License-Identifier: GPL-3.0
+
+[licenses]
+# Allow permissive licenses + our project's GPL-3.0 license
+allow = [
+    "MIT",
+    "Apache-2.0",
+    "Apache-2.0 WITH LLVM-exception",
+    "BSD-2-Clause",
+    "BSD-3-Clause",
+    "ISC",
+    "Zlib",
+    "Unlicense",
+    "CC0-1.0",
+    "Unicode-3.0",
+    # Our project license
+    "GPL-3.0-only",
+]
+
+# Confidence threshold for license detection
+confidence-threshold = 0.8
+
+[bans]
+# Allow duplicates (different versions of same crate from different dependencies)
+deny = []
+
+[advisories]
+# Ignore unmaintained advisories - we handle these manually
+ignore = []