1606776394
## Formal Verification - Add TLA+ specs for UTXO conservation (formal/tla/UTXOConservation.tla) - Add TLA+ specs for GHOSTDAG ordering (formal/tla/GHOSTDAGOrdering.tla) - Add mathematical proof of DAA convergence (formal/proofs/) - Document Kani verification approach (formal/kani/) ## Bug Bounty Program - Add SECURITY.md with vulnerability disclosure process - Add docs/BUG_BOUNTY.md with $500-$100,000 reward tiers - Define scope, rules, and response SLA ## Web Wallet Dilithium3 WASM Integration - Build WASM module via Docker (498KB optimized) - Add wasm-crypto.ts lazy loader for Dilithium3 - Add createHybridSignatureLocal() for full client-side signing - Add createHybridSignatureSmart() for auto-mode selection - Add Dockerfile.wasm and build scripts ## Security Review ($0 Approach) - Add .github/workflows/security.yml CI workflow - Add deny.toml for cargo-deny license/security checks - Add Dockerfile.security for audit container - Add scripts/security-audit.sh for local audits - Configure cargo-audit, cargo-deny, cargo-geiger, gitleaks
83 lines
2 KiB
TOML
83 lines
2 KiB
TOML
# cargo-deny configuration for Synor
|
|
# https://embarkstudios.github.io/cargo-deny/
|
|
|
|
# ============================================================================
|
|
# Advisories - Security vulnerability database checks
|
|
# ============================================================================
|
|
[advisories]
|
|
db-path = "~/.cargo/advisory-db"
|
|
db-urls = ["https://github.com/rustsec/advisory-db"]
|
|
vulnerability = "deny"
|
|
unmaintained = "warn"
|
|
yanked = "warn"
|
|
notice = "warn"
|
|
ignore = [
|
|
# Add advisory IDs to ignore here if needed
|
|
# "RUSTSEC-2020-0000",
|
|
]
|
|
|
|
# ============================================================================
|
|
# Licenses - Allowed license check
|
|
# ============================================================================
|
|
[licenses]
|
|
unlicensed = "deny"
|
|
allow = [
|
|
"MIT",
|
|
"Apache-2.0",
|
|
"BSD-2-Clause",
|
|
"BSD-3-Clause",
|
|
"ISC",
|
|
"Zlib",
|
|
"0BSD",
|
|
"CC0-1.0",
|
|
"Unicode-DFS-2016",
|
|
"MPL-2.0",
|
|
"BSL-1.0",
|
|
]
|
|
copyleft = "warn"
|
|
allow-osi-fsf-free = "either"
|
|
default = "deny"
|
|
confidence-threshold = 0.8
|
|
|
|
[[licenses.clarify]]
|
|
name = "ring"
|
|
expression = "MIT AND ISC AND OpenSSL"
|
|
license-files = [
|
|
{ path = "LICENSE", hash = 0xbd0eed23 },
|
|
]
|
|
|
|
# ============================================================================
|
|
# Bans - Specific crate bans
|
|
# ============================================================================
|
|
[bans]
|
|
multiple-versions = "warn"
|
|
wildcards = "allow"
|
|
highlight = "all"
|
|
|
|
deny = [
|
|
# Deny crates with known security issues
|
|
# { name = "example-crate", version = "*" },
|
|
]
|
|
|
|
skip = [
|
|
# Allow specific duplicate versions if needed
|
|
]
|
|
|
|
skip-tree = [
|
|
# Skip entire dependency trees if needed
|
|
]
|
|
|
|
# ============================================================================
|
|
# Sources - Allowed crate sources
|
|
# ============================================================================
|
|
[sources]
|
|
unknown-registry = "warn"
|
|
unknown-git = "warn"
|
|
allow-registry = ["https://github.com/rust-lang/crates.io-index"]
|
|
allow-git = []
|
|
|
|
[sources.allow-org]
|
|
github = [
|
|
"synor",
|
|
"pqcrypto",
|
|
]
|