chore: standardize cargo-deny coverage for rust projects (#3759)

lucarlig · crivetimihai · web-flow · commit aee405688048 · 2026-03-21T01:24:22.000Z
* chore: standardize cargo-deny coverage for rust projects

Signed-off-by: lucarlig &lt;luca.carlig@ibm.com&gt;

* chore: add cargo-deny CI coverage for mcp_runtime

Add cargo-deny policy checks (licenses, bans, sources) for
tools_rust/mcp_runtime in the rust-tools workflow. Advisories
are excluded as they have pre-existing failures tracked separately.

Signed-off-by: Mihai Criveti &lt;crivetimihai@gmail.com&gt;

* chore: trim license allowlist to actual usage and close CI gaps

Reduce deny.toml allowlist from 107 licenses to 17 (14 actually used
+ 3 common safe buffer). Remove problematic licenses (JSON, CDDL,
EPL, BSD-4-Clause, etc.) that were never needed.

Add cargo-deny CI enforcement for mcp-servers/rust/fast-test-server
and mcp-servers/rust/filesystem-server in the rust-tools workflow,
closing the last CI coverage gap for deny.toml files.

Signed-off-by: Mihai Criveti &lt;crivetimihai@gmail.com&gt;

---------

Signed-off-by: lucarlig &lt;luca.carlig@ibm.com&gt;
Signed-off-by: Mihai Criveti &lt;crivetimihai@gmail.com&gt;
Co-authored-by: Mihai Criveti &lt;crivetimihai@gmail.com&gt;
diff --git a/.github/workflows/rust-plugins.yml b/.github/workflows/rust-plugins.yml
@@ -121,9 +121,16 @@ jobs:
       - name: Install cargo-audit
         run: cargo install cargo-audit
 
+      - name: Install cargo-deny
+        run: cargo install cargo-deny
+
       - name: Run security audit on all plugins
         run: make rust-audit
 
+      # cargo-audit covers advisories separately; cargo-deny here enforces policy and licensing.
+      - name: Run cargo-deny policy checks on all plugins
+        run: make rust-deny
+
   # Benchmark tests (verify benchmarks compile and run)
   benchmark-tests:
     if: github.event_name != 'pull_request' || !github.event.pull_request.draft
diff --git a/.github/workflows/rust-tools.yml b/.github/workflows/rust-tools.yml
@@ -5,12 +5,14 @@ on:
     branches: [main, develop]
     paths:
       - "tools_rust/**"
+      - "mcp-servers/rust/**"
       - ".github/workflows/rust-tools.yml"
   pull_request:
     types: [opened, synchronize, ready_for_review]
     branches: [main, develop, rust-tools-ci]
     paths:
       - "tools_rust/**"
+      - "mcp-servers/rust/**"
   workflow_dispatch:
 
 env:
@@ -85,9 +87,22 @@ jobs:
       - name: Install cargo-deny
         run: cargo install cargo-deny
 
-      - name: Run license check
+      - name: Run cargo-deny policy checks (wrapper)
         working-directory: tools_rust/wrapper
-        run: make licenses
+        run: make deny
+
+      # Exclude advisories: pre-existing advisory issues tracked separately.
+      - name: Run cargo-deny policy checks (mcp_runtime)
+        working-directory: tools_rust/mcp_runtime
+        run: cargo deny check licenses bans sources
+
+      - name: Run cargo-deny policy checks (fast-test-server)
+        working-directory: mcp-servers/rust/fast-test-server
+        run: cargo deny check licenses bans sources
+
+      - name: Run cargo-deny policy checks (filesystem-server)
+        working-directory: mcp-servers/rust/filesystem-server
+        run: cargo deny check licenses bans sources
 
   coverage:
     if: github.event_name != 'pull_request' || !github.event.pull_request.draft
diff --git a/Makefile b/Makefile
@@ -8167,6 +8167,9 @@ rust-build-wheels: rust-ensure-deps     ## Build Python wheels for all Rust plug
 rust-audit: rust-ensure-deps            ## Run security audit on all Rust plugins
 	@$(MAKE) -C plugins_rust audit
 
+rust-deny: rust-ensure-deps             ## Run cargo-deny policy checks on all Rust plugins
+	@$(MAKE) -C plugins_rust deny
+
 rust-coverage: rust-ensure-deps         ## Run coverage for all Rust plugins
 	@$(MAKE) -C plugins_rust coverage
 
diff --git a/mcp-servers/rust/fast-test-server/deny.toml b/mcp-servers/rust/fast-test-server/deny.toml
@@ -0,0 +1,27 @@
+# Cargo-deny config: license and policy checks for this crate.
+# See https://embarkstudios.github.io/cargo-deny/
+
+[licenses]
+unused-allowed-license = "allow"
+confidence-threshold = 0.95
+allow = [
+    # Currently used across our Rust projects
+    "Apache-2.0",
+    "BSD-2-Clause",
+    "BSD-3-Clause",
+    "BSL-1.0",
+    "CC0-1.0",
+    "ISC",
+    "LGPL-2.1-or-later",
+    "MIT",
+    "MIT-0",
+    "OpenSSL",
+    "Unicode-3.0",
+    "Unicode-DFS-2016",
+    "Unlicense",
+    "Zlib",
+    # Common safe licenses in the Rust ecosystem
+    "0BSD",
+    "Apache-2.0 WITH LLVM-exception",
+    "Unicode-DFS-2015",
+]
diff --git a/mcp-servers/rust/filesystem-server/Cargo.toml b/mcp-servers/rust/filesystem-server/Cargo.toml
@@ -3,6 +3,7 @@ name = "filesystem-server"
 version = "0.1.0"
 edition = "2024"
 authors = ["Matheus Cafalchio"]
+license = "Apache-2.0"
 
 
 [dependencies]
diff --git a/mcp-servers/rust/filesystem-server/deny.toml b/mcp-servers/rust/filesystem-server/deny.toml
@@ -0,0 +1,27 @@
+# Cargo-deny config: license and policy checks for this crate.
+# See https://embarkstudios.github.io/cargo-deny/
+
+[licenses]
+unused-allowed-license = "allow"
+confidence-threshold = 0.95
+allow = [
+    # Currently used across our Rust projects
+    "Apache-2.0",
+    "BSD-2-Clause",
+    "BSD-3-Clause",
+    "BSL-1.0",
+    "CC0-1.0",
+    "ISC",
+    "LGPL-2.1-or-later",
+    "MIT",
+    "MIT-0",
+    "OpenSSL",
+    "Unicode-3.0",
+    "Unicode-DFS-2016",
+    "Unlicense",
+    "Zlib",
+    # Common safe licenses in the Rust ecosystem
+    "0BSD",
+    "Apache-2.0 WITH LLVM-exception",
+    "Unicode-DFS-2015",
+]
diff --git a/plugins_rust/Makefile b/plugins_rust/Makefile
@@ -1,7 +1,7 @@
 # Makefile for Rust Plugins
 # Automatically discovers and installs all plugins (subdirectories with Cargo.toml)
 
-.PHONY: install clean list help build test fmt clippy doc test-python test-verbose clean-all fmt-check doc-open bench bench-compare compare check verify verify-stubs clean-stubs test-integration test-all uninstall
+.PHONY: install clean list help build test fmt clippy doc test-python test-verbose clean-all fmt-check doc-open bench bench-compare compare check verify verify-stubs clean-stubs test-integration test-all uninstall deny
 
 # Discover all plugin directories containing Cargo.toml
 PLUGIN_DIRS := $(shell find . -mindepth 1 -maxdepth 1 -type d -exec test -f {}/Cargo.toml \; -print | sed 's|^\./||' | sort)
@@ -162,6 +162,14 @@ audit:
 	done
 	@echo "✓ All plugins audited successfully"
 
+deny:
+	@echo "Running cargo-deny policy checks for all Rust plugins..."
+	@for plugin in $(PLUGIN_DIRS); do \
+		echo "Checking dependency policy: $$plugin"; \
+		(cd $$plugin && cargo deny check licenses bans sources) || exit 1; \
+	done
+	@echo "✓ All plugins passed cargo-deny"
+
 coverage:
 	@echo "Running coverage for all Rust plugins..."
 	@for plugin in $(PLUGIN_DIRS); do \
diff --git a/plugins_rust/encoded_exfil_detection/deny.toml b/plugins_rust/encoded_exfil_detection/deny.toml
@@ -0,0 +1,27 @@
+# Cargo-deny config: license and policy checks for this crate.
+# See https://embarkstudios.github.io/cargo-deny/
+
+[licenses]
+unused-allowed-license = "allow"
+confidence-threshold = 0.95
+allow = [
+    # Currently used across our Rust projects
+    "Apache-2.0",
+    "BSD-2-Clause",
+    "BSD-3-Clause",
+    "BSL-1.0",
+    "CC0-1.0",
+    "ISC",
+    "LGPL-2.1-or-later",
+    "MIT",
+    "MIT-0",
+    "OpenSSL",
+    "Unicode-3.0",
+    "Unicode-DFS-2016",
+    "Unlicense",
+    "Zlib",
+    # Common safe licenses in the Rust ecosystem
+    "0BSD",
+    "Apache-2.0 WITH LLVM-exception",
+    "Unicode-DFS-2015",
+]
diff --git a/plugins_rust/pii_filter/deny.toml b/plugins_rust/pii_filter/deny.toml
@@ -0,0 +1,27 @@
+# Cargo-deny config: license and policy checks for this crate.
+# See https://embarkstudios.github.io/cargo-deny/
+
+[licenses]
+unused-allowed-license = "allow"
+confidence-threshold = 0.95
+allow = [
+    # Currently used across our Rust projects
+    "Apache-2.0",
+    "BSD-2-Clause",
+    "BSD-3-Clause",
+    "BSL-1.0",
+    "CC0-1.0",
+    "ISC",
+    "LGPL-2.1-or-later",
+    "MIT",
+    "MIT-0",
+    "OpenSSL",
+    "Unicode-3.0",
+    "Unicode-DFS-2016",
+    "Unlicense",
+    "Zlib",
+    # Common safe licenses in the Rust ecosystem
+    "0BSD",
+    "Apache-2.0 WITH LLVM-exception",
+    "Unicode-DFS-2015",
+]
diff --git a/plugins_rust/secrets_detection/deny.toml b/plugins_rust/secrets_detection/deny.toml
@@ -0,0 +1,27 @@
+# Cargo-deny config: license and policy checks for this crate.
+# See https://embarkstudios.github.io/cargo-deny/
+
+[licenses]
+unused-allowed-license = "allow"
+confidence-threshold = 0.95
+allow = [
+    # Currently used across our Rust projects
+    "Apache-2.0",
+    "BSD-2-Clause",
+    "BSD-3-Clause",
+    "BSL-1.0",
+    "CC0-1.0",
+    "ISC",
+    "LGPL-2.1-or-later",
+    "MIT",
+    "MIT-0",
+    "OpenSSL",
+    "Unicode-3.0",
+    "Unicode-DFS-2016",
+    "Unlicense",
+    "Zlib",
+    # Common safe licenses in the Rust ecosystem
+    "0BSD",
+    "Apache-2.0 WITH LLVM-exception",
+    "Unicode-DFS-2015",
+]
diff --git a/tools_rust/mcp_runtime/deny.toml b/tools_rust/mcp_runtime/deny.toml
@@ -0,0 +1,27 @@
+# Cargo-deny config: license and policy checks for this crate.
+# See https://embarkstudios.github.io/cargo-deny/
+
+[licenses]
+unused-allowed-license = "allow"
+confidence-threshold = 0.95
+allow = [
+    # Currently used across our Rust projects
+    "Apache-2.0",
+    "BSD-2-Clause",
+    "BSD-3-Clause",
+    "BSL-1.0",
+    "CC0-1.0",
+    "ISC",
+    "LGPL-2.1-or-later",
+    "MIT",
+    "MIT-0",
+    "OpenSSL",
+    "Unicode-3.0",
+    "Unicode-DFS-2016",
+    "Unlicense",
+    "Zlib",
+    # Common safe licenses in the Rust ecosystem
+    "0BSD",
+    "Apache-2.0 WITH LLVM-exception",
+    "Unicode-DFS-2015",
+]
diff --git a/tools_rust/wrapper/Makefile b/tools_rust/wrapper/Makefile
@@ -94,8 +94,11 @@ coverage cov cv:
 	@echo "Coverage report generated at target/llvm-cov/html/index.html"
 	@xdg-open target/llvm-cov/html/index.html 2>/dev/null || true
 
-# help: licenses		- Check licenses
-licenses license lic l:
-	@echo Check licenses
+# help: deny		- Run cargo-deny license and policy checks
+deny:
+	@echo "Running cargo-deny checks"
 	@cargo install cargo-deny
-	@cargo deny check licenses
+	@cargo deny check
+
+# help: licenses		- Check licenses
+licenses license lic l: deny
diff --git a/tools_rust/wrapper/deny.toml b/tools_rust/wrapper/deny.toml
@@ -1,19 +1,27 @@
+# Cargo-deny config: license and policy checks for this crate.
+# See https://embarkstudios.github.io/cargo-deny/
+
 [licenses]
-unused-allowed-license = "warn"
+unused-allowed-license = "allow"
 confidence-threshold = 0.95
 allow = [
-    "MIT",
-    "ISC",
+    # Currently used across our Rust projects
     "Apache-2.0",
+    "BSD-2-Clause",
+    "BSD-3-Clause",
+    "BSL-1.0",
+    "CC0-1.0",
+    "ISC",
+    "LGPL-2.1-or-later",
+    "MIT",
+    "MIT-0",
     "OpenSSL",
     "Unicode-3.0",
-    "BSD-3-Clause",
-    "CDLA-Permissive-2.0",
+    "Unicode-DFS-2016",
+    "Unlicense",
+    "Zlib",
+    # Common safe licenses in the Rust ecosystem
+    "0BSD",
+    "Apache-2.0 WITH LLVM-exception",
+    "Unicode-DFS-2015",
 ]
-
-#[[licenses.clarify]]
-#name = "ring"
-#expression = "MIT AND ISC AND OpenSSL"
-#license-files = [
-#    { path = "LICENSE", hash = 0xbd0eed23 }
-#]
