This repository has been archived by the owner on Sep 26, 2023. It is now read-only.

Add cargo deny to audit licenses of dependencies #40

Merged
merged 2 commits into from
Aug 31, 2023

Conversation

expressvpn-mariappan-r (Collaborator) commented Aug 30, 2023

Description

  • Add earthly target check-license for checking licenses
  • Update GitHub Actions to run cargo deny licenses sources bans on every PR, excluding advisories
  • Add a GitHub Actions nightly job to run cargo deny including advisories
  • Updated the CA cert for the openquantumsafe test site, which is used in the example

Motivation and Context

Auditing the workspace (and its dependency graph) for security, licensing and other issues using cargo-deny.

How Has This Been Tested?

Verified that cargo deny sources licenses runs successfully locally.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • My code follows the code style of this project.
  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • All active GitHub checks are passing
  • The correct base branch is being used, if not main

CLAassistant commented Aug 30, 2023

CLA assistant check
All committers have signed the CLA.

Review comment on deny.toml (outdated, resolved)
expressvpn-mariappan-r changed the title from "[LIT-37] Add cargo deny to audit licenses of dependencies" to "Add cargo deny to audit licenses of dependencies" on Aug 30, 2023
expressvpn-ian-c (Contributor)

https://github.com/expressvpn/wolfssl-sys/actions/runs/6021857682/job/16335468877?pr=40 failed but CI shows passed -- I guess we need to propagate an error code or something?

Review comment on .github/workflows/nightly-cargo-deny.yaml (outdated, resolved)
Review comment on deny.toml (outdated, resolved), on these lines:
allow-registry = ["https://github.com/rust-lang/crates.io-index"]
# List of URLs for allowed Git repositories
allow-git = [
]
Contributor

I think you need to add the liboqs repo here -- or maybe we can switch back to the released version now that 0.8.0 is out?

Collaborator Author

Yes, makes sense to update the deps since it was released last week.

Collaborator

We should switch back to using the crate now that it has been released. This is on my todo list for this week, but if you're already working in this area, feel free to make the change 🙂

Collaborator Author

It became a chicken-and-egg problem when I tried to upgrade liboqs to 0.8.0.

Issue:

The latest version of wolfssl v5.6.3 was released on June 21:
https://github.com/wolfSSL/wolfssl/releases/tag/v5.6.3-stable

But liboqs renamed some of its APIs on May 17 in this PR:
open-quantum-safe/liboqs#1467

and released v0.8.0 on Aug 21

WolfSSL updated its API to accommodate the above rename in this PR only on July 12:

But it is not yet released.

So if we have to move liboqs to the crates version, we either have to patch wolfssl in the build script or use the master version of wolfssl. I think we can take this up in a future PR.

expressvpn-mariappan-r (Collaborator Author)

https://github.com/expressvpn/wolfssl-sys/actions/runs/6021857682/job/16335468877?pr=40 failed but CI shows passed -- I guess we need to propagate an error code or something?

This is actually a warning, and cargo-deny ran successfully. That's why the GA run succeeded.

But the run is actually succeeding for me without any warnings locally (typical "works for me" scenario).
Checking why there is a difference between my environment and the GitHub one.

expressvpn deleted a comment from xv-ian-c Aug 30, 2023
expressvpn-ian-c (Contributor)

This is actually a warning and cargo-deny ran successfully.

Oh, I missed that.

I think we should consider making most of these things actual errors; a warning hidden in a passing CI job no one will ever notice.

But the run is actually succeeding for me without any warnings locally (typical "works for me" scenario).
Checking why there is a difference between my environment and the GitHub one.

cargo deny fetch or cargo install -f cargo-deny are my usual "fix" when this sort of thing happens; CI naturally gets the very latest of everything.

expressvpn-mariappan-r (Collaborator Author)

Found the issue: the GitHub run uses --all-features, which I was not adding when running locally:

❯ cargo deny check license sources bans
bans ok, licenses ok, sources ok
❯ cargo deny --all-features check license sources bans
error[source-not-allowed]: detected 'git' source not explicitly allowed
   ┌─ /home/maari/work/expressvpn/wolfssl-sys/Cargo.lock:22:15
   │
22 │ oqs-sys 0.7.2 git+https://github.com/open-quantum-safe/liboqs-rust?rev=10c540350d86fa71110b325f4883f421cb326970#10c540350d86fa71110b325f4883f421cb326970
   │               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ source
   │
   = oqs-sys v0.7.2
     └── wolfssl-sys v0.1.15

bans ok, licenses ok, sources FAILED
❯ 
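
The thread above leaves three practical points: the `sources` check only sees the `oqs-sys` git dependency when `--all-features` is passed (so CI and local runs must use the same flags), an unlisted git source has to be added to `allow-git` or the check fails, and findings that surface only as warnings in a green CI job get ignored. The following deny.toml is an added example that ties these together; it is not the project's own file (only the `allow-registry`/`allow-git` lines above are quoted from it). The liboqs-rust repository URL and the crates.io index URL are taken from the thread; the license allow-list and the severity choices are assumptions to adapt to the project's policy, and the invocation lines in the comments follow the PR description (licenses, sources and bans on every PR; advisories added in the nightly job).

```toml
# deny.toml (added example; not the project's actual configuration)
#
# Run the same way CI does, otherwise optional features (and the git
# dependencies they pull in) are silently skipped, as seen above:
#   per-PR job:  cargo deny --all-features check licenses sources bans
#   nightly job: cargo deny --all-features check        (all checks, incl. advisories)

[advisories]
# Only the nightly job runs this check; a newly published RUSTSEC advisory
# should fail that job rather than only print a warning.
vulnerability = "deny"
unmaintained = "warn"
yanked = "deny"
notice = "warn"
ignore = []   # RUSTSEC ids with a justification, once triaged

[licenses]
# Fail on crates without a detectable license and on licenses outside the
# allow-list. The list itself is an assumption; align it with the project's
# actual licensing policy before adopting.
unlicensed = "deny"
allow = [
    "MIT",
    "Apache-2.0",
    "BSD-3-Clause",
    "GPL-2.0",
]
confidence-threshold = 0.8

[bans]
# Duplicate versions are noisy but not a policy failure; unpinned wildcard
# versions are.
multiple-versions = "warn"
wildcards = "deny"
highlight = "all"

[sources]
# Defaults for the two unknown-* settings are "warn", which is exactly the
# "warning hidden in a passing CI job" problem raised above. Make them hard
# errors so any source not explicitly listed fails the run.
unknown-registry = "deny"
unknown-git = "deny"
allow-registry = ["https://github.com/rust-lang/crates.io-index"]
# Git source that only appears with --all-features (oqs-sys, via wolfssl-sys).
# Remove this entry once the dependency moves to the released crate.
allow-git = [
    "https://github.com/open-quantum-safe/liboqs-rust",
]
```

With `unknown-git = "deny"`, the `source-not-allowed` failure shown above is the expected outcome for any git dependency that is not in `allow-git`, and the entry for liboqs-rust becomes a visible, reviewable exception that can be deleted when the crate switch discussed earlier happens.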

- Add earthly target `check-license` for checking licenses
- Update github actions to `cargo deny licenses sources bans` on every pr excluding advisories
- Add github action nightly job to run `cargo deny` including advisories
expressvpn-mariappan-r merged commit a8164c6 into main Aug 31, 2023
4 checks passed
expressvpn-ian-c deleted the lit-37-add-cargo-deny branch August 31, 2023 10:56
4 participants