A security workflow does not currently exist as part of the CI/CD or security workflows in the Rust repository. This is necessary to satisfy the security requirements of open-telemetry/opentelemetry-specification#1333.
CodeQL is the common security scanning tool that is currently used for all of the supported OpenTelemetry language repositories (Go, Java, JavaScript, Python, C++, etc.). Unfortunately CodeQL does not offer support for Rust, so an alternative would need to be found.
We evaluated different possibilities, but there seem to be few code scanning tools available for Rust that could be integrated with GitHub Actions. The following code scanning tools for Rust could work:
Rust Audit Check. This tool, however, only checks for reported security vulnerabilities in dependencies.
We’d like to better understand the opinions from Rust engineers on a recommended code scanning tool so that one may be added for open-telemetry/oteps#144.
I like to use cargo-deny, which will check for vulnerable dependencies but can also help check for inappropriate licenses and duplicate dependency versions.
Should we also consider adding a license check? I ran a quick check with cargo deny. The only crate that seems to be a problem is ring. It contains a custom LICENSE file. The template in cargo deny describes ring's LICENSE as MIT AND ISC AND OpenSSL. I suppose this is compatible with our repo's license?
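The three cargo-deny checks mentioned in this thread (advisories for vulnerable dependencies, licenses, and bans for duplicate versions) are all driven by a deny.toml at the repository root, and the ring case above is handled with a license clarification. The following deny.toml is an added example and not a file from the opentelemetry-rust repository; the allow-list of licenses, the severity levels, the hash placeholder and the key names (taken from the cargo-deny template of that period) are assumptions to verify against the installed cargo-deny version.

```toml
# deny.toml (constructed example, not the project's own configuration)
# Run in CI with `cargo deny check` (for example via EmbarkStudios/cargo-deny-action).

[advisories]
# Fail the build on any RustSec advisory with a known vulnerability;
# only warn on unmaintained, yanked or informational entries so the
# security signal stays actionable.
vulnerability = "deny"
unmaintained = "warn"
yanked = "warn"
notice = "warn"
# Advisory IDs that have been reviewed and accepted go here, with a reason.
ignore = []

[licenses]
# A crate whose license cannot be detected must not slip through silently.
unlicensed = "deny"
# Assumed allow-list; adjust to the repository's own license policy.
allow = ["Apache-2.0", "MIT", "BSD-3-Clause", "ISC"]
copyleft = "deny"
# Minimum confidence for cargo-deny's license-text detection.
confidence-threshold = 0.8
# ring carries a custom LICENSE file, so its combined expression is stated
# explicitly instead of being inferred from the file contents.
exceptions = [
    { allow = ["OpenSSL"], name = "ring" },
]

[[licenses.clarify]]
name = "ring"
expression = "MIT AND ISC AND OpenSSL"
# cargo-deny only applies the clarification while the LICENSE file matches
# this hash; the value below is a placeholder to replace with the hash of the
# vendored crate's LICENSE file, so a silent license change is still caught.
license-files = [
    { path = "LICENSE", hash = 0x00000000 },
]

[bans]
# Duplicate versions of one crate inflate the dependency tree and the
# advisory surface; warn first, tighten to "deny" once the tree is clean.
multiple-versions = "warn"
# Wildcard version requirements make the build non-reproducible.
wildcards = "deny"
# Crates whose duplicate versions are known and accepted.
skip = []
```

With this file in place, `cargo deny check advisories licenses bans` exits non-zero on a vulnerable dependency, an unlicensed or copyleft crate, or a wildcard requirement, while the ring clarification keeps the license check from failing on its custom LICENSE file as long as that file is unchanged.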
cc @KKelvinLo @alolita