github-actions: Add cargo-deny

Adds cargo-deny to scan for vulnerabilities and license issues regarding
rust crates.

Some modifications were required for the repo to pass the tests:

 Updates ttrpc to avoid using nix 0.16.0
   https://rustsec.org/advisories/RUSTSEC-2021-0119

 Updates slog-json to avoid MLP license (copyleft)

 Updates crossbeam-channel due to yanked package

 Ignores https://rustsec.org/advisories/RUSTSEC-2020-0071
   because chrono is dependent on that version of time.
   chronotope/chrono#578

 Allow multiple versions of the same package
  (package dependencies require this)

 Adds "oci" to src/libs workplace

 Adds Apache-2.0 license to workplace modules that did not have them
 because cargo-deny complains about them not having licenses.

Notes
GitHub Actions does not have an obvious way to loop over each of the
Cargo.toml files, so they have been hardcoded as separate steps. An
alternative that works is to use a matrix variable to run each
directory in a separate job. I opted not to do that because it uses a
bunch of runners and generates a lot of jobs, but open to feedback.

Signed-off-by: Derek Lee <[email protected]>

Author: Derek Lee

.github/cargo-deny-composite-action/action.yaml

@@ -0,0 +1,86 @@
+name: 'Cargo Crates Check'
+description: 'Checks every Cargo.toml file using cargo-deny'
+inputs:
+  command:
+    description: Either 'advisories' or 'bans licenses sources'
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - uses: actions/checkout@v3
+      with:
+        path: ${{ github.repository }}
+      # https://github.com/actions/runner/issues/1300
+      
+    - name: src/agent/Cargo.toml
+      uses: EmbarkStudios/cargo-deny-action@v1
+      with:
+        arguments: --manifest-path "./cargo-deny-action-copy/src/agent/Cargo.toml"
+        command: check ${{ inputs.command }}
+
+    - name: src/agent/rustjail/Cargo.toml
+      uses: EmbarkStudios/cargo-deny-action@v1
+      with:
+        arguments: --manifest-path "./cargo-deny-action-copy/src/agent/rustjail/Cargo.toml"
+        command: check ${{ inputs.command }}
+
+    - name: src/agent/vsock-exporter/Cargo.toml
+      uses: EmbarkStudios/cargo-deny-action@v1
+      with:
+        arguments: --manifest-path "./cargo-deny-action-copy/src/agent/vsock-exporter/Cargo.toml"
+        command: check ${{ inputs.command }}
+
+    - name: src/libs/logging/Cargo.toml
+      uses: EmbarkStudios/cargo-deny-action@v1
+      with:
+        arguments: --manifest-path "./cargo-deny-action-copy/src/libs/logging/Cargo.toml"
+        command: check ${{ inputs.command }}
+
+    - name: src/libs/oci/Cargo.toml
+      uses: EmbarkStudios/cargo-deny-action@v1
+      with:
+        arguments: --manifest-path "./cargo-deny-action-copy/src/libs/oci/Cargo.toml"
+        command: check ${{ inputs.command }}
+
+    - name: src/libs/protocols/Cargo.toml
+      uses: EmbarkStudios/cargo-deny-action@v1
+      with:
+        arguments: --manifest-path "./cargo-deny-action-copy/src/libs/protocols/Cargo.toml"
+        command: check ${{ inputs.command }}
+
+    - name: src/libs/safe-path/Cargo.toml
+      uses: EmbarkStudios/cargo-deny-action@v1
+      with:
+        arguments: --manifest-path "./cargo-deny-action-copy/src/libs/safe-path/Cargo.toml"
+        command: check ${{ inputs.command }}
+
+    - name: src/libs/Cargo.toml
+      uses: EmbarkStudios/cargo-deny-action@v1
+      with:
+        arguments: --manifest-path "./cargo-deny-action-copy/src/libs/Cargo.toml"
+        command: check ${{ inputs.command }}
+
+    - name: src/tools/agent-ctl/Cargo.toml
+      uses: EmbarkStudios/cargo-deny-action@v1
+      with:
+        arguments: --manifest-path "./cargo-deny-action-copy/src/tools/agent-ctl/Cargo.toml"
+        command: check ${{ inputs.command }}
+
+    - name: src/tools/runk/libcontainer/Cargo.toml
+      uses: EmbarkStudios/cargo-deny-action@v1
+      with:
+        arguments: --manifest-path "./cargo-deny-action-copy/src/tools/runk/libcontainer/Cargo.toml"
+        command: check ${{ inputs.command }}
+
+    - name: src/tools/runk/Cargo.toml
+      uses: EmbarkStudios/cargo-deny-action@v1
+      with:
+        arguments: --manifest-path "./cargo-deny-action-copy/src/tools/runk/Cargo.toml"
+        command: check ${{ inputs.command }}
+
+    - name: src/tools/trace-forwarder/Cargo.toml
+      uses: EmbarkStudios/cargo-deny-action@v1
+      with:
+        arguments: --manifest-path "./cargo-deny-action-copy/src/tools/trace-forwarder/Cargo.toml"
+        command: check ${{ inputs.command }}

.github/cargo-deny-composite-action/cargo-deny-action.yaml

@@ -0,0 +1,87 @@
+name: Cargo Crates Check
+on: [pull_request]
+jobs:
+  cargo-deny:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        checks:
+          - advisories
+          - bans licenses sources
+
+    continue-on-error: true
+
+    steps:
+      - uses: actions/checkout@v3
+      
+      - name: src/agent/Cargo.toml
+        uses: EmbarkStudios/cargo-deny-action@v1
+        with:
+          arguments: --manifest-path ./src/agent/Cargo.toml
+          command: check ${{ matrix.checks }}
+
+      - name: src/agent/rustjail/Cargo.toml
+        uses: EmbarkStudios/cargo-deny-action@v1
+        with:
+          arguments: --manifest-path ./src/agent/rustjail/Cargo.toml
+          command: check ${{ matrix.checks }}
+
+      - name: src/agent/vsock-exporter/Cargo.toml
+        uses: EmbarkStudios/cargo-deny-action@v1
+        with:
+          arguments: --manifest-path ./src/agent/vsock-exporter/Cargo.toml
+          command: check ${{ matrix.checks }}
+
+      - name: src/libs/logging/Cargo.toml
+        uses: EmbarkStudios/cargo-deny-action@v1
+        with:
+          arguments: --manifest-path ./src/libs/logging/Cargo.toml
+          command: check ${{ matrix.checks }}
+
+      - name: src/libs/oci/Cargo.toml
+        uses: EmbarkStudios/cargo-deny-action@v1
+        with:
+          arguments: --manifest-path ./src/libs/oci/Cargo.toml
+          command: check ${{ matrix.checks }}
+
+      - name: src/libs/protocols/Cargo.toml
+        uses: EmbarkStudios/cargo-deny-action@v1
+        with:
+          arguments: --manifest-path ./src/libs/protocols/Cargo.toml
+          command: check ${{ matrix.checks }}
+
+      - name: src/libs/safe-path/Cargo.toml
+        uses: EmbarkStudios/cargo-deny-action@v1
+        with:
+          arguments: --manifest-path ./src/libs/safe-path/Cargo.toml
+          command: check ${{ matrix.checks }}
+
+      - name: src/libs/Cargo.toml
+        uses: EmbarkStudios/cargo-deny-action@v1
+        with:
+          arguments: --manifest-path ./src/libs/Cargo.toml
+          command: check ${{ matrix.checks }}
+
+      - name: src/tools/agent-ctl/Cargo.toml
+        uses: EmbarkStudios/cargo-deny-action@v1
+        with:
+          arguments: --manifest-path ./src/tools/agent-ctl/Cargo.toml
+          command: check ${{ matrix.checks }}
+
+      - name: src/tools/runk/libcontainer/Cargo.toml
+        uses: EmbarkStudios/cargo-deny-action@v1
+        with:
+          arguments: --manifest-path ./src/tools/runk/libcontainer/Cargo.toml
+          command: check ${{ matrix.checks }}
+
+      - name: src/tools/runk/Cargo.toml
+        uses: EmbarkStudios/cargo-deny-action@v1
+        with:
+          arguments: --manifest-path ./src/tools/runk/Cargo.toml
+          command: check ${{ matrix.checks }}
+
+      - name: src/tools/trace-forwarder/Cargo.toml
+        uses: EmbarkStudios/cargo-deny-action@v1
+        with:
+          arguments: --manifest-path ./src/tools/trace-forwarder/Cargo.toml
+          command: check ${{ matrix.checks }}

.github/cargo-deny-composite-action/cargo-deny-generator.sh

@@ -0,0 +1,24 @@
+#!/bin/bash
+script_dir=$(dirname "$(readlink -f "$0")")
+parent_dir=$(realpath "${script_dir}/../..")
+cargo_tomls=$(find "${parent_dir}" -name Cargo.toml)
+
+temp_checkout_dir="./cargo-deny-action-copy"
+
+cargo_deny_file="${script_dir}/action.yaml"
+
+cat cargo-deny-skeleton.yaml.in > "${cargo_deny_file}"
+
+for path in $cargo_tomls
+do
+    path=$(realpath --relative-to="${parent_dir}" "${path}")
+
+    cat >> "${cargo_deny_file}" << EOF
+
+    - name: ${path}
+      uses: EmbarkStudios/cargo-deny-action@v1
+      with:
+        arguments: --manifest-path "${temp_checkout_dir}/${path}"
+        command: check \${{ inputs.command }}
+EOF
+done

.github/cargo-deny-composite-action/cargo-deny-skeleton.yaml.in

@@ -0,0 +1,14 @@
+name: 'Cargo Crates Check'
+description: 'Checks every Cargo.toml file using cargo-deny'
+inputs:
+  command:
+    description: Either 'advisories' or 'bans licenses sources'
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - uses: actions/checkout@v3
+      path: ./cargo-deny-action-copy/
+      # https://github.com/actions/runner/issues/1300
+      

.github/workflows/.old-cargo-deny.yaml

@@ -0,0 +1,90 @@
+name: Cargo Crates Check
+on: [pull_request]
+jobs:
+  cargo-deny:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        checks:
+          - advisories
+          - bans licenses sources
+
+    continue-on-error: true
+
+    # Github Actions does not have a clean way of looping
+    # Could use matrix, but leads to 12+ jobs being run separately
+
+    steps:
+      - uses: actions/checkout@v2
+      
+      - name: src/agent/Cargo.toml
+        uses: EmbarkStudios/cargo-deny-action@v1
+        with:
+          arguments: --manifest-path ./src/agent/Cargo.toml
+          command: check ${{ matrix.checks }}
+
+      - name: src/agent/rustjail/Cargo.toml
+        uses: EmbarkStudios/cargo-deny-action@v1
+        with:
+          arguments: --manifest-path ./src/agent/rustjail/Cargo.toml
+          command: check ${{ matrix.checks }}
+
+      - name: src/agent/vsock-exporter/Cargo.toml
+        uses: EmbarkStudios/cargo-deny-action@v1
+        with:
+          arguments: --manifest-path ./src/agent/vsock-exporter/Cargo.toml
+          command: check ${{ matrix.checks }}
+
+      - name: src/libs/logging/Cargo.toml
+        uses: EmbarkStudios/cargo-deny-action@v1
+        with:
+          arguments: --manifest-path ./src/libs/logging/Cargo.toml
+          command: check ${{ matrix.checks }}
+
+      - name: src/libs/oci/Cargo.toml
+        uses: EmbarkStudios/cargo-deny-action@v1
+        with:
+          arguments: --manifest-path ./src/libs/oci/Cargo.toml
+          command: check ${{ matrix.checks }}
+
+      - name: src/libs/protocols/Cargo.toml
+        uses: EmbarkStudios/cargo-deny-action@v1
+        with:
+          arguments: --manifest-path ./src/libs/protocols/Cargo.toml
+          command: check ${{ matrix.checks }}
+
+      - name: src/libs/safe-path/Cargo.toml
+        uses: EmbarkStudios/cargo-deny-action@v1
+        with:
+          arguments: --manifest-path ./src/libs/safe-path/Cargo.toml
+          command: check ${{ matrix.checks }}
+
+      - name: src/libs/Cargo.toml
+        uses: EmbarkStudios/cargo-deny-action@v1
+        with:
+          arguments: --manifest-path ./src/libs/Cargo.toml
+          command: check ${{ matrix.checks }}
+
+      - name: src/tools/agent-ctl/Cargo.toml
+        uses: EmbarkStudios/cargo-deny-action@v1
+        with:
+          arguments: --manifest-path ./src/tools/agent-ctl/Cargo.toml
+          command: check ${{ matrix.checks }}
+
+      - name: src/tools/runk/libcontainer/Cargo.toml
+        uses: EmbarkStudios/cargo-deny-action@v1
+        with:
+          arguments: --manifest-path ./src/tools/runk/libcontainer/Cargo.toml
+          command: check ${{ matrix.checks }}
+
+      - name: src/tools/runk/Cargo.toml
+        uses: EmbarkStudios/cargo-deny-action@v1
+        with:
+          arguments: --manifest-path ./src/tools/runk/Cargo.toml
+          command: check ${{ matrix.checks }}
+
+      - name: src/tools/trace-forwarder/Cargo.toml
+        uses: EmbarkStudios/cargo-deny-action@v1
+        with:
+          arguments: --manifest-path ./src/tools/trace-forwarder/Cargo.toml
+          command: check ${{ matrix.checks }}

.github/workflows/cargo-deny-master.yaml

@@ -0,0 +1,20 @@
+name: Cargo Crates Check
+on: [pull_request]
+jobs:
+  cargo-deny-master:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        checks:
+          - advisories
+          - bans licenses sources
+
+#    continue-on-error: ${{ matrix.checks = 'advisories' }}
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          path: ./.github/cargo-deny-action/
+      - uses: ./.github/cargo-deny-action/
+        with:
+          command: ${{ matrix.checks }}