docs: Document how to vet dependencies

[doc only]
2023-03-21 11:50:47 +01:00 · 2023-03-21 11:50:47 +01:00 · 5059fa66eb
--- a/.dictionary
+++ b/.dictionary
@ -1,4 +1,4 @@
-personal_ws-1.1 en 256 utf-8
+personal_ws-1.1 en 257 utf-8
 AAR
 AARs
 ABI
@ -75,6 +75,7 @@ SDK's
 SDKs
 SRE
 Solaris
+Sourcegraph
 TLDs
 TODO
 TSan
--- a/docs/dev/SUMMARY.md
+++ b/docs/dev/SUMMARY.md
@ -21,6 +21,7 @@
 - [Rust Component](core/index.md)
    - [Documentation guidelines](core/documentation-guidelines.md)
    - [Dependency Management](core/dependency-management.md)
+      - [Dependency Vetting](core/dependency-vetting.md)
    - [Adding a new metric type](core/new-metric-type.md)
        - [Kotlin](core/new-metric-type/kotlin.md)
        - [Swift](core/new-metric-type/swift.md)
--- a/docs/dev/core/dependency-vetting.md
+++ b/docs/dev/core/dependency-vetting.md
@ -0,0 +1,62 @@
+# Dependency vetting
+
+[cargo-vet]: https://mozilla.github.io/cargo-vet/index.html
+
+The Glean SDK uses `cargo-vet` to ensure that third-party Rust dependencies have been audited by a trusted entity.
+For a full overview over `cargo-vet`'s capabilities and usage see the [`cargo-vet` documentation][cargo-vet].
+
+New or updated dependencies need to be audited to allow their usage.
+Dependency audits are shared with downstream Mozilla projects.
+
+> **Note:** Please be thorough when auditing dependencies.
+
+## 3-step guide
+
+* `cargo vet`
+* `cargo vet diff $crate $old-version $new-version`
+* `cargo vet certify`
+
+## Longer guide
+
+### Prerequisites
+
+Install `cargo-vet`:
+
+```
+cargo install cargo-vet
+```
+
+### Auditing steps
+
+After adding or updating a dependency start the audit process:
+
+```
+cargo vet
+```
+
+This will scan the dependencies for any missing audits and show instructions how to proceed.
+For dependency updates you should start by looking at the diff.
+For new dependencies you will look at the full code.
+
+This will be something like the following command for any dependency:
+
+```
+cargo vet diff $crate $old-version $new-version
+```
+
+Please read the printed criteria and consider them when performing the audit.
+If unsure please ask other Glean engineers for help.
+
+It will then provide you with a Sourcegraph link to inspect the code.
+Alternatively you can run with `--mode=local` to get a diff view in your terminal.
+
+Once you have reviewed run:
+
+```
+cargo vet certify
+```
+
+and follow the instructions.
+
+Finally you will notice the audit being added to `supply-chain/audits.toml`.
+Add this file to your commit and create a pull request.