Run cargo deny check in Analyze job (#2340)

* Run `cargo deny check` in Analyze job

* Add BSL-1.0 to approved licenses

* Fix lint

* Enable running cargo-deny in pipeline

* Update dependencies and remove ring dependency

The `reqwest_rustls` feature now enables `rustls-tls-native-roots-no-provider` instead of `rustls-tls-native-roots`, which removes the ring dependency.

* Document features

Author: heaths

.vscode/cspell.json

@@ -17,6 +17,7 @@
     ".vscode/settings.json",
     ".vscode/tasks.json",
     "NOTICE.txt",
+    "deny.toml",
     "eng/",
     "**/.dict.txt",
     "rust-toolchain.toml"

Cargo.lock

@@ -0,0 +1,40 @@
+[graph]
+all-features = true
+exclude-dev = true
+
+[advisories]
+git-fetch-with-cli = true
+ignore = [
+    { id = "RUSTSEC-2024-0384", reason = "We're tracking https://github.com/minghuaw/fe2o3-amqp/issues/306" },
+]
+
+[licenses]
+allow = [
+    "Apache-2.0",
+    "BSD-3-Clause",
+    "BSL-1.0",
+    "ISC",
+    "MIT",
+    # "OpenSSL",
+    "Unicode-3.0",
+]
+
+[[licenses.clarify]]
+name = "ring"
+expression = "MIT AND ISC AND OpenSSL"
+license-files = [
+    { path = "LICENSE", hash = 0xbd0eed23 },
+]
+
+[bans]
+multiple-versions = "allow"
+wildcards = "deny"
+allow-wildcard-paths = true
+deny = [
+    "ring",
+    "smol",
+]
+
+[sources]
+unknown-registry = "deny"
+unknown-git = "deny"

deny.toml

@@ -9,4 +9,5 @@ repr
 rustc
 rustflags
 rustls
+rustsec
 turbofish

eng/dict/rust-custom.txt

@@ -41,6 +41,7 @@ jobs:
       arguments: >
         -PackageInfoDirectory '$(Build.ArtifactStagingDirectory)/PackageInfo'
         -SkipPackageAnalysis:('$(NoPackagesChanged)' -eq 'true')
+        -Deny
 
   - template: /eng/common/pipelines/templates/steps/check-spelling.yml
     parameters: