Import Rust crate audits from Mozilla

This commit is contained in:
Jack Grigg 2024-04-22 23:59:40 +00:00
parent 4eb2df6714
commit 6bbd002f59
2 changed files with 225 additions and 76 deletions


@ -4,6 +4,9 @@
[cargo-vet]
version = "0.9"
[imports.mozilla]
url = "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml"
[imports.zcash]
url = "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml"
@ -110,10 +113,6 @@ criteria = "safe-to-deploy"
version = "0.2.14"
criteria = "safe-to-run"
[[exemptions.autocfg]]
version = "1.1.0"
criteria = "safe-to-deploy"
[[exemptions.axum]]
version = "0.6.20"
criteria = "safe-to-deploy"
@ -146,14 +145,6 @@ criteria = "safe-to-deploy"
version = "0.10.1"
criteria = "safe-to-deploy"
[[exemptions.bit-set]]
version = "0.5.3"
criteria = "safe-to-deploy"
[[exemptions.bit-vec]]
version = "0.6.3"
criteria = "safe-to-deploy"
[[exemptions.bitflags]]
version = "1.3.2"
criteria = "safe-to-deploy"
@ -298,22 +289,10 @@ criteria = "safe-to-deploy"
version = "0.8.0"
criteria = "safe-to-deploy"
[[exemptions.debugid]]
version = "0.8.0"
criteria = "safe-to-run"
[[exemptions.digest]]
version = "0.10.7"
criteria = "safe-to-deploy"
[[exemptions.document-features]]
version = "0.2.8"
criteria = "safe-to-deploy"
[[exemptions.either]]
version = "1.9.0"
criteria = "safe-to-deploy"
[[exemptions.equivalent]]
version = "1.0.1"
criteria = "safe-to-deploy"
@ -350,10 +329,6 @@ criteria = "safe-to-deploy"
version = "0.4.2"
criteria = "safe-to-deploy"
[[exemptions.fnv]]
version = "1.0.7"
criteria = "safe-to-deploy"
[[exemptions.fpe]]
version = "0.6.1"
criteria = "safe-to-deploy"
@ -414,14 +389,6 @@ criteria = "safe-to-run"
version = "0.3.21"
criteria = "safe-to-deploy"
[[exemptions.half]]
version = "1.8.2"
criteria = "safe-to-run"
[[exemptions.hashbrown]]
version = "0.12.3"
criteria = "safe-to-deploy"
[[exemptions.hashbrown]]
version = "0.14.2"
criteria = "safe-to-deploy"
@ -446,10 +413,6 @@ criteria = "safe-to-run"
version = "0.3.3"
criteria = "safe-to-deploy"
[[exemptions.hex]]
version = "0.4.3"
criteria = "safe-to-deploy"
[[exemptions.hmac]]
version = "0.12.1"
criteria = "safe-to-deploy"
@ -518,10 +481,6 @@ criteria = "safe-to-deploy"
version = "0.10.0"
criteria = "safe-to-deploy"
[[exemptions.lazy_static]]
version = "1.4.0"
criteria = "safe-to-deploy"
[[exemptions.libc]]
version = "0.2.150"
criteria = "safe-to-deploy"
@ -538,18 +497,10 @@ criteria = "safe-to-deploy"
version = "0.4.11"
criteria = "safe-to-deploy"
[[exemptions.litrs]]
version = "0.4.1"
criteria = "safe-to-deploy"
[[exemptions.lock_api]]
version = "0.4.11"
criteria = "safe-to-run"
[[exemptions.log]]
version = "0.4.20"
criteria = "safe-to-deploy"
[[exemptions.matchit]]
version = "0.7.3"
criteria = "safe-to-deploy"
@ -614,10 +565,6 @@ criteria = "safe-to-deploy"
version = "0.4.4"
criteria = "safe-to-run"
[[exemptions.num-integer]]
version = "0.1.45"
criteria = "safe-to-deploy"
[[exemptions.num-traits]]
version = "0.2.17"
criteria = "safe-to-deploy"
@ -846,10 +793,6 @@ criteria = "safe-to-deploy"
version = "0.101.7"
criteria = "safe-to-deploy"
[[exemptions.rustversion]]
version = "1.0.14"
criteria = "safe-to-deploy"
[[exemptions.rusty-fork]]
version = "0.3.0"
criteria = "safe-to-deploy"
@ -974,10 +917,6 @@ criteria = "safe-to-deploy"
version = "3.8.1"
criteria = "safe-to-deploy"
[[exemptions.textwrap]]
version = "0.16.0"
criteria = "safe-to-run"
[[exemptions.thiserror]]
version = "1.0.50"
criteria = "safe-to-deploy"
@ -990,14 +929,6 @@ criteria = "safe-to-deploy"
version = "0.3.23"
criteria = "safe-to-deploy"
[[exemptions.time-core]]
version = "0.1.1"
criteria = "safe-to-deploy"
[[exemptions.time-macros]]
version = "0.2.10"
criteria = "safe-to-deploy"
[[exemptions.tinytemplate]]
version = "1.2.1"
criteria = "safe-to-run"
@ -1078,10 +1009,6 @@ criteria = "safe-to-deploy"
version = "1.0.12"
criteria = "safe-to-deploy"
[[exemptions.unicode-normalization]]
version = "0.1.22"
criteria = "safe-to-deploy"
[[exemptions.universal-hash]]
version = "0.5.1"
criteria = "safe-to-deploy"
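Review bot: The new `[imports.mozilla]` entry in the first hunk points at a branch (`main`) rather than a fixed revision, so the audit set this project can pull in moves whenever Mozilla's repository does; that is the normal cargo-vet arrangement, but nothing in config.toml records that the imported entries are frozen in imports.lock and only change on an explicit regenerate. Every exemption dropped in the later hunks (autocfg, bit-set, bit-vec, debugid, document-features, either, fnv, half, hashbrown 0.12.3, hex, lazy_static, litrs, log, num-integer, rustversion, textwrap, time-core, time-macros, unicode-normalization) now rests on a Mozilla audit, delta chain or wildcard audit instead of a local decision, and Mozilla's `safe-to-deploy` is accepted as equivalent to this project's criteria without any mapping. A comment above the import such as `# Imported audits are pinned in imports.lock; regenerate deliberately and review the delta before trusting new entries` would make that trust relationship visible to the next maintainer. Whether `[imports.zcash]` is new or context cannot be told from the rendered hunk.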


@ -58,6 +58,13 @@ user-id = 169181
user-login = "nuttycom"
user-name = "Kris Nuttycombe"
[[publisher.unicode-normalization]]
version = "0.1.22"
when = "2022-09-16"
user-id = 1139
user-login = "Manishearth"
user-name = "Manish Goregaokar"
[[publisher.windows-sys]]
version = "0.48.0"
when = "2023-03-31"
@ -211,6 +218,221 @@ user-id = 169181
user-login = "nuttycom"
user-name = "Kris Nuttycombe"
[[audits.mozilla.wildcard-audits.unicode-normalization]]
who = "Manish Goregaokar <manishsmail@gmail.com>"
criteria = "safe-to-deploy"
user-id = 1139 # Manish Goregaokar (Manishearth)
start = "2019-11-06"
end = "2024-05-03"
notes = "All code written or reviewed by Manish"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.autocfg]]
who = "Josh Stone <jistone@redhat.com>"
criteria = "safe-to-deploy"
version = "1.1.0"
notes = "All code written or reviewed by Josh Stone."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.bit-set]]
who = "Aria Beingessner <a.beingessner@gmail.com>"
criteria = "safe-to-deploy"
version = "0.5.2"
notes = "Another crate I own via contain-rs that is ancient and maintenance mode, no known issues."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.bit-set]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.5.2 -> 0.5.3"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.bit-vec]]
who = "Aria Beingessner <a.beingessner@gmail.com>"
criteria = "safe-to-deploy"
version = "0.6.3"
notes = "Another crate I own via contain-rs that is ancient and in maintenance mode but otherwise perfectly fine."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.debugid]]
who = "Gabriele Svelto <gsvelto@mozilla.com>"
criteria = "safe-to-deploy"
version = "0.8.0"
notes = "This crates was written by Sentry and I've fully audited it as Firefox crash reporting machinery relies on it."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.document-features]]
who = "Erich Gubler <erichdongubler@gmail.com>"
criteria = "safe-to-deploy"
version = "0.2.8"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.either]]
who = "Nika Layzell <nika@thelayzells.com>"
criteria = "safe-to-deploy"
version = "1.6.1"
notes = """
Straightforward crate providing the Either enum and trait implementations with
no unsafe code.
"""
aggregated-from = "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml"
[[audits.mozilla.audits.either]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "1.6.1 -> 1.7.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.either]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "1.7.0 -> 1.8.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.either]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "1.8.0 -> 1.8.1"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.fnv]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
version = "1.0.7"
notes = "Simple hasher implementation with no unsafe code."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.half]]
who = "John M. Schanck <jschanck@mozilla.com>"
criteria = "safe-to-deploy"
version = "1.8.2"
notes = """
This crate contains unsafe code for bitwise casts to/from binary16 floating-point
format. I've reviewed these and found no issues. There are no uses of ambient
capabilities.
"""
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.hashbrown]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
version = "0.12.3"
notes = "This version is used in rust's libstd, so effectively we're already trusting it"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.hex]]
who = "Simon Friedberger <simon@mozilla.com>"
criteria = "safe-to-deploy"
version = "0.4.3"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.lazy_static]]
who = "Nika Layzell <nika@thelayzells.com>"
criteria = "safe-to-deploy"
version = "1.4.0"
notes = "I have read over the macros, and audited the unsafe code."
aggregated-from = "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml"
[[audits.mozilla.audits.litrs]]
who = "Erich Gubler <erichdongubler@gmail.com>"
criteria = "safe-to-deploy"
version = "0.4.1"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.log]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
version = "0.4.17"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.log]]
who = "Jan-Erik Rediger <jrediger@mozilla.com>"
criteria = "safe-to-deploy"
delta = "0.4.17 -> 0.4.18"
notes = "One dependency removed, others updated (which we don't rely on), some APIs (which we don't use) changed."
aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
[[audits.mozilla.audits.log]]
who = "Kagami Sascha Rosylight <krosylight@mozilla.com>"
criteria = "safe-to-deploy"
delta = "0.4.18 -> 0.4.20"
notes = "Only cfg attribute and internal macro changes and module refactorings"
aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
[[audits.mozilla.audits.num-integer]]
who = "Josh Stone <jistone@redhat.com>"
criteria = "safe-to-deploy"
version = "0.1.45"
notes = "All code written or reviewed by Josh Stone."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.rustversion]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
version = "1.0.9"
notes = """
This crate has a build-time component and procedural macro logic, which I looked
at enough to convince myself it wasn't going to do anything dramatically wrong.
I don't think logic bugs in the version parsing etc can realistically introduce
a security vulnerability.
"""
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.rustversion]]
who = "Jan-Erik Rediger <jrediger@mozilla.com>"
criteria = "safe-to-deploy"
delta = "1.0.9 -> 1.0.14"
notes = "Doc updates, minimal CI changes and a fix to build-script reruns"
aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
[[audits.mozilla.audits.textwrap]]
who = "Jan-Erik Rediger <jrediger@mozilla.com>"
criteria = "safe-to-deploy"
version = "0.15.0"
aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
[[audits.mozilla.audits.textwrap]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.15.0 -> 0.15.2"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.textwrap]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.15.2 -> 0.16.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.time-core]]
who = "Kershaw Chang <kershaw@mozilla.com>"
criteria = "safe-to-deploy"
version = "0.1.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.time-core]]
who = "Kershaw Chang <kershaw@mozilla.com>"
criteria = "safe-to-deploy"
delta = "0.1.0 -> 0.1.1"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.time-macros]]
who = "Kershaw Chang <kershaw@mozilla.com>"
criteria = "safe-to-deploy"
version = "0.2.6"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.time-macros]]
who = "Kershaw Chang <kershaw@mozilla.com>"
criteria = "safe-to-deploy"
delta = "0.2.6 -> 0.2.10"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.zcash.audits.either]]
who = "Jack Grigg <jack@electriccoin.co>"
criteria = "safe-to-deploy"
delta = "1.8.1 -> 1.9.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
[[audits.zcash.audits.inout]]
who = "Daira Hopwood <daira@jacaranda.org>"
criteria = "safe-to-deploy"