From 672cc9f08093ea94e637f2f167d5dca6f86ef698 Mon Sep 17 00:00:00 2001 From: Jack Grigg Date: Mon, 22 Apr 2024 23:31:40 +0000 Subject: [PATCH 01/15] cargo vet init --- supply-chain/audits.toml | 4 + supply-chain/config.toml | 1372 +++++++++++++++++++++++++++++++++++++ supply-chain/imports.lock | 2 + 3 files changed, 1378 insertions(+) create mode 100644 supply-chain/audits.toml create mode 100644 supply-chain/config.toml create mode 100644 supply-chain/imports.lock diff --git a/supply-chain/audits.toml b/supply-chain/audits.toml new file mode 100644 index 000000000..2772ccb21 --- /dev/null +++ b/supply-chain/audits.toml @@ -0,0 +1,4 @@ + +# cargo-vet audits file + +[audits] diff --git a/supply-chain/config.toml b/supply-chain/config.toml new file mode 100644 index 000000000..c3db29dec --- /dev/null +++ b/supply-chain/config.toml @@ -0,0 +1,1372 @@ + +# cargo-vet config file + +[cargo-vet] +version = "0.9" + +[policy.equihash] +audit-as-crates-io = true + +[policy.f4jumble] +audit-as-crates-io = true + +[policy.zcash_address] +audit-as-crates-io = true + +[policy.zcash_client_backend] +audit-as-crates-io = true + +[policy.zcash_client_sqlite] +audit-as-crates-io = true + +[policy.zcash_encoding] +audit-as-crates-io = true + +[policy.zcash_extensions] +audit-as-crates-io = true + +[policy.zcash_history] +audit-as-crates-io = true + +[policy.zcash_keys] +audit-as-crates-io = true + +[policy.zcash_primitives] +audit-as-crates-io = true + +[policy.zcash_proofs] +audit-as-crates-io = true + +[policy.zcash_protocol] +audit-as-crates-io = true + +[policy.zip321] +audit-as-crates-io = true + +[[exemptions.addr2line]] +version = "0.21.0" +criteria = "safe-to-deploy" + +[[exemptions.adler]] +version = "1.0.2" +criteria = "safe-to-deploy" + +[[exemptions.aead]] +version = "0.5.2" +criteria = "safe-to-deploy" + +[[exemptions.aes]] +version = "0.8.3" +criteria = "safe-to-deploy" + +[[exemptions.ahash]] +version = "0.8.6" +criteria = "safe-to-deploy" + +[[exemptions.aho-corasick]] +version = "1.1.2" +criteria = "safe-to-deploy" + +[[exemptions.allocator-api2]] +version = "0.2.16" +criteria = "safe-to-deploy" + +[[exemptions.anes]] +version = "0.1.6" +criteria = "safe-to-run" + +[[exemptions.anyhow]] +version = "1.0.75" +criteria = "safe-to-deploy" + +[[exemptions.arrayref]] +version = "0.3.7" +criteria = "safe-to-deploy" + +[[exemptions.arrayvec]] +version = "0.7.4" +criteria = "safe-to-deploy" + +[[exemptions.assert_matches]] +version = "1.5.0" +criteria = "safe-to-deploy" + +[[exemptions.async-stream]] +version = "0.3.5" +criteria = "safe-to-deploy" + +[[exemptions.async-stream-impl]] +version = "0.3.5" +criteria = "safe-to-deploy" + +[[exemptions.async-trait]] +version = "0.1.78" +criteria = "safe-to-deploy" + +[[exemptions.atty]] +version = "0.2.14" +criteria = "safe-to-run" + +[[exemptions.autocfg]] +version = "1.1.0" +criteria = "safe-to-deploy" + +[[exemptions.axum]] +version = "0.6.20" +criteria = "safe-to-deploy" + +[[exemptions.axum-core]] +version = "0.3.4" +criteria = "safe-to-deploy" + +[[exemptions.backtrace]] +version = "0.3.69" +criteria = "safe-to-deploy" + +[[exemptions.base64]] +version = "0.21.5" +criteria = "safe-to-deploy" + +[[exemptions.base64ct]] +version = "1.0.1" +criteria = "safe-to-deploy" + +[[exemptions.bech32]] +version = "0.9.1" +criteria = "safe-to-deploy" + +[[exemptions.bellman]] +version = "0.14.0" +criteria = "safe-to-deploy" + +[[exemptions.bip0039]] +version = "0.10.1" +criteria = "safe-to-deploy" + +[[exemptions.bit-set]] +version = "0.5.3" +criteria = "safe-to-deploy" + +[[exemptions.bit-vec]] +version = "0.6.3" +criteria = "safe-to-deploy" + +[[exemptions.bitflags]] +version = "1.3.2" +criteria = "safe-to-deploy" + +[[exemptions.bitflags]] +version = "2.4.1" +criteria = "safe-to-deploy" + +[[exemptions.bitvec]] +version = "1.0.1" +criteria = "safe-to-deploy" + +[[exemptions.blake2b_simd]] +version = "1.0.1" +criteria = "safe-to-deploy" + +[[exemptions.blake2s_simd]] +version = "1.0.1" +criteria = "safe-to-deploy" + +[[exemptions.block-buffer]] +version = "0.10.4" +criteria = "safe-to-deploy" + +[[exemptions.bls12_381]] +version = "0.8.0" +criteria = "safe-to-deploy" + +[[exemptions.bs58]] +version = "0.5.0" +criteria = "safe-to-deploy" + +[[exemptions.bumpalo]] +version = "3.14.0" +criteria = "safe-to-deploy" + +[[exemptions.bytemuck]] +version = "1.14.0" +criteria = "safe-to-run" + +[[exemptions.byteorder]] +version = "1.5.0" +criteria = "safe-to-deploy" + +[[exemptions.bytes]] +version = "1.5.0" +criteria = "safe-to-deploy" + +[[exemptions.cast]] +version = "0.3.0" +criteria = "safe-to-run" + +[[exemptions.cbc]] +version = "0.1.2" +criteria = "safe-to-deploy" + +[[exemptions.cc]] +version = "1.0.83" +criteria = "safe-to-deploy" + +[[exemptions.cfg-if]] +version = "1.0.0" +criteria = "safe-to-deploy" + +[[exemptions.chacha20]] +version = "0.9.1" +criteria = "safe-to-deploy" + +[[exemptions.chacha20poly1305]] +version = "0.10.1" +criteria = "safe-to-deploy" + +[[exemptions.ciborium]] +version = "0.2.1" +criteria = "safe-to-run" + +[[exemptions.ciborium-io]] +version = "0.2.1" +criteria = "safe-to-run" + +[[exemptions.ciborium-ll]] +version = "0.2.1" +criteria = "safe-to-run" + +[[exemptions.cipher]] +version = "0.4.4" +criteria = "safe-to-deploy" + +[[exemptions.clap]] +version = "3.2.25" +criteria = "safe-to-run" + +[[exemptions.clap_lex]] +version = "0.2.4" +criteria = "safe-to-run" + +[[exemptions.constant_time_eq]] +version = "0.2.6" +criteria = "safe-to-deploy" + +[[exemptions.cpp_demangle]] +version = "0.4.3" +criteria = "safe-to-run" + +[[exemptions.cpufeatures]] +version = "0.2.11" +criteria = "safe-to-deploy" + +[[exemptions.criterion]] +version = "0.4.0" +criteria = "safe-to-run" + +[[exemptions.criterion-plot]] +version = "0.5.0" +criteria = "safe-to-run" + +[[exemptions.crossbeam-channel]] +version = "0.5.8" +criteria = "safe-to-deploy" + +[[exemptions.crossbeam-deque]] +version = "0.8.3" +criteria = "safe-to-deploy" + +[[exemptions.crossbeam-epoch]] +version = "0.9.15" +criteria = "safe-to-deploy" + +[[exemptions.crossbeam-utils]] +version = "0.8.16" +criteria = "safe-to-deploy" + +[[exemptions.crunchy]] +version = "0.2.2" +criteria = "safe-to-deploy" + +[[exemptions.crypto-common]] +version = "0.1.6" +criteria = "safe-to-deploy" + +[[exemptions.daggy]] +version = "0.8.0" +criteria = "safe-to-deploy" + +[[exemptions.debugid]] +version = "0.8.0" +criteria = "safe-to-run" + +[[exemptions.digest]] +version = "0.10.7" +criteria = "safe-to-deploy" + +[[exemptions.document-features]] +version = "0.2.8" +criteria = "safe-to-deploy" + +[[exemptions.either]] +version = "1.9.0" +criteria = "safe-to-deploy" + +[[exemptions.equihash]] +version = "0.2.0" +criteria = "safe-to-deploy" + +[[exemptions.equivalent]] +version = "1.0.1" +criteria = "safe-to-deploy" + +[[exemptions.errno]] +version = "0.3.6" +criteria = "safe-to-deploy" + +[[exemptions.f4jumble]] +version = "0.1.0" +criteria = "safe-to-deploy" + +[[exemptions.fallible-iterator]] +version = "0.2.0" +criteria = "safe-to-deploy" + +[[exemptions.fallible-streaming-iterator]] +version = "0.1.9" +criteria = "safe-to-deploy" + +[[exemptions.fastrand]] +version = "2.0.1" +criteria = "safe-to-deploy" + +[[exemptions.ff]] +version = "0.13.0" +criteria = "safe-to-deploy" + +[[exemptions.findshlibs]] +version = "0.10.2" +criteria = "safe-to-run" + +[[exemptions.fixed-hash]] +version = "0.8.0" +criteria = "safe-to-deploy" + +[[exemptions.fixedbitset]] +version = "0.4.2" +criteria = "safe-to-deploy" + +[[exemptions.fnv]] +version = "1.0.7" +criteria = "safe-to-deploy" + +[[exemptions.fpe]] +version = "0.6.1" +criteria = "safe-to-deploy" + +[[exemptions.funty]] +version = "2.0.0" +criteria = "safe-to-deploy" + +[[exemptions.futures-channel]] +version = "0.3.29" +criteria = "safe-to-deploy" + +[[exemptions.futures-core]] +version = "0.3.29" +criteria = "safe-to-deploy" + +[[exemptions.futures-macro]] +version = "0.3.29" +criteria = "safe-to-deploy" + +[[exemptions.futures-sink]] +version = "0.3.29" +criteria = "safe-to-deploy" + +[[exemptions.futures-task]] +version = "0.3.29" +criteria = "safe-to-deploy" + +[[exemptions.futures-util]] +version = "0.3.29" +criteria = "safe-to-deploy" + +[[exemptions.generic-array]] +version = "0.14.7" +criteria = "safe-to-deploy" + +[[exemptions.getrandom]] +version = "0.2.11" +criteria = "safe-to-deploy" + +[[exemptions.gimli]] +version = "0.28.0" +criteria = "safe-to-deploy" + +[[exemptions.group]] +version = "0.13.0" +criteria = "safe-to-deploy" + +[[exemptions.gumdrop]] +version = "0.8.1" +criteria = "safe-to-run" + +[[exemptions.gumdrop_derive]] +version = "0.8.1" +criteria = "safe-to-run" + +[[exemptions.h2]] +version = "0.3.21" +criteria = "safe-to-deploy" + +[[exemptions.half]] +version = "1.8.2" +criteria = "safe-to-run" + +[[exemptions.halo2_gadgets]] +version = "0.3.0" +criteria = "safe-to-deploy" + +[[exemptions.halo2_legacy_pdqsort]] +version = "0.1.0" +criteria = "safe-to-deploy" + +[[exemptions.halo2_proofs]] +version = "0.3.0" +criteria = "safe-to-deploy" + +[[exemptions.hashbrown]] +version = "0.12.3" +criteria = "safe-to-deploy" + +[[exemptions.hashbrown]] +version = "0.14.2" +criteria = "safe-to-deploy" + +[[exemptions.hashlink]] +version = "0.8.4" +criteria = "safe-to-deploy" + +[[exemptions.hdwallet]] +version = "0.4.1" +criteria = "safe-to-deploy" + +[[exemptions.heck]] +version = "0.4.1" +criteria = "safe-to-deploy" + +[[exemptions.hermit-abi]] +version = "0.1.19" +criteria = "safe-to-run" + +[[exemptions.hermit-abi]] +version = "0.3.3" +criteria = "safe-to-deploy" + +[[exemptions.hex]] +version = "0.4.3" +criteria = "safe-to-deploy" + +[[exemptions.hmac]] +version = "0.12.1" +criteria = "safe-to-deploy" + +[[exemptions.home]] +version = "0.5.5" +criteria = "safe-to-deploy" + +[[exemptions.http]] +version = "0.2.9" +criteria = "safe-to-deploy" + +[[exemptions.http-body]] +version = "0.4.5" +criteria = "safe-to-deploy" + +[[exemptions.httparse]] +version = "1.8.0" +criteria = "safe-to-deploy" + +[[exemptions.httpdate]] +version = "1.0.3" +criteria = "safe-to-deploy" + +[[exemptions.hyper]] +version = "0.14.27" +criteria = "safe-to-deploy" + +[[exemptions.hyper-timeout]] +version = "0.4.1" +criteria = "safe-to-deploy" + +[[exemptions.incrementalmerkletree]] +version = "0.5.1" +criteria = "safe-to-deploy" + +[[exemptions.indexmap]] +version = "1.9.3" +criteria = "safe-to-deploy" + +[[exemptions.indexmap]] +version = "2.1.0" +criteria = "safe-to-deploy" + +[[exemptions.inferno]] +version = "0.11.17" +criteria = "safe-to-run" + +[[exemptions.inout]] +version = "0.1.3" +criteria = "safe-to-deploy" + +[[exemptions.is-terminal]] +version = "0.4.9" +criteria = "safe-to-run" + +[[exemptions.itertools]] +version = "0.10.5" +criteria = "safe-to-run" + +[[exemptions.itertools]] +version = "0.11.0" +criteria = "safe-to-deploy" + +[[exemptions.itoa]] +version = "1.0.9" +criteria = "safe-to-deploy" + +[[exemptions.js-sys]] +version = "0.3.65" +criteria = "safe-to-deploy" + +[[exemptions.jubjub]] +version = "0.10.0" +criteria = "safe-to-deploy" + +[[exemptions.known-folders]] +version = "1.0.1" +criteria = "safe-to-deploy" + +[[exemptions.lazy_static]] +version = "1.4.0" +criteria = "safe-to-deploy" + +[[exemptions.libc]] +version = "0.2.150" +criteria = "safe-to-deploy" + +[[exemptions.libm]] +version = "0.2.8" +criteria = "safe-to-deploy" + +[[exemptions.libsqlite3-sys]] +version = "0.26.0" +criteria = "safe-to-deploy" + +[[exemptions.linux-raw-sys]] +version = "0.4.11" +criteria = "safe-to-deploy" + +[[exemptions.litrs]] +version = "0.4.1" +criteria = "safe-to-deploy" + +[[exemptions.lock_api]] +version = "0.4.11" +criteria = "safe-to-run" + +[[exemptions.log]] +version = "0.4.20" +criteria = "safe-to-deploy" + +[[exemptions.matchit]] +version = "0.7.3" +criteria = "safe-to-deploy" + +[[exemptions.maybe-rayon]] +version = "0.1.1" +criteria = "safe-to-deploy" + +[[exemptions.memchr]] +version = "2.6.4" +criteria = "safe-to-deploy" + +[[exemptions.memmap2]] +version = "0.5.10" +criteria = "safe-to-run" + +[[exemptions.memoffset]] +version = "0.9.0" +criteria = "safe-to-deploy" + +[[exemptions.memuse]] +version = "0.2.1" +criteria = "safe-to-deploy" + +[[exemptions.mime]] +version = "0.3.17" +criteria = "safe-to-deploy" + +[[exemptions.minimal-lexical]] +version = "0.2.1" +criteria = "safe-to-deploy" + +[[exemptions.miniz_oxide]] +version = "0.7.1" +criteria = "safe-to-deploy" + +[[exemptions.minreq]] +version = "2.11.0" +criteria = "safe-to-deploy" + +[[exemptions.mio]] +version = "0.8.9" +criteria = "safe-to-deploy" + +[[exemptions.multimap]] +version = "0.8.3" +criteria = "safe-to-deploy" + +[[exemptions.nix]] +version = "0.26.4" +criteria = "safe-to-run" + +[[exemptions.nom]] +version = "7.1.3" +criteria = "safe-to-deploy" + +[[exemptions.nonempty]] +version = "0.7.0" +criteria = "safe-to-deploy" + +[[exemptions.num-bigint]] +version = "0.4.4" +criteria = "safe-to-deploy" + +[[exemptions.num-format]] +version = "0.4.4" +criteria = "safe-to-run" + +[[exemptions.num-integer]] +version = "0.1.45" +criteria = "safe-to-deploy" + +[[exemptions.num-traits]] +version = "0.2.17" +criteria = "safe-to-deploy" + +[[exemptions.num_cpus]] +version = "1.16.0" +criteria = "safe-to-deploy" + +[[exemptions.object]] +version = "0.32.1" +criteria = "safe-to-deploy" + +[[exemptions.once_cell]] +version = "1.18.0" +criteria = "safe-to-deploy" + +[[exemptions.oorandom]] +version = "11.1.3" +criteria = "safe-to-run" + +[[exemptions.opaque-debug]] +version = "0.3.0" +criteria = "safe-to-deploy" + +[[exemptions.orchard]] +version = "0.8.0" +criteria = "safe-to-deploy" + +[[exemptions.os_str_bytes]] +version = "6.6.1" +criteria = "safe-to-run" + +[[exemptions.pairing]] +version = "0.23.0" +criteria = "safe-to-deploy" + +[[exemptions.parking_lot]] +version = "0.12.1" +criteria = "safe-to-run" + +[[exemptions.parking_lot_core]] +version = "0.9.9" +criteria = "safe-to-run" + +[[exemptions.password-hash]] +version = "0.3.2" +criteria = "safe-to-deploy" + +[[exemptions.pasta_curves]] +version = "0.5.1" +criteria = "safe-to-deploy" + +[[exemptions.pbkdf2]] +version = "0.10.1" +criteria = "safe-to-deploy" + +[[exemptions.percent-encoding]] +version = "2.3.0" +criteria = "safe-to-deploy" + +[[exemptions.petgraph]] +version = "0.6.4" +criteria = "safe-to-deploy" + +[[exemptions.pin-project]] +version = "1.1.3" +criteria = "safe-to-deploy" + +[[exemptions.pin-project-internal]] +version = "1.1.3" +criteria = "safe-to-deploy" + +[[exemptions.pin-project-lite]] +version = "0.2.13" +criteria = "safe-to-deploy" + +[[exemptions.pin-utils]] +version = "0.1.0" +criteria = "safe-to-deploy" + +[[exemptions.pkg-config]] +version = "0.3.27" +criteria = "safe-to-deploy" + +[[exemptions.plotters]] +version = "0.3.5" +criteria = "safe-to-run" + +[[exemptions.plotters-backend]] +version = "0.3.5" +criteria = "safe-to-run" + +[[exemptions.plotters-svg]] +version = "0.3.5" +criteria = "safe-to-run" + +[[exemptions.poly1305]] +version = "0.8.0" +criteria = "safe-to-deploy" + +[[exemptions.pprof]] +version = "0.11.1" +criteria = "safe-to-run" + +[[exemptions.ppv-lite86]] +version = "0.2.17" +criteria = "safe-to-deploy" + +[[exemptions.prettyplease]] +version = "0.2.15" +criteria = "safe-to-deploy" + +[[exemptions.primitive-types]] +version = "0.12.2" +criteria = "safe-to-deploy" + +[[exemptions.proc-macro2]] +version = "1.0.79" +criteria = "safe-to-deploy" + +[[exemptions.proptest]] +version = "1.3.1" +criteria = "safe-to-deploy" + +[[exemptions.prost]] +version = "0.12.1" +criteria = "safe-to-deploy" + +[[exemptions.prost-build]] +version = "0.12.1" +criteria = "safe-to-deploy" + +[[exemptions.prost-derive]] +version = "0.12.1" +criteria = "safe-to-deploy" + +[[exemptions.prost-types]] +version = "0.12.1" +criteria = "safe-to-deploy" + +[[exemptions.quick-error]] +version = "1.2.3" +criteria = "safe-to-deploy" + +[[exemptions.quick-xml]] +version = "0.26.0" +criteria = "safe-to-run" + +[[exemptions.quote]] +version = "1.0.35" +criteria = "safe-to-deploy" + +[[exemptions.radium]] +version = "0.7.0" +criteria = "safe-to-deploy" + +[[exemptions.rand]] +version = "0.8.5" +criteria = "safe-to-deploy" + +[[exemptions.rand_chacha]] +version = "0.3.1" +criteria = "safe-to-deploy" + +[[exemptions.rand_core]] +version = "0.6.4" +criteria = "safe-to-deploy" + +[[exemptions.rand_xorshift]] +version = "0.3.0" +criteria = "safe-to-deploy" + +[[exemptions.rayon]] +version = "1.8.0" +criteria = "safe-to-deploy" + +[[exemptions.rayon-core]] +version = "1.12.0" +criteria = "safe-to-deploy" + +[[exemptions.reddsa]] +version = "0.5.1" +criteria = "safe-to-deploy" + +[[exemptions.redjubjub]] +version = "0.7.0" +criteria = "safe-to-deploy" + +[[exemptions.redox_syscall]] +version = "0.4.1" +criteria = "safe-to-deploy" + +[[exemptions.regex]] +version = "1.10.2" +criteria = "safe-to-deploy" + +[[exemptions.regex-automata]] +version = "0.4.3" +criteria = "safe-to-deploy" + +[[exemptions.regex-syntax]] +version = "0.7.5" +criteria = "safe-to-deploy" + +[[exemptions.regex-syntax]] +version = "0.8.2" +criteria = "safe-to-deploy" + +[[exemptions.rgb]] +version = "0.8.37" +criteria = "safe-to-run" + +[[exemptions.ring]] +version = "0.16.20" +criteria = "safe-to-deploy" + +[[exemptions.ring]] +version = "0.17.5" +criteria = "safe-to-deploy" + +[[exemptions.ripemd]] +version = "0.1.3" +criteria = "safe-to-deploy" + +[[exemptions.rusqlite]] +version = "0.29.0" +criteria = "safe-to-deploy" + +[[exemptions.rustc-demangle]] +version = "0.1.23" +criteria = "safe-to-deploy" + +[[exemptions.rustix]] +version = "0.38.21" +criteria = "safe-to-deploy" + +[[exemptions.rustls]] +version = "0.21.8" +criteria = "safe-to-deploy" + +[[exemptions.rustls-webpki]] +version = "0.101.7" +criteria = "safe-to-deploy" + +[[exemptions.rustversion]] +version = "1.0.14" +criteria = "safe-to-deploy" + +[[exemptions.rusty-fork]] +version = "0.3.0" +criteria = "safe-to-deploy" + +[[exemptions.ryu]] +version = "1.0.15" +criteria = "safe-to-run" + +[[exemptions.same-file]] +version = "1.0.6" +criteria = "safe-to-run" + +[[exemptions.sapling-crypto]] +version = "0.1.3" +criteria = "safe-to-deploy" + +[[exemptions.schemer]] +version = "0.2.1" +criteria = "safe-to-deploy" + +[[exemptions.schemer-rusqlite]] +version = "0.2.2" +criteria = "safe-to-deploy" + +[[exemptions.scopeguard]] +version = "1.2.0" +criteria = "safe-to-deploy" + +[[exemptions.sct]] +version = "0.7.1" +criteria = "safe-to-deploy" + +[[exemptions.secp256k1]] +version = "0.26.0" +criteria = "safe-to-deploy" + +[[exemptions.secp256k1-sys]] +version = "0.8.1" +criteria = "safe-to-deploy" + +[[exemptions.secrecy]] +version = "0.8.0" +criteria = "safe-to-deploy" + +[[exemptions.serde]] +version = "1.0.192" +criteria = "safe-to-deploy" + +[[exemptions.serde_derive]] +version = "1.0.192" +criteria = "safe-to-deploy" + +[[exemptions.serde_json]] +version = "1.0.108" +criteria = "safe-to-run" + +[[exemptions.sha2]] +version = "0.10.8" +criteria = "safe-to-deploy" + +[[exemptions.shardtree]] +version = "0.3.0" +criteria = "safe-to-deploy" + +[[exemptions.slab]] +version = "0.4.9" +criteria = "safe-to-deploy" + +[[exemptions.smallvec]] +version = "1.11.1" +criteria = "safe-to-deploy" + +[[exemptions.socket2]] +version = "0.4.10" +criteria = "safe-to-deploy" + +[[exemptions.socket2]] +version = "0.5.5" +criteria = "safe-to-deploy" + +[[exemptions.spin]] +version = "0.5.2" +criteria = "safe-to-deploy" + +[[exemptions.spin]] +version = "0.9.8" +criteria = "safe-to-deploy" + +[[exemptions.stable_deref_trait]] +version = "1.2.0" +criteria = "safe-to-run" + +[[exemptions.static_assertions]] +version = "1.1.0" +criteria = "safe-to-deploy" + +[[exemptions.str_stack]] +version = "0.1.0" +criteria = "safe-to-run" + +[[exemptions.subtle]] +version = "2.4.1" +criteria = "safe-to-deploy" + +[[exemptions.symbolic-common]] +version = "10.2.1" +criteria = "safe-to-run" + +[[exemptions.symbolic-demangle]] +version = "10.2.1" +criteria = "safe-to-run" + +[[exemptions.syn]] +version = "1.0.109" +criteria = "safe-to-run" + +[[exemptions.syn]] +version = "2.0.53" +criteria = "safe-to-deploy" + +[[exemptions.sync_wrapper]] +version = "0.1.2" +criteria = "safe-to-deploy" + +[[exemptions.tap]] +version = "1.0.1" +criteria = "safe-to-deploy" + +[[exemptions.tempfile]] +version = "3.8.1" +criteria = "safe-to-deploy" + +[[exemptions.textwrap]] +version = "0.16.0" +criteria = "safe-to-run" + +[[exemptions.thiserror]] +version = "1.0.50" +criteria = "safe-to-deploy" + +[[exemptions.thiserror-impl]] +version = "1.0.50" +criteria = "safe-to-deploy" + +[[exemptions.time]] +version = "0.3.23" +criteria = "safe-to-deploy" + +[[exemptions.time-core]] +version = "0.1.1" +criteria = "safe-to-deploy" + +[[exemptions.time-macros]] +version = "0.2.10" +criteria = "safe-to-deploy" + +[[exemptions.tinytemplate]] +version = "1.2.1" +criteria = "safe-to-run" + +[[exemptions.tinyvec]] +version = "1.6.0" +criteria = "safe-to-deploy" + +[[exemptions.tinyvec_macros]] +version = "0.1.1" +criteria = "safe-to-deploy" + +[[exemptions.tokio]] +version = "1.35.1" +criteria = "safe-to-deploy" + +[[exemptions.tokio-io-timeout]] +version = "1.2.0" +criteria = "safe-to-deploy" + +[[exemptions.tokio-stream]] +version = "0.1.14" +criteria = "safe-to-deploy" + +[[exemptions.tokio-util]] +version = "0.7.10" +criteria = "safe-to-deploy" + +[[exemptions.tonic]] +version = "0.10.2" +criteria = "safe-to-deploy" + +[[exemptions.tonic-build]] +version = "0.10.2" +criteria = "safe-to-deploy" + +[[exemptions.tower]] +version = "0.4.13" +criteria = "safe-to-deploy" + +[[exemptions.tower-layer]] +version = "0.3.2" +criteria = "safe-to-deploy" + +[[exemptions.tower-service]] +version = "0.3.2" +criteria = "safe-to-deploy" + +[[exemptions.tracing]] +version = "0.1.40" +criteria = "safe-to-deploy" + +[[exemptions.tracing-attributes]] +version = "0.1.27" +criteria = "safe-to-deploy" + +[[exemptions.tracing-core]] +version = "0.1.32" +criteria = "safe-to-deploy" + +[[exemptions.try-lock]] +version = "0.2.4" +criteria = "safe-to-deploy" + +[[exemptions.typenum]] +version = "1.17.0" +criteria = "safe-to-deploy" + +[[exemptions.uint]] +version = "0.9.5" +criteria = "safe-to-deploy" + +[[exemptions.unarray]] +version = "0.1.4" +criteria = "safe-to-deploy" + +[[exemptions.unicode-ident]] +version = "1.0.12" +criteria = "safe-to-deploy" + +[[exemptions.unicode-normalization]] +version = "0.1.22" +criteria = "safe-to-deploy" + +[[exemptions.universal-hash]] +version = "0.5.1" +criteria = "safe-to-deploy" + +[[exemptions.untrusted]] +version = "0.7.1" +criteria = "safe-to-deploy" + +[[exemptions.untrusted]] +version = "0.9.0" +criteria = "safe-to-deploy" + +[[exemptions.uuid]] +version = "1.5.0" +criteria = "safe-to-deploy" + +[[exemptions.vcpkg]] +version = "0.2.15" +criteria = "safe-to-deploy" + +[[exemptions.version_check]] +version = "0.9.4" +criteria = "safe-to-deploy" + +[[exemptions.wagyu-zcash-parameters]] +version = "0.2.0" +criteria = "safe-to-deploy" + +[[exemptions.wagyu-zcash-parameters-1]] +version = "0.2.0" +criteria = "safe-to-deploy" + +[[exemptions.wagyu-zcash-parameters-2]] +version = "0.2.0" +criteria = "safe-to-deploy" + +[[exemptions.wagyu-zcash-parameters-3]] +version = "0.2.0" +criteria = "safe-to-deploy" + +[[exemptions.wagyu-zcash-parameters-4]] +version = "0.2.0" +criteria = "safe-to-deploy" + +[[exemptions.wagyu-zcash-parameters-5]] +version = "0.2.0" +criteria = "safe-to-deploy" + +[[exemptions.wagyu-zcash-parameters-6]] +version = "0.2.0" +criteria = "safe-to-deploy" + +[[exemptions.wait-timeout]] +version = "0.2.0" +criteria = "safe-to-deploy" + +[[exemptions.walkdir]] +version = "2.4.0" +criteria = "safe-to-run" + +[[exemptions.want]] +version = "0.3.1" +criteria = "safe-to-deploy" + +[[exemptions.wasi]] +version = "0.11.0+wasi-snapshot-preview1" +criteria = "safe-to-deploy" + +[[exemptions.wasm-bindgen]] +version = "0.2.88" +criteria = "safe-to-deploy" + +[[exemptions.wasm-bindgen-backend]] +version = "0.2.88" +criteria = "safe-to-deploy" + +[[exemptions.wasm-bindgen-macro]] +version = "0.2.88" +criteria = "safe-to-deploy" + +[[exemptions.wasm-bindgen-macro-support]] +version = "0.2.88" +criteria = "safe-to-deploy" + +[[exemptions.wasm-bindgen-shared]] +version = "0.2.88" +criteria = "safe-to-deploy" + +[[exemptions.web-sys]] +version = "0.3.65" +criteria = "safe-to-deploy" + +[[exemptions.webpki-roots]] +version = "0.25.2" +criteria = "safe-to-deploy" + +[[exemptions.which]] +version = "4.4.2" +criteria = "safe-to-deploy" + +[[exemptions.winapi]] +version = "0.3.9" +criteria = "safe-to-deploy" + +[[exemptions.winapi-i686-pc-windows-gnu]] +version = "0.4.0" +criteria = "safe-to-deploy" + +[[exemptions.winapi-util]] +version = "0.1.6" +criteria = "safe-to-run" + +[[exemptions.winapi-x86_64-pc-windows-gnu]] +version = "0.4.0" +criteria = "safe-to-deploy" + +[[exemptions.windows-sys]] +version = "0.48.0" +criteria = "safe-to-deploy" + +[[exemptions.windows-targets]] +version = "0.48.5" +criteria = "safe-to-deploy" + +[[exemptions.windows_aarch64_gnullvm]] +version = "0.48.5" +criteria = "safe-to-deploy" + +[[exemptions.windows_aarch64_msvc]] +version = "0.48.5" +criteria = "safe-to-deploy" + +[[exemptions.windows_i686_gnu]] +version = "0.48.5" +criteria = "safe-to-deploy" + +[[exemptions.windows_i686_msvc]] +version = "0.48.5" +criteria = "safe-to-deploy" + +[[exemptions.windows_x86_64_gnu]] +version = "0.48.5" +criteria = "safe-to-deploy" + +[[exemptions.windows_x86_64_gnullvm]] +version = "0.48.5" +criteria = "safe-to-deploy" + +[[exemptions.windows_x86_64_msvc]] +version = "0.48.5" +criteria = "safe-to-deploy" + +[[exemptions.wyz]] +version = "0.5.1" +criteria = "safe-to-deploy" + +[[exemptions.xdg]] +version = "2.5.2" +criteria = "safe-to-deploy" + +[[exemptions.zcash_address]] +version = "0.3.2" +criteria = "safe-to-deploy" + +[[exemptions.zcash_client_backend]] +version = "0.12.1" +criteria = "safe-to-deploy" + +[[exemptions.zcash_client_sqlite]] +version = "0.10.3" +criteria = "safe-to-deploy" + +[[exemptions.zcash_encoding]] +version = "0.2.0" +criteria = "safe-to-deploy" + +[[exemptions.zcash_extensions]] +version = "0.0.0" +criteria = "safe-to-deploy" + +[[exemptions.zcash_history]] +version = "0.4.0" +criteria = "safe-to-deploy" + +[[exemptions.zcash_keys]] +version = "0.2.0" +criteria = "safe-to-deploy" + +[[exemptions.zcash_note_encryption]] +version = "0.4.0" +criteria = "safe-to-deploy" + +[[exemptions.zcash_primitives]] +version = "0.15.0" +criteria = "safe-to-deploy" + +[[exemptions.zcash_proofs]] +version = "0.15.0" +criteria = "safe-to-deploy" + +[[exemptions.zcash_protocol]] +version = "0.1.1" +criteria = "safe-to-deploy" + +[[exemptions.zcash_spec]] +version = "0.1.0" +criteria = "safe-to-deploy" + +[[exemptions.zerocopy]] +version = "0.7.25" +criteria = "safe-to-deploy" + +[[exemptions.zerocopy-derive]] +version = "0.7.25" +criteria = "safe-to-deploy" + +[[exemptions.zeroize]] +version = "1.6.0" +criteria = "safe-to-deploy" + +[[exemptions.zeroize_derive]] +version = "1.4.2" +criteria = "safe-to-deploy" + +[[exemptions.zip32]] +version = "0.1.1" +criteria = "safe-to-deploy" + +[[exemptions.zip321]] +version = "0.0.0" +criteria = "safe-to-deploy" diff --git a/supply-chain/imports.lock b/supply-chain/imports.lock new file mode 100644 index 000000000..0c397a404 --- /dev/null +++ b/supply-chain/imports.lock @@ -0,0 +1,2 @@ + +# cargo-vet imports lock From afb8b55ed8ef659fbd77664e1e1774539304888c Mon Sep 17 00:00:00 2001 From: Jack Grigg Date: Mon, 22 Apr 2024 23:37:02 +0000 Subject: [PATCH 02/15] Import cargo-vet criteria from `zcash/zcash` --- supply-chain/audits.toml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/supply-chain/audits.toml b/supply-chain/audits.toml index 2772ccb21..828dea44e 100644 --- a/supply-chain/audits.toml +++ b/supply-chain/audits.toml @@ -1,4 +1,10 @@ # cargo-vet audits file +[criteria.crypto-reviewed] +description = "The cryptographic code in this crate has been reviewed for correctness by a member of a designated set of cryptography experts within the project." + +[criteria.license-reviewed] +description = "The license of this crate has been reviewed for compatibility with its usage in this repository." + [audits] From f3717d9427644f974dd1eb762d67241bffaf2291 Mon Sep 17 00:00:00 2001 From: Jack Grigg Date: Mon, 22 Apr 2024 23:41:40 +0000 Subject: [PATCH 03/15] Trust the Zcash crates we maintain and publish Trust set imported from `zcash/zcash` where there were common deps. --- supply-chain/audits.toml | 174 ++++++++++++++++++++++++++++++++++++++ supply-chain/config.toml | 92 -------------------- supply-chain/imports.lock | 147 ++++++++++++++++++++++++++++++++ 3 files changed, 321 insertions(+), 92 deletions(-) diff --git a/supply-chain/audits.toml b/supply-chain/audits.toml index 828dea44e..f1536f6d1 100644 --- a/supply-chain/audits.toml +++ b/supply-chain/audits.toml @@ -8,3 +8,177 @@ description = "The cryptographic code in this crate has been reviewed for correc description = "The license of this crate has been reviewed for compatibility with its usage in this repository." [audits] + +[[trusted.equihash]] +criteria = "safe-to-deploy" +user-id = 6289 # str4d +start = "2020-06-26" +end = "2025-04-22" + +[[trusted.f4jumble]] +criteria = ["safe-to-deploy", "crypto-reviewed"] +user-id = 6289 # str4d +start = "2021-09-22" +end = "2025-04-22" + +[[trusted.halo2_gadgets]] +criteria = ["safe-to-deploy", "crypto-reviewed"] +user-id = 1244 # ebfull +start = "2022-05-10" +end = "2025-04-22" + +[[trusted.halo2_legacy_pdqsort]] +criteria = ["safe-to-deploy", "crypto-reviewed"] +user-id = 199950 # Daira Emma Hopwood (daira) +start = "2023-02-24" +end = "2025-04-22" + +[[trusted.halo2_proofs]] +criteria = ["safe-to-deploy", "crypto-reviewed"] +user-id = 1244 # ebfull +start = "2022-05-10" +end = "2025-04-22" + +[[trusted.incrementalmerkletree]] +criteria = "safe-to-deploy" +user-id = 6289 # str4d +start = "2021-12-17" +end = "2025-04-22" + +[[trusted.incrementalmerkletree]] +criteria = "safe-to-deploy" +user-id = 1244 # ebfull +start = "2021-06-24" +end = "2025-04-22" + +[[trusted.incrementalmerkletree]] +criteria = "safe-to-deploy" +user-id = 169181 # Kris Nuttycombe (nuttycom) +start = "2023-02-28" +end = "2025-04-22" + +[[trusted.orchard]] +criteria = ["safe-to-deploy", "crypto-reviewed", "license-reviewed"] +user-id = 6289 # str4d +start = "2021-01-07" +end = "2025-04-22" + +[[trusted.orchard]] +criteria = ["safe-to-deploy", "crypto-reviewed", "license-reviewed"] +user-id = 1244 # ebfull +start = "2022-10-19" +end = "2025-04-22" + +[[trusted.sapling-crypto]] +criteria = ["safe-to-deploy", "crypto-reviewed"] +user-id = 6289 # str4d +start = "2024-01-26" +end = "2025-04-22" + +[[trusted.shardtree]] +criteria = "safe-to-deploy" +user-id = 169181 # Kris Nuttycombe (nuttycom) +start = "2022-12-15" +end = "2025-04-22" + +[[trusted.zcash_address]] +criteria = "safe-to-deploy" +user-id = 1244 # ebfull +start = "2022-10-19" +end = "2025-04-22" + +[[trusted.zcash_address]] +criteria = "safe-to-deploy" +user-id = 6289 # str4d +start = "2021-03-07" +end = "2025-04-22" + +[[trusted.zcash_client_backend]] +criteria = "safe-to-deploy" +user-id = 169181 # Kris Nuttycombe (nuttycom) +start = "2024-03-25" +end = "2025-04-22" + +[[trusted.zcash_client_sqlite]] +criteria = "safe-to-deploy" +user-id = 169181 # Kris Nuttycombe (nuttycom) +start = "2024-03-25" +end = "2025-04-22" + +[[trusted.zcash_encoding]] +criteria = "safe-to-deploy" +user-id = 1244 # ebfull +start = "2022-10-19" +end = "2025-04-22" + +[[trusted.zcash_extensions]] +criteria = "safe-to-deploy" +user-id = 6289 # str4d +start = "2020-04-24" +end = "2025-04-23" + +[[trusted.zcash_history]] +criteria = "safe-to-deploy" +user-id = 1244 # ebfull +start = "2020-03-04" +end = "2025-04-22" + +[[trusted.zcash_history]] +criteria = "safe-to-deploy" +user-id = 6289 # str4d +start = "2024-03-01" +end = "2025-04-22" + +[[trusted.zcash_keys]] +criteria = "safe-to-deploy" +user-id = 169181 # Kris Nuttycombe (nuttycom) +start = "2024-01-15" +end = "2025-04-22" + +[[trusted.zcash_note_encryption]] +criteria = ["safe-to-deploy", "crypto-reviewed"] +user-id = 169181 # Kris Nuttycombe (nuttycom) +start = "2023-03-22" +end = "2025-04-22" + +[[trusted.zcash_primitives]] +criteria = ["safe-to-deploy", "crypto-reviewed", "license-reviewed"] +user-id = 6289 # str4d +start = "2021-03-26" +end = "2025-04-22" + +[[trusted.zcash_primitives]] +criteria = ["safe-to-deploy", "crypto-reviewed", "license-reviewed"] +user-id = 1244 # ebfull +start = "2019-10-08" +end = "2025-04-22" + +[[trusted.zcash_proofs]] +criteria = ["safe-to-deploy", "crypto-reviewed", "license-reviewed"] +user-id = 6289 # str4d +start = "2021-03-26" +end = "2025-04-22" + +[[trusted.zcash_protocol]] +criteria = "safe-to-deploy" +user-id = 169181 # Kris Nuttycombe (nuttycom) +start = "2024-01-27" +end = "2025-04-22" + +[[trusted.zcash_spec]] +criteria = ["safe-to-deploy", "crypto-reviewed", "license-reviewed"] +user-id = 6289 # str4d +start = "2023-12-07" +end = "2025-04-22" + +[[trusted.zip32]] +criteria = "safe-to-deploy" +user-id = 6289 # str4d +start = "2023-12-06" +end = "2025-04-22" + +[[trusted.zip321]] +criteria = "safe-to-deploy" +user-id = 169181 # Kris Nuttycombe (nuttycom) +start = "2024-01-15" +end = "2025-04-22" diff --git a/supply-chain/config.toml b/supply-chain/config.toml index c3db29dec..3d5a83cfd 100644 --- a/supply-chain/config.toml +++ b/supply-chain/config.toml @@ -311,10 +311,6 @@ criteria = "safe-to-deploy" version = "1.9.0" criteria = "safe-to-deploy" -[[exemptions.equihash]] -version = "0.2.0" -criteria = "safe-to-deploy" - [[exemptions.equivalent]] version = "1.0.1" criteria = "safe-to-deploy" @@ -323,10 +319,6 @@ criteria = "safe-to-deploy" version = "0.3.6" criteria = "safe-to-deploy" -[[exemptions.f4jumble]] -version = "0.1.0" -criteria = "safe-to-deploy" - [[exemptions.fallible-iterator]] version = "0.2.0" criteria = "safe-to-deploy" @@ -423,18 +415,6 @@ criteria = "safe-to-deploy" version = "1.8.2" criteria = "safe-to-run" -[[exemptions.halo2_gadgets]] -version = "0.3.0" -criteria = "safe-to-deploy" - -[[exemptions.halo2_legacy_pdqsort]] -version = "0.1.0" -criteria = "safe-to-deploy" - -[[exemptions.halo2_proofs]] -version = "0.3.0" -criteria = "safe-to-deploy" - [[exemptions.hashbrown]] version = "0.12.3" criteria = "safe-to-deploy" @@ -499,10 +479,6 @@ criteria = "safe-to-deploy" version = "0.4.1" criteria = "safe-to-deploy" -[[exemptions.incrementalmerkletree]] -version = "0.5.1" -criteria = "safe-to-deploy" - [[exemptions.indexmap]] version = "1.9.3" criteria = "safe-to-deploy" @@ -675,10 +651,6 @@ criteria = "safe-to-run" version = "0.3.0" criteria = "safe-to-deploy" -[[exemptions.orchard]] -version = "0.8.0" -criteria = "safe-to-deploy" - [[exemptions.os_str_bytes]] version = "6.6.1" criteria = "safe-to-run" @@ -911,10 +883,6 @@ criteria = "safe-to-run" version = "1.0.6" criteria = "safe-to-run" -[[exemptions.sapling-crypto]] -version = "0.1.3" -criteria = "safe-to-deploy" - [[exemptions.schemer]] version = "0.2.1" criteria = "safe-to-deploy" @@ -959,10 +927,6 @@ criteria = "safe-to-run" version = "0.10.8" criteria = "safe-to-deploy" -[[exemptions.shardtree]] -version = "0.3.0" -criteria = "safe-to-deploy" - [[exemptions.slab]] version = "0.4.9" criteria = "safe-to-deploy" @@ -1299,54 +1263,6 @@ criteria = "safe-to-deploy" version = "2.5.2" criteria = "safe-to-deploy" -[[exemptions.zcash_address]] -version = "0.3.2" -criteria = "safe-to-deploy" - -[[exemptions.zcash_client_backend]] -version = "0.12.1" -criteria = "safe-to-deploy" - -[[exemptions.zcash_client_sqlite]] -version = "0.10.3" -criteria = "safe-to-deploy" - -[[exemptions.zcash_encoding]] -version = "0.2.0" -criteria = "safe-to-deploy" - -[[exemptions.zcash_extensions]] -version = "0.0.0" -criteria = "safe-to-deploy" - -[[exemptions.zcash_history]] -version = "0.4.0" -criteria = "safe-to-deploy" - -[[exemptions.zcash_keys]] -version = "0.2.0" -criteria = "safe-to-deploy" - -[[exemptions.zcash_note_encryption]] -version = "0.4.0" -criteria = "safe-to-deploy" - -[[exemptions.zcash_primitives]] -version = "0.15.0" -criteria = "safe-to-deploy" - -[[exemptions.zcash_proofs]] -version = "0.15.0" -criteria = "safe-to-deploy" - -[[exemptions.zcash_protocol]] -version = "0.1.1" -criteria = "safe-to-deploy" - -[[exemptions.zcash_spec]] -version = "0.1.0" -criteria = "safe-to-deploy" - [[exemptions.zerocopy]] version = "0.7.25" criteria = "safe-to-deploy" @@ -1362,11 +1278,3 @@ criteria = "safe-to-deploy" [[exemptions.zeroize_derive]] version = "1.4.2" criteria = "safe-to-deploy" - -[[exemptions.zip32]] -version = "0.1.1" -criteria = "safe-to-deploy" - -[[exemptions.zip321]] -version = "0.0.0" -criteria = "safe-to-deploy" diff --git a/supply-chain/imports.lock b/supply-chain/imports.lock index 0c397a404..8dd723b71 100644 --- a/supply-chain/imports.lock +++ b/supply-chain/imports.lock @@ -1,2 +1,149 @@ # cargo-vet imports lock + +[[publisher.equihash]] +version = "0.2.0" +when = "2022-06-24" +user-id = 6289 +user-login = "str4d" + +[[publisher.f4jumble]] +version = "0.1.0" +when = "2022-05-10" +user-id = 6289 +user-login = "str4d" + +[[publisher.halo2_gadgets]] +version = "0.3.0" +when = "2023-03-22" +user-id = 1244 +user-login = "ebfull" + +[[publisher.halo2_legacy_pdqsort]] +version = "0.1.0" +when = "2023-03-10" +user-id = 199950 +user-login = "daira" +user-name = "Daira Emma Hopwood" + +[[publisher.halo2_proofs]] +version = "0.3.0" +when = "2023-03-22" +user-id = 1244 +user-login = "ebfull" + +[[publisher.incrementalmerkletree]] +version = "0.5.1" +when = "2024-03-25" +user-id = 169181 +user-login = "nuttycom" +user-name = "Kris Nuttycombe" + +[[publisher.orchard]] +version = "0.8.0" +when = "2024-03-25" +user-id = 6289 +user-login = "str4d" + +[[publisher.sapling-crypto]] +version = "0.1.3" +when = "2024-03-25" +user-id = 6289 +user-login = "str4d" + +[[publisher.shardtree]] +version = "0.3.0" +when = "2024-03-25" +user-id = 169181 +user-login = "nuttycom" +user-name = "Kris Nuttycombe" + +[[publisher.zcash_address]] +version = "0.3.2" +when = "2024-03-06" +user-id = 6289 +user-login = "str4d" + +[[publisher.zcash_client_backend]] +version = "0.12.1" +when = "2024-03-27" +user-id = 169181 +user-login = "nuttycom" +user-name = "Kris Nuttycombe" + +[[publisher.zcash_client_sqlite]] +version = "0.10.3" +when = "2024-04-08" +user-id = 169181 +user-login = "nuttycom" +user-name = "Kris Nuttycombe" + +[[publisher.zcash_encoding]] +version = "0.2.0" +when = "2022-10-19" +user-id = 1244 +user-login = "ebfull" + +[[publisher.zcash_extensions]] +version = "0.0.0" +when = "2020-04-24" +user-id = 6289 +user-login = "str4d" + +[[publisher.zcash_history]] +version = "0.4.0" +when = "2024-03-01" +user-id = 6289 +user-login = "str4d" + +[[publisher.zcash_keys]] +version = "0.2.0" +when = "2024-03-25" +user-id = 169181 +user-login = "nuttycom" +user-name = "Kris Nuttycombe" + +[[publisher.zcash_note_encryption]] +version = "0.4.0" +when = "2023-06-06" +user-id = 169181 +user-login = "nuttycom" +user-name = "Kris Nuttycombe" + +[[publisher.zcash_primitives]] +version = "0.15.0" +when = "2024-03-25" +user-id = 6289 +user-login = "str4d" + +[[publisher.zcash_proofs]] +version = "0.15.0" +when = "2024-03-25" +user-id = 6289 +user-login = "str4d" + +[[publisher.zcash_protocol]] +version = "0.1.1" +when = "2024-03-25" +user-id = 169181 +user-login = "nuttycom" +user-name = "Kris Nuttycombe" + +[[publisher.zcash_spec]] +version = "0.1.0" +when = "2023-12-07" +user-id = 6289 +user-login = "str4d" + +[[publisher.zip32]] +version = "0.1.1" +when = "2024-03-14" +user-id = 6289 +user-login = "str4d" + +[[publisher.zip321]] +version = "0.0.0" +when = "2024-01-15" +user-id = 169181 +user-login = "nuttycom" +user-name = "Kris Nuttycombe" From 3f11ba5c7435e80e6af14a57078f0e9e73bce239 Mon Sep 17 00:00:00 2001 From: Jack Grigg Date: Mon, 22 Apr 2024 23:42:55 +0000 Subject: [PATCH 04/15] Import our Rust crate audits from elsewhere --- supply-chain/config.toml | 55 ++----------------- supply-chain/imports.lock | 108 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 111 insertions(+), 52 deletions(-) diff --git a/supply-chain/config.toml b/supply-chain/config.toml index 3d5a83cfd..766d009aa 100644 --- a/supply-chain/config.toml +++ b/supply-chain/config.toml @@ -4,6 +4,9 @@ [cargo-vet] version = "0.9" +[imports.zcash] +url = "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml" + [policy.equihash] audit-as-crates-io = true @@ -491,10 +494,6 @@ criteria = "safe-to-deploy" version = "0.11.17" criteria = "safe-to-run" -[[exemptions.inout]] -version = "0.1.3" -criteria = "safe-to-deploy" - [[exemptions.is-terminal]] version = "0.4.9" criteria = "safe-to-run" @@ -519,10 +518,6 @@ criteria = "safe-to-deploy" version = "0.10.0" criteria = "safe-to-deploy" -[[exemptions.known-folders]] -version = "1.0.1" -criteria = "safe-to-deploy" - [[exemptions.lazy_static]] version = "1.4.0" criteria = "safe-to-deploy" @@ -559,10 +554,6 @@ criteria = "safe-to-deploy" version = "0.7.3" criteria = "safe-to-deploy" -[[exemptions.maybe-rayon]] -version = "0.1.1" -criteria = "safe-to-deploy" - [[exemptions.memchr]] version = "2.6.4" criteria = "safe-to-deploy" @@ -791,10 +782,6 @@ criteria = "safe-to-deploy" version = "0.6.4" criteria = "safe-to-deploy" -[[exemptions.rand_xorshift]] -version = "0.3.0" -criteria = "safe-to-deploy" - [[exemptions.rayon]] version = "1.8.0" criteria = "safe-to-deploy" @@ -807,10 +794,6 @@ criteria = "safe-to-deploy" version = "0.5.1" criteria = "safe-to-deploy" -[[exemptions.redjubjub]] -version = "0.7.0" -criteria = "safe-to-deploy" - [[exemptions.redox_syscall]] version = "0.4.1" criteria = "safe-to-deploy" @@ -827,10 +810,6 @@ criteria = "safe-to-deploy" version = "0.7.5" criteria = "safe-to-deploy" -[[exemptions.regex-syntax]] -version = "0.8.2" -criteria = "safe-to-deploy" - [[exemptions.rgb]] version = "0.8.37" criteria = "safe-to-run" @@ -1127,34 +1106,6 @@ criteria = "safe-to-deploy" version = "0.9.4" criteria = "safe-to-deploy" -[[exemptions.wagyu-zcash-parameters]] -version = "0.2.0" -criteria = "safe-to-deploy" - -[[exemptions.wagyu-zcash-parameters-1]] -version = "0.2.0" -criteria = "safe-to-deploy" - -[[exemptions.wagyu-zcash-parameters-2]] -version = "0.2.0" -criteria = "safe-to-deploy" - -[[exemptions.wagyu-zcash-parameters-3]] -version = "0.2.0" -criteria = "safe-to-deploy" - -[[exemptions.wagyu-zcash-parameters-4]] -version = "0.2.0" -criteria = "safe-to-deploy" - -[[exemptions.wagyu-zcash-parameters-5]] -version = "0.2.0" -criteria = "safe-to-deploy" - -[[exemptions.wagyu-zcash-parameters-6]] -version = "0.2.0" -criteria = "safe-to-deploy" - [[exemptions.wait-timeout]] version = "0.2.0" criteria = "safe-to-deploy" diff --git a/supply-chain/imports.lock b/supply-chain/imports.lock index 8dd723b71..9710809cf 100644 --- a/supply-chain/imports.lock +++ b/supply-chain/imports.lock @@ -147,3 +147,111 @@ when = "2024-01-15" user-id = 169181 user-login = "nuttycom" user-name = "Kris Nuttycombe" + +[[audits.zcash.audits.inout]] +who = "Daira Hopwood " +criteria = "safe-to-deploy" +version = "0.1.3" +notes = "Reviewed in full." +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + +[[audits.zcash.audits.known-folders]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +version = "1.0.1" +notes = """ +Uses `unsafe` blocks to interact with `windows-sys` crate. +- `SHGetKnownFolderPath` safety requirements are met. +- `CoTaskMemFree` has no effect if passed `NULL`, so there is no issue if some + future refactor created a pathway where `ffi::Guard` could be dropped before + `SHGetKnownFolderPath` is called. +- Small nit: `ffi::Guard::as_pwstr` takes `&self` but returns `PWSTR` which is + the mutable type; it should instead return `PCWSTR` which is the const type + (and what `lstrlenW` takes) instead of implicitly const-casting the pointer, + as this would better reflect the intent to take an immutable reference. +- The slice constructed from the `PWSTR` correctly goes out of scope before + `guard` is dropped. +- A code comment says that `path_ptr` is valid for `len` bytes, but `PCWSTR` is + a `*const u16` and `lstrlenW` returns its length \"in characters\" (which the + Windows documentation confirms means the number of `WCHAR` values). This is + likely a typo; the code checks that `len * size_of::() <= isize::MAX`. +""" +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + +[[audits.zcash.audits.maybe-rayon]] +who = "Sean Bowe " +criteria = "safe-to-deploy" +version = "0.1.1" +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + +[[audits.zcash.audits.rand_xorshift]] +who = "Sean Bowe " +criteria = "safe-to-deploy" +version = "0.3.0" +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + +[[audits.zcash.audits.redjubjub]] +who = "Daira Emma Hopwood " +criteria = "safe-to-deploy" +version = "0.7.0" +notes = """ +This crate is a thin wrapper around the `reddsa` crate, which I did not review. I also +did not review tests or verify test vectors. + +The comment on `batch::Verifier::verify` has an error in the batch verification equation, +filed as https://github.com/ZcashFoundation/redjubjub/issues/163 . It does not affect the +implementation which just delegates to `reddsa`. `reddsa` has the same comment bug filed as +https://github.com/ZcashFoundation/reddsa/issues/52 , but its batch verification implementation +is correct. (I checked the latter against https://zips.z.cash/protocol/protocol.pdf#reddsabatchvalidate +which has had previous cryptographic review by NCC group; see finding NCC-Zcash2018-009 in +https://research.nccgroup.com/wp-content/uploads/2020/07/NCC_Group_Zcash2018_Public_Report_2019-01-30_v1.3.pdf ). +""" +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + +[[audits.zcash.audits.regex-syntax]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.7.5 -> 0.8.2" +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + +[[audits.zcash.audits.wagyu-zcash-parameters]] +who = "Sean Bowe " +criteria = "safe-to-deploy" +version = "0.2.0" +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + +[[audits.zcash.audits.wagyu-zcash-parameters-1]] +who = "Sean Bowe " +criteria = "safe-to-deploy" +version = "0.2.0" +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + +[[audits.zcash.audits.wagyu-zcash-parameters-2]] +who = "Sean Bowe " +criteria = "safe-to-deploy" +version = "0.2.0" +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + +[[audits.zcash.audits.wagyu-zcash-parameters-3]] +who = "Sean Bowe " +criteria = "safe-to-deploy" +version = "0.2.0" +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + +[[audits.zcash.audits.wagyu-zcash-parameters-4]] +who = "Sean Bowe " +criteria = "safe-to-deploy" +version = "0.2.0" +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + +[[audits.zcash.audits.wagyu-zcash-parameters-5]] +who = "Sean Bowe " +criteria = "safe-to-deploy" +version = "0.2.0" +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + +[[audits.zcash.audits.wagyu-zcash-parameters-6]] +who = "Sean Bowe " +criteria = "safe-to-deploy" +version = "0.2.0" +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" From 4eb2df671491fb4d57c01330558b51a7907b9911 Mon Sep 17 00:00:00 2001 From: Jack Grigg Date: Mon, 22 Apr 2024 23:51:53 +0000 Subject: [PATCH 05/15] Trust the Windows crates published by Microsoft As with our `cargo-vet` usage in `zcash/zcash`, these are binary crates for interacting with Windows APIs, so both sides are maintained by Microsoft and are not something we can audit ourselves. --- supply-chain/audits.toml | 54 +++++++++++++++++++++++++++++++++ supply-chain/config.toml | 36 ---------------------- supply-chain/imports.lock | 63 +++++++++++++++++++++++++++++++++++++++ 3 files changed, 117 insertions(+), 36 deletions(-) diff --git a/supply-chain/audits.toml b/supply-chain/audits.toml index f1536f6d1..4a1f0b017 100644 --- a/supply-chain/audits.toml +++ b/supply-chain/audits.toml @@ -81,6 +81,60 @@ user-id = 169181 # Kris Nuttycombe (nuttycom) start = "2022-12-15" end = "2025-04-22" +[[trusted.windows-sys]] +criteria = "safe-to-deploy" +user-id = 64539 # Kenny Kerr (kennykerr) +start = "2021-11-15" +end = "2025-04-22" + +[[trusted.windows-targets]] +criteria = "safe-to-deploy" +user-id = 64539 # Kenny Kerr (kennykerr) +start = "2022-09-09" +end = "2025-04-22" + +[[trusted.windows_aarch64_gnullvm]] +criteria = "safe-to-deploy" +user-id = 64539 # Kenny Kerr (kennykerr) +start = "2022-09-01" +end = "2025-04-22" + +[[trusted.windows_aarch64_msvc]] +criteria = "safe-to-deploy" +user-id = 64539 # Kenny Kerr (kennykerr) +start = "2021-11-05" +end = "2025-04-22" + +[[trusted.windows_i686_gnu]] +criteria = "safe-to-deploy" +user-id = 64539 # Kenny Kerr (kennykerr) +start = "2021-10-28" +end = "2025-04-22" + +[[trusted.windows_i686_msvc]] +criteria = "safe-to-deploy" +user-id = 64539 # Kenny Kerr (kennykerr) +start = "2021-10-27" +end = "2025-04-22" + +[[trusted.windows_x86_64_gnu]] +criteria = "safe-to-deploy" +user-id = 64539 # Kenny Kerr (kennykerr) +start = "2021-10-28" +end = "2025-04-22" + +[[trusted.windows_x86_64_gnullvm]] +criteria = "safe-to-deploy" +user-id = 64539 # Kenny Kerr (kennykerr) +start = "2022-09-01" +end = "2025-04-22" + +[[trusted.windows_x86_64_msvc]] +criteria = "safe-to-deploy" +user-id = 64539 # Kenny Kerr (kennykerr) +start = "2021-10-27" +end = "2025-04-22" + [[trusted.zcash_address]] criteria = "safe-to-deploy" user-id = 1244 # ebfull diff --git a/supply-chain/config.toml b/supply-chain/config.toml index 766d009aa..9166f8dff 100644 --- a/supply-chain/config.toml +++ b/supply-chain/config.toml @@ -1170,42 +1170,6 @@ criteria = "safe-to-run" version = "0.4.0" criteria = "safe-to-deploy" -[[exemptions.windows-sys]] -version = "0.48.0" -criteria = "safe-to-deploy" - -[[exemptions.windows-targets]] -version = "0.48.5" -criteria = "safe-to-deploy" - -[[exemptions.windows_aarch64_gnullvm]] -version = "0.48.5" -criteria = "safe-to-deploy" - -[[exemptions.windows_aarch64_msvc]] -version = "0.48.5" -criteria = "safe-to-deploy" - -[[exemptions.windows_i686_gnu]] -version = "0.48.5" -criteria = "safe-to-deploy" - -[[exemptions.windows_i686_msvc]] -version = "0.48.5" -criteria = "safe-to-deploy" - -[[exemptions.windows_x86_64_gnu]] -version = "0.48.5" -criteria = "safe-to-deploy" - -[[exemptions.windows_x86_64_gnullvm]] -version = "0.48.5" -criteria = "safe-to-deploy" - -[[exemptions.windows_x86_64_msvc]] -version = "0.48.5" -criteria = "safe-to-deploy" - [[exemptions.wyz]] version = "0.5.1" criteria = "safe-to-deploy" diff --git a/supply-chain/imports.lock b/supply-chain/imports.lock index 9710809cf..9b09cc4c9 100644 --- a/supply-chain/imports.lock +++ b/supply-chain/imports.lock @@ -58,6 +58,69 @@ user-id = 169181 user-login = "nuttycom" user-name = "Kris Nuttycombe" +[[publisher.windows-sys]] +version = "0.48.0" +when = "2023-03-31" +user-id = 64539 +user-login = "kennykerr" +user-name = "Kenny Kerr" + +[[publisher.windows-targets]] +version = "0.48.5" +when = "2023-08-18" +user-id = 64539 +user-login = "kennykerr" +user-name = "Kenny Kerr" + +[[publisher.windows_aarch64_gnullvm]] +version = "0.48.5" +when = "2023-08-18" +user-id = 64539 +user-login = "kennykerr" +user-name = "Kenny Kerr" + +[[publisher.windows_aarch64_msvc]] +version = "0.48.5" +when = "2023-08-18" +user-id = 64539 +user-login = "kennykerr" +user-name = "Kenny Kerr" + +[[publisher.windows_i686_gnu]] +version = "0.48.5" +when = "2023-08-18" +user-id = 64539 +user-login = "kennykerr" +user-name = "Kenny Kerr" + +[[publisher.windows_i686_msvc]] +version = "0.48.5" +when = "2023-08-18" +user-id = 64539 +user-login = "kennykerr" +user-name = "Kenny Kerr" + +[[publisher.windows_x86_64_gnu]] +version = "0.48.5" +when = "2023-08-18" +user-id = 64539 +user-login = "kennykerr" +user-name = "Kenny Kerr" + +[[publisher.windows_x86_64_gnullvm]] +version = "0.48.5" +when = "2023-08-18" +user-id = 64539 +user-login = "kennykerr" +user-name = "Kenny Kerr" + +[[publisher.windows_x86_64_msvc]] +version = "0.48.5" +when = "2023-08-18" +user-id = 64539 +user-login = "kennykerr" +user-name = "Kenny Kerr" + [[publisher.zcash_address]] version = "0.3.2" when = "2024-03-06" From 6bbd002f595a60f577550ff903a778e4582759d6 Mon Sep 17 00:00:00 2001 From: Jack Grigg Date: Mon, 22 Apr 2024 23:59:40 +0000 Subject: [PATCH 06/15] Import Rust crate audits from Mozilla --- supply-chain/config.toml | 79 +------------- supply-chain/imports.lock | 222 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 225 insertions(+), 76 deletions(-) diff --git a/supply-chain/config.toml b/supply-chain/config.toml index 9166f8dff..76d34161b 100644 --- a/supply-chain/config.toml +++ b/supply-chain/config.toml @@ -4,6 +4,9 @@ [cargo-vet] version = "0.9" +[imports.mozilla] +url = "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml" + [imports.zcash] url = "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml" @@ -110,10 +113,6 @@ criteria = "safe-to-deploy" version = "0.2.14" criteria = "safe-to-run" -[[exemptions.autocfg]] -version = "1.1.0" -criteria = "safe-to-deploy" - [[exemptions.axum]] version = "0.6.20" criteria = "safe-to-deploy" @@ -146,14 +145,6 @@ criteria = "safe-to-deploy" version = "0.10.1" criteria = "safe-to-deploy" -[[exemptions.bit-set]] -version = "0.5.3" -criteria = "safe-to-deploy" - -[[exemptions.bit-vec]] -version = "0.6.3" -criteria = "safe-to-deploy" - [[exemptions.bitflags]] version = "1.3.2" criteria = "safe-to-deploy" @@ -298,22 +289,10 @@ criteria = "safe-to-deploy" version = "0.8.0" criteria = "safe-to-deploy" -[[exemptions.debugid]] -version = "0.8.0" -criteria = "safe-to-run" - [[exemptions.digest]] version = "0.10.7" criteria = "safe-to-deploy" -[[exemptions.document-features]] -version = "0.2.8" -criteria = "safe-to-deploy" - -[[exemptions.either]] -version = "1.9.0" -criteria = "safe-to-deploy" - [[exemptions.equivalent]] version = "1.0.1" criteria = "safe-to-deploy" @@ -350,10 +329,6 @@ criteria = "safe-to-deploy" version = "0.4.2" criteria = "safe-to-deploy" -[[exemptions.fnv]] -version = "1.0.7" -criteria = "safe-to-deploy" - [[exemptions.fpe]] version = "0.6.1" criteria = "safe-to-deploy" @@ -414,14 +389,6 @@ criteria = "safe-to-run" version = "0.3.21" criteria = "safe-to-deploy" -[[exemptions.half]] -version = "1.8.2" -criteria = "safe-to-run" - -[[exemptions.hashbrown]] -version = "0.12.3" -criteria = "safe-to-deploy" - [[exemptions.hashbrown]] version = "0.14.2" criteria = "safe-to-deploy" @@ -446,10 +413,6 @@ criteria = "safe-to-run" version = "0.3.3" criteria = "safe-to-deploy" -[[exemptions.hex]] -version = "0.4.3" -criteria = "safe-to-deploy" - [[exemptions.hmac]] version = "0.12.1" criteria = "safe-to-deploy" @@ -518,10 +481,6 @@ criteria = "safe-to-deploy" version = "0.10.0" criteria = "safe-to-deploy" -[[exemptions.lazy_static]] -version = "1.4.0" -criteria = "safe-to-deploy" - [[exemptions.libc]] version = "0.2.150" criteria = "safe-to-deploy" @@ -538,18 +497,10 @@ criteria = "safe-to-deploy" version = "0.4.11" criteria = "safe-to-deploy" -[[exemptions.litrs]] -version = "0.4.1" -criteria = "safe-to-deploy" - [[exemptions.lock_api]] version = "0.4.11" criteria = "safe-to-run" -[[exemptions.log]] -version = "0.4.20" -criteria = "safe-to-deploy" - [[exemptions.matchit]] version = "0.7.3" criteria = "safe-to-deploy" @@ -614,10 +565,6 @@ criteria = "safe-to-deploy" version = "0.4.4" criteria = "safe-to-run" -[[exemptions.num-integer]] -version = "0.1.45" -criteria = "safe-to-deploy" - [[exemptions.num-traits]] version = "0.2.17" criteria = "safe-to-deploy" @@ -846,10 +793,6 @@ criteria = "safe-to-deploy" version = "0.101.7" criteria = "safe-to-deploy" -[[exemptions.rustversion]] -version = "1.0.14" -criteria = "safe-to-deploy" - [[exemptions.rusty-fork]] version = "0.3.0" criteria = "safe-to-deploy" @@ -974,10 +917,6 @@ criteria = "safe-to-deploy" version = "3.8.1" criteria = "safe-to-deploy" -[[exemptions.textwrap]] -version = "0.16.0" -criteria = "safe-to-run" - [[exemptions.thiserror]] version = "1.0.50" criteria = "safe-to-deploy" @@ -990,14 +929,6 @@ criteria = "safe-to-deploy" version = "0.3.23" criteria = "safe-to-deploy" -[[exemptions.time-core]] -version = "0.1.1" -criteria = "safe-to-deploy" - -[[exemptions.time-macros]] -version = "0.2.10" -criteria = "safe-to-deploy" - [[exemptions.tinytemplate]] version = "1.2.1" criteria = "safe-to-run" @@ -1078,10 +1009,6 @@ criteria = "safe-to-deploy" version = "1.0.12" criteria = "safe-to-deploy" -[[exemptions.unicode-normalization]] -version = "0.1.22" -criteria = "safe-to-deploy" - [[exemptions.universal-hash]] version = "0.5.1" criteria = "safe-to-deploy" diff --git a/supply-chain/imports.lock b/supply-chain/imports.lock index 9b09cc4c9..d356a3fc6 100644 --- a/supply-chain/imports.lock +++ b/supply-chain/imports.lock @@ -58,6 +58,13 @@ user-id = 169181 user-login = "nuttycom" user-name = "Kris Nuttycombe" +[[publisher.unicode-normalization]] +version = "0.1.22" +when = "2022-09-16" +user-id = 1139 +user-login = "Manishearth" +user-name = "Manish Goregaokar" + [[publisher.windows-sys]] version = "0.48.0" when = "2023-03-31" @@ -211,6 +218,221 @@ user-id = 169181 user-login = "nuttycom" user-name = "Kris Nuttycombe" +[[audits.mozilla.wildcard-audits.unicode-normalization]] +who = "Manish Goregaokar " +criteria = "safe-to-deploy" +user-id = 1139 # Manish Goregaokar (Manishearth) +start = "2019-11-06" +end = "2024-05-03" +notes = "All code written or reviewed by Manish" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.autocfg]] +who = "Josh Stone " +criteria = "safe-to-deploy" +version = "1.1.0" +notes = "All code written or reviewed by Josh Stone." +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.bit-set]] +who = "Aria Beingessner " +criteria = "safe-to-deploy" +version = "0.5.2" +notes = "Another crate I own via contain-rs that is ancient and maintenance mode, no known issues." +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.bit-set]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.5.2 -> 0.5.3" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.bit-vec]] +who = "Aria Beingessner " +criteria = "safe-to-deploy" +version = "0.6.3" +notes = "Another crate I own via contain-rs that is ancient and in maintenance mode but otherwise perfectly fine." +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.debugid]] +who = "Gabriele Svelto " +criteria = "safe-to-deploy" +version = "0.8.0" +notes = "This crates was written by Sentry and I've fully audited it as Firefox crash reporting machinery relies on it." +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.document-features]] +who = "Erich Gubler " +criteria = "safe-to-deploy" +version = "0.2.8" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.either]] +who = "Nika Layzell " +criteria = "safe-to-deploy" +version = "1.6.1" +notes = """ +Straightforward crate providing the Either enum and trait implementations with +no unsafe code. +""" +aggregated-from = "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml" + +[[audits.mozilla.audits.either]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.6.1 -> 1.7.0" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.either]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.7.0 -> 1.8.0" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.either]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.8.0 -> 1.8.1" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.fnv]] +who = "Bobby Holley " +criteria = "safe-to-deploy" +version = "1.0.7" +notes = "Simple hasher implementation with no unsafe code." +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.half]] +who = "John M. Schanck " +criteria = "safe-to-deploy" +version = "1.8.2" +notes = """ +This crate contains unsafe code for bitwise casts to/from binary16 floating-point +format. I've reviewed these and found no issues. There are no uses of ambient +capabilities. +""" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.hashbrown]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +version = "0.12.3" +notes = "This version is used in rust's libstd, so effectively we're already trusting it" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.hex]] +who = "Simon Friedberger " +criteria = "safe-to-deploy" +version = "0.4.3" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.lazy_static]] +who = "Nika Layzell " +criteria = "safe-to-deploy" +version = "1.4.0" +notes = "I have read over the macros, and audited the unsafe code." +aggregated-from = "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml" + +[[audits.mozilla.audits.litrs]] +who = "Erich Gubler " +criteria = "safe-to-deploy" +version = "0.4.1" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.log]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +version = "0.4.17" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.log]] +who = "Jan-Erik Rediger " +criteria = "safe-to-deploy" +delta = "0.4.17 -> 0.4.18" +notes = "One dependency removed, others updated (which we don't rely on), some APIs (which we don't use) changed." +aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" + +[[audits.mozilla.audits.log]] +who = "Kagami Sascha Rosylight " +criteria = "safe-to-deploy" +delta = "0.4.18 -> 0.4.20" +notes = "Only cfg attribute and internal macro changes and module refactorings" +aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" + +[[audits.mozilla.audits.num-integer]] +who = "Josh Stone " +criteria = "safe-to-deploy" +version = "0.1.45" +notes = "All code written or reviewed by Josh Stone." +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.rustversion]] +who = "Bobby Holley " +criteria = "safe-to-deploy" +version = "1.0.9" +notes = """ +This crate has a build-time component and procedural macro logic, which I looked +at enough to convince myself it wasn't going to do anything dramatically wrong. +I don't think logic bugs in the version parsing etc can realistically introduce +a security vulnerability. +""" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.rustversion]] +who = "Jan-Erik Rediger " +criteria = "safe-to-deploy" +delta = "1.0.9 -> 1.0.14" +notes = "Doc updates, minimal CI changes and a fix to build-script reruns" +aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" + +[[audits.mozilla.audits.textwrap]] +who = "Jan-Erik Rediger " +criteria = "safe-to-deploy" +version = "0.15.0" +aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" + +[[audits.mozilla.audits.textwrap]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.15.0 -> 0.15.2" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.textwrap]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.15.2 -> 0.16.0" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.time-core]] +who = "Kershaw Chang " +criteria = "safe-to-deploy" +version = "0.1.0" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.time-core]] +who = "Kershaw Chang " +criteria = "safe-to-deploy" +delta = "0.1.0 -> 0.1.1" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.time-macros]] +who = "Kershaw Chang " +criteria = "safe-to-deploy" +version = "0.2.6" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.time-macros]] +who = "Kershaw Chang " +criteria = "safe-to-deploy" +delta = "0.2.6 -> 0.2.10" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.zcash.audits.either]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "1.8.1 -> 1.9.0" +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + [[audits.zcash.audits.inout]] who = "Daira Hopwood " criteria = "safe-to-deploy" From 12334b3a18d98c7baa37d7780cf1e67f4fbe000c Mon Sep 17 00:00:00 2001 From: Jack Grigg Date: Tue, 23 Apr 2024 00:00:52 +0000 Subject: [PATCH 07/15] Import Rust crate audits from Google --- supply-chain/config.toml | 115 +------------ supply-chain/imports.lock | 340 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 343 insertions(+), 112 deletions(-) diff --git a/supply-chain/config.toml b/supply-chain/config.toml index 76d34161b..ebabd3b77 100644 --- a/supply-chain/config.toml +++ b/supply-chain/config.toml @@ -4,6 +4,9 @@ [cargo-vet] version = "0.9" +[imports.google] +url = "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml" + [imports.mozilla] url = "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml" @@ -97,22 +100,10 @@ criteria = "safe-to-deploy" version = "1.5.0" criteria = "safe-to-deploy" -[[exemptions.async-stream]] -version = "0.3.5" -criteria = "safe-to-deploy" - -[[exemptions.async-stream-impl]] -version = "0.3.5" -criteria = "safe-to-deploy" - [[exemptions.async-trait]] version = "0.1.78" criteria = "safe-to-deploy" -[[exemptions.atty]] -version = "0.2.14" -criteria = "safe-to-run" - [[exemptions.axum]] version = "0.6.20" criteria = "safe-to-deploy" @@ -205,10 +196,6 @@ criteria = "safe-to-deploy" version = "1.0.83" criteria = "safe-to-deploy" -[[exemptions.cfg-if]] -version = "1.0.0" -criteria = "safe-to-deploy" - [[exemptions.chacha20]] version = "0.9.1" criteria = "safe-to-deploy" @@ -237,10 +224,6 @@ criteria = "safe-to-deploy" version = "3.2.25" criteria = "safe-to-run" -[[exemptions.clap_lex]] -version = "0.2.4" -criteria = "safe-to-run" - [[exemptions.constant_time_eq]] version = "0.2.6" criteria = "safe-to-deploy" @@ -293,10 +276,6 @@ criteria = "safe-to-deploy" version = "0.10.7" criteria = "safe-to-deploy" -[[exemptions.equivalent]] -version = "1.0.1" -criteria = "safe-to-deploy" - [[exemptions.errno]] version = "0.3.6" criteria = "safe-to-deploy" @@ -309,10 +288,6 @@ criteria = "safe-to-deploy" version = "0.1.9" criteria = "safe-to-deploy" -[[exemptions.fastrand]] -version = "2.0.1" -criteria = "safe-to-deploy" - [[exemptions.ff]] version = "0.13.0" criteria = "safe-to-deploy" @@ -401,10 +376,6 @@ criteria = "safe-to-deploy" version = "0.4.1" criteria = "safe-to-deploy" -[[exemptions.heck]] -version = "0.4.1" -criteria = "safe-to-deploy" - [[exemptions.hermit-abi]] version = "0.1.19" criteria = "safe-to-run" @@ -433,10 +404,6 @@ criteria = "safe-to-deploy" version = "1.8.0" criteria = "safe-to-deploy" -[[exemptions.httpdate]] -version = "1.0.3" -criteria = "safe-to-deploy" - [[exemptions.hyper]] version = "0.14.27" criteria = "safe-to-deploy" @@ -457,14 +424,6 @@ criteria = "safe-to-deploy" version = "0.11.17" criteria = "safe-to-run" -[[exemptions.is-terminal]] -version = "0.4.9" -criteria = "safe-to-run" - -[[exemptions.itertools]] -version = "0.10.5" -criteria = "safe-to-run" - [[exemptions.itertools]] version = "0.11.0" criteria = "safe-to-deploy" @@ -545,14 +504,6 @@ criteria = "safe-to-deploy" version = "0.8.3" criteria = "safe-to-deploy" -[[exemptions.nix]] -version = "0.26.4" -criteria = "safe-to-run" - -[[exemptions.nom]] -version = "7.1.3" -criteria = "safe-to-deploy" - [[exemptions.nonempty]] version = "0.7.0" criteria = "safe-to-deploy" @@ -597,10 +548,6 @@ criteria = "safe-to-run" version = "0.23.0" criteria = "safe-to-deploy" -[[exemptions.parking_lot]] -version = "0.12.1" -criteria = "safe-to-run" - [[exemptions.parking_lot_core]] version = "0.9.9" criteria = "safe-to-run" @@ -633,10 +580,6 @@ criteria = "safe-to-deploy" version = "1.1.3" criteria = "safe-to-deploy" -[[exemptions.pin-project-lite]] -version = "0.2.13" -criteria = "safe-to-deploy" - [[exemptions.pin-utils]] version = "0.1.0" criteria = "safe-to-deploy" @@ -677,10 +620,6 @@ criteria = "safe-to-deploy" version = "0.12.2" criteria = "safe-to-deploy" -[[exemptions.proc-macro2]] -version = "1.0.79" -criteria = "safe-to-deploy" - [[exemptions.proptest]] version = "1.3.1" criteria = "safe-to-deploy" @@ -709,10 +648,6 @@ criteria = "safe-to-deploy" version = "0.26.0" criteria = "safe-to-run" -[[exemptions.quote]] -version = "1.0.35" -criteria = "safe-to-deploy" - [[exemptions.radium]] version = "0.7.0" criteria = "safe-to-deploy" @@ -801,10 +736,6 @@ criteria = "safe-to-deploy" version = "1.0.15" criteria = "safe-to-run" -[[exemptions.same-file]] -version = "1.0.6" -criteria = "safe-to-run" - [[exemptions.schemer]] version = "0.2.1" criteria = "safe-to-deploy" @@ -841,10 +772,6 @@ criteria = "safe-to-deploy" version = "1.0.192" criteria = "safe-to-deploy" -[[exemptions.serde_json]] -version = "1.0.108" -criteria = "safe-to-run" - [[exemptions.sha2]] version = "0.10.8" criteria = "safe-to-deploy" @@ -873,14 +800,6 @@ criteria = "safe-to-deploy" version = "0.9.8" criteria = "safe-to-deploy" -[[exemptions.stable_deref_trait]] -version = "1.2.0" -criteria = "safe-to-run" - -[[exemptions.static_assertions]] -version = "1.1.0" -criteria = "safe-to-deploy" - [[exemptions.str_stack]] version = "0.1.0" criteria = "safe-to-run" @@ -897,10 +816,6 @@ criteria = "safe-to-run" version = "10.2.1" criteria = "safe-to-run" -[[exemptions.syn]] -version = "1.0.109" -criteria = "safe-to-run" - [[exemptions.syn]] version = "2.0.53" criteria = "safe-to-deploy" @@ -933,14 +848,6 @@ criteria = "safe-to-deploy" version = "1.2.1" criteria = "safe-to-run" -[[exemptions.tinyvec]] -version = "1.6.0" -criteria = "safe-to-deploy" - -[[exemptions.tinyvec_macros]] -version = "0.1.1" -criteria = "safe-to-deploy" - [[exemptions.tokio]] version = "1.35.1" criteria = "safe-to-deploy" @@ -949,10 +856,6 @@ criteria = "safe-to-deploy" version = "1.2.0" criteria = "safe-to-deploy" -[[exemptions.tokio-stream]] -version = "0.1.14" -criteria = "safe-to-deploy" - [[exemptions.tokio-util]] version = "0.7.10" criteria = "safe-to-deploy" @@ -1005,10 +908,6 @@ criteria = "safe-to-deploy" version = "0.1.4" criteria = "safe-to-deploy" -[[exemptions.unicode-ident]] -version = "1.0.12" -criteria = "safe-to-deploy" - [[exemptions.universal-hash]] version = "0.5.1" criteria = "safe-to-deploy" @@ -1029,10 +928,6 @@ criteria = "safe-to-deploy" version = "0.2.15" criteria = "safe-to-deploy" -[[exemptions.version_check]] -version = "0.9.4" -criteria = "safe-to-deploy" - [[exemptions.wait-timeout]] version = "0.2.0" criteria = "safe-to-deploy" @@ -1089,10 +984,6 @@ criteria = "safe-to-deploy" version = "0.4.0" criteria = "safe-to-deploy" -[[exemptions.winapi-util]] -version = "0.1.6" -criteria = "safe-to-run" - [[exemptions.winapi-x86_64-pc-windows-gnu]] version = "0.4.0" criteria = "safe-to-deploy" diff --git a/supply-chain/imports.lock b/supply-chain/imports.lock index d356a3fc6..d3d7beafe 100644 --- a/supply-chain/imports.lock +++ b/supply-chain/imports.lock @@ -218,6 +218,313 @@ user-id = 169181 user-login = "nuttycom" user-name = "Kris Nuttycombe" +[[audits.google.audits.async-stream]] +who = "Tyler Mandry " +criteria = "safe-to-deploy" +version = "0.3.4" +notes = "Reviewed on https://fxrev.dev/761470" +aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.async-stream]] +who = "David Koloski " +criteria = "safe-to-deploy" +delta = "0.3.4 -> 0.3.5" +notes = "Reviewed on https://fxrev.dev/906795" +aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.async-stream-impl]] +who = "Tyler Mandry " +criteria = "safe-to-deploy" +version = "0.3.4" +notes = "Reviewed on https://fxrev.dev/761470" +aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.async-stream-impl]] +who = "David Koloski " +criteria = "safe-to-deploy" +delta = "0.3.4 -> 0.3.5" +notes = "Reviewed on https://fxrev.dev/906795" +aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.atty]] +who = "Android Legacy" +criteria = "safe-to-run" +version = "0.2.14" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.cfg-if]] +who = "George Burgess IV " +criteria = "safe-to-deploy" +version = "1.0.0" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.clap_lex]] +who = "ChromeOS" +criteria = "safe-to-run" +version = "0.2.4" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.equivalent]] +who = "George Burgess IV " +criteria = "safe-to-deploy" +version = "1.0.1" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.fastrand]] +who = "George Burgess IV " +criteria = "safe-to-deploy" +version = "1.9.0" +notes = """ +`does-not-implement-crypto` is certified because this crate explicitly says +that the RNG here is not cryptographically secure. +""" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.heck]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +version = "0.4.1" +notes = """ +Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'``, `'\bnet\b'``, `'\bunsafe\b'`` +and there were no hits. + +`heck` (version `0.3.3`) has been added to Chromium in +https://source.chromium.org/chromium/chromium/src/+/28841c33c77833cc30b286f9ae24c97e7a8f4057 +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.httpdate]] +who = "George Burgess IV " +criteria = "safe-to-deploy" +version = "1.0.3" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.is-terminal]] +who = "George Burgess IV " +criteria = "safe-to-run" +version = "0.4.2" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.is-terminal]] +who = "George Burgess IV " +criteria = "safe-to-run" +delta = "0.4.2 -> 0.4.9" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.itertools]] +who = "ChromeOS" +criteria = "safe-to-run" +version = "0.10.5" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.nix]] +who = "David Koloski " +criteria = "safe-to-run" +version = "0.26.2" +notes = """ +Reviewed on https://fxrev.dev/780283 +Issues: +- https://github.com/nix-rust/nix/issues/1975 +- https://github.com/nix-rust/nix/issues/1977 +- https://github.com/nix-rust/nix/pull/1978 +- https://github.com/nix-rust/nix/pull/1979 +- https://github.com/nix-rust/nix/issues/1980 +- https://github.com/nix-rust/nix/issues/1981 +- https://github.com/nix-rust/nix/pull/1983 +- https://github.com/nix-rust/nix/issues/1990 +- https://github.com/nix-rust/nix/pull/1992 +- https://github.com/nix-rust/nix/pull/1993 +""" +aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.nom]] +who = "danakj@chromium.org" +criteria = "safe-to-deploy" +version = "7.1.3" +notes = """ +Reviewed in https://chromium-review.googlesource.com/c/chromium/src/+/5046153 +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.parking_lot]] +who = "George Burgess IV " +criteria = "safe-to-run" +version = "0.11.2" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.parking_lot]] +who = "George Burgess IV " +criteria = "safe-to-run" +delta = "0.11.2 -> 0.12.1" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.pin-project-lite]] +who = "David Koloski " +criteria = "safe-to-deploy" +version = "0.2.9" +notes = "Reviewed on https://fxrev.dev/824504" +aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.pin-project-lite]] +who = "David Koloski " +criteria = "safe-to-deploy" +delta = "0.2.9 -> 0.2.13" +notes = "Audited at https://fxrev.dev/946396" +aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.proc-macro2]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +version = "1.0.78" +notes = """ +Grepped for \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits +(except for a benign \"fs\" hit in a doc comment) + +Notes from the `unsafe` review can be found in https://crrev.com/c/5385745. +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.proc-macro2]] +who = "Adrian Taylor " +criteria = "safe-to-deploy" +delta = "1.0.78 -> 1.0.79" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.quote]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +version = "1.0.35" +notes = """ +Grepped for \"unsafe\", \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits +(except for benign \"net\" hit in tests and \"fs\" hit in README.md) +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.same-file]] +who = "Android Legacy" +criteria = "safe-to-run" +version = "1.0.6" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.serde_json]] +who = "danakj@chromium.org" +criteria = "safe-to-run" +version = "1.0.108" +notes = """ +Reviewed in https://crrev.com/c/5171063 + +Previously reviewed during security review and the audit is grandparented in. +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.stable_deref_trait]] +who = "George Burgess IV " +criteria = "safe-to-run" +version = "1.2.0" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.static_assertions]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +version = "1.1.0" +notes = """ +Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'`, `'\bnet\b'`, `'\bunsafe\b'` +and there were no hits except for one `unsafe`. + +The lambda where `unsafe` is used is never invoked (e.g. the `unsafe` code +never runs) and is only introduced for some compile-time checks. Additional +unsafe review comments can be found in https://crrev.com/c/5353376. + +This crate has been added to Chromium in https://crrev.com/c/3736562. The CL +description contains a link to a document with an additional security review. +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.syn]] +who = "danakj@chromium.org" +criteria = "safe-to-run" +version = "1.0.109" +notes = """ +Reviewed in https://crrev.com/c/5171063 + +Previously reviewed during security review and the audit is grandparented in. +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.tinyvec]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +version = "1.6.0" +notes = """ +Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'``, `'\bnet\b'``, `'\bunsafe\b'`` +and there were no hits except for some \"unsafe\" appearing in comments: + +``` +src/arrayvec.rs: // Note: This shouldn't use A::CAPACITY, because unsafe code can't rely on +src/lib.rs://! All of this is done with no `unsafe` code within the crate. Technically the +src/lib.rs://! `Vec` type from the standard library uses `unsafe` internally, but *this +src/lib.rs://! crate* introduces no new `unsafe` code into your project. +src/array.rs:/// Just a reminder: this trait is 100% safe, which means that `unsafe` code +``` + +This crate has been added to Chromium in +https://source.chromium.org/chromium/chromium/src/+/24773c33e1b7a1b5069b9399fd034375995f290b +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.tinyvec_macros]] +who = "George Burgess IV " +criteria = "safe-to-deploy" +version = "0.1.0" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.tokio-stream]] +who = "David Koloski " +criteria = "safe-to-deploy" +version = "0.1.11" +notes = "Reviewed on https://fxrev.dev/804724" +aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.tokio-stream]] +who = "David Koloski " +criteria = "safe-to-deploy" +delta = "0.1.11 -> 0.1.14" +notes = "Reviewed on https://fxrev.dev/907732." +aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.unicode-ident]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +version = "1.0.12" +notes = ''' +I grepped for \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits. + +All two functions from the public API of this crate use `unsafe` to avoid bound +checks for an array access. Cross-module analysis shows that the offsets can +be statically proven to be within array bounds. More details can be found in +the unsafe review CL at https://crrev.com/c/5350386. + +This crate has been added to Chromium in https://crrev.com/c/3891618. +''' +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.version_check]] +who = "George Burgess IV " +criteria = "safe-to-deploy" +version = "0.9.4" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.winapi-util]] +who = "danakj@chromium.org" +criteria = "safe-to-run" +version = "0.1.6" +notes = """ +Reviewed in https://crrev.com/c/5171063 + +Previously reviewed during security review and the audit is grandparented in. +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + [[audits.mozilla.wildcard-audits.unicode-normalization]] who = "Manish Goregaokar " criteria = "safe-to-deploy" @@ -295,6 +602,12 @@ criteria = "safe-to-deploy" delta = "1.8.0 -> 1.8.1" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" +[[audits.mozilla.audits.fastrand]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.9.0 -> 2.0.0" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + [[audits.mozilla.audits.fnv]] who = "Bobby Holley " criteria = "safe-to-deploy" @@ -433,6 +746,12 @@ criteria = "safe-to-deploy" delta = "1.8.1 -> 1.9.0" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" +[[audits.zcash.audits.fastrand]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "2.0.0 -> 2.0.1" +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + [[audits.zcash.audits.inout]] who = "Daira Hopwood " criteria = "safe-to-deploy" @@ -469,6 +788,20 @@ criteria = "safe-to-deploy" version = "0.1.1" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" +[[audits.zcash.audits.nix]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.26.2 -> 0.26.4" +notes = """ +Most of the `unsafe` changes are cleaning up their usage: +- Replacing `data.len() * std::mem::size_of::<$ty>()` with `std::mem::size_of_val(data)`. +- Removing some `mem::transmute`s. +- Using `*mut` instead of `*const` to convey intended semantics. + +A new unsafe trait method `SockaddrLike::set_length` is added; it's impls look fine. +""" +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + [[audits.zcash.audits.rand_xorshift]] who = "Sean Bowe " criteria = "safe-to-deploy" @@ -499,6 +832,13 @@ criteria = "safe-to-deploy" delta = "0.7.5 -> 0.8.2" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" +[[audits.zcash.audits.tinyvec_macros]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.1.0 -> 0.1.1" +notes = "Adds `#![forbid(unsafe_code)]` and license files." +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + [[audits.zcash.audits.wagyu-zcash-parameters]] who = "Sean Bowe " criteria = "safe-to-deploy" From d99edccaa3647a8571943f8339e53050b7c42fd0 Mon Sep 17 00:00:00 2001 From: Jack Grigg Date: Tue, 23 Apr 2024 00:01:23 +0000 Subject: [PATCH 08/15] Import Rust crate audits from ISRG --- supply-chain/config.toml | 47 +------------ supply-chain/imports.lock | 134 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 137 insertions(+), 44 deletions(-) diff --git a/supply-chain/config.toml b/supply-chain/config.toml index ebabd3b77..ac0a4e6ff 100644 --- a/supply-chain/config.toml +++ b/supply-chain/config.toml @@ -7,6 +7,9 @@ version = "0.9" [imports.google] url = "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml" +[imports.isrg] +url = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" + [imports.mozilla] url = "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml" @@ -260,10 +263,6 @@ criteria = "safe-to-deploy" version = "0.8.16" criteria = "safe-to-deploy" -[[exemptions.crunchy]] -version = "0.2.2" -criteria = "safe-to-deploy" - [[exemptions.crypto-common]] version = "0.1.6" criteria = "safe-to-deploy" @@ -384,10 +383,6 @@ criteria = "safe-to-run" version = "0.3.3" criteria = "safe-to-deploy" -[[exemptions.hmac]] -version = "0.12.1" -criteria = "safe-to-deploy" - [[exemptions.home]] version = "0.5.5" criteria = "safe-to-deploy" @@ -508,18 +503,10 @@ criteria = "safe-to-deploy" version = "0.7.0" criteria = "safe-to-deploy" -[[exemptions.num-bigint]] -version = "0.4.4" -criteria = "safe-to-deploy" - [[exemptions.num-format]] version = "0.4.4" criteria = "safe-to-run" -[[exemptions.num-traits]] -version = "0.2.17" -criteria = "safe-to-deploy" - [[exemptions.num_cpus]] version = "1.16.0" criteria = "safe-to-deploy" @@ -536,10 +523,6 @@ criteria = "safe-to-deploy" version = "11.1.3" criteria = "safe-to-run" -[[exemptions.opaque-debug]] -version = "0.3.0" -criteria = "safe-to-deploy" - [[exemptions.os_str_bytes]] version = "6.6.1" criteria = "safe-to-run" @@ -656,22 +639,6 @@ criteria = "safe-to-deploy" version = "0.8.5" criteria = "safe-to-deploy" -[[exemptions.rand_chacha]] -version = "0.3.1" -criteria = "safe-to-deploy" - -[[exemptions.rand_core]] -version = "0.6.4" -criteria = "safe-to-deploy" - -[[exemptions.rayon]] -version = "1.8.0" -criteria = "safe-to-deploy" - -[[exemptions.rayon-core]] -version = "1.12.0" -criteria = "safe-to-deploy" - [[exemptions.reddsa]] version = "0.5.1" criteria = "safe-to-deploy" @@ -908,14 +875,6 @@ criteria = "safe-to-deploy" version = "0.1.4" criteria = "safe-to-deploy" -[[exemptions.universal-hash]] -version = "0.5.1" -criteria = "safe-to-deploy" - -[[exemptions.untrusted]] -version = "0.7.1" -criteria = "safe-to-deploy" - [[exemptions.untrusted]] version = "0.9.0" criteria = "safe-to-deploy" diff --git a/supply-chain/imports.lock b/supply-chain/imports.lock index d3d7beafe..15ede8f83 100644 --- a/supply-chain/imports.lock +++ b/supply-chain/imports.lock @@ -525,6 +525,81 @@ Previously reviewed during security review and the audit is grandparented in. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" +[[audits.isrg.audits.crunchy]] +who = "David Cook " +criteria = "safe-to-deploy" +version = "0.2.2" + +[[audits.isrg.audits.hmac]] +who = "David Cook " +criteria = "safe-to-deploy" +version = "0.12.1" + +[[audits.isrg.audits.num-bigint]] +who = "David Cook " +criteria = "safe-to-deploy" +delta = "0.4.3 -> 0.4.4" + +[[audits.isrg.audits.num-traits]] +who = "David Cook " +criteria = "safe-to-deploy" +delta = "0.2.15 -> 0.2.16" + +[[audits.isrg.audits.num-traits]] +who = "Ameer Ghani " +criteria = "safe-to-deploy" +delta = "0.2.16 -> 0.2.17" + +[[audits.isrg.audits.opaque-debug]] +who = "David Cook " +criteria = "safe-to-deploy" +version = "0.3.0" + +[[audits.isrg.audits.rand_chacha]] +who = "David Cook " +criteria = "safe-to-deploy" +version = "0.3.1" + +[[audits.isrg.audits.rand_core]] +who = "David Cook " +criteria = "safe-to-deploy" +version = "0.6.3" + +[[audits.isrg.audits.rayon]] +who = "Brandon Pitman " +criteria = "safe-to-deploy" +delta = "1.6.1 -> 1.7.0" + +[[audits.isrg.audits.rayon]] +who = "David Cook " +criteria = "safe-to-deploy" +delta = "1.7.0 -> 1.8.0" + +[[audits.isrg.audits.rayon-core]] +who = "Brandon Pitman " +criteria = "safe-to-deploy" +delta = "1.10.2 -> 1.11.0" + +[[audits.isrg.audits.rayon-core]] +who = "David Cook " +criteria = "safe-to-deploy" +delta = "1.11.0 -> 1.12.0" + +[[audits.isrg.audits.universal-hash]] +who = "David Cook " +criteria = "safe-to-deploy" +version = "0.4.1" + +[[audits.isrg.audits.universal-hash]] +who = "David Cook " +criteria = "safe-to-deploy" +delta = "0.5.0 -> 0.5.1" + +[[audits.isrg.audits.untrusted]] +who = "David Cook " +criteria = "safe-to-deploy" +version = "0.7.1" + [[audits.mozilla.wildcard-audits.unicode-normalization]] who = "Manish Goregaokar " criteria = "safe-to-deploy" @@ -672,6 +747,13 @@ delta = "0.4.18 -> 0.4.20" notes = "Only cfg attribute and internal macro changes and module refactorings" aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" +[[audits.mozilla.audits.num-bigint]] +who = "Josh Stone " +criteria = "safe-to-deploy" +version = "0.4.3" +notes = "All code written or reviewed by Josh Stone." +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + [[audits.mozilla.audits.num-integer]] who = "Josh Stone " criteria = "safe-to-deploy" @@ -679,6 +761,51 @@ version = "0.1.45" notes = "All code written or reviewed by Josh Stone." aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" +[[audits.mozilla.audits.num-traits]] +who = "Josh Stone " +criteria = "safe-to-deploy" +version = "0.2.15" +notes = "All code written or reviewed by Josh Stone." +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.rand_core]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.6.3 -> 0.6.4" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.rayon]] +who = "Josh Stone " +criteria = "safe-to-deploy" +version = "1.5.3" +notes = "All code written or reviewed by Josh Stone or Niko Matsakis." +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.rayon]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.5.3 -> 1.6.1" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.rayon-core]] +who = "Josh Stone " +criteria = "safe-to-deploy" +version = "1.9.3" +notes = "All code written or reviewed by Josh Stone or Niko Matsakis." +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.rayon-core]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.9.3 -> 1.10.1" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.rayon-core]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.10.1 -> 1.10.2" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + [[audits.mozilla.audits.rustversion]] who = "Bobby Holley " criteria = "safe-to-deploy" @@ -839,6 +966,13 @@ delta = "0.1.0 -> 0.1.1" notes = "Adds `#![forbid(unsafe_code)]` and license files." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" +[[audits.zcash.audits.universal-hash]] +who = "Daira Hopwood " +criteria = "safe-to-deploy" +delta = "0.4.1 -> 0.5.0" +notes = "I checked correctness of to_blocks which uses unsafe code in a safe function." +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + [[audits.zcash.audits.wagyu-zcash-parameters]] who = "Sean Bowe " criteria = "safe-to-deploy" From 03627b1de577a767f46813e26840fee7629dc46e Mon Sep 17 00:00:00 2001 From: Jack Grigg Date: Tue, 23 Apr 2024 00:02:25 +0000 Subject: [PATCH 09/15] Import Rust crate audits from the Bytecode Alliance --- supply-chain/config.toml | 79 +--------- supply-chain/imports.lock | 312 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 315 insertions(+), 76 deletions(-) diff --git a/supply-chain/config.toml b/supply-chain/config.toml index ac0a4e6ff..0075f01ad 100644 --- a/supply-chain/config.toml +++ b/supply-chain/config.toml @@ -4,6 +4,9 @@ [cargo-vet] version = "0.9" +[imports.bytecode-alliance] +url = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + [imports.google] url = "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml" @@ -59,10 +62,6 @@ audit-as-crates-io = true version = "0.21.0" criteria = "safe-to-deploy" -[[exemptions.adler]] -version = "1.0.2" -criteria = "safe-to-deploy" - [[exemptions.aead]] version = "0.5.2" criteria = "safe-to-deploy" @@ -83,18 +82,10 @@ criteria = "safe-to-deploy" version = "0.2.16" criteria = "safe-to-deploy" -[[exemptions.anes]] -version = "0.1.6" -criteria = "safe-to-run" - [[exemptions.anyhow]] version = "1.0.75" criteria = "safe-to-deploy" -[[exemptions.arrayref]] -version = "0.3.7" -criteria = "safe-to-deploy" - [[exemptions.arrayvec]] version = "0.7.4" criteria = "safe-to-deploy" @@ -119,10 +110,6 @@ criteria = "safe-to-deploy" version = "0.3.69" criteria = "safe-to-deploy" -[[exemptions.base64]] -version = "0.21.5" -criteria = "safe-to-deploy" - [[exemptions.base64ct]] version = "1.0.1" criteria = "safe-to-deploy" @@ -143,10 +130,6 @@ criteria = "safe-to-deploy" version = "1.3.2" criteria = "safe-to-deploy" -[[exemptions.bitflags]] -version = "2.4.1" -criteria = "safe-to-deploy" - [[exemptions.bitvec]] version = "1.0.1" criteria = "safe-to-deploy" @@ -159,10 +142,6 @@ criteria = "safe-to-deploy" version = "1.0.1" criteria = "safe-to-deploy" -[[exemptions.block-buffer]] -version = "0.10.4" -criteria = "safe-to-deploy" - [[exemptions.bls12_381]] version = "0.8.0" criteria = "safe-to-deploy" @@ -171,10 +150,6 @@ criteria = "safe-to-deploy" version = "0.5.0" criteria = "safe-to-deploy" -[[exemptions.bumpalo]] -version = "3.14.0" -criteria = "safe-to-deploy" - [[exemptions.bytemuck]] version = "1.14.0" criteria = "safe-to-run" @@ -195,10 +170,6 @@ criteria = "safe-to-run" version = "0.1.2" criteria = "safe-to-deploy" -[[exemptions.cc]] -version = "1.0.83" -criteria = "safe-to-deploy" - [[exemptions.chacha20]] version = "0.9.1" criteria = "safe-to-deploy" @@ -227,10 +198,6 @@ criteria = "safe-to-deploy" version = "3.2.25" criteria = "safe-to-run" -[[exemptions.constant_time_eq]] -version = "0.2.6" -criteria = "safe-to-deploy" - [[exemptions.cpp_demangle]] version = "0.4.3" criteria = "safe-to-run" @@ -263,10 +230,6 @@ criteria = "safe-to-deploy" version = "0.8.16" criteria = "safe-to-deploy" -[[exemptions.crypto-common]] -version = "0.1.6" -criteria = "safe-to-deploy" - [[exemptions.daggy]] version = "0.8.0" criteria = "safe-to-deploy" @@ -311,14 +274,6 @@ criteria = "safe-to-deploy" version = "2.0.0" criteria = "safe-to-deploy" -[[exemptions.futures-channel]] -version = "0.3.29" -criteria = "safe-to-deploy" - -[[exemptions.futures-core]] -version = "0.3.29" -criteria = "safe-to-deploy" - [[exemptions.futures-macro]] version = "0.3.29" criteria = "safe-to-deploy" @@ -483,10 +438,6 @@ criteria = "safe-to-deploy" version = "0.2.1" criteria = "safe-to-deploy" -[[exemptions.miniz_oxide]] -version = "0.7.1" -criteria = "safe-to-deploy" - [[exemptions.minreq]] version = "2.11.0" criteria = "safe-to-deploy" @@ -547,10 +498,6 @@ criteria = "safe-to-deploy" version = "0.10.1" criteria = "safe-to-deploy" -[[exemptions.percent-encoding]] -version = "2.3.0" -criteria = "safe-to-deploy" - [[exemptions.petgraph]] version = "0.6.4" criteria = "safe-to-deploy" @@ -563,10 +510,6 @@ criteria = "safe-to-deploy" version = "1.1.3" criteria = "safe-to-deploy" -[[exemptions.pin-utils]] -version = "0.1.0" -criteria = "safe-to-deploy" - [[exemptions.pkg-config]] version = "0.3.27" criteria = "safe-to-deploy" @@ -679,10 +622,6 @@ criteria = "safe-to-deploy" version = "0.29.0" criteria = "safe-to-deploy" -[[exemptions.rustc-demangle]] -version = "0.1.23" -criteria = "safe-to-deploy" - [[exemptions.rustix]] version = "0.38.21" criteria = "safe-to-deploy" @@ -859,10 +798,6 @@ criteria = "safe-to-deploy" version = "0.1.32" criteria = "safe-to-deploy" -[[exemptions.try-lock]] -version = "0.2.4" -criteria = "safe-to-deploy" - [[exemptions.typenum]] version = "1.17.0" criteria = "safe-to-deploy" @@ -883,10 +818,6 @@ criteria = "safe-to-deploy" version = "1.5.0" criteria = "safe-to-deploy" -[[exemptions.vcpkg]] -version = "0.2.15" -criteria = "safe-to-deploy" - [[exemptions.wait-timeout]] version = "0.2.0" criteria = "safe-to-deploy" @@ -895,10 +826,6 @@ criteria = "safe-to-deploy" version = "2.4.0" criteria = "safe-to-run" -[[exemptions.want]] -version = "0.3.1" -criteria = "safe-to-deploy" - [[exemptions.wasi]] version = "0.11.0+wasi-snapshot-preview1" criteria = "safe-to-deploy" diff --git a/supply-chain/imports.lock b/supply-chain/imports.lock index 15ede8f83..c2df5cbe9 100644 --- a/supply-chain/imports.lock +++ b/supply-chain/imports.lock @@ -1,6 +1,13 @@ # cargo-vet imports lock +[[publisher.bumpalo]] +version = "3.14.0" +when = "2023-09-14" +user-id = 696 +user-login = "fitzgen" +user-name = "Nick Fitzgerald" + [[publisher.equihash]] version = "0.2.0" when = "2022-06-24" @@ -218,6 +225,145 @@ user-id = 169181 user-login = "nuttycom" user-name = "Kris Nuttycombe" +[[audits.bytecode-alliance.wildcard-audits.bumpalo]] +who = "Nick Fitzgerald " +criteria = "safe-to-deploy" +user-id = 696 # Nick Fitzgerald (fitzgen) +start = "2019-03-16" +end = "2024-03-10" + +[[audits.bytecode-alliance.audits.adler]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +version = "1.0.2" +notes = "This is a small crate which forbids unsafe code and is a straightforward implementation of the adler hashing algorithm." + +[[audits.bytecode-alliance.audits.anes]] +who = "Pat Hickey " +criteria = "safe-to-deploy" +version = "0.1.6" +notes = "Contains no unsafe code, no IO, no build.rs." + +[[audits.bytecode-alliance.audits.arrayref]] +who = "Nick Fitzgerald " +criteria = "safe-to-deploy" +version = "0.3.6" +notes = """ +Unsafe code, but its logic looks good to me. Necessary given what it is +doing. Well tested, has quickchecks. +""" + +[[audits.bytecode-alliance.audits.base64]] +who = "Pat Hickey " +criteria = "safe-to-deploy" +version = "0.21.0" +notes = "This crate has no dependencies, no build.rs, and contains no unsafe code." + +[[audits.bytecode-alliance.audits.bitflags]] +who = "Jamey Sharp " +criteria = "safe-to-deploy" +delta = "2.1.0 -> 2.2.1" +notes = """ +This version adds unsafe impls of traits from the bytemuck crate when built +with that library enabled, but I believe the impls satisfy the documented +safety requirements for bytemuck. The other changes are minor. +""" + +[[audits.bytecode-alliance.audits.bitflags]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "2.3.2 -> 2.3.3" +notes = """ +Nothing outside the realm of what one would expect from a bitflags generator, +all as expected. +""" + +[[audits.bytecode-alliance.audits.block-buffer]] +who = "Benjamin Bouvier " +criteria = "safe-to-deploy" +delta = "0.9.0 -> 0.10.2" + +[[audits.bytecode-alliance.audits.cc]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +version = "1.0.73" +notes = "I am the author of this crate." + +[[audits.bytecode-alliance.audits.constant_time_eq]] +who = "Nick Fitzgerald " +criteria = "safe-to-deploy" +version = "0.2.4" +notes = "A few tiny blocks of `unsafe` but each of them is very obviously correct." + +[[audits.bytecode-alliance.audits.crypto-common]] +who = "Benjamin Bouvier " +criteria = "safe-to-deploy" +version = "0.1.3" + +[[audits.bytecode-alliance.audits.futures-channel]] +who = "Pat Hickey " +criteria = "safe-to-deploy" +version = "0.3.27" +notes = "build.rs is just detecting the target and setting cfg. unsafety is for implementing a concurrency primitives using atomics and unsafecell, and is not obviously incorrect (this is the sort of thing I wouldn't certify as correct without formal methods)" + +[[audits.bytecode-alliance.audits.futures-core]] +who = "Pat Hickey " +criteria = "safe-to-deploy" +version = "0.3.27" +notes = "Unsafe used to implement a concurrency primitive AtomicWaker. Well-commented and not obviously incorrect. Like my other audits of these concurrency primitives inside the futures family, I couldn't certify that it is correct without formal methods, but that is out of scope for this vetting." + +[[audits.bytecode-alliance.audits.miniz_oxide]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +version = "0.7.1" +notes = """ +This crate is a Rust implementation of zlib compression/decompression and has +been used by default by the Rust standard library for quite some time. It's also +a default dependency of the popular `backtrace` crate for decompressing debug +information. This crate forbids unsafe code and does not otherwise access system +resources. It's originally a port of the `miniz.c` library as well, and given +its own longevity should be relatively hardened against some of the more common +compression-related issues. +""" + +[[audits.bytecode-alliance.audits.percent-encoding]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +version = "2.2.0" +notes = """ +This crate is a single-file crate that does what it says on the tin. There are +a few `unsafe` blocks related to utf-8 validation which are locally verifiable +as correct and otherwise this crate is good to go. +""" + +[[audits.bytecode-alliance.audits.pin-utils]] +who = "Pat Hickey " +criteria = "safe-to-deploy" +version = "0.1.0" + +[[audits.bytecode-alliance.audits.rustc-demangle]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +version = "0.1.21" +notes = "I am the author of this crate." + +[[audits.bytecode-alliance.audits.try-lock]] +who = "Pat Hickey " +criteria = "safe-to-deploy" +version = "0.2.4" +notes = "Implements a concurrency primitive with atomics, and is not obviously incorrect" + +[[audits.bytecode-alliance.audits.vcpkg]] +who = "Pat Hickey " +criteria = "safe-to-deploy" +version = "0.2.15" +notes = "no build.rs, no macros, no unsafe. It reads the filesystem and makes copies of DLLs into OUT_DIR." + +[[audits.bytecode-alliance.audits.want]] +who = "Pat Hickey " +criteria = "safe-to-deploy" +version = "0.3.0" + [[audits.google.audits.async-stream]] who = "Tyler Mandry " criteria = "safe-to-deploy" @@ -525,6 +671,26 @@ Previously reviewed during security review and the audit is grandparented in. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" +[[audits.isrg.audits.base64]] +who = "Tim Geoghegan " +criteria = "safe-to-deploy" +delta = "0.21.0 -> 0.21.1" + +[[audits.isrg.audits.base64]] +who = "Brandon Pitman " +criteria = "safe-to-deploy" +delta = "0.21.1 -> 0.21.2" + +[[audits.isrg.audits.base64]] +who = "David Cook " +criteria = "safe-to-deploy" +delta = "0.21.2 -> 0.21.3" + +[[audits.isrg.audits.block-buffer]] +who = "David Cook " +criteria = "safe-to-deploy" +version = "0.9.0" + [[audits.isrg.audits.crunchy]] who = "David Cook " criteria = "safe-to-deploy" @@ -636,6 +802,62 @@ version = "0.6.3" notes = "Another crate I own via contain-rs that is ancient and in maintenance mode but otherwise perfectly fine." aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" +[[audits.mozilla.audits.bitflags]] +who = "Alex Franchuk " +criteria = "safe-to-deploy" +delta = "1.3.2 -> 2.0.2" +notes = "Removal of some unsafe code/methods. No changes to externals, just some refactoring (mostly internal)." +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.bitflags]] +who = "Nicolas Silva " +criteria = "safe-to-deploy" +delta = "2.0.2 -> 2.1.0" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.bitflags]] +who = "Teodor Tanasoaia " +criteria = "safe-to-deploy" +delta = "2.2.1 -> 2.3.2" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.bitflags]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "2.3.3 -> 2.4.0" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.bitflags]] +who = "Jan-Erik Rediger " +criteria = "safe-to-deploy" +delta = "2.4.0 -> 2.4.1" +notes = "Only allowing new clippy lints" +aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" + +[[audits.mozilla.audits.block-buffer]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.10.2 -> 0.10.3" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.cc]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.0.73 -> 1.0.78" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.cc]] +who = "Jan-Erik Rediger " +criteria = "safe-to-deploy" +delta = "1.0.78 -> 1.0.83" +aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" + +[[audits.mozilla.audits.crypto-common]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.1.3 -> 0.1.6" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + [[audits.mozilla.audits.debugid]] who = "Gabriele Svelto " criteria = "safe-to-deploy" @@ -690,6 +912,18 @@ version = "1.0.7" notes = "Simple hasher implementation with no unsafe code." aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" +[[audits.mozilla.audits.futures-channel]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.3.27 -> 0.3.28" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.futures-core]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.3.27 -> 0.3.28" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + [[audits.mozilla.audits.half]] who = "John M. Schanck " criteria = "safe-to-deploy" @@ -768,6 +1002,12 @@ version = "0.2.15" notes = "All code written or reviewed by Josh Stone." aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" +[[audits.mozilla.audits.percent-encoding]] +who = "Valentin Gosu " +criteria = "safe-to-deploy" +delta = "2.2.0 -> 2.3.0" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + [[audits.mozilla.audits.rand_core]] who = "Mike Hommey " criteria = "safe-to-deploy" @@ -867,6 +1107,44 @@ criteria = "safe-to-deploy" delta = "0.2.6 -> 0.2.10" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" +[[audits.zcash.audits.arrayref]] +who = "Sean Bowe " +criteria = "safe-to-deploy" +delta = "0.3.6 -> 0.3.7" +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + +[[audits.zcash.audits.base64]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.21.3 -> 0.21.4" +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + +[[audits.zcash.audits.base64]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.21.4 -> 0.21.5" +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + +[[audits.zcash.audits.block-buffer]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.10.3 -> 0.10.4" +notes = "Adds panics to prevent a block size of zero from causing unsoundness." +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + +[[audits.zcash.audits.constant_time_eq]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.2.4 -> 0.2.5" +notes = "No code changes." +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + +[[audits.zcash.audits.constant_time_eq]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.2.5 -> 0.2.6" +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + [[audits.zcash.audits.either]] who = "Jack Grigg " criteria = "safe-to-deploy" @@ -879,6 +1157,18 @@ criteria = "safe-to-deploy" delta = "2.0.0 -> 2.0.1" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" +[[audits.zcash.audits.futures-channel]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.3.28 -> 0.3.29" +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + +[[audits.zcash.audits.futures-core]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.3.28 -> 0.3.29" +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + [[audits.zcash.audits.inout]] who = "Daira Hopwood " criteria = "safe-to-deploy" @@ -959,6 +1249,18 @@ criteria = "safe-to-deploy" delta = "0.7.5 -> 0.8.2" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" +[[audits.zcash.audits.rustc-demangle]] +who = "Sean Bowe " +criteria = "safe-to-deploy" +delta = "0.1.21 -> 0.1.22" +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + +[[audits.zcash.audits.rustc-demangle]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.1.22 -> 0.1.23" +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + [[audits.zcash.audits.tinyvec_macros]] who = "Jack Grigg " criteria = "safe-to-deploy" @@ -1014,3 +1316,13 @@ who = "Sean Bowe " criteria = "safe-to-deploy" version = "0.2.0" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + +[[audits.zcash.audits.want]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.3.0 -> 0.3.1" +notes = """ +Migrates to `try-lock 0.2.4` to replace some unsafe APIs that were not marked +`unsafe` (but that were being used safely). +""" +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" From 846d9860f14187b9fa902573b87e586fe9762cc2 Mon Sep 17 00:00:00 2001 From: Jack Grigg Date: Tue, 23 Apr 2024 00:03:36 +0000 Subject: [PATCH 10/15] Import Rust crate audits from Embark Studios --- supply-chain/config.toml | 15 ++------ supply-chain/imports.lock | 73 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 76 insertions(+), 12 deletions(-) diff --git a/supply-chain/config.toml b/supply-chain/config.toml index 0075f01ad..ed682f0d1 100644 --- a/supply-chain/config.toml +++ b/supply-chain/config.toml @@ -7,6 +7,9 @@ version = "0.9" [imports.bytecode-alliance] url = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" +[imports.embark-studios] +url = "https://raw.githubusercontent.com/EmbarkStudios/rust-ecosystem/main/audits.toml" + [imports.google] url = "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml" @@ -82,10 +85,6 @@ criteria = "safe-to-deploy" version = "0.2.16" criteria = "safe-to-deploy" -[[exemptions.anyhow]] -version = "1.0.75" -criteria = "safe-to-deploy" - [[exemptions.arrayvec]] version = "0.7.4" criteria = "safe-to-deploy" @@ -730,10 +729,6 @@ criteria = "safe-to-deploy" version = "0.1.2" criteria = "safe-to-deploy" -[[exemptions.tap]] -version = "1.0.1" -criteria = "safe-to-deploy" - [[exemptions.tempfile]] version = "3.8.1" criteria = "safe-to-deploy" @@ -854,10 +849,6 @@ criteria = "safe-to-deploy" version = "0.3.65" criteria = "safe-to-deploy" -[[exemptions.webpki-roots]] -version = "0.25.2" -criteria = "safe-to-deploy" - [[exemptions.which]] version = "4.4.2" criteria = "safe-to-deploy" diff --git a/supply-chain/imports.lock b/supply-chain/imports.lock index c2df5cbe9..abd69157f 100644 --- a/supply-chain/imports.lock +++ b/supply-chain/imports.lock @@ -244,6 +244,11 @@ criteria = "safe-to-deploy" version = "0.1.6" notes = "Contains no unsafe code, no IO, no build.rs." +[[audits.bytecode-alliance.audits.anyhow]] +who = "Pat Hickey " +criteria = "safe-to-deploy" +delta = "1.0.69 -> 1.0.71" + [[audits.bytecode-alliance.audits.arrayref]] who = "Nick Fitzgerald " criteria = "safe-to-deploy" @@ -364,6 +369,33 @@ who = "Pat Hickey " criteria = "safe-to-deploy" version = "0.3.0" +[[audits.bytecode-alliance.audits.webpki-roots]] +who = "Pat Hickey " +criteria = "safe-to-deploy" +delta = "0.22.4 -> 0.23.0" + +[[audits.bytecode-alliance.audits.webpki-roots]] +who = "Pat Hickey " +criteria = "safe-to-deploy" +delta = "0.23.0 -> 0.25.2" + +[[audits.embark-studios.audits.anyhow]] +who = "Johan Andersson " +criteria = "safe-to-deploy" +version = "1.0.58" + +[[audits.embark-studios.audits.tap]] +who = "Johan Andersson " +criteria = "safe-to-deploy" +version = "1.0.1" +notes = "No unsafe usage or ambient capabilities" + +[[audits.embark-studios.audits.webpki-roots]] +who = "Johan Andersson " +criteria = "safe-to-deploy" +version = "0.22.4" +notes = "Inspected it to confirm that it only contains data definitions and no runtime code" + [[audits.google.audits.async-stream]] who = "Tyler Mandry " criteria = "safe-to-deploy" @@ -775,6 +807,37 @@ end = "2024-05-03" notes = "All code written or reviewed by Manish" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" +[[audits.mozilla.audits.anyhow]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.0.57 -> 1.0.61" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.anyhow]] +who = "Bobby Holley " +criteria = "safe-to-deploy" +delta = "1.0.58 -> 1.0.57" +notes = "No functional differences, just CI config and docs." +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.anyhow]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.0.61 -> 1.0.62" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.anyhow]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.0.62 -> 1.0.68" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.anyhow]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.0.68 -> 1.0.69" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + [[audits.mozilla.audits.autocfg]] who = "Josh Stone " criteria = "safe-to-deploy" @@ -1107,6 +1170,16 @@ criteria = "safe-to-deploy" delta = "0.2.6 -> 0.2.10" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" +[[audits.zcash.audits.anyhow]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "1.0.71 -> 1.0.75" +notes = """ +`unsafe` changes are migrating from `core::any::Demand` to `std::error::Request` when the +nightly features are available. +""" +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + [[audits.zcash.audits.arrayref]] who = "Sean Bowe " criteria = "safe-to-deploy" From e574c2775511c9df1cc77d2a18a2ef0eaa5865ad Mon Sep 17 00:00:00 2001 From: Jack Grigg Date: Tue, 23 Apr 2024 00:04:49 +0000 Subject: [PATCH 11/15] Import Rust crate audits from Fermyon --- supply-chain/config.toml | 7 +++---- supply-chain/imports.lock | 5 +++++ 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/supply-chain/config.toml b/supply-chain/config.toml index ed682f0d1..ab50b42a3 100644 --- a/supply-chain/config.toml +++ b/supply-chain/config.toml @@ -10,6 +10,9 @@ url = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-c [imports.embark-studios] url = "https://raw.githubusercontent.com/EmbarkStudios/rust-ecosystem/main/audits.toml" +[imports.fermyon] +url = "https://raw.githubusercontent.com/fermyon/spin/main/supply-chain/audits.toml" + [imports.google] url = "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml" @@ -469,10 +472,6 @@ criteria = "safe-to-deploy" version = "1.18.0" criteria = "safe-to-deploy" -[[exemptions.oorandom]] -version = "11.1.3" -criteria = "safe-to-run" - [[exemptions.os_str_bytes]] version = "6.6.1" criteria = "safe-to-run" diff --git a/supply-chain/imports.lock b/supply-chain/imports.lock index abd69157f..2c2dd9e41 100644 --- a/supply-chain/imports.lock +++ b/supply-chain/imports.lock @@ -396,6 +396,11 @@ criteria = "safe-to-deploy" version = "0.22.4" notes = "Inspected it to confirm that it only contains data definitions and no runtime code" +[[audits.fermyon.audits.oorandom]] +who = "Radu Matei " +criteria = "safe-to-run" +version = "11.1.3" + [[audits.google.audits.async-stream]] who = "Tyler Mandry " criteria = "safe-to-deploy" From 08cd7e20bd7f11a403c4081594f59ab73e1ee0ee Mon Sep 17 00:00:00 2001 From: Jack Grigg Date: Tue, 23 Apr 2024 00:31:02 +0000 Subject: [PATCH 12/15] CI: Add audit check for `cargo vet` --- .github/workflows/audits.yml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 .github/workflows/audits.yml diff --git a/.github/workflows/audits.yml b/.github/workflows/audits.yml new file mode 100644 index 000000000..327969b35 --- /dev/null +++ b/.github/workflows/audits.yml @@ -0,0 +1,21 @@ +name: Audits + +on: + pull_request: + push: + branches: main + +permissions: + contents: read + +jobs: + cargo-vet: + name: Vet Rust dependencies + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - uses: dtolnay/rust-toolchain@stable + id: toolchain + - run: rustup override set ${{steps.toolchain.outputs.name}} + - run: cargo install cargo-vet --version ~0.9 + - run: cargo vet --locked From 66f11ce29fc40acc112decfe526e6f4fa5d0a10e Mon Sep 17 00:00:00 2001 From: Jack Grigg Date: Tue, 23 Apr 2024 00:32:38 +0000 Subject: [PATCH 13/15] Add config file for `cargo deny check licenses` Most of the config is copied from `zcash/zcash`, but with a few extra license exceptions due to the `download-params` feature of `zcash_proofs` and the `lightwalletd-tonic-transport` feature of `zcash_client_backend`. --- deny.toml | 51 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 deny.toml diff --git a/deny.toml b/deny.toml new file mode 100644 index 000000000..79248160d --- /dev/null +++ b/deny.toml @@ -0,0 +1,51 @@ +# Configuration file for cargo-deny + +[graph] +targets = [ + # Targets used by zcashd + { triple = "aarch64-unknown-linux-gnu" }, + { triple = "x86_64-apple-darwin" }, + { triple = "x86_64-pc-windows-gnu" }, + { triple = "x86_64-unknown-freebsd" }, + { triple = "x86_64-unknown-linux-gnu" }, + # Targets used by zcash-android-wallet-sdk + { triple = "aarch64-linux-android" }, + { triple = "armv7-linux-androideabi" }, + { triple = "i686-linux-android" }, + { triple = "x86_64-linux-android" }, + # Targets used by zcash-swift-wallet-sdk + { triple = "aarch64-apple-darwin" }, + { triple = "aarch64-apple-ios" }, + { triple = "aarch64-apple-ios-sim" }, + { triple = "x86_64-apple-darwin" }, + { triple = "x86_64-apple-ios" }, +] +all-features = true +exclude-dev = true + +[licenses] +version = 2 +allow = [ + "Apache-2.0", + "MIT", +] +exceptions = [ + { name = "arrayref", allow = ["BSD-2-Clause"] }, + { name = "matchit", allow = ["BSD-3-Clause"] }, + { name = "minreq", allow = ["ISC"] }, + { name = "ring", allow = ["LicenseRef-ring"] }, + { name = "rustls-webpki", allow = ["ISC"] }, + { name = "secp256k1", allow = ["CC0-1.0"] }, + { name = "secp256k1-sys", allow = ["CC0-1.0"] }, + { name = "subtle", allow = ["BSD-3-Clause"] }, + { name = "unicode-ident", allow = ["Unicode-DFS-2016"] }, + { name = "untrusted", allow = ["ISC"] }, + { name = "webpki-roots", allow = ["MPL-2.0"] }, +] + +[[licenses.clarify]] +name = "ring" +expression = "LicenseRef-ring" +license-files = [ + { path = "LICENSE", hash = 0xbd0eed23 }, +] From 011909d609df76c46a055f05b4c24758acd07532 Mon Sep 17 00:00:00 2001 From: Jack Grigg Date: Tue, 23 Apr 2024 00:34:03 +0000 Subject: [PATCH 14/15] CI: Add audit check for `cargo deny check licenses` --- .github/workflows/audits.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/.github/workflows/audits.yml b/.github/workflows/audits.yml index 327969b35..7e58402de 100644 --- a/.github/workflows/audits.yml +++ b/.github/workflows/audits.yml @@ -19,3 +19,12 @@ jobs: - run: rustup override set ${{steps.toolchain.outputs.name}} - run: cargo install cargo-vet --version ~0.9 - run: cargo vet --locked + + cargo-deny: + name: Check licenses + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - uses: EmbarkStudios/cargo-deny-action@v1 + with: + command: check licenses From 069109b69170bc38ba72fbac8538788285a84fa4 Mon Sep 17 00:00:00 2001 From: Jack Grigg Date: Tue, 23 Apr 2024 00:40:33 +0000 Subject: [PATCH 15/15] Adjust versions of pinned dependencies to cover more audits --- Cargo.lock | 20 +++--- supply-chain/config.toml | 10 +-- supply-chain/imports.lock | 140 ++++++++++++++++++++++++-------------- 3 files changed, 100 insertions(+), 70 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index f9e789fa8..5fc9e6bab 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -282,9 +282,9 @@ checksum = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a" [[package]] name = "bitflags" -version = "2.4.1" +version = "2.4.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "327762f6e5a765692301e5bb513e0d9fef63be86bbc14528052b1cd3e6f03e07" +checksum = "ed570934406eb16438a4e976b1b4500774099c13b8cb96eec99f620f05090ddf" [[package]] name = "bitvec" @@ -1751,7 +1751,7 @@ checksum = "7c003ac8c77cb07bb74f5f198bce836a689bcd5a42574612bf14d17bfd08c20e" dependencies = [ "bit-set", "bit-vec", - "bitflags 2.4.1", + "bitflags 2.4.2", "lazy_static", "num-traits", "rand", @@ -2034,7 +2034,7 @@ version = "0.29.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "549b9d036d571d42e6e85d1c1425e2ac83491075078ca9a15be021c56b1641f2" dependencies = [ - "bitflags 2.4.1", + "bitflags 2.4.2", "fallible-iterator", "fallible-streaming-iterator", "hashlink", @@ -2055,7 +2055,7 @@ version = "0.38.21" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "2b426b0506e5d50a7d8dafcf2e81471400deb602392c7dd110815afb4eaf02a3" dependencies = [ - "bitflags 2.4.1", + "bitflags 2.4.2", "errno", "libc", "linux-raw-sys", @@ -2265,7 +2265,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "d766257c56a1bdd75479c256b97c92e72788a9afb18b5199f58faf7188dc99d9" dependencies = [ "assert_matches", - "bitflags 2.4.1", + "bitflags 2.4.2", "either", "incrementalmerkletree", "proptest", @@ -2421,18 +2421,18 @@ checksum = "222a222a5bfe1bba4a77b45ec488a741b3cb8872e5e499451fd7d0129c9c7c3d" [[package]] name = "thiserror" -version = "1.0.50" +version = "1.0.51" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f9a7210f5c9a7156bb50aa36aed4c95afb51df0df00713949448cf9e97d382d2" +checksum = "f11c217e1416d6f036b870f14e0413d480dbf28edbee1f877abaf0206af43bb7" dependencies = [ "thiserror-impl", ] [[package]] name = "thiserror-impl" -version = "1.0.50" +version = "1.0.51" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "266b2e40bc00e5a6c09c3584011e08b06f123c00362c92b975ba9843aaaa14b8" +checksum = "01742297787513b79cf8e29d1056ede1313e2420b7b3b15d0a768b4921f549df" dependencies = [ "proc-macro2", "quote", diff --git a/supply-chain/config.toml b/supply-chain/config.toml index ab50b42a3..7aea5901a 100644 --- a/supply-chain/config.toml +++ b/supply-chain/config.toml @@ -397,7 +397,7 @@ version = "0.2.150" criteria = "safe-to-deploy" [[exemptions.libm]] -version = "0.2.8" +version = "0.2.2" criteria = "safe-to-deploy" [[exemptions.libsqlite3-sys]] @@ -732,14 +732,6 @@ criteria = "safe-to-deploy" version = "3.8.1" criteria = "safe-to-deploy" -[[exemptions.thiserror]] -version = "1.0.50" -criteria = "safe-to-deploy" - -[[exemptions.thiserror-impl]] -version = "1.0.50" -criteria = "safe-to-deploy" - [[exemptions.time]] version = "0.3.23" criteria = "safe-to-deploy" diff --git a/supply-chain/imports.lock b/supply-chain/imports.lock index 2c2dd9e41..97a43b775 100644 --- a/supply-chain/imports.lock +++ b/supply-chain/imports.lock @@ -264,25 +264,6 @@ criteria = "safe-to-deploy" version = "0.21.0" notes = "This crate has no dependencies, no build.rs, and contains no unsafe code." -[[audits.bytecode-alliance.audits.bitflags]] -who = "Jamey Sharp " -criteria = "safe-to-deploy" -delta = "2.1.0 -> 2.2.1" -notes = """ -This version adds unsafe impls of traits from the bytemuck crate when built -with that library enabled, but I believe the impls satisfy the documented -safety requirements for bytemuck. The other changes are minor. -""" - -[[audits.bytecode-alliance.audits.bitflags]] -who = "Alex Crichton " -criteria = "safe-to-deploy" -delta = "2.3.2 -> 2.3.3" -notes = """ -Nothing outside the realm of what one would expect from a bitflags generator, -all as expected. -""" - [[audits.bytecode-alliance.audits.block-buffer]] who = "Benjamin Bouvier " criteria = "safe-to-deploy" @@ -317,6 +298,25 @@ criteria = "safe-to-deploy" version = "0.3.27" notes = "Unsafe used to implement a concurrency primitive AtomicWaker. Well-commented and not obviously incorrect. Like my other audits of these concurrency primitives inside the futures family, I couldn't certify that it is correct without formal methods, but that is out of scope for this vetting." +[[audits.bytecode-alliance.audits.libm]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.2.2 -> 0.2.4" +notes = """ +This diff primarily fixes a few issues with the `fma`-related functions, +but also contains some other minor fixes as well. Everything looks A-OK and +as expected. +""" + +[[audits.bytecode-alliance.audits.libm]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.2.4 -> 0.2.7" +notes = """ +This is a minor update which has some testing affordances as well as some +updated math algorithms. +""" + [[audits.bytecode-alliance.audits.miniz_oxide]] who = "Alex Crichton " criteria = "safe-to-deploy" @@ -390,6 +390,18 @@ criteria = "safe-to-deploy" version = "1.0.1" notes = "No unsafe usage or ambient capabilities" +[[audits.embark-studios.audits.thiserror]] +who = "Johan Andersson " +criteria = "safe-to-deploy" +version = "1.0.40" +notes = "Wrapper over implementation crate, found no unsafe or ambient capabilities used" + +[[audits.embark-studios.audits.thiserror-impl]] +who = "Johan Andersson " +criteria = "safe-to-deploy" +version = "1.0.40" +notes = "Found no unsafe or ambient capabilities used" + [[audits.embark-studios.audits.webpki-roots]] who = "Johan Andersson " criteria = "safe-to-deploy" @@ -435,6 +447,23 @@ criteria = "safe-to-run" version = "0.2.14" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" +[[audits.google.audits.bitflags]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +version = "2.4.2" +notes = """ +Audit notes: + +* I've checked for any discussion in Google-internal cl/546819168 (where audit + of version 2.3.3 happened) +* `src/lib.rs` contains `#![cfg_attr(not(test), forbid(unsafe_code))]` +* There are 2 cases of `unsafe` in `src/external.rs` but they seem to be + correct in a straightforward way - they just propagate the marker trait's + impl (e.g. `impl bytemuck::Pod`) from the inner to the outer type +* Additional discussion and/or notes may be found in https://crrev.com/c/5238056 +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + [[audits.google.audits.cfg-if]] who = "George Burgess IV " criteria = "safe-to-deploy" @@ -788,6 +817,16 @@ who = "David Cook " criteria = "safe-to-deploy" delta = "1.11.0 -> 1.12.0" +[[audits.isrg.audits.thiserror]] +who = "Brandon Pitman " +criteria = "safe-to-deploy" +delta = "1.0.40 -> 1.0.43" + +[[audits.isrg.audits.thiserror-impl]] +who = "Brandon Pitman " +criteria = "safe-to-deploy" +delta = "1.0.40 -> 1.0.43" + [[audits.isrg.audits.universal-hash]] who = "David Cook " criteria = "safe-to-deploy" @@ -870,38 +909,6 @@ version = "0.6.3" notes = "Another crate I own via contain-rs that is ancient and in maintenance mode but otherwise perfectly fine." aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" -[[audits.mozilla.audits.bitflags]] -who = "Alex Franchuk " -criteria = "safe-to-deploy" -delta = "1.3.2 -> 2.0.2" -notes = "Removal of some unsafe code/methods. No changes to externals, just some refactoring (mostly internal)." -aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" - -[[audits.mozilla.audits.bitflags]] -who = "Nicolas Silva " -criteria = "safe-to-deploy" -delta = "2.0.2 -> 2.1.0" -aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" - -[[audits.mozilla.audits.bitflags]] -who = "Teodor Tanasoaia " -criteria = "safe-to-deploy" -delta = "2.2.1 -> 2.3.2" -aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" - -[[audits.mozilla.audits.bitflags]] -who = "Mike Hommey " -criteria = "safe-to-deploy" -delta = "2.3.3 -> 2.4.0" -aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" - -[[audits.mozilla.audits.bitflags]] -who = "Jan-Erik Rediger " -criteria = "safe-to-deploy" -delta = "2.4.0 -> 2.4.1" -notes = "Only allowing new clippy lints" -aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" - [[audits.mozilla.audits.block-buffer]] who = "Mike Hommey " criteria = "safe-to-deploy" @@ -1277,6 +1284,13 @@ Uses `unsafe` blocks to interact with `windows-sys` crate. """ aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" +[[audits.zcash.audits.libm]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.2.7 -> 0.2.8" +notes = "Forces some intermediate values to not have too much precision on the x87 FPU." +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + [[audits.zcash.audits.maybe-rayon]] who = "Sean Bowe " criteria = "safe-to-deploy" @@ -1339,6 +1353,30 @@ criteria = "safe-to-deploy" delta = "0.1.22 -> 0.1.23" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" +[[audits.zcash.audits.thiserror]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "1.0.43 -> 1.0.48" +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + +[[audits.zcash.audits.thiserror]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "1.0.48 -> 1.0.51" +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + +[[audits.zcash.audits.thiserror-impl]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "1.0.43 -> 1.0.48" +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + +[[audits.zcash.audits.thiserror-impl]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "1.0.48 -> 1.0.51" +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + [[audits.zcash.audits.tinyvec_macros]] who = "Jack Grigg " criteria = "safe-to-deploy"