From b4793ace4cb711a117518366eb617d46bdb9419b Mon Sep 17 00:00:00 2001
From: Conrado Gouvea
Date: Mon, 2 Oct 2023 19:29:54 -0300
Subject: [PATCH] initial cargo vet support

---
 supply-chain/audits.toml | 4 +
 supply-chain/config.toml | 703 ++++++++++++++++++++++++++++++++++++++
 supply-chain/imports.lock | 233 +++++++++++++
 3 files changed, 940 insertions(+)
 create mode 100644 supply-chain/audits.toml
 create mode 100644 supply-chain/config.toml
 create mode 100644 supply-chain/imports.lock

diff --git a/supply-chain/audits.toml b/supply-chain/audits.toml
new file mode 100644
index 0000000..2772ccb
--- /dev/null
+++ b/supply-chain/audits.toml
@@ -0,0 +1,4 @@
+
+# cargo-vet audits file
+
+[audits]
diff --git a/supply-chain/config.toml b/supply-chain/config.toml
new file mode 100644
index 0000000..4b1b475
--- /dev/null
+++ b/supply-chain/config.toml
@@ -0,0 +1,703 @@ + +# cargo-vet config file + +[cargo-vet] +version = "0.8" + +[imports.google] +url = "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml" + +[imports.mozilla] +url = "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml" + +[imports.zcash] +url = "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml" + +[policy.frost-core] +audit-as-crates-io = true + +[policy.frost-ed25519] +audit-as-crates-io = true + +[policy.frost-ed448] +audit-as-crates-io = true + +[policy.frost-p256] +audit-as-crates-io = true + +[policy.frost-rerandomized] +audit-as-crates-io = true + +[policy.frost-ristretto255] +audit-as-crates-io = true + +[policy.frost-secp256k1] +audit-as-crates-io = true + +[[exemptions.aho-corasick]] +version = "1.0.5" +criteria = "safe-to-deploy" + +[[exemptions.anes]] +version = "0.1.6" +criteria = "safe-to-deploy" + +[[exemptions.anstyle]] +version = "1.0.3" +criteria = "safe-to-deploy" + +[[exemptions.atomic-polyfill]] +version = "0.1.11" +criteria = "safe-to-deploy" + +[[exemptions.base16ct]] +version = "0.2.0" +criteria = "safe-to-deploy" + +[[exemptions.base64ct]] +version = "1.6.0" +criteria = "safe-to-deploy" + +[[exemptions.bitflags]] +version = "1.3.2" +criteria = "safe-to-deploy" + +[[exemptions.bitflags]] +version = "2.4.0" +criteria = "safe-to-deploy" + +[[exemptions.block-buffer]] +version = "0.10.4" +criteria = "safe-to-deploy" + +[[exemptions.bumpalo]] +version = "3.14.0" +criteria = "safe-to-deploy" + +[[exemptions.byteorder]] +version = "1.4.3" +criteria = "safe-to-deploy" + +[[exemptions.cast]] +version = "0.3.0" +criteria = "safe-to-deploy" + +[[exemptions.cc]] +version = "1.0.83" +criteria = "safe-to-deploy" + +[[exemptions.ciborium]] +version = "0.2.1" +criteria = "safe-to-deploy" + +[[exemptions.ciborium-io]] +version = "0.2.1" +criteria = "safe-to-deploy" + +[[exemptions.ciborium-ll]] +version = "0.2.1" +criteria = "safe-to-deploy" + +[[exemptions.clap]] 
+version = "4.4.3" +criteria = "safe-to-deploy" + +[[exemptions.clap_builder]] +version = "4.4.2" +criteria = "safe-to-deploy" + +[[exemptions.clap_lex]] +version = "0.5.1" +criteria = "safe-to-deploy" + +[[exemptions.cobs]] +version = "0.2.3" +criteria = "safe-to-deploy" + +[[exemptions.const-crc32]] +version = "1.3.0" +criteria = "safe-to-deploy" + +[[exemptions.const-oid]] +version = "0.9.5" +criteria = "safe-to-deploy" + +[[exemptions.cpufeatures]] +version = "0.2.9" +criteria = "safe-to-deploy" + +[[exemptions.criterion]] +version = "0.5.1" +criteria = "safe-to-deploy" + +[[exemptions.criterion-plot]] +version = "0.5.0" +criteria = "safe-to-deploy" + +[[exemptions.critical-section]] +version = "1.1.2" +criteria = "safe-to-deploy" + +[[exemptions.crossbeam-channel]] +version = "0.5.8" +criteria = "safe-to-deploy" + +[[exemptions.crossbeam-deque]] +version = "0.8.3" +criteria = "safe-to-deploy" + +[[exemptions.crossbeam-epoch]] +version = "0.9.15" +criteria = "safe-to-deploy" + +[[exemptions.crossbeam-utils]] +version = "0.8.16" +criteria = "safe-to-deploy" + +[[exemptions.crypto-bigint]] +version = "0.5.3" +criteria = "safe-to-deploy" + +[[exemptions.crypto-common]] +version = "0.1.6" +criteria = "safe-to-deploy" + +[[exemptions.curve25519-dalek]] +version = "4.1.0" +criteria = "safe-to-deploy" + +[[exemptions.curve25519-dalek-derive]] +version = "0.1.0" +criteria = "safe-to-deploy" + +[[exemptions.debugless-unwrap]] +version = "0.0.4" +criteria = "safe-to-deploy" + +[[exemptions.der]] +version = "0.7.8" +criteria = "safe-to-deploy" + +[[exemptions.derive-getters]] +version = "0.3.0" +criteria = "safe-to-deploy" + +[[exemptions.digest]] +version = "0.10.7" +criteria = "safe-to-deploy" + +[[exemptions.ecdsa]] +version = "0.16.8" +criteria = "safe-to-deploy" + +[[exemptions.ed25519]] +version = "2.2.2" +criteria = "safe-to-run" + +[[exemptions.ed25519-dalek]] +version = "2.0.0" +criteria = "safe-to-run" + +[[exemptions.ed448-goldilocks]] +version = "0.9.0" 
+criteria = "safe-to-deploy" + +[[exemptions.elliptic-curve]] +version = "0.13.5" +criteria = "safe-to-deploy" + +[[exemptions.encode_unicode]] +version = "0.3.6" +criteria = "safe-to-run" + +[[exemptions.errno]] +version = "0.3.3" +criteria = "safe-to-deploy" + +[[exemptions.errno-dragonfly]] +version = "0.1.2" +criteria = "safe-to-deploy" + +[[exemptions.ff]] +version = "0.13.0" +criteria = "safe-to-deploy" + +[[exemptions.fiat-crypto]] +version = "0.1.20" +criteria = "safe-to-deploy" + +[[exemptions.fiat-crypto]] +version = "0.2.1" +criteria = "safe-to-deploy" + +[[exemptions.frost-core]] +version = "0.7.0" +criteria = "safe-to-deploy" + +[[exemptions.frost-ed25519]] +version = "0.7.0" +criteria = "safe-to-deploy" + +[[exemptions.frost-ed448]] +version = "0.7.0" +criteria = "safe-to-deploy" + +[[exemptions.frost-p256]] +version = "0.7.0" +criteria = "safe-to-deploy" + +[[exemptions.frost-rerandomized]] +version = "0.7.0" +criteria = "safe-to-deploy" + +[[exemptions.frost-ristretto255]] +version = "0.7.0" +criteria = "safe-to-deploy" + +[[exemptions.frost-secp256k1]] +version = "0.7.0" +criteria = "safe-to-deploy" + +[[exemptions.generic-array]] +version = "0.14.7" +criteria = "safe-to-deploy" + +[[exemptions.getrandom]] +version = "0.2.10" +criteria = "safe-to-deploy" + +[[exemptions.group]] +version = "0.13.0" +criteria = "safe-to-deploy" + +[[exemptions.hash32]] +version = "0.2.1" +criteria = "safe-to-deploy" + +[[exemptions.heapless]] +version = "0.7.16" +criteria = "safe-to-deploy" + +[[exemptions.hermit-abi]] +version = "0.3.2" +criteria = "safe-to-deploy" + +[[exemptions.hmac]] +version = "0.12.1" +criteria = "safe-to-deploy" + +[[exemptions.insta]] +version = "1.31.0" +criteria = "safe-to-run" + +[[exemptions.is-terminal]] +version = "0.4.9" +criteria = "safe-to-deploy" + +[[exemptions.itertools]] +version = "0.10.5" +criteria = "safe-to-deploy" + +[[exemptions.itertools]] +version = "0.11.0" +criteria = "safe-to-deploy" + +[[exemptions.itoa]] +version = 
"1.0.9" +criteria = "safe-to-deploy" + +[[exemptions.js-sys]] +version = "0.3.64" +criteria = "safe-to-deploy" + +[[exemptions.k256]] +version = "0.13.1" +criteria = "safe-to-deploy" + +[[exemptions.keccak]] +version = "0.1.4" +criteria = "safe-to-deploy" + +[[exemptions.libc]] +version = "0.2.148" +criteria = "safe-to-deploy" + +[[exemptions.libm]] +version = "0.2.7" +criteria = "safe-to-deploy" + +[[exemptions.linux-raw-sys]] +version = "0.4.7" +criteria = "safe-to-deploy" + +[[exemptions.litrs]] +version = "0.2.3" +criteria = "safe-to-deploy" + +[[exemptions.lock_api]] +version = "0.4.10" +criteria = "safe-to-deploy" + +[[exemptions.memchr]] +version = "2.6.3" +criteria = "safe-to-deploy" + +[[exemptions.memoffset]] +version = "0.9.0" +criteria = "safe-to-deploy" + +[[exemptions.num-traits]] +version = "0.2.16" +criteria = "safe-to-deploy" + +[[exemptions.num_cpus]] +version = "1.16.0" +criteria = "safe-to-deploy" + +[[exemptions.once_cell]] +version = "1.18.0" +criteria = "safe-to-deploy" + +[[exemptions.oorandom]] +version = "11.1.3" +criteria = "safe-to-deploy" + +[[exemptions.p256]] +version = "0.13.2" +criteria = "safe-to-deploy" + +[[exemptions.pem-rfc7468]] +version = "0.7.0" +criteria = "safe-to-deploy" + +[[exemptions.pkcs8]] +version = "0.10.2" +criteria = "safe-to-deploy" + +[[exemptions.plotters]] +version = "0.3.5" +criteria = "safe-to-deploy" + +[[exemptions.plotters-backend]] +version = "0.3.5" +criteria = "safe-to-deploy" + +[[exemptions.plotters-svg]] +version = "0.3.5" +criteria = "safe-to-deploy" + +[[exemptions.postcard]] +version = "1.0.7" +criteria = "safe-to-deploy" + +[[exemptions.ppv-lite86]] +version = "0.2.17" +criteria = "safe-to-deploy" + +[[exemptions.primeorder]] +version = "0.13.2" +criteria = "safe-to-deploy" + +[[exemptions.proc-macro2]] +version = "1.0.67" +criteria = "safe-to-deploy" + +[[exemptions.proptest]] +version = "1.2.0" +criteria = "safe-to-deploy" + +[[exemptions.quick-error]] +version = "1.2.3" +criteria = 
"safe-to-deploy" + +[[exemptions.quote]] +version = "1.0.33" +criteria = "safe-to-deploy" + +[[exemptions.rand]] +version = "0.8.5" +criteria = "safe-to-deploy" + +[[exemptions.rand_chacha]] +version = "0.3.1" +criteria = "safe-to-deploy" + +[[exemptions.rand_core]] +version = "0.6.4" +criteria = "safe-to-deploy" + +[[exemptions.rayon]] +version = "1.7.0" +criteria = "safe-to-deploy" + +[[exemptions.rayon-core]] +version = "1.11.0" +criteria = "safe-to-deploy" + +[[exemptions.redox_syscall]] +version = "0.3.5" +criteria = "safe-to-deploy" + +[[exemptions.regex]] +version = "1.9.5" +criteria = "safe-to-deploy" + +[[exemptions.regex-automata]] +version = "0.3.8" +criteria = "safe-to-deploy" + +[[exemptions.regex-syntax]] +version = "0.6.29" +criteria = "safe-to-deploy" + +[[exemptions.regex-syntax]] +version = "0.7.5" +criteria = "safe-to-deploy" + +[[exemptions.rfc6979]] +version = "0.4.0" +criteria = "safe-to-deploy" + +[[exemptions.rustix]] +version = "0.38.13" +criteria = "safe-to-deploy" + +[[exemptions.rusty-fork]] +version = "0.3.0" +criteria = "safe-to-deploy" + +[[exemptions.ryu]] +version = "1.0.15" +criteria = "safe-to-deploy" + +[[exemptions.same-file]] +version = "1.0.6" +criteria = "safe-to-deploy" + +[[exemptions.scopeguard]] +version = "1.2.0" +criteria = "safe-to-deploy" + +[[exemptions.sec1]] +version = "0.7.3" +criteria = "safe-to-deploy" + +[[exemptions.semver]] +version = "1.0.18" +criteria = "safe-to-deploy" + +[[exemptions.serde]] +version = "1.0.188" +criteria = "safe-to-deploy" + +[[exemptions.serde_derive]] +version = "1.0.188" +criteria = "safe-to-deploy" + +[[exemptions.serde_json]] +version = "1.0.107" +criteria = "safe-to-deploy" + +[[exemptions.serdect]] +version = "0.2.0" +criteria = "safe-to-deploy" + +[[exemptions.sha2]] +version = "0.10.7" +criteria = "safe-to-deploy" + +[[exemptions.sha3]] +version = "0.10.8" +criteria = "safe-to-deploy" + +[[exemptions.similar]] +version = "2.2.1" +criteria = "safe-to-run" + +[[exemptions.spin]] 
+version = "0.9.8" +criteria = "safe-to-deploy" + +[[exemptions.spki]] +version = "0.7.2" +criteria = "safe-to-deploy" + +[[exemptions.stable_deref_trait]] +version = "1.2.0" +criteria = "safe-to-deploy" + +[[exemptions.syn]] +version = "1.0.109" +criteria = "safe-to-deploy" + +[[exemptions.syn]] +version = "2.0.33" +criteria = "safe-to-deploy" + +[[exemptions.tempfile]] +version = "3.8.0" +criteria = "safe-to-deploy" + +[[exemptions.thiserror]] +version = "1.0.48" +criteria = "safe-to-deploy" + +[[exemptions.thiserror-impl]] +version = "1.0.48" +criteria = "safe-to-deploy" + +[[exemptions.tinytemplate]] +version = "1.2.1" +criteria = "safe-to-deploy" + +[[exemptions.typenum]] +version = "1.16.0" +criteria = "safe-to-deploy" + +[[exemptions.unarray]] +version = "0.1.4" +criteria = "safe-to-deploy" + +[[exemptions.unicode-ident]] +version = "1.0.12" +criteria = "safe-to-deploy" + +[[exemptions.visibility]] +version = "0.1.0" +criteria = "safe-to-deploy" + +[[exemptions.wait-timeout]] +version = "0.2.0" +criteria = "safe-to-deploy" + +[[exemptions.walkdir]] +version = "2.4.0" +criteria = "safe-to-deploy" + +[[exemptions.wasi]] +version = "0.11.0+wasi-snapshot-preview1" +criteria = "safe-to-deploy" + +[[exemptions.wasm-bindgen]] +version = "0.2.87" +criteria = "safe-to-deploy" + +[[exemptions.wasm-bindgen-backend]] +version = "0.2.87" +criteria = "safe-to-deploy" + +[[exemptions.wasm-bindgen-macro]] +version = "0.2.87" +criteria = "safe-to-deploy" + +[[exemptions.wasm-bindgen-macro-support]] +version = "0.2.87" +criteria = "safe-to-deploy" + +[[exemptions.wasm-bindgen-shared]] +version = "0.2.87" +criteria = "safe-to-deploy" + +[[exemptions.web-sys]] +version = "0.3.64" +criteria = "safe-to-deploy" + +[[exemptions.winapi]] +version = "0.3.9" +criteria = "safe-to-deploy" + +[[exemptions.winapi-i686-pc-windows-gnu]] +version = "0.4.0" +criteria = "safe-to-deploy" + +[[exemptions.winapi-util]] +version = "0.1.5" +criteria = "safe-to-deploy" + 
+[[exemptions.winapi-x86_64-pc-windows-gnu]] +version = "0.4.0" +criteria = "safe-to-deploy" + +[[exemptions.windows-sys]] +version = "0.45.0" +criteria = "safe-to-run" + +[[exemptions.windows-sys]] +version = "0.48.0" +criteria = "safe-to-deploy" + +[[exemptions.windows-targets]] +version = "0.42.2" +criteria = "safe-to-run" + +[[exemptions.windows-targets]] +version = "0.48.5" +criteria = "safe-to-deploy" + +[[exemptions.windows_aarch64_gnullvm]] +version = "0.42.2" +criteria = "safe-to-run" + +[[exemptions.windows_aarch64_gnullvm]] +version = "0.48.5" +criteria = "safe-to-deploy" + +[[exemptions.windows_aarch64_msvc]] +version = "0.42.2" +criteria = "safe-to-run" + +[[exemptions.windows_aarch64_msvc]] +version = "0.48.5" +criteria = "safe-to-deploy" + +[[exemptions.windows_i686_gnu]] +version = "0.42.2" +criteria = "safe-to-run" + +[[exemptions.windows_i686_gnu]] +version = "0.48.5" +criteria = "safe-to-deploy" + +[[exemptions.windows_i686_msvc]] +version = "0.42.2" +criteria = "safe-to-run" + +[[exemptions.windows_i686_msvc]] +version = "0.48.5" +criteria = "safe-to-deploy" + +[[exemptions.windows_x86_64_gnu]] +version = "0.42.2" +criteria = "safe-to-run" + +[[exemptions.windows_x86_64_gnu]] +version = "0.48.5" +criteria = "safe-to-deploy" + +[[exemptions.windows_x86_64_gnullvm]] +version = "0.42.2" +criteria = "safe-to-run" + +[[exemptions.windows_x86_64_gnullvm]] +version = "0.48.5" +criteria = "safe-to-deploy" + +[[exemptions.windows_x86_64_msvc]] +version = "0.42.2" +criteria = "safe-to-run" + +[[exemptions.windows_x86_64_msvc]] +version = "0.48.5" +criteria = "safe-to-deploy" + +[[exemptions.yaml-rust]] +version = "0.4.5" +criteria = "safe-to-run" + +[[exemptions.zeroize]] +version = "1.6.0" +criteria = "safe-to-deploy" + +[[exemptions.zeroize_derive]] +version = "1.4.2" +criteria = "safe-to-deploy" diff --git a/supply-chain/imports.lock b/supply-chain/imports.lock new file mode 100644 index 0000000..164bc5c --- /dev/null +++ b/supply-chain/imports.lock 
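Review bot: The `[[exemptions.*]]` entries are the real trust statement of this file, and they accept every dependency — including the cryptographic crates the FROST ciphersuites rest on (`curve25519-dalek`, `ed448-goldilocks`, `k256`, `p256`, `crypto-bigint`, `sha2`, `sha3`, `getrandom`, `rand_core`, `zeroize`) — as `safe-to-deploy` with no audit and no comment saying this is a one-time baseline. Because an exemption satisfies `cargo vet` exactly like an audit does, a passing check will read as "reviewed" to anyone who does not open this file; I would put a comment above `[[exemptions.aho-corasick]]`: `# Exemptions are unaudited crates accepted as a baseline when cargo vet was adopted; they pass the check without review.` / `# Burn them down over time (cryptographic crates first) with audits or imports, then run `cargo vet prune`.` The `[policy.frost-*]` tables set `audit-as-crates-io = true` while `[[exemptions.frost-*]]` exempts the same crates at 0.7.0, so the workspace's own published crates are self-exempted rather than recorded as self-audited in audits.toml, which is what that policy is presumably meant to require. The `[imports.*]` URLs track `main`/`master` branches and are only pinned by the new imports.lock, so if CI runs `cargo vet` it should do so with `--locked` so a change in an upstream audit set cannot silently widen trust.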
@@ -0,0 +1,233 @@
+
+# cargo-vet imports lock
+
+[[audits.google.audits.cfg-if]]
+who = "George Burgess IV "
+criteria = "safe-to-deploy"
+version = "1.0.0"
+aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
+
+[[audits.google.audits.console]]
+who = "George Burgess IV "
+criteria = "safe-to-run"
+version = "0.15.5"
+aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
+
+[[audits.google.audits.console]]
+who = "George Burgess IV "
+criteria = "safe-to-run"
+delta = "0.15.5 -> 0.15.7"
+aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
+
+[[audits.google.audits.document-features]]
+who = "George Burgess IV "
+criteria = "safe-to-deploy"
+version = "0.2.7"
+aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
+
+[[audits.google.audits.fastrand]]
+who = "George Burgess IV "
+criteria = "safe-to-deploy"
+version = "1.9.0"
+notes = """
+`does-not-implement-crypto` is certified because this crate explicitly says
+that the RNG here is not cryptographically secure.
+"""
+aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
+
+[[audits.google.audits.version_check]]
+who = "George Burgess IV "
+criteria = "safe-to-deploy"
+version = "0.9.4"
+aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
+
+[[audits.mozilla.audits.autocfg]]
+who = "Josh Stone "
+criteria = "safe-to-deploy"
+version = "1.1.0"
+notes = "All code written or reviewed by Josh Stone."
+aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
+
+[[audits.mozilla.audits.bit-set]]
+who = "Aria Beingessner "
+criteria = "safe-to-deploy"
+version = "0.5.2"
+notes = "Another crate I own via contain-rs that is ancient and maintenance mode, no known issues."
+aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
+
+[[audits.mozilla.audits.bit-set]]
+who = "Mike Hommey "
+criteria = "safe-to-deploy"
+delta = "0.5.2 -> 0.5.3"
+aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
+
+[[audits.mozilla.audits.bit-vec]]
+who = "Aria Beingessner "
+criteria = "safe-to-deploy"
+version = "0.6.3"
+notes = "Another crate I own via contain-rs that is ancient and in maintenance mode but otherwise perfectly fine."
+aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
+
+[[audits.mozilla.audits.either]]
+who = "Nika Layzell "
+criteria = "safe-to-deploy"
+version = "1.6.1"
+notes = """
+Straightforward crate providing the Either enum and trait implementations with
+no unsafe code.
+"""
+aggregated-from = "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml"
+
+[[audits.mozilla.audits.either]]
+who = "Mike Hommey "
+criteria = "safe-to-deploy"
+delta = "1.6.1 -> 1.7.0"
+aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
+
+[[audits.mozilla.audits.either]]
+who = "Mike Hommey "
+criteria = "safe-to-deploy"
+delta = "1.7.0 -> 1.8.0"
+aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
+
+[[audits.mozilla.audits.either]]
+who = "Mike Hommey "
+criteria = "safe-to-deploy"
+delta = "1.8.0 -> 1.8.1"
+aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
+
+[[audits.mozilla.audits.fastrand]]
+who = "Mike Hommey "
+criteria = "safe-to-deploy"
+delta = "1.9.0 -> 2.0.0"
+aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
+
+[[audits.mozilla.audits.fnv]]
+who = "Bobby Holley "
+criteria = "safe-to-deploy"
+version = "1.0.7"
+notes = "Simple hasher implementation with no unsafe code."
+aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
+
+[[audits.mozilla.audits.half]]
+who = "John M. Schanck "
+criteria = "safe-to-deploy"
+version = "1.8.2"
+notes = """
+This crate contains unsafe code for bitwise casts to/from binary16 floating-point
+format. I've reviewed these and found no issues. There are no uses of ambient
+capabilities.
+"""
+aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
+
+[[audits.mozilla.audits.hex]]
+who = "Simon Friedberger "
+criteria = "safe-to-deploy"
+version = "0.4.3"
+aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
+
+[[audits.mozilla.audits.lazy_static]]
+who = "Nika Layzell "
+criteria = "safe-to-deploy"
+version = "1.4.0"
+notes = "I have read over the macros, and audited the unsafe code."
+aggregated-from = "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml"
+
+[[audits.mozilla.audits.linked-hash-map]]
+who = "Aria Beingessner "
+criteria = "safe-to-deploy"
+version = "0.5.4"
+notes = "I own this crate (I am contain-rs) and 0.5.4 passes miri. This code is very old and used by lots of people, so I'm pretty confident in it, even though it's in maintenance-mode and missing some nice-to-have APIs."
+aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
+
+[[audits.mozilla.audits.linked-hash-map]]
+who = "Mike Hommey "
+criteria = "safe-to-run"
+delta = "0.5.4 -> 0.5.6"
+aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
+
+[[audits.mozilla.audits.log]]
+who = "Mike Hommey "
+criteria = "safe-to-deploy"
+version = "0.4.17"
+aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
+
+[[audits.mozilla.audits.log]]
+who = "Jan-Erik Rediger "
+criteria = "safe-to-deploy"
+delta = "0.4.17 -> 0.4.18"
+notes = "One dependency removed, others updated (which we don't rely on), some APIs (which we don't use) changed."
+aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
+
+[[audits.mozilla.audits.subtle]]
+who = "Simon Friedberger "
+criteria = "safe-to-deploy"
+version = "2.5.0"
+notes = "The goal is to provide some constant-time correctness for cryptographic implementations. The approach is reasonable, it is known to be insufficient but this is pointed out in the documentation."
+aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
+
+[[audits.zcash.audits.either]]
+who = "Jack Grigg "
+criteria = "safe-to-deploy"
+delta = "1.8.1 -> 1.9.0"
+aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
+
+[[audits.zcash.audits.log]]
+who = "Jack Grigg "
+criteria = "safe-to-deploy"
+delta = "0.4.18 -> 0.4.19"
+aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
+
+[[audits.zcash.audits.log]]
+who = "Jack Grigg "
+criteria = "safe-to-deploy"
+delta = "0.4.19 -> 0.4.20"
+aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
+
+[[audits.zcash.audits.platforms]]
+who = "Daira Emma Hopwood "
+criteria = "safe-to-deploy"
+version = "3.0.2"
+notes = """
+This crate uses `#![forbid(unsafe_code)]` and its build script is safe. It only \"provides programmatic access to
+information about valid Rust platforms, sourced from the Rust compiler\"; it does not attempt any detection that
+would require unsafety.
+"""
+aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
+
+[[audits.zcash.audits.platforms]]
+who = "Jack Grigg "
+criteria = "safe-to-deploy"
+delta = "3.0.2 -> 3.1.2"
+aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
+
+[[audits.zcash.audits.rand_xorshift]]
+who = "Sean Bowe "
+criteria = "safe-to-deploy"
+version = "0.3.0"
+aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
+
+[[audits.zcash.audits.rustc_version]]
+who = "Jack Grigg "
+criteria = "safe-to-deploy"
+version = "0.4.0"
+notes = """
+Most of the crate is code to parse and validate the output of `rustc -vV`. The caller can
+choose which `rustc` to use, or can use `rustc_version::{version, version_meta}` which will
+try `$RUSTC` followed by `rustc`.
+
+If an adversary can arbitrarily set the `$RUSTC` environment variable then this crate will
+execute arbitrary code. But when this crate is used within a build script, `$RUSTC` should
+be set correctly by `cargo`.
+"""
+aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
+
+[[audits.zcash.audits.signature]]
+who = "Daira Emma Hopwood "
+criteria = "safe-to-deploy"
+version = "2.1.0"
+notes = """
+This crate uses `#![forbid(unsafe_code)]`, has no build script, and only provides traits with some trivial default implementations.
+I did not review whether implementing these APIs would present any undocumented cryptographic hazards.
+"""
+aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"