qa: Import Rust crate audits from the Bytecode Alliance

Jack Grigg 2023-01-10 14:56:06 +00:00
parent 3ed999c397
commit ea9dab68e4
2 changed files with 170 additions and 40 deletions


@ -1,6 +1,9 @@
# cargo-vet config file
[imports.bytecode-alliance]
url = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml"
[imports.firefox]
url = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
@ -66,14 +69,6 @@ criteria = "safe-to-deploy"
version = "0.3.6"
criteria = "safe-to-deploy"
[[exemptions.arrayvec]]
version = "0.7.2"
criteria = "safe-to-deploy"
[[exemptions.backtrace]]
version = "0.3.66"
criteria = "safe-to-deploy"
[[exemptions.base64ct]]
version = "1.0.1"
criteria = "safe-to-deploy"
@ -110,10 +105,6 @@ criteria = "safe-to-deploy"
version = "0.9.0"
criteria = "safe-to-deploy"
[[exemptions.block-buffer]]
version = "0.10.3"
criteria = "safe-to-deploy"
[[exemptions.block-modes]]
version = "0.8.1"
criteria = "safe-to-deploy"
@ -146,18 +137,10 @@ criteria = "safe-to-deploy"
version = "1.2.1"
criteria = "safe-to-deploy"
[[exemptions.cc]]
version = "1.0.73"
criteria = "safe-to-deploy"
[[exemptions.cfg-if]]
version = "0.1.10"
criteria = "safe-to-deploy"
[[exemptions.cfg-if]]
version = "1.0.0"
criteria = "safe-to-deploy"
[[exemptions.chacha20]]
version = "0.8.1"
criteria = "safe-to-deploy"
@ -202,10 +185,6 @@ criteria = "safe-to-deploy"
version = "0.2.2"
criteria = "safe-to-deploy"
[[exemptions.crypto-common]]
version = "0.1.3"
criteria = "safe-to-deploy"
[[exemptions.crypto-mac]]
version = "0.11.1"
criteria = "safe-to-deploy"
@ -642,10 +621,6 @@ criteria = "safe-to-deploy"
version = "0.1.3"
criteria = "safe-to-deploy"
[[exemptions.rustc-demangle]]
version = "0.1.21"
criteria = "safe-to-deploy"
[[exemptions.rustc-hex]]
version = "2.1.0"
criteria = "safe-to-deploy"
@ -750,14 +725,6 @@ criteria = "safe-to-deploy"
version = "0.2.4"
criteria = "safe-to-deploy"
[[exemptions.tinyvec]]
version = "1.6.0"
criteria = "safe-to-deploy"
[[exemptions.tinyvec_macros]]
version = "0.1.0"
criteria = "safe-to-deploy"
[[exemptions.tokio]]
version = "1.21.2"
criteria = "safe-to-deploy"
@ -806,10 +773,6 @@ criteria = "safe-to-deploy"
version = "1.0.5"
criteria = "safe-to-deploy"
[[exemptions.unicode-normalization]]
version = "0.1.22"
criteria = "safe-to-deploy"
[[exemptions.unicode-xid]]
version = "0.2.4"
criteria = "safe-to-deploy"
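Review bot: Several of the exemptions dropped in this file are for versions that the newly imported Bytecode Alliance audits do not themselves cover: `unicode-normalization` 0.1.22 is removed while the import audits 0.1.19, `block-buffer` 0.10.3 while the import's delta ends at 0.10.2, and `cfg-if` 0.1.10 while the import audits 1.0.0. These gaps are presumably bridged by delta audits in the `firefox` import, whose imports.lock entries begin only at the very end of this page and are not visible here, so it is worth confirming with a clean `cargo vet` run rather than assuming the chain is complete. The new `[imports.bytecode-alliance]` entry also widens the project's trust root to every auditor listed in that upstream file and fetches from a mutable `main` branch, with the pinned copy in imports.lock being the actual control; a short comment above the entry stating that, e.g. `# Third-party audits; the trusted copy is pinned in imports.lock, so review that file's diff whenever imports are regenerated`, would make the trust decision explicit for future maintainers.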


@ -1,6 +1,173 @@
# cargo-vet imports lock
[[audits.bytecode-alliance.audits.anyhow]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
delta = "1.0.62 -> 1.0.66"
notes = """
This update looks to be related to minor fixes and mostly integrating with a
nightly feature in the standard library for backtrace integration. No undue
`unsafe` is added and nothing unsurprising for the `anyhow` crate is happening
here.
"""
[[audits.bytecode-alliance.audits.arrayvec]]
who = "Nick Fitzgerald <fitzgen@gmail.com>"
criteria = "safe-to-deploy"
version = "0.7.2"
notes = """
Well documented invariants, good assertions for those invariants in unsafe code,
and tested with MIRI to boot. LGTM.
"""
[[audits.bytecode-alliance.audits.backtrace]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.3.66"
notes = "I am the author of this crate."
[[audits.bytecode-alliance.audits.block-buffer]]
who = "Benjamin Bouvier <public@benj.me>"
criteria = "safe-to-deploy"
delta = "0.9.0 -> 0.10.2"
[[audits.bytecode-alliance.audits.bumpalo]]
who = "Nick Fitzgerald <fitzgen@gmail.com>"
criteria = "safe-to-deploy"
version = "3.9.1"
notes = "I am the author of this crate."
[[audits.bytecode-alliance.audits.bumpalo]]
who = "Nick Fitzgerald <fitzgen@gmail.com>"
criteria = "safe-to-deploy"
version = "3.11.1"
notes = "I am the author of this crate."
[[audits.bytecode-alliance.audits.cc]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "1.0.73"
notes = "I am the author of this crate."
[[audits.bytecode-alliance.audits.cfg-if]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "1.0.0"
notes = "I am the author of this crate."
[[audits.bytecode-alliance.audits.crypto-common]]
who = "Benjamin Bouvier <public@benj.me>"
criteria = "safe-to-deploy"
version = "0.1.3"
[[audits.bytecode-alliance.audits.digest]]
who = "Benjamin Bouvier <public@benj.me>"
criteria = "safe-to-deploy"
delta = "0.9.0 -> 0.10.3"
[[audits.bytecode-alliance.audits.libm]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
delta = "0.2.2 -> 0.2.4"
notes = """
This diff primarily fixes a few issues with the `fma`-related functions,
but also contains some other minor fixes as well. Everything looks A-OK and
as expected.
"""
[[audits.bytecode-alliance.audits.rustc-demangle]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.1.21"
notes = "I am the author of this crate."
[[audits.bytecode-alliance.audits.sha2]]
who = "Benjamin Bouvier <public@benj.me>"
criteria = "safe-to-deploy"
delta = "0.9.9 -> 0.10.2"
notes = "This upgrade is mostly a code refactor, as far as I can tell. No new uses of unsafe nor any new ambient capabilities usage."
[[audits.bytecode-alliance.audits.spin]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-run"
version = "0.9.4"
notes = """
I've verified the contents of this crate and that while they contain `unsafe`
it's exclusively around implementing atomic primitive where some `unsafe` is to
be expected. Otherwise this crate does not unduly access ambient capabilities
and does what it says on the tin, providing spin-based synchronization
primitives.
"""
[[audits.bytecode-alliance.audits.tinyvec]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "1.6.0"
notes = """
This crate, while it implements collections, does so without `std::*` APIs and
without `unsafe`. Skimming the crate everything looks reasonable and what one
would expect from idiomatic safe collections in Rust.
"""
[[audits.bytecode-alliance.audits.tinyvec_macros]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.1.0"
notes = """
This is a trivial crate which only contains a singular macro definition which is
intended to multiplex across the internal representation of a tinyvec,
presumably. This trivially doesn't contain anything bad.
"""
[[audits.bytecode-alliance.audits.unicode-normalization]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.1.19"
notes = """
This crate contains one usage of `unsafe` which I have manually checked to see
it as correct. This crate's size comes in large part due to the generated
unicode tables that it contains. This crate is additionally widely used
throughout the ecosystem and skimming the crate shows no usage of `std::*` APIs
and nothing suspicious.
"""
[[audits.bytecode-alliance.audits.windows-sys]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-deploy"
version = "0.42.0"
notes = "This is a Windows API bindings library maintained by Microsoft themselves."
[[audits.bytecode-alliance.audits.windows_aarch64_msvc]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-deploy"
version = "0.42.0"
notes = "This is a Windows API bindings library maintained by Microsoft themselves."
[[audits.bytecode-alliance.audits.windows_i686_gnu]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-deploy"
version = "0.42.0"
notes = "This is a Windows API bindings library maintained by Microsoft themselves."
[[audits.bytecode-alliance.audits.windows_i686_msvc]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-deploy"
version = "0.42.0"
notes = "This is a Windows API bindings library maintained by Microsoft themselves."
[[audits.bytecode-alliance.audits.windows_x86_64_gnu]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-deploy"
version = "0.42.0"
notes = "This is a Windows API bindings library maintained by Microsoft themselves."
[[audits.bytecode-alliance.audits.windows_x86_64_msvc]]
who = "Dan Gohman <dev@sunfishcode.online>"
criteria = "safe-to-deploy"
version = "0.42.0"
notes = "This is a Windows API bindings library maintained by Microsoft themselves."
[[audits.firefox.audits.aho-corasick]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"