diff --git a/qa/supply-chain/config.toml b/qa/supply-chain/config.toml
index 6aabef5f4..f9c72688c 100644
--- a/qa/supply-chain/config.toml
+++ b/qa/supply-chain/config.toml
@@ -1,6 +1,9 @@
 # cargo-vet config file
+[imports.bytecode-alliance]
+url = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml"
+
 [imports.firefox]
 url = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
@@ -66,14 +69,6 @@ criteria = "safe-to-deploy"
 version = "0.3.6"
 criteria = "safe-to-deploy"
 
-[[exemptions.arrayvec]]
-version = "0.7.2"
-criteria = "safe-to-deploy"
-
-[[exemptions.backtrace]]
-version = "0.3.66"
-criteria = "safe-to-deploy"
-
 [[exemptions.base64ct]]
 version = "1.0.1"
 criteria = "safe-to-deploy"
@@ -110,10 +105,6 @@ criteria = "safe-to-deploy"
 version = "0.9.0"
 criteria = "safe-to-deploy"
 
-[[exemptions.block-buffer]]
-version = "0.10.3"
-criteria = "safe-to-deploy"
-
 [[exemptions.block-modes]]
 version = "0.8.1"
 criteria = "safe-to-deploy"
@@ -146,18 +137,10 @@ criteria = "safe-to-deploy"
 version = "1.2.1"
 criteria = "safe-to-deploy"
 
-[[exemptions.cc]]
-version = "1.0.73"
-criteria = "safe-to-deploy"
-
 [[exemptions.cfg-if]]
 version = "0.1.10"
 criteria = "safe-to-deploy"
 
-[[exemptions.cfg-if]]
-version = "1.0.0"
-criteria = "safe-to-deploy"
-
 [[exemptions.chacha20]]
 version = "0.8.1"
 criteria = "safe-to-deploy"
@@ -202,10 +185,6 @@ criteria = "safe-to-deploy"
 version = "0.2.2"
 criteria = "safe-to-deploy"
 
-[[exemptions.crypto-common]]
-version = "0.1.3"
-criteria = "safe-to-deploy"
-
 [[exemptions.crypto-mac]]
 version = "0.11.1"
 criteria = "safe-to-deploy"
@@ -642,10 +621,6 @@ criteria = "safe-to-deploy"
 version = "0.1.3"
 criteria = "safe-to-deploy"
 
-[[exemptions.rustc-demangle]]
-version = "0.1.21"
-criteria = "safe-to-deploy"
-
 [[exemptions.rustc-hex]]
 version = "2.1.0"
 criteria = "safe-to-deploy"
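Review bot: The new `[imports.bytecode-alliance]` entry makes a third party's `safe-to-deploy` audits authoritative for this project, fetched from a mutable branch ref (`main`) rather than a fixed revision, and nothing in the hunk records why that source is trusted at the same level as the existing Firefox import. The fetched entries are pinned in imports.lock (this commit adds them there), so later upstream edits surface as a lock update rather than being adopted silently, but the trust decision itself should be written down next to the import, e.g. `# Bytecode Alliance (wasmtime) audits; trusted for safe-to-deploy as of <date placeholder>, reviewed in <ticket placeholder>`. Note also that the imported `spin` audit carries only `safe-to-run`, so it does not certify that crate for deployment. Two exemptions removed elsewhere in this file — `block-buffer 0.10.3` and `unicode-normalization 0.1.22` — are not directly covered by the imported entries (a `0.9.0 -> 0.10.2` delta and a `0.1.19` full audit respectively), so their coverage presumably comes through another import; a `cargo vet` run should confirm that before merge.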
@@ -750,14 +725,6 @@ criteria = "safe-to-deploy"
 version = "0.2.4"
 criteria = "safe-to-deploy"
 
-[[exemptions.tinyvec]]
-version = "1.6.0"
-criteria = "safe-to-deploy"
-
-[[exemptions.tinyvec_macros]]
-version = "0.1.0"
-criteria = "safe-to-deploy"
-
 [[exemptions.tokio]]
 version = "1.21.2"
 criteria = "safe-to-deploy"
@@ -806,10 +773,6 @@ criteria = "safe-to-deploy"
 version = "1.0.5"
 criteria = "safe-to-deploy"
 
-[[exemptions.unicode-normalization]]
-version = "0.1.22"
-criteria = "safe-to-deploy"
-
 [[exemptions.unicode-xid]]
 version = "0.2.4"
 criteria = "safe-to-deploy"
diff --git a/qa/supply-chain/imports.lock b/qa/supply-chain/imports.lock
index eb23a10ca..711f86088 100644
--- a/qa/supply-chain/imports.lock
+++ b/qa/supply-chain/imports.lock
@@ -1,6 +1,173 @@
 # cargo-vet imports lock
+[[audits.bytecode-alliance.audits.anyhow]]
+who = "Alex Crichton "
+criteria = "safe-to-deploy"
+delta = "1.0.62 -> 1.0.66"
+notes = """
+This update looks to be related to minor fixes and mostly integrating with a
+nightly feature in the standard library for backtrace integration. No undue
+`unsafe` is added and nothing unsurprising for the `anyhow` crate is happening
+here.
+"""
+
+[[audits.bytecode-alliance.audits.arrayvec]]
+who = "Nick Fitzgerald "
+criteria = "safe-to-deploy"
+version = "0.7.2"
+notes = """
+Well documented invariants, good assertions for those invariants in unsafe code,
+and tested with MIRI to boot. LGTM.
+"""
+
+[[audits.bytecode-alliance.audits.backtrace]]
+who = "Alex Crichton "
+criteria = "safe-to-deploy"
+version = "0.3.66"
+notes = "I am the author of this crate."
+
+[[audits.bytecode-alliance.audits.block-buffer]]
+who = "Benjamin Bouvier "
+criteria = "safe-to-deploy"
+delta = "0.9.0 -> 0.10.2"
+
+[[audits.bytecode-alliance.audits.bumpalo]]
+who = "Nick Fitzgerald "
+criteria = "safe-to-deploy"
+version = "3.9.1"
+notes = "I am the author of this crate."
+
+[[audits.bytecode-alliance.audits.bumpalo]]
+who = "Nick Fitzgerald "
+criteria = "safe-to-deploy"
+version = "3.11.1"
+notes = "I am the author of this crate."
+
+[[audits.bytecode-alliance.audits.cc]]
+who = "Alex Crichton "
+criteria = "safe-to-deploy"
+version = "1.0.73"
+notes = "I am the author of this crate."
+
+[[audits.bytecode-alliance.audits.cfg-if]]
+who = "Alex Crichton "
+criteria = "safe-to-deploy"
+version = "1.0.0"
+notes = "I am the author of this crate."
+
+[[audits.bytecode-alliance.audits.crypto-common]]
+who = "Benjamin Bouvier "
+criteria = "safe-to-deploy"
+version = "0.1.3"
+
+[[audits.bytecode-alliance.audits.digest]]
+who = "Benjamin Bouvier "
+criteria = "safe-to-deploy"
+delta = "0.9.0 -> 0.10.3"
+
+[[audits.bytecode-alliance.audits.libm]]
+who = "Alex Crichton "
+criteria = "safe-to-deploy"
+delta = "0.2.2 -> 0.2.4"
+notes = """
+This diff primarily fixes a few issues with the `fma`-related functions,
+but also contains some other minor fixes as well. Everything looks A-OK and
+as expected.
+"""
+
+[[audits.bytecode-alliance.audits.rustc-demangle]]
+who = "Alex Crichton "
+criteria = "safe-to-deploy"
+version = "0.1.21"
+notes = "I am the author of this crate."
+
+[[audits.bytecode-alliance.audits.sha2]]
+who = "Benjamin Bouvier "
+criteria = "safe-to-deploy"
+delta = "0.9.9 -> 0.10.2"
+notes = "This upgrade is mostly a code refactor, as far as I can tell. No new uses of unsafe nor any new ambient capabilities usage."
+
+[[audits.bytecode-alliance.audits.spin]]
+who = "Alex Crichton "
+criteria = "safe-to-run"
+version = "0.9.4"
+notes = """
+I've verified the contents of this crate and that while they contain `unsafe`
+it's exclusively around implementing atomic primitive where some `unsafe` is to
+be expected. Otherwise this crate does not unduly access ambient capabilities
+and does what it says on the tin, providing spin-based synchronization
+primitives.
+"""
+
+[[audits.bytecode-alliance.audits.tinyvec]]
+who = "Alex Crichton "
+criteria = "safe-to-deploy"
+version = "1.6.0"
+notes = """
+This crate, while it implements collections, does so without `std::*` APIs and
+without `unsafe`. Skimming the crate everything looks reasonable and what one
+would expect from idiomatic safe collections in Rust.
+"""
+
+[[audits.bytecode-alliance.audits.tinyvec_macros]]
+who = "Alex Crichton "
+criteria = "safe-to-deploy"
+version = "0.1.0"
+notes = """
+This is a trivial crate which only contains a singular macro definition which is
+intended to multiplex across the internal representation of a tinyvec,
+presumably. This trivially doesn't contain anything bad.
+"""
+
+[[audits.bytecode-alliance.audits.unicode-normalization]]
+who = "Alex Crichton "
+criteria = "safe-to-deploy"
+version = "0.1.19"
+notes = """
+This crate contains one usage of `unsafe` which I have manually checked to see
+it as correct. This crate's size comes in large part due to the generated
+unicode tables that it contains. This crate is additionally widely used
+throughout the ecosystem and skimming the crate shows no usage of `std::*` APIs
+and nothing suspicious.
+"""
+
+[[audits.bytecode-alliance.audits.windows-sys]]
+who = "Dan Gohman "
+criteria = "safe-to-deploy"
+version = "0.42.0"
+notes = "This is a Windows API bindings library maintained by Microsoft themselves."
+
+[[audits.bytecode-alliance.audits.windows_aarch64_msvc]]
+who = "Dan Gohman "
+criteria = "safe-to-deploy"
+version = "0.42.0"
+notes = "This is a Windows API bindings library maintained by Microsoft themselves."
+
+[[audits.bytecode-alliance.audits.windows_i686_gnu]]
+who = "Dan Gohman "
+criteria = "safe-to-deploy"
+version = "0.42.0"
+notes = "This is a Windows API bindings library maintained by Microsoft themselves."
+
+[[audits.bytecode-alliance.audits.windows_i686_msvc]]
+who = "Dan Gohman "
+criteria = "safe-to-deploy"
+version = "0.42.0"
+notes = "This is a Windows API bindings library maintained by Microsoft themselves."
+
+[[audits.bytecode-alliance.audits.windows_x86_64_gnu]]
+who = "Dan Gohman "
+criteria = "safe-to-deploy"
+version = "0.42.0"
+notes = "This is a Windows API bindings library maintained by Microsoft themselves."
+
+[[audits.bytecode-alliance.audits.windows_x86_64_msvc]]
+who = "Dan Gohman "
+criteria = "safe-to-deploy"
+version = "0.42.0"
+notes = "This is a Windows API bindings library maintained by Microsoft themselves."
+
 [[audits.firefox.audits.aho-corasick]]
 who = "Mike Hommey "
 criteria = "safe-to-deploy"