Import Rust crate audits from the Bytecode Alliance

Jack Grigg 2024-04-23 00:02:25 +00:00
parent d99edccaa3
commit 03627b1de5
2 changed files with 315 additions and 76 deletions


@ -4,6 +4,9 @@
[cargo-vet]
version = "0.9"
[imports.bytecode-alliance]
url = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml"
[imports.google]
url = "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml"
@ -59,10 +62,6 @@ audit-as-crates-io = true
version = "0.21.0"
criteria = "safe-to-deploy"
[[exemptions.adler]]
version = "1.0.2"
criteria = "safe-to-deploy"
[[exemptions.aead]]
version = "0.5.2"
criteria = "safe-to-deploy"
@ -83,18 +82,10 @@ criteria = "safe-to-deploy"
version = "0.2.16"
criteria = "safe-to-deploy"
[[exemptions.anes]]
version = "0.1.6"
criteria = "safe-to-run"
[[exemptions.anyhow]]
version = "1.0.75"
criteria = "safe-to-deploy"
[[exemptions.arrayref]]
version = "0.3.7"
criteria = "safe-to-deploy"
[[exemptions.arrayvec]]
version = "0.7.4"
criteria = "safe-to-deploy"
@ -119,10 +110,6 @@ criteria = "safe-to-deploy"
version = "0.3.69"
criteria = "safe-to-deploy"
[[exemptions.base64]]
version = "0.21.5"
criteria = "safe-to-deploy"
[[exemptions.base64ct]]
version = "1.0.1"
criteria = "safe-to-deploy"
@ -143,10 +130,6 @@ criteria = "safe-to-deploy"
version = "1.3.2"
criteria = "safe-to-deploy"
[[exemptions.bitflags]]
version = "2.4.1"
criteria = "safe-to-deploy"
[[exemptions.bitvec]]
version = "1.0.1"
criteria = "safe-to-deploy"
@ -159,10 +142,6 @@ criteria = "safe-to-deploy"
version = "1.0.1"
criteria = "safe-to-deploy"
[[exemptions.block-buffer]]
version = "0.10.4"
criteria = "safe-to-deploy"
[[exemptions.bls12_381]]
version = "0.8.0"
criteria = "safe-to-deploy"
@ -171,10 +150,6 @@ criteria = "safe-to-deploy"
version = "0.5.0"
criteria = "safe-to-deploy"
[[exemptions.bumpalo]]
version = "3.14.0"
criteria = "safe-to-deploy"
[[exemptions.bytemuck]]
version = "1.14.0"
criteria = "safe-to-run"
@ -195,10 +170,6 @@ criteria = "safe-to-run"
version = "0.1.2"
criteria = "safe-to-deploy"
[[exemptions.cc]]
version = "1.0.83"
criteria = "safe-to-deploy"
[[exemptions.chacha20]]
version = "0.9.1"
criteria = "safe-to-deploy"
@ -227,10 +198,6 @@ criteria = "safe-to-deploy"
version = "3.2.25"
criteria = "safe-to-run"
[[exemptions.constant_time_eq]]
version = "0.2.6"
criteria = "safe-to-deploy"
[[exemptions.cpp_demangle]]
version = "0.4.3"
criteria = "safe-to-run"
@ -263,10 +230,6 @@ criteria = "safe-to-deploy"
version = "0.8.16"
criteria = "safe-to-deploy"
[[exemptions.crypto-common]]
version = "0.1.6"
criteria = "safe-to-deploy"
[[exemptions.daggy]]
version = "0.8.0"
criteria = "safe-to-deploy"
@ -311,14 +274,6 @@ criteria = "safe-to-deploy"
version = "2.0.0"
criteria = "safe-to-deploy"
[[exemptions.futures-channel]]
version = "0.3.29"
criteria = "safe-to-deploy"
[[exemptions.futures-core]]
version = "0.3.29"
criteria = "safe-to-deploy"
[[exemptions.futures-macro]]
version = "0.3.29"
criteria = "safe-to-deploy"
@ -483,10 +438,6 @@ criteria = "safe-to-deploy"
version = "0.2.1"
criteria = "safe-to-deploy"
[[exemptions.miniz_oxide]]
version = "0.7.1"
criteria = "safe-to-deploy"
[[exemptions.minreq]]
version = "2.11.0"
criteria = "safe-to-deploy"
@ -547,10 +498,6 @@ criteria = "safe-to-deploy"
version = "0.10.1"
criteria = "safe-to-deploy"
[[exemptions.percent-encoding]]
version = "2.3.0"
criteria = "safe-to-deploy"
[[exemptions.petgraph]]
version = "0.6.4"
criteria = "safe-to-deploy"
@ -563,10 +510,6 @@ criteria = "safe-to-deploy"
version = "1.1.3"
criteria = "safe-to-deploy"
[[exemptions.pin-utils]]
version = "0.1.0"
criteria = "safe-to-deploy"
[[exemptions.pkg-config]]
version = "0.3.27"
criteria = "safe-to-deploy"
@ -679,10 +622,6 @@ criteria = "safe-to-deploy"
version = "0.29.0"
criteria = "safe-to-deploy"
[[exemptions.rustc-demangle]]
version = "0.1.23"
criteria = "safe-to-deploy"
[[exemptions.rustix]]
version = "0.38.21"
criteria = "safe-to-deploy"
@ -859,10 +798,6 @@ criteria = "safe-to-deploy"
version = "0.1.32"
criteria = "safe-to-deploy"
[[exemptions.try-lock]]
version = "0.2.4"
criteria = "safe-to-deploy"
[[exemptions.typenum]]
version = "1.17.0"
criteria = "safe-to-deploy"
@ -883,10 +818,6 @@ criteria = "safe-to-deploy"
version = "1.5.0"
criteria = "safe-to-deploy"
[[exemptions.vcpkg]]
version = "0.2.15"
criteria = "safe-to-deploy"
[[exemptions.wait-timeout]]
version = "0.2.0"
criteria = "safe-to-deploy"
@ -895,10 +826,6 @@ criteria = "safe-to-deploy"
version = "2.4.0"
criteria = "safe-to-run"
[[exemptions.want]]
version = "0.3.1"
criteria = "safe-to-deploy"
[[exemptions.wasi]]
version = "0.11.0+wasi-snapshot-preview1"
criteria = "safe-to-deploy"
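Review bot: The dropped `[[exemptions.bumpalo]]` entry (version 3.14.0) appears to be covered only by the imported Bytecode Alliance wildcard audit for publisher user-id 696, which certifies the publisher's releases between 2019-03-16 and 2024-03-10 rather than the crate's code, so it rests on a different trust basis than the other exemptions removed here, which chain through per-version and delta audits. The new `[imports.bytecode-alliance]` entry, like the existing google import, records no rationale for trusting that repository's `main` branch, whose maintainers can now publish audits that satisfy this project's safe-to-deploy checks. A short comment above the import stating why the source is trusted and how its changes are reviewed would help, e.g. `# Audits maintained by the Bytecode Alliance (wasmtime); review the imports.lock diff whenever it changes`. Note also that the bumpalo wildcard window ends 2024-03-10, so any later bumpalo release will need a fresh audit or exemption rather than being covered automatically.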


@ -1,6 +1,13 @@
# cargo-vet imports lock
[[publisher.bumpalo]]
version = "3.14.0"
when = "2023-09-14"
user-id = 696
user-login = "fitzgen"
user-name = "Nick Fitzgerald"
[[publisher.equihash]]
version = "0.2.0"
when = "2022-06-24"
@ -218,6 +225,145 @@ user-id = 169181
user-login = "nuttycom"
user-name = "Kris Nuttycombe"
[[audits.bytecode-alliance.wildcard-audits.bumpalo]]
who = "Nick Fitzgerald <fitzgen@gmail.com>"
criteria = "safe-to-deploy"
user-id = 696 # Nick Fitzgerald (fitzgen)
start = "2019-03-16"
end = "2024-03-10"
[[audits.bytecode-alliance.audits.adler]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "1.0.2"
notes = "This is a small crate which forbids unsafe code and is a straightforward implementation of the adler hashing algorithm."
[[audits.bytecode-alliance.audits.anes]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
version = "0.1.6"
notes = "Contains no unsafe code, no IO, no build.rs."
[[audits.bytecode-alliance.audits.arrayref]]
who = "Nick Fitzgerald <fitzgen@gmail.com>"
criteria = "safe-to-deploy"
version = "0.3.6"
notes = """
Unsafe code, but its logic looks good to me. Necessary given what it is
doing. Well tested, has quickchecks.
"""
[[audits.bytecode-alliance.audits.base64]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
version = "0.21.0"
notes = "This crate has no dependencies, no build.rs, and contains no unsafe code."
[[audits.bytecode-alliance.audits.bitflags]]
who = "Jamey Sharp <jsharp@fastly.com>"
criteria = "safe-to-deploy"
delta = "2.1.0 -> 2.2.1"
notes = """
This version adds unsafe impls of traits from the bytemuck crate when built
with that library enabled, but I believe the impls satisfy the documented
safety requirements for bytemuck. The other changes are minor.
"""
[[audits.bytecode-alliance.audits.bitflags]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
delta = "2.3.2 -> 2.3.3"
notes = """
Nothing outside the realm of what one would expect from a bitflags generator,
all as expected.
"""
[[audits.bytecode-alliance.audits.block-buffer]]
who = "Benjamin Bouvier <public@benj.me>"
criteria = "safe-to-deploy"
delta = "0.9.0 -> 0.10.2"
[[audits.bytecode-alliance.audits.cc]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "1.0.73"
notes = "I am the author of this crate."
[[audits.bytecode-alliance.audits.constant_time_eq]]
who = "Nick Fitzgerald <fitzgen@gmail.com>"
criteria = "safe-to-deploy"
version = "0.2.4"
notes = "A few tiny blocks of `unsafe` but each of them is very obviously correct."
[[audits.bytecode-alliance.audits.crypto-common]]
who = "Benjamin Bouvier <public@benj.me>"
criteria = "safe-to-deploy"
version = "0.1.3"
[[audits.bytecode-alliance.audits.futures-channel]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
version = "0.3.27"
notes = "build.rs is just detecting the target and setting cfg. unsafety is for implementing a concurrency primitives using atomics and unsafecell, and is not obviously incorrect (this is the sort of thing I wouldn't certify as correct without formal methods)"
[[audits.bytecode-alliance.audits.futures-core]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
version = "0.3.27"
notes = "Unsafe used to implement a concurrency primitive AtomicWaker. Well-commented and not obviously incorrect. Like my other audits of these concurrency primitives inside the futures family, I couldn't certify that it is correct without formal methods, but that is out of scope for this vetting."
[[audits.bytecode-alliance.audits.miniz_oxide]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.7.1"
notes = """
This crate is a Rust implementation of zlib compression/decompression and has
been used by default by the Rust standard library for quite some time. It's also
a default dependency of the popular `backtrace` crate for decompressing debug
information. This crate forbids unsafe code and does not otherwise access system
resources. It's originally a port of the `miniz.c` library as well, and given
its own longevity should be relatively hardened against some of the more common
compression-related issues.
"""
[[audits.bytecode-alliance.audits.percent-encoding]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "2.2.0"
notes = """
This crate is a single-file crate that does what it says on the tin. There are
a few `unsafe` blocks related to utf-8 validation which are locally verifiable
as correct and otherwise this crate is good to go.
"""
[[audits.bytecode-alliance.audits.pin-utils]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
version = "0.1.0"
[[audits.bytecode-alliance.audits.rustc-demangle]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
version = "0.1.21"
notes = "I am the author of this crate."
[[audits.bytecode-alliance.audits.try-lock]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
version = "0.2.4"
notes = "Implements a concurrency primitive with atomics, and is not obviously incorrect"
[[audits.bytecode-alliance.audits.vcpkg]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
version = "0.2.15"
notes = "no build.rs, no macros, no unsafe. It reads the filesystem and makes copies of DLLs into OUT_DIR."
[[audits.bytecode-alliance.audits.want]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
version = "0.3.0"
[[audits.google.audits.async-stream]]
who = "Tyler Mandry <tmandry@google.com>"
criteria = "safe-to-deploy"
@ -525,6 +671,26 @@ Previously reviewed during security review and the audit is grandparented in.
"""
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
[[audits.isrg.audits.base64]]
who = "Tim Geoghegan <timg@letsencrypt.org>"
criteria = "safe-to-deploy"
delta = "0.21.0 -> 0.21.1"
[[audits.isrg.audits.base64]]
who = "Brandon Pitman <bran@bran.land>"
criteria = "safe-to-deploy"
delta = "0.21.1 -> 0.21.2"
[[audits.isrg.audits.base64]]
who = "David Cook <dcook@divviup.org>"
criteria = "safe-to-deploy"
delta = "0.21.2 -> 0.21.3"
[[audits.isrg.audits.block-buffer]]
who = "David Cook <dcook@divviup.org>"
criteria = "safe-to-deploy"
version = "0.9.0"
[[audits.isrg.audits.crunchy]]
who = "David Cook <dcook@divviup.org>"
criteria = "safe-to-deploy"
@ -636,6 +802,62 @@ version = "0.6.3"
notes = "Another crate I own via contain-rs that is ancient and in maintenance mode but otherwise perfectly fine."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.bitflags]]
who = "Alex Franchuk <afranchuk@mozilla.com>"
criteria = "safe-to-deploy"
delta = "1.3.2 -> 2.0.2"
notes = "Removal of some unsafe code/methods. No changes to externals, just some refactoring (mostly internal)."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.bitflags]]
who = "Nicolas Silva <nical@fastmail.com>"
criteria = "safe-to-deploy"
delta = "2.0.2 -> 2.1.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.bitflags]]
who = "Teodor Tanasoaia <ttanasoaia@mozilla.com>"
criteria = "safe-to-deploy"
delta = "2.2.1 -> 2.3.2"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.bitflags]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "2.3.3 -> 2.4.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.bitflags]]
who = "Jan-Erik Rediger <jrediger@mozilla.com>"
criteria = "safe-to-deploy"
delta = "2.4.0 -> 2.4.1"
notes = "Only allowing new clippy lints"
aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
[[audits.mozilla.audits.block-buffer]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.10.2 -> 0.10.3"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.cc]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "1.0.73 -> 1.0.78"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.cc]]
who = "Jan-Erik Rediger <jrediger@mozilla.com>"
criteria = "safe-to-deploy"
delta = "1.0.78 -> 1.0.83"
aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml"
[[audits.mozilla.audits.crypto-common]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.1.3 -> 0.1.6"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.debugid]]
who = "Gabriele Svelto <gsvelto@mozilla.com>"
criteria = "safe-to-deploy"
@ -690,6 +912,18 @@ version = "1.0.7"
notes = "Simple hasher implementation with no unsafe code."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.futures-channel]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.3.27 -> 0.3.28"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.futures-core]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.3.27 -> 0.3.28"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.half]]
who = "John M. Schanck <jschanck@mozilla.com>"
criteria = "safe-to-deploy"
@ -768,6 +1002,12 @@ version = "0.2.15"
notes = "All code written or reviewed by Josh Stone."
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.percent-encoding]]
who = "Valentin Gosu <valentin.gosu@gmail.com>"
criteria = "safe-to-deploy"
delta = "2.2.0 -> 2.3.0"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.rand_core]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
@ -867,6 +1107,44 @@ criteria = "safe-to-deploy"
delta = "0.2.6 -> 0.2.10"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.zcash.audits.arrayref]]
who = "Sean Bowe <ewillbefull@gmail.com>"
criteria = "safe-to-deploy"
delta = "0.3.6 -> 0.3.7"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
[[audits.zcash.audits.base64]]
who = "Jack Grigg <jack@electriccoin.co>"
criteria = "safe-to-deploy"
delta = "0.21.3 -> 0.21.4"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
[[audits.zcash.audits.base64]]
who = "Jack Grigg <jack@electriccoin.co>"
criteria = "safe-to-deploy"
delta = "0.21.4 -> 0.21.5"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
[[audits.zcash.audits.block-buffer]]
who = "Jack Grigg <jack@electriccoin.co>"
criteria = "safe-to-deploy"
delta = "0.10.3 -> 0.10.4"
notes = "Adds panics to prevent a block size of zero from causing unsoundness."
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
[[audits.zcash.audits.constant_time_eq]]
who = "Jack Grigg <jack@electriccoin.co>"
criteria = "safe-to-deploy"
delta = "0.2.4 -> 0.2.5"
notes = "No code changes."
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
[[audits.zcash.audits.constant_time_eq]]
who = "Jack Grigg <jack@electriccoin.co>"
criteria = "safe-to-deploy"
delta = "0.2.5 -> 0.2.6"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
[[audits.zcash.audits.either]]
who = "Jack Grigg <jack@electriccoin.co>"
criteria = "safe-to-deploy"
@ -879,6 +1157,18 @@ criteria = "safe-to-deploy"
delta = "2.0.0 -> 2.0.1"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
[[audits.zcash.audits.futures-channel]]
who = "Jack Grigg <jack@electriccoin.co>"
criteria = "safe-to-deploy"
delta = "0.3.28 -> 0.3.29"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
[[audits.zcash.audits.futures-core]]
who = "Jack Grigg <jack@electriccoin.co>"
criteria = "safe-to-deploy"
delta = "0.3.28 -> 0.3.29"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
[[audits.zcash.audits.inout]]
who = "Daira Hopwood <daira@jacaranda.org>"
criteria = "safe-to-deploy"
@ -959,6 +1249,18 @@ criteria = "safe-to-deploy"
delta = "0.7.5 -> 0.8.2"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
[[audits.zcash.audits.rustc-demangle]]
who = "Sean Bowe <ewillbefull@gmail.com>"
criteria = "safe-to-deploy"
delta = "0.1.21 -> 0.1.22"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
[[audits.zcash.audits.rustc-demangle]]
who = "Jack Grigg <jack@electriccoin.co>"
criteria = "safe-to-deploy"
delta = "0.1.22 -> 0.1.23"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
[[audits.zcash.audits.tinyvec_macros]]
who = "Jack Grigg <jack@z.cash>"
criteria = "safe-to-deploy"
@ -1014,3 +1316,13 @@ who = "Sean Bowe <ewillbefull@gmail.com>"
criteria = "safe-to-deploy"
version = "0.2.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
[[audits.zcash.audits.want]]
who = "Jack Grigg <jack@electriccoin.co>"
criteria = "safe-to-deploy"
delta = "0.3.0 -> 0.3.1"
notes = """
Migrates to `try-lock 0.2.4` to replace some unsafe APIs that were not marked
`unsafe` (but that were being used safely).
"""
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"