zec
/
librustzcash
mirror of https://github.com/zcash/librustzcash.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Add audits and bump some exemptions. 

Signed-off-by: Daira-Emma Hopwood <daira@jacaranda.org>
This commit is contained in:
Daira-Emma Hopwood 2024-05-14 12:39:16 +01:00
parent aa77be8830
commit 39a6b2b4f8
3 changed files with 1311 additions and 180 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

355
supply-chain/audits.toml
View File

@ -7,7 +7,354 @@ description = "The cryptographic code in this crate has been reviewed for correc
[criteria.license-reviewed]
description = "The license of this crate has been reviewed for compatibility with its usage in this repository."
[audits]
[[audits.anyhow]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-deploy"
delta = "1.0.82 -> 1.0.83"
[[audits.async-trait]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-deploy"
delta = "0.1.78 -> 0.1.80"
[[audits.autocfg]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-deploy"
delta = "1.2.0 -> 1.3.0"
[[audits.bytemuck]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-run"
delta = "1.15.0 -> 1.16.0"
[[audits.cc]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-deploy"
delta = "1.0.94 -> 1.0.97"
[[audits.ciborium]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-run"
delta = "0.2.1 -> 0.2.2"
[[audits.ciborium-io]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-run"
delta = "0.2.1 -> 0.2.2"
[[audits.ciborium-ll]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-run"
delta = "0.2.1 -> 0.2.2"
[[audits.errno]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-deploy"
delta = "0.3.8 -> 0.3.9"
[[audits.fastrand]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-deploy"
delta = "2.0.2 -> 2.1.0"
notes = """
As noted in the changelog, this version produces different output for a given seed.
The documentation did not mention stability. It is possible that some uses relying on
determinism across the update would be broken.
The new constants do appear to match WyRand v4.2 (modulo ordering issues that I have not checked):
https://github.com/wangyi-fudan/wyhash/blob/408620b6d12b7d667b3dd6ae39b7929a39e8fa05/wyhash.h#L145
I have no way to check whether these constants are an improvement or not.
"""
[[audits.futures-macro]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-deploy"
delta = "0.3.29 -> 0.3.30"
[[audits.futures-sink]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-deploy"
delta = "0.3.29 -> 0.3.30"
[[audits.h2]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-deploy"
delta = "0.3.21 -> 0.3.26"
[[audits.half]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-run"
delta = "1.8.2 -> 2.2.1"
notes = """
All new uses of unsafe are either just accessing bit representations, or plausibly reasonable uses of intrinsics. I have not checked safety
requirements on the latter.
"""
[[audits.hashbrown]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-deploy"
delta = "0.14.2 -> 0.14.5"
notes = "I did not thoroughly check the safety argument for fold_impl, but it at least seems to be well documented."
[[audits.inferno]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-run"
delta = "0.11.17 -> 0.11.19"
[[audits.is-terminal]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-run"
delta = "0.4.9 -> 0.4.12"
[[audits.js-sys]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-deploy"
delta = "0.3.65 -> 0.3.66"
[[audits.lock_api]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-run"
delta = "0.4.11 -> 0.4.12"
[[audits.minreq]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-deploy"
delta = "2.11.0 -> 2.11.2"
[[audits.num-bigint]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-deploy"
delta = "0.4.4 -> 0.4.5"
notes = "New uses of unsafe look reasonable."
[[audits.parking_lot]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-run"
delta = "0.12.1 -> 0.12.2"
[[audits.parking_lot_core]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-run"
delta = "0.9.9 -> 0.9.10"
[[audits.pin-project-internal]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-deploy"
delta = "1.1.3 -> 1.1.5"
[[audits.pkg-config]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-deploy"
delta = "0.3.29 -> 0.3.30"
[[audits.prettyplease]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-deploy"
delta = "0.2.15 -> 0.2.20"
[[audits.proc-macro2]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-deploy"
delta = "1.0.81 -> 1.0.82"
[[audits.proptest]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-deploy"
delta = "1.3.1 -> 1.4.0"
[[audits.prost]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-deploy"
delta = "0.12.1 -> 0.12.3"
[[audits.prost-build]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-deploy"
delta = "0.12.1 -> 0.12.3"
[[audits.prost-derive]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-deploy"
delta = "0.12.1 -> 0.12.3"
[[audits.prost-types]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-deploy"
delta = "0.12.1 -> 0.12.3"
[[audits.redox_syscall]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-run"
delta = "0.4.1 -> 0.5.1"
notes = "Uses of unsafe look plausible."
[[audits.rustc-demangle]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-deploy"
delta = "0.1.23 -> 0.1.24"
[[audits.rustls]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-deploy"
delta = "0.21.8 -> 0.21.12"
notes = """
A comment in get_sni_extension asks whether the behaviour of parsing an IPv4 or IPv6 address
in a host_name field of a server_name extension, but then ignoring the extension (because
'Literal IPv4 and IPv6 addresses are not permitted in \"HostName\"'), as the server, is
compliant with RFC 6066. As an original author of RFC 3546 which has very similar wording,
I can speak to the intent: yes this is fine. The client is clearly nonconformant in this
case, but the server isn't.
RFC 3546 said \"If the server understood the client hello extension but does not recognize
the server name, it SHOULD send an \"unrecognized_name\" alert (which MAY be fatal).\"
This wording was preserved in RFC 5746, and then updated in RFC 6066 to:
If the server understood the ClientHello extension but
does not recognize the server name, the server SHOULD take one of two
actions: either abort the handshake by sending a fatal-level
unrecognized_name(112) alert or continue the handshake. It is NOT
RECOMMENDED to send a warning-level unrecognized_name(112) alert,
because the client's behavior in response to warning-level alerts is
unpredictable. If there is a mismatch between the server name used
by the client application and the server name of the credential
chosen by the server, this mismatch will become apparent when the
client application performs the server endpoint identification, at
which point the client application will have to decide whether to
proceed with the communication.
To me it's clear that it is reasonable to consider an IP address as a name that the
server does not recognize. And so the server SHOULD *either* send a fatal unrecognized_name
alert, *or* continue the handshake and let the client application decide when it \"performs
the server endpoint identification\". There's no conformance requirement for the server to
take any notice of a host_name that is \"not permitted\". (It would have been clearer to
express this by specifying the allowed client and server behaviour separately, i.e. saying
that the client MUST NOT send an IP address in host_name, and then explicitly specifying
the server behaviour if it does so anyway. That's how I would write it now. But honestly
this extension was one of the most bikeshedded parts of RFC 3546, to a much greater extent
than I'd anticipated, and I was tired.)
"""
[[audits.rustversion]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-deploy"
delta = "1.0.15 -> 1.0.16"
[[audits.rustversion]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-deploy"
delta = "1.0.16 -> 1.0.17"
[[audits.ryu]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-run"
delta = "1.0.17 -> 1.0.18"
[[audits.serde]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-deploy"
delta = "1.0.201 -> 1.0.202"
[[audits.serde_derive]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-deploy"
delta = "1.0.201 -> 1.0.202"
[[audits.serde_json]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-run"
delta = "1.0.116 -> 1.0.117"
[[audits.smallvec]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-deploy"
delta = "1.11.1 -> 1.13.2"
[[audits.socket2]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-deploy"
delta = "0.5.6 -> 0.5.7"
notes = "The new uses of unsafe to access getsockopt/setsockopt look reasonable."
[[audits.syn]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-deploy"
delta = "2.0.60 -> 2.0.63"
[[audits.thiserror]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-deploy"
delta = "1.0.58 -> 1.0.60"
[[audits.thiserror-impl]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-deploy"
delta = "1.0.58 -> 1.0.60"
[[audits.tokio-stream]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-deploy"
delta = "0.1.14 -> 0.1.15"
[[audits.tokio-util]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-deploy"
delta = "0.7.10 -> 0.7.11"
[[audits.tonic]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-deploy"
delta = "0.10.2 -> 0.11.0"
[[audits.tonic-build]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-deploy"
delta = "0.10.2 -> 0.11.0"
[[audits.walkdir]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-run"
delta = "2.4.0 -> 2.5.0"
[[audits.wasm-bindgen-backend]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-deploy"
delta = "0.2.88 -> 0.2.89"
[[audits.wasm-bindgen-macro]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-deploy"
delta = "0.2.88 -> 0.2.89"
[[audits.web-sys]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-deploy"
delta = "0.3.65 -> 0.3.66"
[[audits.webpki-roots]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-deploy"
delta = "0.25.2 -> 0.25.4"
notes = "I have not checked consistency with the Mozilla IncludedCACertificateReportPEMCSV report."
[[audits.winapi-util]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-run"
delta = "0.1.6 -> 0.1.8"
[[audits.zerocopy]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-deploy"
delta = "0.7.32 -> 0.7.34"
[[audits.zerocopy-derive]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-deploy"
delta = "0.7.32 -> 0.7.34"
[[audits.zeroize]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-deploy"
delta = "1.6.0 -> 1.7.0"
[[trusted.equihash]]
criteria = "safe-to-deploy"
@ -111,6 +458,12 @@ user-id = 64539 # Kenny Kerr (kennykerr)
start = "2021-10-28"
end = "2025-04-22"
[[trusted.windows_i686_gnullvm]]
criteria = "safe-to-deploy"
user-id = 64539 # Kenny Kerr (kennykerr)
start = "2024-04-02"
end = "2025-05-15"
[[trusted.windows_i686_msvc]]
criteria = "safe-to-deploy"
user-id = 64539 # Kenny Kerr (kennykerr)

104
supply-chain/config.toml
View File

@ -112,10 +112,6 @@ criteria = "safe-to-deploy"
version = "0.3.69"
criteria = "safe-to-deploy"
[[exemptions.base64ct]]
version = "1.0.1"
criteria = "safe-to-deploy"
[[exemptions.bech32]]
version = "0.9.1"
criteria = "safe-to-deploy"
@ -124,10 +120,6 @@ criteria = "safe-to-deploy"
version = "0.14.0"
criteria = "safe-to-deploy"
[[exemptions.bip0039]]
version = "0.10.1"
criteria = "safe-to-deploy"
[[exemptions.bitflags]]
version = "1.3.2"
criteria = "safe-to-deploy"
@ -152,10 +144,6 @@ criteria = "safe-to-deploy"
version = "0.5.0"
criteria = "safe-to-deploy"
[[exemptions.bytemuck]]
version = "1.14.0"
criteria = "safe-to-run"
[[exemptions.byteorder]]
version = "1.5.0"
criteria = "safe-to-deploy"
@ -229,7 +217,7 @@ version = "0.9.15"
criteria = "safe-to-deploy"
[[exemptions.crossbeam-utils]]
version = "0.8.16"
version = "0.8.19"
criteria = "safe-to-deploy"
[[exemptions.daggy]]
@ -240,10 +228,6 @@ criteria = "safe-to-deploy"
version = "0.10.7"
criteria = "safe-to-deploy"
[[exemptions.errno]]
version = "0.3.6"
criteria = "safe-to-deploy"
[[exemptions.fallible-iterator]]
version = "0.2.0"
criteria = "safe-to-deploy"
@ -301,7 +285,7 @@ version = "0.2.11"
criteria = "safe-to-deploy"
[[exemptions.gimli]]
version = "0.28.0"
version = "0.28.1"
criteria = "safe-to-deploy"
[[exemptions.group]]
@ -369,7 +353,7 @@ version = "1.9.3"
criteria = "safe-to-deploy"
[[exemptions.indexmap]]
version = "2.1.0"
version = "2.2.6"
criteria = "safe-to-deploy"
[[exemptions.inferno]]
@ -377,11 +361,7 @@ version = "0.11.17"
criteria = "safe-to-run"
[[exemptions.itertools]]
version = "0.11.0"
criteria = "safe-to-deploy"
[[exemptions.itoa]]
version = "1.0.9"
version = "0.10.5"
criteria = "safe-to-deploy"
[[exemptions.js-sys]]
@ -393,7 +373,7 @@ version = "0.10.0"
criteria = "safe-to-deploy"
[[exemptions.libc]]
version = "0.2.150"
version = "0.2.154"
criteria = "safe-to-deploy"
[[exemptions.libm]]
@ -405,7 +385,7 @@ version = "0.26.0"
criteria = "safe-to-deploy"
[[exemptions.linux-raw-sys]]
version = "0.4.11"
version = "0.4.12"
criteria = "safe-to-deploy"
[[exemptions.lock_api]]
@ -424,10 +404,6 @@ criteria = "safe-to-deploy"
version = "0.5.10"
criteria = "safe-to-run"
[[exemptions.memoffset]]
version = "0.9.0"
criteria = "safe-to-deploy"
[[exemptions.memuse]]
version = "0.2.1"
criteria = "safe-to-deploy"
@ -445,7 +421,7 @@ version = "2.11.0"
criteria = "safe-to-deploy"
[[exemptions.mio]]
version = "0.8.9"
version = "0.8.10"
criteria = "safe-to-deploy"
[[exemptions.multimap]]
@ -484,34 +460,22 @@ criteria = "safe-to-deploy"
version = "0.9.9"
criteria = "safe-to-run"
[[exemptions.password-hash]]
version = "0.3.2"
criteria = "safe-to-deploy"
[[exemptions.pasta_curves]]
version = "0.5.1"
criteria = "safe-to-deploy"
[[exemptions.pbkdf2]]
version = "0.10.1"
criteria = "safe-to-deploy"
[[exemptions.petgraph]]
version = "0.6.4"
version = "0.6.5"
criteria = "safe-to-deploy"
[[exemptions.pin-project]]
version = "1.1.3"
version = "1.1.5"
criteria = "safe-to-deploy"
[[exemptions.pin-project-internal]]
version = "1.1.3"
criteria = "safe-to-deploy"
[[exemptions.pkg-config]]
version = "0.3.27"
criteria = "safe-to-deploy"
[[exemptions.plotters]]
version = "0.3.5"
criteria = "safe-to-run"
@ -586,7 +550,7 @@ criteria = "safe-to-deploy"
[[exemptions.redox_syscall]]
version = "0.4.1"
criteria = "safe-to-deploy"
criteria = "safe-to-run"
[[exemptions.regex]]
version = "1.10.2"
@ -609,7 +573,7 @@ version = "0.16.20"
criteria = "safe-to-deploy"
[[exemptions.ring]]
version = "0.17.5"
version = "0.17.8"
criteria = "safe-to-deploy"
[[exemptions.ripemd]]
@ -621,7 +585,7 @@ version = "0.29.0"
criteria = "safe-to-deploy"
[[exemptions.rustix]]
version = "0.38.21"
version = "0.38.34"
criteria = "safe-to-deploy"
[[exemptions.rustls]]
@ -648,10 +612,6 @@ criteria = "safe-to-deploy"
version = "0.2.2"
criteria = "safe-to-deploy"
[[exemptions.scopeguard]]
version = "1.2.0"
criteria = "safe-to-deploy"
[[exemptions.sct]]
version = "0.7.1"
criteria = "safe-to-deploy"
@ -668,14 +628,6 @@ criteria = "safe-to-deploy"
version = "0.8.0"
criteria = "safe-to-deploy"
[[exemptions.serde]]
version = "1.0.192"
criteria = "safe-to-deploy"
[[exemptions.serde_derive]]
version = "1.0.192"
criteria = "safe-to-deploy"
[[exemptions.sha2]]
version = "0.10.8"
criteria = "safe-to-deploy"
@ -688,10 +640,6 @@ criteria = "safe-to-deploy"
version = "1.11.1"
criteria = "safe-to-deploy"
[[exemptions.socket2]]
version = "0.4.10"
criteria = "safe-to-deploy"
[[exemptions.socket2]]
version = "0.5.5"
criteria = "safe-to-deploy"
@ -708,10 +656,6 @@ criteria = "safe-to-deploy"
version = "0.1.0"
criteria = "safe-to-run"
[[exemptions.subtle]]
version = "2.4.1"
criteria = "safe-to-deploy"
[[exemptions.symbolic-common]]
version = "10.2.1"
criteria = "safe-to-run"
@ -736,10 +680,6 @@ criteria = "safe-to-deploy"
version = "0.3.23"
criteria = "safe-to-deploy"
[[exemptions.tinytemplate]]
version = "1.2.1"
criteria = "safe-to-run"
[[exemptions.tokio]]
version = "1.35.1"
criteria = "safe-to-deploy"
@ -801,7 +741,7 @@ version = "0.9.0"
criteria = "safe-to-deploy"
[[exemptions.uuid]]
version = "1.5.0"
version = "1.8.0"
criteria = "safe-to-deploy"
[[exemptions.wait-timeout]]
@ -817,7 +757,7 @@ version = "0.11.0+wasi-snapshot-preview1"
criteria = "safe-to-deploy"
[[exemptions.wasm-bindgen]]
version = "0.2.88"
version = "0.2.92"
criteria = "safe-to-deploy"
[[exemptions.wasm-bindgen-backend]]
@ -828,14 +768,6 @@ criteria = "safe-to-deploy"
version = "0.2.88"
criteria = "safe-to-deploy"
[[exemptions.wasm-bindgen-macro-support]]
version = "0.2.88"
criteria = "safe-to-deploy"
[[exemptions.wasm-bindgen-shared]]
version = "0.2.88"
criteria = "safe-to-deploy"
[[exemptions.web-sys]]
version = "0.3.65"
criteria = "safe-to-deploy"
@ -864,14 +796,6 @@ criteria = "safe-to-deploy"
version = "2.5.2"
criteria = "safe-to-deploy"
[[exemptions.zerocopy]]
version = "0.7.25"
criteria = "safe-to-deploy"
[[exemptions.zerocopy-derive]]
version = "0.7.25"
criteria = "safe-to-deploy"
[[exemptions.zeroize]]
version = "1.6.0"
criteria = "safe-to-deploy"

1032
supply-chain/imports.lock
View File

File diff suppressed because it is too large Load Diff