From f27fa210994e42d8353a757abb014afab0351e6f Mon Sep 17 00:00:00 2001
From: Alfredo Garcia
Date: Tue, 1 Nov 2022 23:42:20 -0300
Subject: [PATCH] docs(audit): Add a list of Zebra dependencies for the audit (#5395)

* add a list of dependencies for auditors
* change intro
Co-authored-by: teor
* add zebra-checkpoints to audit
* replace colors in the legend as they don't render in github
* make crypto deps out of the scope
* add a reason to keep rocksdb out of the scope
* add a note of why chrono is out of the scope
* add note for bitvec dep
* move structopt to out of scope
* add zcash_script as partially in scope
* applies suggestion, updates versions, bolds ed25519-zebra
* adds zcash_proofs audit notes
* Splits list of zebra deps into sections for full audits, partial audits, and out of scope.
* Update book/src/dev/zebra-dependencies-for-audit.md
Co-authored-by: teor
* Update book/src/dev/zebra-dependencies-for-audit.md
* Add missing newline
* Update book/src/dev/zebra-dependencies-for-audit.md
Co-authored-by: teor
* updates crate versions
* Update zcash_script to 0.1.8
* Only link to the audit version of each crate or file
* Clarify out of scope versions
* Fix source paths
* Fix zcash_script paths
* Improve formatting
* Update zebra-dependencies-for-audit.md
Co-authored-by: teor
Co-authored-by: arya2
Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>

--- book/src/dev/zebra-dependencies-for-audit.md | 183 +++++++++++++++++++ 1 file changed, 183 insertions(+) create mode 100644 book/src/dev/zebra-dependencies-for-audit.md diff --git a/book/src/dev/zebra-dependencies-for-audit.md b/book/src/dev/zebra-dependencies-for-audit.md new file mode 100644 index 000000000..19a643a2c --- /dev/null +++ b/book/src/dev/zebra-dependencies-for-audit.md 
@@ -0,0 +1,183 @@ +# Zebra dependencies + +This is a list of production Rust code that is in scope and out of scope for Zebra's first audit. + +Test code, deployment configurations, and other configuration files in the `zebra` repository are out of scope. + +--- +## Full Audit + +### Crates + +| Name | Version | Notes +|------| ------- | ----- +| tower-batch | [0.2.32](https://github.com/ZcashFoundation/zebra/tree/v1.0.0-rc.1/tower-batch/src) | +| tower-fallback | [0.2.32](https://github.com/ZcashFoundation/zebra/tree/v1.0.0-rc.1/tower-fallback/src) | +| zebra-chain | [1.0.0-beta.17](https://github.com/ZcashFoundation/zebra/tree/v1.0.0-rc.1/zebra-chain/src) | +| zebra-consensus | [1.0.0-beta.17](https://github.com/ZcashFoundation/zebra/tree/v1.0.0-rc.1/zebra-consensus/src) | +| zebra-network | [1.0.0-beta.17](https://github.com/ZcashFoundation/zebra/tree/v1.0.0-rc.1/zebra-network/src) | +| zebra-node-services | [1.0.0-beta.17](https://github.com/ZcashFoundation/zebra/tree/v1.0.0-rc.1/zebra-node-services/src) | +| zebra-rpc | [1.0.0-beta.17](https://github.com/ZcashFoundation/zebra/tree/v1.0.0-rc.1/zebra-rpc/src) | +| zebra-script | [1.0.0-beta.17](https://github.com/ZcashFoundation/zebra/tree/v1.0.0-rc.1/zebra-script/src) | +| zebra-state | [1.0.0-beta.17](https://github.com/ZcashFoundation/zebra/tree/v1.0.0-rc.1/zebra-state/src) | +| zebrad | [1.0.0-rc.1](https://github.com/ZcashFoundation/zebra/tree/v1.0.0-rc.1/zebrad/src) | + +### Zcash/ZF dependencies + +| Name | Version | Notes +|------| ------- | ----- +| ed25519-zebra | [3.1.0](https://github.com/ZcashFoundation/ed25519-zebra/tree/3.1.0/src) + +--- +## Partial Audit + +### Crates + +| Name | Version | Notes +|------| ------- | ----- +| zebra-utils | 1.0.0-beta.17 | Only the [zebra-checkpoints](https://github.com/ZcashFoundation/zebra/tree/v1.0.0-rc.1/zebra-utils/src/bin/zebra-checkpoints) utility needs to be audited. 
+ +### Zcash/ZF dependencies + +| Name | Version | Audited | Notes +|------| --------|-------- | ----- +| zcash_proofs | 0.8.0 | [qedit](https://hackmd.io/@qedit/zcash-nu5-audit) | Most of `zcash_proofs` got audited as part of the ECC audit, so we only need to audit the proof parameter download code in:
- [downloadreader.rs](https://github.com/zcash/librustzcash/blob/zcash_proofs-0.8.0/zcash_proofs/src/downloadreader.rs),
- [hashreader.rs](https://github.com/zcash/librustzcash/blob/zcash_proofs-0.8.0/zcash_proofs/src/hashreader.rs), and
- [lib.rs](https://github.com/zcash/librustzcash/blob/zcash_proofs-0.8.0/zcash_proofs/src/lib.rs).
+| zcash_script | 0.1.8 || The C++ parts of `zcashd` got audited as part of the ECC audit, so we only need to audit:
- [zcash_script.cpp](https://github.com/ZcashFoundation/zcash_script/blob/v0.1.8/depend/zcash/src/script/zcash_script.cpp),
- [zcash_script.h](https://github.com/ZcashFoundation/zcash_script/blob/v0.1.8/depend/zcash/src/script/zcash_script.h), and
- [the rust code in the zcash_script crate](https://github.com/ZcashFoundation/zcash_script/tree/v0.1.8/src).
+ +--- +## Out of Scope + +The following list of dependencies is out of scope for the audit. + +Please ignore the dependency versions in these tables, some of them are are outdated. All versions of these dependencies are out of scope. + +The latest versions of Zebra's dependencies are in [`Cargo.lock`](https://github.com/ZcashFoundation/zebra/tree/v1.0.0-rc.1/Cargo.lock), including transitive dependencies. They can be viewed using `cargo tree`. + +Click the triangle for details: +
+ +### Zcash/ZF dependencies + +| Name | Version | Audited | Notes +|------| --------|-------- | ----- +| [equihash](https://github.com/zcash/librustzcash) | [0.2.0](https://github.com/zcash/librustzcash/releases/tag/0.2.0) | [qedit](https://hackmd.io/@qedit/zcash-nu5-audit) | +| [halo2_proofs](https://github.com/zcash/halo2) | [0.2.0](https://github.com/zcash/halo2/tree/halo2_proofs-0.2.0) | [qedit](https://hackmd.io/@qedit/zcash-nu5-audit) [mary](https://z.cash/halo2-audit/) | +| [incrementalmerkletree](https://github.com/zcash/incrementalmerkletree) | [0.3.0](https://github.com/zcash/incrementalmerkletree/releases/tag/v0.3.0) | | +| [zcash_encoding](https://github.com/zcash/librustzcash) | [0.1.0](https://github.com/zcash/librustzcash/releases/tag/0.1.0) | [qedit](https://hackmd.io/@qedit/zcash-nu5-audit) | +| [zcash_history](https://github.com/zcash/librustzcash) | 0.3.0 | [qedit](https://hackmd.io/@qedit/zcash-nu5-audit) | +| [zcash_note_encryption](https://github.com/zcash/librustzcash) | [0.1.0](https://github.com/zcash/librustzcash/releases/tag/0.1.0) | [qedit](https://hackmd.io/@qedit/zcash-nu5-audit) | +| [zcash_primitives](https://github.com/zcash/librustzcash) | 0.7.0 | [qedit](https://hackmd.io/@qedit/zcash-nu5-audit) | +| [redjubjub](https://github.com/ZcashFoundation/redjubjub) | [0.5.0](https://github.com/ZcashFoundation/redjubjub/releases/tag/0.5.0) | [jp](https://github.com/ZcashFoundation/redjubjub/raw/main/zcash-frost-audit-report-20210323.pdf) | +| [orchard](https://github.com/zcash/orchard) | [0.2.0](https://github.com/zcash/orchard/releases/tag/0.2.0) | [qedit](https://hackmd.io/@qedit/zcash-nu5-audit) | + +### Cryptography dependencies + +**All crypto dependencies are out of scope of the 1st audit** + +| Name | Version | Audited | Notes +|------| ------- | ------- | ----- +| [aes](https://github.com/RustCrypto/block-ciphers) | 0.7.5 | [audited](https://github.com/RustCrypto/block-ciphers#warnings) | `struct aes::Aes256` +| 
[bech32](https://github.com/rust-bitcoin/rust-bech32) | [0.9.1](https://github.com/rust-bitcoin/rust-bech32/releases/tag/v0.9.1) | no audit, but seems simple enough +| [blake2b_simd](https://github.com/oconnor663/blake2_simd) | [1.0.0](https://github.com/oconnor663/blake2_simd/releases/tag/1.0.0) | no audit, but is widely used +| [blake2s_simd](https://github.com/oconnor663/blake2_simd) | [1.0.0](https://github.com/oconnor663/blake2_simd/releases/tag/1.0.0) | no audit, but is widely used +| [bls12_381](https://github.com/zkcrypto/bls12_381) | [0.7.0](https://github.com/zkcrypto/bls12_381/releases/tag/0.7.0) | no audit, but seems widely used +| [bs58](https://github.com/mycorrhiza/bs58-rs) | [0.4.0](https://github.com/mycorrhiza/bs58-rs/releases/tag/0.4.0) | no audit, but seems simple enough +| [rand](https://github.com/rust-random/rand) | [0.8.5](https://github.com/rust-random/rand/releases/tag/0.8.5) | no audits, but seems widely used +| [rand_core](https://github.com/rust-random/rand) | [0.6.4](https://github.com/rust-random/rand/releases/tag/0.6.4) | no audits, but seems widely used +| [sha2](https://github.com/RustCrypto/hashes) | 0.9.9 | no audits, but seems widely used +| [ripemd](https://github.com/RustCrypto/hashes) | 0.1.3 | no audits, but seems widely used +| [secp256k1](https://github.com/rust-bitcoin/rust-secp256k1/) | 0.21.3 | no audits, but seems widely used +| [subtle](https://github.com/dalek-cryptography/subtle) | [2.4.1](https://github.com/dalek-cryptography/subtle/releases/tag/2.4.1) | no audits, but seems widely used +| [fpe](https://github.com/str4d/fpe) | 0.5.1 | I think it's not being used yet +| [group](https://github.com/zkcrypto/group) | [0.12.0](https://github.com/zkcrypto/group/releases/tag/0.12.0) | no audits but it's just traits, seems widely used +| [x25519-dalek](https://github.com/dalek-cryptography/x25519-dalek) | [1.2.0](https://github.com/dalek-cryptography/x25519-dalek/releases/tag/1.2.0) | no audits, but seems widely used +| 
[jubjub](https://github.com/zkcrypto/jubjub) | [0.9.0](https://github.com/zkcrypto/jubjub/releases/tag/0.9.0) | not sure if were covered by ECC audits. Seem widely used. +| [bellman](https://github.com/zkcrypto/bellman) | 0.13.1 | not sure if were covered by ECC audits. Seem widely used. + +### Async code and services + +| Name | Version | Notes +|------| ------- | ----- +| [futures](https://github.com/rust-lang/futures-rs) | [0.3.24](https://github.com/rust-lang/futures-rs/releases/tag/0.3.24) | +| [futures-core](https://github.com/rust-lang/futures-rs) | [0.3.24](https://github.com/rust-lang/futures-rs/releases/tag/0.3.24) | +| [pin-project](https://github.com/taiki-e/pin-project) | [1.0.12](https://github.com/taiki-e/pin-project/releases/tag/v1.0.12) | +| [rayon](https://github.com/rayon-rs/rayon) | [1.5.3](https://github.com/rayon-rs/rayon/releases/tag/v1.5.3) | +| [tokio](https://github.com/tokio-rs/tokio) | 1.21.2 | +| [tokio-util](https://github.com/tokio-rs/tokio) | 0.7.4 | +| [tower](https://github.com/tower-rs/tower) | 0.4.13 | +| [futures-util](https://github.com/rust-lang/futures-rs) | [0.3.24](https://github.com/rust-lang/futures-rs/releases/tag/0.3.24) | +| [tokio-stream](https://github.com/tokio-rs/tokio) | 0.1.10 | +| [hyper](https://github.com/hyperium/hyper) | [0.14.20](https://github.com/hyperium/hyper/releases/tag/v0.14.20) | +| [jsonrpc-core](https://github.com/paritytech/jsonrpc) | [18.0.0](https://github.com/paritytech/jsonrpc/releases/tag/v18.0.0) | +| jsonrpc-derive | 18.0.0 +| [jsonrpc-http-server](https://github.com/paritytech/jsonrpc) | [18.0.0](https://github.com/paritytech/jsonrpc/releases/tag/v18.0.0) | + +### Types and encoding + +| Name | Version | Notes +|------| ------- | ----- +| [bitflags](https://github.com/bitflags/bitflags) | [1.3.2](https://github.com/bitflags/bitflags/releases/tag/1.3.2) +| [bitvec](https://github.com/bitvecto-rs/bitvec) | 1.0.1 | We use it to build bit vectors, which are used when computing commitments. 
It's important, but does not seem particularly risky. +| [byteorder](https://github.com/BurntSushi/byteorder) | [1.4.3](https://github.com/BurntSushi/byteorder/releases/tag/1.4.3) +| [chrono](https://github.com/chronotope/chrono) | [0.4.22](https://github.com/chronotope/chrono/releases/tag/v0.4.22) | We treat chrono as a time library, and assume it works. It only implements the consensus rule about the local clock. +| [hex](https://github.com/KokaKiwi/rust-hex) | [0.4.3](https://github.com/KokaKiwi/rust-hex/releases/tag/v0.4.3) +| [humantime](https://github.com/tailhook/humantime) | [2.1.0](https://github.com/tailhook/humantime/releases/tag/v2.1.0) +| [itertools](https://github.com/rust-itertools/itertools) | 0.10.5 +| [serde](https://github.com/serde-rs/serde) | [1.0.145](https://github.com/serde-rs/serde/releases/tag/v1.0.145) +| [serde-big-array](https://github.com/est31/serde-big-array) | [0.4.1](https://github.com/est31/serde-big-array/releases/tag/v0.4.1) +| [serde_with](https://github.com/jonasbb/serde_with) | [2.0.1](https://github.com/jonasbb/serde_with/releases/tag/v2.0.1) +| [uint](https://github.com/paritytech/parity-common) | 0.9.4 +| [bytes](https://github.com/tokio-rs/bytes) | [1.2.1](https://github.com/tokio-rs/bytes/releases/tag/v1.2.1) +| [humantime-serde](https://github.com/jean-airoldie/humantime-serde) | 1.1.1 +| [indexmap](https://github.com/bluss/indexmap) | [1.9.1](https://github.com/bluss/indexmap/releases/tag/1.9.1) +| [ordered-map](https://github.com/qwfy/ordered-map.git) | 0.4.2 +| [serde_json](https://github.com/serde-rs/json) | [1.0.85](https://github.com/serde-rs/json/releases/tag/v1.0.85) +| [bincode](https://github.com/servo/bincode) | [1.3.3](https://github.com/servo/bincode/releases/tag/v1.3.3) +| [mset](https://github.com/lonnen/mset) | [0.1.0](https://github.com/lonnen/mset/releases/tag/0.1.0) +| [tinyvec](https://github.com/Lokathor/tinyvec) | [1.6.0](https://github.com/Lokathor/tinyvec/releases/tag/v1.6.0) +| 
[num-integer](https://github.com/rust-num/num-integer) | 0.1.45 +| [sentry](https://github.com/getsentry/sentry-rust) | [0.27.0](https://github.com/getsentry/sentry-rust/releases/tag/0.27.0) +| [primitive-types](https://github.com/paritytech/parity-common/tree/master/primitive-types) | 0.11.1 + +### Other Zebra dependencies + +| Name | Version | Notes +|------| ------- | ----- +| [rocksdb](https://github.com/rust-rocksdb/rust-rocksdb) | [0.19.0](https://github.com/rust-rocksdb/rust-rocksdb/releases/tag/v0.19.0) | We can treat rocksdb as a database library, and assume it works. It is consensus-critical that stored data is returned without any mistakes. But we don't want to audit a huge pile of C++ code +| [abscissa_core](https://github.com/iqlusioninc/abscissa/tree/develop/) | 0.5.2 +| [gumdrop](https://github.com/murarth/gumdrop) | 0.7.0 + + +### Misc. + +| Name | Version | Reason | Notes +|------| ------- | ----- | ----- +| [proptest](https://github.com/altsysrq/proptest) | [0.10.1](https://github.com/altsysrq/proptest/releases/tag/v0.10.1) | Testing +| proptest-derive | 0.3.0 | Testing +| [tracing](https://github.com/tokio-rs/tracing) | 0.1.36 | Tracing +| [tracing-futures](https://github.com/tokio-rs/tracing) | 0.2.5 | Tracing +| [lazy_static](https://github.com/rust-lang-nursery/lazy-static.rs) | [1.4.0](https://github.com/rust-lang-nursery/lazy-static.rs/releases/tag/1.4.0) +| [static_assertions](https://github.com/nvzqz/static-assertions-rs) | [1.1.0](https://github.com/nvzqz/static-assertions-rs/releases/tag/v1.1.0) +| [thiserror](https://github.com/dtolnay/thiserror) | [1.0.37](https://github.com/dtolnay/thiserror/releases/tag/1.0.37) | Error handling +| [dirs](https://github.com/soc/dirs-rs) | 4.0.0 | +| displaydoc | 0.2.3 | Docs +| [metrics](https://github.com/metrics-rs/metrics) | 0.20.1 | Metrics +| [once_cell](https://github.com/matklad/once_cell) | [1.15.0](https://github.com/matklad/once_cell/releases/tag/v1.15.0) +| 
[regex](https://github.com/rust-lang/regex) | [1.6.0](https://github.com/rust-lang/regex/releases/tag/1.6.0) +| [tracing-error](https://github.com/tokio-rs/tracing) | 0.2.0 | Tracing +| [num_cpus](https://github.com/seanmonstar/num_cpus) | [1.13.1](https://github.com/seanmonstar/num_cpus/releases/tag/v1.13.1) | Trivial use +| [rlimit](https://github.com/Nugine/rlimit/) | [0.8.3](https://github.com/Nugine/rlimit//releases/tag/v0.8.3) +| [tempfile](https://github.com/Stebalien/tempfile) | [3.3.0](https://github.com/Stebalien/tempfile/releases/tag/v3.3.0) +| [color-eyre](https://github.com/yaahc/color-eyre) | [0.6.2](https://github.com/yaahc/color-eyre/releases/tag/v0.6.2) | Error handling +| [tracing-subscriber](https://github.com/tokio-rs/tracing) | 0.3.15 | Logging +| [log](https://github.com/rust-lang/log) | [0.4.17](https://github.com/rust-lang/log/releases/tag/0.4.17) +| [metrics-exporter-prometheus](https://github.com/metrics-rs/metrics) | 0.11.0 | Metrics +| [sentry-tracing](https://github.com/getsentry/sentry-rust) | [0.27.0](https://github.com/getsentry/sentry-rust/releases/tag/0.27.0) | Tracing +| [toml](https://github.com/alexcrichton/toml-rs) | [0.5.9](https://github.com/alexcrichton/toml-rs/releases/tag/0.5.9) +| [tracing-appender](https://github.com/tokio-rs/tracing) | 0.2.2 | Tracing +| [tracing-journald](https://github.com/tokio-rs/tracing) | 0.3.0 | Tracing +| [atty](https://github.com/softprops/atty) | [0.2.14](https://github.com/softprops/atty/releases/tag/0.2.14) +| [rand_chacha](https://github.com/rust-random/rand) | [0.3.1](https://github.com/rust-random/rand/releases/tag/0.3.1) | Testing +| [structopt](https://github.com/TeXitoi/structopt) | [0.3.26](https://github.com/TeXitoi/structopt/releases/tag/v0.3.26) | Trivial usage in zebra-utils + +
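
Review bot: In the "Cryptography dependencies" table, three exclusions rest on guesses rather than checks: the fpe row says "I think it's not being used yet", and the jubjub and bellman rows say "not sure if were covered by ECC audits". This file defines the audit scope and states that all crypto dependencies are out of scope, so each of these should be settled before merging. The document already points readers at `cargo tree`; running `cargo tree -i fpe` shows whether anything in the workspace pulls fpe in, and the jubjub and bellman rows should either link the audit that covered them or say plainly that no audit is known. Separately, that table declares four columns (Name, Version, Audited, Notes) but every row except aes carries three cells, so remarks such as "no audit, but seems widely used" render under Audited rather than Notes; the "Misc." table has the same mismatch between its Reason and Notes columns and its rows. Finally, the Out of Scope introduction has a doubled word: "some of them are are outdated".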