From 3a6ece4bdc62fcc61a7016e030b31487b3b130f5 Mon Sep 17 00:00:00 2001
From: Jack Grigg
Date: Mon, 12 Jun 2023 01:26:31 +0000
Subject: [PATCH] cargo vet prune

---
 supply-chain/config.toml | 60 -------------
 supply-chain/imports.lock | 176 ++++++++++++++++++++++++++++++++------
 2 files changed, 150 insertions(+), 86 deletions(-)

diff --git a/supply-chain/config.toml b/supply-chain/config.toml
index b10f33c..fe27f1d 100644
--- a/supply-chain/config.toml
+++ b/supply-chain/config.toml
@@ -183,10 +183,6 @@ criteria = "safe-to-deploy"
 version = "0.3.2"
 criteria = "safe-to-deploy"
 
-[[exemptions.core-foundation-sys]]
-version = "0.8.3"
-criteria = "safe-to-deploy"
-
 [[exemptions.cpp_demangle]]
 version = "0.3.5"
 criteria = "safe-to-run"
@@ -291,10 +287,6 @@ criteria = "safe-to-deploy"
 version = "0.2.8"
 criteria = "safe-to-deploy"
 
-[[exemptions.errno-dragonfly]]
-version = "0.1.2"
-criteria = "safe-to-deploy"
-
 [[exemptions.fastrand]]
 version = "1.8.0"
 criteria = "safe-to-deploy"
@@ -327,30 +319,10 @@ criteria = "safe-to-deploy"
 version = "0.3.21"
 criteria = "safe-to-deploy"
 
-[[exemptions.futures-channel]]
-version = "0.3.25"
-criteria = "safe-to-deploy"
-
-[[exemptions.futures-core]]
-version = "0.3.25"
-criteria = "safe-to-deploy"
-
-[[exemptions.futures-executor]]
-version = "0.3.21"
-criteria = "safe-to-deploy"
-
-[[exemptions.futures-io]]
-version = "0.3.27"
-criteria = "safe-to-deploy"
-
 [[exemptions.futures-macro]]
 version = "0.3.21"
 criteria = "safe-to-deploy"
 
-[[exemptions.futures-sink]]
-version = "0.3.21"
-criteria = "safe-to-deploy"
-
 [[exemptions.futures-task]]
 version = "0.3.25"
 criteria = "safe-to-deploy"
@@ -495,10 +467,6 @@ criteria = "safe-to-deploy"
 version = "0.4.9"
 criteria = "safe-to-deploy"
 
-[[exemptions.malloc_buf]]
-version = "0.0.6"
-criteria = "safe-to-deploy"
-
 [[exemptions.man]]
 version = "0.3.0"
 criteria = "safe-to-run"
@@ -611,10 +579,6 @@ criteria = "safe-to-deploy"
 version = "0.2.9"
 criteria = "safe-to-deploy"
 
-[[exemptions.pin-utils]]
-version = "0.1.0"
-criteria = "safe-to-deploy"
-
 [[exemptions.pinentry]]
 version = "0.5.0"
 criteria = "safe-to-deploy"
@@ -627,10 +591,6 @@ criteria = "safe-to-deploy"
 version = "0.9.0"
 criteria = "safe-to-deploy"
 
-[[exemptions.pkg-config]]
-version = "0.3.26"
-criteria = "safe-to-deploy"
-
 [[exemptions.plotters]]
 version = "0.3.4"
 criteria = "safe-to-run"
@@ -675,10 +635,6 @@ criteria = "safe-to-run"
 version = "1.0.3"
 criteria = "safe-to-run"
 
-[[exemptions.quickcheck_macros]]
-version = "1.0.0"
-criteria = "safe-to-run"
-
 [[exemptions.rand]]
 version = "0.7.3"
 criteria = "safe-to-deploy"
@@ -799,10 +755,6 @@ criteria = "safe-to-deploy"
 version = "1.0.81"
 criteria = "safe-to-deploy"
 
-[[exemptions.sha1]]
-version = "0.10.5"
-criteria = "safe-to-deploy"
-
 [[exemptions.sha2]]
 version = "0.10.6"
 criteria = "safe-to-deploy"
@@ -811,10 +763,6 @@ criteria = "safe-to-deploy"
 version = "1.6.4"
 criteria = "safe-to-deploy"
 
-[[exemptions.slab]]
-version = "0.4.7"
-criteria = "safe-to-deploy"
-
 [[exemptions.smallvec]]
 version = "1.10.0"
 criteria = "safe-to-deploy"
@@ -931,14 +879,6 @@ criteria = "safe-to-deploy"
 version = "1.15.0"
 criteria = "safe-to-deploy"
 
-[[exemptions.unicode-width]]
-version = "0.1.10"
-criteria = "safe-to-deploy"
-
-[[exemptions.unicode-xid]]
-version = "0.2.4"
-criteria = "safe-to-deploy"
-
 [[exemptions.users]]
 version = "0.11.0"
 criteria = "safe-to-deploy"
diff --git a/supply-chain/imports.lock b/supply-chain/imports.lock
index 04df9ab..d01d130 100644
--- a/supply-chain/imports.lock
+++ b/supply-chain/imports.lock
@@ -1,6 +1,27 @@
 # cargo-vet imports lock
 
+[[publisher.core-foundation-sys]]
+version = "0.8.3"
+when = "2021-10-12"
+user-id = 2396
+user-login = "jdm"
+user-name = "Josh Matthews"
+
+[[publisher.unicode-width]]
+version = "0.1.10"
+when = "2022-09-13"
+user-id = 1139
+user-login = "Manishearth"
+user-name = "Manish Goregaokar"
+
+[[publisher.unicode-xid]]
+version = "0.2.4"
+when = "2022-09-15"
+user-id = 1139
+user-login = "Manishearth"
+user-name = "Manish Goregaokar"
+
 [[audits.bytecode-alliance.audits.addr2line]]
 who = "Alex Crichton "
 criteria = "safe-to-deploy"
@@ -78,6 +99,40 @@ who = "Benjamin Bouvier "
 criteria = "safe-to-deploy"
 delta = "0.9.0 -> 0.10.3"
 
+[[audits.bytecode-alliance.audits.errno-dragonfly]]
+who = "Jamey Sharp "
+criteria = "safe-to-deploy"
+version = "0.1.2"
+notes = "This should be portable to any POSIX system and seems like it should be part of the libc crate, but at any rate it's safe as is."
+
+[[audits.bytecode-alliance.audits.futures-channel]]
+who = "Pat Hickey "
+criteria = "safe-to-deploy"
+version = "0.3.27"
+notes = "build.rs is just detecting the target and setting cfg. unsafety is for implementing a concurrency primitives using atomics and unsafecell, and is not obviously incorrect (this is the sort of thing I wouldn't certify as correct without formal methods)"
+
+[[audits.bytecode-alliance.audits.futures-core]]
+who = "Pat Hickey "
+criteria = "safe-to-deploy"
+version = "0.3.27"
+notes = "Unsafe used to implement a concurrency primitive AtomicWaker. Well-commented and not obviously incorrect. Like my other audits of these concurrency primitives inside the futures family, I couldn't certify that it is correct without formal methods, but that is out of scope for this vetting."
+
+[[audits.bytecode-alliance.audits.futures-executor]]
+who = "Pat Hickey "
+criteria = "safe-to-deploy"
+version = "0.3.27"
+notes = "Unsafe used to implement the unpark mutex, which is well commented and not obviously incorrect. Like with futures-channel I wouldn't be able to certify it as correct without formal methods."
+
+[[audits.bytecode-alliance.audits.futures-io]]
+who = "Pat Hickey "
+criteria = "safe-to-deploy"
+version = "0.3.27"
+
+[[audits.bytecode-alliance.audits.futures-sink]]
+who = "Pat Hickey "
+criteria = "safe-to-deploy"
+version = "0.3.27"
+
 [[audits.bytecode-alliance.audits.gimli]]
 who = "Alex Crichton "
 criteria = "safe-to-deploy"
@@ -118,12 +173,29 @@ a few `unsafe` blocks related to utf-8 validation which are locally verifiable
 as correct and otherwise this crate is good to go.
 """
 
+[[audits.bytecode-alliance.audits.pin-utils]]
+who = "Pat Hickey "
+criteria = "safe-to-deploy"
+version = "0.1.0"
+
+[[audits.bytecode-alliance.audits.pkg-config]]
+who = "Pat Hickey "
+criteria = "safe-to-deploy"
+version = "0.3.25"
+notes = "This crate shells out to the pkg-config executable, but it appears to sanitize inputs reasonably."
+
 [[audits.bytecode-alliance.audits.rustc-demangle]]
 who = "Alex Crichton "
 criteria = "safe-to-deploy"
 version = "0.1.21"
 notes = "I am the author of this crate."
 
+[[audits.bytecode-alliance.audits.slab]]
+who = "Pat Hickey "
+criteria = "safe-to-deploy"
+version = "0.4.6"
+notes = "provides a datastructure implemented using std's Vec. all uses of unsafe are just delegating to the underlying unsafe Vec methods."
+
 [[audits.bytecode-alliance.audits.windows-sys]]
 who = "Dan Gohman "
 criteria = "safe-to-deploy"
@@ -232,6 +304,12 @@ criteria = "safe-to-deploy"
 violation = "<0.20.0"
 notes = "Specified crate license does not include licenses of embedded fonts if using default features or the `default_fonts` feature. Tracked in: https://github.com/emilk/egui/issues/2321"
 
+[[audits.embark-studios.audits.quickcheck_macros]]
+who = "Johan Andersson "
+criteria = "safe-to-deploy"
+version = "1.0.0"
+notes = "Proc macro. No unsafe usage or ambient capabilities"
+
 [[audits.isrg.audits.block-buffer]]
 who = "David Cook "
 criteria = "safe-to-deploy"
@@ -302,6 +380,34 @@ who = "David Cook "
 criteria = "safe-to-deploy"
 version = "0.2.83"
 
+[[audits.mozilla.wildcard-audits.core-foundation-sys]]
+who = "Bobby Holley "
+criteria = "safe-to-deploy"
+user-id = 2396 # Josh Matthews (jdm)
+start = "2019-11-12"
+end = "2023-05-04"
+renew = false
+notes = "I've reviewed every source contribution that was neither authored nor reviewed by Mozilla."
+aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
+
+[[audits.mozilla.wildcard-audits.unicode-width]]
+who = "Manish Goregaokar "
+criteria = "safe-to-deploy"
+user-id = 1139 # Manish Goregaokar (Manishearth)
+start = "2019-12-05"
+end = "2024-05-03"
+notes = "All code written or reviewed by Manish"
+aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
+
+[[audits.mozilla.wildcard-audits.unicode-xid]]
+who = "Manish Goregaokar "
+criteria = "safe-to-deploy"
+user-id = 1139 # Manish Goregaokar (Manishearth)
+start = "2019-07-25"
+end = "2024-05-03"
+notes = "All code written or reviewed by Manish"
+aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
+
 [[audits.mozilla.audits.aho-corasick]]
 who = "Mike Hommey "
 criteria = "safe-to-deploy"
@@ -449,21 +555,9 @@ delta = "0.3.25 -> 0.3.26"
 aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
 
 [[audits.mozilla.audits.futures-channel]]
-who = "Mike Hommey "
+who = "Bobby Holley "
 criteria = "safe-to-deploy"
-delta = "0.3.25 -> 0.3.26"
-aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
-
-[[audits.mozilla.audits.futures-core]]
-who = "Mike Hommey "
-criteria = "safe-to-deploy"
-delta = "0.3.25 -> 0.3.26"
-aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
-
-[[audits.mozilla.audits.futures-executor]]
-who = "Mike Hommey "
-criteria = "safe-to-deploy"
-delta = "0.3.21 -> 0.3.23"
+delta = "0.3.27 -> 0.3.26"
 aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
 
 [[audits.mozilla.audits.futures-executor]]
@@ -478,6 +572,12 @@ criteria = "safe-to-deploy"
 delta = "0.3.25 -> 0.3.26"
 aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
 
+[[audits.mozilla.audits.futures-executor]]
+who = "Bobby Holley "
+criteria = "safe-to-deploy"
+delta = "0.3.27 -> 0.3.23"
+aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
+
 [[audits.mozilla.audits.futures-macro]]
 who = "Mike Hommey "
 criteria = "safe-to-deploy"
@@ -496,12 +596,6 @@ criteria = "safe-to-deploy"
 delta = "0.3.25 -> 0.3.26"
 aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
 
-[[audits.mozilla.audits.futures-sink]]
-who = "Mike Hommey "
-criteria = "safe-to-deploy"
-delta = "0.3.21 -> 0.3.23"
-aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
-
 [[audits.mozilla.audits.futures-sink]]
 who = "Mike Hommey "
 criteria = "safe-to-deploy"
@@ -514,6 +608,12 @@ criteria = "safe-to-deploy"
 delta = "0.3.25 -> 0.3.26"
 aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
 
+[[audits.mozilla.audits.futures-sink]]
+who = "Bobby Holley "
+criteria = "safe-to-deploy"
+delta = "0.3.27 -> 0.3.23"
+aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
+
 [[audits.mozilla.audits.futures-task]]
 who = "Mike Hommey "
 criteria = "safe-to-deploy"
@@ -623,6 +723,18 @@ criteria = "safe-to-deploy"
 version = "0.4.17"
 aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
 
+[[audits.mozilla.audits.malloc_buf]]
+who = "Bobby Holley "
+criteria = "safe-to-deploy"
+version = "0.0.6"
+notes = """
+Very small crate for managing malloc-ed buffers, primarily for use in the objc crate.
+There is an edge-case condition that passes slice::from_raw_parts(0x1, 0) which I'm
+not entirely certain is technically sound, but in either case I am reasonably confident
+it's not exploitable.
+"""
+aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
+
 [[audits.mozilla.audits.memoffset]]
 who = "Gabriele Svelto "
 criteria = "safe-to-deploy"
@@ -692,6 +804,12 @@ criteria = "safe-to-deploy"
 delta = "6.3.0 -> 6.4.1"
 aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
 
+[[audits.mozilla.audits.pkg-config]]
+who = "Mike Hommey "
+criteria = "safe-to-deploy"
+delta = "0.3.25 -> 0.3.26"
+aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
+
 [[audits.mozilla.audits.ppv-lite86]]
 who = "Mike Hommey "
 criteria = "safe-to-deploy"
@@ -915,6 +1033,18 @@ criteria = "safe-to-deploy"
 delta = "1.0.91 -> 1.0.93"
 aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
 
+[[audits.mozilla.audits.sha1]]
+who = "Dana Keeler "
+criteria = "safe-to-deploy"
+version = "0.10.5"
+aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
+
+[[audits.mozilla.audits.slab]]
+who = "Mike Hommey "
+criteria = "safe-to-deploy"
+delta = "0.4.6 -> 0.4.7"
+aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
+
 [[audits.mozilla.audits.slab]]
 who = "Mike Hommey "
 criteria = "safe-to-deploy"
@@ -1200,12 +1330,6 @@ criteria = "safe-to-deploy"
 delta = "1.0.91 -> 1.0.92"
 aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
 
-[[audits.zcash.audits.futures-core]]
-who = "Jack Grigg "
-criteria = "safe-to-deploy"
-delta = "0.3.26 -> 0.3.27"
-aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
-
 [[audits.zcash.audits.futures-task]]
 who = "Jack Grigg "
 criteria = "safe-to-deploy"