diff --git a/supply-chain/config.toml b/supply-chain/config.toml index 2f7ebea..a050c23 100644 --- a/supply-chain/config.toml +++ b/supply-chain/config.toml @@ -133,10 +133,6 @@ criteria = "safe-to-deploy" version = "0.1.11+1.0.8" criteria = "safe-to-deploy" -[[exemptions.cast]] -version = "0.3.0" -criteria = "safe-to-run" - [[exemptions.cbc]] version = "0.1.2" criteria = "safe-to-deploy" @@ -213,10 +209,6 @@ criteria = "safe-to-run" version = "0.3.2" criteria = "safe-to-deploy" -[[exemptions.cpp_demangle]] -version = "0.4.3" -criteria = "safe-to-run" - [[exemptions.cpufeatures]] version = "0.2.2" criteria = "safe-to-deploy" @@ -305,18 +297,6 @@ criteria = "safe-to-deploy" version = "0.13.0" criteria = "safe-to-deploy" -[[exemptions.futures]] -version = "0.3.30" -criteria = "safe-to-deploy" - -[[exemptions.futures-executor]] -version = "0.3.30" -criteria = "safe-to-deploy" - -[[exemptions.futures-io]] -version = "0.3.30" -criteria = "safe-to-deploy" - [[exemptions.futures-macro]] version = "0.3.30" criteria = "safe-to-deploy" @@ -349,10 +329,6 @@ criteria = "safe-to-deploy" version = "0.28.1" criteria = "safe-to-run" -[[exemptions.half]] -version = "2.2.1" -criteria = "safe-to-run" - [[exemptions.hashbrown]] version = "0.14.3" criteria = "safe-to-deploy" @@ -441,10 +417,6 @@ criteria = "safe-to-deploy" version = "2.6.3" criteria = "safe-to-deploy" -[[exemptions.memmap2]] -version = "0.9.4" -criteria = "safe-to-run" - [[exemptions.minimal-lexical]] version = "0.2.1" criteria = "safe-to-deploy" @@ -453,10 +425,6 @@ criteria = "safe-to-deploy" version = "0.26.1" criteria = "safe-to-deploy" -[[exemptions.nom]] -version = "7.1.1" -criteria = "safe-to-deploy" - [[exemptions.num-bigint-dig]] version = "0.8.4" criteria = "safe-to-deploy" @@ -481,10 +449,6 @@ criteria = "safe-to-deploy" version = "0.1.1" criteria = "safe-to-deploy" -[[exemptions.object]] -version = "0.32.2" -criteria = "safe-to-run" - [[exemptions.once_cell]] version = "1.15.0" criteria = "safe-to-deploy" @@ -537,10 +501,6 @@ criteria = "safe-to-deploy" version = "0.10.2" criteria = "safe-to-deploy" -[[exemptions.pkg-config]] -version = "0.3.29" -criteria = "safe-to-deploy" - [[exemptions.plotters]] version = "0.3.5" criteria = "safe-to-run" @@ -733,10 +693,6 @@ criteria = "safe-to-deploy" version = "0.1.0" criteria = "safe-to-run" -[[exemptions.strsim]] -version = "0.10.0" -criteria = "safe-to-deploy" - [[exemptions.symbolic-common]] version = "12.8.0" criteria = "safe-to-run" @@ -781,10 +737,6 @@ criteria = "safe-to-deploy" version = "0.1.44" criteria = "safe-to-deploy" -[[exemptions.tinytemplate]] -version = "1.2.1" -criteria = "safe-to-run" - [[exemptions.tokio]] version = "1.35.0" criteria = "safe-to-run" @@ -833,10 +785,6 @@ criteria = "safe-to-deploy" version = "1.7.0" criteria = "safe-to-run" -[[exemptions.wait-timeout]] -version = "0.2.0" -criteria = "safe-to-run" - [[exemptions.walkdir]] version = "2.4.0" criteria = "safe-to-deploy" diff --git a/supply-chain/imports.lock b/supply-chain/imports.lock index b2b5b05..14069cb 100644 --- a/supply-chain/imports.lock +++ b/supply-chain/imports.lock @@ -353,6 +353,17 @@ criteria = "safe-to-deploy" version = "0.3.27" notes = "Unsafe used to implement a concurrency primitive AtomicWaker. Well-commented and not obviously incorrect. Like my other audits of these concurrency primitives inside the futures family, I couldn't certify that it is correct without formal methods, but that is out of scope for this vetting." +[[audits.bytecode-alliance.audits.futures-executor]] +who = "Pat Hickey " +criteria = "safe-to-deploy" +version = "0.3.27" +notes = "Unsafe used to implement the unpark mutex, which is well commented and not obviously incorrect. Like with futures-channel I wouldn't be able to certify it as correct without formal methods." + +[[audits.bytecode-alliance.audits.futures-io]] +who = "Pat Hickey " +criteria = "safe-to-deploy" +version = "0.3.27" + [[audits.bytecode-alliance.audits.heck]] who = "Alex Crichton " criteria = "safe-to-deploy" @@ -406,6 +417,12 @@ its own longevity should be relatively hardened against some of the more common compression-related issues. """ +[[audits.bytecode-alliance.audits.object]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.30.3 -> 0.31.1" +notes = "A large-ish update to the crate but nothing out of the ordering. Support for new formats like xcoff, new constants, minor refactorings, etc. Nothing out of the ordinary." + [[audits.bytecode-alliance.audits.percent-encoding]] who = "Alex Crichton " criteria = "safe-to-deploy" @@ -421,6 +438,21 @@ who = "Pat Hickey " criteria = "safe-to-deploy" version = "0.1.0" +[[audits.bytecode-alliance.audits.pkg-config]] +who = "Pat Hickey " +criteria = "safe-to-deploy" +version = "0.3.25" +notes = "This crate shells out to the pkg-config executable, but it appears to sanitize inputs reasonably." + +[[audits.bytecode-alliance.audits.pkg-config]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.3.26 -> 0.3.29" +notes = """ +No `unsafe` additions or anything outside of the purview of the crate in this +change. +""" + [[audits.bytecode-alliance.audits.proc-macro2]] who = "Pat Hickey " criteria = "safe-to-deploy" @@ -515,6 +547,18 @@ criteria = "safe-to-run" version = "0.3.67" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" +[[audits.google.audits.cast]] +who = "George Burgess IV " +criteria = "safe-to-run" +version = "0.3.0" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.cpp_demangle]] +who = "Hidenori Kobayashi " +criteria = "safe-to-run" +version = "0.4.3" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + [[audits.google.audits.crossbeam-deque]] who = "George Burgess IV " criteria = "safe-to-run" @@ -549,6 +593,16 @@ that the RNG here is not cryptographically secure. """ aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" +[[audits.google.audits.futures]] +who = "George Burgess IV " +criteria = "safe-to-deploy" +version = "0.3.28" +notes = """ +`futures` has no logic other than tests - it simply `pub use`s things from +other crates. +""" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + [[audits.google.audits.glob]] who = "George Burgess IV " criteria = "safe-to-deploy" @@ -579,6 +633,12 @@ criteria = "safe-to-run" delta = "1.0.6 -> 1.0.9" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" +[[audits.google.audits.memmap2]] +who = "Ying Hsu " +criteria = "safe-to-run" +version = "0.8.0" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + [[audits.google.audits.nix]] who = "David Koloski " criteria = "safe-to-run" @@ -599,12 +659,34 @@ Issues: """ aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" +[[audits.google.audits.nom]] +who = "danakj@chromium.org" +criteria = "safe-to-deploy" +version = "7.1.3" +notes = """ +Reviewed in https://chromium-review.googlesource.com/c/chromium/src/+/5046153 +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + [[audits.google.audits.normalize-line-endings]] who = "Max Lee " criteria = "safe-to-run" version = "0.3.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" +[[audits.google.audits.object]] +who = "George Burgess IV " +criteria = "safe-to-run" +version = "0.30.3" +notes = "I'm not counting the code related to the GNU Hash section as crypto for the sake of this review." +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.object]] +who = "George Burgess IV " +criteria = "safe-to-run" +delta = "0.31.1 -> 0.32.1" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + [[audits.google.audits.pin-project-lite]] who = "David Koloski " criteria = "safe-to-deploy" @@ -642,12 +724,35 @@ criteria = "safe-to-run" version = "1.2.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" +[[audits.google.audits.strsim]] +who = "danakj@chromium.org" +criteria = "safe-to-deploy" +version = "0.10.0" +notes = """ +Reviewed in https://crrev.com/c/5171063 + +Previously reviewed during security review and the audit is grandparented in. +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.tinytemplate]] +who = "Ying Hsu " +criteria = "safe-to-run" +version = "1.2.1" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + [[audits.google.audits.version_check]] who = "George Burgess IV " criteria = "safe-to-deploy" version = "0.9.4" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" +[[audits.google.audits.wait-timeout]] +who = "George Burgess IV " +criteria = "safe-to-run" +version = "0.2.0" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + [[audits.google.audits.zerocopy]] who = "ChromeOS" criteria = "safe-to-run" @@ -1202,6 +1307,18 @@ criteria = "safe-to-deploy" delta = "0.3.27 -> 0.3.28" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" +[[audits.mozilla.audits.futures-executor]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.3.27 -> 0.3.28" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.futures-io]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.3.27 -> 0.3.28" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + [[audits.mozilla.audits.futures-task]] who = "Mike Hommey " criteria = "safe-to-deploy" @@ -1238,6 +1355,17 @@ criteria = "safe-to-deploy" delta = "0.3.26 -> 0.3.28" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" +[[audits.mozilla.audits.half]] +who = "John M. Schanck " +criteria = "safe-to-deploy" +version = "1.8.2" +notes = """ +This crate contains unsafe code for bitwise casts to/from binary16 floating-point +format. I've reviewed these and found no issues. There are no uses of ambient +capabilities. +""" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + [[audits.mozilla.audits.heck]] who = "Mike Hommey " criteria = "safe-to-deploy" @@ -1300,18 +1428,18 @@ it's not exploitable. """ aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" +[[audits.mozilla.audits.memmap2]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.8.0 -> 0.9.3" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + [[audits.mozilla.audits.nix]] who = "Gabriele Svelto " criteria = "safe-to-deploy" delta = "0.26.2 -> 0.27.1" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" -[[audits.mozilla.audits.nom]] -who = "Mike Hommey " -criteria = "safe-to-deploy" -delta = "7.1.1 -> 7.1.3" -aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" - [[audits.mozilla.audits.num-integer]] who = "Josh Stone " criteria = "safe-to-deploy" @@ -1351,6 +1479,12 @@ criteria = "safe-to-deploy" delta = "2.3.0 -> 2.3.1" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" +[[audits.mozilla.audits.pkg-config]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.3.25 -> 0.3.26" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + [[audits.mozilla.audits.ppv-lite86]] who = "Mike Hommey " criteria = "safe-to-deploy" @@ -1810,6 +1944,24 @@ criteria = "safe-to-deploy" delta = "4.1.0 -> 4.1.1" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" +[[audits.zcash.audits.curve25519-dalek]] +who = "Daira-Emma Hopwood " +criteria = "safe-to-deploy" +delta = "4.1.1 -> 4.1.2" +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + +[[audits.zcash.audits.curve25519-dalek]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "4.1.2 -> 4.1.3" +notes = """ +- New unsafe is adding `core::ptr::read_volatile` calls for black box + optimization barriers. +- `build.rs` changes are to use `CARGO_CFG_TARGET_POINTER_WIDTH` instead of + `TARGET` and the `platforms` crate for deciding on the target pointer width. +""" +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + [[audits.zcash.audits.curve25519-dalek-derive]] who = "Jack Grigg " criteria = "safe-to-deploy" @@ -1828,6 +1980,13 @@ criteria = "safe-to-deploy" delta = "0.3.3 -> 0.3.8" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" +[[audits.zcash.audits.futures]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.3.28 -> 0.3.30" +notes = "Only sub-crate updates and corresponding changes to tests." +aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" + [[audits.zcash.audits.futures-channel]] who = "Jack Grigg " criteria = "safe-to-deploy" @@ -1854,6 +2013,18 @@ delta = "0.3.29 -> 0.3.30" notes = "Removes `build.rs` now that it can rely on the `target_has_atomic` attribute." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" +[[audits.zcash.audits.futures-executor]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.3.28 -> 0.3.30" +aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" + +[[audits.zcash.audits.futures-io]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.3.28 -> 0.3.30" +aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" + [[audits.zcash.audits.futures-task]] who = "Jack Grigg " criteria = "safe-to-deploy" @@ -1898,6 +2069,16 @@ criteria = "safe-to-deploy" delta = "0.14.6 -> 0.14.7" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" +[[audits.zcash.audits.half]] +who = "Daira-Emma Hopwood " +criteria = "safe-to-run" +delta = "1.8.2 -> 2.2.1" +notes = """ +All new uses of unsafe are either just accessing bit representations, or plausibly reasonable uses of intrinsics. I have not checked safety +requirements on the latter. +""" +aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" + [[audits.zcash.audits.indexmap]] who = "Jack Grigg " criteria = "safe-to-deploy" @@ -1983,6 +2164,12 @@ code (but adapted to `u16` and `u8` reads, instead of `u32`). """ aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" +[[audits.zcash.audits.memmap2]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.9.3 -> 0.9.4" +aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" + [[audits.zcash.audits.nix]] who = "Jack Grigg " criteria = "safe-to-deploy" @@ -2004,41 +2191,18 @@ A new unsafe trait method `SockaddrLike::set_length` is added; it's impls look f """ aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" +[[audits.zcash.audits.object]] +who = "Daira-Emma Hopwood " +criteria = "safe-to-deploy" +delta = "0.32.1 -> 0.32.2" +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + [[audits.zcash.audits.pin-project-lite]] who = "Jack Grigg " criteria = "safe-to-deploy" delta = "0.2.9 -> 0.2.13" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" -[[audits.zcash.audits.platforms]] -who = "Daira Emma Hopwood " -criteria = "safe-to-deploy" -version = "3.0.2" -notes = """ -This crate uses `#![forbid(unsafe_code)]` and its build script is safe. It only \"provides programmatic access to -information about valid Rust platforms, sourced from the Rust compiler\"; it does not attempt any detection that -would require unsafety. -""" -aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" - -[[audits.zcash.audits.platforms]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "3.0.2 -> 3.1.2" -aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" - -[[audits.zcash.audits.platforms]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "3.1.2 -> 3.2.0" -aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" - -[[audits.zcash.audits.platforms]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "3.2.0 -> 3.3.0" -aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" - [[audits.zcash.audits.proc-macro2]] who = "Jack Grigg " criteria = "safe-to-deploy"