diff --git a/supply-chain/config.toml b/supply-chain/config.toml index 86bb2aa..0fec24e 100644 --- a/supply-chain/config.toml +++ b/supply-chain/config.toml @@ -2,7 +2,7 @@ # cargo-vet config file [cargo-vet] -version = "0.9" +version = "0.10" [imports.bytecode-alliance] url = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" @@ -53,10 +53,6 @@ criteria = "safe-to-deploy" version = "0.10.3" criteria = "safe-to-deploy" -[[exemptions.ahash]] -version = "0.8.6" -criteria = "safe-to-run" - [[exemptions.aho-corasick]] version = "1.1.1" criteria = "safe-to-deploy" @@ -121,10 +117,6 @@ criteria = "safe-to-deploy" version = "0.9.1" criteria = "safe-to-deploy" -[[exemptions.byteorder]] -version = "1.4.3" -criteria = "safe-to-deploy" - [[exemptions.bzip2]] version = "0.4.4" criteria = "safe-to-deploy" @@ -445,10 +437,6 @@ criteria = "safe-to-deploy" version = "0.4.12" criteria = "safe-to-deploy" -[[exemptions.log]] -version = "0.4.22" -criteria = "safe-to-deploy" - [[exemptions.memchr]] version = "2.6.3" criteria = "safe-to-deploy" @@ -725,10 +713,6 @@ criteria = "safe-to-deploy" version = "0.1.0" criteria = "safe-to-run" -[[exemptions.strsim]] -version = "0.11.1" -criteria = "safe-to-deploy" - [[exemptions.symbolic-common]] version = "12.10.0" criteria = "safe-to-run" diff --git a/supply-chain/imports.lock b/supply-chain/imports.lock index 294cef0..a89961e 100644 --- a/supply-chain/imports.lock +++ b/supply-chain/imports.lock @@ -517,6 +517,28 @@ delta = "0.8.2 -> 0.8.4" notes = "Audited at https://fxrev.dev/987054" aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" +[[audits.google.audits.ahash]] +who = "Nicholas Bishop " +criteria = "safe-to-run" +version = "0.8.3" +notes = """ +Note on does-not-implement-crypto: the aHash documentation explicitly +states it is not a cryptographically secure hash. +""" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.ahash]] +who = "Nicholas Bishop " +criteria = "safe-to-run" +delta = "0.8.3 -> 0.8.5" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.ahash]] +who = "Nicholas Bishop " +criteria = "safe-to-run" +delta = "0.8.5 -> 0.8.11" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + [[audits.google.audits.arrayvec]] who = "Nicholas Bishop " criteria = "safe-to-run" @@ -608,6 +630,13 @@ instead (see also https://crrev.com/c/5771867). """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" +[[audits.google.audits.byteorder]] +who = "danakj " +criteria = "safe-to-deploy" +version = "1.5.0" +notes = "Unsafe review in https://crrev.com/c/5838022" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + [[audits.google.audits.cast]] who = "George Burgess IV " criteria = "safe-to-run" @@ -779,6 +808,18 @@ delta = "1.4.0 -> 1.5.0" notes = "Unsafe review notes: https://crrev.com/c/5650836" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" +[[audits.google.audits.log]] +who = "danakj " +criteria = "safe-to-deploy" +version = "0.4.22" +notes = """ +Unsafe review in https://docs.google.com/document/d/1IXQbD1GhTRqNHIGxq6yy7qHqxeO4CwN5noMFXnqyDIM/edit?usp=sharing + +Unsafety is generally very well-documented, with one exception, which we +describe in the review doc. +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + [[audits.google.audits.memmap2]] who = "Ying Hsu " criteria = "safe-to-run" @@ -1383,12 +1424,6 @@ renew = false notes = "I've reviewed every source contribution that was neither authored nor reviewed by Mozilla." aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" -[[audits.mozilla.audits.ahash]] -who = "Erich Gubler " -criteria = "safe-to-deploy" -delta = "0.8.7 -> 0.8.11" -aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" - [[audits.mozilla.audits.android_system_properties]] who = "Nicolas Silva " criteria = "safe-to-deploy" @@ -1710,6 +1745,12 @@ version = "1.1.0" notes = "Straightforward crate with no unsafe code, does what it says on the tin." aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" +[[audits.mozilla.audits.strsim]] +who = "Ben Dean-Kawamura " +criteria = "safe-to-deploy" +delta = "0.10.0 -> 0.11.1" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + [[audits.mozilla.audits.subtle]] who = "Simon Friedberger " criteria = "safe-to-deploy" @@ -1839,13 +1880,6 @@ criteria = "safe-to-deploy" delta = "0.5.1 -> 0.5.2" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" -[[audits.zcash.audits.ahash]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "0.8.6 -> 0.8.7" -notes = "Build-time `stdsimd` detection is replaced with a nightly-only feature flag." -aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" - [[audits.zcash.audits.aho-corasick]] who = "Jack Grigg " criteria = "safe-to-deploy" @@ -1889,17 +1923,6 @@ delta = "0.10.3 -> 0.10.4" notes = "Adds panics to prevent a block size of zero from causing unsoundness." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" -[[audits.zcash.audits.byteorder]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "1.4.3 -> 1.5.0" -notes = """ -- Adds two assertions to check the safety of `slice::from_raw_parts_mut` calls. -- Replaces a bunch of `unsafe` blocks containing `copy_nonoverlapping` calls - with safe `<&mut [u8]>::copy_from_slice` calls. -""" -aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" - [[audits.zcash.audits.cipher]] who = "Daira Hopwood " criteria = "safe-to-deploy"