diff --git a/supply-chain/audits.toml b/supply-chain/audits.toml new file mode 100644 index 00000000000..360cb150bb6 --- /dev/null +++ b/supply-chain/audits.toml @@ -0,0 +1,14 @@ + +# cargo-vet audits file + +[[audits.libc]] +who = "Kunal Mehta " +criteria = "safe-to-deploy" +version = "0.2.126" +notes = "Managed by Rust project" + +[[audits.rustversion]] +who = "Kunal Mehta " +criteria = "safe-to-deploy" +delta = "1.0.9 -> 1.0.11" + diff --git a/supply-chain/config.toml b/supply-chain/config.toml new file mode 100644 index 00000000000..abb575a3f98 --- /dev/null +++ b/supply-chain/config.toml @@ -0,0 +1,61 @@ + +# cargo-vet config file + +[imports.firefox] +url = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[policy.js-sys] +criteria = [] +notes = "WASM-only" + +[policy.redox_syscall] +criteria = [] +notes = "Redox OS-only" + +[policy.redox_users] +criteria = [] +notes = "Redox OS-only" + +[policy.redwood] +audit-as-crates-io = false + +[policy.wasi] +criteria = [] +notes = "WASM-only" + +[policy.wasm-bindgen] +criteria = [] +notes = "WASM-only" + +[policy.winapi] +criteria = [] +notes = "Windows-only" + +[policy.windows-sys] +criteria = [] +notes = "Windows-only" + +[policy.windows_aarch64_gnullvm] +criteria = [] +notes = "Windows-only" + +[policy.windows_aarch64_msvc] +criteria = [] +notes = "Windows-only" + +[policy.windows_i686_gnu] +criteria = [] +notes = "Windows-only" + +[policy.windows_x86_64_gnu] +criteria = [] +notes = "Windows-only" + +[policy.windows_x86_64_gnullvm] +criteria = [] +notes = "Windows-only" + +[policy.windows_x86_64_msvc] +criteria = [] +notes = "Windows-only" + diff --git a/supply-chain/imports.lock b/supply-chain/imports.lock new file mode 100644 index 00000000000..7781ead97c0 --- /dev/null +++ b/supply-chain/imports.lock @@ -0,0 +1,403 @@ + +# cargo-vet imports lock + +[[audits.firefox.audits.aho-corasick]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.7.18 -> 0.7.20" + +[[audits.firefox.audits.anyhow]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.0.57 -> 1.0.61" + +[[audits.firefox.audits.anyhow]] +who = "Bobby Holley " +criteria = "safe-to-deploy" +delta = "1.0.58 -> 1.0.57" +notes = "No functional differences, just CI config and docs." + +[[audits.firefox.audits.anyhow]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.0.61 -> 1.0.62" + +[[audits.firefox.audits.anyhow]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.0.62 -> 1.0.68" + +[[audits.firefox.audits.autocfg]] +who = "Josh Stone " +criteria = "safe-to-deploy" +version = "1.1.0" +notes = "All code written or reviewed by Josh Stone." + +[[audits.firefox.audits.base64]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.13.0 -> 0.13.1" + +[[audits.firefox.audits.bit-set]] +who = "Aria Beingessner " +criteria = "safe-to-deploy" +version = "0.5.2" +notes = "Another crate I own via contain-rs that is ancient and maintenance mode, no known issues." + +[[audits.firefox.audits.bit-set]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.5.2 -> 0.5.3" + +[[audits.firefox.audits.bit-vec]] +who = "Aria Beingessner " +criteria = "safe-to-deploy" +version = "0.6.3" +notes = "Another crate I own via contain-rs that is ancient and in maintenance mode but otherwise perfectly fine." + +[[audits.firefox.audits.bumpalo]] +who = "Bobby Holley " +criteria = "safe-to-run" +delta = "3.9.1 -> 3.10.0" +notes = """ +Some nontrivial functional changes but certainly meets the no-malware bar of +safe-to-run. If we needed safe-to-deploy for this in m-c I'd ask Nick to re- +certify this version, but we don't, so this is fine for now. +""" + +[[audits.firefox.audits.digest]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.10.3 -> 0.10.6" + +[[audits.firefox.audits.either]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.6.1 -> 1.7.0" + +[[audits.firefox.audits.either]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.7.0 -> 1.8.0" + +[[audits.firefox.audits.fastrand]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.7.0 -> 1.8.0" + +[[audits.firefox.audits.flate2]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.0.24 -> 1.0.25" + +[[audits.firefox.audits.generic-array]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.14.5 -> 0.14.6" + +[[audits.firefox.audits.getrandom]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.2.6 -> 0.2.7" + +[[audits.firefox.audits.getrandom]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.2.7 -> 0.2.8" + +[[audits.firefox.audits.hashbrown]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +version = "0.12.3" +notes = "This version is used in rust's libstd, so effectively we're already trusting it" + +[[audits.firefox.audits.indexmap]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.8.2 -> 1.9.1" + +[[audits.firefox.audits.indexmap]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.9.1 -> 1.9.2" + +[[audits.firefox.audits.itertools]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.10.3 -> 0.10.5" + +[[audits.firefox.audits.libc]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.2.126 -> 0.2.132" + +[[audits.firefox.audits.libc]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.2.132 -> 0.2.138" + +[[audits.firefox.audits.libc]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.2.138 -> 0.2.139" + +[[audits.firefox.audits.lock_api]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.4.7 -> 0.4.9" + +[[audits.firefox.audits.log]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +version = "0.4.17" + +[[audits.firefox.audits.memoffset]] +who = "Gabriele Svelto " +criteria = "safe-to-deploy" +delta = "0.6.5 -> 0.7.1" + +[[audits.firefox.audits.miniz_oxide]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.5.3 -> 0.6.2" + +[[audits.firefox.audits.new_debug_unreachable]] +who = "Bobby Holley " +criteria = "safe-to-deploy" +version = "1.0.4" +notes = "This is a trivial crate." + +[[audits.firefox.audits.num-integer]] +who = "Josh Stone " +criteria = "safe-to-deploy" +version = "0.1.45" +notes = "All code written or reviewed by Josh Stone." + +[[audits.firefox.audits.num-traits]] +who = "Josh Stone " +criteria = "safe-to-deploy" +version = "0.2.15" +notes = "All code written or reviewed by Josh Stone." + +[[audits.firefox.audits.once_cell]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.12.0 -> 1.13.1" + +[[audits.firefox.audits.once_cell]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.13.1 -> 1.16.0" + +[[audits.firefox.audits.parking_lot_core]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.8.5 -> 0.8.6" + +[[audits.firefox.audits.pkg-config]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.3.25 -> 0.3.26" + +[[audits.firefox.audits.ppv-lite86]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.2.16 -> 0.2.17" + +[[audits.firefox.audits.precomputed-hash]] +who = "Bobby Holley " +criteria = "safe-to-deploy" +version = "0.1.1" +notes = "This is a trivial crate." + +[[audits.firefox.audits.proc-macro2]] +who = "Nika Layzell " +criteria = "safe-to-deploy" +version = "1.0.39" +notes = """ +`proc-macro2` acts as either a thin(-ish) wrapper around the std-provided +`proc_macro` crate, or as a fallback implementation of the crate, depending on +where it is used. + +If using this crate on older versions of rustc (1.56 and earlier), it will +temporarily replace the panic handler while initializing in order to detect if +it is running within a `proc_macro`, which could lead to surprising behaviour. +This should not be an issue for more recent compiler versions, which support +`proc_macro::is_available()`. + +The `proc-macro2` crate's fallback behaviour is not identical to the complex +behaviour of the rustc compiler (e.g. it does not perform unicode normalization +for identifiers), however it behaves well enough for its intended use-case +(tests and scripts processing rust code). + +`proc-macro2` does not use unsafe code, however exposes one `unsafe` API to +allow bypassing checks in the fallback implementation when constructing +`Literal` using `from_str_unchecked`. This was intended to only be used by the +`quote!` macro, however it has been removed +(https://github.com/dtolnay/quote/commit/f621fe64a8a501cae8e95ebd6848e637bbc79078), +and is likely completely unused. Even when used, this API shouldn't be able to +cause unsoundness. +""" + +[[audits.firefox.audits.proc-macro2]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.0.39 -> 1.0.43" + +[[audits.firefox.audits.proc-macro2]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.0.43 -> 1.0.49" + +[[audits.firefox.audits.quote]] +who = "Nika Layzell " +criteria = "safe-to-deploy" +version = "1.0.18" +notes = """ +`quote` is a utility crate used by proc-macros to generate TokenStreams +conveniently from source code. The bulk of the logic is some complex +interlocking `macro_rules!` macros which are used to parse and build the +`TokenStream` within the proc-macro. + +This crate contains no unsafe code, and the internal logic, while difficult to +read, is generally straightforward. I have audited the the quote macros, ident +formatter, and runtime logic. +""" + +[[audits.firefox.audits.quote]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.0.18 -> 1.0.21" + +[[audits.firefox.audits.quote]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.0.21 -> 1.0.23" + +[[audits.firefox.audits.rand_core]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.6.3 -> 0.6.4" + +[[audits.firefox.audits.redox_syscall]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.2.13 -> 0.2.16" + +[[audits.firefox.audits.regex]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.5.6 -> 1.6.0" + +[[audits.firefox.audits.regex]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.6.0 -> 1.7.0" + +[[audits.firefox.audits.regex-syntax]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.6.26 -> 0.6.27" + +[[audits.firefox.audits.regex-syntax]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.6.27 -> 0.6.28" + +[[audits.firefox.audits.rustversion]] +who = "Bobby Holley " +criteria = "safe-to-deploy" +version = "1.0.9" +notes = """ +This crate has a build-time component and procedural macro logic, which I looked +at enough to convince myself it wasn't going to do anything dramatically wrong. +I don't think logic bugs in the version parsing etc can realistically introduce +a security vulnerability. +""" + +[[audits.firefox.audits.rustversion]] +who = "Mike Hommey " +criteria = "safe-to-run" +delta = "1.0.9 -> 1.0.11" + +[[audits.firefox.audits.smallvec]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.8.0 -> 1.9.0" + +[[audits.firefox.audits.smallvec]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.9.0 -> 1.10.0" + +[[audits.firefox.audits.syn]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.0.96 -> 1.0.99" + +[[audits.firefox.audits.syn]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.0.99 -> 1.0.107" + +[[audits.firefox.audits.thiserror]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.0.31 -> 1.0.32" + +[[audits.firefox.audits.thiserror]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.0.32 -> 1.0.38" + +[[audits.firefox.audits.thiserror-impl]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.0.31 -> 1.0.32" + +[[audits.firefox.audits.thiserror-impl]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.0.32 -> 1.0.38" + +[[audits.firefox.audits.typenum]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.15.0 -> 1.16.0" + +[[audits.firefox.audits.unicode-ident]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.0.0 -> 1.0.1" + +[[audits.firefox.audits.unicode-ident]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.0.1 -> 1.0.3" + +[[audits.firefox.audits.unicode-ident]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.0.3 -> 1.0.6" + +[[audits.firefox.audits.unicode-normalization]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.1.19 -> 0.1.20" +notes = "I am the author of most of these changes upstream, and prepared the release myself, at which point I looked at the other changes since 0.1.19." + +[[audits.firefox.audits.unicode-normalization]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.1.20 -> 0.1.21" + +[[audits.firefox.audits.unicode-normalization]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.1.21 -> 0.1.22" + +[[audits.firefox.audits.unicode-xid]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.2.3 -> 0.2.4" +