From 7a8eed0bb17e175a01050f15d707c558a73b6c43 Mon Sep 17 00:00:00 2001 
From: Kunal Mehta Date: Tue, 10 Oct 2023 13:59:45 -0400 Subject: [PATCH] Add initial `cargo vet` configuration cargo vet is a tool designed by Mozilla to record audits of Rust dependencies, and it matches nicely with the philosophy of our diff review system for Python. It can automatically present diffs and verify everything has been checked. == Trust == To reduce the number of audits we have to do, we trust the following organizations: * Bytecode Alliance (WASM/WASI) * Google * Internet Security Research Group (Let's Encrypt, etc.) * Mozilla * Zcash We also trust a number of individual developers, because they are members of the Rust Project and also trusted by one of the above organizations we trust. We also trust the two Sequoia-OpenPGP team members who release things. All of the individual trust markers have an expiry date to remind us to re-evaluate trustworthiness every so often. == Exemptions == There are a number of dependencies that appear in our tree but are not used on Linux x86_64 so we can ignore them entirely. These are marked in config.toml with a policy stanza that has an empty criteria block. These crates have been identified manually; in the future cargo-vet will hopefully let us specify specific targets we care about and take care of it automatically. The remaining exemptions in config.toml have not been reviewed yet; we can incrementally chip away at them. == Signing == Unlike diff reviews, there is no PGP signing of this file. Because these are committed into the Git repository directly, we can rely on that as a measure of trust (unlike random wiki pages). == CI == CI verifies that all dependencies have either been reviewed or exempted, so there's no need for manual tracking in PR descriptions. Upstream provides a GitHub Actions template that we use most of. Fixes #6500.
---
 .github/workflows/cargo-vet.yml | 26 ++
 supply-chain/audits.toml | 283 ++++++++++++++++++
 supply-chain/config.toml | 292 ++++++++++++++++++
 supply-chain/imports.lock | 512 ++++++++++++++++++++++++++++++++
 4 files changed, 1113 insertions(+)
 create mode 100644 .github/workflows/cargo-vet.yml
 create mode 100644 supply-chain/audits.toml
 create mode 100644 supply-chain/config.toml
 create mode 100644 supply-chain/imports.lock
diff --git a/.github/workflows/cargo-vet.yml b/.github/workflows/cargo-vet.yml
new file mode 100644
index 00000000000..4f2605a3d7b
--- /dev/null
+++ b/.github/workflows/cargo-vet.yml
@@ -0,0 +1,26 @@
+# Based off of https://mozilla.github.io/cargo-vet/configuring-ci.html
+
+name: cargo vet
+
+on: [push, pull_request]
+
+jobs:
+  cargo-vet:
+    name: Vet Dependencies
+    runs-on: ubuntu-latest
+    # Keep version in sync with rust-toolchain.toml
+    container: rust:1.71.1
+    env:
+      CARGO_VET_VERSION: 0.8.0
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/cache@v2
+        with:
+          path: ${{ runner.tool_cache }}/cargo-vet
+          key: cargo-vet-bin-${{ env.CARGO_VET_VERSION }}
+      - name: Add the tool cache directory to the search path
+        run: echo "${{ runner.tool_cache }}/cargo-vet/bin" >> $GITHUB_PATH
+      - name: Ensure that the tool cache is populated with the cargo-vet binary
+        run: cargo install --root ${{ runner.tool_cache }}/cargo-vet --version ${{ env.CARGO_VET_VERSION }} cargo-vet
+      - name: Invoke cargo-vet
+        run: cargo vet --locked
diff --git a/supply-chain/audits.toml b/supply-chain/audits.toml
new file mode 100644
index 00000000000..ff02203fda2
--- /dev/null
+++ b/supply-chain/audits.toml
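Review bot: The cache step uses `actions/cache@v2` while checkout is already at `@v4`; v2 is a deprecated action, and for a workflow whose entire purpose is supply-chain vetting neither action is pinned to a commit SHA, so a moved tag would be trusted silently. I would at least bump it (`- uses: actions/cache@v3`) and, ideally, pin both actions by full commit SHA with the tag in a trailing comment. The install step should also pass `--locked`, i.e. `run: cargo install --locked --root ${{ runner.tool_cache }}/cargo-vet --version ${{ env.CARGO_VET_VERSION }} cargo-vet`, so the vetting tool is built from its published Cargo.lock rather than freshly resolved dependencies — cargo-vet itself is the one crates.io install here that nothing vets. The cache key is derived only from CARGO_VET_VERSION, so a cached binary survives a change of the `rust:1.71.1` container; that is harmless for a prebuilt binary but worth a comment next to `key:` so nobody expects a toolchain bump to rebuild it.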
@@ -0,0 +1,283 @@ + +# cargo-vet audits file + +[audits] + +[[trusted.aho-corasick]] +criteria = "safe-to-deploy" +user-id = 189 # Andrew Gallant (BurntSushi) +start = "2019-03-28" +end = "2024-10-10" +notes = "Rust Project member" + +[[trusted.anyhow]] +criteria = "safe-to-deploy" +user-id = 3618 # David Tolnay (dtolnay) +start = "2019-10-05" +end = "2024-10-10" +notes = "Rust Project member" + +[[trusted.buffered-reader]] +criteria = "safe-to-deploy" +user-id = 33886 # Neal H. Walfield (nwalfield) +start = "2023-01-06" +end = "2024-10-10" +notes = "Sequoia developer" + +[[trusted.bzip2]] +criteria = "safe-to-deploy" +user-id = 1 # Alex Crichton (alexcrichton) +start = "2020-07-06" +end = "2024-10-10" +notes = "Rust Project member" + +[[trusted.bzip2-sys]] +criteria = "safe-to-deploy" +user-id = 1 # Alex Crichton (alexcrichton) +start = "2020-02-24" +end = "2024-10-10" +notes = "Rust Project member" + +[[trusted.cc]] +criteria = "safe-to-deploy" +user-id = 1 # Alex Crichton (alexcrichton) +start = "2019-03-01" +end = "2024-10-10" +notes = "Rust Project member" + +[[trusted.dyn-clone]] +criteria = "safe-to-deploy" +user-id = 3618 # David Tolnay (dtolnay) +start = "2019-12-23" +end = "2024-10-10" +notes = "Rust Project member" + +[[trusted.either]] +criteria = "safe-to-deploy" +user-id = 539 # Josh Stone (cuviper) +start = "2019-04-02" +end = "2024-10-10" + +[[trusted.equivalent]] +criteria = "safe-to-deploy" +user-id = 539 # Josh Stone (cuviper) +start = "2023-02-05" +end = "2024-10-10" +notes = "Rust Project member" + +[[trusted.errno]] +criteria = "safe-to-deploy" +user-id = 6825 # Dan Gohman (sunfishcode) +start = "2023-08-29" +end = "2024-10-10" +notes = "Rust Project member" + +[[trusted.flate2]] +criteria = "safe-to-deploy" +user-id = 1 # Alex Crichton (alexcrichton) +start = "2019-03-14" +end = "2024-10-10" +notes = "Rust Project member" + +[[trusted.hashbrown]] +criteria = "safe-to-deploy" +user-id = 2915 # Amanieu d'Antras (Amanieu) +start = "2019-04-02" 
+end = "2024-10-10" +notes = "Rust Project member" + +[[trusted.indexmap]] +criteria = "safe-to-deploy" +user-id = 539 # Josh Stone (cuviper) +start = "2020-01-15" +end = "2024-10-10" +notes = "Rust Project member" + +[[trusted.indoc]] +criteria = "safe-to-deploy" +user-id = 3618 # David Tolnay (dtolnay) +start = "2019-04-28" +end = "2024-10-10" +notes = "Rust Project member" + +[[trusted.is-terminal]] +criteria = "safe-to-deploy" +user-id = 6825 # Dan Gohman (sunfishcode) +start = "2022-01-22" +end = "2024-10-10" +notes = "Rust Project member" + +[[trusted.libc]] +criteria = "safe-to-deploy" +user-id = 1 # Alex Crichton (alexcrichton) +start = "2019-03-29" +end = "2024-10-10" +notes = "Rust Project member" + +[[trusted.libc]] +criteria = "safe-to-deploy" +user-id = 2915 # Amanieu d'Antras (Amanieu) +start = "2021-01-27" +end = "2024-10-10" +notes = "Rust Project member" + +[[trusted.linux-raw-sys]] +criteria = "safe-to-deploy" +user-id = 6825 # Dan Gohman (sunfishcode) +start = "2021-06-12" +end = "2024-10-10" +notes = "Rust Project member" + +[[trusted.lock_api]] +criteria = "safe-to-deploy" +user-id = 2915 # Amanieu d'Antras (Amanieu) +start = "2019-05-04" +end = "2024-10-10" +notes = "Rust Project member" + +[[trusted.memchr]] +criteria = "safe-to-deploy" +user-id = 189 # Andrew Gallant (BurntSushi) +start = "2019-07-07" +end = "2024-10-10" +notes = "Rust Project member" + +[[trusted.num-traits]] +criteria = "safe-to-deploy" +user-id = 539 # Josh Stone (cuviper) +start = "2019-05-20" +end = "2024-10-10" +notes = "Rust Project member" + +[[trusted.parking_lot]] +criteria = "safe-to-deploy" +user-id = 2915 # Amanieu d'Antras (Amanieu) +start = "2019-05-04" +end = "2024-10-10" +notes = "Rust Project member" + +[[trusted.parking_lot_core]] +criteria = "safe-to-deploy" +user-id = 2915 # Amanieu d'Antras (Amanieu) +start = "2019-05-04" +end = "2024-10-10" +notes = "Rust Project member" + +[[trusted.proc-macro2]] +criteria = "safe-to-deploy" +user-id = 3618 # David 
Tolnay (dtolnay) +start = "2019-04-23" +end = "2024-10-10" +notes = "Rust Project member" + +[[trusted.quote]] +criteria = "safe-to-deploy" +user-id = 3618 # David Tolnay (dtolnay) +start = "2019-04-09" +end = "2024-10-10" +notes = "Rust Project member" + +[[trusted.regex]] +criteria = "safe-to-deploy" +user-id = 189 # Andrew Gallant (BurntSushi) +start = "2019-02-27" +end = "2024-10-10" +notes = "Rust Project member" + +[[trusted.regex-automata]] +criteria = "safe-to-deploy" +user-id = 189 # Andrew Gallant (BurntSushi) +start = "2019-02-25" +end = "2024-10-10" +notes = "Rust Project member" + +[[trusted.regex-syntax]] +criteria = "safe-to-deploy" +user-id = 189 # Andrew Gallant (BurntSushi) +start = "2019-03-30" +end = "2024-10-10" +notes = "Rust Project member" + +[[trusted.rustix]] +criteria = "safe-to-deploy" +user-id = 6825 # Dan Gohman (sunfishcode) +start = "2021-10-29" +end = "2024-10-10" +notes = "Rust Project member" + +[[trusted.rustversion]] +criteria = "safe-to-deploy" +user-id = 3618 # David Tolnay (dtolnay) +start = "2019-07-08" +end = "2024-10-10" +notes = "Rust Project member" + +[[trusted.scopeguard]] +criteria = "safe-to-deploy" +user-id = 2915 # Amanieu d'Antras (Amanieu) +start = "2020-02-16" +end = "2024-10-10" +notes = "Rust Project member" + +[[trusted.sequoia-openpgp]] +criteria = "safe-to-deploy" +user-id = 33886 # Neal H. Walfield (nwalfield) +start = "2022-11-18" +end = "2024-10-10" +notes = "Sequoia developer" + +[[trusted.sha1collisiondetection]] +criteria = "safe-to-deploy" +user-id = 33886 # Neal H. 
Walfield (nwalfield) +start = "2022-08-28" +end = "2024-10-10" +notes = "Sequoia developer" + +[[trusted.sha1collisiondetection]] +criteria = "safe-to-deploy" +user-id = 14969 # Wiktor Kwapisiewicz (wiktor-k) +start = "2023-05-05" +end = "2024-10-10" +notes = "Sequoia developer" + +[[trusted.syn]] +criteria = "safe-to-deploy" +user-id = 3618 # David Tolnay (dtolnay) +start = "2019-03-01" +end = "2024-10-10" +notes = "Rust Project member" + +[[trusted.target-lexicon]] +criteria = "safe-to-deploy" +user-id = 6825 # Dan Gohman (sunfishcode) +start = "2019-03-06" +end = "2024-10-10" +notes = "Rust Project member" + +[[trusted.thiserror]] +criteria = "safe-to-deploy" +user-id = 3618 # David Tolnay (dtolnay) +start = "2019-10-09" +end = "2024-10-10" +notes = "Rust Project member" + +[[trusted.thiserror-impl]] +criteria = "safe-to-deploy" +user-id = 3618 # David Tolnay (dtolnay) +start = "2019-10-09" +end = "2024-10-10" +notes = "Rust Project member" + +[[trusted.unicode-ident]] +criteria = "safe-to-deploy" +user-id = 3618 # David Tolnay (dtolnay) +start = "2021-10-02" +end = "2024-10-10" +notes = "Rust Project member" + +[[trusted.unindent]] +criteria = "safe-to-deploy" +user-id = 3618 # David Tolnay (dtolnay) +start = "2019-08-17" +end = "2024-10-10" +notes = "Rust Project member" diff --git a/supply-chain/config.toml b/supply-chain/config.toml new file mode 100644 index 00000000000..774933dd55a --- /dev/null +++ b/supply-chain/config.toml 
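Review bot: `[[trusted.either]]` is the only trust entry without a `notes` line, so the justification every other entry records is missing there even though the same user-id 539 carries `notes = "Rust Project member"` on the `equivalent`, `indexmap` and `num-traits` entries; add `notes = "Rust Project member"` for consistency. Every entry ends on `2024-10-10`, which the commit message describes as the re-evaluation reminder; a one-line comment under `# cargo-vet audits file` stating that the shared `end` date is a deliberate trust-review deadline, to be renewed per entry rather than bulk-bumped, would keep that intent from being lost at the first expiry. The two `[[trusted.sha1collisiondetection]]` and two `[[trusted.libc]]` entries for different publishers are fine, but a trailing comment on the second of each saying it is a second publisher rather than an accidental duplicate would save a reader a double-take.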
@@ -0,0 +1,292 @@
+
+# cargo-vet config file
+
+[cargo-vet]
+version = "0.8"
+
+[imports.bytecode-alliance]
+url = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml"
+
+[imports.google]
+url = "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml"
+
+[imports.isrg]
+url = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml"
+
+[imports.mozilla]
+url = "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml"
+
+[imports.zcash]
+url = "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml"
+
+[policy.hermit-abi]
+criteria = []
+notes = "Hermit OS-only"
+
+[policy.js-sys]
+criteria = []
+notes = "WASM-only"
+
+[policy.redox_syscall]
+criteria = []
+notes = "Redox OS-only"
+
+[policy.redox_users]
+criteria = []
+notes = "Redox OS-only"
+
+[policy.wasi]
+criteria = []
+notes = "WASM-only"
+
+[policy.wasm-bindgen]
+criteria = []
+notes = "WASM-only"
+
+[policy.wasm-bindgen-backend]
+criteria = []
+notes = "WASM-only"
+
+[policy.wasm-bindgen-macro]
+criteria = []
+notes = "WASM-only"
+
+[policy.wasm-bindgen-macro-support]
+criteria = []
+notes = "WASM-only"
+
+[policy.wasm-bindgen-shared]
+criteria = []
+notes = "WASM-only"
+
+[policy.winapi]
+criteria = []
+notes = "Windows-only"
+
+[policy.winapi-i686-pc-windows-gnu]
+criteria = []
+notes = "Windows-only"
+
+[policy.winapi-x86_64-pc-windows-gnu]
+criteria = []
+notes = "Windows-only"
+
+[policy.windows-sys]
+criteria = []
+notes = "Windows-only"
+
+[policy.windows-targets]
+criteria = []
+notes = "Windows-only"
+
+[policy.windows_aarch64_gnullvm]
+criteria = []
+notes = "Windows-only"
+
+[policy.windows_aarch64_msvc]
+criteria = []
+notes = "Windows-only"
+
+[policy.windows_i686_gnu]
+criteria = []
+notes = "Windows-only"
+
+[policy.windows_i686_msvc]
+criteria = []
+notes = "Windows-only"
+
+[policy.windows_x86_64_gnu]
+criteria = []
+notes = "Windows-only"
+
+[policy.windows_x86_64_gnullvm] +criteria = [] +notes = "Windows-only" + +[policy.windows_x86_64_msvc] +criteria = [] +notes = "Windows-only" + +[[exemptions.ascii-canvas]] +version = "3.0.0" +criteria = "safe-to-deploy" + +[[exemptions.bitflags]] +version = "2.4.0" +criteria = "safe-to-deploy" + +[[exemptions.cc]] +version = "1.0.83" +criteria = "safe-to-deploy" + +[[exemptions.chrono]] +version = "0.4.31" +criteria = "safe-to-deploy" + +[[exemptions.crc32fast]] +version = "1.3.2" +criteria = "safe-to-deploy" + +[[exemptions.diff]] +version = "0.1.13" +criteria = "safe-to-deploy" + +[[exemptions.digest]] +version = "0.9.0" +criteria = "safe-to-deploy" + +[[exemptions.dirs-next]] +version = "2.0.0" +criteria = "safe-to-deploy" + +[[exemptions.dirs-sys-next]] +version = "0.1.2" +criteria = "safe-to-deploy" + +[[exemptions.ena]] +version = "0.14.2" +criteria = "safe-to-deploy" + +[[exemptions.fastrand]] +version = "2.0.1" +criteria = "safe-to-run" + +[[exemptions.fixedbitset]] +version = "0.4.2" +criteria = "safe-to-deploy" + +[[exemptions.flate2]] +version = "1.0.27" +criteria = "safe-to-deploy" + +[[exemptions.generic-array]] +version = "0.14.7" +criteria = "safe-to-deploy" + +[[exemptions.getrandom]] +version = "0.1.16" +criteria = "safe-to-deploy" + +[[exemptions.getrandom]] +version = "0.2.10" +criteria = "safe-to-deploy" + +[[exemptions.itertools]] +version = "0.10.5" +criteria = "safe-to-deploy" + +[[exemptions.lalrpop]] +version = "0.19.12" +criteria = "safe-to-deploy" + +[[exemptions.lalrpop-util]] +version = "0.19.12" +criteria = "safe-to-deploy" + +[[exemptions.libc]] +version = "0.2.149" +criteria = "safe-to-deploy" + +[[exemptions.memoffset]] +version = "0.8.0" +criteria = "safe-to-deploy" + +[[exemptions.memsec]] +version = "0.6.3" +criteria = "safe-to-deploy" + +[[exemptions.once_cell]] +version = "1.18.0" +criteria = "safe-to-deploy" + +[[exemptions.openssl]] +version = "0.10.57" +criteria = "safe-to-deploy" + +[[exemptions.openssl-sys]] +version = 
"0.9.93" +criteria = "safe-to-deploy" + +[[exemptions.petgraph]] +version = "0.6.4" +criteria = "safe-to-deploy" + +[[exemptions.phf_shared]] +version = "0.10.0" +criteria = "safe-to-deploy" + +[[exemptions.pkg-config]] +version = "0.3.27" +criteria = "safe-to-deploy" + +[[exemptions.ppv-lite86]] +version = "0.2.17" +criteria = "safe-to-deploy" + +[[exemptions.pyo3]] +version = "0.18.3" +criteria = "safe-to-deploy" + +[[exemptions.pyo3-build-config]] +version = "0.18.3" +criteria = "safe-to-deploy" + +[[exemptions.pyo3-ffi]] +version = "0.18.3" +criteria = "safe-to-deploy" + +[[exemptions.pyo3-macros]] +version = "0.18.3" +criteria = "safe-to-deploy" + +[[exemptions.pyo3-macros-backend]] +version = "0.18.3" +criteria = "safe-to-deploy" + +[[exemptions.rand]] +version = "0.7.3" +criteria = "safe-to-deploy" + +[[exemptions.rand_chacha]] +version = "0.2.2" +criteria = "safe-to-deploy" + +[[exemptions.rand_core]] +version = "0.5.1" +criteria = "safe-to-deploy" + +[[exemptions.rand_hc]] +version = "0.2.0" +criteria = "safe-to-deploy" + +[[exemptions.siphasher]] +version = "0.3.11" +criteria = "safe-to-deploy" + +[[exemptions.smallvec]] +version = "1.11.1" +criteria = "safe-to-deploy" + +[[exemptions.string_cache]] +version = "0.8.7" +criteria = "safe-to-deploy" + +[[exemptions.tempfile]] +version = "3.8.0" +criteria = "safe-to-run" + +[[exemptions.term]] +version = "0.7.0" +criteria = "safe-to-deploy" + +[[exemptions.tiny-keccak]] +version = "2.0.2" +criteria = "safe-to-deploy" + +[[exemptions.typenum]] +version = "1.17.0" +criteria = "safe-to-deploy" + +[[exemptions.xxhash-rust]] +version = "0.8.7" +criteria = "safe-to-deploy" diff --git a/supply-chain/imports.lock b/supply-chain/imports.lock new file mode 100644 index 00000000000..bec1f5c449b --- /dev/null +++ b/supply-chain/imports.lock 
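Review bot: The `[[exemptions.cc]]`, `[[exemptions.flate2]]` and `[[exemptions.libc]]` entries exempt versions 1.0.83, 1.0.27 and 0.2.149 even though audits.toml in this same commit lists those three crates under `[[trusted.*]]`, and imports.lock records no `publisher` entry for any of them — presumably the locked versions were not published by the trusted user-ids, so the exemption, not the trust marker, is what admits each of them. Those three exemptions should carry something like `notes = "trust entry did not match the publisher of this version; needs an audit"` (or be removed once an audit lands), otherwise the trust entries give a false sense of coverage. A `criteria = []` policy is not versioned, so each `[policy.*]` stanza admits any version of that crate regardless of whether it ever starts building on the Linux x86_64 target; since the commit message says the list was assembled by hand, a comment above `[policy.hermit-abi]` recording that the list must be re-checked whenever Cargo.lock changes would make that maintenance duty visible. The `[imports.isrg]` URL points at `divviup/libprio-rs` rather than an ISRG-named repository; a one-line comment explaining why that repository is the ISRG audit source would spare the next reader from re-verifying it.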
@@ -0,0 +1,512 @@ + +# cargo-vet imports lock + +[[publisher.aho-corasick]] +version = "1.1.2" +when = "2023-10-09" +user-id = 189 +user-login = "BurntSushi" +user-name = "Andrew Gallant" + +[[publisher.anyhow]] +version = "1.0.75" +when = "2023-08-17" +user-id = 3618 +user-login = "dtolnay" +user-name = "David Tolnay" + +[[publisher.buffered-reader]] +version = "1.2.0" +when = "2023-05-17" +user-id = 33886 +user-login = "nwalfield" +user-name = "Neal H. Walfield" + +[[publisher.bzip2]] +version = "0.4.4" +when = "2023-01-05" +user-id = 1 +user-login = "alexcrichton" +user-name = "Alex Crichton" + +[[publisher.bzip2-sys]] +version = "0.1.11+1.0.8" +when = "2021-06-09" +user-id = 1 +user-login = "alexcrichton" +user-name = "Alex Crichton" + +[[publisher.dyn-clone]] +version = "1.0.14" +when = "2023-09-19" +user-id = 3618 +user-login = "dtolnay" +user-name = "David Tolnay" + +[[publisher.either]] +version = "1.9.0" +when = "2023-07-22" +user-id = 539 +user-login = "cuviper" +user-name = "Josh Stone" + +[[publisher.equivalent]] +version = "1.0.1" +when = "2023-07-10" +user-id = 539 +user-login = "cuviper" +user-name = "Josh Stone" + +[[publisher.errno]] +version = "0.3.5" +when = "2023-10-08" +user-id = 6825 +user-login = "sunfishcode" +user-name = "Dan Gohman" + +[[publisher.hashbrown]] +version = "0.14.1" +when = "2023-09-29" +user-id = 2915 +user-login = "Amanieu" +user-name = "Amanieu d'Antras" + +[[publisher.indexmap]] +version = "2.0.2" +when = "2023-09-29" +user-id = 539 +user-login = "cuviper" +user-name = "Josh Stone" + +[[publisher.indoc]] +version = "1.0.9" +when = "2023-01-29" +user-id = 3618 +user-login = "dtolnay" +user-name = "David Tolnay" + +[[publisher.is-terminal]] +version = "0.4.9" +when = "2023-07-06" +user-id = 6825 +user-login = "sunfishcode" +user-name = "Dan Gohman" + +[[publisher.linux-raw-sys]] +version = "0.4.10" +when = "2023-10-09" +user-id = 6825 +user-login = "sunfishcode" +user-name = "Dan Gohman" + +[[publisher.lock_api]] +version = 
"0.4.10" +when = "2023-06-05" +user-id = 2915 +user-login = "Amanieu" +user-name = "Amanieu d'Antras" + +[[publisher.memchr]] +version = "2.6.4" +when = "2023-10-01" +user-id = 189 +user-login = "BurntSushi" +user-name = "Andrew Gallant" + +[[publisher.num-traits]] +version = "0.2.17" +when = "2023-10-07" +user-id = 539 +user-login = "cuviper" +user-name = "Josh Stone" + +[[publisher.parking_lot]] +version = "0.12.1" +when = "2022-05-31" +user-id = 2915 +user-login = "Amanieu" +user-name = "Amanieu d'Antras" + +[[publisher.parking_lot_core]] +version = "0.9.8" +when = "2023-06-05" +user-id = 2915 +user-login = "Amanieu" +user-name = "Amanieu d'Antras" + +[[publisher.proc-macro2]] +version = "1.0.69" +when = "2023-10-09" +user-id = 3618 +user-login = "dtolnay" +user-name = "David Tolnay" + +[[publisher.quote]] +version = "1.0.33" +when = "2023-08-17" +user-id = 3618 +user-login = "dtolnay" +user-name = "David Tolnay" + +[[publisher.regex]] +version = "1.10.0" +when = "2023-10-09" +user-id = 189 +user-login = "BurntSushi" +user-name = "Andrew Gallant" + +[[publisher.regex-automata]] +version = "0.4.1" +when = "2023-10-09" +user-id = 189 +user-login = "BurntSushi" +user-name = "Andrew Gallant" + +[[publisher.regex-syntax]] +version = "0.6.29" +when = "2023-03-21" +user-id = 189 +user-login = "BurntSushi" +user-name = "Andrew Gallant" + +[[publisher.regex-syntax]] +version = "0.8.0" +when = "2023-10-09" +user-id = 189 +user-login = "BurntSushi" +user-name = "Andrew Gallant" + +[[publisher.rustix]] +version = "0.38.18" +when = "2023-10-09" +user-id = 6825 +user-login = "sunfishcode" +user-name = "Dan Gohman" + +[[publisher.rustversion]] +version = "1.0.14" +when = "2023-07-15" +user-id = 3618 +user-login = "dtolnay" +user-name = "David Tolnay" + +[[publisher.scopeguard]] +version = "1.2.0" +when = "2023-07-17" +user-id = 2915 +user-login = "Amanieu" +user-name = "Amanieu d'Antras" + +[[publisher.sequoia-openpgp]] +version = "1.16.1" +when = "2023-09-26" +user-id = 33886 
+user-login = "nwalfield" +user-name = "Neal H. Walfield" + +[[publisher.sha1collisiondetection]] +version = "0.2.7" +when = "2023-05-05" +user-id = 14969 +user-login = "wiktor-k" +user-name = "Wiktor Kwapisiewicz" + +[[publisher.syn]] +version = "1.0.109" +when = "2023-02-24" +user-id = 3618 +user-login = "dtolnay" +user-name = "David Tolnay" + +[[publisher.syn]] +version = "2.0.38" +when = "2023-10-05" +user-id = 3618 +user-login = "dtolnay" +user-name = "David Tolnay" + +[[publisher.target-lexicon]] +version = "0.12.11" +when = "2023-07-31" +user-id = 6825 +user-login = "sunfishcode" +user-name = "Dan Gohman" + +[[publisher.thiserror]] +version = "1.0.49" +when = "2023-09-27" +user-id = 3618 +user-login = "dtolnay" +user-name = "David Tolnay" + +[[publisher.thiserror-impl]] +version = "1.0.49" +when = "2023-09-27" +user-id = 3618 +user-login = "dtolnay" +user-name = "David Tolnay" + +[[publisher.unicode-ident]] +version = "1.0.12" +when = "2023-09-13" +user-id = 3618 +user-login = "dtolnay" +user-name = "David Tolnay" + +[[publisher.unicode-normalization]] +version = "0.1.22" +when = "2022-09-16" +user-id = 1139 +user-login = "Manishearth" +user-name = "Manish Goregaokar" + +[[publisher.unicode-xid]] +version = "0.2.4" +when = "2022-09-15" +user-id = 1139 +user-login = "Manishearth" +user-name = "Manish Goregaokar" + +[[publisher.unindent]] +version = "0.1.11" +when = "2022-12-17" +user-id = 3618 +user-login = "dtolnay" +user-name = "David Tolnay" + +[[audits.bytecode-alliance.audits.adler]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +version = "1.0.2" +notes = "This is a small crate which forbids unsafe code and is a straightforward implementation of the adler hashing algorithm." + +[[audits.bytecode-alliance.audits.base64]] +who = "Pat Hickey " +criteria = "safe-to-deploy" +version = "0.21.0" +notes = "This crate has no dependencies, no build.rs, and contains no unsafe code." 
+ +[[audits.bytecode-alliance.audits.foreign-types]] +who = "Pat Hickey " +criteria = "safe-to-deploy" +version = "0.3.2" +notes = "This crate defined a macro-rules which creates wrappers working with FFI types. The implementation of this crate appears to be safe, but each use of this macro would need to be vetted for correctness as well." + +[[audits.bytecode-alliance.audits.foreign-types-shared]] +who = "Pat Hickey " +criteria = "safe-to-deploy" +version = "0.1.1" + +[[audits.bytecode-alliance.audits.idna]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +version = "0.3.0" +notes = """ +This is a crate without unsafe code or usage of the standard library. The large +size of this crate comes from the large generated unicode tables file. This +crate is broadly used throughout the ecosystem and does not contain anything +suspicious. +""" + +[[audits.bytecode-alliance.audits.miniz_oxide]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +version = "0.7.1" +notes = """ +This crate is a Rust implementation of zlib compression/decompression and has +been used by default by the Rust standard library for quite some time. It's also +a default dependency of the popular `backtrace` crate for decompressing debug +information. This crate forbids unsafe code and does not otherwise access system +resources. It's originally a port of the `miniz.c` library as well, and given +its own longevity should be relatively hardened against some of the more common +compression-related issues. +""" + +[[audits.bytecode-alliance.audits.tinyvec]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +version = "1.6.0" +notes = """ +This crate, while it implements collections, does so without `std::*` APIs and +without `unsafe`. Skimming the crate everything looks reasonable and what one +would expect from idiomatic safe collections in Rust. 
+""" + +[[audits.bytecode-alliance.audits.tinyvec_macros]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +version = "0.1.0" +notes = """ +This is a trivial crate which only contains a singular macro definition which is +intended to multiplex across the internal representation of a tinyvec, +presumably. This trivially doesn't contain anything bad. +""" + +[[audits.bytecode-alliance.audits.unicode-bidi]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +version = "0.3.8" +notes = """ +This crate has no unsafe code and does not use `std::*`. Skimming the crate it +does not attempt to out of the bounds of what it's already supposed to be doing. +""" + +[[audits.bytecode-alliance.audits.vcpkg]] +who = "Pat Hickey " +criteria = "safe-to-deploy" +version = "0.2.15" +notes = "no build.rs, no macros, no unsafe. It reads the filesystem and makes copies of DLLs into OUT_DIR." + +[[audits.google.audits.cfg-if]] +who = "George Burgess IV " +criteria = "safe-to-deploy" +version = "1.0.0" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.openssl-macros]] +who = "George Burgess IV " +criteria = "safe-to-deploy" +version = "0.1.0" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.openssl-macros]] +who = "George Burgess IV " +criteria = "safe-to-deploy" +delta = "0.1.0 -> 0.1.1" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.version_check]] +who = "George Burgess IV " +criteria = "safe-to-deploy" +version = "0.9.4" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.isrg.audits.base64]] +who = "Tim Geoghegan " +criteria = 
"safe-to-deploy" +delta = "0.21.0 -> 0.21.1" + +[[audits.isrg.audits.base64]] +who = "Brandon Pitman " +criteria = "safe-to-deploy" +delta = "0.21.1 -> 0.21.2" + +[[audits.isrg.audits.base64]] +who = "David Cook " +criteria = "safe-to-deploy" +delta = "0.21.2 -> 0.21.3" + +[[audits.isrg.audits.crunchy]] +who = "David Cook " +criteria = "safe-to-deploy" +version = "0.2.2" + +[[audits.mozilla.wildcard-audits.unicode-normalization]] +who = "Manish Goregaokar " +criteria = "safe-to-deploy" +user-id = 1139 # Manish Goregaokar (Manishearth) +start = "2019-11-06" +end = "2024-05-03" +notes = "All code written or reviewed by Manish" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.wildcard-audits.unicode-xid]] +who = "Manish Goregaokar " +criteria = "safe-to-deploy" +user-id = 1139 # Manish Goregaokar (Manishearth) +start = "2019-07-25" +end = "2024-05-03" +notes = "All code written or reviewed by Manish" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.autocfg]] +who = "Josh Stone " +criteria = "safe-to-deploy" +version = "1.1.0" +notes = "All code written or reviewed by Josh Stone." +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.bit-set]] +who = "Aria Beingessner " +criteria = "safe-to-deploy" +version = "0.5.2" +notes = "Another crate I own via contain-rs that is ancient and maintenance mode, no known issues." 
+aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.bit-set]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.5.2 -> 0.5.3" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.bit-vec]] +who = "Aria Beingessner " +criteria = "safe-to-deploy" +version = "0.6.3" +notes = "Another crate I own via contain-rs that is ancient and in maintenance mode but otherwise perfectly fine." +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.lazy_static]] +who = "Nika Layzell " +criteria = "safe-to-deploy" +version = "1.4.0" +notes = "I have read over the macros, and audited the unsafe code." +aggregated-from = "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml" + +[[audits.mozilla.audits.log]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +version = "0.4.17" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.log]] +who = "Jan-Erik Rediger " +criteria = "safe-to-deploy" +delta = "0.4.17 -> 0.4.18" +notes = "One dependency removed, others updated (which we don't rely on), some APIs (which we don't use) changed." +aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" + +[[audits.mozilla.audits.new_debug_unreachable]] +who = "Bobby Holley " +criteria = "safe-to-deploy" +version = "1.0.4" +notes = "This is a trivial crate." +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.precomputed-hash]] +who = "Bobby Holley " +criteria = "safe-to-deploy" +version = "0.1.1" +notes = "This is a trivial crate." 
+aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.unicode-bidi]] +who = "Makoto Kato " +criteria = "safe-to-deploy" +delta = "0.3.8 -> 0.3.13" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.zcash.audits.base64]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.21.3 -> 0.21.4" +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + +[[audits.zcash.audits.log]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.4.18 -> 0.4.19" +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + +[[audits.zcash.audits.log]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.4.19 -> 0.4.20" +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + +[[audits.zcash.audits.tinyvec_macros]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.1.0 -> 0.1.1" +notes = "Adds `#![forbid(unsafe_code)]` and license files." +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"