From 910d3166d9a09f81a4d81c22769e16440be1a0c3 Mon Sep 17 00:00:00 2001
From: Robin Thunstrom
Date: Wed, 26 Jun 2024 12:51:12 +0200
Subject: [PATCH] Fix cargo vet

---
 supply-chain/config.toml | 48 +-----------
 supply-chain/imports.lock | 159 +++++++++++++++++++++++++++++++++-----
 2 files changed, 143 insertions(+), 64 deletions(-)

diff --git a/supply-chain/config.toml b/supply-chain/config.toml
index 2895b240..2ff0a637 100644
--- a/supply-chain/config.toml
+++ b/supply-chain/config.toml
@@ -31,10 +31,6 @@ url = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-c
 [imports.zcash]
 url = "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml"
 
-[policy.errno-dragonfly]
-criteria = []
-notes = "Not used, unsupported target"
-
 [policy.orbclient]
 criteria = []
 notes = "Not used, Redox OS-only"
@@ -143,10 +139,6 @@ criteria = "safe-to-deploy"
 version = "0.2.0"
 criteria = "safe-to-deploy"
 
-[[exemptions.cast]]
-version = "0.3.0"
-criteria = "safe-to-run"
-
 [[exemptions.cesu8]]
 version = "1.1.0"
 criteria = "safe-to-deploy"
@@ -191,14 +183,6 @@ criteria = "safe-to-deploy"
 version = "2.4.0"
 criteria = "safe-to-deploy"
 
-[[exemptions.core-foundation]]
-version = "0.9.4"
-criteria = "safe-to-deploy"
-
-[[exemptions.core-graphics-types]]
-version = "0.1.3"
-criteria = "safe-to-deploy"
-
 [[exemptions.crc32fast]]
 version = "1.3.2"
 criteria = "safe-to-deploy"
@@ -211,14 +195,6 @@ criteria = "safe-to-run"
 version = "0.5.0"
 criteria = "safe-to-run"
 
-[[exemptions.crossbeam-deque]]
-version = "0.8.5"
-criteria = "safe-to-run"
-
-[[exemptions.crossbeam-epoch]]
-version = "0.9.18"
-criteria = "safe-to-run"
-
 [[exemptions.crossbeam-utils]]
 version = "0.8.8"
 criteria = "safe-to-deploy"
@@ -239,10 +215,6 @@ criteria = "safe-to-deploy"
 version = "0.5.2"
 criteria = "safe-to-deploy"
 
-[[exemptions.downcast-rs]]
-version = "1.2.0"
-criteria = "safe-to-deploy"
-
 [[exemptions.env_logger]]
 version = "0.10.1"
 criteria = "safe-to-deploy"
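Review bot: Removing `[policy.errno-dragonfly]` in the first hunk (`@@ -31,10 +31,6 @@`) withdraws the `criteria = []` waiver, so `cargo vet` now either needs an audit for that crate or needs it to be absent from Cargo.lock, and neither the commit message nor this patch records which. Presumably the crate has left the dependency graph, but a reader of the history cannot tell that from "Fix cargo vet". A sentence in the commit message such as `errno-dragonfly is no longer in Cargo.lock, so its policy waiver is dropped; the removed exemptions are now covered by the imported Firefox, Google and zcash audits` would make the change self-explaining. Every other hunk in this file only narrows trust by dropping exemptions, which is the right direction.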
@@ -363,14 +335,6 @@ criteria = "safe-to-deploy"
 version = "0.11.2"
 criteria = "safe-to-deploy"
 
-[[exemptions.memmap2]]
-version = "0.5.4"
-criteria = "safe-to-deploy"
-
-[[exemptions.memoffset]]
-version = "0.6.5"
-criteria = "safe-to-deploy"
-
 [[exemptions.memoffset]]
 version = "0.9.1"
 criteria = "safe-to-deploy"
@@ -427,6 +391,10 @@ criteria = "safe-to-deploy"
 version = "0.15.10"
 criteria = "safe-to-deploy"
 
+[[exemptions.paste]]
+version = "1.0.15"
+criteria = "safe-to-run"
+
 [[exemptions.pkg-config]]
 version = "0.3.28"
 criteria = "safe-to-deploy"
@@ -455,10 +423,6 @@ criteria = "safe-to-deploy"
 version = "3.0.0"
 criteria = "safe-to-deploy"
 
-[[exemptions.quick-xml]]
-version = "0.30.0"
-criteria = "safe-to-deploy"
-
 [[exemptions.regex-syntax]]
 version = "0.7.2"
 criteria = "safe-to-deploy"
@@ -535,10 +499,6 @@ criteria = "safe-to-deploy"
 version = "0.2.9"
 criteria = "safe-to-deploy"
 
-[[exemptions.tinytemplate]]
-version = "1.2.1"
-criteria = "safe-to-run"
-
 [[exemptions.toml]]
 version = "0.8.8"
 criteria = "safe-to-deploy"
diff --git a/supply-chain/imports.lock b/supply-chain/imports.lock
index 3aa7ce83..634adf2e 100644
--- a/supply-chain/imports.lock
+++ b/supply-chain/imports.lock
@@ -42,6 +42,13 @@ user-id = 6743
 user-login = "epage"
 user-name = "Ed Page"
 
+[[publisher.core-foundation]]
+version = "0.9.3"
+when = "2022-02-07"
+user-id = 5946
+user-login = "jrmuizel"
+user-name = "Jeff Muizelaar"
+
 [[publisher.core-foundation-sys]]
 version = "0.8.4"
 when = "2023-04-03"
@@ -56,6 +63,13 @@ user-id = 5946
 user-login = "jrmuizel"
 user-name = "Jeff Muizelaar"
 
+[[publisher.core-graphics-types]]
+version = "0.1.1"
+when = "2020-09-15"
+user-id = 2396
+user-login = "jdm"
+user-name = "Josh Matthews"
+
 [[publisher.ecolor]]
 version = "0.27.1"
 when = "2024-03-29"
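Review bot: The new `[[exemptions.paste]]` entry in the `@@ -427,6 +391,10 @@` hunk is the only change in this file that widens trust rather than narrowing it: an exemption skips auditing entirely, and unlike the `[policy.*]` entries at the top of the file it carries no `notes` saying why that is acceptable. `paste` is a proc-macro crate, so its code executes on every build host; if, as `criteria = "safe-to-run"` suggests, 1.0.15 is only reached from build or test targets, recording that and what should eventually replace the exemption keeps it reviewable: `notes = "<why this exemption is acceptable and which imported audit is expected to replace it>"`. It is also worth checking whether any of the imported audit sources already cover paste 1.0.15 at safe-to-run, in which case the exemption is unnecessary.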
@@ -620,6 +634,15 @@ who = "Radu Matei "
 criteria = "safe-to-run"
 version = "11.1.3"
 
+[[audits.firefox.wildcard-audits.core-foundation]]
+who = "Bobby Holley "
+criteria = "safe-to-deploy"
+user-id = 5946 # Jeff Muizelaar (jrmuizel)
+start = "2019-03-29"
+end = "2023-05-04"
+renew = false
+notes = "I've reviewed every source contribution that was neither authored nor reviewed by Mozilla."
+
 [[audits.firefox.wildcard-audits.core-foundation-sys]]
 who = "Bobby Holley "
 criteria = "safe-to-deploy"
@@ -638,6 +661,15 @@ end = "2023-05-04"
 renew = false
 notes = "I've reviewed every source contribution that was neither authored nor reviewed by Mozilla."
 
+[[audits.firefox.wildcard-audits.core-graphics-types]]
+who = "Bobby Holley "
+criteria = "safe-to-deploy"
+user-id = 2396 # Josh Matthews (jdm)
+start = "2020-07-20"
+end = "2023-05-04"
+renew = false
+notes = "I've reviewed every source contribution that was neither authored nor reviewed by Mozilla."
+
 [[audits.firefox.wildcard-audits.unicode-segmentation]]
 who = "Manish Goregaokar "
 criteria = "safe-to-deploy"
@@ -667,11 +699,28 @@ who = "Mike Hommey "
 criteria = "safe-to-deploy"
 delta = "1.0.73 -> 1.0.78"
 
+[[audits.firefox.audits.core-foundation]]
+who = "Teodor Tanasoaia "
+criteria = "safe-to-deploy"
+delta = "0.9.3 -> 0.9.4"
+notes = "I've reviewed every source contribution that was neither authored nor reviewed by Mozilla."
+
 [[audits.firefox.audits.core-graphics]]
 who = "Teodor Tanasoaia "
 criteria = "safe-to-deploy"
 delta = "0.22.3 -> 0.23.1"
 
+[[audits.firefox.audits.core-graphics-types]]
+who = "Teodor Tanasoaia "
+criteria = "safe-to-deploy"
+delta = "0.1.1 -> 0.1.2"
+
+[[audits.firefox.audits.core-graphics-types]]
+who = "Teodor Tanasoaia "
+criteria = "safe-to-deploy"
+delta = "0.1.2 -> 0.1.3"
+notes = "I've reviewed every source contribution that was neither authored nor reviewed by Mozilla."
+
 [[audits.firefox.audits.crossbeam-utils]]
 who = "Mike Hommey "
 criteria = "safe-to-deploy"
@@ -758,26 +807,6 @@ not entirely certain is technically sound, but in either case I am reasonably co
 it's not exploitable.
 """
 
-[[audits.firefox.audits.memmap2]]
-who = "Mike Hommey "
-criteria = "safe-to-deploy"
-delta = "0.5.4 -> 0.5.7"
-
-[[audits.firefox.audits.memmap2]]
-who = "Mike Hommey "
-criteria = "safe-to-deploy"
-delta = "0.5.7 -> 0.5.8"
-
-[[audits.firefox.audits.memmap2]]
-who = "Mike Hommey "
-criteria = "safe-to-deploy"
-delta = "0.5.8 -> 0.5.9"
-
-[[audits.firefox.audits.memmap2]]
-who = "Gabriele Svelto "
-criteria = "safe-to-deploy"
-delta = "0.5.9 -> 0.8.0"
-
 [[audits.firefox.audits.memmap2]]
 who = "Mike Hommey "
 criteria = "safe-to-deploy"
@@ -945,6 +974,12 @@ criteria = "safe-to-deploy"
 version = "1.5.0"
 aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
 
+[[audits.google.audits.cast]]
+who = "George Burgess IV "
+criteria = "safe-to-deploy"
+version = "0.3.0"
+aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
+
 [[audits.google.audits.cfg-if]]
 who = "George Burgess IV "
 criteria = "safe-to-deploy"
@@ -980,12 +1015,36 @@ criteria = "safe-to-deploy"
 delta = "0.5.7 -> 0.5.8"
 aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
 
+[[audits.google.audits.crossbeam-deque]]
+who = "George Burgess IV "
+criteria = "safe-to-deploy"
+version = "0.8.3"
+aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
+
+[[audits.google.audits.crossbeam-epoch]]
+who = "George Burgess IV "
+criteria = "safe-to-deploy"
+version = "0.9.14"
+aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
+
+[[audits.google.audits.crossbeam-epoch]]
+who = "George Burgess IV "
+criteria = "safe-to-deploy"
+delta = "0.9.14 -> 0.9.15"
+aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
+
 [[audits.google.audits.dirs-sys-next]]
 who = "George Burgess IV "
 criteria = "safe-to-deploy"
 version = "0.1.2"
 aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
 
+[[audits.google.audits.downcast-rs]]
+who = "George Burgess IV "
+criteria = "safe-to-deploy"
+version = "1.2.0"
+aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
+
 [[audits.google.audits.either]]
 who = "George Burgess IV "
 criteria = "safe-to-deploy"
@@ -1095,6 +1154,18 @@ criteria = "safe-to-deploy"
 delta = "0.4.17 -> 0.4.20"
 aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
 
+[[audits.google.audits.memmap2]]
+who = "Ying Hsu "
+criteria = "safe-to-deploy"
+version = "0.8.0"
+aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
+
+[[audits.google.audits.memoffset]]
+who = "George Burgess IV "
+criteria = "safe-to-deploy"
+version = "0.6.5"
+aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
+
 [[audits.google.audits.miniz_oxide]]
 who = "George Burgess IV "
 criteria = "safe-to-deploy"
@@ -1170,6 +1241,12 @@ delta = "0.2.9 -> 0.2.13"
 notes = "Audited at https://fxrev.dev/946396"
 aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT"
 
+[[audits.google.audits.quick-xml]]
+who = "Matthew DeVore "
+criteria = "safe-to-deploy"
+version = "0.30.0"
+aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
+
 [[audits.google.audits.quote]]
 who = "ChromeOS"
 criteria = "safe-to-deploy"
@@ -1229,6 +1306,12 @@ criteria = "safe-to-deploy"
 delta = "1.4.0 -> 1.4.1"
 aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
 
+[[audits.google.audits.tinytemplate]]
+who = "Ying Hsu "
+criteria = "safe-to-deploy"
+version = "1.2.1"
+aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
+
 [[audits.google.audits.tracing-core]]
 who = "David Koloski "
 criteria = "safe-to-deploy"
@@ -1471,6 +1554,42 @@ changes in the build environment.
 """
 aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
 
+[[audits.zcash.audits.crossbeam-deque]]
+who = "Jack Grigg "
+criteria = "safe-to-deploy"
+delta = "0.8.3 -> 0.8.4"
+aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
+
+[[audits.zcash.audits.crossbeam-deque]]
+who = "Daira-Emma Hopwood "
+criteria = "safe-to-deploy"
+delta = "0.8.4 -> 0.8.5"
+notes = "Changes to `unsafe` code look okay."
+aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
+
+[[audits.zcash.audits.crossbeam-epoch]]
+who = "Jack Grigg "
+criteria = "safe-to-deploy"
+delta = "0.9.15 -> 0.9.16"
+notes = "Moved an `unsafe` block while removing `scopeguard` dependency."
+aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
+
+[[audits.zcash.audits.crossbeam-epoch]]
+who = "Jack Grigg "
+criteria = "safe-to-deploy"
+delta = "0.9.16 -> 0.9.17"
+notes = """
+Changes to `unsafe` code are to replace manual pointer logic with equivalent
+`unsafe` stdlib methods, now that MSRV is high enough to use them.
+"""
+aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
+
+[[audits.zcash.audits.crossbeam-epoch]]
+who = "Daira-Emma Hopwood "
+criteria = "safe-to-deploy"
+delta = "0.9.17 -> 0.9.18"
+aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
+
 [[audits.zcash.audits.errno]]
 who = "Jack Grigg "
 criteria = "safe-to-deploy"