diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index acaa482bd1..438d688d0d 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -50,7 +50,7 @@ jobs: name: Cargo vet runs-on: ubuntu-latest env: - CARGO_VET_VERSION: 0.2.0 + CARGO_VET_VERSION: 0.3.0 steps: - uses: actions/checkout@v2 with: diff --git a/supply-chain/audits.toml b/supply-chain/audits.toml index 7612204fcf..7a332897d7 100644 --- a/supply-chain/audits.toml +++ b/supply-chain/audits.toml @@ -56,6 +56,12 @@ criteria = "safe-to-deploy" version = "0.1.21" notes = "I am the author of this crate." +[[audits.system-interface]] +who = "Dan Gohman " +criteria = "safe-to-deploy" +version = "0.22.0" +notes = "The Bytecode Alliance is the author of this crate." + [[audits.wasm-encoder]] who = "Alex Crichton " criteria = "safe-to-deploy" @@ -194,8 +200,3 @@ criteria = "safe-to-deploy" version = "1.0.48" notes = "The Bytecode Alliance is the author of this crate." -[[audits.system-interface]] -who = "Dan Gohman " -criteria = "safe-to-deploy" -version = "0.22.0" -notes = "The Bytecode Alliance is the author of this crate." diff --git a/supply-chain/config.toml b/supply-chain/config.toml index 462ef24f2c..d8c5dbbbc2 100644 --- a/supply-chain/config.toml +++ b/supply-chain/config.toml @@ -1,6 +1,9 @@ # cargo-vet config file +[imports.mozilla] +url = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + [policy.wasi-crypto] audit-as-crates-io = false @@ -79,14 +82,6 @@ criteria = "safe-to-deploy" version = "1.3.3" criteria = "safe-to-deploy" -[[exemptions.bit-set]] -version = "0.5.2" -criteria = "safe-to-deploy" - -[[exemptions.bit-vec]] -version = "0.6.3" -criteria = "safe-to-deploy" - [[exemptions.bitflags]] version = "1.3.2" criteria = "safe-to-deploy" @@ -99,10 +94,6 @@ criteria = "safe-to-deploy" version = "0.2.17" criteria = "safe-to-run" -[[exemptions.bumpalo]] -version = "3.9.1" -criteria = "safe-to-run" - [[exemptions.byteorder]] version = "1.4.3" criteria = "safe-to-deploy" @@ -311,10 +302,6 @@ criteria = "safe-to-deploy" version = "0.3.6" criteria = "safe-to-deploy" -[[exemptions.encoding_rs]] -version = "0.8.31" -criteria = "safe-to-deploy" - [[exemptions.env_logger]] version = "0.7.1" criteria = "safe-to-deploy" @@ -355,14 +342,6 @@ criteria = "safe-to-deploy" version = "0.2.16" criteria = "safe-to-run" -[[exemptions.flagset]] -version = "0.4.3" -criteria = "safe-to-deploy" - -[[exemptions.fnv]] -version = "1.0.7" -criteria = "safe-to-deploy" - [[exemptions.fs-set-times]] version = "0.17.0" criteria = "safe-to-deploy" @@ -371,10 +350,6 @@ criteria = "safe-to-deploy" version = "0.1.8" criteria = "safe-to-deploy" -[[exemptions.fxhash]] -version = "0.2.1" -criteria = "safe-to-deploy" - [[exemptions.generic-array]] version = "0.14.5" criteria = "safe-to-deploy" @@ -543,10 +518,6 @@ criteria = "safe-to-deploy" version = "0.4.7" criteria = "safe-to-deploy" -[[exemptions.log]] -version = "0.4.17" -criteria = "safe-to-deploy" - [[exemptions.mach]] version = "0.3.2" criteria = "safe-to-deploy" diff --git a/supply-chain/imports.lock b/supply-chain/imports.lock index 428c8adae7..ed8df7fbfb 100644 --- a/supply-chain/imports.lock +++ b/supply-chain/imports.lock @@ -1,5 +1,361 @@ # cargo-vet imports lock -[audits] +[[audits.mozilla.audits.anyhow]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.0.57 -> 1.0.61" + +[[audits.mozilla.audits.anyhow]] +who = "Bobby Holley " +criteria = "safe-to-deploy" +delta = "1.0.58 -> 1.0.57" +notes = "No functional differences, just CI config and docs." + +[[audits.mozilla.audits.anyhow]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.0.61 -> 1.0.62" + +[[audits.mozilla.audits.arbitrary]] +who = "Mike Hommey " +criteria = "safe-to-run" +delta = "1.1.0 -> 1.1.1" + +[[audits.mozilla.audits.arbitrary]] +who = "Mike Hommey " +criteria = "safe-to-run" +delta = "1.1.1 -> 1.1.3" + +[[audits.mozilla.audits.async-trait]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.1.56 -> 0.1.57" + +[[audits.mozilla.audits.bit-set]] +who = "Aria Beingessner " +criteria = "safe-to-deploy" +version = "0.5.2" +notes = "Another crate I own via contain-rs that is ancient and maintenance mode, no known issues." + +[[audits.mozilla.audits.bit-set]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.5.2 -> 0.5.3" + +[[audits.mozilla.audits.bit-vec]] +who = "Aria Beingessner " +criteria = "safe-to-deploy" +version = "0.6.3" +notes = "Another crate I own via contain-rs that is ancient and in maintenance mode but otherwise perfectly fine." + +[[audits.mozilla.audits.bumpalo]] +who = "Bobby Holley " +criteria = "safe-to-run" +delta = "3.9.1 -> 3.10.0" +notes = """ +Some nontrivial functional changes but certainly meets the no-malware bar of +safe-to-run. If we needed safe-to-deploy for this in m-c I'd ask Nick to re- +certify this version, but we don't, so this is fine for now. +""" + +[[audits.mozilla.audits.bytes]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.1.0 -> 1.2.1" + +[[audits.mozilla.audits.clap_lex]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.2.0 -> 0.2.2" + +[[audits.mozilla.audits.clap_lex]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.2.2 -> 0.2.4" + +[[audits.mozilla.audits.cpufeatures]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.2.2 -> 0.2.4" + +[[audits.mozilla.audits.crossbeam-channel]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.5.4 -> 0.5.6" + +[[audits.mozilla.audits.crossbeam-deque]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.8.1 -> 0.8.2" + +[[audits.mozilla.audits.crossbeam-epoch]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.9.8 -> 0.9.10" + +[[audits.mozilla.audits.crossbeam-utils]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.8.8 -> 0.8.11" + +[[audits.mozilla.audits.derive_arbitrary]] +who = "Mike Hommey " +criteria = "safe-to-run" +delta = "1.1.0 -> 1.1.1" + +[[audits.mozilla.audits.derive_arbitrary]] +who = "Mike Hommey " +criteria = "safe-to-run" +delta = "1.1.1 -> 1.1.3" + +[[audits.mozilla.audits.either]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.6.1 -> 1.7.0" + +[[audits.mozilla.audits.either]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.7.0 -> 1.8.0" + +[[audits.mozilla.audits.encoding_rs]] +who = "Henri Sivonen " +criteria = "safe-to-deploy" +version = "0.8.31" +notes = "I, Henri Sivonen, wrote encoding_rs for Gecko and have reviewed contributions by others. There are two caveats to the certification: 1) The crate does things that are documented to be UB but that do not appear to actually be UB due to integer types differing from the general rule; https://github.com/hsivonen/encoding_rs/issues/79 . 2) It would be prudent to re-review the code that reinterprets buffers of integers as SIMD vectors; see https://github.com/hsivonen/encoding_rs/issues/87 ." + +[[audits.mozilla.audits.fastrand]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.7.0 -> 1.8.0" + +[[audits.mozilla.audits.flagset]] +who = "Ryan Hunt " +criteria = "safe-to-deploy" +version = "0.4.3" +notes = "Uses no ambient capabilities, vetted the one instance of unsafe." + +[[audits.mozilla.audits.fnv]] +who = "Bobby Holley " +criteria = "safe-to-deploy" +version = "1.0.7" +notes = "Simple hasher implementation with no unsafe code." + +[[audits.mozilla.audits.fxhash]] +who = "Bobby Holley " +criteria = "safe-to-deploy" +version = "0.2.1" +notes = "Straightforward crate with no unsafe code, does what it says on the tin." + +[[audits.mozilla.audits.generic-array]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.14.5 -> 0.14.6" + +[[audits.mozilla.audits.getrandom]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.2.6 -> 0.2.7" + +[[audits.mozilla.audits.hashbrown]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +version = "0.12.3" +notes = "This version is used in rust's libstd, so effectively we're already trusting it" + +[[audits.mozilla.audits.indexmap]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.8.2 -> 1.9.1" + +[[audits.mozilla.audits.itoa]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.0.2 -> 1.0.3" + +[[audits.mozilla.audits.libc]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.2.126 -> 0.2.132" + +[[audits.mozilla.audits.log]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +version = "0.4.17" + +[[audits.mozilla.audits.memmap2]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.5.4 -> 0.5.7" + +[[audits.mozilla.audits.once_cell]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.12.0 -> 1.13.1" + +[[audits.mozilla.audits.os_str_bytes]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "6.1.0 -> 6.3.0" + +[[audits.mozilla.audits.paste]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.0.7 -> 1.0.8" + +[[audits.mozilla.audits.proc-macro2]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.0.39 -> 1.0.43" + +[[audits.mozilla.audits.quote]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.0.18 -> 1.0.21" + +[[audits.mozilla.audits.redox_syscall]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.2.13 -> 0.2.16" + +[[audits.mozilla.audits.regex]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.5.6 -> 1.6.0" + +[[audits.mozilla.audits.regex-syntax]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.6.26 -> 0.6.27" + +[[audits.mozilla.audits.ryu]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.0.10 -> 1.0.11" + +[[audits.mozilla.audits.semver]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.0.9 -> 1.0.10" + +[[audits.mozilla.audits.semver]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.0.10 -> 1.0.13" + +[[audits.mozilla.audits.serde]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.0.137 -> 1.0.143" + +[[audits.mozilla.audits.serde]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.0.143 -> 1.0.144" + +[[audits.mozilla.audits.serde_derive]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.0.137 -> 1.0.143" + +[[audits.mozilla.audits.serde_derive]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.0.143 -> 1.0.144" + +[[audits.mozilla.audits.serde_json]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.0.81 -> 1.0.83" + +[[audits.mozilla.audits.serde_json]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.0.83 -> 1.0.85" + +[[audits.mozilla.audits.smallvec]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.8.0 -> 1.9.0" + +[[audits.mozilla.audits.syn]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.0.96 -> 1.0.99" + +[[audits.mozilla.audits.thiserror]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.0.31 -> 1.0.32" + +[[audits.mozilla.audits.thiserror-impl]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.0.31 -> 1.0.32" + +[[audits.mozilla.audits.tracing]] +who = "Mike Hommey " +criteria = "safe-to-run" +delta = "0.1.35 -> 0.1.36" + +[[audits.mozilla.audits.tracing-attributes]] +who = "Mike Hommey " +criteria = "safe-to-run" +delta = "0.1.21 -> 0.1.22" + +[[audits.mozilla.audits.tracing-core]] +who = "Mike Hommey " +criteria = "safe-to-run" +delta = "0.1.27 -> 0.1.29" + +[[audits.mozilla.audits.wasm-encoder]] +who = "Ryan Hunt " +criteria = "safe-to-deploy" +version = "0.7.0" +notes = "Maintained by the Bytecode Alliance, with contributions from Mozilla. This has no unsafe code and uses no ambient capabilities." + +[[audits.mozilla.audits.wasm-encoder]] +who = "Ryan Hunt " +criteria = "safe-to-deploy" +delta = "0.7.0 -> 0.14.0" +notes = "wasm-encoder has no unsafe code and uses no ambient capabilities." + +[[audits.mozilla.audits.wasm-encoder]] +who = "Yury Delendik " +criteria = "safe-to-deploy" +delta = "0.14.0 -> 0.15.0" + +[[audits.mozilla.audits.wasm-smith]] +who = "Ryan Hunt " +criteria = "safe-to-deploy" +version = "0.11.2" +notes = "Maintained by the Bytecode Alliance, with contributions from Mozilla. I've vetted the one instance of unsafe code." + +[[audits.mozilla.audits.wasm-smith]] +who = "Yury Delendik " +criteria = "safe-to-run" +delta = "0.11.2 -> 0.11.3" + +[[audits.mozilla.audits.wasmparser]] +who = "Ryan Hunt " +criteria = "safe-to-deploy" +version = "0.87.0" +notes = "Maintained by the Bytecode Alliance, with contributions from Mozilla. I've vetted the one instance of unsafe code." + +[[audits.mozilla.audits.wasmparser]] +who = "Yury Delendik " +criteria = "safe-to-deploy" +delta = "0.87.0 -> 0.88.0" + +[[audits.mozilla.audits.wast]] +who = "Ryan Hunt " +criteria = "safe-to-deploy" +version = "44.0.0" +notes = "Maintained by the Bytecode Alliance, with contributions from Mozilla. wast has no unsafe code and the only ambient capability it uses is to read the full contents of a file that is given to it." + +[[audits.mozilla.audits.wast]] +who = "Yury Delendik " +criteria = "safe-to-deploy" +delta = "44.0.0 -> 45.0.0"