From bf1aaba06d6a2305aaa8c0b9cb019096b24ccedd Mon Sep 17 00:00:00 2001
From: Pat Hickey
Date: Mon, 3 Apr 2023 15:19:23 -0700
Subject: [PATCH] add supply chain audits for #5929's rustls changes (#6137)
The `ring` crate needed to be exempted: it contains a large quantity of asm and native binary implementations of crypto primitives. It is a major undertaking to certify the safety of those implementations. ring also pulled in the wasm-bindgen family of crates for its wasm32-unknown-unknown target, which this project will not be using. Because we don't care about that platform, I added exemptions for all of these crates, so we don't have to audit them. The actual supply chain audits for rusttls, rustls-webpki, sct, and tokio-rustls were unremarkable. I also audited a small diff on wasm-bindgen-shared because it was trivial.
---
 supply-chain/audits.toml | 33 +++++++++++++++++++++++++++++++++
 supply-chain/config.toml | 37 ++++++++++++++++++++++++++++++++++---
 supply-chain/imports.lock | 16 ++++++++++++++++
 3 files changed, 83 insertions(+), 3 deletions(-)
diff --git a/supply-chain/audits.toml b/supply-chain/audits.toml
index 20d22b719e..5dfa660686 100644
--- a/supply-chain/audits.toml
+++ b/supply-chain/audits.toml
@@ -817,6 +817,23 @@ criteria = "safe-to-deploy"
 delta = "0.36.7 -> 0.36.8"
 notes = "The Bytecode Alliance is the author of this crate."
 
+[[audits.rustls]]
+who = "Pat Hickey "
+criteria = "safe-to-deploy"
+version = "0.21.0"
+notes = "no unsafe code, ambient capabilities only used in tests"
+
+[[audits.rustls-webpki]]
+who = "Pat Hickey "
+criteria = "safe-to-deploy"
+version = "0.100.1"
+
+[[audits.sct]]
+who = "Pat Hickey "
+criteria = "safe-to-deploy"
+version = "0.7.0"
+notes = "no unsafe, no build, no ambient capabilities"
+
 [[audits.semver]]
 who = "Pat Hickey "
 criteria = "safe-to-deploy"
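Review bot: The `[[audits.rustls-webpki]]` entry is the only new full-version audit in this hunk without a `notes` line, while the rustls and sct entries next to it record what was checked (unsafe code, build scripts, ambient capabilities). For the crate that does certificate-chain validation for rustls, certified safe-to-deploy at `version = "0.100.1"`, a one-line record of the review scope is what lets the next maintainer trust or repeat the audit. Suggest adding `notes = "<placeholder: what was inspected, in the same form as the sct entry>"` directly under the version line.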
@@ -901,6 +918,12 @@ criteria = "safe-to-deploy"
 version = "0.3.1"
 notes = "unsafety is used for smuggling std::task::Context as a raw pointer. Lifetime and type safety appears to be taken care of correctly."
 
+[[audits.tokio-rustls]]
+who = "Pat Hickey "
+criteria = "safe-to-deploy"
+version = "0.24.0"
+notes = "no unsafe, no build, no ambient capabilities"
+
 [[audits.tokio-util]]
 who = "Pat Hickey "
 criteria = "safe-to-deploy"
@@ -967,6 +990,11 @@ who = "Pat Hickey "
 criteria = "safe-to-deploy"
 version = "0.3.0"
 
+[[audits.wasm-bindgen-shared]]
+who = "Pat Hickey "
+criteria = "safe-to-deploy"
+delta = "0.2.83 -> 0.2.80"
+
 [[audits.wasm-coredump-builder]]
 who = "Alex Crichton "
 criteria = "safe-to-deploy"
@@ -1602,6 +1630,11 @@ criteria = "safe-to-deploy"
 delta = "1.0.48 -> 1.0.49"
 notes = "The Bytecode Alliance is the author of this crate."
 
+[[audits.webpki-roots]]
+who = "Pat Hickey "
+criteria = "safe-to-deploy"
+delta = "0.22.4 -> 0.23.0"
+
 [[audits.windows-sys]]
 who = "Dan Gohman "
 criteria = "safe-to-deploy"
diff --git a/supply-chain/config.toml b/supply-chain/config.toml
index 9d9bb54c93..9492be5e20 100644
--- a/supply-chain/config.toml
+++ b/supply-chain/config.toml
@@ -426,6 +426,11 @@ criteria = "safe-to-deploy"
 version = "0.1.24"
 criteria = "safe-to-deploy"
 
+[[exemptions.js-sys]]
+version = "0.3.57"
+criteria = "safe-to-deploy"
+notes = "dependency of ring for wasm32 browser platform, which our project does not target"
+
 [[exemptions.js-sys]]
 version = "0.3.57"
 criteria = "safe-to-run"
@@ -733,6 +738,11 @@ criteria = "safe-to-deploy"
 version = "0.5.3"
 criteria = "safe-to-deploy"
 
+[[exemptions.ring]]
+version = "0.16.20"
+criteria = "safe-to-deploy"
+notes = "contains assembly language and object file implementations of crypto primitives for a very large number of platforms"
+
 [[exemptions.rsa]]
 version = "0.5.0"
 criteria = "safe-to-deploy"
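Review bot: The `wasm-bindgen-shared` audit in the `@@ -967` hunk runs backwards, `delta = "0.2.83 -> 0.2.80"`, which a later reader will almost certainly take for a transposed version pair. cargo-vet accepts a reverse delta, and the imports.lock hunk in this same commit pulls in an isrg audit of 0.2.83, so the intended chain is presumably 0.2.83 (imported) down to the 0.2.80 that is actually in the lockfile. A `notes` line that says so, e.g. `notes = "reverse delta from the isrg-audited 0.2.83 down to the 0.2.80 we build; diff is trivial"`, keeps a future cleanup from "correcting" the direction and silently voiding the audit.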
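Review bot: The `webpki-roots` audit in the `@@ -1602` hunk has no `notes`, yet this is the crate that supplies the trust anchors rustls validates against, so `delta = "0.22.4 -> 0.23.0"` is in effect a review of a root-store update. The imported embark-studios audit of 0.22.4 in imports.lock records that the crate contained only data definitions and no runtime code; this delta entry should state whether that still holds and what the data change consists of. Suggest `notes = "<placeholder: e.g. still data-only; root list changes reviewed against the upstream source the crate cites>"` under the delta line.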
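Review bot: The safe-to-run exemption for `js-sys` 0.3.57 that remains directly below the new safe-to-deploy one in the `@@ -426` hunk looks redundant, because cargo-vet's built-in safe-to-deploy criterion implies safe-to-run for the same version. The four wasm-bindgen crates in the `@@ -961` hunk of this file follow the same pattern. `cargo vet prune` should confirm whether those entries can go; if they are kept on purpose, a short `notes` line on the safe-to-run entries would stop the next maintainer from pruning them.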
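Review bot: The `[[exemptions.ring]]` entry in the `@@ -733` hunk is the load-bearing decision of this commit, since every rustls, rustls-webpki and sct audit above rests on ring's primitives, and its note only explains why an in-house audit was not done. Exemptions are per-version, so the next ring bump forces this decision again; recording the intended exit now saves re-deriving it. Suggest extending the note along the lines of `notes = "contains assembly language and object file implementations of crypto primitives for a very large number of platforms; not audited in-house, replace with an imported audit from a trusted peer when one covers this version"`.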
@@ -961,25 +971,46 @@ criteria = "safe-to-deploy"
 version = "0.11.0+wasi-snapshot-preview1"
 criteria = "safe-to-deploy"
 
+[[exemptions.wasm-bindgen]]
+version = "0.2.80"
+criteria = "safe-to-deploy"
+notes = "dependency of ring for wasm32 browser platform, which our project does not target"
+
 [[exemptions.wasm-bindgen]]
 version = "0.2.80"
 criteria = "safe-to-run"
 
+[[exemptions.wasm-bindgen-backend]]
+version = "0.2.80"
+criteria = "safe-to-deploy"
+notes = "dependency of ring for wasm32 browser platform, which our project does not target"
+
 [[exemptions.wasm-bindgen-backend]]
 version = "0.2.80"
 criteria = "safe-to-run"
 
+[[exemptions.wasm-bindgen-macro]]
+version = "0.2.80"
+criteria = "safe-to-deploy"
+notes = "dependency of ring for wasm32 browser platform, which our project does not target"
+
 [[exemptions.wasm-bindgen-macro]]
 version = "0.2.80"
 criteria = "safe-to-run"
 
+[[exemptions.wasm-bindgen-macro-support]]
+version = "0.2.80"
+criteria = "safe-to-deploy"
+notes = "dependency of ring for wasm32 browser platform, which our project does not target"
+
 [[exemptions.wasm-bindgen-macro-support]]
 version = "0.2.80"
 criteria = "safe-to-run"
 
-[[exemptions.wasm-bindgen-shared]]
-version = "0.2.80"
-criteria = "safe-to-run"
+[[exemptions.web-sys]]
+version = "0.3.57"
+criteria = "safe-to-deploy"
+notes = "dependency of ring for wasm32 browser platform, which our project does not target"
 
 [[exemptions.web-sys]]
 version = "0.3.57"
diff --git a/supply-chain/imports.lock b/supply-chain/imports.lock
index 09054c4440..b50fdf6acb 100644
--- a/supply-chain/imports.lock
+++ b/supply-chain/imports.lock
@@ -32,6 +32,12 @@ criteria = "safe-to-deploy"
 version = "0.2.2"
 notes = "Inspected it and is a tiny crate with just type definitions"
 
+[[audits.embark-studios.audits.webpki-roots]]
+who = "Johan Andersson "
+criteria = "safe-to-deploy"
+version = "0.22.4"
+notes = "Inspected it to confirm that it only contains data definitions and no runtime code"
+
 [[audits.google.audits.libfuzzer-sys]]
 who = "ChromeOS"
 criteria = "safe-to-run"
@@ -71,6 +77,16 @@ who = "David Cook "
 criteria = "safe-to-deploy"
 version = "0.4.1"
 
+[[audits.isrg.audits.untrusted]]
+who = "David Cook "
+criteria = "safe-to-deploy"
+version = "0.7.1"
+
+[[audits.isrg.audits.wasm-bindgen-shared]]
+who = "David Cook "
+criteria = "safe-to-deploy"
+version = "0.2.83"
+
 [[audits.mozilla.audits.autocfg]]
 who = "Josh Stone "
 criteria = "safe-to-deploy"