The `ring` crate needed to be exempted: it contains a large quantity of asm and native binary implementations of crypto primitives. It is a major undertaking to certify the safety of those implementations. ring also pulled in the wasm-bindgen family of crates for its wasm32-unknown-unknown target, which this project will not be using. Because we don't care about that platform, I added exemptions for all of these crates, so we don't have to audit them. The actual supply chain audits for rusttls, rustls-webpki, sct, and tokio-rustls were unremarkable. I also audited a small diff on wasm-bindgen-shared because it was trivial.
This commit is contained in:
Pat Hickey
@@ -426,6 +426,11 @@ criteria = "safe-to-deploy"
|
||||
version = "0.1.24"
|
||||
criteria = "safe-to-deploy"
|
||||
|
||||
[[exemptions.js-sys]]
|
||||
version = "0.3.57"
|
||||
criteria = "safe-to-deploy"
|
||||
notes = "dependency of ring for wasm32 browser platform, which our project does not target"
|
||||
|
||||
[[exemptions.js-sys]]
|
||||
version = "0.3.57"
|
||||
criteria = "safe-to-run"
|
||||
@@ -733,6 +738,11 @@ criteria = "safe-to-deploy"
|
||||
version = "0.5.3"
|
||||
criteria = "safe-to-deploy"
|
||||
|
||||
[[exemptions.ring]]
|
||||
version = "0.16.20"
|
||||
criteria = "safe-to-deploy"
|
||||
notes = "contains assembly language and object file implementations of crypto primitives for a very large number of platforms"
|
||||
|
||||
[[exemptions.rsa]]
|
||||
version = "0.5.0"
|
||||
criteria = "safe-to-deploy"
|
||||
@@ -961,25 +971,46 @@ criteria = "safe-to-deploy"
|
||||
version = "0.11.0+wasi-snapshot-preview1"
|
||||
criteria = "safe-to-deploy"
|
||||
|
||||
[[exemptions.wasm-bindgen]]
|
||||
version = "0.2.80"
|
||||
criteria = "safe-to-deploy"
|
||||
notes = "dependency of ring for wasm32 browser platform, which our project does not target"
|
||||
|
||||
[[exemptions.wasm-bindgen]]
|
||||
version = "0.2.80"
|
||||
criteria = "safe-to-run"
|
||||
|
||||
[[exemptions.wasm-bindgen-backend]]
|
||||
version = "0.2.80"
|
||||
criteria = "safe-to-deploy"
|
||||
notes = "dependency of ring for wasm32 browser platform, which our project does not target"
|
||||
|
||||
[[exemptions.wasm-bindgen-backend]]
|
||||
version = "0.2.80"
|
||||
criteria = "safe-to-run"
|
||||
|
||||
[[exemptions.wasm-bindgen-macro]]
|
||||
version = "0.2.80"
|
||||
criteria = "safe-to-deploy"
|
||||
notes = "dependency of ring for wasm32 browser platform, which our project does not target"
|
||||
|
||||
[[exemptions.wasm-bindgen-macro]]
|
||||
version = "0.2.80"
|
||||
criteria = "safe-to-run"
|
||||
|
||||
[[exemptions.wasm-bindgen-macro-support]]
|
||||
version = "0.2.80"
|
||||
criteria = "safe-to-deploy"
|
||||
notes = "dependency of ring for wasm32 browser platform, which our project does not target"
|
||||
|
||||
[[exemptions.wasm-bindgen-macro-support]]
|
||||
version = "0.2.80"
|
||||
criteria = "safe-to-run"
|
||||
|
||||
[[exemptions.wasm-bindgen-shared]]
|
||||
version = "0.2.80"
|
||||
criteria = "safe-to-run"
|
||||
[[exemptions.web-sys]]
|
||||
version = "0.3.57"
|
||||
criteria = "safe-to-deploy"
|
||||
notes = "dependency of ring for wasm32 browser platform, which our project does not target"
|
||||
|
||||
[[exemptions.web-sys]]
|
||||
version = "0.3.57"
|
||||
|
||||
Reference in New Issue
Block a user