From fc45ccc125edb2c11cbc8b32e98c7a80df503121 Mon Sep 17 00:00:00 2001 From: Bobby Holley Date: Tue, 7 Mar 2023 16:24:56 -0800 Subject: [PATCH] Update cargo-vet imports (#5959) * Switch cargo-vet import to Mozilla's aggregated audit set. * Import audits from embark studios. * Import audits from chromeos. * Import audits from ISRG. --- supply-chain/config.toml | 51 +++---------- supply-chain/imports.lock | 146 ++++++++++++++++++++++++++++++++++---- 2 files changed, 144 insertions(+), 53 deletions(-) diff --git a/supply-chain/config.toml b/supply-chain/config.toml index b3f8f6b1ea..e8eb3e2b86 100644 --- a/supply-chain/config.toml +++ b/supply-chain/config.toml @@ -1,8 +1,17 @@ # cargo-vet config file +[imports.chromeos] +url = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/main/cargo-vet/audits.toml?format=TEXT" + +[imports.embark-studios] +url = "https://raw.githubusercontent.com/EmbarkStudios/rust-ecosystem/main/audits.toml" + +[imports.isrg] +url = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" + [imports.mozilla] -url = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" +url = "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml" [policy.isle-fuzz] criteria = "safe-to-run" @@ -54,10 +63,6 @@ criteria = "safe-to-deploy" version = "0.0.1" criteria = "safe-to-deploy" -[[exemptions.anyhow]] -version = "1.0.57" -criteria = "safe-to-deploy" - [[exemptions.async-trait]] version = "0.1.53" criteria = "safe-to-deploy" @@ -78,10 +83,6 @@ criteria = "safe-to-deploy" version = "1.3.2" criteria = "safe-to-deploy" -[[exemptions.block-buffer]] -version = "0.9.0" -criteria = "safe-to-deploy" - [[exemptions.bstr]] version = "0.2.17" criteria = "safe-to-run" 
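Review bot: The three new `[imports.*]` tables and the re-pointed `[imports.mozilla]` URL in the first config.toml hunk all fetch from mutable refs (`main`, `tip`), so the set of auditors this project trusts can grow upstream without any change to config.toml; `imports.lock` records what was actually imported, which makes lock diffs the place where newly trusted audits have to be reviewed each time `cargo vet` regenerates them. A comment above each import naming why the source is trusted and which exemptions it replaced would keep that trust decision auditable later, e.g. `# Mozilla's aggregated audit set (replaces the direct mozilla-central feed); covers either, lazy_static.` Each new source also ships its own criteria (the lock shows chromeos' `crypto-safe`, `does-not-implement-crypto` and `rule-of-two-safe-to-deploy`), and since no mapping to local criteria is configured here only their built-in `safe-to-run`/`safe-to-deploy` certifications contribute, which looks intended but is worth stating in that comment.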
@@ -186,10 +187,6 @@ criteria = "safe-to-deploy" version = "0.8.0" criteria = "safe-to-deploy" -[[exemptions.cty]] -version = "0.2.2" -criteria = "safe-to-run" - [[exemptions.curve25519-dalek]] version = "3.2.0" criteria = "safe-to-deploy" @@ -242,10 +239,6 @@ criteria = "safe-to-deploy" version = "0.6.0" criteria = "safe-to-run" -[[exemptions.either]] -version = "1.6.1" -criteria = "safe-to-deploy" - [[exemptions.elliptic-curve]] version = "0.10.6" criteria = "safe-to-deploy" @@ -390,18 +383,10 @@ criteria = "safe-to-run" version = "0.9.6" criteria = "safe-to-deploy" -[[exemptions.lazy_static]] -version = "1.4.0" -criteria = "safe-to-deploy" - [[exemptions.libc]] version = "0.2.133" criteria = "safe-to-deploy" -[[exemptions.libfuzzer-sys]] -version = "0.4.3" -criteria = "safe-to-run" - [[exemptions.libloading]] version = "0.7.3" criteria = "safe-to-deploy" @@ -438,10 +423,6 @@ criteria = "safe-to-deploy" version = "0.6.5" criteria = "safe-to-deploy" -[[exemptions.miniz_oxide]] -version = "0.5.1" -criteria = "safe-to-run" - [[exemptions.mio]] version = "0.8.2" criteria = "safe-to-deploy" @@ -490,10 +471,6 @@ criteria = "safe-to-deploy" version = "11.1.3" criteria = "safe-to-run" -[[exemptions.opaque-debug]] -version = "0.3.0" -criteria = "safe-to-deploy" - [[exemptions.openvino-finder]] version = "0.4.1" criteria = "safe-to-deploy" @@ -774,10 +751,6 @@ criteria = "safe-to-deploy" version = "1.2.0" criteria = "safe-to-deploy" -[[exemptions.static_assertions]] -version = "1.1.0" -criteria = "safe-to-run" - [[exemptions.strsim]] version = "0.10.0" criteria = "safe-to-deploy" @@ -870,10 +843,6 @@ criteria = "safe-to-deploy" version = "0.2.3" criteria = "safe-to-deploy" -[[exemptions.universal-hash]] -version = "0.4.1" -criteria = "safe-to-deploy" - [[exemptions.uuid]] version = "1.0.0" criteria = "safe-to-deploy" diff --git a/supply-chain/imports.lock b/supply-chain/imports.lock index 71f3733b4b..4f333db009 100644 --- a/supply-chain/imports.lock 
+++ b/supply-chain/imports.lock 
@@ -1,62 +1,166 @@ # cargo-vet imports lock -[[audits.mozilla.audits.anyhow]] -who = "Mike Hommey " -criteria = "safe-to-deploy" -delta = "1.0.57 -> 1.0.61" +[audits.chromeos.criteria.crypto-safe] +description = """ +All crypto algorithms in this crate have been reviewed by a relevant expert. -[[audits.mozilla.audits.anyhow]] -who = "Mike Hommey " +**Note**: If a crate does not implement crypto, use `does-not-implement-crypto`, +which implies `crypto-safe`, but does not require expert review in order to +audit for.""" + +[audits.chromeos.criteria.does-not-implement-crypto] +description = """ +Inspection reveals that the crate in question does not attempt to implement any +cryptographic algorithms on its own. + +Note that certification of this does not require an expert on all forms of +cryptography: it's expected for crates we import to be \"good enough\" citizens, +so they'll at least be forthcoming if they try to implement something +cryptographic. When in doubt, please ask an expert.""" +implies = "crypto-safe" + +[audits.chromeos.criteria.rule-of-two-safe-to-deploy] +description = """ +This is a stronger requirement than the built-in safe-to-deploy criteria, +motivated by Chromium's rule-of-two related requirements: +https://chromium.googlesource.com/chromium/src/+/master/docs/security/rule-of-2.md#unsafe-code-in-safe-languages + +This crate will not introduce a serious security vulnerability to production +software exposed to untrusted input. + +Auditors are not required to perform a full logic review of the entire crate. +Rather, they must review enough to fully reason about the behavior of all unsafe +blocks and usage of powerful imports. For any reasonable usage of the crate in +real-world software, an attacker must not be able to manipulate the runtime +behavior of these sections in an exploitable or surprising way. + +Ideally, ambient capabilities (e.g. 
filesystem access) are hardened against +manipulation and consistent with the advertised behavior of the crate. However, +some discretion is permitted. In such cases, the nature of the discretion should +be recorded in the `notes` field of the audit record. + +Any unsafe code in this crate must, in general, be kept well-contained, and +documentation must exist to describe how Rust's invariants are being upheld +despite the unsafe block(s). Nontrivial uses of unsafe must be reviewed by an +expert in Rust's unsafety guarantees/non-guarantees. + +For crates which generate deployed code (e.g. build dependencies or procedural +macros), reasonable usage of the crate should output code which meets the above +criteria.""" +implies = "safe-to-deploy" + +[[audits.chromeos.audits.libfuzzer-sys]] +who = "ChromeOS" +criteria = ["safe-to-run", "does-not-implement-crypto"] +version = "0.4.4" + +[[audits.chromeos.audits.miniz_oxide]] +who = "George Burgess IV " +criteria = ["safe-to-run", "does-not-implement-crypto"] +version = "0.6.2" + +[[audits.chromeos.audits.static_assertions]] +who = "ChromeOS" +criteria = ["safe-to-run", "does-not-implement-crypto"] +version = "1.1.0" + +[[audits.embark-studios.audits.anyhow]] +who = "Johan Andersson " criteria = "safe-to-deploy" -delta = "1.0.61 -> 1.0.62" +version = "1.0.58" + +[[audits.embark-studios.audits.anyhow]] +who = "Johan Andersson " +criteria = "safe-to-deploy" +delta = "1.0.58 -> 1.0.66" +notes = "New unsafe usage, looks sane. 
Expert maintainer" + +[[audits.embark-studios.audits.cty]] +who = "Johan Andersson " +criteria = "safe-to-deploy" +version = "0.2.2" +notes = "Inspected it and is a tiny crate with just type definitions" + +[[audits.isrg.audits.block-buffer]] +who = "David Cook " +criteria = "safe-to-deploy" +version = "0.9.0" + +[[audits.isrg.audits.opaque-debug]] +who = "David Cook " +criteria = "safe-to-deploy" +version = "0.3.0" + +[[audits.isrg.audits.universal-hash]] +who = "David Cook " +criteria = "safe-to-deploy" +version = "0.4.1" [[audits.mozilla.audits.autocfg]] who = "Josh Stone " criteria = "safe-to-deploy" version = "1.1.0" notes = "All code written or reviewed by Josh Stone." +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.bit-set]] who = "Aria Beingessner " criteria = "safe-to-deploy" version = "0.5.2" notes = "Another crate I own via contain-rs that is ancient and maintenance mode, no known issues." +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.bit-vec]] who = "Aria Beingessner " criteria = "safe-to-deploy" version = "0.6.3" notes = "Another crate I own via contain-rs that is ancient and in maintenance mode but otherwise perfectly fine." +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.crypto-common]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "0.1.3 -> 0.1.6" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.either]] +who = "Nika Layzell " +criteria = "safe-to-deploy" +version = "1.6.1" +notes = """ +Straightforward crate providing the Either enum and trait implementations with +no unsafe code. 
+""" +aggregated-from = "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml" [[audits.mozilla.audits.encoding_rs]] who = "Henri Sivonen " criteria = "safe-to-deploy" version = "0.8.31" notes = "I, Henri Sivonen, wrote encoding_rs for Gecko and have reviewed contributions by others. There are two caveats to the certification: 1) The crate does things that are documented to be UB but that do not appear to actually be UB due to integer types differing from the general rule; https://github.com/hsivonen/encoding_rs/issues/79 . 2) It would be prudent to re-review the code that reinterprets buffers of integers as SIMD vectors; see https://github.com/hsivonen/encoding_rs/issues/87 ." +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.flagset]] who = "Ryan Hunt " criteria = "safe-to-deploy" version = "0.4.3" notes = "Uses no ambient capabilities, vetted the one instance of unsafe." +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.fnv]] who = "Bobby Holley " criteria = "safe-to-deploy" version = "1.0.7" notes = "Simple hasher implementation with no unsafe code." +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.fxhash]] who = "Bobby Holley " criteria = "safe-to-deploy" version = "0.2.1" notes = "Straightforward crate with no unsafe code, does what it says on the tin." +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.half]] who = "John M. Schanck " 
@@ -67,70 +171,84 @@ This crate contains unsafe code for bitwise casts to/from binary16 floating-poin format. I've reviewed these and found no issues. There are no uses of ambient capabilities. """ +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.hashbrown]] who = "Mike Hommey " criteria = "safe-to-deploy" version = "0.12.3" notes = "This version is used in rust's libstd, so effectively we're already trusting it" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.hermit-abi]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "0.1.19 -> 0.2.6" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.lazy_static]] +who = "Nika Layzell " +criteria = "safe-to-deploy" +version = "1.4.0" +notes = "I have read over the macros, and audited the unsafe code." +aggregated-from = "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml" [[audits.mozilla.audits.log]] who = "Mike Hommey " criteria = "safe-to-deploy" version = "0.4.17" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.memoffset]] who = "Gabriele Svelto " criteria = "safe-to-deploy" delta = "0.6.5 -> 0.7.1" - -[[audits.mozilla.audits.miniz_oxide]] -who = "Mike Hommey " -criteria = "safe-to-deploy" -delta = "0.5.3 -> 0.6.2" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.num-integer]] who = "Josh Stone " criteria = "safe-to-deploy" version = "0.1.45" notes = "All code written or reviewed by Josh Stone." 
+aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.num-iter]] who = "Josh Stone " criteria = "safe-to-deploy" version = "0.1.43" notes = "All code written or reviewed by Josh Stone." +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.num-traits]] who = "Josh Stone " criteria = "safe-to-deploy" version = "0.2.15" notes = "All code written or reviewed by Josh Stone." +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.num_cpus]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "1.13.1 -> 1.14.0" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.num_cpus]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "1.14.0 -> 1.15.0" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.once_cell]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "1.12.0 -> 1.13.1" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.once_cell]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "1.13.1 -> 1.16.0" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.quote]] who = "Nika Layzell " @@ -146,6 +264,7 @@ This crate contains no unsafe code, and the internal logic, while difficult to read, is generally straightforward. I have audited the the quote macros, ident formatter, and runtime logic. """ +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.synstructure]] who = "Nika Layzell " 
@@ -156,14 +275,17 @@ I am the primary author of the `synstructure` crate, and its current maintainer. The one use of `unsafe` is unnecessary, but documented and harmless. It will be removed in the next version. """ +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.unicode-normalization]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "0.1.19 -> 0.1.20" notes = "I am the author of most of these changes upstream, and prepared the release myself, at which point I looked at the other changes since 0.1.19." +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.unicode-normalization]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "0.1.20 -> 0.1.21" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"