From 4816dbc0d0175e9f839e80dca62399e7f8fea8c4 Mon Sep 17 00:00:00 2001 From: str4d Date: Thu, 26 Sep 2024 14:53:47 +0000 Subject: [PATCH] Update aggregated cargo-vet audits --- supply-chain/audits.toml | 204 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 204 insertions(+) diff --git a/supply-chain/audits.toml b/supply-chain/audits.toml index dfaccf0..4dc70d2 100644 --- a/supply-chain/audits.toml +++ b/supply-chain/audits.toml @@ -83,6 +83,13 @@ criteria = "safe-to-deploy" delta = "0.2.16 -> 0.2.18" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" +[[audits.ambassador]] +who = "Kris Nuttycombe " +criteria = "safe-to-deploy" +version = "0.4.1" +notes = "Crate uses no unsafe code and the macros introduced by this crate generate the expected trait implementations without introducing additional unexpected operations." +aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" + [[audits.anyhow]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" @@ -161,6 +168,19 @@ criteria = "safe-to-deploy" delta = "0.3.6 -> 0.3.7" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" +[[audits.arrayref]] +who = "Daira-Emma Hopwood " +criteria = "safe-to-deploy" +delta = "0.3.6 -> 0.3.8" +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + +[[audits.arrayref]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.3.8 -> 0.3.9" +notes = "Changes to `unsafe` lines are to make some existing `unsafe fn`s `const`." +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + [[audits.async-trait]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" @@ -387,6 +407,12 @@ and appear correct as far as I can see. """ aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" +[[audits.bytes]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "1.7.1 -> 1.7.2" +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + [[audits.cc]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" @@ -411,6 +437,12 @@ I did not review the use of library handles in the `com` package on Windows. """ aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" +[[audits.cc]] +who = "Daira-Emma Hopwood " +criteria = "safe-to-deploy" +delta = "1.1.6 -> 1.1.13" +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + [[audits.chacha20]] who = "Jack Grigg " criteria = ["crypto-reviewed", "safe-to-deploy"] @@ -534,6 +566,12 @@ delta = "0.2.6 -> 0.3.0" notes = "Replaces some `unsafe` code by bumping MSRV to 1.66 (to access `core::hint::black_box`)." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" +[[audits.constant_time_eq]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.3.0 -> 0.3.1" +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + [[audits.cpufeatures]] who = "Jack Grigg " criteria = "safe-to-deploy" @@ -570,6 +608,16 @@ criteria = "safe-to-deploy" delta = "0.2.11 -> 0.2.12" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" +[[audits.cpufeatures]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.2.13 -> 0.2.14" +notes = """ +New `unsafe` block is to call `sysctlbyname` to detect DIT on Apple ARM64, which +is done in the same way as existing target feature checks on that arch. +""" +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + [[audits.crossbeam-channel]] who = "Jack Grigg " criteria = "safe-to-deploy" @@ -845,6 +893,16 @@ notes = """ """ aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" +[[audits.cxx]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "1.0.126 -> 1.0.128" +notes = """ +`unsafe` changes are to copy the `SyncUnsafeCell` type from nightly Rust. It is +used as the ZST `SyncUnsafeCell>` to fix an LLVM miscompilation. +""" +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + [[audits.cxxbridge-flags]] who = "Daira Hopwood " criteria = "safe-to-deploy" @@ -1029,6 +1087,12 @@ delta = "1.0.122 -> 1.0.124" notes = "Only changes to lints." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" +[[audits.cxxbridge-macro]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "1.0.126 -> 1.0.128" +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + [[audits.darling]] who = "Jack Grigg " criteria = "safe-to-deploy" @@ -1232,6 +1296,12 @@ criteria = "safe-to-deploy" delta = "2.0.2 -> 2.1.0" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" +[[audits.fastrand]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "2.1.0 -> 2.1.1" +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + [[audits.ff]] who = "Jack Grigg " criteria = "safe-to-deploy" @@ -1730,6 +1800,12 @@ criteria = "safe-to-deploy" delta = "2.8.0 -> 2.9.0" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" +[[audits.ipnet]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "2.9.0 -> 2.10.0" +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + [[audits.is-terminal]] who = "Daira-Emma Hopwood " criteria = "safe-to-run" @@ -2818,6 +2894,13 @@ be set correctly by `cargo`. """ aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" +[[audits.rustc_version]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.4.0 -> 0.4.1" +notes = "Changes to `Command` usage are to add support for `RUSTC_WRAPPER`." +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + [[audits.rustix]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" @@ -3351,6 +3434,12 @@ delta = "3.5.0 -> 3.6.0" notes = "New `build.rs` file uses `autocfg` crate to conditionally enable new trait impls." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" +[[audits.tempfile]] +who = "Daira-Emma Hopwood " +criteria = "safe-to-run" +delta = "3.5.0 -> 3.12.0" +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + [[audits.tempfile]] who = "Jack Grigg " criteria = "safe-to-deploy" @@ -3844,6 +3933,17 @@ criteria = "safe-to-run" delta = "0.2.1 -> 0.2.2" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" +[[audits.visibility]] +who = "Kris Nuttycombe " +criteria = ["safe-to-deploy", "license-reviewed"] +version = "0.1.1" +notes = """ +- Crate has no unsafe code, and sets `#![forbid(unsafe_code)]`. +- Crate has no powerful imports, and exclusively provides a proc macro + that safely malleates a visibility modifier. +""" +aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" + [[audits.wagyu-zcash-parameters]] who = "Sean Bowe " criteria = ["safe-to-deploy", "crypto-reviewed"] @@ -4040,6 +4140,40 @@ criteria = "safe-to-deploy" delta = "2.5.0 -> 2.5.2" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" +[[audits.zcash_address]] +who = "Kris Nuttycombe " +criteria = "safe-to-deploy" +delta = "0.3.2 -> 0.4.0" +notes = "This release contains no unsafe code and consists soley of added convenience methods." +aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" + +[[audits.zcash_encoding]] +who = "Kris Nuttycombe " +criteria = "safe-to-deploy" +delta = "0.2.0 -> 0.2.1" +notes = "This release adds minor convenience methods and involves no unsafe code." +aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" + +[[audits.zcash_keys]] +who = "Kris Nuttycombe " +criteria = "safe-to-deploy" +delta = "0.2.0 -> 0.3.0" +aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" + +[[audits.zcash_primitives]] +who = "Kris Nuttycombe " +criteria = "safe-to-deploy" +delta = "0.15.1 -> 0.16.0" +notes = "The primary change here is the switch from the `hdwallet` dependency to using `bip32`." +aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" + +[[audits.zcash_proofs]] +who = "Kris Nuttycombe " +criteria = "safe-to-deploy" +delta = "0.15.0 -> 0.16.0" +notes = "This release involves only updates of previously-vetted dependencies." +aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" + [[audits.zerocopy]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" @@ -4242,6 +4376,20 @@ start = "2022-10-19" end = "2025-04-22" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" +[[trusted.orchard]] +criteria = "safe-to-deploy" +user-id = 169181 +start = "2024-08-12" +end = "2025-08-12" +aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" + +[[trusted.orchard]] +criteria = ["safe-to-deploy", "crypto-reviewed", "license-reviewed"] +user-id = 169181 +start = "2024-08-12" +end = "2025-08-12" +aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" + [[trusted.orchard]] criteria = ["safe-to-deploy", "crypto-reviewed", "license-reviewed"] user-id = 6289 @@ -4263,6 +4411,20 @@ start = "2024-01-26" end = "2025-04-22" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" +[[trusted.sapling-crypto]] +criteria = "safe-to-deploy" +user-id = 169181 +start = "2024-08-12" +end = "2025-08-12" +aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" + +[[trusted.sapling-crypto]] +criteria = ["safe-to-deploy", "crypto-reviewed", "license-reviewed"] +user-id = 169181 +start = "2024-08-12" +end = "2025-08-12" +aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" + [[trusted.sapling-crypto]] criteria = ["safe-to-deploy", "crypto-reviewed", "license-reviewed"] user-id = 6289 @@ -4438,6 +4600,13 @@ start = "2021-03-07" end = "2025-04-22" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" +[[trusted.zcash_address]] +criteria = "safe-to-deploy" +user-id = 169181 +start = "2024-08-20" +end = "2025-08-26" +aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" + [[trusted.zcash_address]] criteria = "safe-to-deploy" user-id = 1244 @@ -4452,6 +4621,13 @@ start = "2021-03-07" end = "2025-03-18" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" +[[trusted.zcash_address]] +criteria = "safe-to-deploy" +user-id = 169181 +start = "2024-08-20" +end = "2025-08-26" +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + [[trusted.zcash_client_backend]] criteria = "safe-to-deploy" user-id = 169181 @@ -4550,6 +4726,13 @@ start = "2019-10-08" end = "2025-04-22" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" +[[trusted.zcash_primitives]] +criteria = "safe-to-deploy" +user-id = 169181 +start = "2024-08-20" +end = "2025-08-26" +aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" + [[trusted.zcash_primitives]] criteria = ["safe-to-deploy", "crypto-reviewed", "license-reviewed"] user-id = 6289 @@ -4564,6 +4747,13 @@ start = "2019-10-08" end = "2024-09-21" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" +[[trusted.zcash_primitives]] +criteria = "safe-to-deploy" +user-id = 169181 +start = "2024-08-20" +end = "2025-08-26" +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + [[trusted.zcash_proofs]] criteria = ["safe-to-deploy", "crypto-reviewed", "license-reviewed"] user-id = 6289 @@ -4571,6 +4761,13 @@ start = "2021-03-26" end = "2025-04-22" aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" +[[trusted.zcash_proofs]] +criteria = "safe-to-deploy" +user-id = 169181 +start = "2024-08-20" +end = "2025-08-26" +aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml" + [[trusted.zcash_proofs]] criteria = ["safe-to-deploy", "crypto-reviewed", "license-reviewed"] user-id = 6289 @@ -4578,6 +4775,13 @@ start = "2021-03-26" end = "2024-09-21" aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" +[[trusted.zcash_proofs]] +criteria = "safe-to-deploy" +user-id = 169181 +start = "2024-08-20" +end = "2025-08-26" +aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" + [[trusted.zcash_protocol]] criteria = "safe-to-deploy" user-id = 169181