diff options
Diffstat (limited to 'supply-chain/config.toml')
-rw-r--r-- | supply-chain/config.toml | 824 |
1 files changed, 824 insertions, 0 deletions
diff --git a/supply-chain/config.toml b/supply-chain/config.toml new file mode 100644 index 0000000000..9c863175c4 --- /dev/null +++ b/supply-chain/config.toml @@ -0,0 +1,824 @@ + +# cargo-vet config file + +[cargo-vet] +version = "0.9" + +[imports.bytecode-alliance] +url = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml" + +[imports.embark-studios] +url = "https://raw.githubusercontent.com/EmbarkStudios/rust-ecosystem/main/audits.toml" + +[imports.google] +url = "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml" + +[imports.isrg] +url = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml" + +[imports.mozilla] +url = "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml" + +[policy.autocfg] +audit-as-crates-io = true +notes = "This is the upstream code plus a few local fixes, see bug 1685697." + +[policy.chardetng] +audit-as-crates-io = true +notes = "This is a crate Henri wrote which is also published. We should probably update Firefox to tip and certify that." + +[policy.chardetng_c] +audit-as-crates-io = true +notes = "This is a crate Henri wrote which is also published. We should probably update Firefox to tip and certify that." + +[policy.coremidi] +audit-as-crates-io = true +notes = "This is a pinned version of the upstream code, presumably to get a fix that hadn't been released yet. We should consider switching to the latest official release." + +[policy.cose] +audit-as-crates-io = true +notes = "This is upstream plus a warning fix from bug 1823866." + +[policy.cssparser] +audit-as-crates-io = true +notes = "Upstream release plus a couple unpublished changes" + +[policy.cssparser-macros] +audit-as-crates-io = true +notes = "Upstream release plus a couple unpublished changes" + +[policy.d3d12] +audit-as-crates-io = true +notes = "Part of the wgpu repository, pinned as the rest of wgpu crates." + +[policy.firefox-on-glean] +audit-as-crates-io = false +notes = "The crates.io version of this is just a placeholder to allow public crates to depend on firefox-on-glean." + +[policy.geckodriver] +audit-as-crates-io = false +criteria = "safe-to-run" +notes = "This is a first-party crate which is also published to crates.io. We certify audits for this crate as part of the documented release process, but that step happens after the version bump lands on central so we don't enforce it here. It's also used only for automation, so its subtree can be safe-to-run." + +[policy.gkrust-gtest] +criteria = "safe-to-run" +notes = "Used for testing." + +[policy.gkrust-shared] +dependency-criteria = { tokio-reactor = [], tokio-threadpool = [] } +notes = "The dependencies on tokio-reactor and tokio-threadpools are just a hack to pin the version used by audioipc-{client,server}. Suppress vetting on those for the same reasons behind the policy entries." + +[policy.gluesmith] +criteria = "safe-to-run" +notes = "Used for fuzzing." + +[policy.http3server] +criteria = "safe-to-run" +notes = "Used for testing." + +[policy.icu_capi] +audit-as-crates-io = true +notes = "Patched version of upstream" + +[policy.icu_segmenter_data] +audit-as-crates-io = true +notes = "Patched version of upstream" + +[policy.l10nregistry] +dependency-criteria = { fluent-testing = "safe-to-run", tokio = "safe-to-run" } +notes = "This crate has two testing-only dependencies which are specified as regular-but-optional rather than a dev-dependencies, because they need to be available to both benchmarks and integration tests." + +[policy.libudev-sys] +audit-as-crates-io = false +notes = "This override is an api-compatible fork with an orthogonal implementation." + +[policy.malloc_size_of_derive] +audit-as-crates-io = false +notes = "This was originally servo code which Bobby Holley put on crates.io some years ago and that was moved in-tree as first-party code later on." + +[policy.marionette] +audit-as-crates-io = false +notes = "This is a first-party crate which is also published to crates.io. We certify audits for this crate as part of the documented release process, but that step happens after the version bump lands on central so we don't enforce it here." + +[policy.midir] +audit-as-crates-io = true +notes = "This is a pinned version of the upstream code, presumably to get a fix that hadn't been released yet. We should consider switching to the latest official release." + +[policy."mio:0.6.23"] +audit-as-crates-io = true +notes = "Version 0.6.23 is a local fork of upstream which just twiddles some dependencies." + +[policy."mio:0.8.8@git:9a2ef335c366044ffe73b1c4acabe50a1daefe05"] +audit-as-crates-io = true +notes = "This is 0.8.8 + https://github.com/tokio-rs/mio/commit/eea9e3e0c469480e5c59c01e6c3c7e5fd88f0848." + +[policy.mozbuild] +audit-as-crates-io = false +notes = "The crates.io version of this is just a placeholder to allow public crates to depend on mozbuild." + +[policy.mozdevice] +audit-as-crates-io = false +notes = "This is a first-party crate which is also published to crates.io. We certify audits for this crate as part of the documented release process, but that step happens after the version bump lands on central so we don't enforce it here." + +[policy.mozglue-static] +dependency-criteria = { rustc_version = "safe-to-run" } +notes = "The rustc_version dependency is only used in the build script, and does not generate any runtime code" + +[policy.mozilla-central-workspace-hack] +audit-as-crates-io = false +criteria = "safe-to-run" +notes = "This is a first-party crate which is also published to crates.io as a convenience for other in-tree crates that depend on it and are published as well. The dependencies from this crate are dependencies of other crates that will get the right criteria through them, but using safe-to-deploy for this one would be too broad." + +[policy.mozprofile] +audit-as-crates-io = false +notes = "This is a first-party crate which is also published to crates.io. We certify audits for this crate as part of the documented release process, but that step happens after the version bump lands on central so we don't enforce it here." + +[policy.mozrunner] +audit-as-crates-io = false +notes = "This is a first-party crate which is also published to crates.io. We certify audits for this crate as part of the documented release process, but that step happens after the version bump lands on central so we don't enforce it here." + +[policy.mozversion] +audit-as-crates-io = false +notes = "This is a first-party crate which is also published to crates.io. We certify audits for this crate as part of the documented release process, but that step happens after the version bump lands on central so we don't enforce it here." + +[policy.mp4parse] +audit-as-crates-io = false + +[policy.mp4parse_capi] +audit-as-crates-io = false + +[policy.naga] +audit-as-crates-io = true +notes = "Part of the wgpu repository, pinned as the rest of wgpu crates." + +[policy.peek-poke] +audit-as-crates-io = false + +[policy.peek-poke-derive] +audit-as-crates-io = false + +[policy.pulse] +audit-as-crates-io = false +notes = "This is a first-party crate which is entirely unrelated to the crates.io package of the same name." + +[policy.qcms] +audit-as-crates-io = true +notes = "This is a first-party crate which is also published to crates.io, but we should publish audits for it for the benefit of the ecosystem." + +[policy.qlog] +audit-as-crates-io = true +notes = "Use this revision (09ea4b244096a013071cfe2175bbf2945fb7f8d1) of qlog temporarily." + +[policy.rure] +audit-as-crates-io = true +notes = "Identical to upstream, but with cdylib and staticlib targets disabled to avoid unnecessary build artifacts and linker errors." + +[policy.selectors] +audit-as-crates-io = true +notes = "This is a first-party crate which is also published to crates.io, but we should publish audits for it for the benefit of the ecosystem." + +[policy.servo_arc] +audit-as-crates-io = true +notes = "This is a first-party crate which is also published to crates.io, but we should publish audits for it for the benefit of the ecosystem." + +[policy.smoosh] +criteria = "safe-to-run" +notes = "We're not shipping this and have no plans to ship it." + +[policy.storage] +audit-as-crates-io = false +notes = "This is a first-party crate which is entirely unrelated to the crates.io package of the same name." + +[policy.tabs] +audit-as-crates-io = false +notes = "This is a first-party crate, maintained by the appservices team, which is entirely unrelated to the crates.io package of the same name." + +[policy.viaduct] +audit-as-crates-io = false +notes = "This is a first-party crate, maintained by the appservices team, which is entirely unrelated to the crates.io package of the same name." + +[policy.warp] +audit-as-crates-io = true +notes = "This is a third-party crate, with an extra patch." + +[policy.webdriver] +audit-as-crates-io = false +criteria = "safe-to-run" +notes = "This is a first-party crate which is also published to crates.io. We certify audits for this crate as part of the documented release process, but that step happens after the version bump lands on central so we don't enforce it here. It's also used only for automation, so its subtree can be safe-to-run." + +[policy.webrender] +audit-as-crates-io = false + +[policy.webrender_api] +audit-as-crates-io = false + +[policy.webrender_build] +audit-as-crates-io = false + +[policy.wgpu-core] +audit-as-crates-io = true +notes = "Upstream project which we pin." + +[policy.wgpu-hal] +audit-as-crates-io = true +notes = "Upstream project which we pin." + +[policy.wgpu-types] +audit-as-crates-io = true +notes = "Upstream project which we pin." + +[policy.windows] +audit-as-crates-io = true +notes = "Local override of the crates.io crate that uses a non-vendored local copy of the downloaded crate" + +[policy.wr_malloc_size_of] +audit-as-crates-io = false + +[[exemptions.ahash]] +version = "0.7.6" +criteria = "safe-to-deploy" + +[[exemptions.alsa]] +version = "0.4.3" +criteria = "safe-to-deploy" + +[[exemptions.alsa-sys]] +version = "0.3.1" +criteria = "safe-to-deploy" + +[[exemptions.android_log-sys]] +version = "0.2.0" +criteria = "safe-to-deploy" + +[[exemptions.askama_derive]] +version = "0.11.2" +criteria = "safe-to-deploy" + +[[exemptions.askama_escape]] +version = "0.10.3" +criteria = "safe-to-deploy" + +[[exemptions.async-task]] +version = "4.0.3" +criteria = "safe-to-deploy" + +[[exemptions.bincode]] +version = "1.3.3" +criteria = "safe-to-deploy" + +[[exemptions.bitflags]] +version = "1.3.2" +criteria = "safe-to-deploy" + +[[exemptions.bitreader]] +version = "0.3.6" +criteria = "safe-to-deploy" + +[[exemptions.block]] +version = "0.1.6" +criteria = "safe-to-deploy" + +[[exemptions.cache-padded]] +version = "1.2.0" +criteria = "safe-to-deploy" + +[[exemptions.camino]] +version = "1.0.9" +criteria = "safe-to-deploy" + +[[exemptions.chrono]] +version = "0.4.19" +criteria = "safe-to-deploy" + +[[exemptions.chunky-vec]] +version = "0.1.0" +criteria = "safe-to-deploy" + +[[exemptions.clang-sys]] +version = "1.3.3" +criteria = "safe-to-deploy" + +[[exemptions.cookie]] +version = "0.16.0" +criteria = "safe-to-run" + +[[exemptions.coreaudio-sys]] +version = "0.2.10" +criteria = "safe-to-deploy" + +[[exemptions.coremidi]] +version = "0.6.0@git:fc68464b5445caf111e41f643a2e69ccce0b4f83" +criteria = "safe-to-deploy" + +[[exemptions.coremidi-sys]] +version = "3.1.0" +criteria = "safe-to-deploy" + +[[exemptions.cose]] +version = "0.1.4" +criteria = "safe-to-deploy" + +[[exemptions.cose-c]] +version = "0.1.5" +criteria = "safe-to-deploy" + +[[exemptions.cpufeatures]] +version = "0.2.2" +criteria = "safe-to-deploy" + +[[exemptions.crc32fast]] +version = "1.3.2" +criteria = "safe-to-deploy" + +[[exemptions.crossbeam-channel]] +version = "0.5.4" +criteria = "safe-to-deploy" + +[[exemptions.crossbeam-deque]] +version = "0.8.1" +criteria = "safe-to-deploy" + +[[exemptions.crossbeam-epoch]] +version = "0.9.8" +criteria = "safe-to-deploy" + +[[exemptions.crossbeam-utils]] +version = "0.8.8" +criteria = "safe-to-deploy" + +[[exemptions.d3d12]] +version = "0.4.1" +criteria = "safe-to-deploy" + +[[exemptions.darling]] +version = "0.13.4" +criteria = "safe-to-deploy" + +[[exemptions.darling_core]] +version = "0.13.4" +criteria = "safe-to-deploy" + +[[exemptions.darling_macro]] +version = "0.13.4" +criteria = "safe-to-deploy" + +[[exemptions.data-encoding]] +version = "2.3.2" +criteria = "safe-to-deploy" + +[[exemptions.dbus]] +version = "0.6.5" +criteria = "safe-to-deploy" + +[[exemptions.derive_more-impl]] +version = "1.0.0-beta.2" +criteria = "safe-to-deploy" +notes = "The crate is new to version 1.0.x, and derived from older versions of derive_more. The differences against 0.99.17 have been audited, but cargo-vet cannot record this information." + +[[exemptions.devd-rs]] +version = "0.3.4" +criteria = "safe-to-deploy" + +[[exemptions.digest]] +version = "0.10.3" +criteria = "safe-to-deploy" + +[[exemptions.dirs]] +version = "4.0.0" +criteria = "safe-to-deploy" + +[[exemptions.dirs-sys]] +version = "0.3.7" +criteria = "safe-to-deploy" + +[[exemptions.dns-parser]] +version = "0.8.0" +criteria = "safe-to-deploy" + +[[exemptions.enumset]] +version = "1.0.11" +criteria = "safe-to-deploy" + +[[exemptions.enumset_derive]] +version = "0.6.0" +criteria = "safe-to-deploy" + +[[exemptions.env_logger]] +version = "0.9.0" +criteria = "safe-to-deploy" + +[[exemptions.error-chain]] +version = "0.12.4" +criteria = "safe-to-deploy" + +[[exemptions.fallible-iterator]] +version = "0.2.0" +criteria = "safe-to-deploy" + +[[exemptions.fallible-streaming-iterator]] +version = "0.1.9" +criteria = "safe-to-deploy" + +[[exemptions.fallible_collections]] +version = "0.4.4" +criteria = "safe-to-deploy" + +[[exemptions.ffi-support]] +version = "0.4.4" +criteria = "safe-to-deploy" + +[[exemptions.float-cmp]] +version = "0.6.0" +criteria = "safe-to-deploy" + +[[exemptions.fs-err]] +version = "2.7.0" +criteria = "safe-to-deploy" + +[[exemptions.fuchsia-zircon]] +version = "0.3.3" +criteria = "safe-to-run" + +[[exemptions.fuchsia-zircon-sys]] +version = "0.3.3" +criteria = "safe-to-run" + +[[exemptions.futures-macro]] +version = "0.3.21" +criteria = "safe-to-deploy" + +[[exemptions.futures-task]] +version = "0.3.21" +criteria = "safe-to-deploy" + +[[exemptions.futures-util]] +version = "0.3.21" +criteria = "safe-to-deploy" + +[[exemptions.generic-array]] +version = "0.14.5" +criteria = "safe-to-deploy" + +[[exemptions.getrandom]] +version = "0.2.6" +criteria = "safe-to-deploy" + +[[exemptions.gl_generator]] +version = "0.14.0" +criteria = "safe-to-deploy" + +[[exemptions.glsl]] +version = "6.0.1" +criteria = "safe-to-deploy" + +[[exemptions.goblin]] +version = "0.1.3" +criteria = "safe-to-deploy" + +[[exemptions.gpu-alloc]] +version = "0.5.3" +criteria = "safe-to-deploy" + +[[exemptions.gpu-alloc-types]] +version = "0.2.0" +criteria = "safe-to-deploy" + +[[exemptions.gpu-descriptor]] +version = "0.2.2" +criteria = "safe-to-deploy" + +[[exemptions.gpu-descriptor-types]] +version = "0.1.1" +criteria = "safe-to-deploy" + +[[exemptions.hashlink]] +version = "0.7.0" +criteria = "safe-to-deploy" + +[[exemptions.hermit-abi]] +version = "0.1.19" +criteria = "safe-to-deploy" + +[[exemptions.hexf-parse]] +version = "0.2.1" +criteria = "safe-to-deploy" + +[[exemptions.ioctl-sys]] +version = "0.7.1" +criteria = "safe-to-deploy" + +[[exemptions.itertools]] +version = "0.10.3" +criteria = "safe-to-deploy" + +[[exemptions.khronos-egl]] +version = "4.1.0" +criteria = "safe-to-deploy" + +[[exemptions.khronos_api]] +version = "3.1.0" +criteria = "safe-to-deploy" + +[[exemptions.lazycell]] +version = "1.3.0" +criteria = "safe-to-deploy" + +[[exemptions.libdbus-sys]] +version = "0.2.2" +criteria = "safe-to-deploy" + +[[exemptions.libloading]] +version = "0.7.3" +criteria = "safe-to-deploy" + +[[exemptions.libsqlite3-sys]] +version = "0.25.2" +criteria = "safe-to-deploy" +suggest = false +notes = "The in-gecko feature that we enable makes only pre-built bindings used, and none of the embedded C code is built. The build script was audited and is not doing anything besides exposing those bindings" + +[[exemptions.libudev]] +version = "0.2.0" +criteria = "safe-to-deploy" + +[[exemptions.lmdb-rkv-sys]] +version = "0.11.2" +criteria = "safe-to-deploy" +suggest = false +notes = "This crate is forked from another crate and not developed in-house. Given that LMDB-backed RKV is going away, we will probably never bother auditing this" + +[[exemptions.mach]] +version = "0.3.2" +criteria = "safe-to-deploy" + +[[exemptions.memalloc]] +version = "0.1.0" +criteria = "safe-to-deploy" + +[[exemptions.memmap2]] +version = "0.5.4" +criteria = "safe-to-deploy" + +[[exemptions.memoffset]] +version = "0.6.5" +criteria = "safe-to-deploy" + +[[exemptions.midir]] +version = "0.7.0" +criteria = "safe-to-deploy" + +[[exemptions.mime_guess]] +version = "2.0.4" +criteria = "safe-to-deploy" + +[[exemptions.minimal-lexical]] +version = "0.2.1" +criteria = "safe-to-deploy" + +[[exemptions.mio]] +version = "0.8.0" +criteria = "safe-to-deploy" + +[[exemptions.mio-extras]] +version = "2.0.6" +criteria = "safe-to-run" + +[[exemptions.miow]] +version = "0.3.7" +criteria = "safe-to-run" + +[[exemptions.murmurhash3]] +version = "0.0.5" +criteria = "safe-to-deploy" + +[[exemptions.net2]] +version = "0.2.37" +criteria = "safe-to-run" + +[[exemptions.nix]] +version = "0.15.0" +criteria = "safe-to-deploy" + +[[exemptions.nom]] +version = "7.1.1" +criteria = "safe-to-deploy" + +[[exemptions.objc]] +version = "0.2.7" +criteria = "safe-to-deploy" + +[[exemptions.objc_exception]] +version = "0.1.2" +criteria = "safe-to-deploy" + +[[exemptions.object]] +version = "0.28.4" +criteria = "safe-to-deploy" + +[[exemptions.once_cell]] +version = "1.12.0" +criteria = "safe-to-deploy" + +[[exemptions.owning_ref]] +version = "0.4.1" +criteria = "safe-to-deploy" + +[[exemptions.packed_simd]] +version = "0.3.8" +criteria = "safe-to-deploy" + +[[exemptions.phf]] +version = "0.10.1" +criteria = "safe-to-deploy" + +[[exemptions.phf_codegen]] +version = "0.10.0" +criteria = "safe-to-deploy" + +[[exemptions.phf_generator]] +version = "0.10.0" +criteria = "safe-to-deploy" + +[[exemptions.phf_macros]] +version = "0.10.0" +criteria = "safe-to-deploy" + +[[exemptions.phf_shared]] +version = "0.10.0" +criteria = "safe-to-deploy" + +[[exemptions.plain]] +version = "0.2.3" +criteria = "safe-to-deploy" + +[[exemptions.plist]] +version = "1.3.1" +criteria = "safe-to-run" + +[[exemptions.ppv-lite86]] +version = "0.2.16" +criteria = "safe-to-deploy" + +[[exemptions.profiling]] +version = "1.0.6" +criteria = "safe-to-deploy" + +[[exemptions.prost]] +version = "0.8.0" +criteria = "safe-to-deploy" + +[[exemptions.prost-derive]] +version = "0.8.0" +criteria = "safe-to-deploy" + +[[exemptions.quick-error]] +version = "1.2.3" +criteria = "safe-to-deploy" + +[[exemptions.rand]] +version = "0.8.5" +criteria = "safe-to-deploy" + +[[exemptions.remove_dir_all]] +version = "0.5.3" +criteria = "safe-to-deploy" + +[[exemptions.replace_with]] +version = "0.1.7" +criteria = "safe-to-deploy" + +[[exemptions.ringbuf]] +version = "0.2.8" +criteria = "safe-to-deploy" + +[[exemptions.ron]] +version = "0.7.0" +criteria = "safe-to-deploy" + +[[exemptions.runloop]] +version = "0.1.0" +criteria = "safe-to-deploy" + +[[exemptions.rusqlite]] +version = "0.27.0" +criteria = "safe-to-deploy" + +[[exemptions.rust-ini]] +version = "0.10.3" +criteria = "safe-to-deploy" + +[[exemptions.rust_decimal]] +version = "1.24.0" +criteria = "safe-to-deploy" + +[[exemptions.scroll]] +version = "0.10.2" +criteria = "safe-to-deploy" + +[[exemptions.scroll_derive]] +version = "0.10.5" +criteria = "safe-to-deploy" + +[[exemptions.self_cell]] +version = "0.10.2" +criteria = "safe-to-deploy" + +[[exemptions.serde_with]] +version = "1.14.0" +criteria = "safe-to-deploy" + +[[exemptions.serde_with_macros]] +version = "1.5.2" +criteria = "safe-to-deploy" + +[[exemptions.sfv]] +version = "0.9.2" +criteria = "safe-to-deploy" + +[[exemptions.shlex]] +version = "1.1.0" +criteria = "safe-to-deploy" + +[[exemptions.siphasher]] +version = "0.3.10" +criteria = "safe-to-deploy" + +[[exemptions.socket2]] +version = "0.4.4" +criteria = "safe-to-deploy" + +[[exemptions.spirv]] +version = "0.2.0+1.5.4" +criteria = "safe-to-deploy" + +[[exemptions.stable_deref_trait]] +version = "1.2.0" +criteria = "safe-to-deploy" + +[[exemptions.static_assertions]] +version = "1.1.0" +criteria = "safe-to-deploy" + +[[exemptions.strsim]] +version = "0.10.0" +criteria = "safe-to-deploy" + +[[exemptions.tempfile]] +version = "3.3.0" +criteria = "safe-to-deploy" + +[[exemptions.time]] +version = "0.1.44" +criteria = "safe-to-deploy" + +[[exemptions.triple_buffer]] +version = "5.0.6" +criteria = "safe-to-deploy" + +[[exemptions.type-map]] +version = "0.4.0" +criteria = "safe-to-deploy" + +[[exemptions.typenum]] +version = "1.15.0" +criteria = "safe-to-deploy" + +[[exemptions.unix_path]] +version = "1.0.1" +criteria = "safe-to-run" + +[[exemptions.unix_str]] +version = "1.0.0" +criteria = "safe-to-run" + +[[exemptions.uuid]] +version = "0.8.2" +criteria = "safe-to-deploy" + +[[exemptions.webrtc-sdp]] +version = "0.3.9" +criteria = "safe-to-deploy" + +[[exemptions.winapi]] +version = "0.3.9" +criteria = "safe-to-deploy" + +[[exemptions.winapi-i686-pc-windows-gnu]] +version = "0.4.0" +criteria = "safe-to-deploy" + +[[exemptions.winapi-x86_64-pc-windows-gnu]] +version = "0.4.0" +criteria = "safe-to-deploy" + +[[exemptions.wio]] +version = "0.2.2" +criteria = "safe-to-deploy" + +[[exemptions.xml-rs]] +version = "0.8.4" +criteria = "safe-to-deploy" + +[[exemptions.zip]] +version = "0.6.2" +criteria = "safe-to-run" |