├── .github
    └── workflows
    │   └── aggregate.yml
├── CODE_OF_CONDUCT.md
├── CONTRIBUTING.md
├── LICENSE
├── README.md
├── auditing_standards.md
├── audits.toml
├── manual-sources
    ├── README.md
    └── google3-audits.toml
└── sources.list


/.github/workflows/aggregate.yml:
--------------------------------------------------------------------------------
 1 | name: CI
 2 | on:
 3 |   workflow_dispatch:
 4 |   schedule:
 5 |     # Every hour
 6 |     - cron:  '0 * * * *'
 7 | 
 8 | permissions:
 9 |   contents: write
10 | 
11 | jobs:
12 |   aggregate:
13 |     name: Aggregate Dependencies
14 |     runs-on: ubuntu-latest
15 |     env:
16 |       CARGO_VET_VERSION: 0.4.0
17 |     steps:
18 |     - uses: actions/checkout@master
19 |     - name: Install Rust
20 |       run: rustup update stable && rustup default stable
21 |     - uses: actions/cache@v4
22 |       with:
23 |         path: ${{ runner.tool_cache }}/cargo-vet
24 |         key: cargo-vet-bin-${{ env.CARGO_VET_VERSION }}
25 |     - name: Add the tool cache directory to the search path
26 |       run: echo "${{ runner.tool_cache }}/cargo-vet/bin" >> $GITHUB_PATH
27 |     - name: Ensure that the tool cache is populated with the cargo-vet binary
28 |       run: cargo install --root ${{ runner.tool_cache }}/cargo-vet --version ${{ env.CARGO_VET_VERSION }} cargo-vet
29 |     - name: Invoke cargo-vet aggregate
30 |       run: cargo vet aggregate --output-file audits.toml sources.list
31 |     - name: Commit changes (if any)
32 |       run: |
33 |         git config --global user.name "cargo-vet[bot]"
34 |         git config --global user.email "cargo-vet-aggregate@invalid"
35 |         git add audits.toml
36 |         git commit -m "Aggregate new audits" || true
37 |     - name: Push changes (if any)
38 |       run: git push origin main
39 | 


--------------------------------------------------------------------------------
/CODE_OF_CONDUCT.md:
--------------------------------------------------------------------------------
 1 | # Code of Conduct
 2 | 
 3 | ## Our Pledge
 4 | 
 5 | In the interest of fostering an open and welcoming environment, we as
 6 | contributors and maintainers pledge to making participation in our project and
 7 | our community a harassment-free experience for everyone, regardless of age, body
 8 | size, disability, ethnicity, gender identity and expression, level of
 9 | experience, education, socio-economic status, nationality, personal appearance,
10 | race, religion, or sexual identity and orientation.
11 | 
12 | ## Our Standards
13 | 
14 | Examples of behavior that contributes to creating a positive environment
15 | include:
16 | 
17 | *   Using welcoming and inclusive language
18 | *   Being respectful of differing viewpoints and experiences
19 | *   Gracefully accepting constructive criticism
20 | *   Focusing on what is best for the community
21 | *   Showing empathy towards other community members
22 | 
23 | Examples of unacceptable behavior by participants include:
24 | 
25 | *   The use of sexualized language or imagery and unwelcome sexual attention or
26 |     advances
27 | *   Trolling, insulting/derogatory comments, and personal or political attacks
28 | *   Public or private harassment
29 | *   Publishing others' private information, such as a physical or electronic
30 |     address, without explicit permission
31 | *   Other conduct which could reasonably be considered inappropriate in a
32 |     professional setting
33 | 
34 | ## Our Responsibilities
35 | 
36 | Project maintainers are responsible for clarifying the standards of acceptable
37 | behavior and are expected to take appropriate and fair corrective action in
38 | response to any instances of unacceptable behavior.
39 | 
40 | Project maintainers have the right and responsibility to remove, edit, or reject
41 | comments, commits, code, wiki edits, issues, and other contributions that are
42 | not aligned to this Code of Conduct, or to ban temporarily or permanently any
43 | contributor for other behaviors that they deem inappropriate, threatening,
44 | offensive, or harmful.
45 | 
46 | ## Scope
47 | 
48 | This Code of Conduct applies both within project spaces and in public spaces
49 | when an individual is representing the project or its community. Examples of
50 | representing a project or community include using an official project e-mail
51 | address, posting via an official social media account, or acting as an appointed
52 | representative at an online or offline event. Representation of a project may be
53 | further defined and clarified by project maintainers.
54 | 
55 | This Code of Conduct also applies outside the project spaces when the Project
56 | Steward has a reasonable belief that an individual's behavior may have a
57 | negative impact on the project or its community.
58 | 
59 | ## Conflict Resolution
60 | 
61 | We do not believe that all conflict is bad; healthy debate and disagreement
62 | often yield positive results. However, it is never okay to be disrespectful or
63 | to engage in behavior that violates the project’s code of conduct.
64 | 
65 | If you see someone violating the code of conduct, you are encouraged to address
66 | the behavior directly with those involved. Many issues can be resolved quickly
67 | and easily, and this gives people more control over the outcome of their
68 | dispute. If you are unable to resolve the matter for any reason, or if the
69 | behavior is threatening or harassing, report it. We are dedicated to providing
70 | an environment where participants feel welcome and safe.
71 | 
72 | Reports should be directed to *[PROJECT STEWARD NAME(s) AND EMAIL(s)]*, the
73 | Project Steward(s) for *[PROJECT NAME]*. It is the Project Steward’s duty to
74 | receive and address reported violations of the code of conduct. They will then
75 | work with a committee consisting of representatives from the Open Source
76 | Programs Office and the Google Open Source Strategy team. If for any reason you
77 | are uncomfortable reaching out to the Project Steward, please email
78 | opensource@google.com.
79 | 
80 | We will investigate every complaint, but you may not receive a direct response.
81 | We will use our discretion in determining when and how to follow up on reported
82 | incidents, which may range from not taking action to permanent expulsion from
83 | the project and project-sponsored spaces. We will notify the accused of the
84 | report and provide them an opportunity to discuss it before any action is taken.
85 | The identity of the reporter will be omitted from the details of the report
86 | supplied to the accused. In potentially harmful situations, such as ongoing
87 | harassment or threats to anyone's safety, we may take action without notice.
88 | 
89 | ## Attribution
90 | 
91 | This Code of Conduct is adapted from the Contributor Covenant, version 1.4,
92 | available at
93 | https://www.contributor-covenant.org/version/1/4/code-of-conduct.html
94 | 
95 | Note: A version of this file is also available in the
96 | [New Project repo](https://github.com/google/new-project/blob/master/docs/code-of-conduct.md).


--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
 1 | # How to Contribute
 2 | 
 3 | We'd love to accept your patches and contributions to this project.
 4 | 
 5 | ## Before you begin
 6 | 
 7 | ### Sign our Contributor License Agreement
 8 | 
 9 | Contributions to this project must be accompanied by a
10 | [Contributor License Agreement](https://cla.developers.google.com/about) (CLA).
11 | You (or your employer) retain the copyright to your contribution; this simply
12 | gives us permission to use and redistribute your contributions as part of the
13 | project.
14 | 
15 | If you or your current employer have already signed the Google CLA (even if it
16 | was for a different project), you probably don't need to do it again.
17 | 
18 | Visit <https://cla.developers.google.com/> to see your current agreements or to
19 | sign a new one.
20 | 
21 | ### Review our Community Guidelines
22 | 
23 | This project follows
24 | [Google's Open Source Community Guidelines](https://opensource.google/conduct/).
25 | 
26 | ## Contribution process
27 | 
28 | ### Code Reviews
29 | 
30 | All submissions, including submissions by project members, require review. We
31 | use GitHub pull requests for this purpose. Consult
32 | [GitHub Help](https://help.github.com/articles/about-pull-requests/) for more
33 | information on using pull requests.
34 | 
35 | ## Contributing Rust Audits
36 | 
37 | This respository is primarily an aggregation of audits done by people employed
38 | by Google, certifying code to be used in Google software. For this reason, we
39 | unfortunately cannot accept audits directly from non-Google sources.
40 | 
41 | If you're trying to add a Google project to the set of aggregated audits, thank
42 | you! You should reach out to @djkoloski. Please note that participating
43 | requires copying all audit criteria into your `audits.toml` verbatim;
44 | deviations/customizations will break our automatic aggregation jobs.
45 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
  1 | 
  2 |                                  Apache License
  3 |                            Version 2.0, January 2004
  4 |                         http://www.apache.org/licenses/
  5 | 
  6 |    TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
  7 | 
  8 |    1. Definitions.
  9 | 
 10 |       "License" shall mean the terms and conditions for use, reproduction,
 11 |       and distribution as defined by Sections 1 through 9 of this document.
 12 | 
 13 |       "Licensor" shall mean the copyright owner or entity authorized by
 14 |       the copyright owner that is granting the License.
 15 | 
 16 |       "Legal Entity" shall mean the union of the acting entity and all
 17 |       other entities that control, are controlled by, or are under common
 18 |       control with that entity. For the purposes of this definition,
 19 |       "control" means (i) the power, direct or indirect, to cause the
 20 |       direction or management of such entity, whether by contract or
 21 |       otherwise, or (ii) ownership of fifty percent (50%) or more of the
 22 |       outstanding shares, or (iii) beneficial ownership of such entity.
 23 | 
 24 |       "You" (or "Your") shall mean an individual or Legal Entity
 25 |       exercising permissions granted by this License.
 26 | 
 27 |       "Source" form shall mean the preferred form for making modifications,
 28 |       including but not limited to software source code, documentation
 29 |       source, and configuration files.
 30 | 
 31 |       "Object" form shall mean any form resulting from mechanical
 32 |       transformation or translation of a Source form, including but
 33 |       not limited to compiled object code, generated documentation,
 34 |       and conversions to other media types.
 35 | 
 36 |       "Work" shall mean the work of authorship, whether in Source or
 37 |       Object form, made available under the License, as indicated by a
 38 |       copyright notice that is included in or attached to the work
 39 |       (an example is provided in the Appendix below).
 40 | 
 41 |       "Derivative Works" shall mean any work, whether in Source or Object
 42 |       form, that is based on (or derived from) the Work and for which the
 43 |       editorial revisions, annotations, elaborations, or other modifications
 44 |       represent, as a whole, an original work of authorship. For the purposes
 45 |       of this License, Derivative Works shall not include works that remain
 46 |       separable from, or merely link (or bind by name) to the interfaces of,
 47 |       the Work and Derivative Works thereof.
 48 | 
 49 |       "Contribution" shall mean any work of authorship, including
 50 |       the original version of the Work and any modifications or additions
 51 |       to that Work or Derivative Works thereof, that is intentionally
 52 |       submitted to Licensor for inclusion in the Work by the copyright owner
 53 |       or by an individual or Legal Entity authorized to submit on behalf of
 54 |       the copyright owner. For the purposes of this definition, "submitted"
 55 |       means any form of electronic, verbal, or written communication sent
 56 |       to the Licensor or its representatives, including but not limited to
 57 |       communication on electronic mailing lists, source code control systems,
 58 |       and issue tracking systems that are managed by, or on behalf of, the
 59 |       Licensor for the purpose of discussing and improving the Work, but
 60 |       excluding communication that is conspicuously marked or otherwise
 61 |       designated in writing by the copyright owner as "Not a Contribution."
 62 | 
 63 |       "Contributor" shall mean Licensor and any individual or Legal Entity
 64 |       on behalf of whom a Contribution has been received by Licensor and
 65 |       subsequently incorporated within the Work.
 66 | 
 67 |    2. Grant of Copyright License. Subject to the terms and conditions of
 68 |       this License, each Contributor hereby grants to You a perpetual,
 69 |       worldwide, non-exclusive, no-charge, royalty-free, irrevocable
 70 |       copyright license to reproduce, prepare Derivative Works of,
 71 |       publicly display, publicly perform, sublicense, and distribute the
 72 |       Work and such Derivative Works in Source or Object form.
 73 | 
 74 |    3. Grant of Patent License. Subject to the terms and conditions of
 75 |       this License, each Contributor hereby grants to You a perpetual,
 76 |       worldwide, non-exclusive, no-charge, royalty-free, irrevocable
 77 |       (except as stated in this section) patent license to make, have made,
 78 |       use, offer to sell, sell, import, and otherwise transfer the Work,
 79 |       where such license applies only to those patent claims licensable
 80 |       by such Contributor that are necessarily infringed by their
 81 |       Contribution(s) alone or by combination of their Contribution(s)
 82 |       with the Work to which such Contribution(s) was submitted. If You
 83 |       institute patent litigation against any entity (including a
 84 |       cross-claim or counterclaim in a lawsuit) alleging that the Work
 85 |       or a Contribution incorporated within the Work constitutes direct
 86 |       or contributory patent infringement, then any patent licenses
 87 |       granted to You under this License for that Work shall terminate
 88 |       as of the date such litigation is filed.
 89 | 
 90 |    4. Redistribution. You may reproduce and distribute copies of the
 91 |       Work or Derivative Works thereof in any medium, with or without
 92 |       modifications, and in Source or Object form, provided that You
 93 |       meet the following conditions:
 94 | 
 95 |       (a) You must give any other recipients of the Work or
 96 |           Derivative Works a copy of this License; and
 97 | 
 98 |       (b) You must cause any modified files to carry prominent notices
 99 |           stating that You changed the files; and
100 | 
101 |       (c) You must retain, in the Source form of any Derivative Works
102 |           that You distribute, all copyright, patent, trademark, and
103 |           attribution notices from the Source form of the Work,
104 |           excluding those notices that do not pertain to any part of
105 |           the Derivative Works; and
106 | 
107 |       (d) If the Work includes a "NOTICE" text file as part of its
108 |           distribution, then any Derivative Works that You distribute must
109 |           include a readable copy of the attribution notices contained
110 |           within such NOTICE file, excluding those notices that do not
111 |           pertain to any part of the Derivative Works, in at least one
112 |           of the following places: within a NOTICE text file distributed
113 |           as part of the Derivative Works; within the Source form or
114 |           documentation, if provided along with the Derivative Works; or,
115 |           within a display generated by the Derivative Works, if and
116 |           wherever such third-party notices normally appear. The contents
117 |           of the NOTICE file are for informational purposes only and
118 |           do not modify the License. You may add Your own attribution
119 |           notices within Derivative Works that You distribute, alongside
120 |           or as an addendum to the NOTICE text from the Work, provided
121 |           that such additional attribution notices cannot be construed
122 |           as modifying the License.
123 | 
124 |       You may add Your own copyright statement to Your modifications and
125 |       may provide additional or different license terms and conditions
126 |       for use, reproduction, or distribution of Your modifications, or
127 |       for any such Derivative Works as a whole, provided Your use,
128 |       reproduction, and distribution of the Work otherwise complies with
129 |       the conditions stated in this License.
130 | 
131 |    5. Submission of Contributions. Unless You explicitly state otherwise,
132 |       any Contribution intentionally submitted for inclusion in the Work
133 |       by You to the Licensor shall be under the terms and conditions of
134 |       this License, without any additional terms or conditions.
135 |       Notwithstanding the above, nothing herein shall supersede or modify
136 |       the terms of any separate license agreement you may have executed
137 |       with Licensor regarding such Contributions.
138 | 
139 |    6. Trademarks. This License does not grant permission to use the trade
140 |       names, trademarks, service marks, or product names of the Licensor,
141 |       except as required for reasonable and customary use in describing the
142 |       origin of the Work and reproducing the content of the NOTICE file.
143 | 
144 |    7. Disclaimer of Warranty. Unless required by applicable law or
145 |       agreed to in writing, Licensor provides the Work (and each
146 |       Contributor provides its Contributions) on an "AS IS" BASIS,
147 |       WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
148 |       implied, including, without limitation, any warranties or conditions
149 |       of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
150 |       PARTICULAR PURPOSE. You are solely responsible for determining the
151 |       appropriateness of using or redistributing the Work and assume any
152 |       risks associated with Your exercise of permissions under this License.
153 | 
154 |    8. Limitation of Liability. In no event and under no legal theory,
155 |       whether in tort (including negligence), contract, or otherwise,
156 |       unless required by applicable law (such as deliberate and grossly
157 |       negligent acts) or agreed to in writing, shall any Contributor be
158 |       liable to You for damages, including any direct, indirect, special,
159 |       incidental, or consequential damages of any character arising as a
160 |       result of this License or out of the use or inability to use the
161 |       Work (including but not limited to damages for loss of goodwill,
162 |       work stoppage, computer failure or malfunction, or any and all
163 |       other commercial damages or losses), even if such Contributor
164 |       has been advised of the possibility of such damages.
165 | 
166 |    9. Accepting Warranty or Additional Liability. While redistributing
167 |       the Work or Derivative Works thereof, You may choose to offer,
168 |       and charge a fee for, acceptance of support, warranty, indemnity,
169 |       or other liability obligations and/or rights consistent with this
170 |       License. However, in accepting such obligations, You may act only
171 |       on Your own behalf and on Your sole responsibility, not on behalf
172 |       of any other Contributor, and only if You agree to indemnify,
173 |       defend, and hold each Contributor harmless for any liability
174 |       incurred by, or claims asserted against, such Contributor by reason
175 |       of your accepting any such warranty or additional liability.
176 | 
177 |    END OF TERMS AND CONDITIONS
178 | 
179 |    APPENDIX: How to apply the Apache License to your work.
180 | 
181 |       To apply the Apache License to your work, attach the following
182 |       boilerplate notice, with the fields enclosed by brackets "[]"
183 |       replaced with your own identifying information. (Don't include
184 |       the brackets!)  The text should be enclosed in the appropriate
185 |       comment syntax for the file format. We also recommend that a
186 |       file or class name and description of purpose be included on the
187 |       same "printed page" as the copyright notice for easier
188 |       identification within third-party archives.
189 | 
190 |    Copyright [yyyy] [name of copyright owner]
191 | 
192 |    Licensed under the Apache License, Version 2.0 (the "License");
193 |    you may not use this file except in compliance with the License.
194 |    You may obtain a copy of the License at
195 | 
196 |        http://www.apache.org/licenses/LICENSE-2.0
197 | 
198 |    Unless required by applicable law or agreed to in writing, software
199 |    distributed under the License is distributed on an "AS IS" BASIS,
200 |    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
201 |    See the License for the specific language governing permissions and
202 |    limitations under the License.


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # Google's Rust Crate Audits
  2 | 
  3 | Google uses cargo-vet to ensure third-party Rust dependencies have been audited
  4 | by Googlers or other trusted entities.
  5 | 
  6 | This repository automatically aggregates Google's audits from various
  7 | repositories to make them easily reusable by others.
  8 | 
  9 | To import Google's audits into another cargo-vet instance, add the following
 10 | lines to your config.toml:
 11 | 
 12 | ```toml
 13 | [imports.google]
 14 | url = "https://raw.githubusercontent.com/google/rust-crate-audits/main/audits.toml"
 15 | ```
 16 | 
 17 | ## Aggregated projects
 18 | 
 19 | These audits are automatically aggregated from the following Google projects:
 20 | 
 21 | - [Chromium]
 22 | - [ChromiumOS]
 23 | - [Fuchsia]
 24 | 
 25 | and other [manual sources] from within Google.
 26 | 
 27 | [Chromium]: https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain
 28 | [ChromiumOS]: https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/
 29 | [Fuchsia]: https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/
 30 | [manual sources]: https://github.com/google/rust-crate-audits/tree/main/manual-sources
 31 | 
 32 | ## Disclaimer
 33 | 
 34 | As with the audits from its contributing projects, this aggregation is provided
 35 | on a best-effort basis. These audits should not be construed as reflecting
 36 | material safety or security properties of Rust crates. We do our best to
 37 | aggregate valuable information; use at your own risk.
 38 | 
 39 | ## Auditing criteria
 40 | 
 41 | Google audits Rust crates using both built-in and custom cargo-vet criteria.
 42 | Below are the formal descriptions of the criteria used across Google. We
 43 | recommend cross-referencing these criteria with the corresponding
 44 | [auditing standards] for a better understanding of what they mean.
 45 | 
 46 | [auditing standards]: https://github.com/google/rust-crate-audits/blob/main/auditing_standards.md
 47 | 
 48 | ### Cryptography
 49 | 
 50 | #### `crypto-safe`
 51 | 
 52 | [Auditing standards](https://github.com/google/rust-crate-audits/blob/main/auditing_standards.md#crypto-safe)
 53 | 
 54 | > All crypto algorithms in this crate have been reviewed by a relevant expert.
 55 | >
 56 | > **Note**: If a crate does not implement crypto, use `does-not-implement-crypto`,
 57 | > which implies `crypto-safe`, but does not require expert review in order to
 58 | > audit for.
 59 | 
 60 | #### `does-not-implement-crypto`
 61 | 
 62 | [Auditing standards](https://github.com/google/rust-crate-audits/blob/main/auditing_standards.md#does-not-implement-crypto)
 63 | 
 64 | > Inspection reveals that the crate in question does not attempt to implement
 65 | > any cryptographic algorithms on its own.
 66 | >
 67 | > Note that certification of this does not require an expert on all forms of
 68 | > cryptography: it's expected for crates we import to be \"good enough\"
 69 | > citizens, so they'll at least be forthcoming if they try to implement
 70 | > something cryptographic. When in doubt, please ask an expert.
 71 | 
 72 | ### Deployment
 73 | 
 74 | #### `safe-to-run`
 75 | 
 76 | [Auditing standards](https://github.com/google/rust-crate-audits/blob/main/auditing_standards.md#safe-to-run)
 77 | 
 78 | > This crate can be compiled, run, and tested on a local workstation or in
 79 | > controlled automation without surprising consequences, such as:
 80 | > * Reading or writing data from sensitive or unrelated parts of the filesystem.
 81 | > * Installing software or reconfiguring the device.
 82 | > * Connecting to untrusted network endpoints.
 83 | > * Misuse of system resources (e.g. cryptocurrency mining).
 84 | 
 85 | #### `safe-to-deploy`
 86 | 
 87 | [Auditing standards](https://github.com/google/rust-crate-audits/blob/main/auditing_standards.md#safe-to-deploy)
 88 | 
 89 | > This crate will not introduce a serious security vulnerability to production
 90 | > software exposed to untrusted input.
 91 | >
 92 | > Auditors are not required to perform a full logic review of the entire crate.
 93 | > Rather, they must review enough to fully reason about the behavior of all
 94 | > unsafe blocks and usage of powerful imports. For any reasonable usage of the
 95 | > crate in real-world software, an attacker must not be able to manipulate the
 96 | > runtime behavior of these sections in an exploitable or surprising way.
 97 | >
 98 | > Ideally, all unsafe code is fully sound, and ambient capabilities (e.g.
 99 | > filesystem access) are hardened against manipulation and consistent with the
100 | > advertised behavior of the crate. However, some discretion is permitted. In
101 | > such cases, the nature of the discretion should be recorded in the `notes`
102 | > field of the audit record.
103 | >
104 | > For crates which generate deployed code (e.g. build dependencies or procedural
105 | > macros), reasonable usage of the crate should output code which meets the
106 | > above criteria.
107 | 
108 | ### Soundness
109 | 
110 | #### `ub-risk-0`
111 | 
112 | [Auditing standards](https://github.com/google/rust-crate-audits/blob/main/auditing_standards.md#ub-risk-0)
113 | 
114 | > This crate cannot cause undefined behavior because it contains no unsafe code.
115 | 
116 | #### `ub-risk-1`
117 | 
118 | [Auditing standards](https://github.com/google/rust-crate-audits/blob/main/auditing_standards.md#ub-risk-1)
119 | 
120 | > A designated unsafe code reviewer has audited the unsafe code in this crate.
121 | > No risk of causing undefined behavior was found.
122 | >
123 | > UB-RISK-1 crates are suitable for applications with the strictest memory
124 | > safety requirements:
125 | > - Safety documentation is comprehensive and precise. Unsafe APIs can be used
126 | >   soundly.
127 | > - Unsafe blocks rely on clear invariants and preconditions, and are
128 | >   well-justified by them.
129 | > - No way to cause undefined behavior was found during review.
130 | >
131 | > UB-RISK-1 crates are exceptionally well-documented and justified, leaving
132 | > little to no room for error.
133 | 
134 | #### `ub-risk-1-thorough`
135 | 
136 | A more thorough version of `ub-risk-1`. See [thorough soundness audits] for a
137 | description of "thorough" audits.
138 | 
139 | #### `ub-risk-2`
140 | 
141 | [Auditing standards](https://github.com/google/rust-crate-audits/blob/main/auditing_standards.md#ub-risk-2)
142 | 
143 | > A designated unsafe code reviewer has audited the unsafe code in this crate.
144 | > It has been found to pose a trivial risk of causing undefined behavior.
145 | >
146 | > UB-RISK-2 crates are suitable for most applications:
147 | > - Safety documentation is relatively comprehensive, though it may not be
148 | >   adequately precise. Unsafe APIs can be used soundly with very minor caution.
149 | > - Unsafe blocks may rely on informal invariants and preconditions. The
150 | >   reasoning required to justify them may be especially difficult or
151 | >   under-documented.
152 | > - Undefined behavior may be possible under extraordinary circumstances.
153 | >
154 | > UB-RISK-2 crates are effectively "the average good crate". While they may
155 | > have very slight (but real) soundness issues, they are safe to use in general
156 | > without much worry. These crates may exhibit undefined behavior under
157 | > "extraordinary circumstances", which is ultimately up to reviewer discretion.
158 | > Users may expect that reasonable use of the crate will not cause undefined
159 | > behavior.
160 | 
161 | #### `ub-risk-2-thorough`
162 | 
163 | A more thorough version of `ub-risk-2`. See [thorough soundness audits] for a
164 | description of "thorough" audits.
165 | 
166 | [thorough soundness audits]: https://github.com/google/rust-crate-audits/blob/main/auditing_standards.md#thoroughness
167 | 
168 | #### `ub-risk-3`
169 | 
170 | [Auditing standards](https://github.com/google/rust-crate-audits/blob/main/auditing_standards.md#ub-risk-3)
171 | 
172 | > A designated unsafe code reviewer has audited the unsafe code in this crate.
173 | > It has been found to pose a significant risk of causing undefined behavior.
174 | >
175 | > UB-RISK-3 crates are suitable for select applications:
176 | > - Safety documentation may not be adequately comprehensive or precise. Unsafe
177 | >   APIs can be used soundly with a decent amount of caution.
178 | > - Unsafe blocks may rely on under-documented or inferred invariants and
179 | >   preconditions. The reasoning required to justify them may rely on specific
180 | >   interpretations of undefined behavior that are under-specified. Those
181 | >   interpretations must not actively cause UB, and should be unlikely to begin
182 | >   causing UB in the future.
183 | > - Undefined behavior may be possible under uncommon circumstances.
184 | >
185 | > UB-RISK-3 crates may not uphold the typical standards required for unsafe
186 | > code, but are still used because they have been widely adopted and will
187 | > inevitably be leveraged by indirect dependencies. These crates may exhibit
188 | > undefined behavior under \"uncommon circumstances\", which is ultimately up to
189 | > reviewer discretion. A decent amount of experience with unsafe code will be
190 | > required to avoid undefined behavior.
191 | 
192 | #### `ub-risk-4`
193 | 
194 | [Auditing standards](https://github.com/google/rust-crate-audits/blob/main/auditing_standards.md#ub-risk-4)
195 | 
196 | > A designated unsafe code reviewer has audited the unsafe code in this crate.
197 | > It has been found to pose a high risk of causing undefined behavior.
198 | >
199 | > UB-RISK-4 crates are unsuitable except in specific situations:
200 | > - Safety documentation may be nonexistent. Unsafe APIs may be difficult to use
201 | >   safely even with experience writing unsafe code and specific domain
202 | >   expertise.
203 | > - Unsafe blocks may rely on undocumented invarianats or platform-specific
204 | >   behavior. It may be difficult or impossible to reason about all possible
205 | >   situations that may cause undefined behavior. Even a best-effort review is
206 | >   expected to miss at least some possible unsoundness.
207 | > - Undefined behavior may be possible under common circumstances.
208 | >
209 | > UB-RISK-4 crates may have APIs that are difficult to use without causing
210 | > undefined behavior. They may require a large amount of domain expertise to use
211 | > correctly, have large unsafe APIs with insufficient documentation, or perform
212 | > many operations from safe code that could cause undefined behavior.
213 | 


--------------------------------------------------------------------------------
/auditing_standards.md:
--------------------------------------------------------------------------------
  1 | # Rust Crate Auditing Standards
  2 | 
  3 | ## Why we need standards for auditing
  4 | 
  5 | When auditing third-party crates, we're reading a standard described by a few short paragraphs and judging whether some code satisfies them. That judgment adds a new fact to our shared understanding of third-party code. As a legal analogy, an auditing criteria description is like a _law_. The job of the auditor is to play judge and decide whether some code upholds or breaks the law. From this analogy, it's easy to understand how different auditors may interpret the same criteria differently. Some auditors may be more lenient than others, and real-world experience uniquely informs our decisions.
  6 | 
  7 | To ensure that our audits are usable throughout Google, we need to be confident that different auditors will come to the same conclusions about the same code. These auditing standards increase our confidence through clarifying remarks, case studies, and required processes. Continuing the legal analogy, these standards are like case law.
  8 | 
  9 | ## Summary
 10 | 
 11 | Below are a list of all the auditing criteria and the requirements for someone to audit for them. If you're a contributor looking for criteria you can help audit, this table can help point you towards criteria you're qualified to audit for.
 12 | 
 13 | | **Criteria**                          | **Requires**                                      |
 14 | |---------------------------------------|---------------------------------------------------|
 15 | | [`crypto-safe`]                       | **Cryptography expertise** and **Rust expertise** |
 16 | | [`does-not-implement-crypto`]         | **Generalist SWE**                                |
 17 | | [`safe-to-run`]                       | **Generalist SWE**                                |
 18 | | [`safe-to-deploy`]                    | **Generalist SWE**                                |
 19 | | [`ub-risk-0`]                         | **Automation** or **Generalist SWE**              |
 20 | | [`ub-risk-1`], [`ub-risk-1-thorough`] | **Unsafe Rust expertise**                         |
 21 | | [`ub-risk-2`], [`ub-risk-2-thorough`] | **Unsafe Rust expertise**                         |
 22 | | [`ub-risk-3`]                         | **Unsafe Rust expertise**                         |
 23 | | [`ub-risk-4`]                         | **Unsafe Rust expertise**                         |
 24 | 
 25 | [`crypto-safe`]: #crypto-safe
 26 | [`does-not-implement-crypto`]: #does-not-implement-crypto
 27 | [`safe-to-run`]: #safe-to-run
 28 | [`safe-to-deploy`]: #safe-to-deploy
 29 | [`ub-risk-0`]: #ub-risk-0
 30 | [`ub-risk-1`]: #ub-risk-1
 31 | [`ub-risk-1-thorough`]: #ub-risk-1-thorough
 32 | [`ub-risk-2`]: #ub-risk-2
 33 | [`ub-risk-2-thorough`]: #ub-risk-2-thorough
 34 | [`ub-risk-3`]: #ub-risk-3
 35 | [`ub-risk-4`]: #ub-risk-4
 36 | 
 37 | ## Common criteria
 38 | 
 39 | ### Cryptography
 40 | 
 41 | #### `crypto-safe`
 42 | 
 43 | Requires **Cryptography expertise** and **Rust expertise** 
 44 | 
 45 | Crates with this criteria contain implementations of cryptographic algorithms which have been reviewed by an expert and deemed acceptable. Cryptography is always mission-critical. Even though we don't expect to catch every issue in review, a crate audited as crypto-safe is sufficient for use.
 46 | 
 47 | #### Guidelines
 48 | 
 49 | *   An expert must review the cryptographic algorithms and deem them acceptable. Generalist SWEs and others without adequate experience in cryptographic algorithms may not audit for this criteria.
 50 | *   It is not acceptable to just compare the written code against reference pseudocode or another accepted implementation.
 51 | *   It is recommended that a cryptography expert work with a Rust language expert to verify that the implementation works as intended.
 52 | 
 53 | ### `does-not-implement-crypto`
 54 | 
 55 | Requires **Generalist SWE**
 56 | 
 57 | Crates with this criteria do not implement cryptographic algorithms.
 58 | 
 59 | #### Criteria guidelines
 60 | 
 61 | *   Generalist SWEs have the ability to determine whether a crate contains implementations of cryptographic algorithms.
 62 | *   Many crates use but do not implement cryptographic algorithms. The way they use those cryptographic algorithms may have material implications on the security or soundness of the algorithms. These issues may be raised while auditing deployment criteria, but are not relevant to this criteria. Those crates may still be audited as `does-not-implement-crypto`.
 63 | 
 64 | ## Deployment
 65 | 
 66 | ### `safe-to-run`
 67 | 
 68 | Requires **Generalist SWE**
 69 | 
 70 | This criteria is built-in to cargo vet and describes a crate which "can be compiled, run, and tested on a local workstation or in controlled automation without surprising consequences". It lists a few examples of what it considers "surprising consequences" which will be repeated here along with any additional guidelines specific to Google.
 71 | 
 72 | #### Criteria guidelines
 73 | 
 74 | *   Generalist SWEs have the ability to determine whether a crate is safe to run.
 75 | *   Crates must not do any of the following unless it is their express purpose and have been explicitly directed to do so by a developer or user:
 76 |     *   Read or write data from sensitive or unrelated parts of the filesystem
 77 |     *   Install software or reconfigure the device
 78 |     *   Connect to untrusted network endpoints
 79 | *   Crates must not do any of the following under any circumstances:
 80 |     *   Misuse system resources (e.g. cryptocurrency mining).
 81 | 
 82 | ### `safe-to-deploy`
 83 | 
 84 | Requires **Generalist SWE**
 85 | 
 86 | This criteria is built-in to cargo vet and describes a crate which "will not introduce a serious security vulnerability to production software exposed to untrusted input". It clarifies some specific practices which will be repeated here along with any additional guidelines specific to Google.
 87 | 
 88 | #### Criteria guidelines
 89 | 
 90 | *   While this criteria does not require specific expertise, a generalist SWE must have familiarity with all auditing criteria and standards. Many organizations have additional requirements for code to be safe to deploy which may be relevant to the crate being reviewed.
 91 | *   Per the criteria description:
 92 |     *   Reviewers are not required to perform a full logic review of the entire crate. Rather, they must review enough to fully reason about the behavior of all unsafe blocks and usage of powerful imports. For any reasonable usage of the crate in real-world software, an attacker must not be able to manipulate the runtime behavior of these sections in an exploitable or surprising way.
 93 |     *   Ideally, all unsafe code is fully sound, and ambient capabilities (e.g. filesystem access) are hardened against manipulation and consistent with the advertised behavior of the crate. However, some discretion is permitted. In such cases, the nature of the discretion should be recorded in the `notes` field of the audit record.
 94 |     *   For crates which generate deployed code (e.g. build dependencies or procedural macros), reasonable usage of the crate should output code which meets the above criteria.
 95 | *   This criteria is not a proper soundness review. See the "Soundness" group for criteria pertaining to soundness.
 96 | *   This criteria does not satisfy a general requirement for deploying code. Google's requirements for deploying code may vary across organizations.
 97 | 
 98 | ## Soundness
 99 | 
100 | Most criteria in this group require training and experience in reviewing unsafe Rust code. Getting approval to do these unsafe reviews varies across organizations, but generally requires learning a wide variety of unsafe Rust topics and doing in-person shadowing.
101 | 
102 | ### Thoroughness
103 | 
104 | The goal of a soundness review is to correctly classify the code as either "sound" or "unsound", then assign a risk level based on the code classified as "unsound". A perfect test would classify all of the sound code as "sound" and all of the unsound code as "unsound", with no classification errors. Soundness reviews are already very precise and technical work, and reaching such high levels of confidence may require an inordinate amount of effort. With this limitation in mind, review "thoroughness" is a way to increase the effort applied to a review and the confidence of its conclusion.
105 | 
106 | A "thorough" soundness review aims to increase the sensitivity of the review and correctly classify all unsound code. It should be considered the "gold standard" of reviewing; it should not be feasible to more accurately detect unsoundness than with a thorough review. Because thoroughness only focuses on reducing the false negative rate, thoroughness only matters when auditing for `ub-risk-1` and `ub-risk-2`. If the code is known to be riskier than `ub-risk-2`, then the thoroughness of the review is not consequential.
107 | 
108 | #### All soundness reviews
109 | 
110 | For all soundness reviews, an unsafe Rust reviewer must:
111 | 
112 | *   Look at each line of unsafe code
113 | *   Reason about the unsafe Rust patterns found
114 | 
115 | It is acceptable if similar-looking unsafe blocks are skimmed over during a review. It is recommended (but not required) for the reviewer to document each unsafe block with a comment.
116 | 
117 | #### Thorough soundness reviews
118 | 
119 | For thorough soundness reviews, an unsafe Rust reviewer must additionally:
120 | 
121 | *   Explicitly justify the code in each unsafe block
122 |     *   All unsafe operations must be identified and the safety conditions for each must be addressed.
123 |     *   If the review is done in a group, then any nontrivial reasoning should be voiced for discussion.
124 | *   Document the justification for each unsafe block with a comment
125 |     *   For structurally identical unsafe blocks, it is acceptable for the reasoning to be “same as above” or "ditto".
126 | 
127 | Unless an unsafe Rust reviewer is very experienced, a group of two or more should perform thorough soundness reviews.
128 | 
129 | [thorough]: #thorough-soundness-reviews
130 | 
131 | ### `ub-risk-0`
132 | 
133 | Also called: "No unsafe code"
134 | 
135 | Requires **Automation** or **Generalist SWE** 
136 | 
137 | Crates with this criteria do not contain unsafe Rust code.
138 | 
139 | #### Criteria guidelines
140 | 
141 | *   Because this criteria merely describes whether a crate contains unsafe Rust code, generalist SWEs may audit for it. Unless there is unambiguously no unsafe code, automation may not audit for this criteria. Even if automation audits for this criteria, a real person **must** sign off on the final audit. As a baseline, automation should reject any code containing the string `unsafe`. It may - but is not required to - allow **only** the following exceptions if robust and very well-tested:
142 |     *   When not a whole-word textual match: e.g. `struct Unsafe`, `UnsafeCell`, `let not_unsafe`, etc
143 |     *   Comments: e.g. `// This is not unsafe`
144 |     *   Literals: e.g. `"hello unsafe"`
145 |     *   Tests: i.e. code gated behind `#[cfg(test)]`. Note that unsafe blocks that are included in downstream binaries (e.g. `#[cfg(debug_assertions)]`) may not be ignored.
146 |     *   In the future, unsafe code that is disabled via `cfg` may be ignored if the disabled features are recorded with the audit and `cargo vet` handles these exclusions programmatically. See [this issue](https://github.com/mozilla/cargo-vet/issues/380) for tracking.
147 | 
148 | ### `ub-risk-1`
149 | 
150 | Also called: "No detectable unsoundness", "Excellent soundness"
151 | 
152 | Requires **Unsafe Rust expertise**
153 | 
154 | Crates with this criteria contain unsafe Rust code which is very high quality and poses near-zero risk of introducing undefined behavior. This risk level can be considered the `crypto-safe` of soundness, and these crates are suitable for the most demanding situations.
155 | 
156 | #### Criteria guidelines
157 | 
158 | *   Auditing for this criteria requires expertise with unsafe Rust. See the group documentation for details.
159 | *   Per the criteria description:
160 |     *   Unsafe blocks rely on clear invariants and preconditions, and are well-justified by them.
161 |     *   No way to cause undefined behavior was found during review.
162 |     *   Safety documentation is comprehensive and precise. Unsafe APIs can be used soundly.
163 | *   The unsafe code in this crate must be sound even when held to the highest possible standard.
164 | *   It may not be good enough for a crate to have sound unsafe code if that unsafe code is too difficult to confidently review.
165 | *   Unsafe blocks should have safety comments. We prefer standard safety justifications of the form `// SAFETY: <justification>` but any comments which fulfill the same purpose are acceptable.
166 | *   Every unsafe trait and function must have safety documentation clearly describing the preconditions and postconditions (if any) which are required to maintain memory safety.
167 | 
168 | ### `ub-risk-1-thorough`
169 | 
170 | A more [thorough] version of [`ub-risk-1`].
171 | 
172 | ### `ub-risk-2`
173 | 
174 | Also called: "Negligible unsoundness", "Average good crate"
175 | 
176 | Requires **Unsafe Rust expertise**
177 | 
178 | Crates with this criteria contain unsafe Rust code which is of good quality and pose a trivial risk of causing undefined behavior. The "average good crate" typically falls in this risk level. They are suitable for most applications.
179 | 
180 | #### Criteria guidelines
181 | 
182 | *   Auditing for this criteria requires expertise with unsafe Rust. See the group documentation for details.
183 | *   Per the criteria description:
184 |     *   Safety documentation is relatively comprehensive, though it may not be adequately precise. Unsafe APIs can be used soundly with very minor caution.
185 |     *   Unsafe blocks may rely on informal invariants and preconditions. The reasoning required to justify them may be especially difficult or under-documented.
186 |     *   Undefined behavior may be possible under extraordinary circumstances.
187 | *   Most crates involving unsafe code belong here. Avoid putting crates in `ub-risk-1` unless they genuinely meet the stated criteria.
188 | *   The definition of "extraordinary circumstances" is open to interpretation. Some examples of circumstances that can cause UB generally considered "extraordinary" are:
189 |     *   Violating some obvious but unwritten rules about how to use an unsafe API. Even if an unsafe API doesn't specify that a pointer must be properly aligned, it's safe to assume that passing an unaligned pointer can cause UB.
190 |     *   Violating work-in-progress rules around unsafe code that are being designed by `t-opsem` (e.g. Stacked Borrows and Tree Borrows), provided that stable alternatives for performing the same operation do not exist or have only recently been stabilized. This may include code that triggers errors in MIRI.
191 |     *   Working in gray areas of unsafe semantics that are still under discussion and yet to be decided by `t-opsem`, provided that stable alternatives for performing the same operation do not exist or have only recently been stabilized, or that the general trend of current discussion of `t-opsem` can be shown to be in the direction that allows the pattern to be sound.
192 |     *   Being able to cause UB with malicious code. The code should be complex enough that it would never be written by accident. For example: panicking in a callback you gave to the API, then catching it and performing some specific operations that normal code would not do.
193 |     *   Using or implementing `#[doc(hidden)]` items to cause UB without unsafe code.
194 | *   Users may expect that reasonable use of these crates will not cause UB.
195 | 
196 | ### `ub-risk-2-thorough`
197 | 
198 | A more [thorough] version of [`ub-risk-2`].
199 | 
200 | ### `ub-risk-3`
201 | 
202 | Also called: "Mild unsoundness", "Suboptimal soundness"
203 | 
204 | Requires **Unsafe Rust expertise**
205 | 
206 | Crates with this criteria contain unsafe Rust code which doesn't uphold the typical standards required for unsafe code. They pose a nontrivial, but not necessarily unacceptable risk of causing undefined behavior. Projects are encouraged to allow the use of these crates on a case-by-case basis, based on their own specific constraints.
207 | 
208 | #### Criteria guidelines
209 | 
210 | *   Auditing for this criteria requires expertise with unsafe Rust. See the group documentation for details.
211 | *   Per the criteria description:
212 |     *   Safety documentation may not be adequately comprehensive or precise. Unsafe APIs can be used soundly with a decent amount of caution.
213 |     *   Unsafe blocks may rely on under-documented or inferred invariants and preconditions. The reasoning required to justify them may rely on specific interpretations of undefined behavior that are under-specified. Those interpretations must not actively cause UB, and should be unlikely to begin causing UB in the future.
214 |     *   Undefined behavior may be possible under uncommon circumstances.
215 | *   These are crates that we would prefer not to use because of their unsafe code, but we may still do so begrudgingly.
216 | *   The definition of "uncommon circumstances" is open to interpretation. Some examples of circumstances that can cause UB generally considered "uncommon" are:
217 |     *   Leveraging incorrect variance on type lifetimes to violate memory safety.
218 |     *   Writing implementations of traits not marked `unsafe` by violating documented invariants.
219 |     *   Writing implementations of traits not marked `unsafe` that are not really intended to be implemented by the user.
220 |     *   Explicitly forgetting values that have important drop behavior to cause UB when combined with operations that would not be expected to follow normally.
221 | *   Some caution may be required to avoid undefined behavior.
222 | 
223 | 
224 | `ub-risk-3` is the highest risk level at which non-experts could reasonably avoid causing undefined behavior. These crates are unsound, but the risk they pose may be acceptable in some situations. Projects need to make judgement calls about where, when, and by whom these crates may be used. For example, a project may deem a `ub-risk-3` crate acceptable to use if it contains unsoundness that:
225 | 
226 |  * Is only triggered on platforms that the codebase does not care about.
227 |  * May only become a problem in future versions of Rust, by which time there is confidence that it will have been patched.
228 |  * Is triggered by a pattern of use which the project discourages and can confidently avoid long-term.
229 | 
230 | 
231 | All audit levels should strive to detail the safety issues found. However, those details are especially important for `ub-risk-3` audits because projects depend on those details to determine whether high-risk crates are acceptable to use.
232 | 
233 | ### `ub-risk-4`
234 | 
235 | Also called: "Extreme unsoundness", "Very risky"
236 | 
237 | Requires **Unsafe Rust expertise**
238 | 
239 | Crates with this criteria contain very dangerous unsafe rust code. They pose a risk of causing undefined behavior with typical use.
240 | 
241 | #### Criteria guidelines
242 | 
243 | *   Auditing for this criteria requires expertise with unsafe Rust. See the group documentation for details.
244 | *   Per the criteria description:
245 |     *   Safety documentation may be nonexistent. Unsafe APIs may be difficult to use safely even with experience writing unsafe code and specific domain expertise.
246 |     *   Unsafe blocks may rely on undocumented invariants or platform-specific behavior. It may be difficult or impossible to reason about all possible situations that may cause undefined behavior. Even a best-effort review is expected to miss at least some possible unsoundness.
247 |     *   Undefined behavior may be possible under common circumstances.
248 | *   Most crates that try to be sound but don't quite make the cut go in `ub-risk-3`, not here. These crates are wildly unsafe, and the only time we should use them is when they are a necessary evil.
249 | *   Everything worse than `ub-risk-3` goes in here and we should do our best to avoid using them.
250 | 
251 | ## Criteria-agnostic guidelines
252 | 
253 | ### Delta audits should describe the final version
254 | 
255 | In general, delta audits should always take the previous, baseline audit into
256 | account.  In particular, note that
257 | [Cargo Vet's documentation](https://mozilla.github.io/cargo-vet/audit-entries.html#delta)
258 | asks the auditor to acquire sufficient context when working on delta
259 | audits:
260 | 
261 | > The [auditing] standard here is that the properties are actually
262 | > preserved, not merely that that the diff doesn't obviously violate
263 | > them. It is the responsibility of the auditor to acquire sufficient
264 | > context to certify the former.
265 | 
266 | Since the delta audits only determine which criteria from the baseline version
267 | are preserved, you should perform and record a non-delta audit to lower the
268 | `UB-risk-N` level, or to downgrade from `crypto-safe` to
269 | `does-not-contain-crypto`. In other words, a delta audit should never result in
270 | lowering the `UB-risk-N` value from the previous audit, or downgrading
271 | `crypto-safe` to `does-not-contain-crypto`.
272 | 
273 | For example, even though
274 | [the 1.0.79 to 1.0.80 delta of the `proc-macro2` crate](https://chromium-review.googlesource.com/c/chromium/src/+/5453972/2..6)
275 | doesn't add or change any `unsafe` code, it shouldn't be recorded as
276 | `ub-risk-0`, because there is still `unsafe` outside of the delta
277 | (e.g. `unsafe { imp::Literal::from_str_unchecked(repr) }` in
278 | [`lib.rs` on line 1282](https://chromium-review.googlesource.com/c/chromium/src/+/5453972/2..6/third_party/rust/chromium_crates_io/vendor/proc-macro2-1.0.80/src/lib.rs#1282)).
279 | 
280 | Another example is the improvements in `flate2` between version 1.0.27
281 | (`ub-risk-4` because of https://github.com/rust-lang/flate2-rs/issues/220) and
282 | 1.0.28 (`ub-risk-3` because of https://github.com/rust-lang/flate2-rs/pull/373).
283 | Recording this improvement as a delta audit would be insufficient to pass `cargo
284 | vet check` presumits (as tested by
285 | [this ad-hoc Chromium CL](https://crrev.com/c/5532326)).
286 | 
287 | ### Audits should be as precise as possible
288 | 
289 | *e.g. Audits should not account for `config.toml` policy*
290 | 
291 | Audits should record the most precise criteria for each crate, without
292 | accounting for a project's `config.toml` policy. In some cases, a project's
293 | policy may only require a crate to meet a minimum level of certification.
294 | Although it may be less work to audit a crate at that minimum level, we
295 | should always audit crates with the most precise criteria available. This
296 | ensures that our audits are as shareable as possible between project
297 | participants.
298 | 
299 | For example, Chromium requires `ub-risk-2` for crates used in the browser
300 | process. The following `config.toml` is auto-generated for the quote crate:
301 | entry for the `quote` crate:
302 | 
303 | ```
304 | # supply-chain/config.toml:
305 | [policy."quote:1.0.36"]
306 | criteria = ["does-not-implement-crypto", "safe-to-deploy", "ub-risk-2"]
307 | ```
308 | 
309 | This means that certifying this crate as `ub-risk-2` is sufficient for `cargo
310 | vet` checks/presubmits to pass and `cargo vet check` will actually only ask
311 | to certify at the `ub-risk-2` level:
312 | 
313 | ```
314 | $ tools/crates/run_cargo_vet.py check
315 | Vetting Failed!
316 | 
317 | 1 unvetted dependencies:
318 |   quote:1.0.36 missing ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"]
319 | 
320 | recommended audits for safe-to-deploy, does-not-implement-crypto, ub-risk-2:
321 |     Command                             Publisher  Used By                                    Audit Size
322 |     cargo vet diff quote 1.0.35 1.0.36  dtolnay    syn, chromium, prost-derive, and 6 others  6 files changed, 568 insertions(+), 548 deletions(-)
323 | 
324 | estimated audit backlog: 1116 lines
325 | 
326 | Use |cargo vet certify| to record the audits.
327 | ```
328 | 
329 | Although it is recommended to audit at `ub-risk-2`, the audit should always
330 | certify `quote` 1.0.36 at the most precise ub-risk level possible. In this case,
331 | the crate should be audited as `ub-risk-0` because it doesn't contain any
332 | unsafe code.
333 | 


--------------------------------------------------------------------------------
/manual-sources/README.md:
--------------------------------------------------------------------------------
 1 | # Manual audit sources
 2 | 
 3 | This repo aggregates audits from other sources like Android and Fuchsia; however it is the source of truth for some audits that are not otherwise public, for example for Rust crates being imported into the [google3](https://opensource.google/documentation/reference/glossary#google3) monorepo.
 4 | 
 5 | The primary source of truth for these is stored in audits.toml files in this folder, and aggregated into the toplevel audits.toml by CI.
 6 | 
 7 | If you are performing an audit for such a source, you may submit your audits to these files directly. You do not need to update the toplevel audits.toml as that will be done by CI, though you can if you'd like (it's finicky).
 8 | 
 9 | You may directly depend on these audit files if you wish, however their locations may move around in the long term. It is recommended to depend on the toplevel audit file in this repo.
10 | 


--------------------------------------------------------------------------------
/manual-sources/google3-audits.toml:
--------------------------------------------------------------------------------
   1 | [criteria.crypto-safe]
   2 | description = """
   3 | All crypto algorithms in this crate have been reviewed by a relevant expert.
   4 | 
   5 | **Note**: If a crate does not implement crypto, use `does-not-implement-crypto`,
   6 | which implies `crypto-safe`, but does not require expert review in order to
   7 | audit for."""
   8 | 
   9 | [criteria.does-not-implement-crypto]
  10 | description = """
  11 | Inspection reveals that the crate in question does not attempt to implement any
  12 | cryptographic algorithms on its own.
  13 | 
  14 | Note that certification of this does not require an expert on all forms of
  15 | cryptography: it's expected for crates we import to be \"good enough\" citizens,
  16 | so they'll at least be forthcoming if they try to implement something
  17 | cryptographic. When in doubt, please ask an expert."""
  18 | implies = "crypto-safe"
  19 | 
  20 | [criteria.ub-risk-0]
  21 | description = """
  22 | No unsafe code.
  23 | 
  24 | Full description of the audit criteria can be found at
  25 | https://github.com/google/rust-crate-audits/blob/main/auditing_standards.md#ub-risk-0
  26 | """
  27 | implies = "ub-risk-1"
  28 | 
  29 | [criteria.ub-risk-1]
  30 | description = """
  31 | Excellent soundness.
  32 | 
  33 | Full description of the audit criteria can be found at
  34 | https://github.com/google/rust-crate-audits/blob/main/auditing_standards.md#ub-risk-1
  35 | """
  36 | implies = "ub-risk-2"
  37 | 
  38 | [criteria.ub-risk-1-thorough]
  39 | description = """
  40 | Excellent soundness (established in a thorough review).
  41 | 
  42 | Full description of the audit criteria can be found at
  43 | https://github.com/google/rust-crate-audits/blob/main/auditing_standards.md#ub-risk-1-thorough
  44 | """
  45 | implies = "ub-risk-1"
  46 | 
  47 | [criteria.ub-risk-2]
  48 | description = """
  49 | Negligible unsoundness or average soundness.
  50 | 
  51 | Full description of the audit criteria can be found at
  52 | https://github.com/google/rust-crate-audits/blob/main/auditing_standards.md#ub-risk-2
  53 | """
  54 | implies = "ub-risk-3"
  55 | 
  56 | [criteria.ub-risk-2-thorough]
  57 | description = """
  58 | Negligible unsoundness or average soundness (established in a thorough review).
  59 | 
  60 | Full description of the audit criteria can be found at
  61 | https://github.com/google/rust-crate-audits/blob/main/auditing_standards.md#ub-risk-2-thorough
  62 | """
  63 | implies = "ub-risk-2"
  64 | 
  65 | [criteria.ub-risk-3]
  66 | description = """
  67 | Mild unsoundness or suboptimal soundness.
  68 | 
  69 | Full description of the audit criteria can be found at
  70 | https://github.com/google/rust-crate-audits/blob/main/auditing_standards.md#ub-risk-3
  71 | """
  72 | implies = "ub-risk-4"
  73 | 
  74 | [criteria.ub-risk-4]
  75 | description = """
  76 | Extreme unsoundness.
  77 | 
  78 | Full description of the audit criteria can be found at
  79 | https://github.com/google/rust-crate-audits/blob/main/auditing_standards.md#ub-risk-4
  80 | """
  81 | 
  82 | [[audits.alloc-no-stdlib]]
  83 | who = [
  84 |     "Luca Versari <veluca@google.com>",
  85 |     "Manish Goregaokar <manishearth@google.com>"
  86 | ]
  87 | criteria = ["ub-risk-4"]
  88 | version = "2.0.4"
  89 | notes = """Reviewed in CL 636730294
  90 | Issues found:
  91 |  - unsafe functions have no documented safety invariants
  92 |  - CallocBackingStore returns uninitialized memory
  93 | """
  94 | 
  95 | [[audits.alloc-stdlib]]
  96 | who = "Taylor Cramer <cramertj@google.com>"
  97 | criteria = ["ub-risk-2"]
  98 | version = "0.2.2"
  99 | notes = "Reviewed in CL 636730499"
 100 | 
 101 | [[audits.android_logger]]
 102 | who = "Manish Goregaokar <manishearth@google.com>"
 103 | criteria = ["ub-risk-3", "does-not-implement-crypto"]
 104 | version = "0.13.3"
 105 | notes = "Reviewed in CL 559548165"
 106 | 
 107 | [[audits.anstream]]
 108 | who = "Manish Goregaokar <manishearth@google.com>"
 109 | criteria = ["ub-risk-3"]
 110 | version = "0.3.2"
 111 | notes = "Reviewed in CL 559376670"
 112 | 
 113 | [[audits.anstream]]
 114 | who = "Ben Saunders <bsaunders@google.com>"
 115 | criteria = ["ub-risk-4"]
 116 | version = "0.6.5"
 117 | notes = """Reviewed in CL 596713982
 118 | Issues found:
 119 |  - https://github.com/rust-cli/anstyle/issues/156
 120 |  - Exhaustive review of utf8 soundness not performed
 121 | """
 122 | 
 123 | [[audits.anstyle]]
 124 | who = "Ben Saunders <bsaunders@google.com>"
 125 | criteria = ["ub-risk-1", "does-not-implement-crypto"]
 126 | version = "1.0.0"
 127 | notes = "Reviewed in CL 559404826"
 128 | 
 129 | [[audits.anstyle_query]]
 130 | who = "Ben Saunders <bsaunders@google.com>"
 131 | criteria = ["ub-risk-2", "does-not-implement-crypto"]
 132 | version = "1.0.0"
 133 | notes = "Reviewed in CL 559375925"
 134 | 
 135 | [[audits.anstyle-parse]]
 136 | who = "Manish Goregaokar <manishearth@google.com>"
 137 | criteria = ["ub-risk-3"]
 138 | version = "0.2.1"
 139 | notes = "Reviewed in CL 559131783"
 140 | 
 141 | [[audits.anymap]]
 142 | who = "Manish Goregaokar <manishearth@google.com>"
 143 | criteria = ["ub-risk-3", "does-not-implement-crypto"]
 144 | version = "1.0.0-beta2"
 145 | notes = "Reviewed in CL 558118223"
 146 | 
 147 | [[audits.archery]]
 148 | who = "Taylor Cramer <cramertj@google.com>"
 149 | criteria = ["ub-risk-2"]
 150 | version = "1.2.1"
 151 | notes = "Reviewed in CL 689387930"
 152 | 
 153 | [[audits.argminmax]]
 154 | who = "Augie Fackler <augie@google.com>"
 155 | criteria = ["ub-risk-2"]
 156 | version = "0.6.2"
 157 | notes = "Reviewed in CL 645900200"
 158 | 
 159 | [[audits.array-init-cursor]]
 160 | who = "Manish Goregaokar <manishearth@google.com>"
 161 | criteria = ["ub-risk-3"]
 162 | version = "0.2.0"
 163 | notes = """Reviewed in CL 702364774
 164 | Could have more comments. into_buf can probably be written safely.
 165 | """
 166 | 
 167 | [[audits.arrayref]]
 168 | who = [
 169 |     "Luca Versari <veluca@google.com>",
 170 |     "Manish Goregaokar <manishearth@google.com>"
 171 | ]
 172 | criteria = ["ub-risk-3"]
 173 | version = "0.3.7"
 174 | notes = """Reviewed in CL 636647431
 175 | Issues found:
 176 |  - Macros do not overflow check before adding pre/post and can cause hard-to-trigger UB. https://github.com/droundy/arrayref/issues/26
 177 | """
 178 | 
 179 | [[audits.arrayref]]
 180 | who = "Manish Goregaokar <manishearth@google.com>"
 181 | criteria = ["ub-risk-2"]
 182 | delta = "0.3.7 -> 0.3.9"
 183 | notes = """Reviewed in CL 693504716
 184 | Diff fixes https://github.com/droundy/arrayref/issues/26
 185 | """
 186 | 
 187 | [[audits.arrow_select]]
 188 | who = "Taylor Cramer <cramertj@google.com>"
 189 | criteria = ["ub-risk-3"]
 190 | version = "53.1.0"
 191 | notes = """Reviewed in CL 683334337
 192 | Issues found:
 193 |  - filter_run_end_array needs a patch to check its preconditions https://github.com/apache/arrow-rs/issues/6569
 194 | """
 195 | 
 196 | [[audits.arrow-buffer]]
 197 | who = "Augie Fackler <augie@google.com>"
 198 | criteria = ["ub-risk-2"]
 199 | version = "51.0.0"
 200 | notes = "Reviewed in CL 637904132"
 201 | 
 202 | [[audits.arrow-cast]]
 203 | who = "Augie Fackler <augie@google.com>"
 204 | criteria = ["ub-risk-2"]
 205 | version = "51.0.0"
 206 | notes = "Reviewed in CL 638739847"
 207 | 
 208 | [[audits.arrow-data]]
 209 | who = "Ben Saunders <bsaunders@google.com>"
 210 | criteria = ["ub-risk-3"]
 211 | version = "51.0.0"
 212 | notes = "Reviewed in CL 638739833"
 213 | 
 214 | [[audits.arrow-select]]
 215 | who = "Augie Fackler <augie@google.com>"
 216 | criteria = ["ub-risk-3"]
 217 | version = "51.0.0"
 218 | notes = "Reviewed in CL 638739853"
 219 | 
 220 | [[audits.base64ct]]
 221 | who = "Taylor Cramer <cramertj@google.com>"
 222 | criteria = ["ub-risk-2"]
 223 | version = "1.6.0"
 224 | notes = "Reviewed in CL 592910669"
 225 | 
 226 | [[audits.bit-set]]
 227 | who = [
 228 |     "Manish Goregaokar <manishearth@google.com>",
 229 |     "Augie Fackler <augie@google.com>"
 230 | ]
 231 | criteria = ["ub-risk-2"]
 232 | version = "0.5.3"
 233 | notes = """Reviewed in CL 615008047
 234 | Uses unsafe operations from bit-vec that are not actually unsafe.
 235 | """
 236 | 
 237 | [[audits.bitflags]]
 238 | who = "Taylor Cramer <cramertj@google.com>"
 239 | criteria = ["ub-risk-1", "does-not-implement-crypto"]
 240 | version = "2.3.3"
 241 | notes = "Reviewed in CL 545304270"
 242 | 
 243 | [[audits.brotli]]
 244 | who = "Ben Saunders <bsaunders@google.com>"
 245 | criteria = ["ub-risk-2"]
 246 | version = "3.5.0"
 247 | notes = "Reviewed in CL 641306142"
 248 | 
 249 | [[audits.btoi]]
 250 | who = "Ben Saunders <bsaunders@google.com>"
 251 | criteria = ["ub-risk-0", "does-not-implement-crypto"]
 252 | version = "0.4.3"
 253 | notes = "Reviewed in CL 581228675"
 254 | 
 255 | [[audits.bulletproofs]]
 256 | who = "Manish Goregaokar <manishearth@google.com>"
 257 | criteria = ["ub-risk-0"]
 258 | version = "5.0.0"
 259 | notes = """Reviewed in CL 666491560
 260 | Only unsafe is in tests
 261 | """
 262 | 
 263 | [[audits.bumpalo]]
 264 | who = "Taylor Cramer <cramertj@google.com>"
 265 | criteria = ["ub-risk-2"]
 266 | version = "3.14.0"
 267 | notes = "Reviewed in CL 574186321"
 268 | 
 269 | [[audits.bytecount]]
 270 | who = "Manish Goregaokar <manishearth@google.com>"
 271 | criteria = ["ub-risk-3"]
 272 | version = "0.6.7"
 273 | notes = """Reviewed in CL 596699465
 274 | Is sound, but needs safety docs
 275 | """
 276 | 
 277 | [[audits.bytemuck]]
 278 | who = [
 279 |     "Manish Goregaokar <manishearth@google.com>",
 280 |     "Łukasz Anforowicz <lukasza@google.com>"
 281 | ]
 282 | criteria = ["ub-risk-2", "does-not-implement-crypto"]
 283 | version = "1.13.1"
 284 | notes = "Reviewed in CL 561111794"
 285 | 
 286 | [[audits.byteorder]]
 287 | who = "Alyssa Haroldsen <kupiakos@google.com>"
 288 | criteria = ["ub-risk-3", "does-not-implement-crypto"]
 289 | version = "1.4.3"
 290 | notes = """Reviewed in CL 559206679
 291 | Issues found:
 292 |  - https://github.com/BurntSushi/byteorder/issues/194
 293 | """
 294 | 
 295 | [[audits.caliptra_cfi]]
 296 | who = "Taylor Cramer <cramertj@google.com>"
 297 | criteria = ["ub-risk-4"]
 298 | version = "0.1.0"
 299 | notes = """Reviewed in CL 609792409
 300 | Rating is ub-risk-4 because this crate makes assumptions about single-threadedness.
 301 | However, on the platform it is intended for, this is fine and can be treated as having ub-risk-3.
 302 | Issues found: https://github.com/chipsalliance/caliptra-cfi/pull/10
 303 | """
 304 | 
 305 | [[audits.castaway]]
 306 | who = "Taylor Cramer <cramertj@google.com>"
 307 | criteria = ["ub-risk-2"]
 308 | version = "0.2.3"
 309 | notes = "Reviewed in CL 683065028"
 310 | 
 311 | [[audits.chacha20]]
 312 | who = "<mmaurer@google.com>"
 313 | criteria = ["ub-risk-2"]
 314 | version = "0.9.1"
 315 | notes = "Reviewed in CL 640124703"
 316 | 
 317 | [[audits.chalk_ir]]
 318 | who = "Manish Goregaokar <manishearth@google.com>"
 319 | criteria = ["ub-risk-2"]
 320 | version = "0.92.0"
 321 | notes = "Reviewed in CL 558137822"
 322 | 
 323 | [[audits.chalk_ir]]
 324 | who = "Manish Goregaokar <manishearth@google.com>"
 325 | criteria = ["ub-risk-0"]
 326 | version = "0.95.0"
 327 | notes = "Reviewed in CL 599467162"
 328 | 
 329 | [[audits.clap_lex]]
 330 | who = "Ben Saunders <bsaunders@google.com>"
 331 | criteria = ["ub-risk-3", "does-not-implement-crypto"]
 332 | version = "0.5.0"
 333 | notes = """Reviewed in CL 559377426
 334 | Issues:
 335 |  - Unsound transmutes from OsStr to [u8] (https://github.com/clap-rs/clap/issues/5280)
 336 |  - (optional) Incorrect safety comment (https://github.com/clap-rs/clap/pull/5281)
 337 | """
 338 | 
 339 | [[audits.clap_lex]]
 340 | who = "Manish Goregaokar <manishearth@google.com>"
 341 | criteria = ["ub-risk-3"]
 342 | delta = "0.5.1 -> 0.6.0"
 343 | notes = """Reviewed in CL 596708333
 344 | Issues:
 345 |  - Unsound transmutes from OsStr to [u8] (https://github.com/clap-rs/clap/issues/5280)
 346 |  - (optional) Incorrect safety comment (https://github.com/clap-rs/clap/pull/5281)
 347 | """
 348 | 
 349 | [[audits.clap_lex]]
 350 | who = "Manish Goregaokar <manishearth@google.com>"
 351 | criteria = ["ub-risk-3"]
 352 | delta = "0.7.2 -> 0.7.3"
 353 | notes = "Reviewed in CL 701531434"
 354 | 
 355 | [[audits.clear_on_drop]]
 356 | who = "Manish Goregaokar <manishearth@google.com>"
 357 | criteria = ["ub-risk-3"]
 358 | version = "0.2.5"
 359 | notes = """Reviewed in CL 666491561
 360 | Issues:
 361 |  - Could use some safety comments
 362 |  - Clear::clear() would ideally discard the &mut self and only work with raw pointers to avoid tripping anything around reference validity. Impl is *probably* fine given the way T-opsem is leaning
 363 | """
 364 | 
 365 | [[audits.clru]]
 366 | who = "Ben Saunders <bsaunders@google.com>"
 367 | criteria = ["ub-risk-1", "does-not-implement-crypto"]
 368 | version = "0.6.1"
 369 | notes = "Reviewed in CL 581562557"
 370 | 
 371 | [[audits.command_group]]
 372 | who = "Ben Saunders <bsaunders@google.com>"
 373 | criteria = ["ub-risk-4", "does-not-implement-crypto"]
 374 | version = "2.0.1"
 375 | notes = """Reviewed in CL 561009596
 376 | Issues found:
 377 |  - https://github.com/watchexec/command-group/issues/20
 378 |  - https://github.com/watchexec/command-group/issues/19
 379 | """
 380 | 
 381 | [[audits.compact_str]]
 382 | who = "Augie Fackler <augie@google.com>"
 383 | criteria = ["ub-risk-2"]
 384 | version = "0.7.1"
 385 | notes = "Reviewed in CL 639198555"
 386 | 
 387 | [[audits.console]]
 388 | who = "<devinj@google.com>"
 389 | criteria = ["ub-risk-2"]
 390 | version = "0.15.8"
 391 | notes = "Reviewed in CL 683999046"
 392 | 
 393 | [[audits.constant_time_eq]]
 394 | who = "Ben Saunders <bsaunders@google.com>"
 395 | criteria = ["ub-risk-1", "does-not-implement-crypto"]
 396 | version = "0.3.0"
 397 | notes = "Reviewed in CL 587904821"
 398 | 
 399 | [[audits.constcat]]
 400 | who = "Manish Goregaokar <manishearth@google.com>"
 401 | criteria = ["ub-risk-2"]
 402 | version = "0.5.1"
 403 | notes = "Reviewed in CL 706930648"
 404 | 
 405 | [[audits.countme]]
 406 | who = "Manish Goregaokar <manishearth@google.com>"
 407 | criteria = ["ub-risk-3"]
 408 | version = "3.0.1"
 409 | notes = "Reviewed in CL 558181122"
 410 | 
 411 | [[audits.cranelift-entity]]
 412 | who = "Ben Saunders <bsaunders@google.com>"
 413 | criteria = ["ub-risk-2", "does-not-implement-crypto"]
 414 | version = "0.113.1"
 415 | notes = "Reviewed in CL 698407144"
 416 | 
 417 | [[audits.cranelift-entity]]
 418 | who = "Manish Goregaokar <manishearth@google.com>"
 419 | criteria = ["ub-risk-2", "does-not-implement-crypto"]
 420 | delta = "1.113.1 -> 1.114.0"
 421 | notes = """Reviewed in CL 699228957
 422 | No change in unsafe code since last import
 423 | """
 424 | 
 425 | [[audits.crc32c]]
 426 | who = "Manish Goregaokar <manishearth@google.com>"
 427 | criteria = ["ub-risk-3"]
 428 | version = "0.6.5"
 429 | notes = """Reviewed in CL 608991681
 430 | Does not have much unsafe (some use of hardware intrinsics, one bit of pointer manipulation). However, the unsafe isn't documented enough. Can be upgraded to a rating 2 or 1 with some unsafe documentation.
 431 | """
 432 | 
 433 | [[audits.crc32fast]]
 434 | who = "Manish Goregaokar <manishearth@google.com>"
 435 | criteria = ["ub-risk-2"]
 436 | version = "1.3.2"
 437 | notes = "Reviewed in CL 558895300"
 438 | 
 439 | [[audits.crossterm]]
 440 | who = "Ben Saunders <bsaunders@google.com>"
 441 | criteria = ["ub-risk-3", "does-not-implement-crypto"]
 442 | version = "0.26.1"
 443 | notes = """Reviewed in CL 562140151
 444 | Issues:
 445 |  - Internal API permits buffer overruns (https://github.com/crossterm-rs/crossterm/pull/821)
 446 | """
 447 | 
 448 | [[audits.crossterm]]
 449 | who = "Ben Saunders <bsaunders@google.com>"
 450 | criteria = ["ub-risk-3", "does-not-implement-crypto"]
 451 | delta = "0.26.1 -> 0.27.0"
 452 | notes = """Reviewed in CL 566337315
 453 | Issues:
 454 |  - Internal API permits buffer overruns (https://github.com/crossterm-rs/crossterm/pull/821)
 455 | """
 456 | 
 457 | [[audits.ctor]]
 458 | who = "Ben Saunders <bsaunders@google.com>"
 459 | criteria = ["ub-risk-3", "does-not-implement-crypto"]
 460 | version = "0.2.4"
 461 | notes = """Reviewed in CL 552861146
 462 | Issues found:
 463 |  - https://github.com/mmastrac/rust-ctor/pull/294
 464 |  - https://github.com/mmastrac/rust-ctor/pull/293
 465 | """
 466 | 
 467 | [[audits.ctrlc]]
 468 | who = "Taylor Cramer <cramertj@google.com>"
 469 | criteria = ["ub-risk-3"]
 470 | version = "3.4.0"
 471 | notes = "Reviewed in CL 587904024"
 472 | 
 473 | [[audits.curve25519-dalek]]
 474 | who = "Ben Saunders <bsaunders@google.com>"
 475 | criteria = ["ub-risk-1"]
 476 | version = "4.0.0"
 477 | notes = "Reviewed in CL 557134163"
 478 | 
 479 | [[audits.curve25519-dalek-derive]]
 480 | who = "Ben Saunders <bsaunders@google.com>"
 481 | criteria = ["ub-risk-3", "does-not-implement-crypto"]
 482 | version = "0.1.0"
 483 | notes = """Reviewed in CL 557129495
 484 | Issues found:
 485 |  - https://github.com/dalek-cryptography/curve25519-dalek/issues/563
 486 | """
 487 | 
 488 | [[audits.daemonize]]
 489 | who = "Taylor Cramer <cramertj@google.com>"
 490 | criteria = ["ub-risk-2"]
 491 | version = "0.5.0"
 492 | notes = "Reviewed in CL 670551760"
 493 | 
 494 | [[audits.deduplicating_array]]
 495 | who = "Manish Goregaokar <manishearth@google.com>"
 496 | criteria = ["ub-risk-2", "does-not-implement-crypto"]
 497 | version = "0.1.7"
 498 | notes = """Reviewed in CL 700071397
 499 | Safe, but needs safety comments
 500 | """
 501 | 
 502 | [[audits.deranged]]
 503 | who = "Manish Goregaokar <manishearth@google.com>"
 504 | criteria = ["ub-risk-2"]
 505 | version = "0.3.0"
 506 | notes = "Reviewed in CL 683999039"
 507 | 
 508 | [[audits.deranged]]
 509 | who = "Taylor Cramer <cramertj@google.com>"
 510 | criteria = ["ub-risk-1"]
 511 | version = "0.3.9"
 512 | notes = "Reviewed in CL 579385986"
 513 | 
 514 | [[audits.derive_builder]]
 515 | who = "Manish Goregaokar <manishearth@google.com>"
 516 | criteria = ["ub-risk-0"]
 517 | version = "0.20.0"
 518 | notes = "Reviewed in CL 644303353"
 519 | 
 520 | [[audits.dyn-clone]]
 521 | who = [
 522 |     "Ben Saunders <bsaunders@google.com>",
 523 |     "Augie Fackler <augie@google.com>",
 524 |     "Luca Versari <veluca@google.com>"
 525 | ]
 526 | criteria = ["ub-risk-2"]
 527 | version = "1.0.17"
 528 | notes = "Reviewed in CL 637023476"
 529 | 
 530 | [[audits.encode_unicode]]
 531 | who = "Taylor Cramer <cramertj@google.com>"
 532 | criteria = ["ub-risk-2"]
 533 | version = "1.0.0"
 534 | notes = "Reviewed in CL 683999023"
 535 | 
 536 | [[audits.encoding_rs]]
 537 | who = "Manish Goregaokar <manishearth@google.com>"
 538 | criteria = ["ub-risk-3"]
 539 | version = "0.8.33"
 540 | notes = """Reviewed in CL 605370461
 541 | Needs extensive safety comments:
 542 |  - https://github.com/hsivonen/encoding_rs/pull/101
 543 | """
 544 | 
 545 | [[audits.enumflags2]]
 546 | who = "Ben Saunders <bsaunders@google.com>"
 547 | criteria = ["ub-risk-1", "does-not-implement-crypto"]
 548 | version = "0.7.8"
 549 | notes = "Reviewed in CL 603523557"
 550 | 
 551 | [[audits.errno]]
 552 | who = "Ben Saunders <bsaunders@google.com>"
 553 | criteria = ["ub-risk-2", "does-not-implement-crypto"]
 554 | version = "0.2.8"
 555 | notes = "Reviewed in CL 567624402"
 556 | 
 557 | [[audits.error-chain]]
 558 | who = "Ben Saunders <bsaunders@google.com>"
 559 | criteria = ["ub-risk-2", "does-not-implement-crypto"]
 560 | version = "0.12.4"
 561 | notes = "Reviewed in CL 545732008"
 562 | 
 563 | [[audits.ethnum]]
 564 | who = "Ben Saunders <bsaunders@google.com>"
 565 | criteria = ["ub-risk-4"]
 566 | version = "1.5.0"
 567 | notes = """Reviewed in CL 624267108
 568 | Issues found:
 569 |  - error.rs: Unsoundly transmutes into std error types, making assumptions about stability and layout
 570 |  - fmt.rs: GenericRadix trait should be unsafe
 571 |  - fmt.rs: fmt_u256 has safety comments that are incorrect
 572 | """
 573 | 
 574 | [[audits.fast-float]]
 575 | who = [
 576 |     "Augie Fackler <augie@google.com>",
 577 |     "< manishearth@google.com>"
 578 | ]
 579 | criteria = ["ub-risk-4"]
 580 | version = "0.2.0"
 581 | notes = """Reviewed in 
 582 | Issues found:
 583 |  - https://github.com/aldanor/fast-float-rust/issues/37 (multiple issues)
 584 | """
 585 | 
 586 | [[audits.faster-hex]]
 587 | who = "Ben Saunders <bsaunders@google.com>"
 588 | criteria = ["ub-risk-4", "does-not-implement-crypto"]
 589 | version = "0.8.1"
 590 | notes = """Reviewed in CL 579318683
 591 | Issues found:
 592 | - https://github.com/nervosnetwork/faster-hex/pull/39
 593 | """
 594 | 
 595 | [[audits.fdt]]
 596 | who = "Manish Goregaokar <manishearth@google.com>"
 597 | criteria = ["ub-risk-2"]
 598 | version = "0.1.5"
 599 | notes = """Reviewed in CL 565675584
 600 | No usage of unsafe; one public unsafe function with documented invariants.
 601 | """
 602 | 
 603 | [[audits.filetime]]
 604 | who = "Manish Goregaokar <manishearth@google.com>"
 605 | criteria = ["ub-risk-3", "does-not-implement-crypto"]
 606 | version = "0.2.19"
 607 | notes = "Reviewed in CL 559795004"
 608 | 
 609 | [[audits.fixedbitset]]
 610 | who = "Manish Goregaokar <manishearth@google.com>"
 611 | criteria = ["ub-risk-3"]
 612 | version = "0.2.0"
 613 | notes = "Reviewed in CL 559071858"
 614 | 
 615 | [[audits.flatbuffers]]
 616 | who = "Taylor Cramer <cramertj@google.com>"
 617 | criteria = ["ub-risk-1"]
 618 | version = "23.5.26"
 619 | notes = "Reviewed in CL 638739860"
 620 | 
 621 | [[audits.flate2]]
 622 | who = "Manish Goregaokar <manishearth@google.com>"
 623 | criteria = ["ub-risk-4"]
 624 | version = "1.0.24"
 625 | notes = """Reviewed in CL 558916134
 626 | Issues found:
 627 |  - Uninitialized memory: https://github.com/rust-lang/flate2-rs/pull/373
 628 | Minor code quality suggestions:
 629 |  - Defense in depth on dangling pointers (https://github.com/rust-lang/flate2-rs/issues/379)
 630 |  - set_len usage relies on tricky undocumented invariants (incidentally fixed by PR #373)
 631 | """
 632 | 
 633 | [[audits.flate2]]
 634 | who = "Manish Goregaokar <manishearth@google.com>"
 635 | criteria = ["ub-risk-4"]
 636 | delta = "1.0.24 -> 1.0.27"
 637 | notes = """Reviewed in CL 572611911
 638 | Same review as previous
 639 | """
 640 | 
 641 | [[audits.flate2]]
 642 | who = "Manish Goregaokar <manishearth@google.com>"
 643 | criteria = ["ub-risk-3"]
 644 | delta = "1.0.27 -> 1.0.28"
 645 | notes = """Reviewed in CL 573223148
 646 | Issues from previous review (#379, #220) fixed (PRs #380, #373).
 647 | """
 648 | 
 649 | [[audits.fleetspeak]]
 650 | who = "Manish Goregaokar <manishearth@google.com>"
 651 | criteria = ["ub-risk-3", "does-not-implement-crypto"]
 652 | version = "0.4.0"
 653 | notes = """Reviewed in CL 551181045
 654 | Opens files from file descriptors obtained from potentially untrusted sources. This may be okay depending on your use case, and is a common pattern for IPC, but should be included in your project with care since opening the wrong mmaped fd may cause UB.
 655 | """
 656 | 
 657 | [[audits.font-types]]
 658 | who = "Augie Fackler <augie@google.com>"
 659 | criteria = ["ub-risk-1", "does-not-implement-crypto"]
 660 | version = "0.5.0"
 661 | notes = "Reviewed in CL 617547813"
 662 | 
 663 | [[audits.fragile]]
 664 | who = "Taylor Cramer <cramertj@google.com>"
 665 | criteria = ["ub-risk-4"]
 666 | version = "2.0.0"
 667 | notes = """Reviewed in CL 655309625
 668 | Issues found:
 669 |  - https://github.com/mitsuhiko/fragile/issues/34
 670 | """
 671 | 
 672 | [[audits.gif]]
 673 | who = "Ben Saunders <bsaunders@google.com>"
 674 | criteria = ["ub-risk-1"]
 675 | version = "0.12.1"
 676 | notes = "Reviewed in CL 637680029"
 677 | 
 678 | [[audits.gimli]]
 679 | who = "Manish Goregaokar <manishearth@google.com>"
 680 | criteria = ["ub-risk-2"]
 681 | version = "0.26.2"
 682 | notes = """Reviewed in CL 694412583
 683 | Based off of existing review for 0.31, diff reviewed was *backwards*.
 684 | """
 685 | 
 686 | [[audits.gimli]]
 687 | who = "Manish Goregaokar <manishearth@google.com>"
 688 | criteria = ["ub-risk-2"]
 689 | version = "0.31.0"
 690 | notes = """Reviewed in CL 675488712
 691 | Could have better documented invariants.
 692 | """
 693 | 
 694 | [[audits.gix]]
 695 | who = "Manish Goregaokar <manishearth@google.com>"
 696 | criteria = ["ub-risk-4"]
 697 | version = "0.55.2"
 698 | notes = """Reviewed in CL 581562516
 699 | Issues found:
 700 |  - Unsafe transmute of lifetime (https://github.com/Byron/gitoxide/pull/1154)
 701 |  - Interrupt handler function should be unsafe
 702 | """
 703 | 
 704 | [[audits.gix_packetline]]
 705 | who = "Taylor Cramer <cramertj@google.com>"
 706 | criteria = ["ub-risk-2"]
 707 | version = "0.17.5"
 708 | notes = "Reviewed in CL 651814949"
 709 | 
 710 | [[audits.gix-attributes]]
 711 | who = "<devinj@google.com>"
 712 | criteria = ["ub-risk-4"]
 713 | version = "0.22.2"
 714 | notes = """Reviewed in CL 653264864
 715 | Issues found:
 716 |  - https://github.com/Byron/gitoxide/issues/1460
 717 | """
 718 | 
 719 | [[audits.gix-commitgraph]]
 720 | who = "Manish Goregaokar <manishearth@google.com>"
 721 | criteria = ["ub-risk-3"]
 722 | version = "0.22.0"
 723 | notes = "Reviewed in CL 581562496"
 724 | 
 725 | [[audits.gix-config-value]]
 726 | who = "Manish Goregaokar <manishearth@google.com>"
 727 | criteria = ["ub-risk-3"]
 728 | version = "0.14.0"
 729 | notes = "Reviewed in CL 581042137"
 730 | 
 731 | [[audits.gix-features]]
 732 | who = "Ben Saunders <bsaunders@google.com>"
 733 | criteria = ["ub-risk-4", "does-not-implement-crypto"]
 734 | version = "0.36.0"
 735 | notes = """Reviewed in CL 580908504
 736 | Issues:
 737 |  - Illegal mutable aliasing (https://github.com/Byron/gitoxide/pull/1115)
 738 | """
 739 | 
 740 | [[audits.gix-filter]]
 741 | who = "Taylor Cramer <cramertj@google.com>"
 742 | criteria = ["ub-risk-2"]
 743 | version = "0.11.2"
 744 | notes = "Reviewed in CL 652491636"
 745 | 
 746 | [[audits.gix-filter]]
 747 | who = "Manish Goregaokar <manishearth@google.com>"
 748 | criteria = ["ub-risk-2"]
 749 | delta = "0.11.3 -> 0.13.0"
 750 | notes = """Reviewed in CL 666834466
 751 | No change to unsafe code
 752 | """
 753 | 
 754 | [[audits.gix-hash]]
 755 | who = "Taylor Cramer <cramertj@google.com>"
 756 | criteria = ["ub-risk-2"]
 757 | version = "0.13.1"
 758 | notes = "Reviewed in CL 580781568"
 759 | 
 760 | [[audits.gix-index]]
 761 | who = "Ben Saunders <bsaunders@google.com>"
 762 | criteria = ["ub-risk-2-thorough", "does-not-implement-crypto"]
 763 | version = "0.26.0"
 764 | notes = """Reviewed in CL 581562538
 765 | Relies on mmap'd file being untouched externally.
 766 | """
 767 | 
 768 | [[audits.gix-index]]
 769 | who = "Manish Goregaokar <manishearth@google.com>"
 770 | criteria = ["ub-risk-2"]
 771 | delta = "0.27.1 -> 0.33.0"
 772 | notes = "Reviewed in CL 636423069"
 773 | 
 774 | [[audits.gix-pack]]
 775 | who = "Taylor Cramer <cramertj@google.com>"
 776 | criteria = ["ub-risk-4"]
 777 | version = "0.44.0"
 778 | notes = """Reviewed in CL 581562540
 779 | Issues:
 780 |  - https://github.com/Byron/gitoxide/pull/113
 781 |  - https://github.com/Byron/gitoxide/pull/1115
 782 |  - https://github.com/Byron/gitoxide/pull/1116
 783 | """
 784 | 
 785 | [[audits.gix-pack]]
 786 | who = "Manish Goregaokar <manishearth@google.com>"
 787 | criteria = ["ub-risk-4"]
 788 | delta = "0.44.0 -> 0.45.0"
 789 | notes = """Reviewed in CL 594331347
 790 | Issues found:
 791 |  - https://github.com/Byron/gitoxide/pull/1230
 792 |  - https://github.com/Byron/gitoxide/issues/1231
 793 | (previously found issues have been fixed)
 794 | """
 795 | 
 796 | [[audits.gix-ref]]
 797 | who = "Manish Goregaokar <manishearth@google.com>"
 798 | criteria = ["ub-risk-2-thorough"]
 799 | version = "0.38.0"
 800 | notes = "Reviewed in CL 581562488"
 801 | 
 802 | [[audits.gix-ref]]
 803 | who = "Manish Goregaokar <manishearth@google.com>"
 804 | criteria = ["ub-risk-2"]
 805 | version = "0.47.0"
 806 | notes = """Reviewed in CL 666834467
 807 | Uses mmap, otherwise minimal use of unsafe, well commented
 808 | """
 809 | 
 810 | [[audits.gix-revision]]
 811 | who = "Taylor Cramer <cramertj@google.com>"
 812 | criteria = ["ub-risk-2"]
 813 | version = "0.23.0"
 814 | notes = "Reviewed in CL 581562502"
 815 | 
 816 | [[audits.gix-revision]]
 817 | who = "Manish Goregaokar <manishearth@google.com>"
 818 | criteria = ["ub-risk-2"]
 819 | delta = "0.23.0 -> 0.24.0"
 820 | notes = "Reviewed in CL 594331337"
 821 | 
 822 | [[audits.gix-revision]]
 823 | who = "Ben Saunders <bsaunders@google.com>"
 824 | criteria = ["ub-risk-1", "does-not-implement-crypto"]
 825 | version = "0.29.0"
 826 | notes = "Reviewed in CL 666885060"
 827 | 
 828 | [[audits.gix-sec]]
 829 | who = "Taylor Cramer <cramertj@google.com>"
 830 | criteria = ["ub-risk-2"]
 831 | version = "0.10.0"
 832 | notes = "Reviewed in CL 581046394"
 833 | 
 834 | [[audits.gix-tempfile]]
 835 | who = "Manish Goregaokar <manishearth@google.com>"
 836 | criteria = ["ub-risk-3"]
 837 | version = "11.0.0"
 838 | notes = "Reviewed in CL 581562529"
 839 | 
 840 | [[audits.gix-tempfile]]
 841 | who = "Manish Goregaokar <manishearth@google.com>"
 842 | criteria = ["ub-risk-3"]
 843 | delta = "11.0.1 -> 14.0.0"
 844 | notes = "Reviewed in CL 636941982"
 845 | 
 846 | [[audits.goblin]]
 847 | who = "Ben Saunders <bsaunders@google.com>"
 848 | criteria = ["ub-risk-1"]
 849 | version = "0.8.0"
 850 | notes = "Reviewed in CL 642006818"
 851 | 
 852 | [[audits.half]]
 853 | who = "Ben Saunders <bsaunders@google.com>"
 854 | criteria = ["ub-risk-3", "does-not-implement-crypto"]
 855 | version = "1.8.2"
 856 | notes = """Reviewed in CL 590192561
 857 | Issues found:
 858 |  - The `set_len`s in slice.rs and vec.rs are premature and create uninitialized vectors
 859 |  - (internal safety) f16x4_to_f32x4 and f16x4_to_f32x4_x86_f16c do not enforce i.len() > 4. Should be marked unsafe
 860 | (no issues filed, all of the issues appear to be fixed on GitHub main)
 861 | """
 862 | 
 863 | [[audits.half]]
 864 | who = "Ben Saunders <bsaunders@google.com>"
 865 | criteria = ["ub-risk-1"]
 866 | version = "1.8.3"
 867 | notes = "Reviewed in CL 590192561"
 868 | 
 869 | [[audits.half]]
 870 | who = "Ben Saunders <bsaunders@google.com>"
 871 | criteria = ["ub-risk-1"]
 872 | version = "2.4.0"
 873 | notes = "Reviewed in CL 610738461"
 874 | 
 875 | [[audits.halfbrown]]
 876 | who = "Augie Fackler <augie@google.com>"
 877 | criteria = ["ub-risk-4"]
 878 | version = "0.2.5"
 879 | notes = "Reviewed in CL 659834502"
 880 | 
 881 | [[audits.hashlink]]
 882 | who = "<mmaurer@google.com>"
 883 | criteria = ["ub-risk-2"]
 884 | version = "0.9.0"
 885 | notes = "Reviewed in CL 649389159"
 886 | 
 887 | [[audits.home]]
 888 | who = "Manish Goregaokar <manishearth@google.com>"
 889 | criteria = ["ub-risk-2"]
 890 | version = "0.5.4"
 891 | notes = "Reviewed in CL 559796554"
 892 | 
 893 | [[audits.home]]
 894 | who = "Augie Fackler <augie@google.com>"
 895 | criteria = ["ub-risk-2", "does-not-implement-crypto"]
 896 | delta = "0.5.4 -> 0.5.5"
 897 | notes = "Reviewed in CL 566644164"
 898 | 
 899 | [[audits.hoot]]
 900 | who = "Ben Saunders <bsaunders@google.com>"
 901 | criteria = ["ub-risk-3", "does-not-implement-crypto"]
 902 | version = "0.1.3"
 903 | notes = """Reviewed in CL 607320079
 904 | Issues found:
 905 |  - https://github.com/algesten/hoot/issues/2 (fixed in https://github.com/algesten/hoot/pull/3)
 906 | """
 907 | 
 908 | [[audits.hoot]]
 909 | who = "Ben Saunders <bsaunders@google.com>"
 910 | criteria = ["ub-risk-1", "does-not-implement-crypto"]
 911 | version = "0.1.4"
 912 | notes = "Reviewed in CL 607320079"
 913 | 
 914 | [[audits.hound]]
 915 | who = "Manish Goregaokar <manishearth@google.com>"
 916 | criteria = ["ub-risk-4"]
 917 | version = "3.5.0"
 918 | notes = """Reviewed in CL 564508706
 919 | Issues found:
 920 |  - https://github.com/ruuda/hound/pull/58
 921 | """
 922 | 
 923 | [[audits.html-escape]]
 924 | who = "Ben Saunders <bsaunders@google.com>"
 925 | criteria = ["ub-risk-4", "does-not-implement-crypto"]
 926 | version = "0.2.13"
 927 | notes = """Reviewed in CL 612354454
 928 | Issues found:
 929 |  - decode_impl macro should have "unsafe" in its name and document the safety at callsites
 930 |  - write_hex_to_vec: The Vec::set_len is UB and should only be called after filling the buffer.
 931 | """
 932 | 
 933 | [[audits.http]]
 934 | who = "Taylor Cramer <cramertj@google.com>"
 935 | criteria = ["ub-risk-2"]
 936 | version = "1.49.0"
 937 | notes = "Reviewed in CL 588379811"
 938 | 
 939 | [[audits.httparse]]
 940 | who = "Ben Saunders <bsaunders@google.com>"
 941 | criteria = ["ub-risk-4"]
 942 | delta = "1.8.0 -> 1.9.4"
 943 | notes = """Reviewed in CL 648994349
 944 | Issues found:
 945 |  - https://github.com/seanmonstar/httparse/issues/177
 946 |  -Parsing code would be improved with an API that combines peeking and advancing
 947 | """
 948 | 
 949 | [[audits.hyper]]
 950 | who = [
 951 |     "Manish Goregaokar <manishearth@google.com>",
 952 |     "Augie Fackler <augie@google.com>"
 953 | ]
 954 | criteria = ["ub-risk-4"]
 955 | version = "1.0.1"
 956 | notes = """Reviewed in CL 588384310
 957 | Issues found:
 958 |  - https://github.com/hyperium/hyper/pull/3498
 959 |  - https://github.com/hyperium/hyper/issues/3556
 960 |  - https://github.com/hyperium/hyper/issues/3500 
 961 | (probably not a real issue)
 962 |  - https://github.com/hyperium/hyper/issues/3554 (documentation)
 963 | """
 964 | 
 965 | [[audits.hyper-util]]
 966 | who = "Ben Saunders <bsaunders@google.com>"
 967 | criteria = ["ub-risk-2"]
 968 | version = "0.1.3"
 969 | notes = "Reviewed in CL 605631967"
 970 | 
 971 | [[audits.igvm]]
 972 | who = "Ben Saunders <bsaunders@google.com>"
 973 | criteria = ["ub-risk-1"]
 974 | version = "0.3.0"
 975 | notes = "Reviewed in CL 660125968"
 976 | 
 977 | [[audits.image]]
 978 | who = "Taylor Cramer <cramertj@google.com>"
 979 | criteria = ["ub-risk-2"]
 980 | version = "0.24.6"
 981 | notes = "Reviewed in CL 559198279"
 982 | 
 983 | [[audits.imara_diff]]
 984 | who = "Taylor Cramer <cramertj@google.com>"
 985 | criteria = ["ub-risk-2"]
 986 | version = "0.1.7"
 987 | notes = "Reviewed in CL 657293942"
 988 | 
 989 | [[audits.imara-diff]]
 990 | who = "Taylor Cramer <cramertj@google.com>"
 991 | criteria = ["ub-risk-4"]
 992 | version = "0.1.5"
 993 | notes = "Reviewed in CL 581562578"
 994 | 
 995 | [[audits.indexmap]]
 996 | who = "Taylor Cramer <cramertj@google.com>"
 997 | criteria = ["ub-risk-2"]
 998 | version = "2.2.6"
 999 | notes = "Reviewed in CL 629033781"
1000 | 
1001 | [[audits.inotify]]
1002 | who = "Manish Goregaokar <manishearth@google.com>"
1003 | criteria = ["ub-risk-2"]
1004 | version = "0.9.6"
1005 | notes = "Reviewed in CL 562731461"
1006 | 
1007 | [[audits.inst]]
1008 | who = "Manish Goregaokar <manishearth@google.com>"
1009 | criteria = ["ub-risk-2"]
1010 | delta = "1.40.0 -> 1.41.1"
1011 | notes = """Reviewed in CL 698174008
1012 | One usage of unsafe, could have safety comments
1013 | """
1014 | 
1015 | [[audits.insta]]
1016 | who = "Taylor Cramer <cramertj@google.com>"
1017 | criteria = ["ub-risk-1"]
1018 | version = "1.29.0"
1019 | notes = "Reviewed in CL 554440331"
1020 | 
1021 | [[audits.intrusive-collections]]
1022 | who = "Taylor Cramer <cramertj@google.com>"
1023 | criteria = ["ub-risk-3"]
1024 | version = "0.9.6"
1025 | notes = "Reviewed in CL 638226392"
1026 | 
1027 | [[audits.is_executable]]
1028 | who = "Taylor Cramer <cramertj@google.com>"
1029 | criteria = ["ub-risk-2"]
1030 | version = "1.0.4"
1031 | notes = "Reviewed in CL 696533953"
1032 | 
1033 | [[audits.is-terminal]]
1034 | who = "Luca Versari <veluca@google.com>"
1035 | criteria = ["ub-risk-2"]
1036 | version = "0.4.13"
1037 | notes = "Reviewed in CL 666758546"
1038 | 
1039 | [[audits.itertools]]
1040 | who = "Ben Saunders <bsaunders@google.com>"
1041 | criteria = ["ub-risk-1", "does-not-implement-crypto"]
1042 | version = "0.11.0"
1043 | notes = "Reviewed in CL 566337310"
1044 | 
1045 | [[audits.itoap]]
1046 | who = "Augie Fackler <augie@google.com>"
1047 | criteria = ["ub-risk-2"]
1048 | version = "1.0.1"
1049 | notes = "Reviewed in CL 649662185"
1050 | 
1051 | [[audits.jiff]]
1052 | who = "Taylor Cramer <cramertj@google.com>"
1053 | criteria = ["ub-risk-2"]
1054 | version = "0.1.0"
1055 | notes = "Reviewed in CL 666672133"
1056 | 
1057 | [[audits.jiter]]
1058 | who = "Ben Saunders <bsaunders@google.com>"
1059 | criteria = ["ub-risk-2", "does-not-implement-crypto"]
1060 | version = "0.0.6"
1061 | notes = "Reviewed in CL 615051835"
1062 | 
1063 | [[audits.jj_cli]]
1064 | who = "Taylor Cramer <cramertj@google.com>"
1065 | criteria = ["ub-risk-2"]
1066 | version = "0.11.0"
1067 | notes = "Reviewed in CL 586453800"
1068 | 
1069 | [[audits.jj_cli]]
1070 | who = "Taylor Cramer <cramertj@google.com>"
1071 | criteria = ["ub-risk-1"]
1072 | version = "0.8.0"
1073 | notes = "Reviewed in CL 558944141"
1074 | 
1075 | [[audits.jj_lib]]
1076 | who = "Taylor Cramer <cramertj@google.com>"
1077 | criteria = ["ub-risk-2"]
1078 | version = "0.11.0"
1079 | notes = "Reviewed in CL 586453800"
1080 | 
1081 | [[audits.jj-cli]]
1082 | who = "Ben Saunders <bsaunders@google.com>"
1083 | criteria = ["ub-risk-2", "does-not-implement-crypto"]
1084 | version = "0.8.0"
1085 | notes = "Reviewed in CL 554583176"
1086 | 
1087 | [[audits.js-sys]]
1088 | who = "Taylor Cramer <cramertj@google.com>"
1089 | criteria = ["ub-risk-2"]
1090 | version = "0.3.69"
1091 | notes = "Reviewed in CL 652404154"
1092 | 
1093 | [[audits.js-sys]]
1094 | who = "Manish Goregaokar <manishearth@google.com>"
1095 | criteria = ["ub-risk-2"]
1096 | delta = "0.3.69 -> 0.3.70"
1097 | notes = """Reviewed in CL 696447614
1098 | Minor changes since last review
1099 | """
1100 | 
1101 | [[audits.keccak]]
1102 | who = "Manish Goregaokar <manishearth@google.com>"
1103 | criteria = ["ub-risk-2"]
1104 | version = "0.1.5"
1105 | notes = "Reviewed in CL 636605237"
1106 | 
1107 | [[audits.kstring]]
1108 | who = "<devinj@google.com>"
1109 | criteria = ["ub-risk-3"]
1110 | version = "2.0.0"
1111 | notes = """Reviewed in CL 653263733
1112 | Issues found:
1113 |  - Should use repr(C) union to get correct layout: https://github.com/cobalt-org/kstring/pull/77.
1114 |  - Ideally the HeapStr trait should be unsafe, but this is a local issue since the trait is sealed.
1115 | """
1116 | 
1117 | [[audits.kstring]]
1118 | who = "<devinj@google.com>"
1119 | criteria = ["ub-risk-2"]
1120 | delta = "2.0.0 -> 2.0.1"
1121 | notes = "Reviewed in CL 655475274"
1122 | 
1123 | [[audits.kvm-ioctls]]
1124 | who = "Manish Goregaokar <manishearth@google.com>"
1125 | criteria = ["ub-risk-3"]
1126 | version = "0.14.0"
1127 | notes = "Reviewed in CL 549307303"
1128 | 
1129 | [[audits.kvm-ioctls]]
1130 | who = "Manish Goregaokar <manishearth@google.com>"
1131 | criteria = ["ub-risk-3"]
1132 | version = "0.14.0"
1133 | notes = "Reviewed in CL 565655079"
1134 | 
1135 | [[audits.kvm-ioctls]]
1136 | who = "Manish Goregaokar <manishearth@google.com>"
1137 | criteria = ["ub-risk-3"]
1138 | delta = "0.15.0 -> 0.17.0"
1139 | notes = "Reviewed in CL 634689649"
1140 | 
1141 | [[audits.lexical]]
1142 | who = "Taylor Cramer <cramertj@google.com>"
1143 | criteria = ["ub-risk-4", "does-not-implement-crypto"]
1144 | version = "6.1.1"
1145 | notes = """Reviewed in CL 545304248
1146 | Many issues found across the `lexical` family of crates:
1147 |  - https://github.com/Alexhuszagh/rust-lexical/pull/103
1148 |  - https://github.com/Alexhuszagh/rust-lexical/issues/104
1149 |  - https://github.com/Alexhuszagh/rust-lexical/issues/101
1150 |  - https://github.com/Alexhuszagh/rust-lexical/issues/95
1151 |  - Beyond the above issues, review was not completed on the unchecked indexing
1152 | """
1153 | 
1154 | [[audits.lexical_parse_integer]]
1155 | who = "Ben Saunders <bsaunders@google.com>"
1156 | criteria = ["ub-risk-4", "does-not-implement-crypto"]
1157 | version = "0.8.6"
1158 | notes = """Reviewed in CL 545304272
1159 | See notes on lexical crate.
1160 | """
1161 | 
1162 | [[audits.lexical_parse_integer]]
1163 | who = "Ben Saunders <bsaunders@google.com>"
1164 | criteria = ["ub-risk-4", "does-not-implement-crypto"]
1165 | version = "0.8.6"
1166 | notes = """Reviewed in CL 545304281
1167 | See notes on lexical crate.
1168 | """
1169 | 
1170 | [[audits.lexical_util]]
1171 | who = "Manish Goregaokar <manishearth@google.com>"
1172 | criteria = ["ub-risk-4", "does-not-implement-crypto"]
1173 | version = "0.8.5"
1174 | notes = """Reviewed in CL 545304267
1175 | See notes on lexical crate.
1176 | """
1177 | 
1178 | [[audits.lexical_write_float]]
1179 | who = "Manish Goregaokar <manishearth@google.com>"
1180 | criteria = ["ub-risk-4", "does-not-implement-crypto"]
1181 | version = "0.8.5"
1182 | notes = """Reviewed in CL 545304258
1183 | See notes on lexical crate.
1184 | """
1185 | 
1186 | [[audits.lexical-core]]
1187 | who = "Manish Goregaokar <manishearth@google.com>"
1188 | criteria = ["ub-risk-3", "does-not-implement-crypto"]
1189 | version = "0.8.5"
1190 | notes = """Reviewed in CL 545304290
1191 | See notes on lexical crate.
1192 | """
1193 | 
1194 | [[audits.lexical-write-integer]]
1195 | who = "Manish Goregaokar <manishearth@google.com>"
1196 | criteria = ["ub-risk-4", "does-not-implement-crypto"]
1197 | version = "0.8.5"
1198 | notes = """Reviewed in CL 545304293
1199 | See notes on lexical crate.
1200 | """
1201 | 
1202 | [[audits.libc]]
1203 | who = "Ben Saunders <bsaunders@google.com>"
1204 | criteria = ["ub-risk-4"]
1205 | delta = "0.2.150 -> 0.2.153"
1206 | notes = "Reviewed in CL 622219230"
1207 | 
1208 | [[audits.libfuzz-sys]]
1209 | who = "Taylor Cramer <cramertj@google.com>"
1210 | criteria = ["ub-risk-3"]
1211 | delta = "0.4.4 -> 0.4.5"
1212 | notes = """Reviewed in CL 562889777
1213 | Issues found:
1214 | - https://github.com/rust-fuzz/libfuzzer/issues/112
1215 | - https://github.com/rust-fuzz/libfuzzer/issues/113
1216 | """
1217 | 
1218 | [[audits.libfuzzer-sys]]
1219 | who = "Ben Saunders <bsaunders@google.com>"
1220 | criteria = ["ub-risk-1", "does-not-implement-crypto"]
1221 | version = "0.4.7"
1222 | notes = "Reviewed in CL 564731033"
1223 | 
1224 | [[audits.libloading]]
1225 | who = "Taylor Cramer <cramertj@google.com>"
1226 | criteria = ["ub-risk-2"]
1227 | version = "0.8.0"
1228 | notes = "Reviewed in CL 562765830"
1229 | 
1230 | [[audits.libproc]]
1231 | who = "Taylor Cramer <cramertj@google.com>"
1232 | criteria = ["ub-risk-4"]
1233 | version = "0.14.8"
1234 | notes = """Reviewed in CL 650620517
1235 | Issues found:
1236 |  - `pidinfo` buffer is inferred as `c_void` and is therefore too small
1237 |  - `PIDFDInfo` and `PIDRUsage` should be `unsafe trait`s
1238 | """
1239 | 
1240 | [[audits.libshpool]]
1241 | who = "Manish Goregaokar <manishearth@google.com>"
1242 | criteria = ["ub-risk-2"]
1243 | version = "0.3.3"
1244 | notes = "Reviewed in CL 580903771"
1245 | 
1246 | [[audits.libshpool]]
1247 | who = "Manish Goregaokar <manishearth@google.com>"
1248 | criteria = ["ub-risk-2"]
1249 | version = "0.5.0"
1250 | notes = "Reviewed in CL 609436265"
1251 | 
1252 | [[audits.libsqlite3-sys]]
1253 | who = "<mmaurer@google.com>"
1254 | criteria = ["ub-risk-2"]
1255 | version = "0.28.0"
1256 | notes = "Reviewed in CL 649389160"
1257 | 
1258 | [[audits.line-index]]
1259 | who = "Taylor Cramer <cramertj@google.com>"
1260 | criteria = ["ub-risk-2"]
1261 | version = "0.1.0"
1262 | notes = "Reviewed in CL 562882288"
1263 | 
1264 | [[audits.line-index]]
1265 | who = "Ben Saunders <bsaunders@google.com>"
1266 | criteria = ["ub-risk-2"]
1267 | version = "0.1.1"
1268 | notes = "Reviewed in CL 599482318"
1269 | 
1270 | [[audits.linux-loader]]
1271 | who = "Taylor Cramer <cramertj@google.com>"
1272 | criteria = ["ub-risk-2", "does-not-implement-crypto"]
1273 | version = "0.9.0"
1274 | notes = "Reviewed in CL 548095317"
1275 | 
1276 | [[audits.linux-loader]]
1277 | who = "Manish Goregaokar <manishearth@google.com>"
1278 | criteria = ["ub-risk-2"]
1279 | delta = "0.9.0 -> 0.10.0"
1280 | notes = "Reviewed in CL 600836074"
1281 | 
1282 | [[audits.linux-raw-sys]]
1283 | who = "Ben Saunders <bsaunders@google.com>"
1284 | criteria = ["ub-risk-2", "does-not-implement-crypto"]
1285 | version = "0.4.10"
1286 | notes = "Reviewed in CL 581059097"
1287 | 
1288 | [[audits.lock_api]]
1289 | who = "Taylor Cramer <cramertj@google.com>"
1290 | criteria = ["ub-risk-2"]
1291 | delta = "0.4.9 -> 0.4.10"
1292 | notes = "Reviewed in CL 563851550"
1293 | 
1294 | [[audits.log]]
1295 | who = "Ben Saunders <bsaunders@google.com>"
1296 | criteria = ["ub-risk-1", "does-not-implement-crypto"]
1297 | version = "0.4.20"
1298 | notes = "Reviewed in CL 563853923"
1299 | 
1300 | [[audits.malloced]]
1301 | who = "Ben Saunders <bsaunders@google.com>"
1302 | criteria = ["ub-risk-2"]
1303 | version = "1.3.1"
1304 | notes = "Reviewed in CL 604812730"
1305 | 
1306 | [[audits.matchers]]
1307 | who = "Manish Goregaokar <manishearth@google.com>"
1308 | criteria = ["ub-risk-2"]
1309 | version = "0.1.0"
1310 | notes = """Reviewed in CL 639804665
1311 | Has relatively straightforward invariant, but invariant could be documented further. Filed PR: https://github.com/hawkw/matchers/pull/9
1312 | """
1313 | 
1314 | [[audits.memchr]]
1315 | who = "Manish Goregaokar <manishearth@google.com>"
1316 | criteria = ["ub-risk-2", "does-not-implement-crypto"]
1317 | version = "2.6.3"
1318 | notes = """Reviewed in CL 563868651
1319 | Second review would be appreciated.
1320 | """
1321 | 
1322 | [[audits.memfd]]
1323 | who = "Ben Saunders <bsaunders@google.com>"
1324 | criteria = ["ub-risk-2", "does-not-implement-crypto"]
1325 | version = "0.6.4"
1326 | notes = "Reviewed in CL 703568697"
1327 | 
1328 | [[audits.memoffset]]
1329 | who = "Taylor Cramer <cramertj@google.com>"
1330 | criteria = ["ub-risk-3"]
1331 | version = "0.9.0"
1332 | notes = "Reviewed in CL 555491937"
1333 | 
1334 | [[audits.merlin]]
1335 | who = "Ben Saunders <bsaunders@google.com>"
1336 | criteria = ["ub-risk-4"]
1337 | version = "3.0.0"
1338 | notes = """Reviewed in CL 660103172
1339 | Issues found:
1340 |  - https://github.com/zkcrypto/merlin/pull/7
1341 | """
1342 | 
1343 | [[audits.minifier]]
1344 | who = "Manish Goregaokar <manishearth@google.com>"
1345 | criteria = ["ub-risk-4"]
1346 | version = "0.2.3"
1347 | notes = """Reviewed in CL 577203072
1348 | Issues found:
1349 |  - https://github.com/GuillaumeGomez/minifier-rs/issues/105
1350 | """
1351 | 
1352 | [[audits.nanorand]]
1353 | who = "Ben Saunders <bsaunders@google.com>"
1354 | criteria = ["ub-risk-1", "does-not-implement-crypto"]
1355 | version = "0.7.0"
1356 | notes = "Reviewed in CL 562503105"
1357 | 
1358 | [[audits.nix]]
1359 | who = "Manish Goregaokar <manishearth@google.com>"
1360 | criteria = ["ub-risk-3"]
1361 | delta = "0.26.1 -> 0.28.0"
1362 | notes = """Reviewed in CL 622222105
1363 | (The rating differs from the previous once since I feel that the crate needs much more safety comments)
1364 | """
1365 | 
1366 | [[audits.nix]]
1367 | who = "Taylor Cramer <cramertj@google.com>"
1368 | criteria = ["ub-risk-2"]
1369 | version = "0.26.2"
1370 | notes = "Reviewed in CL 552861153"
1371 | 
1372 | [[audits.notify]]
1373 | who = "Taylor Cramer <cramertj@google.com>"
1374 | criteria = ["ub-risk-2"]
1375 | version = "6.1.1"
1376 | notes = "Reviewed in CL 562731464"
1377 | 
1378 | [[audits.nu_ansi_term]]
1379 | who = "Taylor Cramer <cramertj@google.com>"
1380 | criteria = ["ub-risk-2"]
1381 | version = "0.49.0"
1382 | notes = "Reviewed in CL 585090965"
1383 | 
1384 | [[audits.num_enum_derive]]
1385 | who = "Taylor Cramer <cramertj@google.com>"
1386 | criteria = ["ub-risk-2"]
1387 | version = "0.7.2"
1388 | notes = "Reviewed in CL 647708155"
1389 | 
1390 | [[audits.num_traits]]
1391 | who = "Manish Goregaokar <manishearth@google.com>"
1392 | criteria = ["ub-risk-2"]
1393 | version = "0.2.15"
1394 | notes = "Reviewed in CL 558869499"
1395 | 
1396 | [[audits.num_traits]]
1397 | who = "Taylor Cramer <cramertj@google.com>"
1398 | criteria = ["ub-risk-2"]
1399 | delta = "0.2.15 -> 0.2.16"
1400 | notes = "Reviewed in CL 562140156"
1401 | 
1402 | [[audits.num-bigint-dig]]
1403 | who = "Manish Goregaokar <manishearth@google.com>"
1404 | criteria = ["ub-risk-3"]
1405 | version = "0.8.4"
1406 | notes = """Reviewed in CL 598457101
1407 | Issues found:
1408 |  - to_str_radix_reversed is required to return a valid string by unsafe code, but this is not documented, nor is it easy to verify. It should probably return a String (at least internally), and have better safety documentation, or a double check when converting from UTF8
1409 | """
1410 | 
1411 | [[audits.numpy]]
1412 | who = "<devinj@google.com>"
1413 | criteria = ["ub-risk-4"]
1414 | delta = "0.20.0 -> 0.21.0"
1415 | notes = """Reviewed in CL 683848897
1416 | Issues found:
1417 |  - to_owned_array needs to be unsafe as it can introduce aliasing UB
1418 |  - Review incomplete: pervasive undocumented unsafety
1419 | """
1420 | 
1421 | [[audits.object]]
1422 | who = "Manish Goregaokar <manishearth@google.com>"
1423 | criteria = ["ub-risk-1"]
1424 | version = "0.32.0"
1425 | notes = "Reviewed in CL 558738698"
1426 | 
1427 | [[audits.owo-colors]]
1428 | who = "Manish Goregaokar <manishearth@google.com>"
1429 | criteria = ["ub-risk-4"]
1430 | version = "3.5.0"
1431 | notes = """Reviewed in CL 683999019
1432 | Issues found:
1433 |  - Unsafe code relies on const promotion. This *may* actually be sound in a const context, however it's not a huge deal since it's easy to patch: https://github.com/jam1garner/owo-colors/pull/131
1434 | """
1435 | 
1436 | [[audits.owo-colors]]
1437 | who = "Manish Goregaokar <manishearth@google.com>"
1438 | criteria = ["ub-risk-4"]
1439 | version = "4.1.0"
1440 | notes = """Reviewed in CL 683999019
1441 | Issues found:
1442 |  - Unsafe code relies on const promotion. This *may* actually be sound in a const context, however it's not a huge deal since it's easy to patch: https://github.com/jam1garner/owo-colors/pull/131
1443 | """
1444 | 
1445 | [[audits.parquet]]
1446 | who = "Manish Goregaokar <manishearth@google.com>"
1447 | criteria = ["ub-risk-4"]
1448 | version = "51.0.0"
1449 | notes = "Reviewed in CL 642798209"
1450 | 
1451 | [[audits.perf_event]]
1452 | who = "Taylor Cramer <cramertj@google.com>"
1453 | criteria = ["ub-risk-2"]
1454 | version = "0.4.8"
1455 | notes = "Reviewed in CL 583996666"
1456 | 
1457 | [[audits.perf-event-open-sys]]
1458 | who = "Taylor Cramer <cramertj@google.com>"
1459 | criteria = ["ub-risk-2"]
1460 | version = "4.0.0"
1461 | notes = "Reviewed in CL 583996664"
1462 | 
1463 | [[audits.petgraph]]
1464 | who = "Taylor Cramer <cramertj@google.com>"
1465 | criteria = ["ub-risk-3"]
1466 | version = "0.5.1"
1467 | notes = """Reviewed in CL 558142733
1468 | Issues found:
1469 | - https://github.com/petgraph/petgraph/pull/404
1470 | - https://github.com/petgraph/petgraph/issues/582
1471 | """
1472 | 
1473 | [[audits.planus]]
1474 | who = "Taylor Cramer <cramertj@google.com>"
1475 | criteria = ["ub-risk-3"]
1476 | version = "0.3.1"
1477 | notes = """Reviewed in CL 702424963
1478 | Issues found:
1479 |  - Some traits should be unsafe https://github.com/planus-org/planus/issues/276
1480 | """
1481 | 
1482 | [[audits.polars]]
1483 | who = "Manish Goregaokar <manishearth@google.com>"
1484 | criteria = ["ub-risk-0"]
1485 | version = "0.38.3"
1486 | notes = """Reviewed in CL 645917709
1487 | No unsafe code outside of tests.
1488 | """
1489 | 
1490 | [[audits.polars-arrow-format]]
1491 | who = "Taylor Cramer <cramertj@google.com>"
1492 | criteria = ["ub-risk-2"]
1493 | version = "0.1.0"
1494 | notes = "Reviewed in CL 703108664"
1495 | 
1496 | [[audits.polars-io]]
1497 | who = "Manish Goregaokar <manishearth@google.com>"
1498 | criteria = ["ub-risk-4"]
1499 | version = "0.38.3"
1500 | notes = """Reviewed in CL 645900171
1501 | No actual unsoundness was found, however this crate was rather hard to review, with a lot of usages of unsafe in the CSV parser that seemed gratuitous, and uncommented. Rating can be lowered when someone can find the time to review this.
1502 | """
1503 | 
1504 | [[audits.polars-json]]
1505 | who = "Manish Goregaokar <manishearth@google.com>"
1506 | criteria = ["ub-risk-4"]
1507 | version = "0.38.3"
1508 | notes = """Reviewed in CL 671839126
1509 | issues found:
1510 |  - Unsafe code relies on entirely undocumented invariants pervasive in code around only ever producing UTF8 bytes. Code should be updated to use `&mut String`
1511 |  - https://github.com/pola-rs/polars/pull/18725
1512 | """
1513 | 
1514 | [[audits.polars-plan]]
1515 | who = "Ben Saunders <bsaunders@google.com>"
1516 | criteria = ["ub-risk-4"]
1517 | version = "0.38.3"
1518 | notes = """Reviewed in CL 653608525
1519 | Issues found:
1520 |  - Unprotected public `static mut`s read in safe code
1521 |  - Review incomplete: pervasive undocumented unsafety
1522 | """
1523 | 
1524 | [[audits.polars-row]]
1525 | who = "Augie Fackler <augie@google.com>"
1526 | criteria = ["ub-risk-3"]
1527 | version = "0.38.3"
1528 | notes = "Reviewed in CL 644011025"
1529 | 
1530 | [[audits.polars-time]]
1531 | who = "Taylor Cramer <cramertj@google.com>"
1532 | criteria = ["ub-risk-4"]
1533 | version = "0.38.3"
1534 | notes = """Reviewed in CL 645900204
1535 | mem::transmute of ParseError is unsound and unnecessary.
1536 | """
1537 | 
1538 | [[audits.polars-time]]
1539 | who = "Taylor Cramer <cramertj@google.com>"
1540 | criteria = ["ub-risk-2"]
1541 | version = "0.38.3"
1542 | notes = "Reviewed in CL 645900204"
1543 | 
1544 | [[audits.polars-utils]]
1545 | who = "Augie Fackler <augie@google.com>"
1546 | criteria = ["ub-risk-2", "does-not-implement-crypto"]
1547 | version = "0.38.3"
1548 | notes = "Reviewed in CL 636679479"
1549 | 
1550 | [[audits.pollster]]
1551 | who = "Manish Goregaokar <manishearth@google.com>"
1552 | criteria = ["ub-risk-2"]
1553 | version = "0.3.0"
1554 | notes = """Reviewed in CL 581562576
1555 | Usage of unsafe is fine, but crate can be 100% safe: https://github.com/zesterer/pollster/pull/23
1556 | """
1557 | 
1558 | [[audits.postcard]]
1559 | who = "Manish Goregaokar <manishearth@google.com>"
1560 | criteria = ["ub-risk-2"]
1561 | delta = "1.0.10 -> 1.1.1"
1562 | notes = "Reviewed in CL 707054899"
1563 | 
1564 | [[audits.postcard]]
1565 | who = "Manish Goregaokar <manishearth@google.com>"
1566 | criteria = ["ub-risk-2"]
1567 | delta = "1.0.2 -> 1.0.10"
1568 | notes = "Reviewed in CL 698047950"
1569 | 
1570 | [[audits.powerfmt]]
1571 | who = "Taylor Cramer <cramertj@google.com>"
1572 | criteria = ["ub-risk-1"]
1573 | version = "0.2.0"
1574 | notes = "Reviewed in CL 578897702"
1575 | 
1576 | [[audits.process-wrap]]
1577 | who = "Augie Fackler <augie@google.com>"
1578 | criteria = ["ub-risk-3"]
1579 | version = "8.0.2"
1580 | notes = "Reviewed in CL 640811587"
1581 | 
1582 | [[audits.proptest]]
1583 | who = "Manish Goregaokar <manishearth@google.com>"
1584 | criteria = ["ub-risk-3"]
1585 | version = "0.10.1"
1586 | notes = """Reviewed in CL 615011355
1587 | Not safe with hardware_rng feature on platforms without RDRAND support. Should bubble up the invariant or have a feature test assertion
1588 | """
1589 | 
1590 | [[audits.pulldown_cmark]]
1591 | who = "Manish Goregaokar <manishearth@google.com>"
1592 | criteria = ["ub-risk-2"]
1593 | version = "0.8.0"
1594 | notes = "Reviewed in CL 669013210"
1595 | 
1596 | [[audits.pulldown-cmark]]
1597 | who = "Manish Goregaokar <manishearth@google.com>"
1598 | criteria = ["ub-risk-2"]
1599 | version = "0.9.3"
1600 | notes = "Reviewed in CL 555491415"
1601 | 
1602 | [[audits.pulldown-cmark-escape]]
1603 | who = "Augie Fackler <augie@google.com>"
1604 | criteria = ["ub-risk-2"]
1605 | version = "0.11.0"
1606 | notes = "Reviewed in CL 658107045"
1607 | 
1608 | [[audits.pyo3_macros]]
1609 | who = "Taylor Cramer <cramertj@google.com>"
1610 | criteria = ["ub-risk-0"]
1611 | version = "0.20.3"
1612 | notes = "Reviewed in CL 616043931"
1613 | 
1614 | [[audits.pyo3_macros_backend]]
1615 | who = "Taylor Cramer <cramertj@google.com>"
1616 | criteria = ["ub-risk-2"]
1617 | version = "0.23.1"
1618 | notes = "Reviewed in CL 697590460"
1619 | 
1620 | [[audits.ra_ap_ide_db]]
1621 | who = "<devinj@google.com>"
1622 | criteria = ["ub-risk-2"]
1623 | version = "0.0.241"
1624 | notes = "Reviewed in CL 694853573"
1625 | 
1626 | [[audits.ra_ap_rust-analyzer]]
1627 | who = "Ben Saunders <bsaunders@google.com>"
1628 | criteria = ["ub-risk-2", "does-not-implement-crypto"]
1629 | version = "0.0.241"
1630 | notes = "Reviewed in CL 694923973"
1631 | 
1632 | [[audits.ra_ap_rustc_abi]]
1633 | who = "Taylor Cramer <cramertj@google.com>"
1634 | criteria = ["ub-risk-2"]
1635 | version = "0.75.0"
1636 | notes = "Reviewed in CL 693823235"
1637 | 
1638 | [[audits.ra_ap_salsa]]
1639 | who = "Luca Versari <veluca@google.com>"
1640 | criteria = ["ub-risk-2"]
1641 | version = "0.0.241"
1642 | notes = "Reviewed in CL 694114488"
1643 | 
1644 | [[audits.ra_ap_stdx]]
1645 | who = "Taylor Cramer <cramertj@google.com>"
1646 | criteria = ["ub-risk-2"]
1647 | version = "0.0.241"
1648 | notes = "Reviewed in CL 694057205"
1649 | 
1650 | [[audits.rand_xorshift]]
1651 | who = "Augie Fackler <augie@google.com>"
1652 | criteria = ["ub-risk-2", "does-not-implement-crypto"]
1653 | version = "0.2.0"
1654 | notes = "Reviewed in CL 615005895"
1655 | 
1656 | [[audits.read-fonts]]
1657 | who = "Taylor Cramer <cramertj@google.com>"
1658 | criteria = ["ub-risk-1"]
1659 | version = "0.15.6"
1660 | notes = "Reviewed in CL 611302616"
1661 | 
1662 | [[audits.realfft]]
1663 | who = "Taylor Cramer <cramertj@google.com>"
1664 | criteria = ["ub-risk-2"]
1665 | version = "3.3.0"
1666 | notes = "Reviewed in CL 564478712"
1667 | 
1668 | [[audits.ref-cast]]
1669 | who = "Taylor Cramer <cramertj@google.com>"
1670 | criteria = ["ub-risk-2"]
1671 | version = "1.0.20"
1672 | notes = "Reviewed in CL 585449372"
1673 | 
1674 | [[audits.ref-cast-impl]]
1675 | who = "Manish Goregaokar <manishearth@google.com>"
1676 | criteria = ["ub-risk-2"]
1677 | version = "1.0.20"
1678 | notes = "Reviewed in CL 585449373"
1679 | 
1680 | [[audits.regex_automata]]
1681 | who = "Taylor Cramer <cramertj@google.com>"
1682 | criteria = ["ub-risk-1"]
1683 | version = "0.3.8"
1684 | notes = "Reviewed in CL 563876644"
1685 | 
1686 | [[audits.regex_automata]]
1687 | who = "Ben Saunders <bsaunders@google.com>"
1688 | criteria = ["ub-risk-1"]
1689 | delta = "0.3.8 -> 0.4.3"
1690 | notes = "Reviewed in CL 576161259"
1691 | 
1692 | [[audits.regex-automata]]
1693 | who = "Manish Goregaokar <manishearth@google.com>"
1694 | criteria = ["ub-risk-1"]
1695 | delta = "0.4.8 -> 0.4.9"
1696 | notes = """Reviewed in CL 701879630
1697 | Built on top of previous diff reviews
1698 | """
1699 | 
1700 | [[audits.rinja_derive]]
1701 | who = "Manish Goregaokar <manishearth@google.com>"
1702 | criteria = ["ub-risk-3"]
1703 | version = "0.3.5"
1704 | notes = """Reviewed in CL 691465402
1705 | The unsafe code is mostly in from_utf8_unchecked calls. It does not appear to be particularly performance-necessary, and the crate could use clearer tracking of these invariants. One bit of unsafe code relies on code in rinja_parser continuing to be ASCII-only.
1706 | """
1707 | 
1708 | [[audits.rinja_parser]]
1709 | who = "Manish Goregaokar <manishearth@google.com>"
1710 | criteria = ["ub-risk-3"]
1711 | version = "0.3.5"
1712 | notes = """Reviewed in CL 691465401
1713 | Review done alongside rinja_derive.
1714 | The unsafe code is mostly in from_utf8_unchecked calls. It does not appear to be particularly performance-necessary, and the crate could use clearer tracking of these invariants. One bit of unsafe code relies on code in rinja_parser continuing to be ASCII-only.
1715 | """
1716 | 
1717 | [[audits.rpassword]]
1718 | who = "Ben Saunders <bsaunders@google.com>"
1719 | criteria = ["ub-risk-2", "does-not-implement-crypto"]
1720 | version = "7.3.1"
1721 | notes = "Reviewed in CL 702377827"
1722 | 
1723 | [[audits.rubato]]
1724 | who = "Taylor Cramer <cramertj@google.com>"
1725 | criteria = ["ub-risk-3"]
1726 | version = "0.14.1"
1727 | notes = "Reviewed in CL 570228314"
1728 | 
1729 | [[audits.rusqlite]]
1730 | who = "<mmaurer@google.com>"
1731 | criteria = ["ub-risk-3"]
1732 | version = "0.32.0"
1733 | notes = """Reviewed in CL 649389163
1734 | Issues found:
1735 |  - https://github.com/rusqlite/rusqlite/issues/1546
1736 |  - Technically, free_boxed_value should use catch_unwind (minor)
1737 | """
1738 | 
1739 | [[audits.rustybuzz]]
1740 | who = "Manish Goregaokar <manishearth@google.com>"
1741 | criteria = ["ub-risk-0"]
1742 | version = "0.12.0"
1743 | notes = """Reviewed in CL 649338374
1744 | Only unsafe is in examples
1745 | """
1746 | 
1747 | [[audits.ruzstd]]
1748 | who = "Manish Goregaokar <manishearth@google.com>"
1749 | criteria = ["ub-risk-2"]
1750 | version = "0.4.0"
1751 | notes = """Reviewed in CL 557876502
1752 | Issues found:
1753 |  - https://github.com/KillingSpark/zstd-rs/issues/44
1754 |  - extend_from_within_unchecked_branchless is hard to review but it's currently dead code
1755 | """
1756 | 
1757 | [[audits.ruzstd]]
1758 | who = "Manish Goregaokar <manishearth@google.com>"
1759 | criteria = ["ub-risk-2"]
1760 | version = "0.6.0"
1761 | notes = "Reviewed in CL 615772489"
1762 | 
1763 | [[audits.ryu-js]]
1764 | who = "Ben Saunders <bsaunders@google.com>"
1765 | criteria = ["ub-risk-3", "does-not-implement-crypto"]
1766 | version = "0.2.2"
1767 | notes = """Reviewed in CL 589126213
1768 | Issues found:
1769 |  - Internal unsoundness around the invariants of q and i in f2s_intrinsics.rs
1770 |  - Unclear bounds checking around get_unchecked in s2d.rs
1771 | """
1772 | 
1773 | [[audits.scroll]]
1774 | who = "Taylor Cramer <cramertj@google.com>"
1775 | criteria = ["ub-risk-2"]
1776 | version = "0.12.0"
1777 | notes = "Reviewed in CL 642006817"
1778 | 
1779 | [[audits.seccompiler]]
1780 | who = "Ben Saunders <bsaunders@google.com>"
1781 | criteria = ["ub-risk-1", "does-not-implement-crypto"]
1782 | version = "0.3.0"
1783 | notes = "Reviewed in CL 547754248"
1784 | 
1785 | [[audits.serde_bser]]
1786 | who = "Ben Saunders <bsaunders@google.com>"
1787 | criteria = ["ub-risk-2"]
1788 | version = "0.4.0"
1789 | notes = "Reviewed in CL 696305035"
1790 | 
1791 | [[audits.serde_jcs]]
1792 | who = "Augie Fackler <augie@google.com>"
1793 | criteria = ["ub-risk-3", "does-not-implement-crypto"]
1794 | version = "0.1.0"
1795 | notes = "Reviewed in CL 590122717"
1796 | 
1797 | [[audits.sha1_smol]]
1798 | who = "Manish Goregaokar <manishearth@google.com>"
1799 | criteria = ["ub-risk-2"]
1800 | version = "1.0.0"
1801 | notes = "Reviewed in CL 581562531"
1802 | 
1803 | [[audits.shlex]]
1804 | who = [
1805 |     "Manish Goregaokar <manishearth@google.com>",
1806 |     "Augie Fackler <augie@google.com>"
1807 | ]
1808 | criteria = ["ub-risk-3"]
1809 | version = "1.3.0"
1810 | notes = """Reviewed in CL 600742555
1811 | This crate appears safe, but it's not clear that the unchecked utf8 stuff is necessary given the use case, and it relies on undocumented invariants from the bytes iterator code. Would be nice to have these properties documented and fuzz tested.
1812 | """
1813 | 
1814 | [[audits.shpool_pty]]
1815 | who = "Ben Saunders <bsaunders@google.com>"
1816 | criteria = ["ub-risk-4"]
1817 | version = "0.1.0"
1818 | notes = """Reviewed in CL 578198476
1819 | Issues:
1820 |  - Data race in Fork::new
1821 | """
1822 | 
1823 | [[audits.shpool_pty]]
1824 | who = "Ben Saunders <bsaunders@google.com>"
1825 | criteria = ["ub-risk-4", "does-not-implement-crypto"]
1826 | version = "0.2.1"
1827 | notes = "Reviewed in CL 578198476"
1828 | 
1829 | [[audits.shpool_pty]]
1830 | who = "Ben Saunders <bsaunders@google.com>"
1831 | criteria = ["ub-risk-2-thorough", "does-not-implement-crypto"]
1832 | version = "0.3.0"
1833 | notes = "Reviewed in CL 578198476"
1834 | 
1835 | [[audits.simd-json]]
1836 | who = "Ben Saunders <bsaunders@google.com>"
1837 | criteria = ["ub-risk-4"]
1838 | version = "0.13.10"
1839 | notes = """Reviewed in CL 661175961
1840 | Issues found:
1841 |  - Review incomplete: Pervasive undocumented unsafety.
1842 | """
1843 | 
1844 | [[audits.simple_logger]]
1845 | who = "Manish Goregaokar <manishearth@google.com>"
1846 | criteria = ["ub-risk-2"]
1847 | version = "4.3.3"
1848 | notes = """Reviewed in CL 706757224
1849 | Uses unsafe for interfacing with Windows tty APIs
1850 | """
1851 | 
1852 | [[audits.skrifa]]
1853 | who = "Augie Fackler <augie@google.com>"
1854 | criteria = ["ub-risk-2", "does-not-implement-crypto"]
1855 | version = "0.16.0"
1856 | notes = "Reviewed in CL 614825012"
1857 | 
1858 | [[audits.slotmap]]
1859 | who = "Augie Fackler <augie@google.com>"
1860 | criteria = ["ub-risk-2"]
1861 | version = "1.0.6"
1862 | notes = "Reviewed in CL 647314509"
1863 | 
1864 | [[audits.smallvec]]
1865 | who = "Manish Goregaokar <manishearth@google.com>"
1866 | criteria = ["ub-risk-3", "does-not-implement-crypto"]
1867 | version = "1.11.0"
1868 | notes = "Reviewed in CL 552492992"
1869 | 
1870 | [[audits.smol_str]]
1871 | who = "Manish Goregaokar <manishearth@google.com>"
1872 | criteria = ["ub-risk-3"]
1873 | version = "0.2.0"
1874 | notes = "Reviewed in CL 558187227"
1875 | 
1876 | [[audits.speedate]]
1877 | who = "Manish Goregaokar <manishearth@google.com>"
1878 | criteria = ["ub-risk-2"]
1879 | version = "0.13.0"
1880 | notes = """Reviewed in CL 614967252
1881 | Would be rather straightforward to add safety comments
1882 | """
1883 | 
1884 | [[audits.sptr]]
1885 | who = "Augie Fackler <augie@google.com>"
1886 | criteria = ["ub-risk-2"]
1887 | version = "0.3.2"
1888 | notes = "Reviewed in CL 660053567"
1889 | 
1890 | [[audits.strck]]
1891 | who = "Manish Goregaokar <manishearth@google.com>"
1892 | criteria = ["ub-risk-1"]
1893 | version = "1.0.0"
1894 | notes = "Reviewed in CL 685732460"
1895 | 
1896 | [[audits.swc_atoms]]
1897 | who = "Manish Goregaokar <manishearth@google.com>"
1898 | criteria = ["ub-risk-2", "does-not-implement-crypto"]
1899 | version = "0.5.7"
1900 | notes = "Reviewed in CL 547104864"
1901 | 
1902 | [[audits.swc_common]]
1903 | who = "Manish Goregaokar <manishearth@google.com>"
1904 | criteria = ["ub-risk-3", "does-not-implement-crypto"]
1905 | version = "0.31.17"
1906 | notes = """Reviewed in CL 547720673
1907 | Issues found:
1908 |  - https://github.com/swc-project/swc/issues/7709
1909 | """
1910 | 
1911 | [[audits.swc_ecma_ast]]
1912 | who = "Manish Goregaokar <manishearth@google.com>"
1913 | criteria = ["ub-risk-2"]
1914 | version = "0.107.0"
1915 | notes = "Reviewed in CL 545304253"
1916 | 
1917 | [[audits.swc_ecma_parser]]
1918 | who = "Manish Goregaokar <manishearth@google.com>"
1919 | criteria = ["ub-risk-4"]
1920 | version = "0.137.1"
1921 | notes = """Reviewed in CL 545304254
1922 | Issues found:
1923 |  - https://github.com/swc-project/swc/issues/7797
1924 |  - https://github.com/swc-project/swc/issues/7752
1925 | """
1926 | 
1927 | [[audits.swc_visit]]
1928 | who = "Taylor Cramer <cramertj@google.com>"
1929 | criteria = ["ub-risk-2", "does-not-implement-crypto"]
1930 | version = "0.5.7"
1931 | notes = "Reviewed in CL 546872016"
1932 | 
1933 | [[audits.syn]]
1934 | who = "Ben Saunders <bsaunders@google.com>"
1935 | criteria = ["ub-risk-2", "does-not-implement-crypto"]
1936 | version = "2.0.29"
1937 | notes = "Reviewed in CL 559769881"
1938 | 
1939 | [[audits.sync_wrapper]]
1940 | who = "Taylor Cramer <cramertj@google.com>"
1941 | criteria = ["ub-risk-1"]
1942 | version = "0.1.2"
1943 | notes = "Reviewed in CL 605332043"
1944 | 
1945 | [[audits.tar]]
1946 | who = "Taylor Cramer <cramertj@google.com>"
1947 | criteria = ["ub-risk-2"]
1948 | version = "0.4.0"
1949 | notes = "Reviewed in CL 627536088"
1950 | 
1951 | [[audits.tar]]
1952 | who = "Manish Goregaokar <manishearth@google.com>"
1953 | criteria = ["ub-risk-2"]
1954 | delta = "0.4.40 -> 0.4.42"
1955 | notes = "Reviewed in CL 688729490"
1956 | 
1957 | [[audits.tfhe]]
1958 | who = "Taylor Cramer <cramertj@google.com>"
1959 | criteria = ["ub-risk-3"]
1960 | version = "0.3.1"
1961 | notes = """Reviewed in CL 557823618
1962 | Issues found:
1963 |  - https://github.com/zama-ai/tfhe-rs/issues/526
1964 | """
1965 | 
1966 | [[audits.time-macros]]
1967 | who = "Ben Saunders <bsaunders@google.com>"
1968 | criteria = ["ub-risk-2", "does-not-implement-crypto"]
1969 | version = "0.2.15"
1970 | notes = "Reviewed in CL 580962188"
1971 | 
1972 | [[audits.tokenizers]]
1973 | who = "Manish Goregaokar <manishearth@google.com>"
1974 | criteria = ["ub-risk-4"]
1975 | version = "0.19.1"
1976 | notes = """Reviewed in CL 684450749
1977 | Issues found:
1978 |  - UB with static mut https://github.com/huggingface/tokenizers/issues/1491
1979 |  - underdocumented safety invariants in cases that need more documentation (PR in https://github.com/huggingface/tokenizers/pull/1651)
1980 | """
1981 | 
1982 | [[audits.tokenizers]]
1983 | who = "Manish Goregaokar <manishearth@google.com>"
1984 | criteria = ["ub-risk-3"]
1985 | version = "0.20.1"
1986 | notes = """Reviewed in CL 684450749
1987 | Issues found:
1988 |  - underdocumented safety invariants in cases that need more documentation (PR in https://github.com/huggingface/tokenizers/pull/1651)
1989 | """
1990 | 
1991 | [[audits.tokenizers-python]]
1992 | who = "Taylor Cramer <cramertj@google.com>"
1993 | criteria = ["ub-risk-2"]
1994 | version = "0.20.1"
1995 | notes = "Reviewed in CL 687963248"
1996 | 
1997 | [[audits.toml_edit]]
1998 | who = "Manish Goregaokar <manishearth@google.com>"
1999 | criteria = ["ub-risk-3"]
2000 | version = "0.22.12"
2001 | notes = """Reviewed in CL 628398549
2002 | Issues found:
2003 |  - Better documented safety: https://github.com/toml-rs/toml/pull/720
2004 |  - Unclear on mll_quotes and mlb_quotes being safe
2005 | """
2006 | 
2007 | [[audits.tracing]]
2008 | who = "Taylor Cramer <cramertj@google.com>"
2009 | criteria = ["ub-risk-4"]
2010 | version = "0.1.39"
2011 | notes = """Reviewed in CL 573852894
2012 | Issues found:
2013 |  - https://github.com/tokio-rs/tracing/pull/2765
2014 | """
2015 | 
2016 | [[audits.tracing-core]]
2017 | who = "Ben Saunders <bsaunders@google.com>"
2018 | criteria = ["ub-risk-2", "does-not-implement-crypto"]
2019 | version = "0.1.30"
2020 | notes = "Reviewed in CL 555490997"
2021 | 
2022 | [[audits.tracing-core]]
2023 | who = "Manish Goregaokar <manishearth@google.com>"
2024 | criteria = ["ub-risk-2"]
2025 | delta = "0.1.30 -> 0.1.32"
2026 | notes = "Reviewed in CL 573852436"
2027 | 
2028 | [[audits.tracing-log]]
2029 | who = "Ben Saunders <bsaunders@google.com>"
2030 | criteria = ["ub-risk-2", "does-not-implement-crypto"]
2031 | version = "0.2.0"
2032 | notes = "Reviewed in CL 585090968"
2033 | 
2034 | [[audits.transpose]]
2035 | who = "Ben Saunders <bsaunders@google.com>"
2036 | criteria = ["ub-risk-2", "does-not-implement-crypto"]
2037 | version = "0.2.2"
2038 | notes = "Reviewed in CL 551680548"
2039 | 
2040 | [[audits.triomphe]]
2041 | who = "Taylor Cramer <cramertj@google.com>"
2042 | criteria = ["ub-risk-3", "does-not-implement-crypto"]
2043 | version = "0.1.8"
2044 | notes = """Reviewed in CL 545304280
2045 | Issues found:
2046 | - https://github.com/Manishearth/triomphe/pull/62
2047 | """
2048 | 
2049 | [[audits.triomphe]]
2050 | who = "Taylor Cramer <cramertj@google.com>"
2051 | criteria = ["ub-risk-2", "does-not-implement-crypto"]
2052 | version = "0.1.9"
2053 | notes = "Reviewed in CL 545304280"
2054 | 
2055 | [[audits.typed-arena]]
2056 | who = "Taylor Cramer <cramertj@google.com>"
2057 | criteria = ["ub-risk-2", "does-not-implement-crypto"]
2058 | version = "2.0.2"
2059 | notes = "Reviewed in CL 545304268"
2060 | 
2061 | [[audits.uds]]
2062 | who = "Manish Goregaokar <manishearth@google.com>"
2063 | criteria = ["ub-risk-3", "does-not-implement-crypto"]
2064 | version = "0.2.6"
2065 | notes = """Reviewed in CL 552861165
2066 | Issues found:
2067 | - https://github.com/tormol/uds/issues/11
2068 | - https://github.com/tormol/uds/pull/9, https://github.com/tormol/uds/pull/10
2069 | - https://github.com/tormol/uds/issues/12
2070 | """
2071 | 
2072 | [[audits.uds]]
2073 | who = [
2074 |     "Manish Goregaokar <manishearth@google.com>",
2075 |     "Augie Fackler <augie@google.com>",
2076 |     "<mmaurer@google.com>"
2077 | ]
2078 | criteria = ["ub-risk-4"]
2079 | version = "0.4.1"
2080 | notes = """Reviewed in CL 568546769
2081 | Issues found:
2082 |  - https://github.com/tormol/uds/pull/14
2083 |  - https://github.com/tormol/uds/pull/15
2084 |  - https://github.com/tormol/uds/issues/16
2085 |  - https://github.com/tormol/uds/issues/17
2086 | """
2087 | 
2088 | [[audits.ufmt]]
2089 | who = "Taylor Cramer <cramertj@google.com>"
2090 | criteria = ["ub-risk-3"]
2091 | version = "0.2.0"
2092 | notes = "Reviewed in CL 587894431"
2093 | 
2094 | [[audits.ufmt-write]]
2095 | who = "Ben Saunders <bsaunders@google.com>"
2096 | criteria = ["ub-risk-4", "does-not-implement-crypto"]
2097 | version = "0.1.0"
2098 | notes = """Reviewed in CL 587772035
2099 | Issues found:
2100 | - https://github.com/japaric/ufmt/pull/60
2101 | """
2102 | 
2103 | [[audits.unicode-bom]]
2104 | who = "Manish Goregaokar <manishearth@google.com>"
2105 | criteria = ["ub-risk-2"]
2106 | version = "2.0.2"
2107 | notes = "Reviewed in CL 581562581"
2108 | 
2109 | [[audits.unicode-reverse]]
2110 | who = "Ben Saunders <bsaunders@google.com>"
2111 | criteria = ["ub-risk-1"]
2112 | version = "1.0.8"
2113 | notes = "Reviewed in CL 622744657"
2114 | 
2115 | [[audits.utf8parse]]
2116 | who = "Augie Fackler <augie@google.com>"
2117 | criteria = ["ub-risk-3"]
2118 | version = "0.2.1"
2119 | notes = "Reviewed in CL 559131770"
2120 | 
2121 | [[audits.vfio-bindings]]
2122 | who = "Taylor Cramer <cramertj@google.com>"
2123 | criteria = ["ub-risk-2", "does-not-implement-crypto"]
2124 | version = "0.3.1"
2125 | notes = "Reviewed in CL 545971960"
2126 | 
2127 | [[audits.vfio-ioctls]]
2128 | who = "Ben Saunders <bsaunders@google.com>"
2129 | criteria = ["ub-risk-2", "does-not-implement-crypto"]
2130 | version = "0.1.0"
2131 | notes = "Reviewed in CL 545971961"
2132 | 
2133 | [[audits.vhost]]
2134 | who = "Manish Goregaokar <manishearth@google.com>"
2135 | criteria = ["ub-risk-2"]
2136 | version = "0.7.0"
2137 | notes = "Reviewed in CL 546255068"
2138 | 
2139 | [[audits.vhost]]
2140 | who = "Manish Goregaokar <manishearth@google.com>"
2141 | criteria = ["ub-risk-4"]
2142 | version = "0.8.0"
2143 | notes = """Reviewed in CL 559359624
2144 | Issues found:
2145 |  - https://github.com/rust-vmm/vhost/pull/184
2146 | """
2147 | 
2148 | [[audits.vhost]]
2149 | who = "Manish Goregaokar <manishearth@google.com>"
2150 | criteria = ["ub-risk-3"]
2151 | version = "0.8.1"
2152 | notes = "Reviewed in CL 559359624"
2153 | 
2154 | [[audits.vhost-user-backend]]
2155 | who = "Manish Goregaokar <manishearth@google.com>"
2156 | criteria = ["ub-risk-2"]
2157 | version = "0.10.1"
2158 | notes = "Reviewed in CL 559122379"
2159 | 
2160 | [[audits.virtio]]
2161 | who = "Taylor Cramer <cramertj@google.com>"
2162 | criteria = ["ub-risk-1"]
2163 | version = "0.2.1"
2164 | notes = "Reviewed in CL 557159752"
2165 | 
2166 | [[audits.virtio-queue]]
2167 | who = "Augie Fackler <augie@google.com>"
2168 | criteria = ["ub-risk-2"]
2169 | delta = "0.9.0 -> 0.12.0"
2170 | notes = "Reviewed in CL 634659048"
2171 | 
2172 | [[audits.virtiofsd]]
2173 | who = "Manish Goregaokar <manishearth@google.com>"
2174 | criteria = ["ub-risk-3", "does-not-implement-crypto"]
2175 | version = "1.6.1"
2176 | notes = """Reviewed in CL 548811972
2177 | Issues found:
2178 |  - https://gitlab.com/virtio-fs/virtiofsd/-/issues/113 (only an issue for library users)
2179 | """
2180 | 
2181 | [[audits.vm-memory]]
2182 | who = "Manish Goregaokar <manishearth@google.com>"
2183 | criteria = ["ub-risk-3"]
2184 | version = "0.12.1"
2185 | notes = """Reviewed in CL 556862067
2186 | Issues found:
2187 |  - https://github.com/rust-vmm/vm-memory/issues/250
2188 | """
2189 | 
2190 | [[audits.vm-memory]]
2191 | who = "Manish Goregaokar <manishearth@google.com>"
2192 | criteria = ["ub-risk-2"]
2193 | version = "0.12.1"
2194 | notes = """Reviewed in CL 556862067
2195 | Issues from previous review fixed
2196 | """
2197 | 
2198 | [[audits.vm-memory]]
2199 | who = "Ben Saunders <bsaunders@google.com>"
2200 | criteria = ["ub-risk-4", "does-not-implement-crypto"]
2201 | version = "0.13.1"
2202 | notes = """Reviewed in CL 595684339
2203 | Issues found:
2204 | - https://github.com/rust-vmm/vm-memory/issues/281
2205 | """
2206 | 
2207 | [[audits.vmm_sys_util]]
2208 | who = "Ben Saunders <bsaunders@google.com>"
2209 | criteria = ["ub-risk-2", "does-not-implement-crypto"]
2210 | version = "0.12.1"
2211 | notes = "Reviewed in CL 599627630"
2212 | 
2213 | [[audits.vte]]
2214 | who = "Manish Goregaokar <manishearth@google.com>"
2215 | criteria = ["ub-risk-4"]
2216 | version = "0.12.0"
2217 | notes = """Reviewed in CL 579243289
2218 | Issues found:
2219 |  - https://github.com/alacritty/vte/pull/102
2220 | """
2221 | 
2222 | [[audits.wasefire-applet-api]]
2223 | who = "Taylor Cramer <cramertj@google.com>"
2224 | criteria = ["ub-risk-2"]
2225 | version = "0.7.0"
2226 | notes = "Reviewed in CL 699241799"
2227 | 
2228 | [[audits.wasefire-applet-api-desc]]
2229 | who = "Manish Goregaokar <manishearth@google.com>"
2230 | criteria = ["ub-risk-2", "does-not-implement-crypto"]
2231 | version = "0.2.1"
2232 | notes = """Reviewed in CL 699230688
2233 | Would be nice to have comments
2234 | """
2235 | 
2236 | [[audits.wasm-bindgen]]
2237 | who = "<mmaurer@google.com>"
2238 | criteria = ["ub-risk-2"]
2239 | version = "0.2.92"
2240 | notes = "Reviewed in CL 643989424"
2241 | 
2242 | [[audits.wasm-bindgen]]
2243 | who = "Manish Goregaokar <manishearth@google.com>"
2244 | criteria = ["ub-risk-2"]
2245 | delta = "0.2.92 -> 0.2.93"
2246 | notes = """Reviewed in CL 695250202
2247 | Not much unsafe diff from last review
2248 | """
2249 | 
2250 | [[audits.wasm-bindgen-backend]]
2251 | who = "<mmaurer@google.com>"
2252 | criteria = ["ub-risk-2"]
2253 | version = "0.2.92"
2254 | notes = "Reviewed in CL 643989422"
2255 | 
2256 | [[audits.wasm-bindgen-backend]]
2257 | who = "Manish Goregaokar <manishearth@google.com>"
2258 | criteria = ["ub-risk-2"]
2259 | delta = "0.2.92 -> 0.2.93"
2260 | notes = "Reviewed in CL 695250202"
2261 | 
2262 | [[audits.wasm-bindgen-futures]]
2263 | who = "Ben Saunders <bsaunders@google.com>"
2264 | criteria = ["ub-risk-2"]
2265 | version = "0.4.43"
2266 | notes = "Reviewed in CL 696456463"
2267 | 
2268 | [[audits.wasm-bindgen-macro]]
2269 | who = "<mmaurer@google.com>"
2270 | criteria = ["ub-risk-1"]
2271 | version = "0.2.92"
2272 | notes = "Reviewed in CL 643989420"
2273 | 
2274 | [[audits.winnow]]
2275 | who = "Taylor Cramer <cramertj@google.com>"
2276 | criteria = ["ub-risk-2"]
2277 | version = "0.5.19"
2278 | notes = "Reviewed in CL 581220347"
2279 | 
2280 | [[audits.xlsynth]]
2281 | who = "Manish Goregaokar <manishearth@google.com>"
2282 | criteria = ["ub-risk-3"]
2283 | version = "0.0.11"
2284 | notes = """Reviewed in CL 644646753
2285 | - Uses dlsym for FFI, could use more safety docs separating dlsym unsafety from C API unsafety
2286 | """
2287 | 
2288 | [[audits.xlsynth]]
2289 | who = "Luca Versari <veluca@google.com>"
2290 | criteria = ["ub-risk-4"]
2291 | version = "0.29.0"
2292 | notes = "Reviewed in CL 684413090"
2293 | 
2294 | [[audits.xxhash-rust]]
2295 | who = "Taylor Cramer <cramertj@google.com>"
2296 | criteria = ["ub-risk-4"]
2297 | version = "0.8.6"
2298 | notes = """Reviewed in CL 552861145
2299 | Many internal functions that are `unsafe` to call are not marked `unsafe`.
2300 | See https://github.com/DoumanAsh/xxhash-rust/issues/29
2301 | """
2302 | 
2303 | [[audits.yansi]]
2304 | who = "Ben Saunders <bsaunders@google.com>"
2305 | criteria = ["ub-risk-2", "does-not-implement-crypto"]
2306 | version = "1.0.1"
2307 | notes = "Reviewed in CL 705950806"
2308 | 
2309 | [[audits.yansi-term]]
2310 | who = "<devinj@google.com>"
2311 | criteria = ["ub-risk-2"]
2312 | version = "0.1.2"
2313 | notes = "Reviewed in CL 701084302"
2314 | 
2315 | [[audits.yoke]]
2316 | who = "Luca Versari <veluca@google.com>"
2317 | criteria = ["ub-risk-2", "does-not-implement-crypto"]
2318 | version = "0.7.4"
2319 | notes = """Reviewed in https://github.com/unicode-org/icu4x/pull/5046
2320 | Review performed as PR: https://github.com/unicode-org/icu4x/pull/5046. Minor docs improvements, plus known currently-unsolvable issue around potential future noalias UB (https://github.com/unicode-org/icu4x/issues/2095)
2321 | """
2322 | 
2323 | [[audits.yoke]]
2324 | who = "Luca Versari <veluca@google.com>"
2325 | criteria = ["ub-risk-2", "does-not-implement-crypto"]
2326 | delta = "0.7.4 -> 0.7.5"
2327 | notes = """Reviewed in CL 700087030
2328 | Patches from last review all applied
2329 | """
2330 | 
2331 | [[audits.zerocopy]]
2332 | who = "Manish Goregaokar <manishearth@google.com>"
2333 | criteria = ["ub-risk-2"]
2334 | version = "0.6.1"
2335 | notes = "Reviewed in CL 592374439"
2336 | 
2337 | [[audits.zerotrie]]
2338 | who = "Manish Goregaokar <manishearth@google.com>"
2339 | criteria = ["ub-risk-2"]
2340 | version = "0.1.2"
2341 | notes = "Reviewed in https://github.com/unicode-org/icu4x/pull/2722/"
2342 | 
2343 | 


--------------------------------------------------------------------------------
/sources.list:
--------------------------------------------------------------------------------
 1 | # Chromium OS:
 2 | https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT
 3 | 
 4 | # Chromium:
 5 | https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT
 6 | 
 7 | # Fuchsia:
 8 | https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT
 9 | 
10 | # google3:
11 | https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml
12 | 


--------------------------------------------------------------------------------