├── sources.list ├── manual-sources ├── README.md ├── additional-audits.toml └── google3-audits.toml ├── .github └── workflows │ └── aggregate.yml ├── CONTRIBUTING.md ├── CODE_OF_CONDUCT.md ├── README.md ├── LICENSE └── auditing_standards.md /sources.list: -------------------------------------------------------------------------------- 1 | # Chromium OS: 2 | https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT 3 | 4 | # Chromium: 5 | https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT 6 | 7 | # Fuchsia: 8 | https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT 9 | 10 | # google3: 11 | https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml 12 | 13 | # additional audits: 14 | https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/additional-audits.toml 15 | -------------------------------------------------------------------------------- /manual-sources/README.md: -------------------------------------------------------------------------------- 1 | # Manual audit sources 2 | 3 | This repo aggregates audits from other sources like Android and Fuchsia; however it is the source of truth for some audits that are not otherwise public, for example for Rust crates being imported into the [google3](https://opensource.google/documentation/reference/glossary#google3) monorepo. 4 | 5 | The primary source of truth for these is stored in audits.toml files in this folder, and aggregated into the toplevel audits.toml by CI. 6 | 7 | If you are performing an audit for such a source, you may submit your audits to these files directly. You do not need to update the toplevel audits.toml as that will be done by CI, though you can if you'd like (it's finicky). 
8 | 9 | You may directly depend on these audit files if you wish, however their locations may move around in the long term. It is recommended to depend on the toplevel audit file in this repo. 10 | 11 | `additional-audits.toml` contains additional audit criteria that are not assessed during private reviews. 12 | For example, this file might include `safe-to-deploy` audits for crates that have been evaluated `ub-risk-2` or lower during unsafe review and do not perform potentially dangerous operations such as filesystem access. 13 | -------------------------------------------------------------------------------- /manual-sources/additional-audits.toml: -------------------------------------------------------------------------------- 1 | [[audits.jxl]] 2 | who = "Luca Versari " 3 | criteria = ["safe-to-deploy"] 4 | version = "0.1.1" 5 | notes = "Based on ub-risk-1 by joshlf@google.com and the lack of filesystem usage outside tests." 6 | 7 | [[audits.jxl]] 8 | who = "Łukasz Anforowicz " 9 | criteria = ["safe-to-deploy"] 10 | version = "0.1.3" 11 | notes = "Based on a review by @anforowicz (https://github.com/libjxl/jxl-rs/pull/518) and the lack of filesystem usage outside tests." 12 | 13 | [[audits.jxl_simd]] 14 | who = "Łukasz Anforowicz " 15 | criteria = ["safe-to-deploy"] 16 | version = "0.1.3" 17 | notes = "Based on a review by @anforowicz (https://github.com/libjxl/jxl-rs/pull/518) and the lack of filesystem usage outside tests." 18 | 19 | [[audits.jxl]] 20 | who = "Łukasz Anforowicz " 21 | criteria = ["safe-to-deploy"] 22 | version = "0.1.5" 23 | notes = "Delta review from v0.1.3: no safety-relevant changes (except for a simple fix under stacked borrows)." 24 | 25 | [[audits.jxl_simd]] 26 | who = "Łukasz Anforowicz " 27 | criteria = ["safe-to-deploy"] 28 | version = "0.1.5" 29 | notes = "Delta review from v0.1.3: no safety-relevant changes." 
30 | -------------------------------------------------------------------------------- /.github/workflows/aggregate.yml: -------------------------------------------------------------------------------- 1 | name: CI 2 | on: 3 | workflow_dispatch: 4 | schedule: 5 | # Every hour 6 | - cron: '0 * * * *' 7 | 8 | permissions: 9 | contents: write 10 | 11 | jobs: 12 | aggregate: 13 | name: Aggregate Dependencies 14 | runs-on: ubuntu-latest 15 | env: 16 | CARGO_VET_VERSION: 0.4.0 17 | steps: 18 | - uses: actions/checkout@master 19 | - name: Install Rust 20 | run: rustup update stable && rustup default stable 21 | - uses: actions/cache@v4 22 | with: 23 | path: ${{ runner.tool_cache }}/cargo-vet 24 | key: cargo-vet-bin-${{ env.CARGO_VET_VERSION }} 25 | - name: Add the tool cache directory to the search path 26 | run: echo "${{ runner.tool_cache }}/cargo-vet/bin" >> $GITHUB_PATH 27 | - name: Ensure that the tool cache is populated with the cargo-vet binary 28 | run: cargo install --root ${{ runner.tool_cache }}/cargo-vet --version ${{ env.CARGO_VET_VERSION }} cargo-vet 29 | - name: Invoke cargo-vet aggregate 30 | run: cargo vet aggregate --output-file audits.toml sources.list 31 | - name: Commit changes (if any) 32 | run: | 33 | git config --global user.name "cargo-vet[bot]" 34 | git config --global user.email "cargo-vet-aggregate@invalid" 35 | git add audits.toml 36 | git commit -m "Aggregate new audits" || true 37 | - name: Push changes (if any) 38 | run: git push origin main 39 | -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | # How to Contribute 2 | 3 | We'd love to accept your patches and contributions to this project. 
4 | 5 | ## Before you begin 6 | 7 | ### Sign our Contributor License Agreement 8 | 9 | Contributions to this project must be accompanied by a 10 | [Contributor License Agreement](https://cla.developers.google.com/about) (CLA). 11 | You (or your employer) retain the copyright to your contribution; this simply 12 | gives us permission to use and redistribute your contributions as part of the 13 | project. 14 | 15 | If you or your current employer have already signed the Google CLA (even if it 16 | was for a different project), you probably don't need to do it again. 17 | 18 | Visit to see your current agreements or to 19 | sign a new one. 20 | 21 | ### Review our Community Guidelines 22 | 23 | This project follows 24 | [Google's Open Source Community Guidelines](https://opensource.google/conduct/). 25 | 26 | ## Contribution process 27 | 28 | ### Code Reviews 29 | 30 | All submissions, including submissions by project members, require review. We 31 | use GitHub pull requests for this purpose. Consult 32 | [GitHub Help](https://help.github.com/articles/about-pull-requests/) for more 33 | information on using pull requests. 34 | 35 | ## Contributing Rust Audits 36 | 37 | This respository is primarily an aggregation of audits done by people employed 38 | by Google, certifying code to be used in Google software. For this reason, we 39 | unfortunately cannot accept audits directly from non-Google sources. 40 | 41 | If you're trying to add a Google project to the set of aggregated audits, thank 42 | you! You should reach out to @djkoloski. Please note that participating 43 | requires copying all audit criteria into your `audits.toml` verbatim; 44 | deviations/customizations will break our automatic aggregation jobs. 
45 | -------------------------------------------------------------------------------- /CODE_OF_CONDUCT.md: -------------------------------------------------------------------------------- 1 | # Code of Conduct 2 | 3 | ## Our Pledge 4 | 5 | In the interest of fostering an open and welcoming environment, we as 6 | contributors and maintainers pledge to making participation in our project and 7 | our community a harassment-free experience for everyone, regardless of age, body 8 | size, disability, ethnicity, gender identity and expression, level of 9 | experience, education, socio-economic status, nationality, personal appearance, 10 | race, religion, or sexual identity and orientation. 11 | 12 | ## Our Standards 13 | 14 | Examples of behavior that contributes to creating a positive environment 15 | include: 16 | 17 | * Using welcoming and inclusive language 18 | * Being respectful of differing viewpoints and experiences 19 | * Gracefully accepting constructive criticism 20 | * Focusing on what is best for the community 21 | * Showing empathy towards other community members 22 | 23 | Examples of unacceptable behavior by participants include: 24 | 25 | * The use of sexualized language or imagery and unwelcome sexual attention or 26 | advances 27 | * Trolling, insulting/derogatory comments, and personal or political attacks 28 | * Public or private harassment 29 | * Publishing others' private information, such as a physical or electronic 30 | address, without explicit permission 31 | * Other conduct which could reasonably be considered inappropriate in a 32 | professional setting 33 | 34 | ## Our Responsibilities 35 | 36 | Project maintainers are responsible for clarifying the standards of acceptable 37 | behavior and are expected to take appropriate and fair corrective action in 38 | response to any instances of unacceptable behavior. 
39 | 40 | Project maintainers have the right and responsibility to remove, edit, or reject 41 | comments, commits, code, wiki edits, issues, and other contributions that are 42 | not aligned to this Code of Conduct, or to ban temporarily or permanently any 43 | contributor for other behaviors that they deem inappropriate, threatening, 44 | offensive, or harmful. 45 | 46 | ## Scope 47 | 48 | This Code of Conduct applies both within project spaces and in public spaces 49 | when an individual is representing the project or its community. Examples of 50 | representing a project or community include using an official project e-mail 51 | address, posting via an official social media account, or acting as an appointed 52 | representative at an online or offline event. Representation of a project may be 53 | further defined and clarified by project maintainers. 54 | 55 | This Code of Conduct also applies outside the project spaces when the Project 56 | Steward has a reasonable belief that an individual's behavior may have a 57 | negative impact on the project or its community. 58 | 59 | ## Conflict Resolution 60 | 61 | We do not believe that all conflict is bad; healthy debate and disagreement 62 | often yield positive results. However, it is never okay to be disrespectful or 63 | to engage in behavior that violates the project’s code of conduct. 64 | 65 | If you see someone violating the code of conduct, you are encouraged to address 66 | the behavior directly with those involved. Many issues can be resolved quickly 67 | and easily, and this gives people more control over the outcome of their 68 | dispute. If you are unable to resolve the matter for any reason, or if the 69 | behavior is threatening or harassing, report it. We are dedicated to providing 70 | an environment where participants feel welcome and safe. 71 | 72 | Reports should be directed to *[PROJECT STEWARD NAME(s) AND EMAIL(s)]*, the 73 | Project Steward(s) for *[PROJECT NAME]*. 
It is the Project Steward’s duty to 74 | receive and address reported violations of the code of conduct. They will then 75 | work with a committee consisting of representatives from the Open Source 76 | Programs Office and the Google Open Source Strategy team. If for any reason you 77 | are uncomfortable reaching out to the Project Steward, please email 78 | opensource@google.com. 79 | 80 | We will investigate every complaint, but you may not receive a direct response. 81 | We will use our discretion in determining when and how to follow up on reported 82 | incidents, which may range from not taking action to permanent expulsion from 83 | the project and project-sponsored spaces. We will notify the accused of the 84 | report and provide them an opportunity to discuss it before any action is taken. 85 | The identity of the reporter will be omitted from the details of the report 86 | supplied to the accused. In potentially harmful situations, such as ongoing 87 | harassment or threats to anyone's safety, we may take action without notice. 88 | 89 | ## Attribution 90 | 91 | This Code of Conduct is adapted from the Contributor Covenant, version 1.4, 92 | available at 93 | https://www.contributor-covenant.org/version/1/4/code-of-conduct.html 94 | 95 | Note: A version of this file is also available in the 96 | [New Project repo](https://github.com/google/new-project/blob/master/docs/code-of-conduct.md). -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Google's Rust Crate Audits 2 | 3 | Google uses cargo-vet to ensure third-party Rust dependencies have been audited 4 | by Googlers or other trusted entities. 5 | 6 | This repository automatically aggregates Google's audits from various 7 | repositories to make them easily reusable by others. 
To import Google's audits into another cargo-vet instance, add the following lines to your config.toml. Note that the imported `audits.toml` is regenerated automatically by CI (roughly hourly) from the sources listed in `sources.list`, so the set of audits it contains changes over time; review newly imported entries as you would any other change to the set of parties you trust:
55 | > 56 | > **Note**: If a crate does not implement crypto, use `does-not-implement-crypto`, 57 | > which implies `crypto-safe`, but does not require expert review in order to 58 | > audit for. 59 | 60 | #### `does-not-implement-crypto` 61 | 62 | [Auditing standards](https://github.com/google/rust-crate-audits/blob/main/auditing_standards.md#does-not-implement-crypto) 63 | 64 | > Inspection reveals that the crate in question does not attempt to implement 65 | > any cryptographic algorithms on its own. 66 | > 67 | > Note that certification of this does not require an expert on all forms of 68 | > cryptography: it's expected for crates we import to be \"good enough\" 69 | > citizens, so they'll at least be forthcoming if they try to implement 70 | > something cryptographic. When in doubt, please ask an expert. 71 | 72 | ### Deployment 73 | 74 | #### `safe-to-run` 75 | 76 | [Auditing standards](https://github.com/google/rust-crate-audits/blob/main/auditing_standards.md#safe-to-run) 77 | 78 | > This crate can be compiled, run, and tested on a local workstation or in 79 | > controlled automation without surprising consequences, such as: 80 | > * Reading or writing data from sensitive or unrelated parts of the filesystem. 81 | > * Installing software or reconfiguring the device. 82 | > * Connecting to untrusted network endpoints. 83 | > * Misuse of system resources (e.g. cryptocurrency mining). 84 | 85 | #### `safe-to-deploy` 86 | 87 | [Auditing standards](https://github.com/google/rust-crate-audits/blob/main/auditing_standards.md#safe-to-deploy) 88 | 89 | > This crate will not introduce a serious security vulnerability to production 90 | > software exposed to untrusted input. 91 | > 92 | > Auditors are not required to perform a full logic review of the entire crate. 93 | > Rather, they must review enough to fully reason about the behavior of all 94 | > unsafe blocks and usage of powerful imports. 
For any reasonable usage of the 95 | > crate in real-world software, an attacker must not be able to manipulate the 96 | > runtime behavior of these sections in an exploitable or surprising way. 97 | > 98 | > Ideally, all unsafe code is fully sound, and ambient capabilities (e.g. 99 | > filesystem access) are hardened against manipulation and consistent with the 100 | > advertised behavior of the crate. However, some discretion is permitted. In 101 | > such cases, the nature of the discretion should be recorded in the `notes` 102 | > field of the audit record. 103 | > 104 | > For crates which generate deployed code (e.g. build dependencies or procedural 105 | > macros), reasonable usage of the crate should output code which meets the 106 | > above criteria. 107 | 108 | ### Soundness 109 | 110 | #### `ub-risk-0` 111 | 112 | [Auditing standards](https://github.com/google/rust-crate-audits/blob/main/auditing_standards.md#ub-risk-0) 113 | 114 | > This crate cannot cause undefined behavior because it contains no unsafe code. 115 | 116 | #### `ub-risk-1` 117 | 118 | [Auditing standards](https://github.com/google/rust-crate-audits/blob/main/auditing_standards.md#ub-risk-1) 119 | 120 | > A designated unsafe code reviewer has audited the unsafe code in this crate. 121 | > No risk of causing undefined behavior was found. 122 | > 123 | > UB-RISK-1 crates are suitable for applications with the strictest memory 124 | > safety requirements: 125 | > - Safety documentation is comprehensive and precise. Unsafe APIs can be used 126 | > soundly. 127 | > - Unsafe blocks rely on clear invariants and preconditions, and are 128 | > well-justified by them. 129 | > - No way to cause undefined behavior was found during review. 130 | > 131 | > UB-RISK-1 crates are exceptionally well-documented and justified, leaving 132 | > little to no room for error. 133 | 134 | #### `ub-risk-1-thorough` 135 | 136 | A more thorough version of `ub-risk-1`. 
See [thorough soundness audits] for a 137 | description of "thorough" audits. 138 | 139 | #### `ub-risk-2` 140 | 141 | [Auditing standards](https://github.com/google/rust-crate-audits/blob/main/auditing_standards.md#ub-risk-2) 142 | 143 | > A designated unsafe code reviewer has audited the unsafe code in this crate. 144 | > It has been found to pose a trivial risk of causing undefined behavior. 145 | > 146 | > UB-RISK-2 crates are suitable for most applications: 147 | > - Safety documentation is relatively comprehensive, though it may not be 148 | > adequately precise. Unsafe APIs can be used soundly with very minor caution. 149 | > - Unsafe blocks may rely on informal invariants and preconditions. The 150 | > reasoning required to justify them may be especially difficult or 151 | > under-documented. 152 | > - Undefined behavior may be possible under extraordinary circumstances. 153 | > 154 | > UB-RISK-2 crates are effectively "the average good crate". While they may 155 | > have very slight (but real) soundness issues, they are safe to use in general 156 | > without much worry. These crates may exhibit undefined behavior under 157 | > "extraordinary circumstances", which is ultimately up to reviewer discretion. 158 | > Users may expect that reasonable use of the crate will not cause undefined 159 | > behavior. 160 | 161 | #### `ub-risk-2-thorough` 162 | 163 | A more thorough version of `ub-risk-2`. See [thorough soundness audits] for a 164 | description of "thorough" audits. 165 | 166 | [thorough soundness audits]: https://github.com/google/rust-crate-audits/blob/main/auditing_standards.md#thoroughness 167 | 168 | #### `ub-risk-3` 169 | 170 | [Auditing standards](https://github.com/google/rust-crate-audits/blob/main/auditing_standards.md#ub-risk-3) 171 | 172 | > A designated unsafe code reviewer has audited the unsafe code in this crate. 173 | > It has been found to pose a significant risk of causing undefined behavior. 
174 | > 175 | > UB-RISK-3 crates are suitable for select applications: 176 | > - Safety documentation may not be adequately comprehensive or precise. Unsafe 177 | > APIs can be used soundly with a decent amount of caution. 178 | > - Unsafe blocks may rely on under-documented or inferred invariants and 179 | > preconditions. The reasoning required to justify them may rely on specific 180 | > interpretations of undefined behavior that are under-specified. Those 181 | > interpretations must not actively cause UB, and should be unlikely to begin 182 | > causing UB in the future. 183 | > - Undefined behavior may be possible under uncommon circumstances. 184 | > 185 | > UB-RISK-3 crates may not uphold the typical standards required for unsafe 186 | > code, but are still used because they have been widely adopted and will 187 | > inevitably be leveraged by indirect dependencies. These crates may exhibit 188 | > undefined behavior under \"uncommon circumstances\", which is ultimately up to 189 | > reviewer discretion. A decent amount of experience with unsafe code will be 190 | > required to avoid undefined behavior. 191 | 192 | #### `ub-risk-4` 193 | 194 | [Auditing standards](https://github.com/google/rust-crate-audits/blob/main/auditing_standards.md#ub-risk-4) 195 | 196 | > A designated unsafe code reviewer has audited the unsafe code in this crate. 197 | > It has been found to pose a high risk of causing undefined behavior. 198 | > 199 | > UB-RISK-4 crates are unsuitable except in specific situations: 200 | > - Safety documentation may be nonexistent. Unsafe APIs may be difficult to use 201 | > safely even with experience writing unsafe code and specific domain 202 | > expertise. 203 | > - Unsafe blocks may rely on undocumented invarianats or platform-specific 204 | > behavior. It may be difficult or impossible to reason about all possible 205 | > situations that may cause undefined behavior. 
Even a best-effort review is 206 | > expected to miss at least some possible unsoundness. 207 | > - Undefined behavior may be possible under common circumstances. 208 | > 209 | > UB-RISK-4 crates may have APIs that are difficult to use without causing 210 | > undefined behavior. They may require a large amount of domain expertise to use 211 | > correctly, have large unsafe APIs with insufficient documentation, or perform 212 | > many operations from safe code that could cause undefined behavior. 213 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | 2 | Apache License 3 | Version 2.0, January 2004 4 | http://www.apache.org/licenses/ 5 | 6 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 7 | 8 | 1. Definitions. 9 | 10 | "License" shall mean the terms and conditions for use, reproduction, 11 | and distribution as defined by Sections 1 through 9 of this document. 12 | 13 | "Licensor" shall mean the copyright owner or entity authorized by 14 | the copyright owner that is granting the License. 15 | 16 | "Legal Entity" shall mean the union of the acting entity and all 17 | other entities that control, are controlled by, or are under common 18 | control with that entity. For the purposes of this definition, 19 | "control" means (i) the power, direct or indirect, to cause the 20 | direction or management of such entity, whether by contract or 21 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 22 | outstanding shares, or (iii) beneficial ownership of such entity. 23 | 24 | "You" (or "Your") shall mean an individual or Legal Entity 25 | exercising permissions granted by this License. 26 | 27 | "Source" form shall mean the preferred form for making modifications, 28 | including but not limited to software source code, documentation 29 | source, and configuration files. 
30 | 31 | "Object" form shall mean any form resulting from mechanical 32 | transformation or translation of a Source form, including but 33 | not limited to compiled object code, generated documentation, 34 | and conversions to other media types. 35 | 36 | "Work" shall mean the work of authorship, whether in Source or 37 | Object form, made available under the License, as indicated by a 38 | copyright notice that is included in or attached to the work 39 | (an example is provided in the Appendix below). 40 | 41 | "Derivative Works" shall mean any work, whether in Source or Object 42 | form, that is based on (or derived from) the Work and for which the 43 | editorial revisions, annotations, elaborations, or other modifications 44 | represent, as a whole, an original work of authorship. For the purposes 45 | of this License, Derivative Works shall not include works that remain 46 | separable from, or merely link (or bind by name) to the interfaces of, 47 | the Work and Derivative Works thereof. 48 | 49 | "Contribution" shall mean any work of authorship, including 50 | the original version of the Work and any modifications or additions 51 | to that Work or Derivative Works thereof, that is intentionally 52 | submitted to Licensor for inclusion in the Work by the copyright owner 53 | or by an individual or Legal Entity authorized to submit on behalf of 54 | the copyright owner. For the purposes of this definition, "submitted" 55 | means any form of electronic, verbal, or written communication sent 56 | to the Licensor or its representatives, including but not limited to 57 | communication on electronic mailing lists, source code control systems, 58 | and issue tracking systems that are managed by, or on behalf of, the 59 | Licensor for the purpose of discussing and improving the Work, but 60 | excluding communication that is conspicuously marked or otherwise 61 | designated in writing by the copyright owner as "Not a Contribution." 
62 | 63 | "Contributor" shall mean Licensor and any individual or Legal Entity 64 | on behalf of whom a Contribution has been received by Licensor and 65 | subsequently incorporated within the Work. 66 | 67 | 2. Grant of Copyright License. Subject to the terms and conditions of 68 | this License, each Contributor hereby grants to You a perpetual, 69 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 70 | copyright license to reproduce, prepare Derivative Works of, 71 | publicly display, publicly perform, sublicense, and distribute the 72 | Work and such Derivative Works in Source or Object form. 73 | 74 | 3. Grant of Patent License. Subject to the terms and conditions of 75 | this License, each Contributor hereby grants to You a perpetual, 76 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 77 | (except as stated in this section) patent license to make, have made, 78 | use, offer to sell, sell, import, and otherwise transfer the Work, 79 | where such license applies only to those patent claims licensable 80 | by such Contributor that are necessarily infringed by their 81 | Contribution(s) alone or by combination of their Contribution(s) 82 | with the Work to which such Contribution(s) was submitted. If You 83 | institute patent litigation against any entity (including a 84 | cross-claim or counterclaim in a lawsuit) alleging that the Work 85 | or a Contribution incorporated within the Work constitutes direct 86 | or contributory patent infringement, then any patent licenses 87 | granted to You under this License for that Work shall terminate 88 | as of the date such litigation is filed. 89 | 90 | 4. Redistribution. 
You may reproduce and distribute copies of the 91 | Work or Derivative Works thereof in any medium, with or without 92 | modifications, and in Source or Object form, provided that You 93 | meet the following conditions: 94 | 95 | (a) You must give any other recipients of the Work or 96 | Derivative Works a copy of this License; and 97 | 98 | (b) You must cause any modified files to carry prominent notices 99 | stating that You changed the files; and 100 | 101 | (c) You must retain, in the Source form of any Derivative Works 102 | that You distribute, all copyright, patent, trademark, and 103 | attribution notices from the Source form of the Work, 104 | excluding those notices that do not pertain to any part of 105 | the Derivative Works; and 106 | 107 | (d) If the Work includes a "NOTICE" text file as part of its 108 | distribution, then any Derivative Works that You distribute must 109 | include a readable copy of the attribution notices contained 110 | within such NOTICE file, excluding those notices that do not 111 | pertain to any part of the Derivative Works, in at least one 112 | of the following places: within a NOTICE text file distributed 113 | as part of the Derivative Works; within the Source form or 114 | documentation, if provided along with the Derivative Works; or, 115 | within a display generated by the Derivative Works, if and 116 | wherever such third-party notices normally appear. The contents 117 | of the NOTICE file are for informational purposes only and 118 | do not modify the License. You may add Your own attribution 119 | notices within Derivative Works that You distribute, alongside 120 | or as an addendum to the NOTICE text from the Work, provided 121 | that such additional attribution notices cannot be construed 122 | as modifying the License. 
123 | 124 | You may add Your own copyright statement to Your modifications and 125 | may provide additional or different license terms and conditions 126 | for use, reproduction, or distribution of Your modifications, or 127 | for any such Derivative Works as a whole, provided Your use, 128 | reproduction, and distribution of the Work otherwise complies with 129 | the conditions stated in this License. 130 | 131 | 5. Submission of Contributions. Unless You explicitly state otherwise, 132 | any Contribution intentionally submitted for inclusion in the Work 133 | by You to the Licensor shall be under the terms and conditions of 134 | this License, without any additional terms or conditions. 135 | Notwithstanding the above, nothing herein shall supersede or modify 136 | the terms of any separate license agreement you may have executed 137 | with Licensor regarding such Contributions. 138 | 139 | 6. Trademarks. This License does not grant permission to use the trade 140 | names, trademarks, service marks, or product names of the Licensor, 141 | except as required for reasonable and customary use in describing the 142 | origin of the Work and reproducing the content of the NOTICE file. 143 | 144 | 7. Disclaimer of Warranty. Unless required by applicable law or 145 | agreed to in writing, Licensor provides the Work (and each 146 | Contributor provides its Contributions) on an "AS IS" BASIS, 147 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 148 | implied, including, without limitation, any warranties or conditions 149 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 150 | PARTICULAR PURPOSE. You are solely responsible for determining the 151 | appropriateness of using or redistributing the Work and assume any 152 | risks associated with Your exercise of permissions under this License. 153 | 154 | 8. Limitation of Liability. 
In no event and under no legal theory, 155 | whether in tort (including negligence), contract, or otherwise, 156 | unless required by applicable law (such as deliberate and grossly 157 | negligent acts) or agreed to in writing, shall any Contributor be 158 | liable to You for damages, including any direct, indirect, special, 159 | incidental, or consequential damages of any character arising as a 160 | result of this License or out of the use or inability to use the 161 | Work (including but not limited to damages for loss of goodwill, 162 | work stoppage, computer failure or malfunction, or any and all 163 | other commercial damages or losses), even if such Contributor 164 | has been advised of the possibility of such damages. 165 | 166 | 9. Accepting Warranty or Additional Liability. While redistributing 167 | the Work or Derivative Works thereof, You may choose to offer, 168 | and charge a fee for, acceptance of support, warranty, indemnity, 169 | or other liability obligations and/or rights consistent with this 170 | License. However, in accepting such obligations, You may act only 171 | on Your own behalf and on Your sole responsibility, not on behalf 172 | of any other Contributor, and only if You agree to indemnify, 173 | defend, and hold each Contributor harmless for any liability 174 | incurred by, or claims asserted against, such Contributor by reason 175 | of your accepting any such warranty or additional liability. 176 | 177 | END OF TERMS AND CONDITIONS 178 | 179 | APPENDIX: How to apply the Apache License to your work. 180 | 181 | To apply the Apache License to your work, attach the following 182 | boilerplate notice, with the fields enclosed by brackets "[]" 183 | replaced with your own identifying information. (Don't include 184 | the brackets!) The text should be enclosed in the appropriate 185 | comment syntax for the file format. 
We also recommend that a 186 | file or class name and description of purpose be included on the 187 | same "printed page" as the copyright notice for easier 188 | identification within third-party archives. 189 | 190 | Copyright [yyyy] [name of copyright owner] 191 | 192 | Licensed under the Apache License, Version 2.0 (the "License"); 193 | you may not use this file except in compliance with the License. 194 | You may obtain a copy of the License at 195 | 196 | http://www.apache.org/licenses/LICENSE-2.0 197 | 198 | Unless required by applicable law or agreed to in writing, software 199 | distributed under the License is distributed on an "AS IS" BASIS, 200 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 201 | See the License for the specific language governing permissions and 202 | limitations under the License. -------------------------------------------------------------------------------- /auditing_standards.md: -------------------------------------------------------------------------------- 1 | # Rust Crate Auditing Standards 2 | 3 | ## Why we need standards for auditing 4 | 5 | When auditing third-party crates, we're reading a standard described by a few short paragraphs and judging whether some code satisfies them. That judgment adds a new fact to our shared understanding of third-party code. As a legal analogy, an auditing criteria description is like a _law_. The job of the auditor is to play judge and decide whether some code upholds or breaks the law. From this analogy, it's easy to understand how different auditors may interpret the same criteria differently. Some auditors may be more lenient than others, and real-world experience uniquely informs our decisions. 6 | 7 | To ensure that our audits are usable throughout Google, we need to be confident that different auditors will come to the same conclusions about the same code. 
These auditing standards increase our confidence through clarifying remarks, case studies, and required processes. Continuing the legal analogy, these standards are like case law. 8 | 9 | ## Summary 10 | 11 | Below are a list of all the auditing criteria and the requirements for someone to audit for them. If you're a contributor looking for criteria you can help audit, this table can help point you towards criteria you're qualified to audit for. 12 | 13 | | **Criteria** | **Requires** | 14 | |---------------------------------------|---------------------------------------------------| 15 | | [`crypto-safe`] | **Cryptography expertise** and **Rust expertise** | 16 | | [`does-not-implement-crypto`] | **Generalist SWE** | 17 | | [`safe-to-run`] | **Generalist SWE** | 18 | | [`safe-to-deploy`] | **Generalist SWE** | 19 | | [`ub-risk-0`] | **Automation** or **Generalist SWE** | 20 | | [`ub-risk-1`], [`ub-risk-1-thorough`] | **Unsafe Rust expertise** | 21 | | [`ub-risk-2`], [`ub-risk-2-thorough`] | **Unsafe Rust expertise** | 22 | | [`ub-risk-3`] | **Unsafe Rust expertise** | 23 | | [`ub-risk-4`] | **Unsafe Rust expertise** | 24 | 25 | [`crypto-safe`]: #crypto-safe 26 | [`does-not-implement-crypto`]: #does-not-implement-crypto 27 | [`safe-to-run`]: #safe-to-run 28 | [`safe-to-deploy`]: #safe-to-deploy 29 | [`ub-risk-0`]: #ub-risk-0 30 | [`ub-risk-1`]: #ub-risk-1 31 | [`ub-risk-1-thorough`]: #ub-risk-1-thorough 32 | [`ub-risk-2`]: #ub-risk-2 33 | [`ub-risk-2-thorough`]: #ub-risk-2-thorough 34 | [`ub-risk-3`]: #ub-risk-3 35 | [`ub-risk-4`]: #ub-risk-4 36 | 37 | ## Common criteria 38 | 39 | ### Cryptography 40 | 41 | #### `crypto-safe` 42 | 43 | Requires **Cryptography expertise** and **Rust expertise** 44 | 45 | Crates with this criteria contain implementations of cryptographic algorithms which have been reviewed by an expert and deemed acceptable. Cryptography is always mission-critical. 
Even though we don't expect to catch every issue in review, a crate audited as crypto-safe is sufficient for use. 46 | 47 | #### Guidelines 48 | 49 | * An expert must review the cryptographic algorithms and deem them acceptable. Generalist SWEs and others without adequate experience in cryptographic algorithms may not audit for this criteria. 50 | * It is not acceptable to just compare the written code against reference pseudocode or another accepted implementation. 51 | * It is recommended that a cryptography expert work with a Rust language expert to verify that the implementation works as intended. 52 | 53 | ### `does-not-implement-crypto` 54 | 55 | Requires **Generalist SWE** 56 | 57 | Crates with this criteria do not implement cryptographic algorithms. 58 | 59 | #### Criteria guidelines 60 | 61 | * Generalist SWEs have the ability to determine whether a crate contains implementations of cryptographic algorithms. 62 | * Many crates use but do not implement cryptographic algorithms. The way they use those cryptographic algorithms may have material implications on the security or soundness of the algorithms. These issues may be raised while auditing deployment criteria, but are not relevant to this criteria. Those crates may still be audited as `does-not-implement-crypto`. 63 | 64 | ## Deployment 65 | 66 | ### `safe-to-run` 67 | 68 | Requires **Generalist SWE** 69 | 70 | This criteria is built-in to cargo vet and describes a crate which "can be compiled, run, and tested on a local workstation or in controlled automation without surprising consequences". It lists a few examples of what it considers "surprising consequences" which will be repeated here along with any additional guidelines specific to Google. 71 | 72 | #### Criteria guidelines 73 | 74 | * Generalist SWEs have the ability to determine whether a crate is safe to run. 
75 | * Crates must not do any of the following unless it is their express purpose and have been explicitly directed to do so by a developer or user: 76 | * Read or write data from sensitive or unrelated parts of the filesystem 77 | * Install software or reconfigure the device 78 | * Connect to untrusted network endpoints 79 | * Crates must not do any of the following under any circumstances: 80 | * Misuse system resources (e.g. cryptocurrency mining). 81 | 82 | ### `safe-to-deploy` 83 | 84 | Requires **Generalist SWE** 85 | 86 | This criteria is built-in to cargo vet and describes a crate which "will not introduce a serious security vulnerability to production software exposed to untrusted input". It clarifies some specific practices which will be repeated here along with any additional guidelines specific to Google. 87 | 88 | #### Criteria guidelines 89 | 90 | * While this criteria does not require specific expertise, a generalist SWE must have familiarity with all auditing criteria and standards. Many organizations have additional requirements for code to be safe to deploy which may be relevant to the crate being reviewed. 91 | * Per the criteria description: 92 | * Reviewers are not required to perform a full logic review of the entire crate. Rather, they must review enough to fully reason about the behavior of all unsafe blocks and usage of powerful imports. For any reasonable usage of the crate in real-world software, an attacker must not be able to manipulate the runtime behavior of these sections in an exploitable or surprising way. 93 | * Ideally, all unsafe code is fully sound, and ambient capabilities (e.g. filesystem access) are hardened against manipulation and consistent with the advertised behavior of the crate. However, some discretion is permitted. In such cases, the nature of the discretion should be recorded in the `notes` field of the audit record. 94 | * For crates which generate deployed code (e.g. 
build dependencies or procedural macros), reasonable usage of the crate should output code which meets the above criteria. 95 | * This criteria is not a proper soundness review. See the "Soundness" group for criteria pertaining to soundness. 96 | * This criteria does not satisfy a general requirement for deploying code. Google's requirements for deploying code may vary across organizations. 97 | 98 | ## Soundness 99 | 100 | Most criteria in this group require training and experience in reviewing unsafe Rust code. Getting approval to do these unsafe reviews varies across organizations, but generally requires learning a wide variety of unsafe Rust topics and doing in-person shadowing. 101 | 102 | ### Thoroughness 103 | 104 | The goal of a soundness review is to correctly classify the code as either "sound" or "unsound", then assign a risk level based on the code classified as "unsound". A perfect test would classify all of the sound code as "sound" and all of the unsound code as "unsound", with no classification errors. Soundness reviews are already very precise and technical work, and reaching such high levels of confidence may require an inordinate amount of effort. With this limitation in mind, review "thoroughness" is a way to increase the effort applied to a review and the confidence of its conclusion. 105 | 106 | A "thorough" soundness review aims to increase the sensitivity of the review and correctly classify all unsound code. It should be considered the "gold standard" of reviewing; it should not be feasible to more accurately detect unsoundness than with a thorough review. Because thoroughness only focuses on reducing the false negative rate, thoroughness only matters when auditing for `ub-risk-1` and `ub-risk-2`. If the code is known to be riskier than `ub-risk-2`, then the thoroughness of the review is not consequential. 
107 | 108 | #### All soundness reviews 109 | 110 | For all soundness reviews, an unsafe Rust reviewer must: 111 | 112 | * Look at each line of unsafe code 113 | * Reason about the unsafe Rust patterns found 114 | 115 | It is acceptable if similar-looking unsafe blocks are skimmed over during a review. It is recommended (but not required) for the reviewer to document each unsafe block with a comment. 116 | 117 | #### Thorough soundness reviews 118 | 119 | For thorough soundness reviews, an unsafe Rust reviewer must additionally: 120 | 121 | * Explicitly justify the code in each unsafe block 122 | * All unsafe operations must be identified and the safety conditions for each must be addressed. 123 | * If the review is done in a group, then any nontrivial reasoning should be voiced for discussion. 124 | * Document the justification for each unsafe block with a comment 125 | * For structurally identical unsafe blocks, it is acceptable for the reasoning to be “same as above” or "ditto". 126 | 127 | Unless an unsafe Rust reviewer is very experienced, a group of two or more should perform thorough soundness reviews. 128 | 129 | [thorough]: #thorough-soundness-reviews 130 | 131 | ### `ub-risk-0` 132 | 133 | Also called: "No unsafe code" 134 | 135 | Requires **Automation** or **Generalist SWE** 136 | 137 | Crates with this criteria do not contain unsafe Rust code. 138 | 139 | #### Criteria guidelines 140 | 141 | * Because this criteria merely describes whether a crate contains unsafe Rust code, generalist SWEs may audit for it. Unless there is unambiguously no unsafe code, automation may not audit for this criteria. Even if automation audits for this criteria, a real person **must** sign off on the final audit. As a baseline, automation should reject any code containing the string `unsafe`. It may - but is not required to - allow **only** the following exceptions if robust and very well-tested: 142 | * When not a whole-word textual match: e.g. 
`struct Unsafe`, `UnsafeCell`, `let not_unsafe`, etc 143 | * Comments: e.g. `// This is not unsafe` 144 | * Literals: e.g. `"hello unsafe"` 145 | * Tests: i.e. code gated behind `#[cfg(test)]`. Note that unsafe blocks that are included in downstream binaries (e.g. `#[cfg(debug_assertions)]`) may not be ignored. 146 | * In the future, unsafe code that is disabled via `cfg` may be ignored if the disabled features are recorded with the audit and `cargo vet` handles these exclusions programmatically. See [this issue](https://github.com/mozilla/cargo-vet/issues/380) for tracking. 147 | 148 | ### `ub-risk-1` 149 | 150 | Also called: "No detectable unsoundness", "Excellent soundness" 151 | 152 | Requires **Unsafe Rust expertise** 153 | 154 | Crates with this criteria contain unsafe Rust code which is very high quality and poses near-zero risk of introducing undefined behavior. This risk level can be considered the `crypto-safe` of soundness, and these crates are suitable for the most demanding situations. 155 | 156 | #### Criteria guidelines 157 | 158 | * Auditing for this criteria requires expertise with unsafe Rust. See the group documentation for details. 159 | * Per the criteria description: 160 | * Unsafe blocks rely on clear invariants and preconditions, and are well-justified by them. 161 | * No way to cause undefined behavior was found during review. 162 | * Safety documentation is comprehensive and precise. Unsafe APIs can be used soundly. 163 | * The unsafe code in this crate must be sound even when held to the highest possible standard. 164 | * It may not be good enough for a crate to have sound unsafe code if that unsafe code is too difficult to confidently review. 165 | * Unsafe blocks should have safety comments. We prefer standard safety justifications of the form `// SAFETY: ` but any comments which fulfill the same purpose are acceptable. 
166 | * Every unsafe trait and function must have safety documentation clearly describing the preconditions and postconditions (if any) which are required to maintain memory safety. 167 | 168 | ### `ub-risk-1-thorough` 169 | 170 | A more [thorough] version of [`ub-risk-1`]. 171 | 172 | ### `ub-risk-2` 173 | 174 | Also called: "Negligible unsoundness", "Average good crate" 175 | 176 | Requires **Unsafe Rust expertise** 177 | 178 | Crates with this criteria contain unsafe Rust code which is of good quality and pose a trivial risk of causing undefined behavior. The "average good crate" typically falls in this risk level. They are suitable for most applications. 179 | 180 | #### Criteria guidelines 181 | 182 | * Auditing for this criteria requires expertise with unsafe Rust. See the group documentation for details. 183 | * Per the criteria description: 184 | * Safety documentation is relatively comprehensive, though it may not be adequately precise. Unsafe APIs can be used soundly with very minor caution. 185 | * Unsafe blocks may rely on informal invariants and preconditions. The reasoning required to justify them may be especially difficult or under-documented. 186 | * Undefined behavior may be possible under extraordinary circumstances. 187 | * Most crates involving unsafe code belong here. Avoid putting crates in `ub-risk-1` unless they genuinely meet the stated criteria. 188 | * The definition of "extraordinary circumstances" is open to interpretation. Some examples of circumstances that can cause UB generally considered "extraordinary" are: 189 | * Violating some obvious but unwritten rules about how to use an unsafe API. Even if an unsafe API doesn't specify that a pointer must be properly aligned, it's safe to assume that passing an unaligned pointer can cause UB. 190 | * Violating work-in-progress rules around unsafe code that are being designed by `t-opsem` (e.g. 
Stacked Borrows and Tree Borrows), provided that stable alternatives for performing the same operation do not exist or have only recently been stabilized. This may include code that triggers errors in MIRI. 191 | * Working in gray areas of unsafe semantics that are still under discussion and yet to be decided by `t-opsem`, provided that stable alternatives for performing the same operation do not exist or have only recently been stabilized, or that the general trend of current discussion of `t-opsem` can be shown to be in the direction that allows the pattern to be sound. 192 | * Being able to cause UB with malicious code. The code should be complex enough that it would never be written by accident. For example: panicking in a callback you gave to the API, then catching it and performing some specific operations that normal code would not do. 193 | * Using or implementing `#[doc(hidden)]` items to cause UB without unsafe code. 194 | * Users may expect that reasonable use of these crates will not cause UB. 195 | 196 | ### `ub-risk-2-thorough` 197 | 198 | A more [thorough] version of [`ub-risk-2`]. 199 | 200 | ### `ub-risk-3` 201 | 202 | Also called: "Mild unsoundness", "Suboptimal soundness" 203 | 204 | Requires **Unsafe Rust expertise** 205 | 206 | Crates with this criteria contain unsafe Rust code which doesn't uphold the typical standards required for unsafe code. They pose a nontrivial, but not necessarily unacceptable risk of causing undefined behavior. Projects are encouraged to allow the use of these crates on a case-by-case basis, based on their own specific constraints. 207 | 208 | #### Criteria guidelines 209 | 210 | * Auditing for this criteria requires expertise with unsafe Rust. See the group documentation for details. 211 | * Per the criteria description: 212 | * Safety documentation may not be adequately comprehensive or precise. Unsafe APIs can be used soundly with a decent amount of caution. 
213 | * Unsafe blocks may rely on under-documented or inferred invariants and preconditions. The reasoning required to justify them may rely on specific interpretations of undefined behavior that are under-specified. Those interpretations must not actively cause UB, and should be unlikely to begin causing UB in the future. 214 | * Undefined behavior may be possible under uncommon circumstances. 215 | * These are crates that we would prefer not to use because of their unsafe code, but we may still do so begrudgingly. 216 | * The definition of "uncommon circumstances" is open to interpretation. Some examples of circumstances that can cause UB generally considered "uncommon" are: 217 | * Leveraging incorrect variance on type lifetimes to violate memory safety. 218 | * Writing implementations of traits not marked `unsafe` by violating documented invariants. 219 | * Writing implementations of traits not marked `unsafe` that are not really intended to be implemented by the user. 220 | * Explicitly forgetting values that have important drop behavior to cause UB when combined with operations that would not be expected to follow normally. 221 | * Some caution may be required to avoid undefined behavior. 222 | 223 | 224 | `ub-risk-3` is the highest risk level at which non-experts could reasonably avoid causing undefined behavior. These crates are unsound, but the risk they pose may be acceptable in some situations. Projects need to make judgement calls about where, when, and by whom these crates may be used. For example, a project may deem a `ub-risk-3` crate acceptable to use if it contains unsoundness that: 225 | 226 | * Is only triggered on platforms that the codebase does not care about. 227 | * May only become a problem in future versions of Rust, by which time there is confidence that it will have been patched. 228 | * Is triggered by a pattern of use which the project discourages and can confidently avoid long-term. 
229 | 230 | 231 | All audit levels should strive to detail the safety issues found. However, those details are especially important for `ub-risk-3` audits because projects depend on those details to determine whether high-risk crates are acceptable to use. 232 | 233 | ### `ub-risk-4` 234 | 235 | Also called: "Extreme unsoundness", "Very risky" 236 | 237 | Requires **Unsafe Rust expertise** 238 | 239 | Crates with this criteria contain very dangerous unsafe rust code. They pose a risk of causing undefined behavior with typical use. 240 | 241 | #### Criteria guidelines 242 | 243 | * Auditing for this criteria requires expertise with unsafe Rust. See the group documentation for details. 244 | * Per the criteria description: 245 | * Safety documentation may be nonexistent. Unsafe APIs may be difficult to use safely even with experience writing unsafe code and specific domain expertise. 246 | * Unsafe blocks may rely on undocumented invariants or platform-specific behavior. It may be difficult or impossible to reason about all possible situations that may cause undefined behavior. Even a best-effort review is expected to miss at least some possible unsoundness. 247 | * Undefined behavior may be possible under common circumstances. 248 | * Most crates that try to be sound but don't quite make the cut go in `ub-risk-3`, not here. These crates are wildly unsafe, and the only time we should use them is when they are a necessary evil. 249 | * Everything worse than `ub-risk-3` goes in here and we should do our best to avoid using them. 250 | 251 | ## Criteria-agnostic guidelines 252 | 253 | ### Delta audits should describe the final version 254 | 255 | In general, delta audits should always take the previous, baseline audit into 256 | account. 
In particular, note that 257 | [Cargo Vet's documentation](https://mozilla.github.io/cargo-vet/audit-entries.html#delta) 258 | asks the auditor to acquire sufficient context when working on delta 259 | audits: 260 | 261 | > The [auditing] standard here is that the properties are actually 262 | > preserved, not merely that that the diff doesn't obviously violate 263 | > them. It is the responsibility of the auditor to acquire sufficient 264 | > context to certify the former. 265 | 266 | Since delta audits only determine which criteria from the baseline version 267 | are preserved, you should perform and record a non-delta audit to lower the 268 | `ub-risk-N` level, or to downgrade from `crypto-safe` to 269 | `does-not-implement-crypto`. In other words, a delta audit should never result in 270 | lowering the `ub-risk-N` value from the previous audit, or downgrading 271 | `crypto-safe` to `does-not-implement-crypto`. 272 | 273 | For example, even though 274 | [the 1.0.79 to 1.0.80 delta of the `proc-macro2` crate](https://chromium-review.googlesource.com/c/chromium/src/+/5453972/2..6) 275 | doesn't add or change any `unsafe` code, it shouldn't be recorded as 276 | `ub-risk-0`, because there is still `unsafe` outside of the delta 277 | (e.g. `unsafe { imp::Literal::from_str_unchecked(repr) }` in 278 | [`lib.rs` on line 1282](https://chromium-review.googlesource.com/c/chromium/src/+/5453972/2..6/third_party/rust/chromium_crates_io/vendor/proc-macro2-1.0.80/src/lib.rs#1282)). 279 | 280 | Another example is the improvements in `flate2` between version 1.0.27 281 | (`ub-risk-4` because of https://github.com/rust-lang/flate2-rs/issues/220) and 282 | 1.0.28 (`ub-risk-3` because of https://github.com/rust-lang/flate2-rs/pull/373). 283 | Recording this improvement as a delta audit would be insufficient to pass `cargo 284 | vet check` presubmits (as tested by 285 | [this ad-hoc Chromium CL](https://crrev.com/c/5532326)). 
286 | 287 | ### Audits should be as precise as possible 288 | 289 | *e.g. Audits should not account for `config.toml` policy* 290 | 291 | Audits should record the most precise criteria for each crate, without 292 | accounting for a project's `config.toml` policy. In some cases, a project's 293 | policy may only require a crate to meet a minimum level of certification. 294 | Although it may be less work to audit a crate at that minimum level, we 295 | should always audit crates with the most precise criteria available. This 296 | ensures that our audits are as shareable as possible between project 297 | participants. 298 | 299 | For example, Chromium requires `ub-risk-2` for crates used in the browser 300 | process. The following `config.toml` entry is auto-generated for the 301 | `quote` crate: 302 | 303 | ``` 304 | # supply-chain/config.toml: 305 | [policy."quote:1.0.36"] 306 | criteria = ["does-not-implement-crypto", "safe-to-deploy", "ub-risk-2"] 307 | ``` 308 | 309 | This means that certifying this crate as `ub-risk-2` is sufficient for `cargo 310 | vet` checks/presubmits to pass, and `cargo vet check` will actually only ask 311 | to certify at the `ub-risk-2` level: 312 | 313 | ``` 314 | $ tools/crates/run_cargo_vet.py check 315 | Vetting Failed! 316 | 317 | 1 unvetted dependencies: 318 | quote:1.0.36 missing ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] 319 | 320 | recommended audits for safe-to-deploy, does-not-implement-crypto, ub-risk-2: 321 | Command Publisher Used By Audit Size 322 | cargo vet diff quote 1.0.35 1.0.36 dtolnay syn, chromium, prost-derive, and 6 others 6 files changed, 568 insertions(+), 548 deletions(-) 323 | 324 | estimated audit backlog: 1116 lines 325 | 326 | Use |cargo vet certify| to record the audits. 327 | ``` 328 | 329 | Although the tool only asks for `ub-risk-2`, the audit should always 330 | certify `quote` 1.0.36 at the most precise ub-risk level possible. 
In this case, 331 | the crate should be audited as `ub-risk-0` because it doesn't contain any 332 | unsafe code. 333 | -------------------------------------------------------------------------------- /manual-sources/google3-audits.toml: -------------------------------------------------------------------------------- 1 | [criteria.crypto-safe] 2 | description = """ 3 | All crypto algorithms in this crate have been reviewed by a relevant expert. 4 | 5 | **Note**: If a crate does not implement crypto, use `does-not-implement-crypto`, 6 | which implies `crypto-safe`, but does not require expert review in order to 7 | audit for.""" 8 | 9 | [criteria.does-not-implement-crypto] 10 | description = """ 11 | Inspection reveals that the crate in question does not attempt to implement any 12 | cryptographic algorithms on its own. 13 | 14 | Note that certification of this does not require an expert on all forms of 15 | cryptography: it's expected for crates we import to be \"good enough\" citizens, 16 | so they'll at least be forthcoming if they try to implement something 17 | cryptographic. When in doubt, please ask an expert.""" 18 | implies = "crypto-safe" 19 | 20 | [criteria.ub-risk-0] 21 | description = """ 22 | No unsafe code. 23 | 24 | Full description of the audit criteria can be found at 25 | https://github.com/google/rust-crate-audits/blob/main/auditing_standards.md#ub-risk-0 26 | """ 27 | implies = "ub-risk-1" 28 | 29 | [criteria.ub-risk-1] 30 | description = """ 31 | Excellent soundness. 32 | 33 | Full description of the audit criteria can be found at 34 | https://github.com/google/rust-crate-audits/blob/main/auditing_standards.md#ub-risk-1 35 | """ 36 | implies = "ub-risk-2" 37 | 38 | [criteria.ub-risk-1-thorough] 39 | description = """ 40 | Excellent soundness (established in a thorough review). 
41 | 42 | Full description of the audit criteria can be found at 43 | https://github.com/google/rust-crate-audits/blob/main/auditing_standards.md#ub-risk-1-thorough 44 | """ 45 | implies = "ub-risk-1" 46 | 47 | [criteria.ub-risk-2] 48 | description = """ 49 | Negligible unsoundness or average soundness. 50 | 51 | Full description of the audit criteria can be found at 52 | https://github.com/google/rust-crate-audits/blob/main/auditing_standards.md#ub-risk-2 53 | """ 54 | implies = "ub-risk-3" 55 | 56 | [criteria.ub-risk-2-thorough] 57 | description = """ 58 | Negligible unsoundness or average soundness (established in a thorough review). 59 | 60 | Full description of the audit criteria can be found at 61 | https://github.com/google/rust-crate-audits/blob/main/auditing_standards.md#ub-risk-2-thorough 62 | """ 63 | implies = "ub-risk-2" 64 | 65 | [criteria.ub-risk-3] 66 | description = """ 67 | Mild unsoundness or suboptimal soundness. 68 | 69 | Full description of the audit criteria can be found at 70 | https://github.com/google/rust-crate-audits/blob/main/auditing_standards.md#ub-risk-3 71 | """ 72 | implies = "ub-risk-4" 73 | 74 | [criteria.ub-risk-4] 75 | description = """ 76 | Extreme unsoundness. 
77 | 78 | Full description of the audit criteria can be found at 79 | https://github.com/google/rust-crate-audits/blob/main/auditing_standards.md#ub-risk-4 80 | """ 81 | 82 | [[audits.alloc-no-stdlib]] 83 | who = [ 84 | "Luca Versari ", 85 | "Manish Goregaokar " 86 | ] 87 | criteria = ["ub-risk-4"] 88 | version = "2.0.4" 89 | notes = """Reviewed in CL 636730294 90 | Issues found: 91 | - unsafe functions have no documented safety invariants 92 | - CallocBackingStore returns uninitialized memory 93 | """ 94 | 95 | [[audits.alloc-stdlib]] 96 | who = "Taylor Cramer " 97 | criteria = ["ub-risk-2"] 98 | version = "0.2.2" 99 | notes = "Reviewed in CL 636730499" 100 | 101 | [[audits.android_logger]] 102 | who = "Manish Goregaokar " 103 | criteria = ["ub-risk-3", "does-not-implement-crypto"] 104 | version = "0.13.3" 105 | notes = "Reviewed in CL 559548165" 106 | 107 | [[audits.anstream]] 108 | who = "Manish Goregaokar " 109 | criteria = ["ub-risk-3"] 110 | version = "0.3.2" 111 | notes = "Reviewed in CL 559376670" 112 | 113 | [[audits.anstream]] 114 | who = "Ben Saunders " 115 | criteria = ["ub-risk-4"] 116 | version = "0.6.5" 117 | notes = """Reviewed in CL 596713982 118 | Issues found: 119 | - https://github.com/rust-cli/anstyle/issues/156 120 | - Exhaustive review of utf8 soundness not performed 121 | """ 122 | 123 | [[audits.anstyle]] 124 | who = "Ben Saunders " 125 | criteria = ["ub-risk-1", "does-not-implement-crypto"] 126 | version = "1.0.0" 127 | notes = "Reviewed in CL 559404826" 128 | 129 | [[audits.anstyle_query]] 130 | who = "Ben Saunders " 131 | criteria = ["ub-risk-2", "does-not-implement-crypto"] 132 | version = "1.0.0" 133 | notes = "Reviewed in CL 559375925" 134 | 135 | [[audits.anstyle-parse]] 136 | who = "Manish Goregaokar " 137 | criteria = ["ub-risk-3"] 138 | version = "0.2.1" 139 | notes = "Reviewed in CL 559131783" 140 | 141 | [[audits.anymap]] 142 | who = "Manish Goregaokar " 143 | criteria = ["ub-risk-3", "does-not-implement-crypto"] 144 | version = 
"1.0.0-beta2" 145 | notes = "Reviewed in CL 558118223" 146 | 147 | [[audits.archery]] 148 | who = "Taylor Cramer " 149 | criteria = ["ub-risk-2"] 150 | version = "1.2.1" 151 | notes = "Reviewed in CL 689387930" 152 | 153 | [[audits.argminmax]] 154 | who = "Augie Fackler " 155 | criteria = ["ub-risk-2"] 156 | version = "0.6.2" 157 | notes = "Reviewed in CL 645900200" 158 | 159 | [[audits.array-init-cursor]] 160 | who = "Manish Goregaokar " 161 | criteria = ["ub-risk-3"] 162 | version = "0.2.0" 163 | notes = """Reviewed in CL 702364774 164 | Could have more comments. into_buf can probably be written safely. 165 | """ 166 | 167 | [[audits.arrayref]] 168 | who = [ 169 | "Luca Versari ", 170 | "Manish Goregaokar " 171 | ] 172 | criteria = ["ub-risk-3"] 173 | version = "0.3.7" 174 | notes = """Reviewed in CL 636647431 175 | Issues found: 176 | - Macros do not overflow check before adding pre/post and can cause hard-to-trigger UB. https://github.com/droundy/arrayref/issues/26 177 | """ 178 | 179 | [[audits.arrayref]] 180 | who = "Manish Goregaokar " 181 | criteria = ["ub-risk-2"] 182 | delta = "0.3.7 -> 0.3.9" 183 | notes = """Reviewed in CL 693504716 184 | Diff fixes https://github.com/droundy/arrayref/issues/26 185 | """ 186 | 187 | [[audits.arrow_select]] 188 | who = "Taylor Cramer " 189 | criteria = ["ub-risk-3"] 190 | version = "53.1.0" 191 | notes = """Reviewed in CL 683334337 192 | Issues found: 193 | - filter_run_end_array needs a patch to check its preconditions https://github.com/apache/arrow-rs/issues/6569 194 | """ 195 | 196 | [[audits.arrow-buffer]] 197 | who = "Augie Fackler " 198 | criteria = ["ub-risk-2"] 199 | version = "51.0.0" 200 | notes = "Reviewed in CL 637904132" 201 | 202 | [[audits.arrow-cast]] 203 | who = "Augie Fackler " 204 | criteria = ["ub-risk-2"] 205 | version = "51.0.0" 206 | notes = "Reviewed in CL 638739847" 207 | 208 | [[audits.arrow-data]] 209 | who = "Ben Saunders " 210 | criteria = ["ub-risk-3"] 211 | version = "51.0.0" 212 | notes = 
"Reviewed in CL 638739833" 213 | 214 | [[audits.arrow-select]] 215 | who = "Augie Fackler " 216 | criteria = ["ub-risk-3"] 217 | version = "51.0.0" 218 | notes = "Reviewed in CL 638739853" 219 | 220 | [[audits.askama_derive]] 221 | who = "Luca Versari " 222 | criteria = ["ub-risk-2"] 223 | version = "0.13.1" 224 | notes = "Reviewed in CL 751078334" 225 | 226 | [[audits.askama_parser]] 227 | who = "Luca Versari " 228 | criteria = ["ub-risk-2"] 229 | version = "0.13.0" 230 | notes = "Reviewed in " 231 | 232 | [[audits.async_stream]] 233 | who = "Luca Versari " 234 | criteria = ["ub-risk-3"] 235 | version = "0.3.6" 236 | notes = "Reviewed in CL 814718864" 237 | 238 | [[audits.async-executor]] 239 | who = "Luca Versari " 240 | criteria = ["ub-risk-2"] 241 | version = "1.13.1" 242 | notes = "Reviewed in CL 737846535" 243 | 244 | [[audits.async-lock]] 245 | who = "Luca Versari " 246 | criteria = ["ub-risk-2"] 247 | version = "3.4.0" 248 | notes = "Reviewed in CL 740466573" 249 | 250 | [[audits.base64ct]] 251 | who = "Taylor Cramer " 252 | criteria = ["ub-risk-2"] 253 | version = "1.6.0" 254 | notes = "Reviewed in CL 592910669" 255 | 256 | [[audits.beef]] 257 | who = "Ben Saunders " 258 | criteria = ["ub-risk-1"] 259 | version = "0.5.0" 260 | notes = "Reviewed in CL 742874865" 261 | 262 | [[audits.bit-set]] 263 | who = [ 264 | "Manish Goregaokar ", 265 | "Augie Fackler " 266 | ] 267 | criteria = ["ub-risk-2"] 268 | version = "0.5.3" 269 | notes = """Reviewed in CL 615008047 270 | Uses unsafe operations from bit-vec that are not actually unsafe. 
271 | """ 272 | 273 | [[audits.bitflags]] 274 | who = "Taylor Cramer " 275 | criteria = ["ub-risk-1", "does-not-implement-crypto"] 276 | version = "2.3.3" 277 | notes = "Reviewed in CL 545304270" 278 | 279 | [[audits.bitmaps]] 280 | who = "Manish Goregaokar " 281 | criteria = ["ub-risk-4"] 282 | version = "2.1.0" 283 | notes = """Reviewed in CL 755933866 284 | This has incorrect usage of target_feature: https://github.com/bodil/bitmaps/issues/31 285 | """ 286 | 287 | [[audits.bitmaps]] 288 | who = "Manish Goregaokar " 289 | criteria = ["ub-risk-4"] 290 | version = "3.2.1" 291 | notes = """Reviewed in CL 755933866 292 | Issues found: 293 | - Incorrect use of target_feature https://github.com/bodil/bitmaps/issues/31 294 | - Incorrect layout assumptions around bool https://github.com/bodil/bitmaps/issues/29 295 | """ 296 | 297 | [[audits.boxcar]] 298 | who = "Luca Versari " 299 | criteria = ["ub-risk-2"] 300 | version = "0.2.10" 301 | notes = "Reviewed in CL 736485432" 302 | 303 | [[audits.brotli]] 304 | who = "Ben Saunders " 305 | criteria = ["ub-risk-2"] 306 | version = "3.5.0" 307 | notes = "Reviewed in CL 641306142" 308 | 309 | [[audits.btoi]] 310 | who = "Ben Saunders " 311 | criteria = ["ub-risk-0", "does-not-implement-crypto"] 312 | version = "0.4.3" 313 | notes = "Reviewed in CL 581228675" 314 | 315 | [[audits.bulletproofs]] 316 | who = "Manish Goregaokar " 317 | criteria = ["ub-risk-0"] 318 | version = "5.0.0" 319 | notes = """Reviewed in CL 666491560 320 | Only unsafe is in tests 321 | """ 322 | 323 | [[audits.bumpalo]] 324 | who = "Taylor Cramer " 325 | criteria = ["ub-risk-2"] 326 | version = "3.14.0" 327 | notes = "Reviewed in CL 574186321" 328 | 329 | [[audits.bytecount]] 330 | who = "Manish Goregaokar " 331 | criteria = ["ub-risk-3"] 332 | version = "0.6.7" 333 | notes = """Reviewed in CL 596699465 334 | Is sound, but needs safety docs 335 | """ 336 | 337 | [[audits.bytemuck]] 338 | who = [ 339 | "Manish Goregaokar ", 340 | "Łukasz Anforowicz " 341 | ] 
342 | criteria = ["ub-risk-2", "does-not-implement-crypto"] 343 | version = "1.13.1" 344 | notes = "Reviewed in CL 561111794" 345 | 346 | [[audits.byteorder]] 347 | who = "Alyssa Haroldsen " 348 | criteria = ["ub-risk-3", "does-not-implement-crypto"] 349 | version = "1.4.3" 350 | notes = """Reviewed in CL 559206679 351 | Issues found: 352 | - https://github.com/BurntSushi/byteorder/issues/194 353 | """ 354 | 355 | [[audits.bzip2]] 356 | who = "Manish Goregaokar " 357 | criteria = ["ub-risk-2"] 358 | version = "0.6.1" 359 | notes = "Reviewed in CL 828354407" 360 | 361 | [[audits.caliptra_cfi]] 362 | who = "Taylor Cramer " 363 | criteria = ["ub-risk-4"] 364 | version = "0.1.0" 365 | notes = """Reviewed in CL 609792409 366 | Rating is ub-risk-4 because this crate makes assumptions about single-threadedness. 367 | However, on the platform it is intended for, this is fine and can be treated as having ub-risk-3. 368 | Issues found: https://github.com/chipsalliance/caliptra-cfi/pull/10 369 | """ 370 | 371 | [[audits.castaway]] 372 | who = "Taylor Cramer " 373 | criteria = ["ub-risk-2"] 374 | version = "0.2.3" 375 | notes = "Reviewed in CL 683065028" 376 | 377 | [[audits.chacha20]] 378 | who = "" 379 | criteria = ["ub-risk-2"] 380 | version = "0.9.1" 381 | notes = "Reviewed in CL 640124703" 382 | 383 | [[audits.chalk_ir]] 384 | who = "Manish Goregaokar " 385 | criteria = ["ub-risk-2"] 386 | version = "0.92.0" 387 | notes = "Reviewed in CL 558137822" 388 | 389 | [[audits.chalk_ir]] 390 | who = "Manish Goregaokar " 391 | criteria = ["ub-risk-0"] 392 | version = "0.95.0" 393 | notes = "Reviewed in CL 599467162" 394 | 395 | [[audits.clap_lex]] 396 | who = "Ben Saunders " 397 | criteria = ["ub-risk-3", "does-not-implement-crypto"] 398 | version = "0.5.0" 399 | notes = """Reviewed in CL 559377426 400 | Issues: 401 | - Unsound transmutes from OsStr to [u8] (https://github.com/clap-rs/clap/issues/5280) 402 | - (optional) Incorrect safety comment 
(https://github.com/clap-rs/clap/pull/5281) 403 | """ 404 | 405 | [[audits.clap_lex]] 406 | who = "Manish Goregaokar " 407 | criteria = ["ub-risk-3"] 408 | delta = "0.5.1 -> 0.6.0" 409 | notes = """Reviewed in CL 596708333 410 | Issues: 411 | - Unsound transmutes from OsStr to [u8] (https://github.com/clap-rs/clap/issues/5280) 412 | - (optional) Incorrect safety comment (https://github.com/clap-rs/clap/pull/5281) 413 | """ 414 | 415 | [[audits.clap_lex]] 416 | who = "Manish Goregaokar " 417 | criteria = ["ub-risk-3"] 418 | delta = "0.7.2 -> 0.7.3" 419 | notes = "Reviewed in CL 701531434" 420 | 421 | [[audits.clap_lex]] 422 | who = "Manish Goregaokar " 423 | criteria = ["ub-risk-3"] 424 | delta = "0.7.3 -> 0.7.4" 425 | notes = """Reviewed in CL 709087295 426 | No change since previous review 427 | """ 428 | 429 | [[audits.clear_on_drop]] 430 | who = "Manish Goregaokar " 431 | criteria = ["ub-risk-3"] 432 | version = "0.2.5" 433 | notes = """Reviewed in CL 666491561 434 | Issues: 435 | - Could use some safety comments 436 | - Clear::clear() would ideally discard the &mut self and only work with raw pointers to avoid tripping anything around reference validity. 
Impl is *probably* fine given the way T-opsem is leaning 437 | """ 438 | 439 | [[audits.clru]] 440 | who = "Ben Saunders " 441 | criteria = ["ub-risk-1", "does-not-implement-crypto"] 442 | version = "0.6.1" 443 | notes = "Reviewed in CL 581562557" 444 | 445 | [[audits.command_group]] 446 | who = "Ben Saunders " 447 | criteria = ["ub-risk-4", "does-not-implement-crypto"] 448 | version = "2.0.1" 449 | notes = """Reviewed in CL 561009596 450 | Issues found: 451 | - https://github.com/watchexec/command-group/issues/20 452 | - https://github.com/watchexec/command-group/issues/19 453 | """ 454 | 455 | [[audits.compact_str]] 456 | who = "Augie Fackler " 457 | criteria = ["ub-risk-2"] 458 | version = "0.7.1" 459 | notes = "Reviewed in CL 639198555" 460 | 461 | [[audits.console]] 462 | who = "" 463 | criteria = ["ub-risk-2"] 464 | version = "0.15.8" 465 | notes = "Reviewed in CL 683999046" 466 | 467 | [[audits.constant_time_eq]] 468 | who = "Ben Saunders " 469 | criteria = ["ub-risk-1", "does-not-implement-crypto"] 470 | version = "0.3.0" 471 | notes = "Reviewed in CL 587904821" 472 | 473 | [[audits.constcat]] 474 | who = "Manish Goregaokar " 475 | criteria = ["ub-risk-2"] 476 | version = "0.5.1" 477 | notes = "Reviewed in CL 706930648" 478 | 479 | [[audits.core-foundation]] 480 | who = "Manish Goregaokar " 481 | criteria = ["ub-risk-2"] 482 | version = "0.10.0" 483 | notes = """Reviewed in CL 711537864 484 | FFI crate 485 | """ 486 | 487 | [[audits.core-foundation-sys]] 488 | who = "Taylor Cramer " 489 | criteria = ["ub-risk-2"] 490 | version = "0.8.7" 491 | notes = "Reviewed in CL 711535914" 492 | 493 | [[audits.countme]] 494 | who = "Manish Goregaokar " 495 | criteria = ["ub-risk-3"] 496 | version = "3.0.1" 497 | notes = "Reviewed in CL 558181122" 498 | 499 | [[audits.crabbyavif]] 500 | who = "Taylor Cramer " 501 | criteria = ["ub-risk-2"] 502 | version = "0.1.0" 503 | notes = "Reviewed in CL 781088700" 504 | 505 | [[audits.cranelift-entity]] 506 | who = "Ben Saunders " 
507 | criteria = ["ub-risk-2", "does-not-implement-crypto"] 508 | version = "0.113.1" 509 | notes = "Reviewed in CL 698407144" 510 | 511 | [[audits.cranelift-entity]] 512 | who = "Manish Goregaokar " 513 | criteria = ["ub-risk-2", "does-not-implement-crypto"] 514 | delta = "1.113.1 -> 1.114.0" 515 | notes = """Reviewed in CL 699228957 516 | No change in unsafe code since last import 517 | """ 518 | 519 | [[audits.crc32c]] 520 | who = "Manish Goregaokar " 521 | criteria = ["ub-risk-3"] 522 | version = "0.6.5" 523 | notes = """Reviewed in CL 608991681 524 | Does not have much unsafe (some use of hardware intrinsics, one bit of pointer manipulation). However, the unsafe isn't documented enough. Can be upgraded to a rating 2 or 1 with some unsafe documentation. 525 | """ 526 | 527 | [[audits.crc32fast]] 528 | who = "Manish Goregaokar " 529 | criteria = ["ub-risk-2"] 530 | version = "1.3.2" 531 | notes = "Reviewed in CL 558895300" 532 | 533 | [[audits.crossterm]] 534 | who = "Ben Saunders " 535 | criteria = ["ub-risk-3", "does-not-implement-crypto"] 536 | version = "0.26.1" 537 | notes = """Reviewed in CL 562140151 538 | Issues: 539 | - Internal API permits buffer overruns (https://github.com/crossterm-rs/crossterm/pull/821) 540 | """ 541 | 542 | [[audits.crossterm]] 543 | who = "Ben Saunders " 544 | criteria = ["ub-risk-3", "does-not-implement-crypto"] 545 | delta = "0.26.1 -> 0.27.0" 546 | notes = """Reviewed in CL 566337315 547 | Issues: 548 | - Internal API permits buffer overruns (https://github.com/crossterm-rs/crossterm/pull/821) 549 | """ 550 | 551 | [[audits.cstream]] 552 | who = "Taylor Cramer " 553 | criteria = ["ub-risk-2", "does-not-implement-crypto"] 554 | version = "0.1.1" 555 | notes = "Reviewed in CL 805553961" 556 | 557 | [[audits.ctor]] 558 | who = "Ben Saunders " 559 | criteria = ["ub-risk-3", "does-not-implement-crypto"] 560 | version = "0.2.4" 561 | notes = """Reviewed in CL 552861146 562 | Issues found: 563 | - 
https://github.com/mmastrac/rust-ctor/pull/294 564 | - https://github.com/mmastrac/rust-ctor/pull/293 565 | """ 566 | 567 | [[audits.ctrlc]] 568 | who = "Taylor Cramer " 569 | criteria = ["ub-risk-3"] 570 | version = "3.4.0" 571 | notes = "Reviewed in CL 587904024" 572 | 573 | [[audits.curve25519-dalek]] 574 | who = "Ben Saunders " 575 | criteria = ["ub-risk-1"] 576 | version = "4.0.0" 577 | notes = "Reviewed in CL 557134163" 578 | 579 | [[audits.curve25519-dalek-derive]] 580 | who = "Ben Saunders " 581 | criteria = ["ub-risk-3", "does-not-implement-crypto"] 582 | version = "0.1.0" 583 | notes = """Reviewed in CL 557129495 584 | Issues found: 585 | - https://github.com/dalek-cryptography/curve25519-dalek/issues/563 586 | """ 587 | 588 | [[audits.daemonize]] 589 | who = "Taylor Cramer " 590 | criteria = ["ub-risk-2"] 591 | version = "0.5.0" 592 | notes = "Reviewed in CL 670551760" 593 | 594 | [[audits.dary_heap]] 595 | who = "Ben Saunders " 596 | criteria = ["ub-risk-1", "does-not-implement-crypto"] 597 | version = "0.3.7" 598 | notes = "Reviewed in CL 778340537" 599 | 600 | [[audits.deduplicating_array]] 601 | who = "Manish Goregaokar " 602 | criteria = ["ub-risk-2", "does-not-implement-crypto"] 603 | version = "0.1.7" 604 | notes = """Reviewed in CL 700071397 605 | Safe, but needs safety comments 606 | """ 607 | 608 | [[audits.deranged]] 609 | who = "Manish Goregaokar " 610 | criteria = ["ub-risk-2"] 611 | version = "0.3.0" 612 | notes = "Reviewed in CL 683999039" 613 | 614 | [[audits.deranged]] 615 | who = "Taylor Cramer " 616 | criteria = ["ub-risk-1"] 617 | version = "0.3.9" 618 | notes = "Reviewed in CL 579385986" 619 | 620 | [[audits.derive_builder]] 621 | who = "Manish Goregaokar " 622 | criteria = ["ub-risk-0"] 623 | version = "0.20.0" 624 | notes = "Reviewed in CL 644303353" 625 | 626 | [[audits.dispatch2]] 627 | who = "" 628 | criteria = ["ub-risk-3", "does-not-implement-crypto"] 629 | version = "0.3.0" 630 | notes = "Reviewed in CL 752745648" 631 | 632 | 
[[audits.dyn-clone]] 633 | who = [ 634 | "Ben Saunders ", 635 | "Augie Fackler ", 636 | "Luca Versari " 637 | ] 638 | criteria = ["ub-risk-2"] 639 | version = "1.0.17" 640 | notes = "Reviewed in CL 637023476" 641 | 642 | [[audits.dyn-stack]] 643 | who = "Ben Saunders " 644 | criteria = ["ub-risk-2", "does-not-implement-crypto"] 645 | delta = "0.9.0 -> 0.11.0" 646 | notes = "Reviewed in CL 754079845" 647 | 648 | [[audits.educe]] 649 | who = "Taylor Cramer " 650 | criteria = ["ub-risk-3"] 651 | version = "0.4.23" 652 | notes = """Reviewed in CL 778349439 653 | Issues found: 654 | - https://github.com/magiclen/educe/issues/45 655 | """ 656 | 657 | [[audits.encode_unicode]] 658 | who = "Taylor Cramer " 659 | criteria = ["ub-risk-2"] 660 | version = "1.0.0" 661 | notes = "Reviewed in CL 683999023" 662 | 663 | [[audits.encoding_rs]] 664 | who = "Manish Goregaokar " 665 | criteria = ["ub-risk-3"] 666 | version = "0.8.33" 667 | notes = """Reviewed in CL 605370461 668 | Needs extensive safety comments: 669 | - https://github.com/hsivonen/encoding_rs/pull/101 670 | """ 671 | 672 | [[audits.enum-ordinalize]] 673 | who = "" 674 | criteria = ["ub-risk-2"] 675 | version = "3.1.15" 676 | notes = "Reviewed in CL 778348618" 677 | 678 | [[audits.enumflags2]] 679 | who = "Ben Saunders " 680 | criteria = ["ub-risk-1", "does-not-implement-crypto"] 681 | version = "0.7.8" 682 | notes = "Reviewed in CL 603523557" 683 | 684 | [[audits.equator-macro]] 685 | who = "" 686 | criteria = ["ub-risk-4"] 687 | version = "0.4.2" 688 | notes = """Reviewed in CL 752779890 689 | The unsafe code is a transmute from a user-provided type to a user-provided type, so it is trivially unsound. Would be better if e.g. the proc macro was renamed unsafe_assert, and had a safety comment describing the preconditions. (It is currently named `assert`, and undocumented.) 
690 | """ 691 | 692 | [[audits.errno]] 693 | who = "Ben Saunders " 694 | criteria = ["ub-risk-2", "does-not-implement-crypto"] 695 | version = "0.2.8" 696 | notes = "Reviewed in CL 567624402" 697 | 698 | [[audits.error-chain]] 699 | who = "Ben Saunders " 700 | criteria = ["ub-risk-2", "does-not-implement-crypto"] 701 | version = "0.12.4" 702 | notes = "Reviewed in CL 545732008" 703 | 704 | [[audits.etcetera]] 705 | who = "Taylor Cramer " 706 | criteria = ["ub-risk-2"] 707 | version = "0.10.0" 708 | notes = "Reviewed in CL 750960146" 709 | 710 | [[audits.etherparse]] 711 | who = "Ben Saunders " 712 | criteria = ["ub-risk-1"] 713 | version = "0.18.0" 714 | notes = "Reviewed in CL 775556814" 715 | 716 | [[audits.ethnum]] 717 | who = "Ben Saunders " 718 | criteria = ["ub-risk-4"] 719 | version = "1.5.0" 720 | notes = """Reviewed in CL 624267108 721 | Issues found: 722 | - error.rs: Unsoundly transmutes into std error types, making assumptions about stability and layout 723 | - fmt.rs: GenericRadix trait should be unsafe 724 | - fmt.rs: fmt_u256 has safety comments that are incorrect 725 | """ 726 | 727 | [[audits.euclid]] 728 | who = "Taylor Cramer " 729 | criteria = ["ub-risk-1"] 730 | version = "0.22.11" 731 | notes = "Reviewed in CL 719023061" 732 | 733 | [[audits.fast-float]] 734 | who = [ 735 | "Augie Fackler ", 736 | "< manishearth@google.com>" 737 | ] 738 | criteria = ["ub-risk-4"] 739 | version = "0.2.0" 740 | notes = """Reviewed in 741 | Issues found: 742 | - https://github.com/aldanor/fast-float-rust/issues/37 (multiple issues) 743 | """ 744 | 745 | [[audits.faster-hex]] 746 | who = "Ben Saunders " 747 | criteria = ["ub-risk-4", "does-not-implement-crypto"] 748 | version = "0.8.1" 749 | notes = """Reviewed in CL 579318683 750 | Issues found: 751 | - https://github.com/nervosnetwork/faster-hex/pull/39 752 | """ 753 | 754 | [[audits.fdt]] 755 | who = "Manish Goregaokar " 756 | criteria = ["ub-risk-2"] 757 | version = "0.1.5" 758 | notes = """Reviewed in CL 
565675584 759 | No usage of unsafe; one public unsafe function with documented invariants. 760 | """ 761 | 762 | [[audits.filedescriptor]] 763 | who = "Luca Versari " 764 | criteria = ["ub-risk-2"] 765 | version = "0.8.2" 766 | notes = "Reviewed in CL 715944931" 767 | 768 | [[audits.filetime]] 769 | who = "Manish Goregaokar " 770 | criteria = ["ub-risk-3", "does-not-implement-crypto"] 771 | version = "0.2.19" 772 | notes = "Reviewed in CL 559795004" 773 | 774 | [[audits.find-msvc-tools]] 775 | who = "" 776 | criteria = ["ub-risk-3"] 777 | version = "0.1.2" 778 | notes = "Reviewed in CL 810860514" 779 | 780 | [[audits.fixedbitset]] 781 | who = "Manish Goregaokar " 782 | criteria = ["ub-risk-3"] 783 | version = "0.2.0" 784 | notes = "Reviewed in CL 559071858" 785 | 786 | [[audits.flatbuffers]] 787 | who = "Taylor Cramer " 788 | criteria = ["ub-risk-1"] 789 | version = "23.5.26" 790 | notes = "Reviewed in CL 638739860" 791 | 792 | [[audits.flate2]] 793 | who = "Manish Goregaokar " 794 | criteria = ["ub-risk-4"] 795 | version = "1.0.24" 796 | notes = """Reviewed in CL 558916134 797 | Issues found: 798 | - Uninitialized memory: https://github.com/rust-lang/flate2-rs/pull/373 799 | Minor code quality suggestions: 800 | - Defense in depth on dangling pointers (https://github.com/rust-lang/flate2-rs/issues/379) 801 | - set_len usage relies on tricky undocumented invariants (incidentally fixed by PR #373) 802 | """ 803 | 804 | [[audits.flate2]] 805 | who = "Manish Goregaokar " 806 | criteria = ["ub-risk-4"] 807 | delta = "1.0.24 -> 1.0.27" 808 | notes = """Reviewed in CL 572611911 809 | Same review as previous 810 | """ 811 | 812 | [[audits.flate2]] 813 | who = "Manish Goregaokar " 814 | criteria = ["ub-risk-3"] 815 | delta = "1.0.27 -> 1.0.28" 816 | notes = """Reviewed in CL 573223148 817 | Issues from previous review (#379, #220) fixed (PRs #380, #373). 
818 | """ 819 | 820 | [[audits.fleetspeak]] 821 | who = "Manish Goregaokar " 822 | criteria = ["ub-risk-3", "does-not-implement-crypto"] 823 | version = "0.4.0" 824 | notes = """Reviewed in CL 551181045 825 | Opens files from file descriptors obtained from potentially untrusted sources. This may be okay depending on your use case, and is a common pattern for IPC, but should be included in your project with care since opening the wrong mmaped fd may cause UB. 826 | """ 827 | 828 | [[audits.font-types]] 829 | who = "Augie Fackler " 830 | criteria = ["ub-risk-1", "does-not-implement-crypto"] 831 | version = "0.5.0" 832 | notes = "Reviewed in CL 617547813" 833 | 834 | [[audits.font-types]] 835 | who = "Ben Saunders " 836 | criteria = ["ub-risk-1", "does-not-implement-crypto"] 837 | version = "0.8.2" 838 | notes = "Reviewed in CL 718913459" 839 | 840 | [[audits.fragile]] 841 | who = "Taylor Cramer " 842 | criteria = ["ub-risk-4"] 843 | version = "2.0.0" 844 | notes = """Reviewed in CL 655309625 845 | Issues found: 846 | - https://github.com/mitsuhiko/fragile/issues/34 847 | """ 848 | 849 | [[audits.fs-set-times]] 850 | who = "Manish Goregaokar " 851 | criteria = ["ub-risk-2"] 852 | version = "0.20.3" 853 | notes = "Reviewed in CL 778504445" 854 | 855 | [[audits.fs4]] 856 | who = "" 857 | criteria = ["ub-risk-2"] 858 | version = "0.13.1" 859 | notes = "Reviewed in CL 771980548" 860 | 861 | [[audits.fsevent-sys]] 862 | who = "Manish Goregaokar " 863 | criteria = ["ub-risk-2"] 864 | version = "4.1.0" 865 | notes = """Reviewed in CL 726605958 866 | FFI crate with some simple wrappers 867 | """ 868 | 869 | [[audits.futf]] 870 | who = "Taylor Cramer " 871 | criteria = ["ub-risk-2", "does-not-implement-crypto"] 872 | version = "0.1.5" 873 | notes = "Reviewed in CL 810913099" 874 | 875 | [[audits.getifaddrs]] 876 | who = "Ben Saunders " 877 | criteria = ["ub-risk-3", "does-not-implement-crypto"] 878 | version = "0.1.5" 879 | notes = """Reviewed in CL 772629745 880 | Issues 
found: 881 | - Iterator for InterfaceIterator impl unconditionally derefs potentially-null current_unicast pointer 882 | """ 883 | 884 | [[audits.getrandom]] 885 | who = "Manish Goregaokar " 886 | criteria = ["ub-risk-3"] 887 | version = "0.3.1" 888 | notes = """Reviewed in CL 731774826 889 | Tons of unsafe for backend-specific syscalls. The MaybeUninit invariant of `fill_inner` is upheld nonlocally and is not tracked in comments. Potentially would be nicer to have `fn fill_inner(&mut [MaybeUninit<u8>]) -> &mut [u8]`, and have individual backends do their own `assume_init()` invariant-asserting comments. 890 | """ 891 | 892 | [[audits.gif]] 893 | who = "Ben Saunders " 894 | criteria = ["ub-risk-1"] 895 | version = "0.12.1" 896 | notes = "Reviewed in CL 637680029" 897 | 898 | [[audits.gimli]] 899 | who = "Manish Goregaokar " 900 | criteria = ["ub-risk-2"] 901 | version = "0.26.2" 902 | notes = """Reviewed in CL 694412583 903 | Based off of existing review for 0.31, diff reviewed was *backwards*. 904 | """ 905 | 906 | [[audits.gimli]] 907 | who = "Manish Goregaokar " 908 | criteria = ["ub-risk-2"] 909 | version = "0.31.0" 910 | notes = """Reviewed in CL 675488712 911 | Could have better documented invariants. 
912 | """ 913 | 914 | [[audits.gix]] 915 | who = "Manish Goregaokar " 916 | criteria = ["ub-risk-4"] 917 | version = "0.55.2" 918 | notes = """Reviewed in CL 581562516 919 | Issues found: 920 | - Unsafe transmute of lifetime (https://github.com/Byron/gitoxide/pull/1154) 921 | - Interrupt handler function should be unsafe 922 | """ 923 | 924 | [[audits.gix_packetline]] 925 | who = "Taylor Cramer " 926 | criteria = ["ub-risk-2"] 927 | version = "0.17.5" 928 | notes = "Reviewed in CL 651814949" 929 | 930 | [[audits.gix-attributes]] 931 | who = "" 932 | criteria = ["ub-risk-4"] 933 | version = "0.22.2" 934 | notes = """Reviewed in CL 653264864 935 | Issues found: 936 | - https://github.com/Byron/gitoxide/issues/1460 937 | """ 938 | 939 | [[audits.gix-commitgraph]] 940 | who = "Manish Goregaokar " 941 | criteria = ["ub-risk-3"] 942 | version = "0.22.0" 943 | notes = "Reviewed in CL 581562496" 944 | 945 | [[audits.gix-config-value]] 946 | who = "Manish Goregaokar " 947 | criteria = ["ub-risk-3"] 948 | version = "0.14.0" 949 | notes = "Reviewed in CL 581042137" 950 | 951 | [[audits.gix-features]] 952 | who = "Manish Goregaokar " 953 | criteria = ["ub-risk-3"] 954 | delta = "0.30.0 -> 0.40.0" 955 | notes = "Reviewed in CL 720029078" 956 | 957 | [[audits.gix-features]] 958 | who = "Ben Saunders " 959 | criteria = ["ub-risk-4", "does-not-implement-crypto"] 960 | version = "0.36.0" 961 | notes = """Reviewed in CL 580908504 962 | Issues: 963 | - Illegal mutable aliasing (https://github.com/Byron/gitoxide/pull/1115) 964 | """ 965 | 966 | [[audits.gix-filter]] 967 | who = "Taylor Cramer " 968 | criteria = ["ub-risk-2"] 969 | version = "0.11.2" 970 | notes = "Reviewed in CL 652491636" 971 | 972 | [[audits.gix-filter]] 973 | who = "Manish Goregaokar " 974 | criteria = ["ub-risk-2"] 975 | delta = "0.11.3 -> 0.13.0" 976 | notes = """Reviewed in CL 666834466 977 | No change to unsafe code 978 | """ 979 | 980 | [[audits.gix-hash]] 981 | who = "Taylor Cramer " 982 | criteria = 
["ub-risk-2"] 983 | version = "0.13.1" 984 | notes = "Reviewed in CL 580781568" 985 | 986 | [[audits.gix-index]] 987 | who = "Ben Saunders " 988 | criteria = ["ub-risk-2-thorough", "does-not-implement-crypto"] 989 | version = "0.26.0" 990 | notes = """Reviewed in CL 581562538 991 | Relies on mmap'd file being untouched externally. 992 | """ 993 | 994 | [[audits.gix-index]] 995 | who = "Manish Goregaokar " 996 | criteria = ["ub-risk-2"] 997 | delta = "0.27.1 -> 0.33.0" 998 | notes = "Reviewed in CL 636423069" 999 | 1000 | [[audits.gix-pack]] 1001 | who = "Taylor Cramer " 1002 | criteria = ["ub-risk-4"] 1003 | version = "0.44.0" 1004 | notes = """Reviewed in CL 581562540 1005 | Issues: 1006 | - https://github.com/Byron/gitoxide/pull/113 1007 | - https://github.com/Byron/gitoxide/pull/1115 1008 | - https://github.com/Byron/gitoxide/pull/1116 1009 | """ 1010 | 1011 | [[audits.gix-pack]] 1012 | who = "Manish Goregaokar " 1013 | criteria = ["ub-risk-4"] 1014 | delta = "0.44.0 -> 0.45.0" 1015 | notes = """Reviewed in CL 594331347 1016 | Issues found: 1017 | - https://github.com/Byron/gitoxide/pull/1230 1018 | - https://github.com/Byron/gitoxide/issues/1231 1019 | (previously found issues have been fixed) 1020 | """ 1021 | 1022 | [[audits.gix-ref]] 1023 | who = "Manish Goregaokar " 1024 | criteria = ["ub-risk-2-thorough"] 1025 | version = "0.38.0" 1026 | notes = "Reviewed in CL 581562488" 1027 | 1028 | [[audits.gix-ref]] 1029 | who = "Manish Goregaokar " 1030 | criteria = ["ub-risk-2"] 1031 | version = "0.47.0" 1032 | notes = """Reviewed in CL 666834467 1033 | Uses mmap, otherwise minimal use of unsafe, well commented 1034 | """ 1035 | 1036 | [[audits.gix-revision]] 1037 | who = "Taylor Cramer " 1038 | criteria = ["ub-risk-2"] 1039 | version = "0.23.0" 1040 | notes = "Reviewed in CL 581562502" 1041 | 1042 | [[audits.gix-revision]] 1043 | who = "Manish Goregaokar " 1044 | criteria = ["ub-risk-2"] 1045 | delta = "0.23.0 -> 0.24.0" 1046 | notes = "Reviewed in CL 594331337" 
1047 | 1048 | [[audits.gix-revision]] 1049 | who = "Ben Saunders " 1050 | criteria = ["ub-risk-1", "does-not-implement-crypto"] 1051 | version = "0.29.0" 1052 | notes = "Reviewed in CL 666885060" 1053 | 1054 | [[audits.gix-sec]] 1055 | who = "Taylor Cramer " 1056 | criteria = ["ub-risk-2"] 1057 | version = "0.10.0" 1058 | notes = "Reviewed in CL 581046394" 1059 | 1060 | [[audits.gix-tempfile]] 1061 | who = "Manish Goregaokar " 1062 | criteria = ["ub-risk-3"] 1063 | version = "11.0.0" 1064 | notes = "Reviewed in CL 581562529" 1065 | 1066 | [[audits.gix-tempfile]] 1067 | who = "Manish Goregaokar " 1068 | criteria = ["ub-risk-3"] 1069 | delta = "11.0.1 -> 14.0.0" 1070 | notes = "Reviewed in CL 636941982" 1071 | 1072 | [[audits.goblin]] 1073 | who = "Ben Saunders " 1074 | criteria = ["ub-risk-1"] 1075 | version = "0.8.0" 1076 | notes = "Reviewed in CL 642006818" 1077 | 1078 | [[audits.half]] 1079 | who = "Ben Saunders " 1080 | criteria = ["ub-risk-3", "does-not-implement-crypto"] 1081 | version = "1.8.2" 1082 | notes = """Reviewed in CL 590192561 1083 | Issues found: 1084 | - The `set_len`s in slice.rs and vec.rs are premature and create uninitialized vectors 1085 | - (internal safety) f16x4_to_f32x4 and f16x4_to_f32x4_x86_f16c do not enforce i.len() > 4. 
Should be marked unsafe 1086 | (no issues filed, all of the issues appear to be fixed on GitHub main) 1087 | """ 1088 | 1089 | [[audits.half]] 1090 | who = "Ben Saunders " 1091 | criteria = ["ub-risk-1"] 1092 | version = "1.8.3" 1093 | notes = "Reviewed in CL 590192561" 1094 | 1095 | [[audits.half]] 1096 | who = "Ben Saunders " 1097 | criteria = ["ub-risk-1"] 1098 | version = "2.4.0" 1099 | notes = "Reviewed in CL 610738461" 1100 | 1101 | [[audits.halfbrown]] 1102 | who = "Augie Fackler " 1103 | criteria = ["ub-risk-4"] 1104 | version = "0.2.5" 1105 | notes = "Reviewed in CL 659834502" 1106 | 1107 | [[audits.hashlink]] 1108 | who = "" 1109 | criteria = ["ub-risk-2"] 1110 | version = "0.9.0" 1111 | notes = "Reviewed in CL 649389159" 1112 | 1113 | [[audits.highway]] 1114 | who = "Taylor Cramer " 1115 | criteria = ["ub-risk-2", "does-not-implement-crypto"] 1116 | version = "1.3.0" 1117 | notes = "Reviewed in CL 794944624" 1118 | 1119 | [[audits.home]] 1120 | who = "Manish Goregaokar " 1121 | criteria = ["ub-risk-2"] 1122 | version = "0.5.4" 1123 | notes = "Reviewed in CL 559796554" 1124 | 1125 | [[audits.home]] 1126 | who = "Augie Fackler " 1127 | criteria = ["ub-risk-2", "does-not-implement-crypto"] 1128 | delta = "0.5.4 -> 0.5.5" 1129 | notes = "Reviewed in CL 566644164" 1130 | 1131 | [[audits.hoot]] 1132 | who = "Ben Saunders " 1133 | criteria = ["ub-risk-3", "does-not-implement-crypto"] 1134 | version = "0.1.3" 1135 | notes = """Reviewed in CL 607320079 1136 | Issues found: 1137 | - https://github.com/algesten/hoot/issues/2 (fixed in https://github.com/algesten/hoot/pull/3) 1138 | """ 1139 | 1140 | [[audits.hoot]] 1141 | who = "Ben Saunders " 1142 | criteria = ["ub-risk-1", "does-not-implement-crypto"] 1143 | version = "0.1.4" 1144 | notes = "Reviewed in CL 607320079" 1145 | 1146 | [[audits.hostname]] 1147 | who = "Augie Fackler " 1148 | criteria = ["ub-risk-2"] 1149 | version = "0.4.0" 1150 | notes = "Reviewed in CL 707926879" 1151 | 1152 | [[audits.hound]] 1153 
| who = "Manish Goregaokar " 1154 | criteria = ["ub-risk-4"] 1155 | version = "3.5.0" 1156 | notes = """Reviewed in CL 564508706 1157 | Issues found: 1158 | - https://github.com/ruuda/hound/pull/58 1159 | """ 1160 | 1161 | [[audits.html-escape]] 1162 | who = "Ben Saunders " 1163 | criteria = ["ub-risk-4", "does-not-implement-crypto"] 1164 | version = "0.2.13" 1165 | notes = """Reviewed in CL 612354454 1166 | Issues found: 1167 | - decode_impl macro should have "unsafe" in its name and document the safety at callsites 1168 | - write_hex_to_vec: The Vec::set_len is UB and should only be called after filling the buffer. 1169 | """ 1170 | 1171 | [[audits.http]] 1172 | who = "Taylor Cramer " 1173 | criteria = ["ub-risk-2"] 1174 | version = "1.49.0" 1175 | notes = "Reviewed in CL 588379811" 1176 | 1177 | [[audits.httparse]] 1178 | who = "Ben Saunders " 1179 | criteria = ["ub-risk-4"] 1180 | delta = "1.8.0 -> 1.9.4" 1181 | notes = """Reviewed in CL 648994349 1182 | Issues found: 1183 | - https://github.com/seanmonstar/httparse/issues/177 1184 | - Parsing code would be improved with an API that combines peeking and advancing 1185 | """ 1186 | 1187 | [[audits.hyper]] 1188 | who = [ 1189 | "Manish Goregaokar ", 1190 | "Augie Fackler " 1191 | ] 1192 | criteria = ["ub-risk-4"] 1193 | version = "1.0.1" 1194 | notes = """Reviewed in CL 588384310 1195 | Issues found: 1196 | - https://github.com/hyperium/hyper/pull/3498 1197 | - https://github.com/hyperium/hyper/issues/3556 1198 | - https://github.com/hyperium/hyper/issues/3500 1199 | (probably not a real issue) 1200 | - https://github.com/hyperium/hyper/issues/3554 (documentation) 1201 | """ 1202 | 1203 | [[audits.hyper-util]] 1204 | who = "Ben Saunders " 1205 | criteria = ["ub-risk-2"] 1206 | version = "0.1.3" 1207 | notes = "Reviewed in CL 605631967" 1208 | 1209 | [[audits.igvm]] 1210 | who = "Ben Saunders " 1211 | criteria = ["ub-risk-1"] 1212 | version = "0.3.0" 1213 | notes = "Reviewed in CL 660125968" 1214 | 1215 | 
[[audits.image]] 1216 | who = "Taylor Cramer " 1217 | criteria = ["ub-risk-2"] 1218 | version = "0.24.6" 1219 | notes = "Reviewed in CL 559198279" 1220 | 1221 | [[audits.imara_diff]] 1222 | who = "Taylor Cramer " 1223 | criteria = ["ub-risk-2"] 1224 | version = "0.1.7" 1225 | notes = "Reviewed in CL 657293942" 1226 | 1227 | [[audits.imara-diff]] 1228 | who = "Taylor Cramer " 1229 | criteria = ["ub-risk-4"] 1230 | version = "0.1.5" 1231 | notes = "Reviewed in CL 581562578" 1232 | 1233 | [[audits.indexmap]] 1234 | who = "Taylor Cramer " 1235 | criteria = ["ub-risk-2"] 1236 | version = "2.2.6" 1237 | notes = "Reviewed in CL 629033781" 1238 | 1239 | [[audits.inotify]] 1240 | who = "Manish Goregaokar " 1241 | criteria = ["ub-risk-2"] 1242 | version = "0.9.6" 1243 | notes = "Reviewed in CL 562731461" 1244 | 1245 | [[audits.inst]] 1246 | who = "Manish Goregaokar " 1247 | criteria = ["ub-risk-2"] 1248 | delta = "1.40.0 -> 1.41.1" 1249 | notes = """Reviewed in CL 698174008 1250 | One usage of unsafe, could have safety comments 1251 | """ 1252 | 1253 | [[audits.insta]] 1254 | who = "Taylor Cramer " 1255 | criteria = ["ub-risk-1"] 1256 | version = "1.29.0" 1257 | notes = "Reviewed in CL 554440331" 1258 | 1259 | [[audits.insta]] 1260 | who = "Manish Goregaokar " 1261 | criteria = ["ub-risk-2"] 1262 | version = "1.42.0" 1263 | notes = """Reviewed in CL 718829060 1264 | Only use of unsafe is bind_async, which does a straightforward projection. 
Can be removed with https://github.com/mitsuhiko/insta/pull/711
"""

[[audits.intaglio]]
who = ""
criteria = ["ub-risk-2"]
version = "1.11.0"
notes = "Reviewed in CL 821787257"

[[audits.intrusive-collections]]
who = "Taylor Cramer "
criteria = ["ub-risk-3"]
version = "0.9.6"
notes = "Reviewed in CL 638226392"

[[audits.io-close]]
who = "Taylor Cramer "
criteria = ["ub-risk-2"]
version = "0.3.7"
notes = "Reviewed in CL 733421084"

[[audits.io-extras]]
who = "Luca Versari "
criteria = ["ub-risk-2"]
version = "0.18.4"
notes = "Reviewed in CL 799517019"

[[audits.is_executable]]
who = "Taylor Cramer "
criteria = ["ub-risk-2"]
version = "1.0.4"
notes = "Reviewed in CL 696533953"

[[audits.is-terminal]]
who = "Luca Versari "
criteria = ["ub-risk-2"]
version = "0.4.13"
notes = "Reviewed in CL 666758546"

[[audits.isolang]]
who = "Taylor Cramer "
criteria = ["ub-risk-2"]
version = "2.4.0"
notes = "Reviewed in CL 710664600"

[[audits.itertools]]
who = "Ben Saunders "
criteria = ["ub-risk-1", "does-not-implement-crypto"]
version = "0.11.0"
notes = "Reviewed in CL 566337310"

[[audits.itoap]]
who = "Augie Fackler "
criteria = ["ub-risk-2"]
version = "1.0.1"
notes = "Reviewed in CL 649662185"

[[audits.jaq]]
who = ""
criteria = ["ub-risk-3"]
version = "2.2.0"
notes = "Reviewed in CL 778639304"

[[audits.jiff]]
who = "Taylor Cramer "
criteria = ["ub-risk-2"]
version = "0.1.0"
notes = "Reviewed in CL 666672133"

[[audits.jiff]]
who = "Manish Goregaokar "
criteria = ["ub-risk-2"]
delta = "0.1.0 
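-> 0.1.24"
notes = """Reviewed in CL 717066700
New Android system APIs, otherwise no change to unsafe code since last review
"""

[[audits.jiter]]
who = "Ben Saunders "
criteria = ["ub-risk-2", "does-not-implement-crypto"]
version = "0.0.6"
notes = "Reviewed in CL 615051835"

# NOTE(review): `jj_cli` (0.11.0, 0.8.0), `jj_lib` and `jj-cli` (0.8.0) mix
# underscore and hyphen spellings of the same crate family; audit entries are
# matched by exact package name, so only the spelling equal to the crate's
# registered name is effective. Confirm the canonical names and merge.
[[audits.jj_cli]]
who = "Taylor Cramer "
criteria = ["ub-risk-2"]
version = "0.11.0"
notes = "Reviewed in CL 586453800"

[[audits.jj_cli]]
who = "Taylor Cramer "
criteria = ["ub-risk-1"]
version = "0.8.0"
notes = "Reviewed in CL 558944141"

[[audits.jj_lib]]
who = "Taylor Cramer "
criteria = ["ub-risk-2"]
version = "0.11.0"
notes = "Reviewed in CL 586453800"

[[audits.jj-cli]]
who = "Ben Saunders "
criteria = ["ub-risk-2", "does-not-implement-crypto"]
version = "0.8.0"
notes = "Reviewed in CL 554583176"

[[audits.js-sys]]
who = "Taylor Cramer "
criteria = ["ub-risk-2"]
version = "0.3.69"
notes = "Reviewed in CL 652404154"

[[audits.js-sys]]
who = "Manish Goregaokar "
criteria = ["ub-risk-2"]
delta = "0.3.69 -> 0.3.70"
notes = """Reviewed in CL 696447614
Minor changes since last review
"""

[[audits.json_writer]]
who = "Augie Fackler "
criteria = ["ub-risk-2"]
version = "0.4.0"
notes = "Reviewed in CL 809112751"

# NOTE(review): the notes field below ends after "Reviewed in " — the review
# reference is missing, so this ub-risk-1 rating cannot be traced back to a
# review. Fill in the CL (or external review link) before relying on it.
[[audits.jxl]]
who = "Joshua Liebow-Feeser "
criteria = ["ub-risk-1"]
version = "0.1.1"
notes = "Reviewed in "

[[audits.kamadak-exif]]
who = "Ben Saunders "
criteria = ["ub-risk-1", "does-not-implement-crypto"]
version = "0.6.1"
notes = "Reviewed in CL 827439468"

[[audits.keccak]]
who = "Manish Goregaokar "
criteria = 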
["ub-risk-2"]
version = "0.1.5"
notes = "Reviewed in CL 636605237"

[[audits.kstring]]
who = ""
criteria = ["ub-risk-3"]
version = "2.0.0"
notes = """Reviewed in CL 653263733
Issues found:
- Should use repr(C) union to get correct layout: https://github.com/cobalt-org/kstring/pull/77.
- Ideally the HeapStr trait should be unsafe, but this is a local issue since the trait is sealed.
"""

[[audits.kstring]]
who = ""
criteria = ["ub-risk-2"]
delta = "2.0.0 -> 2.0.1"
notes = "Reviewed in CL 655475274"

[[audits.kvm-ioctls]]
who = "Manish Goregaokar "
criteria = ["ub-risk-3"]
version = "0.14.0"
notes = "Reviewed in CL 549307303"

[[audits.kvm-ioctls]]
who = "Manish Goregaokar "
criteria = ["ub-risk-3"]
version = "0.14.0"
notes = "Reviewed in CL 565655079"

[[audits.kvm-ioctls]]
who = "Manish Goregaokar "
criteria = ["ub-risk-3"]
delta = "0.15.0 -> 0.17.0"
notes = "Reviewed in CL 634689649"

[[audits.lab]]
who = "Augie Fackler "
criteria = ["ub-risk-2"]
version = "0.11.0"
notes = "Reviewed in CL 716390760"

[[audits.lebe]]
who = "Luca Versari "
criteria = ["ub-risk-3"]
version = "0.5.2"
notes = "Reviewed in CL 793627519"

[[audits.lexical]]
who = "Taylor Cramer "
criteria = ["ub-risk-4", "does-not-implement-crypto"]
version = "6.1.1"
notes = """Reviewed in CL 545304248
Many issues found across the `lexical` family of crates:
- https://github.com/Alexhuszagh/rust-lexical/pull/103
- https://github.com/Alexhuszagh/rust-lexical/issues/104
- https://github.com/Alexhuszagh/rust-lexical/issues/101
- https://github.com/Alexhuszagh/rust-lexical/issues/95
- Beyond the above 
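issues, review was not completed on the unchecked indexing
"""

# NOTE(review): the `lexical` family below mixes underscore names
# (lexical_parse_integer, lexical_util, lexical_write_float) with hyphen names
# (lexical-core, lexical-write-integer). Audit entries are matched by exact
# package name, so the underscore-spelled entries are presumably not applied to
# the crates they describe — confirm the registered names and rename.
# Separately, `lexical_parse_integer` 0.8.6 appears twice with different CLs
# (545304272 and 545304281); one may have been meant for a sibling crate of
# the family — confirm against the CLs.
[[audits.lexical_parse_integer]]
who = "Ben Saunders "
criteria = ["ub-risk-4", "does-not-implement-crypto"]
version = "0.8.6"
notes = """Reviewed in CL 545304272
See notes on lexical crate.
"""

[[audits.lexical_parse_integer]]
who = "Ben Saunders "
criteria = ["ub-risk-4", "does-not-implement-crypto"]
version = "0.8.6"
notes = """Reviewed in CL 545304281
See notes on lexical crate.
"""

[[audits.lexical_util]]
who = "Manish Goregaokar "
criteria = ["ub-risk-4", "does-not-implement-crypto"]
version = "0.8.5"
notes = """Reviewed in CL 545304267
See notes on lexical crate.
"""

[[audits.lexical_write_float]]
who = "Manish Goregaokar "
criteria = ["ub-risk-4", "does-not-implement-crypto"]
version = "0.8.5"
notes = """Reviewed in CL 545304258
See notes on lexical crate.
"""

[[audits.lexical-core]]
who = "Manish Goregaokar "
criteria = ["ub-risk-3", "does-not-implement-crypto"]
version = "0.8.5"
notes = """Reviewed in CL 545304290
See notes on lexical crate.
"""

[[audits.lexical-write-integer]]
who = "Manish Goregaokar "
criteria = ["ub-risk-4", "does-not-implement-crypto"]
version = "0.8.5"
notes = """Reviewed in CL 545304293
See notes on lexical crate. 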
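"""

[[audits.libafl_bolts]]
who = "Luca Versari "
criteria = ["ub-risk-4"]
version = "0.14.1"
notes = "Reviewed in CL 752209217"

[[audits.libc]]
who = "Ben Saunders "
criteria = ["ub-risk-4"]
delta = "0.2.150 -> 0.2.153"
notes = "Reviewed in CL 622219230"

[[audits.libc-print]]
who = "Luca Versari "
criteria = ["ub-risk-2"]
version = "0.1.20"
notes = "Reviewed in CL 779126414"

# NOTE(review): `libfuzz-sys` is presumably a misspelling of `libfuzzer-sys`
# (the next entry): the issue links point at the rust-fuzz/libfuzzer repository
# and the delta 0.4.4 -> 0.4.5 precedes the libfuzzer-sys 0.4.7 audit. As
# written this delta audit applies to no crate — confirm against CL 562889777.
[[audits.libfuzz-sys]]
who = "Taylor Cramer "
criteria = ["ub-risk-3"]
delta = "0.4.4 -> 0.4.5"
notes = """Reviewed in CL 562889777
Issues found:
- https://github.com/rust-fuzz/libfuzzer/issues/112
- https://github.com/rust-fuzz/libfuzzer/issues/113
"""

[[audits.libfuzzer-sys]]
who = "Ben Saunders "
criteria = ["ub-risk-1", "does-not-implement-crypto"]
version = "0.4.7"
notes = "Reviewed in CL 564731033"

[[audits.libloading]]
who = "Taylor Cramer "
criteria = ["ub-risk-2"]
version = "0.8.0"
notes = "Reviewed in CL 562765830"

[[audits.liblzma]]
who = "Luca Versari "
criteria = ["ub-risk-2"]
version = "0.4.1"
notes = "Reviewed in CL 767514298"

[[audits.liblzma-sys]]
who = "Luca Versari "
criteria = ["ub-risk-3"]
version = "0.4.3"
notes = "Reviewed in CL 767507325"

[[audits.libproc]]
who = "Taylor Cramer "
criteria = ["ub-risk-4"]
version = "0.14.8"
notes = """Reviewed in CL 650620517
Issues found:
- `pidinfo` buffer is inferred as `c_void` and is therefore too small
- `PIDFDInfo` and `PIDRUsage` should be `unsafe trait`s
"""

[[audits.libshpool]]
who = "Manish Goregaokar "
criteria = ["ub-risk-2"]
version = "0.3.3"
notes = 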
"Reviewed in CL 580903771"

[[audits.libshpool]]
who = "Manish Goregaokar "
criteria = ["ub-risk-2"]
version = "0.5.0"
notes = "Reviewed in CL 609436265"

[[audits.libsqlite3-sys]]
who = ""
criteria = ["ub-risk-2"]
version = "0.28.0"
notes = "Reviewed in CL 649389160"

[[audits.line-index]]
who = "Taylor Cramer "
criteria = ["ub-risk-2"]
version = "0.1.0"
notes = "Reviewed in CL 562882288"

[[audits.line-index]]
who = "Ben Saunders "
criteria = ["ub-risk-2"]
version = "0.1.1"
notes = "Reviewed in CL 599482318"

[[audits.linkme]]
who = "Luca Versari "
criteria = ["ub-risk-4"]
version = "0.3.32"
notes = "Reviewed in CL 758190959"

[[audits.linkme-impl]]
who = "Luca Versari "
criteria = ["ub-risk-4"]
version = "0.3.32"
notes = "Reviewed in CL 758190960 (but see the review for linkme)"

[[audits.linux-loader]]
who = "Taylor Cramer "
criteria = ["ub-risk-2", "does-not-implement-crypto"]
version = "0.9.0"
notes = "Reviewed in CL 548095317"

[[audits.linux-loader]]
who = "Manish Goregaokar "
criteria = ["ub-risk-2"]
delta = "0.9.0 -> 0.10.0"
notes = "Reviewed in CL 600836074"

[[audits.linux-raw-sys]]
who = "Ben Saunders "
criteria = ["ub-risk-2", "does-not-implement-crypto"]
version = "0.4.10"
notes = "Reviewed in CL 581059097"

[[audits.lock_api]]
who = "Taylor Cramer "
criteria = ["ub-risk-2"]
delta = "0.4.9 -> 0.4.10"
notes = "Reviewed in CL 563851550"

[[audits.log]]
who = "Ben Saunders "
criteria = ["ub-risk-1", "does-not-implement-crypto"]
version = "0.4.20"
notes = "Reviewed in CL 563853923"

[[audits.logos]]
who = ""
criteria = ["ub-risk-0"]
version = "0.15.0"
notes = "Reviewed in CL 742874864"

[[audits.logos-codegen]]
who = "Taylor Cramer "
criteria = ["ub-risk-2"]
version = "0.15.0"
notes = "Reviewed in CL 742874863"

[[audits.mac_address]]
who = "Manish Goregaokar "
criteria = ["ub-risk-2"]
version = "1.1.7"
notes = """Reviewed in CL 718900394
winapi code
"""

[[audits.malloced]]
who = "Ben Saunders "
criteria = ["ub-risk-2"]
version = "1.3.1"
notes = "Reviewed in CL 604812730"

[[audits.matchers]]
who = "Manish Goregaokar "
criteria = ["ub-risk-2"]
version = "0.1.0"
notes = """Reviewed in CL 639804665
Has relatively straightforward invariant, but invariant could be documented further. Filed PR: https://github.com/hawkw/matchers/pull/9
"""

[[audits.mathcal]]
who = "Luca Versari "
criteria = ["ub-risk-3"]
version = "0.6.9"
notes = "Reviewed in CL 770938969"

[[audits.memchr]]
who = "Manish Goregaokar "
criteria = ["ub-risk-2", "does-not-implement-crypto"]
version = "2.6.3"
notes = """Reviewed in CL 563868651
Second review would be appreciated. 
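"""

[[audits.memfd]]
who = "Ben Saunders "
criteria = ["ub-risk-2", "does-not-implement-crypto"]
version = "0.6.4"
notes = "Reviewed in CL 703568697"

[[audits.memoffset]]
who = "Taylor Cramer "
criteria = ["ub-risk-3"]
version = "0.9.0"
notes = "Reviewed in CL 555491937"

[[audits.merlin]]
who = "Ben Saunders "
criteria = ["ub-risk-4"]
version = "3.0.0"
notes = """Reviewed in CL 660103172
Issues found:
- https://github.com/zkcrypto/merlin/pull/7
"""

[[audits.minifier]]
who = "Manish Goregaokar "
criteria = ["ub-risk-4"]
version = "0.2.3"
notes = """Reviewed in CL 577203072
Issues found:
- https://github.com/GuillaumeGomez/minifier-rs/issues/105
"""

[[audits.mmx]]
who = ""
criteria = ["ub-risk-3"]
version = "0.1.32"
notes = "Reviewed in CL 769615692"

[[audits.nanorand]]
who = "Ben Saunders "
criteria = ["ub-risk-1", "does-not-implement-crypto"]
version = "0.7.0"
notes = "Reviewed in CL 562503105"

[[audits.netlink-packet-core]]
who = "Manish Goregaokar "
criteria = ["ub-risk-0"]
version = "0.7.0"
notes = "Reviewed in CL 772208218"

[[audits.netlink-sys]]
who = "Ben Saunders "
criteria = ["ub-risk-2", "does-not-implement-crypto"]
version = "0.8.0"
notes = "Reviewed in CL 772197803"

# The delta audit below deliberately rates higher (ub-risk-3) than the
# 0.26.2 version audit that follows it; the reviewer's reasoning is in the
# notes. Typo fixed: "once" -> "one".
[[audits.nix]]
who = "Manish Goregaokar "
criteria = ["ub-risk-3"]
delta = "0.26.1 -> 0.28.0"
notes = """Reviewed in CL 622222105
(The rating differs from the previous one since I feel that the crate needs much more safety comments)
"""

[[audits.nix]]
who = "Taylor Cramer "
criteria = ["ub-risk-2"]
version = "0.26.2"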
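notes = "Reviewed in CL 552861153"

[[audits.notify]]
who = "Taylor Cramer "
criteria = ["ub-risk-2"]
version = "6.1.1"
notes = "Reviewed in CL 562731464"

[[audits.nu_ansi_term]]
who = "Taylor Cramer "
criteria = ["ub-risk-2"]
version = "0.49.0"
notes = "Reviewed in CL 585090965"

[[audits.num_enum_derive]]
who = "Taylor Cramer "
criteria = ["ub-risk-2"]
version = "0.7.2"
notes = "Reviewed in CL 647708155"

# NOTE(review): `num_traits` is spelled with an underscore here while the
# neighbouring `num-bigint-dig` uses hyphens. Audit entries are matched by
# exact package name, so if the crate is registered with a hyphen these two
# entries (the 0.2.15 base and the 0.2.15 -> 0.2.16 delta) are never applied —
# confirm the registered name and rename both together.
[[audits.num_traits]]
who = "Manish Goregaokar "
criteria = ["ub-risk-2"]
version = "0.2.15"
notes = "Reviewed in CL 558869499"

[[audits.num_traits]]
who = "Taylor Cramer "
criteria = ["ub-risk-2"]
delta = "0.2.15 -> 0.2.16"
notes = "Reviewed in CL 562140156"

[[audits.num-bigint-dig]]
who = "Manish Goregaokar "
criteria = ["ub-risk-3"]
version = "0.8.4"
notes = """Reviewed in CL 598457101
Issues found:
- to_str_radix_reversed is required to return a valid string by unsafe code, but this is not documented, nor is it easy to verify. 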
It should probably return a String (at least internally), and have better safety documentation, or a double check when converting from UTF8
"""

[[audits.numpy]]
who = ""
criteria = ["ub-risk-4"]
delta = "0.20.0 -> 0.21.0"
notes = """Reviewed in CL 683848897
Issues found:
- to_owned_array needs to be unsafe as it can introduce aliasing UB
- Review incomplete: pervasive undocumented unsafety
"""

[[audits.object]]
who = "Manish Goregaokar "
criteria = ["ub-risk-1"]
version = "0.32.0"
notes = "Reviewed in CL 558738698"

[[audits.os_pipe]]
who = "Manish Goregaokar "
criteria = ["ub-risk-2"]
version = "1.2.1"
notes = "Reviewed in CL 715231802"

[[audits.owo-colors]]
who = "Manish Goregaokar "
criteria = ["ub-risk-4"]
version = "3.5.0"
notes = """Reviewed in CL 683999019
Issues found:
- Unsafe code relies on const promotion. This *may* actually be sound in a const context, however it's not a huge deal since it's easy to patch: https://github.com/jam1garner/owo-colors/pull/131
"""

[[audits.owo-colors]]
who = "Manish Goregaokar "
criteria = ["ub-risk-4"]
version = "4.1.0"
notes = """Reviewed in CL 683999019
Issues found:
- Unsafe code relies on const promotion. 
This *may* actually be sound in a const context, however it's not a huge deal since it's easy to patch: https://github.com/jam1garner/owo-colors/pull/131
"""

[[audits.p9]]
who = "Taylor Cramer "
criteria = ["ub-risk-2"]
version = "0.3.2"
notes = "Reviewed in CL 713823916"

[[audits.parquet]]
who = "Manish Goregaokar "
criteria = ["ub-risk-4"]
version = "51.0.0"
notes = "Reviewed in CL 642798209"

[[audits.parquet]]
who = "Augie Fackler "
criteria = ["ub-risk-2", "does-not-implement-crypto"]
version = "54.0.0"
notes = """Reviewed in CL 712680846
Skipped all the `arrow` parts of this crate as we won't use them.
"""

[[audits.partial-io]]
who = "Luca Versari "
criteria = ["ub-risk-2"]
version = "0.5.4"
notes = "Reviewed in CL 767496248"

[[audits.pcap]]
who = ""
criteria = ["ub-risk-3"]
version = "2.2.0"
notes = "Reviewed in CL 772184300"

[[audits.perf_event]]
who = "Taylor Cramer "
criteria = ["ub-risk-2"]
version = "0.4.8"
notes = "Reviewed in CL 583996666"

[[audits.perf-event-open-sys]]
who = "Taylor Cramer "
criteria = ["ub-risk-2"]
version = "4.0.0"
notes = "Reviewed in CL 583996664"

[[audits.petgraph]]
who = "Taylor Cramer "
criteria = ["ub-risk-3"]
version = "0.5.1"
notes = """Reviewed in CL 558142733
Issues found:
- https://github.com/petgraph/petgraph/pull/404
- https://github.com/petgraph/petgraph/issues/582
"""

[[audits.planus]]
who = "Taylor Cramer "
criteria = ["ub-risk-3"]
version = "0.3.1"
notes = """Reviewed in CL 702424963
Issues found:
- Some traits should be unsafe https://github.com/planus-org/planus/issues/276
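"""

[[audits.polars]]
who = "Manish Goregaokar "
criteria = ["ub-risk-0"]
version = "0.38.3"
notes = """Reviewed in CL 645917709
No unsafe code outside of tests.
"""

[[audits.polars-arrow-format]]
who = "Taylor Cramer "
criteria = ["ub-risk-2"]
version = "0.1.0"
notes = "Reviewed in CL 703108664"

[[audits.polars-ffi]]
who = ""
criteria = ["ub-risk-2"]
version = "0.48.1"
notes = "Reviewed in CL 774758919"

[[audits.polars-io]]
who = "Manish Goregaokar "
criteria = ["ub-risk-4"]
version = "0.38.3"
notes = """Reviewed in CL 645900171
No actual unsoundness was found, however this crate was rather hard to review, with a lot of usages of unsafe in the CSV parser that seemed gratuitous, and uncommented. Rating can be lowered when someone can find the time to review this.
"""

# "Issues found:" capitalised to match the heading used by every other entry.
[[audits.polars-json]]
who = "Manish Goregaokar "
criteria = ["ub-risk-4"]
version = "0.38.3"
notes = """Reviewed in CL 671839126
Issues found:
- Unsafe code relies on entirely undocumented invariants pervasive in code around only ever producing UTF8 bytes. 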
Code should be updated to use `&mut String`
- https://github.com/pola-rs/polars/pull/18725
"""

[[audits.polars-parquet]]
who = "Taylor Cramer "
criteria = ["ub-risk-3"]
version = "0.44.2"
notes = "Reviewed in CL 704268862"

[[audits.polars-plan]]
who = "Ben Saunders "
criteria = ["ub-risk-4"]
version = "0.38.3"
notes = """Reviewed in CL 653608525
Issues found:
- Unprotected public `static mut`s read in safe code
- Review incomplete: pervasive undocumented unsafety
"""

[[audits.polars-row]]
who = "Augie Fackler "
criteria = ["ub-risk-3"]
version = "0.38.3"
notes = "Reviewed in CL 644011025"

[[audits.polars-stream]]
who = ""
criteria = ["ub-risk-4"]
version = "0.48.1"
notes = "Reviewed in CL 771500385"

[[audits.polars-time]]
who = "Taylor Cramer "
criteria = ["ub-risk-4"]
version = "0.38.3"
notes = """Reviewed in CL 645900204
mem::transmute of ParseError is unsound and unnecessary. 
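"""

# NOTE(review): this ub-risk-2 entry for polars-time 0.38.3 comes from the same
# reviewer and the same CL (645900204) as the ub-risk-4 entry immediately
# before it, whose notes call a mem::transmute unsound. Both entries are live,
# so a policy requiring ub-risk-2 is presumably satisfied for this version
# despite the recorded unsoundness. Confirm which rating is intended and drop
# the stale one.
[[audits.polars-time]]
who = "Taylor Cramer "
criteria = ["ub-risk-2"]
version = "0.38.3"
notes = "Reviewed in CL 645900204"

[[audits.polars-utils]]
who = "Augie Fackler "
criteria = ["ub-risk-2", "does-not-implement-crypto"]
version = "0.38.3"
notes = "Reviewed in CL 636679479"

[[audits.pollster]]
who = "Manish Goregaokar "
criteria = ["ub-risk-2"]
version = "0.3.0"
notes = """Reviewed in CL 581562576
Usage of unsafe is fine, but crate can be 100% safe: https://github.com/zesterer/pollster/pull/23
"""

[[audits.portable-atomic-util]]
who = "Taylor Cramer "
criteria = ["ub-risk-1"]
version = "0.2.4"
notes = "Reviewed in CL 772168486"

[[audits.postcard]]
who = "Manish Goregaokar "
criteria = ["ub-risk-2"]
delta = "1.0.10 -> 1.1.1"
notes = "Reviewed in CL 707054899"

[[audits.postcard]]
who = "Manish Goregaokar "
criteria = ["ub-risk-2"]
delta = "1.0.2 -> 1.0.10"
notes = "Reviewed in CL 698047950"

[[audits.powerfmt]]
who = "Taylor Cramer "
criteria = ["ub-risk-1"]
version = "0.2.0"
notes = "Reviewed in CL 578897702"

[[audits.process-wrap]]
who = "Augie Fackler "
criteria = ["ub-risk-3"]
version = "8.0.2"
notes = "Reviewed in CL 640811587"

[[audits.proptest]]
who = "Manish Goregaokar "
criteria = ["ub-risk-3"]
version = "0.10.1"
notes = """Reviewed in CL 615011355
Not safe with hardware_rng feature on platforms without RDRAND support. 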
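Should bubble up the invariant or have a feature test assertion
"""

# NOTE(review): `pulldown_cmark` (0.8.0) and `pulldown-cmark` (0.9.3) are two
# spellings of one crate; audit entries are matched by exact package name, so
# only the spelling equal to the registered name is effective — confirm and
# merge under the canonical name.
[[audits.pulldown_cmark]]
who = "Manish Goregaokar "
criteria = ["ub-risk-2"]
version = "0.8.0"
notes = "Reviewed in CL 669013210"

[[audits.pulldown-cmark]]
who = "Manish Goregaokar "
criteria = ["ub-risk-2"]
version = "0.9.3"
notes = "Reviewed in CL 555491415"

[[audits.pulldown-cmark-escape]]
who = "Augie Fackler "
criteria = ["ub-risk-2"]
version = "0.11.0"
notes = "Reviewed in CL 658107045"

[[audits.pulldown-latex]]
who = "Manish Goregaokar "
criteria = ["ub-risk-2"]
version = "0.7.1"
notes = """Reviewed in CL 764665483
Ideally can use fmt::Writer instead of io::Writer.
"""

[[audits.pyo3_macros]]
who = "Taylor Cramer "
criteria = ["ub-risk-0"]
version = "0.20.3"
notes = "Reviewed in CL 616043931"

[[audits.pyo3_macros_backend]]
who = "Taylor Cramer "
criteria = ["ub-risk-2"]
version = "0.23.1"
notes = "Reviewed in CL 697590460"

[[audits.ra_ap_ide_db]]
who = ""
criteria = ["ub-risk-2"]
version = "0.0.241"
notes = "Reviewed in CL 694853573"

[[audits.ra_ap_proc_macro_srv]]
who = ""
criteria = ["ub-risk-4"]
version = "0.0.241"
notes = """Reviewed in CL 719871627
Issues found:
- https://github.com/rust-lang/rust-analyzer/issues/19342
"""

[[audits.ra_ap_rust-analyzer]]
who = "Ben Saunders "
criteria = ["ub-risk-2", "does-not-implement-crypto"]
version = "0.0.241"
notes = "Reviewed in CL 694923973"

[[audits.ra_ap_rustc_abi]]
who = "Taylor Cramer "
criteria = ["ub-risk-2"]
version = "0.75.0"
notes = "Reviewed in CL 693823235"
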
[[audits.ra_ap_salsa]]
who = "Luca Versari "
criteria = ["ub-risk-2"]
version = "0.0.241"
notes = "Reviewed in CL 694114488"

[[audits.ra_ap_stdx]]
who = "Taylor Cramer "
criteria = ["ub-risk-2"]
version = "0.0.241"
notes = "Reviewed in CL 694057205"

[[audits.radix_fmt]]
who = "Manish Goregaokar "
criteria = ["ub-risk-2"]
version = "1.0.0"
notes = """Reviewed in CL 762469621
One use of unsafe to build up an ASCII alphanumeric string.
"""

[[audits.rand]]
who = "Ben Saunders "
criteria = ["ub-risk-1"]
version = "0.9.1"
notes = "Reviewed in CL 755137509"

[[audits.rand_xorshift]]
who = "Augie Fackler "
criteria = ["ub-risk-2", "does-not-implement-crypto"]
version = "0.2.0"
notes = "Reviewed in CL 615005895"

[[audits.read-fonts]]
who = "Taylor Cramer "
criteria = ["ub-risk-1"]
version = "0.15.6"
notes = "Reviewed in CL 611302616"

[[audits.realfft]]
who = "Taylor Cramer "
criteria = ["ub-risk-2"]
version = "3.3.0"
notes = "Reviewed in CL 564478712"

[[audits.ref-cast]]
who = "Taylor Cramer "
criteria = ["ub-risk-2"]
version = "1.0.20"
notes = "Reviewed in CL 585449372"

[[audits.ref-cast-impl]]
who = "Manish Goregaokar "
criteria = ["ub-risk-2"]
version = "1.0.20"
notes = "Reviewed in CL 585449373"

[[audits.referencing]]
who = "Manish Goregaokar "
criteria = ["ub-risk-4"]
version = "0.29.1"
notes = """Reviewed in CL 831131871
This crate seems to use unsafe code in a very underdocumented way to achieve self-referencing. Self-referencing is very tricky to get right, and while I'm not 100% sure I think this crate does it wrong. 
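https://github.com/Stranger6667/jsonschema/issues/851
"""

# NOTE(review): `regex_automata` (0.3.8 and the 0.3.8 -> 0.4.3 delta) and
# `regex-automata` (0.4.8 -> 0.4.9 delta, "built on top of previous diff
# reviews") are two spellings of one crate. Audit entries are matched by exact
# package name, so the delta chain under the hyphenated name has no base
# audit it can build on unless the underscore entries are renamed — confirm
# the registered name and merge.
[[audits.regex_automata]]
who = "Taylor Cramer "
criteria = ["ub-risk-1"]
version = "0.3.8"
notes = "Reviewed in CL 563876644"

[[audits.regex_automata]]
who = "Ben Saunders "
criteria = ["ub-risk-1"]
delta = "0.3.8 -> 0.4.3"
notes = "Reviewed in CL 576161259"

[[audits.regex-automata]]
who = "Manish Goregaokar "
criteria = ["ub-risk-1"]
delta = "0.4.8 -> 0.4.9"
notes = """Reviewed in CL 701879630
Built on top of previous diff reviews
"""

[[audits.relative-path]]
who = "Ben Saunders "
criteria = ["ub-risk-1", "does-not-implement-crypto"]
version = "1.9.3"
notes = "Reviewed in CL 820550361"

[[audits.rinja_derive]]
who = "Manish Goregaokar "
criteria = ["ub-risk-3"]
version = "0.3.5"
notes = """Reviewed in CL 691465402
The unsafe code is mostly in from_utf8_unchecked calls. It does not appear to be particularly performance-necessary, and the crate could use clearer tracking of these invariants. One bit of unsafe code relies on code in rinja_parser continuing to be ASCII-only.
"""

[[audits.rinja_parser]]
who = "Manish Goregaokar "
criteria = ["ub-risk-3"]
version = "0.3.5"
notes = """Reviewed in CL 691465401
Review done alongside rinja_derive.
The unsafe code is mostly in from_utf8_unchecked calls. It does not appear to be particularly performance-necessary, and the crate could use clearer tracking of these invariants. One bit of unsafe code relies on code in rinja_parser continuing to be ASCII-only. 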
"""

[[audits.rlsf]]
who = "Manish Goregaokar "
criteria = ["ub-risk-2"]
version = "0.2.1"
notes = """Reviewed in CL 710142550
Custom allocator crate doing a bunch of pointer math. Decent safety comments.
"""

[[audits.roman-numerals-rs]]
who = "Ben Saunders "
criteria = ["ub-risk-1", "does-not-implement-crypto"]
version = "3.1.0"
notes = "Reviewed in CL 762479504"

[[audits.rpassword]]
who = "Ben Saunders "
criteria = ["ub-risk-2", "does-not-implement-crypto"]
version = "7.3.1"
notes = "Reviewed in CL 702377827"

[[audits.rubato]]
who = "Taylor Cramer "
criteria = ["ub-risk-3"]
version = "0.14.1"
notes = "Reviewed in CL 570228314"

[[audits.rusqlite]]
who = ""
criteria = ["ub-risk-3"]
version = "0.32.0"
notes = """Reviewed in CL 649389163
Issues found:
- https://github.com/rusqlite/rusqlite/issues/1546
- Technically, free_boxed_value should use catch_unwind (minor)
"""

[[audits.rustix-linux-procfs]]
who = "Taylor Cramer "
criteria = ["ub-risk-1"]
version = "0.1.1"
notes = "Reviewed in CL 778504452"

[[audits.rustybuzz]]
who = "Manish Goregaokar "
criteria = ["ub-risk-0"]
version = "0.12.0"
notes = """Reviewed in CL 649338374
Only unsafe is in examples
"""

[[audits.ruzstd]]
who = "Manish Goregaokar "
criteria = ["ub-risk-2"]
version = "0.4.0"
notes = """Reviewed in CL 557876502
Issues found:
- https://github.com/KillingSpark/zstd-rs/issues/44
- extend_from_within_unchecked_branchless is hard to review but it's currently dead code
"""

[[audits.ruzstd]]
who = "Manish Goregaokar "
criteria = ["ub-risk-2"]
version = 
"0.6.0"
notes = "Reviewed in CL 615772489"

[[audits.ryu-js]]
who = "Ben Saunders "
criteria = ["ub-risk-3", "does-not-implement-crypto"]
version = "0.2.2"
notes = """Reviewed in CL 589126213
Issues found:
- Internal unsoundness around the invariants of q and i in f2s_intrinsics.rs
- Unclear bounds checking around get_unchecked in s2d.rs
"""

[[audits.safe_arch]]
who = "Ben Saunders "
criteria = ["ub-risk-1"]
version = "0.7.4"
notes = "Reviewed in CL 796208907"

[[audits.sapling-streampager]]
who = "Ben Saunders "
criteria = ["ub-risk-4"]
version = "0.10.3"
notes = """Reviewed in CL 719162422
Issues found:
- BufferWrite::written() must clamp
"""

[[audits.scopeguard]]
who = "Manish Goregaokar "
criteria = ["ub-risk-2"]
version = "1.2.0"
notes = """Reviewed in CL 728831450
Implements a drop guard, unsafe code around ptr::read/ManuallyDrop and Sync impl. Rather clearly commented. 
2310 | """ 2311 | 2312 | [[audits.scroll]] 2313 | who = "Taylor Cramer " 2314 | criteria = ["ub-risk-2"] 2315 | version = "0.12.0" 2316 | notes = "Reviewed in CL 642006817" 2317 | 2318 | [[audits.seccompiler]] 2319 | who = "Ben Saunders " 2320 | criteria = ["ub-risk-1", "does-not-implement-crypto"] 2321 | version = "0.3.0" 2322 | notes = "Reviewed in CL 547754248" 2323 | 2324 | [[audits.security-framework-sys]] 2325 | who = "Manish Goregaokar " 2326 | criteria = ["ub-risk-2"] 2327 | version = "2.13.0" 2328 | notes = """Reviewed in CL 711542463 2329 | FFI 2330 | """ 2331 | 2332 | [[audits.serde_bser]] 2333 | who = "Ben Saunders " 2334 | criteria = ["ub-risk-2"] 2335 | version = "0.4.0" 2336 | notes = "Reviewed in CL 696305035" 2337 | 2338 | [[audits.serde_core]] 2339 | who = "Luca Versari " 2340 | criteria = ["ub-risk-2"] 2341 | version = "1.0.228" 2342 | notes = "Reviewed in CL 816638143" 2343 | 2344 | [[audits.serde_jcs]] 2345 | who = "Augie Fackler " 2346 | criteria = ["ub-risk-3", "does-not-implement-crypto"] 2347 | version = "0.1.0" 2348 | notes = "Reviewed in CL 590122717" 2349 | 2350 | [[audits.serde_yml]] 2351 | who = "Manish Goregaokar " 2352 | criteria = ["ub-risk-4"] 2353 | version = "0.0.12" 2354 | notes = """Reviewed in https://github.com/sebastienrousseau/libyml 2355 | DO NOT USE, ported from libyml using c2rust, and then "fixed" by an LLM, with unsound code like https://github.com/sebastienrousseau/libyml/blob/2d23ead2742c196b0e65004a9ed353bc30bea6ad/src/document.rs#L711-L715 2356 | Should be strongly avoided. 
2357 | """ 2358 | 2359 | [[audits.sha1_smol]] 2360 | who = "Manish Goregaokar " 2361 | criteria = ["ub-risk-2"] 2362 | version = "1.0.0" 2363 | notes = "Reviewed in CL 581562531" 2364 | 2365 | [[audits.shlex]] 2366 | who = [ 2367 | "Manish Goregaokar ", 2368 | "Augie Fackler " 2369 | ] 2370 | criteria = ["ub-risk-3"] 2371 | version = "1.3.0" 2372 | notes = """Reviewed in CL 600742555 2373 | This crate appears safe, but it's not clear that the unchecked utf8 stuff is necessary given the use case, and it relies on undocumented invariants from the bytes iterator code. Would be nice to have these properties documented and fuzz tested. 2374 | """ 2375 | 2376 | [[audits.shpool_pty]] 2377 | who = "Ben Saunders " 2378 | criteria = ["ub-risk-4"] 2379 | version = "0.1.0" 2380 | notes = """Reviewed in CL 578198476 2381 | Issues: 2382 | - Data race in Fork::new 2383 | """ 2384 | 2385 | [[audits.shpool_pty]] 2386 | who = "Ben Saunders " 2387 | criteria = ["ub-risk-4", "does-not-implement-crypto"] 2388 | version = "0.2.1" 2389 | notes = "Reviewed in CL 578198476" 2390 | 2391 | [[audits.shpool_pty]] 2392 | who = "Ben Saunders " 2393 | criteria = ["ub-risk-2-thorough", "does-not-implement-crypto"] 2394 | version = "0.3.0" 2395 | notes = "Reviewed in CL 578198476" 2396 | 2397 | [[audits.simd-json]] 2398 | who = "Ben Saunders " 2399 | criteria = ["ub-risk-4"] 2400 | version = "0.13.10" 2401 | notes = """Reviewed in CL 661175961 2402 | Issues found: 2403 | - Review incomplete: Pervasive undocumented unsafety. 
2404 | """ 2405 | 2406 | [[audits.simple_logger]] 2407 | who = "Manish Goregaokar " 2408 | criteria = ["ub-risk-2"] 2409 | version = "4.3.3" 2410 | notes = """Reviewed in CL 706757224 2411 | Uses unsafe for interfacing with Windows tty APIs 2412 | """ 2413 | 2414 | [[audits.skiplist]] 2415 | who = "Taylor Cramer " 2416 | criteria = ["ub-risk-2"] 2417 | version = "0.5.1" 2418 | notes = "Reviewed in CL 769416918" 2419 | 2420 | [[audits.skrifa]] 2421 | who = "Augie Fackler " 2422 | criteria = ["ub-risk-2", "does-not-implement-crypto"] 2423 | version = "0.16.0" 2424 | notes = "Reviewed in CL 614825012" 2425 | 2426 | [[audits.slotmap]] 2427 | who = "Augie Fackler " 2428 | criteria = ["ub-risk-2"] 2429 | version = "1.0.6" 2430 | notes = "Reviewed in CL 647314509" 2431 | 2432 | [[audits.smallstr]] 2433 | who = "Taylor Cramer " 2434 | criteria = ["ub-risk-2"] 2435 | version = "0.3.0" 2436 | notes = "Reviewed in CL 740466574" 2437 | 2438 | [[audits.smallvec]] 2439 | who = "Manish Goregaokar " 2440 | criteria = ["ub-risk-3", "does-not-implement-crypto"] 2441 | version = "1.11.0" 2442 | notes = "Reviewed in CL 552492992" 2443 | 2444 | [[audits.smol_str]] 2445 | who = "Manish Goregaokar " 2446 | criteria = ["ub-risk-3"] 2447 | version = "0.2.0" 2448 | notes = "Reviewed in CL 558187227" 2449 | 2450 | [[audits.speedate]] 2451 | who = "Manish Goregaokar " 2452 | criteria = ["ub-risk-2"] 2453 | version = "0.13.0" 2454 | notes = """Reviewed in CL 614967252 2455 | Would be rather straightforward to add safety comments 2456 | """ 2457 | 2458 | [[audits.sptr]] 2459 | who = "Augie Fackler " 2460 | criteria = ["ub-risk-2"] 2461 | version = "0.3.2" 2462 | notes = "Reviewed in CL 660053567" 2463 | 2464 | [[audits.stable-deref-trait]] 2465 | who = "Manish Goregaokar " 2466 | criteria = ["ub-risk-2"] 2467 | version = "1.2.0" 2468 | notes = """Reviewed in 2469 | Purely a trait, crates using this should be carefully vetted since self-referential stuff can be super tricky around various unsafe 
rust edges. 2470 | """ 2471 | 2472 | [[audits.strck]] 2473 | who = "Manish Goregaokar " 2474 | criteria = ["ub-risk-1"] 2475 | version = "1.0.0" 2476 | notes = "Reviewed in CL 685732460" 2477 | 2478 | [[audits.swc_atoms]] 2479 | who = "Manish Goregaokar " 2480 | criteria = ["ub-risk-2", "does-not-implement-crypto"] 2481 | version = "0.5.7" 2482 | notes = "Reviewed in CL 547104864" 2483 | 2484 | [[audits.swc_common]] 2485 | who = "Manish Goregaokar " 2486 | criteria = ["ub-risk-3", "does-not-implement-crypto"] 2487 | version = "0.31.17" 2488 | notes = """Reviewed in CL 547720673 2489 | Issues found: 2490 | - https://github.com/swc-project/swc/issues/7709 2491 | """ 2492 | 2493 | [[audits.swc_ecma_ast]] 2494 | who = "Manish Goregaokar " 2495 | criteria = ["ub-risk-2"] 2496 | version = "0.107.0" 2497 | notes = "Reviewed in CL 545304253" 2498 | 2499 | [[audits.swc_ecma_parser]] 2500 | who = "Manish Goregaokar " 2501 | criteria = ["ub-risk-4"] 2502 | version = "0.137.1" 2503 | notes = """Reviewed in CL 545304254 2504 | Issues found: 2505 | - https://github.com/swc-project/swc/issues/7797 2506 | - https://github.com/swc-project/swc/issues/7752 2507 | """ 2508 | 2509 | [[audits.swc_visit]] 2510 | who = "Taylor Cramer " 2511 | criteria = ["ub-risk-2", "does-not-implement-crypto"] 2512 | version = "0.5.7" 2513 | notes = "Reviewed in CL 546872016" 2514 | 2515 | [[audits.sxd-document]] 2516 | who = "Ben Saunders " 2517 | criteria = ["ub-risk-2", "does-not-implement-crypto"] 2518 | version = "0.3.2" 2519 | notes = """Reviewed in CL 764633109 2520 | Issues found: 2521 | - Large quantities of mostly undocumented, difficult-to-audit raw pointer manipulation, but these seem to all bake down to sound use of arena-owned memory. 
2522 | """ 2523 | 2524 | [[audits.syn]] 2525 | who = "Ben Saunders " 2526 | criteria = ["ub-risk-2", "does-not-implement-crypto"] 2527 | version = "2.0.29" 2528 | notes = "Reviewed in CL 559769881" 2529 | 2530 | [[audits.sync_wrapper]] 2531 | who = "Taylor Cramer " 2532 | criteria = ["ub-risk-1"] 2533 | version = "0.1.2" 2534 | notes = "Reviewed in CL 605332043" 2535 | 2536 | [[audits.tar]] 2537 | who = "Taylor Cramer " 2538 | criteria = ["ub-risk-2"] 2539 | version = "0.4.0" 2540 | notes = "Reviewed in CL 627536088" 2541 | 2542 | [[audits.tar]] 2543 | who = "Manish Goregaokar " 2544 | criteria = ["ub-risk-2"] 2545 | delta = "0.4.40 -> 0.4.42" 2546 | notes = "Reviewed in CL 688729490" 2547 | 2548 | [[audits.terminal_size]] 2549 | who = "Manish Goregaokar " 2550 | criteria = ["ub-risk-2", "does-not-implement-crypto"] 2551 | version = "0.4.2" 2552 | notes = "Reviewed in CL 756344022" 2553 | 2554 | [[audits.termios]] 2555 | who = "Ben Saunders " 2556 | criteria = ["ub-risk-4", "does-not-implement-crypto"] 2557 | version = "0.3.3" 2558 | notes = """Reviewed in CL 715944917 2559 | Issues found: 2560 | - mem::uninitialized (https://github.com/dcuddeback/termios-rs/pull/28) 2561 | """ 2562 | 2563 | [[audits.termwiz]] 2564 | who = "Taylor Cramer " 2565 | criteria = ["ub-risk-2"] 2566 | version = "0.22.0" 2567 | notes = "Reviewed in CL 715944910" 2568 | 2569 | [[audits.tfhe]] 2570 | who = "Taylor Cramer " 2571 | criteria = ["ub-risk-3"] 2572 | version = "0.3.1" 2573 | notes = """Reviewed in CL 557823618 2574 | Issues found: 2575 | - https://github.com/zama-ai/tfhe-rs/issues/526 2576 | """ 2577 | 2578 | [[audits.tfhe-csprng]] 2579 | who = "" 2580 | criteria = ["ub-risk-2"] 2581 | version = "0.5.0" 2582 | notes = "Reviewed in CL 758730716" 2583 | 2584 | [[audits.tfhe-ntt]] 2585 | who = "" 2586 | criteria = ["ub-risk-2"] 2587 | version = "0.6.0" 2588 | notes = "Reviewed in CL 761105022" 2589 | 2590 | [[audits.tiff]] 2591 | who = "Luca Versari " 2592 | criteria = ["ub-risk-2"] 
2593 | version = "0.9.0" 2594 | notes = "Reviewed in CL 745174015" 2595 | 2596 | [[audits.tiktoken]] 2597 | who = "" 2598 | criteria = ["ub-risk-3"] 2599 | version = "0.12.0" 2600 | notes = "Reviewed in CL 817400202" 2601 | 2602 | [[audits.time]] 2603 | who = "Manish Goregaokar " 2604 | criteria = ["ub-risk-3"] 2605 | version = "0.3.37" 2606 | notes = """Reviewed in CL 735478267 2607 | Uses unsafe to maintain calendrical invariants (is this necessary?) 2608 | The comments are rather deficient: the underlying invariants are not tracked consistently and the math needs to be hand checked at times. 2609 | """ 2610 | 2611 | [[audits.time-macros]] 2612 | who = "Ben Saunders " 2613 | criteria = ["ub-risk-2", "does-not-implement-crypto"] 2614 | version = "0.2.15" 2615 | notes = "Reviewed in CL 580962188" 2616 | 2617 | [[audits.tokenizers]] 2618 | who = "Manish Goregaokar " 2619 | criteria = ["ub-risk-4"] 2620 | version = "0.19.1" 2621 | notes = """Reviewed in CL 684450749 2622 | Issues found: 2623 | - UB with static mut https://github.com/huggingface/tokenizers/issues/1491 2624 | - underdocumented safety invariants in cases that need more documentation (PR in https://github.com/huggingface/tokenizers/pull/1651) 2625 | """ 2626 | 2627 | [[audits.tokenizers]] 2628 | who = "Manish Goregaokar " 2629 | criteria = ["ub-risk-3"] 2630 | version = "0.20.1" 2631 | notes = """Reviewed in CL 684450749 2632 | Issues found: 2633 | - underdocumented safety invariants in cases that need more documentation (PR in https://github.com/huggingface/tokenizers/pull/1651) 2634 | """ 2635 | 2636 | [[audits.tokenizers]] 2637 | who = "Ben Saunders " 2638 | criteria = ["ub-risk-2", "does-not-implement-crypto"] 2639 | delta = "0.20.1 -> 0.20.4" 2640 | notes = "Reviewed in CL 706934375" 2641 | 2642 | [[audits.tokenizers-python]] 2643 | who = "Taylor Cramer " 2644 | criteria = ["ub-risk-2"] 2645 | version = "0.20.1" 2646 | notes = "Reviewed in CL 687963248" 2647 | 2648 | [[audits.toml_edit]] 2649 | who 
= "Manish Goregaokar " 2650 | criteria = ["ub-risk-3"] 2651 | version = "0.22.12" 2652 | notes = """Reviewed in CL 628398549 2653 | Issues found: 2654 | - Better documented safety: https://github.com/toml-rs/toml/pull/720 2655 | - Unclear on mll_quotes and mlb_quotes being safe 2656 | """ 2657 | 2658 | [[audits.tracing]] 2659 | who = "Taylor Cramer " 2660 | criteria = ["ub-risk-4"] 2661 | version = "0.1.39" 2662 | notes = """Reviewed in CL 573852894 2663 | Issues found: 2664 | - https://github.com/tokio-rs/tracing/pull/2765 2665 | """ 2666 | 2667 | [[audits.tracing]] 2668 | who = "Manish Goregaokar " 2669 | criteria = ["ub-risk-2"] 2670 | delta = "0.1.40 -> 0.1.41" 2671 | notes = """Reviewed in CL 709456617 2672 | Previous UB was fixed. Small amount of unsafe, well-commented. 2673 | """ 2674 | 2675 | [[audits.tracing-core]] 2676 | who = "Ben Saunders " 2677 | criteria = ["ub-risk-2", "does-not-implement-crypto"] 2678 | version = "0.1.30" 2679 | notes = "Reviewed in CL 555490997" 2680 | 2681 | [[audits.tracing-core]] 2682 | who = "Manish Goregaokar " 2683 | criteria = ["ub-risk-2"] 2684 | delta = "0.1.30 -> 0.1.32" 2685 | notes = "Reviewed in CL 573852436" 2686 | 2687 | [[audits.tracing-log]] 2688 | who = "Ben Saunders " 2689 | criteria = ["ub-risk-2", "does-not-implement-crypto"] 2690 | version = "0.2.0" 2691 | notes = "Reviewed in CL 585090968" 2692 | 2693 | [[audits.transpose]] 2694 | who = "Ben Saunders " 2695 | criteria = ["ub-risk-2", "does-not-implement-crypto"] 2696 | version = "0.2.2" 2697 | notes = "Reviewed in CL 551680548" 2698 | 2699 | [[audits.triomphe]] 2700 | who = "Taylor Cramer " 2701 | criteria = ["ub-risk-3", "does-not-implement-crypto"] 2702 | version = "0.1.8" 2703 | notes = """Reviewed in CL 545304280 2704 | Issues found: 2705 | - https://github.com/Manishearth/triomphe/pull/62 2706 | """ 2707 | 2708 | [[audits.triomphe]] 2709 | who = "Taylor Cramer " 2710 | criteria = ["ub-risk-2", "does-not-implement-crypto"] 2711 | version = "0.1.9" 2712 | 
notes = "Reviewed in CL 545304280" 2713 | 2714 | [[audits.twox-hash]] 2715 | who = "Manish Goregaokar " 2716 | criteria = ["ub-risk-2"] 2717 | version = "2.1.0" 2718 | notes = """Reviewed in CL 735469359 2719 | Unsafe found: 2720 | - Some unchecked indexing based on internal invariants 2721 | - A bunch of target specific simd and simple asm 2722 | - Some unsafe traits 2723 | - Some casting between different integer buffer types, correctly handling alignment 2724 | """ 2725 | 2726 | [[audits.typed-arena]] 2727 | who = "Taylor Cramer " 2728 | criteria = ["ub-risk-2", "does-not-implement-crypto"] 2729 | version = "2.0.2" 2730 | notes = "Reviewed in CL 545304268" 2731 | 2732 | [[audits.typeid]] 2733 | who = "" 2734 | criteria = ["ub-risk-3", "does-not-implement-crypto"] 2735 | version = "1.0.2" 2736 | notes = "Reviewed in CL 707957977" 2737 | 2738 | [[audits.typewit]] 2739 | who = "Augie Fackler " 2740 | criteria = ["ub-risk-2"] 2741 | version = "1.11.0" 2742 | notes = "Reviewed in CL 746362951" 2743 | 2744 | [[audits.uds]] 2745 | who = "Manish Goregaokar " 2746 | criteria = ["ub-risk-3", "does-not-implement-crypto"] 2747 | version = "0.2.6" 2748 | notes = """Reviewed in CL 552861165 2749 | Issues found: 2750 | - https://github.com/tormol/uds/issues/11 2751 | - https://github.com/tormol/uds/pull/9, https://github.com/tormol/uds/pull/10 2752 | - https://github.com/tormol/uds/issues/12 2753 | """ 2754 | 2755 | [[audits.uds]] 2756 | who = [ 2757 | "Manish Goregaokar ", 2758 | "Augie Fackler ", 2759 | "" 2760 | ] 2761 | criteria = ["ub-risk-4"] 2762 | version = "0.4.1" 2763 | notes = """Reviewed in CL 568546769 2764 | Issues found: 2765 | - https://github.com/tormol/uds/pull/14 2766 | - https://github.com/tormol/uds/pull/15 2767 | - https://github.com/tormol/uds/issues/16 2768 | - https://github.com/tormol/uds/issues/17 2769 | """ 2770 | 2771 | [[audits.ufmt]] 2772 | who = "Taylor Cramer " 2773 | criteria = ["ub-risk-3"] 2774 | version = "0.2.0" 2775 | notes = "Reviewed in 
CL 587894431" 2776 | 2777 | [[audits.ufmt-write]] 2778 | who = "Ben Saunders " 2779 | criteria = ["ub-risk-4", "does-not-implement-crypto"] 2780 | version = "0.1.0" 2781 | notes = """Reviewed in CL 587772035 2782 | Issues found: 2783 | - https://github.com/japaric/ufmt/pull/60 2784 | """ 2785 | 2786 | [[audits.unicode-bom]] 2787 | who = "Manish Goregaokar " 2788 | criteria = ["ub-risk-2"] 2789 | version = "2.0.2" 2790 | notes = "Reviewed in CL 581562581" 2791 | 2792 | [[audits.unicode-reverse]] 2793 | who = "Ben Saunders " 2794 | criteria = ["ub-risk-1"] 2795 | version = "1.0.8" 2796 | notes = "Reviewed in CL 622744657" 2797 | 2798 | [[audits.uniffi_macros]] 2799 | who = "" 2800 | criteria = ["ub-risk-3"] 2801 | version = "0.29.1" 2802 | notes = "Reviewed in CL 752709844" 2803 | 2804 | [[audits.urlencoding]] 2805 | who = "Luca Versari " 2806 | criteria = ["ub-risk-2"] 2807 | version = "2.1.3" 2808 | notes = "Reviewed in CL 778639303" 2809 | 2810 | [[audits.utf8parse]] 2811 | who = "Augie Fackler " 2812 | criteria = ["ub-risk-3"] 2813 | version = "0.2.1" 2814 | notes = "Reviewed in CL 559131770" 2815 | 2816 | [[audits.vfio-bindings]] 2817 | who = "Taylor Cramer " 2818 | criteria = ["ub-risk-2", "does-not-implement-crypto"] 2819 | version = "0.3.1" 2820 | notes = "Reviewed in CL 545971960" 2821 | 2822 | [[audits.vfio-ioctls]] 2823 | who = "Ben Saunders " 2824 | criteria = ["ub-risk-2", "does-not-implement-crypto"] 2825 | version = "0.1.0" 2826 | notes = "Reviewed in CL 545971961" 2827 | 2828 | [[audits.vhost]] 2829 | who = "Manish Goregaokar " 2830 | criteria = ["ub-risk-2"] 2831 | version = "0.7.0" 2832 | notes = "Reviewed in CL 546255068" 2833 | 2834 | [[audits.vhost]] 2835 | who = "Manish Goregaokar " 2836 | criteria = ["ub-risk-4"] 2837 | version = "0.8.0" 2838 | notes = """Reviewed in CL 559359624 2839 | Issues found: 2840 | - https://github.com/rust-vmm/vhost/pull/184 2841 | """ 2842 | 2843 | [[audits.vhost]] 2844 | who = "Manish Goregaokar " 2845 | criteria = 
["ub-risk-3"] 2846 | version = "0.8.1" 2847 | notes = "Reviewed in CL 559359624" 2848 | 2849 | [[audits.vhost-user-backend]] 2850 | who = "Manish Goregaokar " 2851 | criteria = ["ub-risk-2"] 2852 | version = "0.10.1" 2853 | notes = "Reviewed in CL 559122379" 2854 | 2855 | [[audits.virtio]] 2856 | who = "Taylor Cramer " 2857 | criteria = ["ub-risk-1"] 2858 | version = "0.2.1" 2859 | notes = "Reviewed in CL 557159752" 2860 | 2861 | [[audits.virtio-queue]] 2862 | who = "Manish Goregaokar " 2863 | criteria = ["ub-risk-2"] 2864 | delta = "0.12.0 -> 0.14.0" 2865 | notes = """Reviewed in CL 717945204 2866 | No change to unsafe since last review 2867 | """ 2868 | 2869 | [[audits.virtio-queue]] 2870 | who = "Augie Fackler " 2871 | criteria = ["ub-risk-2"] 2872 | delta = "0.9.0 -> 0.12.0" 2873 | notes = "Reviewed in CL 634659048" 2874 | 2875 | [[audits.virtiofsd]] 2876 | who = "Manish Goregaokar " 2877 | criteria = ["ub-risk-3", "does-not-implement-crypto"] 2878 | version = "1.6.1" 2879 | notes = """Reviewed in CL 548811972 2880 | Issues found: 2881 | - https://gitlab.com/virtio-fs/virtiofsd/-/issues/113 (only an issue for library users) 2882 | """ 2883 | 2884 | [[audits.vm-memory]] 2885 | who = "Manish Goregaokar " 2886 | criteria = ["ub-risk-3"] 2887 | version = "0.12.1" 2888 | notes = """Reviewed in CL 556862067 2889 | Issues found: 2890 | - https://github.com/rust-vmm/vm-memory/issues/250 2891 | """ 2892 | 2893 | [[audits.vm-memory]] 2894 | who = "Manish Goregaokar " 2895 | criteria = ["ub-risk-2"] 2896 | version = "0.12.1" 2897 | notes = """Reviewed in CL 556862067 2898 | Issues from previous review fixed 2899 | """ 2900 | 2901 | [[audits.vm-memory]] 2902 | who = "Ben Saunders " 2903 | criteria = ["ub-risk-4", "does-not-implement-crypto"] 2904 | version = "0.13.1" 2905 | notes = """Reviewed in CL 595684339 2906 | Issues found: 2907 | - https://github.com/rust-vmm/vm-memory/issues/281 2908 | """ 2909 | 2910 | [[audits.vmm_sys_util]] 2911 | who = "Ben Saunders " 2912 | 
criteria = ["ub-risk-2", "does-not-implement-crypto"] 2913 | version = "0.12.1" 2914 | notes = "Reviewed in CL 599627630" 2915 | 2916 | [[audits.vte]] 2917 | who = "Manish Goregaokar " 2918 | criteria = ["ub-risk-4"] 2919 | version = "0.12.0" 2920 | notes = """Reviewed in CL 579243289 2921 | Issues found: 2922 | - https://github.com/alacritty/vte/pull/102 2923 | """ 2924 | 2925 | [[audits.vte]] 2926 | who = "Manish Goregaokar " 2927 | criteria = ["ub-risk-3"] 2928 | delta = "0.12.0 -> 0.12.1" 2929 | notes = """Reviewed in CL 725665450 2930 | Issues found in previous audit fixed. Not reaudited to check if it qualifies for ub-risk-2 or above, but appears to need more unsafe comments. 2931 | """ 2932 | 2933 | [[audits.vtparse]] 2934 | who = "Taylor Cramer " 2935 | criteria = ["ub-risk-2"] 2936 | version = "0.6.2" 2937 | notes = "Reviewed in CL 716291286" 2938 | 2939 | [[audits.wasefire-applet-api]] 2940 | who = "Taylor Cramer " 2941 | criteria = ["ub-risk-2"] 2942 | version = "0.7.0" 2943 | notes = "Reviewed in CL 699241799" 2944 | 2945 | [[audits.wasefire-applet-api-desc]] 2946 | who = "Manish Goregaokar " 2947 | criteria = ["ub-risk-2", "does-not-implement-crypto"] 2948 | version = "0.2.1" 2949 | notes = """Reviewed in CL 699230688 2950 | Would be nice to have comments 2951 | """ 2952 | 2953 | [[audits.wasm-bindgen]] 2954 | who = "" 2955 | criteria = ["ub-risk-2"] 2956 | version = "0.2.92" 2957 | notes = "Reviewed in CL 643989424" 2958 | 2959 | [[audits.wasm-bindgen]] 2960 | who = "Manish Goregaokar " 2961 | criteria = ["ub-risk-2"] 2962 | delta = "0.2.92 -> 0.2.93" 2963 | notes = """Reviewed in CL 695250202 2964 | Not much unsafe diff from last review 2965 | """ 2966 | 2967 | [[audits.wasm-bindgen-backend]] 2968 | who = "" 2969 | criteria = ["ub-risk-2"] 2970 | version = "0.2.92" 2971 | notes = "Reviewed in CL 643989422" 2972 | 2973 | [[audits.wasm-bindgen-backend]] 2974 | who = "Manish Goregaokar " 2975 | criteria = ["ub-risk-2"] 2976 | delta = "0.2.92 -> 0.2.93" 
2977 | notes = "Reviewed in CL 695250202" 2978 | 2979 | [[audits.wasm-bindgen-futures]] 2980 | who = "Ben Saunders " 2981 | criteria = ["ub-risk-2"] 2982 | version = "0.4.43" 2983 | notes = "Reviewed in CL 696456463" 2984 | 2985 | [[audits.wasm-bindgen-macro]] 2986 | who = "" 2987 | criteria = ["ub-risk-1"] 2988 | version = "0.2.92" 2989 | notes = "Reviewed in CL 643989420" 2990 | 2991 | [[audits.wasmparser]] 2992 | who = "Luca Versari " 2993 | criteria = ["ub-risk-2"] 2994 | version = "0.214.0" 2995 | notes = "Reviewed in CL 737530206" 2996 | 2997 | [[audits.wasmtime-cache]] 2998 | who = "" 2999 | criteria = ["ub-risk-2"] 3000 | version = "27.0.0" 3001 | notes = "Reviewed in CL 722783271" 3002 | 3003 | [[audits.wezterm-color-types]] 3004 | who = "Luca Versari " 3005 | criteria = ["ub-risk-2"] 3006 | version = "0.3.0" 3007 | notes = "Reviewed in CL 716390757" 3008 | 3009 | [[audits.wezterm-dynamic]] 3010 | who = "" 3011 | criteria = ["ub-risk-2"] 3012 | version = "0.2.0" 3013 | notes = "Reviewed in CL 716296241" 3014 | 3015 | [[audits.wide]] 3016 | who = "" 3017 | criteria = ["ub-risk-2"] 3018 | version = "0.7.33" 3019 | notes = "Reviewed in CL 796208909" 3020 | 3021 | [[audits.winnow]] 3022 | who = "Taylor Cramer " 3023 | criteria = ["ub-risk-2"] 3024 | version = "0.5.19" 3025 | notes = "Reviewed in CL 581220347" 3026 | 3027 | [[audits.xlsynth]] 3028 | who = "Manish Goregaokar " 3029 | criteria = ["ub-risk-3"] 3030 | version = "0.0.11" 3031 | notes = """Reviewed in CL 644646753 3032 | - Uses dlsym for FFI, could use more safety docs separating dlsym unsafety from C API unsafety 3033 | """ 3034 | 3035 | [[audits.xlsynth]] 3036 | who = "Luca Versari " 3037 | criteria = ["ub-risk-4"] 3038 | version = "0.29.0" 3039 | notes = "Reviewed in CL 684413090" 3040 | 3041 | [[audits.xlsynth-sys]] 3042 | who = "Taylor Cramer " 3043 | criteria = ["ub-risk-2"] 3044 | delta = "0.0.181 -> 0.0.184" 3045 | notes = "Reviewed in CL 807825913" 3046 | 3047 | [[audits.xxhash-rust]] 3048 | 
who = "Luca Versari " 3049 | criteria = ["ub-risk-3"] 3050 | version = "0.8.15" 3051 | notes = "Reviewed in CL 747784964" 3052 | 3053 | [[audits.xxhash-rust]] 3054 | who = "Taylor Cramer " 3055 | criteria = ["ub-risk-4"] 3056 | version = "0.8.6" 3057 | notes = """Reviewed in CL 552861145 3058 | Many internal functions that are `unsafe` to call are not marked `unsafe`. 3059 | See https://github.com/DoumanAsh/xxhash-rust/issues/29 3060 | """ 3061 | 3062 | [[audits.yansi]] 3063 | who = "Ben Saunders " 3064 | criteria = ["ub-risk-2", "does-not-implement-crypto"] 3065 | version = "1.0.1" 3066 | notes = "Reviewed in CL 705950806" 3067 | 3068 | [[audits.yansi-term]] 3069 | who = "" 3070 | criteria = ["ub-risk-2"] 3071 | version = "0.1.2" 3072 | notes = "Reviewed in CL 701084302" 3073 | 3074 | [[audits.yoke]] 3075 | who = "Luca Versari " 3076 | criteria = ["ub-risk-2", "does-not-implement-crypto"] 3077 | version = "0.7.4" 3078 | notes = """Reviewed in https://github.com/unicode-org/icu4x/pull/5046 3079 | Review performed as PR: https://github.com/unicode-org/icu4x/pull/5046. Minor docs improvements, plus known currently-unsolvable issue around potential future noalias UB (https://github.com/unicode-org/icu4x/issues/2095) 3080 | """ 3081 | 3082 | [[audits.yoke]] 3083 | who = "Luca Versari " 3084 | criteria = ["ub-risk-2", "does-not-implement-crypto"] 3085 | delta = "0.7.4 -> 0.7.5" 3086 | notes = """Reviewed in CL 700087030 3087 | Patches from last review all applied 3088 | """ 3089 | 3090 | [[audits.yrs]] 3091 | who = "Ben Saunders " 3092 | criteria = ["ub-risk-4"] 3093 | version = "0.23.0" 3094 | notes = """Reviewed in CL 740466576 3095 | Issues found: 3096 | - Unsoundness in AtomicRef::update, ItemPtr, BranchPtr, ... 
3097 | - Review left incomplete 3098 | """ 3099 | 3100 | [[audits.zerocopy]] 3101 | who = "Manish Goregaokar " 3102 | criteria = ["ub-risk-2"] 3103 | version = "0.6.1" 3104 | notes = "Reviewed in CL 592374439" 3105 | 3106 | [[audits.zerocopy]] 3107 | who = "Taylor Cramer " 3108 | criteria = ["ub-risk-1"] 3109 | version = "0.8.14" 3110 | notes = "Reviewed in CL 714029246" 3111 | 3112 | [[audits.zerotrie]] 3113 | who = "Manish Goregaokar " 3114 | criteria = ["ub-risk-2"] 3115 | version = "0.1.2" 3116 | notes = "Reviewed in https://github.com/unicode-org/icu4x/pull/2722/" 3117 | 3118 | [[audits.zlib-sys]] 3119 | who = "Manish Goregaokar " 3120 | criteria = ["ub-risk-3"] 3121 | version = "0.4.2" 3122 | notes = """Reviewed in CL 730913141 3123 | Partial review performed: Mostly SIMD and allocator stuff. Seems correct enough for ub-risk-3. 3124 | """ 3125 | 3126 | [[audits.zune-jpeg]] 3127 | who = "Luca Versari " 3128 | criteria = ["ub-risk-3"] 3129 | version = "0.4.19" 3130 | notes = "Reviewed in CL 782822780" 3131 | --------------------------------------------------------------------------------