# cargo-vet config file

[cargo-vet]
version = "0.10"

# Imported third-party audit sets. Every URL tracks a moving branch rather than a
# pinned revision, so the audits these imports contribute change whenever the
# upstream file does. The locally recorded imports.lock snapshot is what gets
# checked against; its diff is the thing to review when imports are refreshed.
[imports.bytecode-alliance]
url = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml"

[imports.embark-studios]
url = "https://raw.githubusercontent.com/EmbarkStudios/rust-ecosystem/main/audits.toml"

[imports.google]
url = "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml"

[imports.isrg]
url = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml"

[imports.mozilla]
url = "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml"

# Per-crate policies for in-tree (vendored, patched or first-party) crates.
#   audit-as-crates-io = true  - the local copy is vetted as if it were the
#     crates.io release of the same name and version, so imported crates.io
#     audits apply to it. Whatever local patch the notes describe is NOT covered
#     by those audits and has to be reviewed in-tree.
#   audit-as-crates-io = false - the crate is treated as first-party; used where
#     the crates.io entry is a placeholder or an unrelated package that merely
#     shares the name.
[policy.allocator-api2]
audit-as-crates-io = true
notes = "This is the upstream code with a fix for rust 1.89."

[policy.any_all_workaround]
audit-as-crates-io = true
notes = "This is the upstream code plus the ARM intrinsics workaround from qcms, see bug 1882209."

[policy.autocfg]
audit-as-crates-io = true
notes = "This is the upstream code plus a few local fixes, see bug 1685697."

# Keyed on an exact version and git revision, so this policy stops applying as
# soon as the pin moves and must be revisited together with the pin.
[policy."bindgen:0.72.0@git:9366e0af8da529c958b4cd4fcbe492d951c86f5c"]
audit-as-crates-io = true
notes = "This is the upstream code not yet released"

[policy.chardetng]
audit-as-crates-io = true
notes = "This is a crate Henri wrote which is also published. We should probably update Firefox to tip and certify that."

[policy.chardetng_c]
audit-as-crates-io = true
notes = "This is a crate Henri wrote which is also published. We should probably update Firefox to tip and certify that."

[policy.cose]
audit-as-crates-io = true
notes = "This is upstream plus a warning fix from bug 1823866."

[policy.firefox-on-glean]
audit-as-crates-io = false
notes = "The crates.io version of this is just a placeholder to allow public crates to depend on firefox-on-glean."
# criteria = "safe-to-run" lowers the bar required for this crate and, as the
# notes say, for its whole dependency subtree; appropriate only for code that
# never ships to users.
[policy.geckodriver]
audit-as-crates-io = false
criteria = "safe-to-run"
notes = "This is a first-party crate which is also published to crates.io. We certify audits for this crate as part of the documented release process, but that step happens after the version bump lands on central so we don't enforce it here. It's also used only for automation, so its subtree can be safe-to-run."

[policy.gkrust-gtest]
criteria = "safe-to-run"
notes = "Used for testing."

# An empty criteria list means no audit at all is required for these two
# dependencies. NOTE(review): the notes say "tokio-threadpools" while the key is
# tokio-threadpool - presumably the same crate.
[policy.gkrust-shared]
dependency-criteria = { tokio-reactor = [], tokio-threadpool = [] }
notes = "The dependencies on tokio-reactor and tokio-threadpools are just a hack to pin the version used by audioipc-{client,server}. Suppress vetting on those for the same reasons behind the policy entries."

[policy.gluesmith]
criteria = "safe-to-run"
notes = "Used for fuzzing."

[policy.http3server]
criteria = "safe-to-run"
notes = "Used for testing."

[policy.icu_capi]
audit-as-crates-io = true
notes = "Patched version of upstream"

[policy.icu_segmenter_data]
audit-as-crates-io = true
notes = "Patched version of upstream"

# Test-only dependencies declared as optional regular dependencies get the
# weaker safe-to-run bar. This relies on the features that enable them staying
# off in shipping builds, which cannot be verified from this file.
[policy.l10nregistry]
dependency-criteria = { fluent-testing = "safe-to-run", tokio = "safe-to-run" }
notes = "This crate has two testing-only dependencies which are specified as regular-but-optional rather than a dev-dependencies, because they need to be available to both benchmarks and integration tests."

[policy.libcrux-traits]
audit-as-crates-io = true
notes = "Patched version of upstream to avoid unnecessary unused dependencies and conflicts."

# Treated as first-party: the in-tree code is a fork, so crates.io audits of
# libudev-sys would not describe what is actually built.
[policy.libudev-sys]
audit-as-crates-io = false
notes = "This override is an api-compatible fork with an orthogonal implementation."
# Policies for crates that are either first-party (audit-as-crates-io = false)
# or pinned snapshots of upstream (audit-as-crates-io = true). For the latter,
# crates.io audits are applied for the version the vendored Cargo.toml declares;
# if the pinned snapshot differs from that release, the delta is not covered by
# those audits and needs in-tree review.
[policy.malloc_size_of_derive]
audit-as-crates-io = false
notes = "This was originally servo code which Bobby Holley put on crates.io some years ago and that was moved in-tree as first-party code later on."

[policy.marionette]
audit-as-crates-io = false
notes = "This is a first-party crate which is also published to crates.io. We certify audits for this crate as part of the documented release process, but that step happens after the version bump lands on central so we don't enforce it here."

# NOTE(review): no notes explaining why the in-tree copy differs from crates.io.
[policy.memtest]
audit-as-crates-io = true

[policy.midir]
audit-as-crates-io = true
notes = "This is a pinned version of the upstream code, presumably to get a fix that hadn't been released yet. We should consider switching to the latest official release."

# The mls-rs family below is pinned as a set; the same "pending update" caveat
# applies to every member, so they should be bumped and re-reviewed together.
[policy.mls-rs]
audit-as-crates-io = true
notes = "This is a pinned version of the upstream code, pending update of the crate."

[policy.mls-rs-codec]
audit-as-crates-io = true
notes = "This is a pinned version of the upstream code, pending update of the crate."

[policy.mls-rs-codec-derive]
audit-as-crates-io = true
notes = "This is a pinned version of the upstream code, pending update of the crate."

[policy.mls-rs-core]
audit-as-crates-io = true
notes = "This is a pinned version of the upstream code, pending update of the crate."

[policy.mls-rs-crypto-hpke]
audit-as-crates-io = true
notes = "This is a pinned version of the upstream code, pending update of the crate."

[policy.mls-rs-crypto-traits]
audit-as-crates-io = true
notes = "This is a pinned version of the upstream code, pending update of the crate."

[policy.mls-rs-identity-x509]
audit-as-crates-io = true
notes = "This is a pinned version of the upstream code, pending update of the crate."

[policy.mls-rs-provider-sqlite]
audit-as-crates-io = true
notes = "This is a pinned version of the upstream code, pending update of the crate."

[policy.mozbuild]
audit-as-crates-io = false
notes = "The crates.io version of this is just a placeholder to allow public crates to depend on mozbuild."

[policy.mozdevice]
audit-as-crates-io = false
notes = "This is a first-party crate which is also published to crates.io. We certify audits for this crate as part of the documented release process, but that step happens after the version bump lands on central so we don't enforce it here."

# Build-script-only dependency: safe-to-run is the relevant bar because, per the
# notes, nothing from it ends up in shipped code.
[policy.mozglue-static]
dependency-criteria = { rustc_version = "safe-to-run" }
notes = "The rustc_version dependency is only used in the build script, and does not generate any runtime code"

[policy.mozilla-central-workspace-hack]
audit-as-crates-io = false
criteria = "safe-to-run"
notes = "This is a first-party crate which is also published to crates.io as a convenience for other in-tree crates that depend on it and are published as well. The dependencies from this crate are dependencies of other crates that will get the right criteria through them, but using safe-to-deploy for this one would be too broad."

[policy.mozprofile]
audit-as-crates-io = false
notes = "This is a first-party crate which is also published to crates.io. We certify audits for this crate as part of the documented release process, but that step happens after the version bump lands on central so we don't enforce it here."

[policy.mozrunner]
audit-as-crates-io = false
notes = "This is a first-party crate which is also published to crates.io. We certify audits for this crate as part of the documented release process, but that step happens after the version bump lands on central so we don't enforce it here."

[policy.mozversion]
audit-as-crates-io = false
notes = "This is a first-party crate which is also published to crates.io. We certify audits for this crate as part of the documented release process, but that step happens after the version bump lands on central so we don't enforce it here."

[policy.mp4parse]
audit-as-crates-io = false

[policy.mp4parse_capi]
audit-as-crates-io = false

[policy.mtu]
audit-as-crates-io = true

[policy.naga]
audit-as-crates-io = true
notes = "Part of the wgpu repository, pinned as the rest of wgpu crates."

[policy.nss-gk-api]
audit-as-crates-io = true
notes = "This is a pinned version of the upstream code, pending update of the crate."

[policy.objc]
audit-as-crates-io = true
notes = "This is the upstream code plus a backported fix."

[policy.osclientcerts]
audit-as-crates-io = false
notes = "This is a first-party crate that happens to have been pushed to crates.io a very long time ago but was yanked."

[policy.peek-poke]
audit-as-crates-io = false

[policy.peek-poke-derive]
audit-as-crates-io = false

# Name collision with an unrelated crates.io package: treating it as crates.io
# would apply someone else's audits to first-party code.
[policy.pulse]
audit-as-crates-io = false
notes = "This is a first-party crate which is entirely unrelated to the crates.io package of the same name."

[policy.qcms]
audit-as-crates-io = true
notes = "This is a first-party crate which is also published to crates.io, but we should publish audits for it for the benefit of the ecosystem."

[policy.rure]
audit-as-crates-io = true
notes = "Identical to upstream, but with cdylib and staticlib targets disabled to avoid unnecessary build artifacts and linker errors."

[policy.selectors]
audit-as-crates-io = true
notes = "This is a first-party crate which is also published to crates.io, but we should publish audits for it for the benefit of the ecosystem."

[policy.servo_arc]
audit-as-crates-io = true
notes = "This is a first-party crate which is also published to crates.io, but we should publish audits for it for the benefit of the ecosystem."

[policy.spirv]
audit-as-crates-io = true
notes = "Contains only upstream mainline history pending release."

[policy.storage]
audit-as-crates-io = false
notes = "This is a first-party crate which is entirely unrelated to the crates.io package of the same name."

[policy.tabs]
audit-as-crates-io = false
notes = "This is a first-party crate, maintained by the appservices team, which is entirely unrelated to the crates.io package of the same name."

[policy.thin-vec]
audit-as-crates-io = true
notes = "3rd-party crate with a mozilla-specific patch applied"

[policy.to_shmem]
audit-as-crates-io = true
notes = "This is a first-party crate which is also published to crates.io"

[policy.to_shmem_derive]
audit-as-crates-io = true
notes = "This is a first-party crate which is also published to crates.io"

[policy.unicode-bidi]
audit-as-crates-io = true

[policy.viaduct]
audit-as-crates-io = false
notes = "This is a first-party crate, maintained by the appservices team, which is entirely unrelated to the crates.io package of the same name."

# Automation-only: the safe-to-run bar applies to this crate and its subtree.
[policy.webdriver]
audit-as-crates-io = false
criteria = "safe-to-run"
notes = "This is a first-party crate which is also published to crates.io. We certify audits for this crate as part of the documented release process, but that step happens after the version bump lands on central so we don't enforce it here. It's also used only for automation, so its subtree can be safe-to-run."
# The weaker bar for hyper and tokio rests on the notes' claim that they are
# debug-only and never shipped; re-check that claim against the crate's feature
# gating whenever those dependencies are touched.
[policy.webrender]
audit-as-crates-io = false
dependency-criteria = { hyper = "safe-to-run", tokio = "safe-to-run" }
notes = "the hyper and tokio dependencies are only enabled in local debug builds, and are not shipped to users"

[policy.webrender_api]
audit-as-crates-io = false

[policy.webrender_build]
audit-as-crates-io = false

# wgpu crates are pinned as a set and should be bumped together.
[policy.wgpu-core]
audit-as-crates-io = true
notes = "Upstream project which we pin."

[policy.wgpu-core-deps-apple]
audit-as-crates-io = true
notes = "Upstream project which we pin."

[policy.wgpu-core-deps-windows-linux-android]
audit-as-crates-io = true
notes = "Upstream project which we pin."

[policy.wgpu-hal]
audit-as-crates-io = true
notes = "Upstream project which we pin."

[policy.wgpu-types]
audit-as-crates-io = true
notes = "Upstream project which we pin."

[policy.windows]
audit-as-crates-io = true
notes = "Local override of the crates.io crate that uses a non-vendored local copy of the downloaded crate"

[policy.wr_malloc_size_of]
audit-as-crates-io = false

[policy.zip]
audit-as-crates-io = true

# Exemptions: crates accepted at exactly the listed version without an audit.
# Each entry is unaudited trust at the stated criteria level and covers only
# that version, so this list should only shrink as audits land.
[[exemptions.alsa]]
version = "0.4.3"
criteria = "safe-to-deploy"

[[exemptions.alsa-sys]]
version = "0.3.1"
criteria = "safe-to-deploy"

[[exemptions.android_log-sys]]
version = "0.2.0"
criteria = "safe-to-deploy"

[[exemptions.async-task]]
version = "4.0.3"
criteria = "safe-to-deploy"

[[exemptions.bincode]]
version = "1.3.3"
criteria = "safe-to-deploy"

[[exemptions.block]]
version = "0.1.6"
criteria = "safe-to-deploy"

[[exemptions.cache-padded]]
version = "1.2.0"
criteria = "safe-to-deploy"

[[exemptions.chrono]]
version = "0.4.19"
criteria = "safe-to-deploy"

[[exemptions.chunky-vec]]
version = "0.1.0"
criteria = "safe-to-deploy"
# Exemptions (continued): each entry is unaudited trust at the stated criteria
# level for exactly the listed version.
[[exemptions.clang-sys]]
version = "1.3.3"
criteria = "safe-to-deploy"

[[exemptions.cookie]]
version = "0.16.0"
criteria = "safe-to-run"

[[exemptions.coreaudio-sys]]
version = "0.2.10"
criteria = "safe-to-deploy"

[[exemptions.coremidi-sys]]
version = "3.1.0"
criteria = "safe-to-deploy"

[[exemptions.cose]]
version = "0.1.4"
criteria = "safe-to-deploy"

[[exemptions.cose-c]]
version = "0.1.5"
criteria = "safe-to-deploy"

# NOTE(review): cpufeatures, digest, getrandom and ppv-lite86 in this list
# presumably sit under cryptographic code paths; they are good candidates to
# audit rather than leave exempted.
[[exemptions.cpufeatures]]
version = "0.2.2"
criteria = "safe-to-deploy"

[[exemptions.crossbeam-channel]]
version = "0.5.4"
criteria = "safe-to-deploy"

[[exemptions.crossbeam-deque]]
version = "0.8.1"
criteria = "safe-to-deploy"

[[exemptions.crossbeam-epoch]]
version = "0.9.8"
criteria = "safe-to-deploy"

[[exemptions.crossbeam-utils]]
version = "0.8.8"
criteria = "safe-to-deploy"

[[exemptions.darling]]
version = "0.13.4"
criteria = "safe-to-deploy"

[[exemptions.darling_core]]
version = "0.13.4"
criteria = "safe-to-deploy"

[[exemptions.darling_macro]]
version = "0.13.4"
criteria = "safe-to-deploy"

[[exemptions.data-encoding]]
version = "2.3.2"
criteria = "safe-to-deploy"

[[exemptions.dbus]]
version = "0.6.5"
criteria = "safe-to-deploy"

[[exemptions.devd-rs]]
version = "0.3.4"
criteria = "safe-to-deploy"

[[exemptions.digest]]
version = "0.10.3"
criteria = "safe-to-deploy"

[[exemptions.dirs]]
version = "4.0.0"
criteria = "safe-to-deploy"

[[exemptions.dirs-sys]]
version = "0.3.7"
criteria = "safe-to-deploy"

[[exemptions.dns-parser]]
version = "0.8.0"
criteria = "safe-to-deploy"

[[exemptions.enumset]]
version = "1.0.11"
criteria = "safe-to-deploy"

[[exemptions.enumset_derive]]
version = "0.6.0"
criteria = "safe-to-deploy"

[[exemptions.env_logger]]
version = "0.9.0"
criteria = "safe-to-deploy"

[[exemptions.fallible-iterator]]
version = "0.2.0"
criteria = "safe-to-deploy"

[[exemptions.fallible-streaming-iterator]]
version = "0.1.9"
criteria = "safe-to-deploy"

[[exemptions.fallible_collections]]
version = "0.4.4"
criteria = "safe-to-deploy"

[[exemptions.ffi-support]]
version = "0.4.4"
criteria = "safe-to-deploy"

[[exemptions.float-cmp]]
version = "0.6.0"
criteria = "safe-to-deploy"

[[exemptions.fs-err]]
version = "2.7.0"
criteria = "safe-to-deploy"

[[exemptions.futures-task]]
version = "0.3.21"
criteria = "safe-to-deploy"

[[exemptions.futures-util]]
version = "0.3.21"
criteria = "safe-to-deploy"

[[exemptions.generic-array]]
version = "0.14.5"
criteria = "safe-to-deploy"

[[exemptions.getrandom]]
version = "0.2.6"
criteria = "safe-to-deploy"

[[exemptions.gl_generator]]
version = "0.14.0"
criteria = "safe-to-deploy"

[[exemptions.glsl]]
version = "6.0.1"
criteria = "safe-to-deploy"

[[exemptions.goblin]]
version = "0.1.3"
criteria = "safe-to-deploy"

[[exemptions.gpu-alloc]]
version = "0.5.3"
criteria = "safe-to-deploy"

[[exemptions.gpu-alloc-types]]
version = "0.2.0"
criteria = "safe-to-deploy"

[[exemptions.gpu-descriptor]]
version = "0.2.2"
criteria = "safe-to-deploy"

[[exemptions.gpu-descriptor-types]]
version = "0.1.1"
criteria = "safe-to-deploy"

[[exemptions.hashlink]]
version = "0.7.0"
criteria = "safe-to-deploy"

[[exemptions.hexf-parse]]
version = "0.2.1"
criteria = "safe-to-deploy"

[[exemptions.ioctl-sys]]
version = "0.7.1"
criteria = "safe-to-deploy"

[[exemptions.itertools]]
version = "0.10.3"
criteria = "safe-to-deploy"

[[exemptions.khronos_api]]
version = "3.1.0"
criteria = "safe-to-deploy"

[[exemptions.libdbus-sys]]
version = "0.2.2"
criteria = "safe-to-deploy"

[[exemptions.libloading]]
version = "0.7.3"
criteria = "safe-to-deploy"

# suggest = false keeps this entry out of `cargo vet suggest`, so it will not be
# surfaced for audit; the justification lives entirely in the notes and should
# be re-validated if the enabled features or the version change.
[[exemptions.libsqlite3-sys]]
version = "0.25.2"
criteria = "safe-to-deploy"
suggest = false
notes = "The in-gecko feature that we enable makes only pre-built bindings used, and none of the embedded C code is built. The build script was audited and is not doing anything besides exposing those bindings"

[[exemptions.libudev]]
version = "0.2.0"
criteria = "safe-to-deploy"

[[exemptions.memmap2]]
version = "0.5.4"
criteria = "safe-to-deploy"

[[exemptions.memoffset]]
version = "0.6.5"
criteria = "safe-to-deploy"

[[exemptions.midir]]
version = "0.7.0"
criteria = "safe-to-deploy"

[[exemptions.mime_guess]]
version = "2.0.4"
criteria = "safe-to-deploy"

[[exemptions.minimal-lexical]]
version = "0.2.1"
criteria = "safe-to-deploy"

[[exemptions.mio]]
version = "0.8.0"
criteria = "safe-to-deploy"

[[exemptions.murmurhash3]]
version = "0.0.5"
criteria = "safe-to-deploy"

[[exemptions.nix]]
version = "0.15.0"
criteria = "safe-to-deploy"

[[exemptions.objc]]
version = "0.2.7"
criteria = "safe-to-deploy"

[[exemptions.object]]
version = "0.28.4"
criteria = "safe-to-deploy"

[[exemptions.once_cell]]
version = "1.12.0"
criteria = "safe-to-deploy"

[[exemptions.plain]]
version = "0.2.3"
criteria = "safe-to-deploy"

[[exemptions.plist]]
version = "1.3.1"
criteria = "safe-to-run"

[[exemptions.ppv-lite86]]
version = "0.2.16"
criteria = "safe-to-deploy"

[[exemptions.profiling]]
version = "1.0.6"
criteria = "safe-to-deploy"
# Exemptions (continued): each entry is unaudited trust at the stated criteria
# level for exactly the listed version.
[[exemptions.prost]]
version = "0.8.0"
criteria = "safe-to-deploy"

[[exemptions.prost-derive]]
version = "0.8.0"
criteria = "safe-to-deploy"

[[exemptions.quick-error]]
version = "1.2.3"
criteria = "safe-to-deploy"

[[exemptions.remove_dir_all]]
version = "0.5.3"
criteria = "safe-to-deploy"

[[exemptions.replace_with]]
version = "0.1.7"
criteria = "safe-to-deploy"

[[exemptions.ringbuf]]
version = "0.2.8"
criteria = "safe-to-deploy"

[[exemptions.ron]]
version = "0.7.0"
criteria = "safe-to-deploy"

[[exemptions.runloop]]
version = "0.1.0"
criteria = "safe-to-deploy"

[[exemptions.rusqlite]]
version = "0.27.0"
criteria = "safe-to-deploy"

[[exemptions.rust-ini]]
version = "0.10.3"
criteria = "safe-to-deploy"

[[exemptions.scroll]]
version = "0.10.2"
criteria = "safe-to-deploy"

[[exemptions.scroll_derive]]
version = "0.10.5"
criteria = "safe-to-deploy"

[[exemptions.self_cell]]
version = "0.10.2"
criteria = "safe-to-deploy"

[[exemptions.serde_with]]
version = "1.14.0"
criteria = "safe-to-deploy"

[[exemptions.serde_with_macros]]
version = "1.5.2"
criteria = "safe-to-deploy"

[[exemptions.siphasher]]
version = "0.3.10"
criteria = "safe-to-deploy"

[[exemptions.socket2]]
version = "0.4.4"
criteria = "safe-to-deploy"

# Build metadata (+1.5.4) is part of the exact version this exemption covers.
[[exemptions.spirv]]
version = "0.2.0+1.5.4"
criteria = "safe-to-deploy"

[[exemptions.tempfile]]
version = "3.3.0"
criteria = "safe-to-deploy"

[[exemptions.time]]
version = "0.1.44"
criteria = "safe-to-deploy"

[[exemptions.triple_buffer]]
version = "5.0.6"
criteria = "safe-to-deploy"

[[exemptions.type-map]]
version = "0.4.0"
criteria = "safe-to-deploy"

[[exemptions.typenum]]
version = "1.15.0"
criteria = "safe-to-deploy"

# safe-to-run only: these two are exempted at the weaker bar and must not be
# relied on by any safe-to-deploy subtree.
[[exemptions.unix_path]]
version = "1.0.1"
criteria = "safe-to-run"

[[exemptions.unix_str]]
version = "1.0.0"
criteria = "safe-to-run"

[[exemptions.uuid]]
version = "0.8.2"
criteria = "safe-to-deploy"

[[exemptions.webrtc-sdp]]
version = "0.3.9"
criteria = "safe-to-deploy"

[[exemptions.winapi]]
version = "0.3.9"
criteria = "safe-to-deploy"

[[exemptions.winapi-i686-pc-windows-gnu]]
version = "0.4.0"
criteria = "safe-to-deploy"

[[exemptions.winapi-x86_64-pc-windows-gnu]]
version = "0.4.0"
criteria = "safe-to-deploy"

[[exemptions.wio]]
version = "0.2.2"
criteria = "safe-to-deploy"

[[exemptions.xml-rs]]
version = "0.8.4"
criteria = "safe-to-deploy"