1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
|
{{!--
Copyright 2024 The Chromium Authors
Use of this source code is governed by a BSD-style license that can be
found in the LICENSE file.
TODO(lukasza: https://github.com/mozilla/cargo-vet/issues/589): Reintroduce
Chromium-specific comments if/when `cargo vet ... --locked` stops complaining
about them with: "A file in the store is not correctly formatted". These
should include the copyright comment above, but maybe more importantly they
should include:
# @generated by tools/crates/gnrt vendor. Do not edit.
--}}
# cargo-vet config file
default-criteria = "safe-to-run"
[cargo-vet]
version = "0.9"
[imports.chromeos]
url = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
[imports.chromeos.criteria-map]
crypto-safe = "crypto-safe"
does-not-implement-crypto = "does-not-implement-crypto"
ub-risk-0 = "ub-risk-0"
ub-risk-1 = "ub-risk-1"
ub-risk-2 = "ub-risk-2"
ub-risk-3 = "ub-risk-3"
ub-risk-4 = "ub-risk-4"
[imports.fuchsia]
url = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT"
[imports.fuchsia.criteria-map]
crypto-safe = "crypto-safe"
does-not-implement-crypto = "does-not-implement-crypto"
ub-risk-0 = "ub-risk-0"
ub-risk-1 = "ub-risk-1"
ub-risk-2 = "ub-risk-2"
ub-risk-3 = "ub-risk-3"
ub-risk-4 = "ub-risk-4"
[imports.google]
url = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml"
[imports.google.criteria-map]
crypto-safe = "crypto-safe"
does-not-implement-crypto = "does-not-implement-crypto"
ub-risk-0 = "ub-risk-0"
ub-risk-1 = "ub-risk-1"
ub-risk-2 = "ub-risk-2"
ub-risk-3 = "ub-risk-3"
ub-risk-4 = "ub-risk-4"
{{#each this.policies}}
[policy."{{crate_name}}"]
criteria = [{{#each criteria}}{{#if @first}}{{else}}, {{/if}}"{{this}}"{{/each}}]
{{/each}}
[[exemptions.aho-corasick]]
version = "1.1.3"
criteria = ["safe-to-deploy", "ub-risk-2"]
notes = """
Part of ICU4X import. Partially audited in google3 without a published review, to be revisited later.
Is not needed by the actual packages enabled in the ICU4X import.
Critical dependency of a rust-lang maintained library (regex).
https://crbug.com/366411886
"""
[[exemptions.cxx]]
version = "1.0.146"
criteria = ["safe-to-deploy", "crypto-safe", "ub-risk-2"]
notes = """
Grandparented-in when setting up `cargo vet` in Jan 2024
Delta audit of 1.0.110 -> 1.0.115 has been done in Jan 2024, but because of a
lack of a fully-audited baseline nothing was recorded in audits.toml
Exemption updated to 1.0.116 in Feb 2024.
Exemption updated to 1.0.117 in Feb 2024.
Exemption updated to 1.0.122 in May 2024.
Exemption updated to 1.0.123 in June 2024.
Exemption updated to 1.0.124 in June 2024.
Exemption updated to 1.0.126 in August 2024.
Exemption updated to 1.0.128 in September 2024.
Exemption updated to 1.0.129 in October 2024.
Exemption updated to 1.0.130 in November 2024.
Exemption updated to 1.0.131 in December 2024.
Exemption updated to 1.0.135 in December 2024.
Exemption updated to 1.0.136 in January 2025.
Exemption updated to 1.0.137 in January 2025.
Exemption updated to 1.0.140 in February 2025.
Exemption updated to 1.0.141 in February 2025.
Exemption updated to 1.0.143 in February 2025.
Exemption updated to 1.0.146 in March 2025.
"""
[[exemptions.cxxbridge-macro]]
version = "1.0.146"
criteria = ["safe-to-deploy", "crypto-safe", "ub-risk-2"]
notes = """
Grandparented-in when setting up `cargo vet` in Jan 2024
Delta audit of 1.0.110 -> 1.0.115 has been done in Jan 2024, but because of a
lack of a fully-audited baseline nothing was recorded in audits.toml
Exemption updated to 1.0.116 in Feb 2024.
Exemption updated to 1.0.117 in Feb 2024.
Exemption updated to 1.0.122 in May 2024.
Exemption updated to 1.0.123 in June 2024.
Exemption updated to 1.0.124 in June 2024.
Exemption updated to 1.0.126 in August 2024.
Exemption updated to 1.0.128 in September 2024.
Exemption updated to 1.0.129 in October 2024.
Exemption updated to 1.0.130 in November 2024.
Exemption updated to 1.0.131 in December 2024.
Exemption updated to 1.0.135 in December 2024.
Exemption updated to 1.0.136 in January 2025.
Exemption updated to 1.0.137 in January 2025.
Exemption updated to 1.0.140 in February 2025.
Exemption updated to 1.0.141 in February 2025.
Exemption updated to 1.0.143 in February 2025.
Exemption updated to 1.0.146 in March 2025.
"""
[[exemptions.icu_experimental]]
version = "0.3.0-beta2"
criteria = ["safe-to-deploy", "ub-risk-2"]
notes = """
Requires unsafe review audit. Sufficiently reviewed to ensure no unsoundness, but needs comments.
Is not needed by the actual packages enabled in the ICU4X import.
Part of Google-co-maintained ICU4X project.
https://crbug.com/366411886
"""
[[exemptions.memchr]]
version = "2.7.4"
criteria = ["safe-to-deploy", "ub-risk-2"]
notes = """
Grandparented-in when setting up `cargo vet` in Jan 2024
Bumped up the exemption to 2.7.1 when updating the crates. When removing
the exemptions in the future we may want to look at the notes in cl/568617493
but even with those notes a review of the whole crate (rather than just the
delta) may be needed for `ub-risk-2`.
Bumped up the exemption to 2.7.2 in April 2024. The delta was relatively small
and straightfoward (focusing on `target_feature = \"simd128\"`). Note that an
unfinished audit of 2.7.1 has been started at https://crrev.com/c/5367005 and
I hear that Fuchsia has also been working on reviewing 2.7.1 (so we should check
later if maybe we can just import their audit).
Bumped up the exemption to 2.7.4 in June 2024, with a small and benign delta.
"""
[[exemptions.num-bigint]]
version = "0.4.6"
criteria = ["safe-to-deploy", "ub-risk-2"]
notes = """
Part of ICU4X import. Partially audited in google3 without a published review, to be revisited later.
Is not needed by the actual packages enabled in the ICU4X import.
https://crbug.com/366411886
"""
[[exemptions.rand_core]]
version = "0.6.4"
criteria = "crypto-safe"
notes = """
Grandparented-in when setting up `cargo vet` in Jan 2024
TODO(b/341950532): Remove this exemption.
"""
[[exemptions.regex-automata]]
version = "0.4.9"
criteria = ["safe-to-deploy", "ub-risk-2"]
notes = """
Part of ICU4X import. Partially audited in google3 without a published review, to be revisited later.
Is not needed by the actual packages enabled in the ICU4X import.
Maintained by rust-lang.
https://crbug.com/366411886
"""
[[exemptions.ryu]]
version = "1.0.20"
criteria = ["safe-to-deploy", "crypto-safe", "ub-risk-2"]
notes = """
Grandparented-in when setting up `cargo vet` in Jan 2024.
Delta audit of 1.0.15 -> 1.0.16 has been done in Jan 2024, but because of a
lack of a fully-audited baseline nothing was recorded in audits.toml
Exemption updated to 1.0.17 in Feb 2024.
Exemption updated to 1.0.18 in May 2024.
Exemption updated to 1.0.19 in Feb 2025.
Exemption updated to 1.0.20 in Feb 2025.
"""
[[exemptions.smallvec]]
version = "1.14.0"
criteria = "ub-risk-2"
notes = """
Part of ICU4X import. Audited in google3 with ub-risk-3, however it's a widely used crate and it should
be fine to temporarily up its rating. The google3 audit showed that it needed better encapsulation and
more comments (which disqualifies it from ub-risk-2), but it is still known to be sound.
https://crbug.com/366411886
Bumped up the exemption to 1.14.0 in February 2025.
WARNING: The `malloc_size_of` feature has **not** been audited because
this feature does not explicitly document its safety requirements.
See also https://chromium-review.googlesource.com/c/chromium/src/+/6275133/comment/ea0d7a93_98051a2e/
and https://github.com/servo/malloc_size_of/issues/8.
This feature is banned in gnrt_config.toml.
"""
[[exemptions.syn]]
version = "2.0.100"
criteria = ["safe-to-deploy", "crypto-safe", "ub-risk-2"]
notes = """
Grandparented-in when setting up `cargo vet` in Jan 2024
Delta audit of 2.0.39 -> syn-2.0.48 has been done in Jan 2024 (including an
`unsafe` review done at https://crrev.com/c/5178771), but because of a lack of
a fully-audited baseline nothing was recorded in audits.toml
Exemption updated to 2.0.50 when updating the crate in Feb 2024.
Exemption updated to 2.0.52 when updating the crate in Mar 2024.
Exemption updated to 2.0.53 when updating the crate.
Exemption updated to 2.0.55 when updating the crate, with notes:
- Mostly clippy, test changes - no changed unsafe.
Exemption updated to 2.0.59 when updating the crate in Apr 2024.
Exemption updated to 2.0.60 when updating the crate.
Exemption updated to 2.0.63 when updating the crate in May 2024.
Exemption updated to 2.0.65 when updating the crate in May 2024.
Exemption updated to 2.0.66 when updating the crate in May 2024.
Exemption updated to 2.0.68 when updating the crate in June 2024.
Exemption updated to 2.0.69 when updating the crate in July 2024.
Exemption updated to 2.0.71 when updating the crate in July 2024.
Exemption updated to 2.0.72 when updating the crate in July 2024.
Exemption updated to 2.0.74 when updating the crate in August 2024.
Exemption updated to 2.0.76 when updating the crate in August 2024.
Exemption updated to 2.0.77 when updating the crate in September 2024.
Exemption updated to 2.0.79 when updating the crate in October 2024.
Exemption updated to 2.0.85 when updating the crate in October 2024.
Exemption updated to 2.0.87 when updating the crate in November 2024.
Exemption updated to 2.0.90 when updating the crate in November 2024.
Exemption updated to 2.0.91 when updating the crate in December 2024.
Exemption updated to 2.0.95 when updating the crate in January 2025.
Exemption updated to 2.0.96 when updating the crate in January 2025.
Exemption updated to 2.0.98 when updating the crate in February 2025.
Exemption updated to 2.0.99 when updating the crate in February 2025.
Exemption updated to 2.0.100 when updating the crate in March 2025.
"""
[[exemptions.tinystr]]
version = "0.8.1"
criteria = ["safe-to-deploy", "ub-risk-2"]
notes = """
Requires unsafe review audit. Unsafe code is either authored or reviewed by a
crabal member, but a formal audit is yet to be performed.
Part of Google-co-maintained ICU4X project.
https://crbug.com/393810918
"""
[[exemptions.utf8_iter]]
version = "1.0.4"
criteria = ["safe-to-deploy", "ub-risk-2"]
notes = """
Requires unsafe review audit. Sufficiently reviewed to ensure no unsoundness, but needs comments.
Is not needed by the actual packages enabled in the ICU4X import.
Sister crate of Google-co-maintained ICU4X project, maintained by Mozillian ICU4X team members.
https://crbug.com/366411886
"""
[[exemptions.zerocopy]]
version = "0.7.35"
criteria = ["safe-to-deploy", "crypto-safe", "ub-risk-2"]
notes = """
Requires unsafe review audit. Authored in Google and audit should come from there as well.
https://crbug.com/366411886
"""
[[exemptions.zerocopy]]
version = "0.8.23"
criteria = ["safe-to-deploy", "crypto-safe", "ub-risk-2"]
notes = """
Requires unsafe review audit. Authored in Google and audit should come from there as well.
https://crbug.com/366411886
"""
[[exemptions.zerocopy-derive]]
version = "0.7.35"
criteria = ["safe-to-deploy", "crypto-safe", "ub-risk-2"]
notes = """
Requires unsafe review audit. Authored in Google and audit should come from there as well.
"""
[[exemptions.zerovec]]
version = "0.11.0"
criteria = ["safe-to-deploy", "ub-risk-2"]
notes = """
Requires unsafe review audit. Unsafe code is either authored or reviewed by a
crabal member, but a formal audit is yet to be performed.
Part of Google-co-maintained ICU4X project.
https://crbug.com/366411886
"""
[[exemptions.zerovec-derive]]
version = "0.11.1"
criteria = ["safe-to-deploy", "ub-risk-2"]
notes = """
Requires unsafe review audit. Unsafe code is either authored or reviewed by a
crabal member, but a formal audit is yet to be performed.
Part of Google-co-maintained ICU4X project.
https://crbug.com/366411886
Exemption updated to 0.11.1 when updating the crate in February 2025.
"""
|
