# cargo-vet config file default-criteria = "safe-to-run" [cargo-vet] version = "0.9" [imports.chromeos] url = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [imports.chromeos.criteria-map] crypto-safe = "crypto-safe" does-not-implement-crypto = "does-not-implement-crypto" ub-risk-0 = "ub-risk-0" ub-risk-1 = "ub-risk-1" ub-risk-2 = "ub-risk-2" ub-risk-3 = "ub-risk-3" ub-risk-4 = "ub-risk-4" [imports.fuchsia] url = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT" [imports.fuchsia.criteria-map] crypto-safe = "crypto-safe" does-not-implement-crypto = "does-not-implement-crypto" ub-risk-0 = "ub-risk-0" ub-risk-1 = "ub-risk-1" ub-risk-2 = "ub-risk-2" ub-risk-3 = "ub-risk-3" ub-risk-4 = "ub-risk-4" [imports.google] url = "https://raw.githubusercontent.com/google/rust-crate-audits/main/manual-sources/google3-audits.toml" [imports.google.criteria-map] crypto-safe = "crypto-safe" does-not-implement-crypto = "does-not-implement-crypto" ub-risk-0 = "ub-risk-0" ub-risk-1 = "ub-risk-1" ub-risk-2 = "ub-risk-2" ub-risk-3 = "ub-risk-3" ub-risk-4 = "ub-risk-4" [policy."aho-corasick:1.1.3"] criteria = ["does-not-implement-crypto", "safe-to-run"] [policy."anstyle:1.0.6"] criteria = ["does-not-implement-crypto", "safe-to-run"] [policy."anyhow:1.0.82"] criteria = ["does-not-implement-crypto", "safe-to-run"] [policy."base64:0.13.1"] criteria = ["does-not-implement-crypto", "safe-to-run"] [policy."bitflags:2.5.0"] criteria = ["does-not-implement-crypto", "safe-to-deploy", "ub-risk-2"] [policy."bytemuck:1.15.0"] criteria = ["does-not-implement-crypto", "safe-to-deploy", "ub-risk-2"] [policy."bytes:1.6.0"] criteria = ["does-not-implement-crypto", "safe-to-run"] [policy."cc:1.0.94"] criteria = [] [policy."cfg-if:1.0.0"] criteria = ["does-not-implement-crypto", "safe-to-deploy", "ub-risk-2"] [policy."clap:4.5.4"] criteria = ["does-not-implement-crypto", "safe-to-run"] [policy."clap_builder:4.5.2"] criteria = ["does-not-implement-crypto", "safe-to-run"] [policy."clap_lex:0.7.0"] criteria = ["does-not-implement-crypto", "safe-to-run"] [policy."codespan-reporting:0.11.1"] criteria = ["does-not-implement-crypto", "safe-to-run"] [policy."cxx:1.0.120"] criteria = ["does-not-implement-crypto", "safe-to-deploy", "ub-risk-2"] [policy."cxxbridge-cmd:1.0.121"] criteria = ["does-not-implement-crypto", "safe-to-run"] [policy."cxxbridge-flags:1.0.120"] criteria = ["does-not-implement-crypto", "safe-to-deploy", "ub-risk-2"] [policy."cxxbridge-macro:1.0.120"] criteria = ["does-not-implement-crypto", "safe-to-deploy", "ub-risk-2"] [policy."either:1.11.0"] criteria = ["does-not-implement-crypto", "safe-to-run"] [policy."fend-core:1.4.6"] criteria = ["does-not-implement-crypto", "safe-to-deploy", "ub-risk-2"] [policy."font-types:0.4.3"] criteria = ["does-not-implement-crypto", "safe-to-deploy", "ub-risk-2"] [policy."getrandom:0.2.14"] criteria = ["does-not-implement-crypto", "safe-to-run"] [policy."heck:0.4.1"] criteria = ["does-not-implement-crypto", "safe-to-deploy", "ub-risk-2"] [policy."hex-literal:0.4.1"] criteria = ["does-not-implement-crypto", "safe-to-run"] [policy."hex:0.4.3"] criteria = ["does-not-implement-crypto", "safe-to-run"] [policy."itertools:0.11.0"] criteria = ["does-not-implement-crypto", "safe-to-run"] [policy."itoa:1.0.11"] criteria = ["does-not-implement-crypto", "safe-to-deploy", "ub-risk-2"] [policy."lazy_static:1.4.0"] criteria = ["does-not-implement-crypto", "safe-to-deploy", "ub-risk-2"] [policy."libc:0.2.153"] criteria = ["does-not-implement-crypto", "safe-to-deploy", "ub-risk-2"] [policy."link-cplusplus:1.0.9"] criteria = [] [policy."log:0.4.21"] criteria = ["does-not-implement-crypto", "safe-to-run"] [policy."memchr:2.7.2"] criteria = ["does-not-implement-crypto", "safe-to-deploy", "ub-risk-2"] [policy."minimal-lexical:0.2.1"] criteria = [] [policy."nom:7.1.3"] criteria = ["does-not-implement-crypto", "safe-to-deploy", "ub-risk-2"] [policy."ppv-lite86:0.2.17"] criteria = ["does-not-implement-crypto", "safe-to-run"] [policy."proc-macro2:1.0.80"] criteria = ["does-not-implement-crypto", "safe-to-deploy", "ub-risk-2"] [policy."prost-derive:0.12.4"] criteria = ["does-not-implement-crypto", "safe-to-run"] [policy."prost:0.12.3"] criteria = ["does-not-implement-crypto", "safe-to-run"] [policy."qr_code:2.0.0"] criteria = ["does-not-implement-crypto", "safe-to-deploy", "ub-risk-2"] [policy."quote:1.0.36"] criteria = ["does-not-implement-crypto", "safe-to-deploy", "ub-risk-2"] [policy."rand:0.8.5"] criteria = ["does-not-implement-crypto", "safe-to-run"] [policy."rand_chacha:0.3.1"] criteria = ["does-not-implement-crypto", "safe-to-run"] [policy."rand_core:0.6.4"] criteria = ["does-not-implement-crypto", "safe-to-run"] [policy."rand_pcg:0.3.1"] criteria = ["does-not-implement-crypto", "safe-to-run"] [policy."read-fonts:0.15.6"] criteria = ["does-not-implement-crypto", "safe-to-deploy", "ub-risk-2"] [policy."regex-automata:0.4.6"] criteria = ["does-not-implement-crypto", "safe-to-run"] [policy."regex-syntax:0.8.3"] criteria = ["does-not-implement-crypto", "safe-to-run"] [policy."regex:1.10.4"] criteria = ["does-not-implement-crypto", "safe-to-run"] [policy."rstest:0.17.0"] criteria = ["does-not-implement-crypto", "safe-to-run"] [policy."rstest_macros:0.17.0"] criteria = ["does-not-implement-crypto", "safe-to-run"] [policy."rstest_reuse:0.5.0"] criteria = ["does-not-implement-crypto", "safe-to-run"] [policy."rustc-demangle-capi:0.1.0"] criteria = ["does-not-implement-crypto", "safe-to-run"] [policy."rustc-demangle:0.1.23"] criteria = ["does-not-implement-crypto", "safe-to-run"] [policy."rustc_version:0.4.0"] criteria = ["does-not-implement-crypto", "safe-to-run"] [policy."rustversion:1.0.15"] criteria = ["does-not-implement-crypto", "safe-to-deploy", "ub-risk-2"] [policy."ryu:1.0.17"] criteria = ["does-not-implement-crypto", "safe-to-deploy", "ub-risk-2"] [policy."semver:1.0.22"] criteria = ["does-not-implement-crypto", "safe-to-run"] [policy."serde:1.0.197"] criteria = ["does-not-implement-crypto", "safe-to-deploy", "ub-risk-2"] [policy."serde_derive:1.0.197"] criteria = ["does-not-implement-crypto", "safe-to-deploy", "ub-risk-2"] [policy."serde_json:1.0.115"] criteria = ["does-not-implement-crypto", "safe-to-run"] [policy."serde_json_lenient:0.2.1"] criteria = ["does-not-implement-crypto", "safe-to-deploy", "ub-risk-2"] [policy."skrifa:0.15.5"] criteria = ["does-not-implement-crypto", "safe-to-deploy", "ub-risk-2"] [policy."small_ctor:0.1.1"] criteria = ["does-not-implement-crypto", "safe-to-run"] [policy."static_assertions:1.1.0"] criteria = ["does-not-implement-crypto", "safe-to-deploy", "ub-risk-2"] [policy."strsim:0.11.1"] criteria = ["does-not-implement-crypto", "safe-to-run"] [policy."strum:0.25.0"] criteria = ["does-not-implement-crypto", "safe-to-deploy", "ub-risk-2"] [policy."strum_macros:0.25.3"] criteria = ["does-not-implement-crypto", "safe-to-deploy", "ub-risk-2"] [policy."syn:1.0.109"] criteria = ["does-not-implement-crypto", "safe-to-run"] [policy."syn:2.0.55"] criteria = ["does-not-implement-crypto", "safe-to-deploy", "ub-risk-2"] [policy."termcolor:1.4.1"] criteria = ["does-not-implement-crypto", "safe-to-run"] [policy."tinyvec:1.6.0"] criteria = ["does-not-implement-crypto", "safe-to-deploy", "ub-risk-2"] [policy."unicode-ident:1.0.12"] criteria = ["does-not-implement-crypto", "safe-to-deploy", "ub-risk-2"] [policy."unicode-linebreak:0.1.5"] criteria = ["does-not-implement-crypto", "safe-to-deploy", "ub-risk-2"] [policy."unicode-width:0.1.11"] criteria = ["does-not-implement-crypto", "safe-to-run"] [policy."wasi:0.11.0+wasi-snapshot-preview1"] criteria = [] [policy."winapi-i686-pc-windows-gnu:0.4.0"] criteria = [] [policy."winapi-util:0.1.6"] criteria = ["does-not-implement-crypto", "safe-to-run"] [policy."winapi-x86_64-pc-windows-gnu:0.4.0"] criteria = [] [policy."winapi:0.3.9"] criteria = ["does-not-implement-crypto", "safe-to-run"] [policy."wycheproof:0.4.0"] criteria = ["does-not-implement-crypto", "safe-to-run"] [[exemptions.cxx]] version = "1.0.117" criteria = ["safe-to-deploy", "ub-risk-2"] notes = """ Grandparented-in when setting up `cargo vet` in Jan 2024 Delta audit of 1.0.110 -> 1.0.115 has been done in Jan 2024, but because of a lack of a fully-audited baseline nothing was recorded in audits.toml Exemption updated to 1.0.116 in Feb 2024. Exemption updated to 1.0.117 in Feb 2024. """ [[exemptions.cxxbridge-macro]] version = "1.0.117" criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] notes = """ Grandparented-in when setting up `cargo vet` in Jan 2024 Delta audit of 1.0.110 -> 1.0.115 has been done in Jan 2024, but because of a lack of a fully-audited baseline nothing was recorded in audits.toml Exemption updated to 1.0.116 in Feb 2024. Exemption updated to 1.0.117 in Feb 2024. """ [[exemptions.libc]] version = "0.2.153" criteria = ["safe-to-deploy", "ub-risk-2"] notes = """ Grandparented-in when setting up `cargo vet` in Jan 2024 Unsoundness was found in 0.2.152 behind a crate feature (called \"extra_traits\") that is unused by Chromium. https://crbug.com/1524111 tracks ensuring that we don't accidentally start depending on this feature. Exemption updated to 0.2.153 in Feb 2024. """ [[exemptions.memchr]] version = "2.7.2" criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] notes = """ Grandparented-in when setting up `cargo vet` in Jan 2024 Bumped up the exemption to 2.7.1 when updating the crates. When removing the exemptions in the future we may want to look at the notes in cl/568617493 but even with those notes a review of the whole crate (rather than just the delta) may be needed for `ub-risk-2`. Bumped up the exemption to 2.7.2 in April 2024. The delta was relatively small and straightfoward (focusing on `target_feature = \"simd128\"`). Note that an unfinished audit of 2.7.1 has been started at https://crrev.com/c/5367005 and I hear that Fuchsia has also been working on reviewing 2.7.1 (so we should check later if maybe we can just import their audit). """ [[exemptions.rand_chacha]] version = "0.3.1" criteria = "does-not-implement-crypto" notes = "Grandparented-in when setting up `cargo vet` in Jan 2024" [[exemptions.rand_core]] version = "0.6.4" criteria = "does-not-implement-crypto" notes = "Grandparented-in when setting up `cargo vet` in Jan 2024" [[exemptions.read-fonts]] version = "0.15.6" criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] notes = """ 0.15.2 grandparented-in when setting up `cargo vet` in Jan 2024. Exemption updated to 0.15.5 when updating the crate in Feb 2024. Exemption updated to 0.15.6 when updating the crate in Feb 2024. """ [[exemptions.ryu]] version = "1.0.17" criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] notes = """ Grandparented-in when setting up `cargo vet` in Jan 2024. Delta audit of 1.0.15 -> 1.0.16 has been done in Jan 2024, but because of a lack of a fully-audited baseline nothing was recorded in audits.toml Exemption updated to 1.0.17 in Feb 2024. """ [[exemptions.skrifa]] version = "0.15.5" criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] notes = """ 0.15.2 grandparented-in when setting up `cargo vet` in Jan 2024. Exemption updated to 0.15.5 when updating the crate in Feb 2024. """ [[exemptions.syn]] version = "2.0.52" criteria = ["safe-to-deploy", "does-not-implement-crypto", "ub-risk-2"] notes = """ Grandparented-in when setting up `cargo vet` in Jan 2024 Delta audit of 2.0.39 -> syn-2.0.48 has been done in Jan 2024 (including an `unsafe` review done at https://crrev.com/c/5178771), but because of a lack of a fully-audited baseline nothing was recorded in audits.toml Exemption updated to 2.0.50 when updating the crate in Feb 2024. Exemption updated to 2.0.52 when updating the crate in Mar 2024. """