add supply chain audits for #5929's rustls changes (#6137)

The `ring` crate needed to be exempted: it contains a large quantity of asm and native binary implementations of crypto primitives. It is a major undertaking to certify the safety of those implementations.

ring also pulled in the wasm-bindgen family of crates for its wasm32-unknown-unknown target, which this project will not be using. Because we don't care about that platform, I added exemptions for all of these crates, so we don't have to audit them.

The actual supply chain audits for rusttls, rustls-webpki, sct, and tokio-rustls were unremarkable. I also audited a small diff on wasm-bindgen-shared because it was trivial.

supply-chain/audits.toml

@@ -817,6 +817,23 @@ criteria = "safe-to-deploy"
 delta = "0.36.7 -> 0.36.8"
 notes = "The Bytecode Alliance is the author of this crate."
 
+[[audits.rustls]]
+who = "Pat Hickey <phickey@fastly.com>"
+criteria = "safe-to-deploy"
+version = "0.21.0"
+notes = "no unsafe code, ambient capabilities only used in tests"
+
+[[audits.rustls-webpki]]
+who = "Pat Hickey <phickey@fastly.com>"
+criteria = "safe-to-deploy"
+version = "0.100.1"
+
+[[audits.sct]]
+who = "Pat Hickey <phickey@fastly.com>"
+criteria = "safe-to-deploy"
+version = "0.7.0"
+notes = "no unsafe, no build, no ambient capabilities"
+
 [[audits.semver]]
 who = "Pat Hickey <phickey@fastly.com>"
 criteria = "safe-to-deploy"
@@ -901,6 +918,12 @@ criteria = "safe-to-deploy"
 version = "0.3.1"
 notes = "unsafety is used for smuggling std::task::Context as a raw pointer. Lifetime and type safety appears to be taken care of correctly."
 
+[[audits.tokio-rustls]]
+who = "Pat Hickey <phickey@fastly.com>"
+criteria = "safe-to-deploy"
+version = "0.24.0"
+notes = "no unsafe, no build, no ambient capabilities"
+
 [[audits.tokio-util]]
 who = "Pat Hickey <phickey@fastly.com>"
 criteria = "safe-to-deploy"
@@ -967,6 +990,11 @@ who = "Pat Hickey <phickey@fastly.com>"
 criteria = "safe-to-deploy"
 version = "0.3.0"
 
+[[audits.wasm-bindgen-shared]]
+who = "Pat Hickey <phickey@fastly.com>"
+criteria = "safe-to-deploy"
+delta = "0.2.83 -> 0.2.80"
+
 [[audits.wasm-coredump-builder]]
 who = "Alex Crichton <alex@alexcrichton.com>"
 criteria = "safe-to-deploy"
@@ -1602,6 +1630,11 @@ criteria = "safe-to-deploy"
 delta = "1.0.48 -> 1.0.49"
 notes = "The Bytecode Alliance is the author of this crate."
 
+[[audits.webpki-roots]]
+who = "Pat Hickey <phickey@fastly.com>"
+criteria = "safe-to-deploy"
+delta = "0.22.4 -> 0.23.0"
+
 [[audits.windows-sys]]
 who = "Dan Gohman <dev@sunfishcode.online>"
 criteria = "safe-to-deploy"

supply-chain/config.toml

@@ -426,6 +426,11 @@ criteria = "safe-to-deploy"
 version = "0.1.24"
 criteria = "safe-to-deploy"
 
+[[exemptions.js-sys]]
+version = "0.3.57"
+criteria = "safe-to-deploy"
+notes = "dependency of ring for wasm32 browser platform, which our project does not target"
+
 [[exemptions.js-sys]]
 version = "0.3.57"
 criteria = "safe-to-run"
@@ -733,6 +738,11 @@ criteria = "safe-to-deploy"
 version = "0.5.3"
 criteria = "safe-to-deploy"
 
+[[exemptions.ring]]
+version = "0.16.20"
+criteria = "safe-to-deploy"
+notes = "contains assembly language and object file implementations of crypto primitives for a very large number of platforms"
+
 [[exemptions.rsa]]
 version = "0.5.0"
 criteria = "safe-to-deploy"
@@ -961,26 +971,47 @@ criteria = "safe-to-deploy"
 version = "0.11.0+wasi-snapshot-preview1"
 criteria = "safe-to-deploy"
 
+[[exemptions.wasm-bindgen]]
+version = "0.2.80"
+criteria = "safe-to-deploy"
+notes = "dependency of ring for wasm32 browser platform, which our project does not target"
+
 [[exemptions.wasm-bindgen]]
 version = "0.2.80"
 criteria = "safe-to-run"
 
+[[exemptions.wasm-bindgen-backend]]
+version = "0.2.80"
+criteria = "safe-to-deploy"
+notes = "dependency of ring for wasm32 browser platform, which our project does not target"
+
 [[exemptions.wasm-bindgen-backend]]
 version = "0.2.80"
 criteria = "safe-to-run"
 
+[[exemptions.wasm-bindgen-macro]]
+version = "0.2.80"
+criteria = "safe-to-deploy"
+notes = "dependency of ring for wasm32 browser platform, which our project does not target"
+
 [[exemptions.wasm-bindgen-macro]]
 version = "0.2.80"
 criteria = "safe-to-run"
 
 [[exemptions.wasm-bindgen-macro-support]]
 version = "0.2.80"
-criteria = "safe-to-run"
+criteria = "safe-to-deploy"
+notes = "dependency of ring for wasm32 browser platform, which our project does not target"
 
-[[exemptions.wasm-bindgen-shared]]
+[[exemptions.wasm-bindgen-macro-support]]
 version = "0.2.80"
 criteria = "safe-to-run"
 
+[[exemptions.web-sys]]
+version = "0.3.57"
+criteria = "safe-to-deploy"
+notes = "dependency of ring for wasm32 browser platform, which our project does not target"
+
 [[exemptions.web-sys]]
 version = "0.3.57"
 criteria = "safe-to-run"

supply-chain/imports.lock

@@ -32,6 +32,12 @@ criteria = "safe-to-deploy"
 version = "0.2.2"
 notes = "Inspected it and is a tiny crate with just type definitions"
 
+[[audits.embark-studios.audits.webpki-roots]]
+who = "Johan Andersson <opensource@embark-studios.com>"
+criteria = "safe-to-deploy"
+version = "0.22.4"
+notes = "Inspected it to confirm that it only contains data definitions and no runtime code"
+
 [[audits.google.audits.libfuzzer-sys]]
 who = "ChromeOS"
 criteria = "safe-to-run"
@@ -71,6 +77,16 @@ who = "David Cook <dcook@divviup.org>"
 criteria = "safe-to-deploy"
 version = "0.4.1"
 
+[[audits.isrg.audits.untrusted]]
+who = "David Cook <dcook@divviup.org>"
+criteria = "safe-to-deploy"
+version = "0.7.1"
+
+[[audits.isrg.audits.wasm-bindgen-shared]]
+who = "David Cook <dcook@divviup.org>"
+criteria = "safe-to-deploy"
+version = "0.2.83"
+
 [[audits.mozilla.audits.autocfg]]
 who = "Josh Stone <jistone@redhat.com>"
 criteria = "safe-to-deploy"