Another prolific year of open-source contributions

By Samuel Moelius

This time last year, we wrote about the more than 190 Trail of Bits-authored pull requests that were merged into non-Trail of Bits repositories in 2021. In 2022, we continued that trend by having more than 400 pull requests merged into non-Trail of Bits repositories!

Why is this significant? While we take great pride in the tools that we develop, we recognize that we benefit from tools maintained outside of Trail of Bits. When one of those tools doesn’t work as we expect, we try to fix it. When a tool doesn’t fill the need we think it was meant to, we try to improve it. In short, we try to give back to the community that gives so much to us.

Here are a few highlights from the list of PRs at the end of this blog post:

Clippy is a collection of over 550 lints to catch common mistakes and improve Rust code. We added the crate_in_macro_def and unnecessary_find_map lints, and contributed improvements and bugfixes to lints such as empty_line_after_outer_attribute, expect_used/unwrap_used, extra_unused_lifetimes, needless_borrow, needless_lifetimes, unnecessary_to_owned, and unnecessary_filter_map.
HEVM is an implementation of the Ethereum virtual machine with symbolic execution capabilities. Our contributions to HEVM included simplifying its use of the SMT solver, improving its performance, fixing a memory leak, and adding tests.
Envoy is a high-performance open source edge and service proxy that makes the network transparent to applications. We implemented the initial version of the Unified Header Validation (UHV) component within Envoy for validating all request and response headers for HTTP/1 and HTTP/2. We took the existing header validation logic, consolidated it into the UHV component, performed an assessment to determine where the logic was not fully RFC compliant, and then fixed or implemented any gaps to ensure that the default configuration strictly adheres to the RFC standards. The new component provides a single entry point for all HTTP request and response validation that makes it a much easier code base to maintain, audit, extend, customize, and fix any newly discovered attack vectors.
pyca/cryptography is a package that provides cryptographic recipes and primitives to Python developers. We improved its support for Certificate Transparency and made numerous usability improvements.
Vcpkg is a C/C++ package manager for Windows, Linux, and MacOS. We fixed a bug in Vcpkg itself and made improvements to packages such as flatbuffers, grpc, gtest, ixwebsocket. libcpplocate, llvm, mbedtls, tcb-span, and z3.
Warehouse is the software that powers PyPI, the official package index for the Python programming language. We made numerous feature improvements and bugfixes, including support for expiring API tokens, support for credential-free package uploads with OIDC, a refactor of core permissions internals, enhancements to PyPI’s vulnerability feed, and improvements to user-facing error messages.

The projects named below represent software of the highest quality. Software of this caliber doesn’t come from just merging PRs and publishing new releases; it comes from careful planning, prioritizing features, familiarity with related projects, and an understanding of the role that a project plays within the larger software ecosystem. We thank these projects’ maintainers both for the work the public sees and for innumerable hours spent on work the public doesn’t see.

Some of Trail of Bits’s 2022 Open-Source Contributions

Cryptography

Tech Infrastructure

Software testing tools

Blockchain software