Coverity Scan: Thunderbird

Ben Bucksch ben.bucksch at beonex.com
Fri Oct 19 14:14:49 UTC 2018


Mark Banner wrote on 19.10.2018 at 10:12:
>
> On 12/10/2018 09:26, Óvári wrote:
>
>> "Since Coverity is C/C++ only, this obviously wouldn't be necessary" 
>> [1]; however, "Projects on Coverity Scan" [2] languages: Java, C/C++, 
>> C#, JavaScript, PHP/Python/Ruby.
>>
>> Isn't JavaScript [3] used in Thunderbird add-ons?
> Yes it is, but it wasn't clear from the site that it covers Javascript.
>> Does this mean that "Coverity Scan" could help with Thunderbird add-ons?
>
> That's very unclear. There's no detailed list that I can see of what 
> Javascript specific defects are caught. There is a list of general 
> defects but they are mainly things I'd associate with c++ or similar 
> compiled languages.
>

Yes, there are few general language issues. Buffer overflows in JS, for 
example. Just a few dangerous idioms, like code in a string etc.

Our real dangers are things that are very Mozilla specific, e.g. take 
stuff from network, but make it part of a URL, run the URL as chrome, bam.

> Without more information on the specifics, I'd suggest that promoting 
> ESLint <https://eslint.org/> to add-on authors is more likely to be 
> useful - there's lots of rules <https://eslint.org/docs/rules/> 
> highlighting various issues that can be selectively enabled. For 
> legacy/hybrid add-ons, there's eslint-plugin-mozilla 
> <https://www.npmjs.com/package/eslint-plugin-mozilla> which has the 
> mozilla-central configuration, and useful rules specific to gecko.
>

I think that's a very good idea, as long as it's not enforced (by 
scripts or by addon reviewers), but used merely as a hint for developers 
of things to look at. It should be a service offered to addon authors.
