Coverity Scan: Thunderbird
ben.bucksch at beonex.com
Fri Oct 19 14:14:49 UTC 2018
Mark Banner wrote on 19.10.2018 at 10:12:
> On 12/10/2018 09:26, Óvári wrote:
>> "Since Coverity is C/C++ only, this obviously wouldn't be necessary"
>> ; however, "Projects on Coverity Scan"  languages: Java, C/C++,
>> Does this mean that "Coverity Scan" could help with Thunderbird add-ons?
> That's very unclear. There's no detailed list that I can see of what
> defects but they are mainly things I'd associate with c++ or similar
> compiled languages.
Yes, there are few general language issues. Buffer overflows in JS, for
example. Just a few dangerous idioms, like code in a string etc.
Our real dangers are things that are very Mozilla specific, e.g. take
stuff from network, but make it part of a URL, run the URL as chrome, bam.
> Without more information on the specifics, I'd suggest that promoting
> ESLint <https://eslint.org/> to add-on authors is more likely to be
> useful - there's lots of rules <https://eslint.org/docs/rules/>
> highlighting various issues that can be selectively enabled. For
> legacy/hybrid add-ons, there's eslint-plugin-mozilla
> <https://www.npmjs.com/package/eslint-plugin-mozilla> which has the
> mozilla-central configuration, and useful rules specific to gecko.
I think that's a very good idea, as long as it's not enforced (by
scripts or by addon reviewers), but used merely as a hint for developers
of things to look at. It should be a service offered to addon authors.
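As an added illustration of the ESLint suggestion above (this configuration is not part of the thread and not a mozilla-central or add-on project file), here is a minimal `.eslintrc.json` an add-on author could drop into their project as an advisory check. It extends the `recommended` configuration shipped by eslint-plugin-mozilla (the config name is taken from that plugin's documentation) and additionally flags the "code in a string" idioms the reply mentions, using ESLint's core rules `no-eval`, `no-implied-eval` and `no-new-func`; the `warn` level keeps it a hint rather than a build-breaking gate. ESLint accepts JavaScript-style comments in `.eslintrc.json`.

```json
{
  // Pull in the Gecko-aware rule set from eslint-plugin-mozilla
  // (install with: npm install --save-dev eslint eslint-plugin-mozilla).
  "extends": ["plugin:mozilla/recommended"],
  "plugins": ["mozilla"],

  "rules": {
    // Dangerous idioms: source code assembled as a string and executed.
    // These are the JS patterns most likely to turn attacker-controlled
    // text (e.g. fetched from the network) into code running in the add-on.
    "no-eval": "warn",          // eval("...")
    "no-implied-eval": "warn",  // setTimeout("...", n), setInterval("...", n)
    "no-new-func": "warn",      // new Function("...")

    // Keep it advisory: warnings show up in the editor and `eslint .`
    // output but do not fail the run, matching the "hint, not enforcement"
    // stance above. Change to "error" only if a project opts in.
    "no-script-url": "warn"     // javascript: URLs built from strings
  }
}
```

Run with `npx eslint .` from the add-on root. None of this catches the Mozilla-specific case of network-derived data being turned into a URL and loaded with chrome privileges; that still needs a reviewer reading the code paths where remote input reaches a URL, since a general-purpose linter has no notion of which strings are trusted.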