Coverity Scan: Thunderbird

Ben Bucksch ben.bucksch at
Fri Oct 19 14:14:49 UTC 2018

Mark Banner schrieb am 19.10.2018 um 10:12:
> On 12/10/2018 09:26, Óvári wrote:
>> "Since Coverity is C/C++ only, this obviously wouldn't be necessary" 
>> [1]; however, "Projects on Coverity Scan" [2] languages: Java, C/C++, 
>> C#, JavaScript, PHP/Python/Ruby.
>> Isn't JavaScript [3] used in Thunderbird add-ons?
> Yes it is, but it wasn't clear from the site that it covers Javascript.
>> Does this mean that "Coverity Scan" could help with Thunderbird add-ons?
> That's very unclear. There's no detailed list that I can see of what 
> Javascript specific defects are caught. There is a list of general 
> defects but they are mainly things I'd associate with c++ or similar 
> compiled languages.

Yes, there are few general language issues. Buffer overflows in JS, for 
example. Just a few dangerous idioms, like code in a string etc.

Our real danger is things that are very Mozilla specific, e.g. take 
stuff from network, but make it part of a URL, run the URL as chrome, bam.

> Without more information on the specifics, I'd suggest that promoting 
> ESLint to add-on authors is more likely to be 
> useful - there's lots of rules 
> highlighting various issues that can be selectively enabled. For 
> legacy/hybrid add-ons, there's eslint-plugin-mozilla 
> which has the 
> mozilla-central configuration, and useful rules specific to gecko.

I think that's a very good idea, as long as it's not enforced (by 
scripts or by addon reviewers), but used merely as a hint for developers 
of things to look at. It should be a service offered to addon authors.
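The two JavaScript hazards named in this message, shown as an added example that is not part of the thread or of any Thunderbird/Mozilla code: network-supplied data that ends up inside a URL, and the "code in a string" idiom. The base URL, parameter name and command table below are constructed for illustration.

```javascript
// Added example (not from the tb-planning thread). Each hazard is shown as
// the naive form next to a checked form. All inputs are constructed.

// 1. Network-supplied data that becomes part of a URL.
//    With the WHATWG URL parser an absolute URL in the untrusted value
//    replaces the base entirely, scheme included, so the caller no longer
//    controls what kind of URL it is about to load.
function naiveBuildUrl(base, untrusted) {
  return String(new URL(untrusted, base)); // absolute input wins over base
}

// Checked form: the untrusted value is only ever a query parameter, so it
// cannot influence scheme, host or path. The result is then re-parsed and
// its scheme compared against an allowlist before anyone acts on it.
const ALLOWED_SCHEMES = new Set(["https:", "http:"]);

function buildUrlFromUntrusted(base, paramName, untrusted) {
  const url = new URL(base);               // base is developer-controlled
  url.searchParams.set(paramName, untrusted);
  return url.toString();
}

function isAllowedUrl(candidate) {
  let parsed;
  try {
    parsed = new URL(candidate);
  } catch (err) {
    return false;                          // unparseable: refuse to open
  }
  return ALLOWED_SCHEMES.has(parsed.protocol);
}

// 2. "Code in a string": selecting behaviour by a name from untrusted input.
//    The naive idiom is something like `new Function("return " + name + "()")`
//    or a string argument to setTimeout; ESLint's core rules no-eval,
//    no-implied-eval and no-new-func report exactly those lines. The
//    checked form looks the name up in a frozen table of known commands and
//    ignores everything else, including inherited property names.
const COMMANDS = Object.freeze({
  refresh: () => "refreshed",
  archive: () => "archived",
});

function dispatchCommand(name) {
  if (!Object.prototype.hasOwnProperty.call(COMMANDS, name)) {
    return null;                           // unknown command: do nothing
  }
  return COMMANDS[name]();
}

// Stand-alone demonstration with constructed values.
const BASE = "https://mail.example/open";
const UNTRUSTED = "chrome://example/content/x.xhtml"; // constructed input
console.log("naive  :", naiveBuildUrl(BASE, UNTRUSTED),
            "allowed:", isAllowedUrl(naiveBuildUrl(BASE, UNTRUSTED)));
console.log("checked:", buildUrlFromUntrusted(BASE, "target", UNTRUSTED),
            "allowed:", isAllowedUrl(buildUrlFromUntrusted(BASE, "target", UNTRUSTED)));
console.log("dispatch:", dispatchCommand("refresh"), dispatchCommand("constructor"));
```

The lint rules catch the second hazard mechanically; the first is the kind of Mozilla-specific data-flow problem a generic linter does not see, which is why the scheme check sits at the point where the URL is about to be used rather than where it is built.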


More information about the tb-planning mailing list