|
|
1
|
+# General
|
|
|
2
|
+
|
|
|
3
|
+The audit begins at the commit hash where the previous audit ended. Use code_audit.sh for creating the diff and highlighting potentially problematic code. The audit is scoped to a specific language (currently C/C++, Rust, Java/Kotlin, and Javascript).
|
|
|
4
|
+
|
|
|
5
|
+The output includes the entire patch where the new problematic code was introduced. Search for `XXX MATCH XXX` to find the next potential violation.
|
|
|
6
|
+
|
|
|
7
|
+`code_audit.sh` contains the list of known problematic APIs. New usage of these functions are documented and analyzed in this audit.
|
|
|
8
|
+
|
|
|
9
|
+## Firefox: https://github.com/mozilla/gecko-dev.git
|
|
|
10
|
+
|
|
|
11
|
+- Start: `feef2b7da6ff76b4c3c7a13e611eab6e97837ae2` ( `FIREFOX_102_0_1_RELEASE` )
|
|
|
12
|
+- End: `1f1c56dc6bae6b3302471f097ed132ef44cded86` ( `FIREFOX_103_0_2_RELEASE` )
|
|
|
13
|
+
|
|
|
14
|
+### Languages:
|
|
|
15
|
+- [x] java
|
|
|
16
|
+- [x] cpp
|
|
|
17
|
+- [x] js
|
|
|
18
|
+- [x] rust
|
|
|
19
|
+
|
|
|
20
|
+Nothing of interest (using `code_audit.sh`)
|
|
|
21
|
+
|
|
|
22
|
+---
|
|
|
23
|
+
|
|
|
24
|
+## Application Services: https://github.com/mozilla/application-services.git
|
|
|
25
|
+
|
|
|
26
|
+- Start: `0302b89604bb29adb34fdcd710feabd3dd01992d` ( `v93.5.0` )
|
|
|
27
|
+- End: `b70c54882fec606d10e77520b1dd2ae144768747` ( `v94.0.0` )
|
|
|
28
|
+
|
|
|
29
|
+### Languages:
|
|
|
30
|
+- [x] java
|
|
|
31
|
+- [x] cpp
|
|
|
32
|
+- [x] js
|
|
|
33
|
+- [x] rust
|
|
|
34
|
+
|
|
|
35
|
+Nothing of interest (using `code_audit.sh`)
|
|
|
36
|
+
|
|
|
37
|
+## Android Components: https://github.com/mozilla-mobile/android-components.git
|
|
|
38
|
+
|
|
|
39
|
+- Start: `c349019286e21e5179a59e33cec6ae528b108519`
|
|
|
40
|
+- End: `ce720e6308e26588decd5f9d2b02e4658d5b9d14` ( `v103.0.11` )
|
|
|
41
|
+
|
|
|
42
|
+### Languages:
|
|
|
43
|
+- [x] java
|
|
|
44
|
+- [x] cpp
|
|
|
45
|
+- [x] js
|
|
|
46
|
+- [x] rust
|
|
|
47
|
+
|
|
|
48
|
+<!--
|
|
|
49
|
+### foreach PROBLEMATIC_HASH:
|
|
|
50
|
+#### $(PROBLEMATIC_HASH)
|
|
|
51
|
+- Summary
|
|
|
52
|
+- Review Result: (SAFE|BAD)
|
|
|
53
|
+-->
|
|
|
54
|
+
|
|
|
55
|
+#### Problematic Commits
|
|
|
56
|
+- Biometric prompt feature (#12291): `b1723820859fce1c6d0a358e1edec4f4dec39234`
|
|
|
57
|
+
|
|
|
58
|
+## Fenix: https://github.com/mozilla-mobile/fenix.git
|
|
|
59
|
+
|
|
|
60
|
+- Start: `6e0ad035e384ef1fb7d8c8ac8d398470d953e1dc` ( `v103.0.0-beta.1` )
|
|
|
61
|
+- End: `e0d3c03afefe699a7456214b0da140f74ef499f7` ( `v103.2.0` )
|
|
|
62
|
+
|
|
|
63
|
+### Languages:
|
|
|
64
|
+- [x] java
|
|
|
65
|
+- [x] cpp
|
|
|
66
|
+- [x] js
|
|
|
67
|
+- [x] rust
|
|
|
68
|
+
|
|
|
69
|
+Nothing of interest (using `code_audit.sh`)
|
|
|
70
|
+
|
|
|
71
|
+## Ticket Review ##
|
|
|
72
|
+
|
|
|
73
|
+Bugzilla Query: `https://bugzilla.mozilla.org/buglist.cgi?query_format=advanced&resolution=FIXED&target_milestone=103%20Branch&order=priority%2Cbug_severity&limit=0`
|
|
|
74
|
+
|
|
|
75
|
+#### Problematic Tickets
|
|
|
76
|
+- **Use double-conversion library instead of dtoa for string-to-double conversion** https://bugzilla.mozilla.org/show_bug.cgi?id=1770158
|
|
|
77
|
+ - Uses upstream https://github.com/google/double-conversion from google
|
|
|
78
|
+ - Well tested and documentaiton doesn't suggest any hardware specific differences, quick look through the source suggest integer operations for the parsing/conversions |