444136 - Create framework to automatically scan add-ons for bad patterns

Status: VERIFIED FIXED

(addons.mozilla.org Graveyard :: Administration, defect)

Description

[Justin Scott [:fligtar]]

Did this last summer and we should do it again. Grep all xpis for updateURL and extensions.update.url and contact any authors for hits. updateURLs may have been introduced from bug 443791 and we don't check for extensions.update.url on upload.

Comment 1

[Michael Morgan [:morgamic]]

We should automate this.  Justin, could you spend some time later this quarter planning a security and code scanning framework?  I've seen quite a few of these bugs.

Comment 2

[Michael Morgan [:morgamic]]

This is now a tracking bug for the scanning tool/framework.  We should work on requirements so we can start work on this in Q1 2009.

Comment 3

[Les Orchard [:lorchard]]

Throwing this into a milestone

Comment 4

[Wil Clouser [:clouserw]]

Evolving spec is here: http://docs.google.com/Doc?id=dcfr9qrp_1c2pgcsfh

Comment 5

[Wil Clouser [:clouserw]]

This is practically a dupe of bug 371210 but I'll leave it open for now.  They both depend on each other though and the other bug has more discussion, specs, and a mockup.

Comment 6

[Wil Clouser [:clouserw]]

Framework is in, initial tests are in.  We can improve as we go along in other bugs.

Comment 7

[Stephen Donner [:stephend] Not actively reading bugmail]

Attachment: Screenshot

Only one example of a potentially bad pattern, but there are others I've found, just haven't attached here.

Comment 8

[Stephen Donner [:stephend] Not actively reading bugmail]

Verified FIXED.