Comment 5 for bug 1820226

Eduardo Barretto (ebarretto) wrote :

I reviewed twitter-bootstrap3 3.4.0+dfsg-4 as checked into eoan. This shouldn't
be considered a full audit but rather a quick gauge of maintainability.

twitter-bootstrap3 is an open source toolkit for developing with HTML, CSS, and
JS.

- There are different versions of twitter-bootstrap in the archive; after some
  searching we found that
  - twitter-bootstrap4: Highly maintained
  - twitter-bootstrap3: The 3.4.0 version landed in December 2018 and it shows
    that development is more focused on the 4.x version than on 3.x. See:
    https://blog.getbootstrap.com/2018/12/13/bootstrap-3-4-0/
    After the 3.4.0 release we had 3.4.1 (Feb 2019), which fixed a security
    issue. So it seems that they are doing the minimum of giving at least
    security updates to version 3. (we might want to consider updating to 3.4.1)
    It is used in mailman-website, where you can manage lists. It is unclear to
    me if version 3 is a hard dependency.
- CVE History:
  - 7 open CVEs
  - 1 still open in eoan CVE-2019-8331 (fixed in version 3.4.1)
  - All CVEs are XSS
- Build-Depends
  - cssmin,
  - debhelper,
  - lcdf-typetools,
  - node-less,
  - node-source-map,
  - node-uglify,
  - pandoc
- No pre/post inst/rm scripts
- No init scripts
- No systemd units
- No dbus services
- No setuid binaries
- No binaries in PATH
- No sudo fragments
- No udev rules
- Unit tests found in js/tests/
  - unit/ contains the unit test files for each Bootstrap plugin
  - vendor/ contains jQuery
  - visual/ contains "visual" tests which are run interactively in real browsers
    and require manual verification
- No cron jobs
- Build logs:
  - No security relevant warnings or errors
    dpkg-scanpackages: warning: Packages in archive but missing from override file:
    dpkg-scanpackages: warning: sbuild-build-depends-core-dummy
    dpkg-scanpackages: info: Wrote 1 entries to output Packages file.
    E: twitter-bootstrap3 changes: bad-distribution-in-changes-file unstable
    N: 4 tags overridden (1 error, 3 warnings)

- Processes spawned
  - Mostly in Grunt, a JavaScript task runner that is embedded in this
    package, or in documentation
- Memory management: looks like there's not much and it seems ok.
- No file IO
- Logging only in Grunt
- No use of environment variables
- No use of privileged functions
- No use of encryption
- No temp files
- No use of networking
- Makes use of WebKit
- No PolicyKit
- No shell scripts
- Multiple (most from test code, which might be low priority) NULL_RETURNS from Coverity analysis, mostly related to jQuery.

Someone with better JS skills might want to check the Coverity results before we ACK/NACK.

Christian, could you please assign someone to take a look at those warnings?

Attached is the Coverity output.
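The "1 still open in eoan CVE-2019-8331 (fixed in version 3.4.1)" line above rests on comparing the packaged version 3.4.0+dfsg-4 against the upstream fix version. The following is an added example, not part of the bug comment or of the twitter-bootstrap3 package: a pure-Python re-implementation of dpkg's version comparison (epoch, upstream part, Debian revision; digit runs compared numerically, `~` sorting before everything including the empty string) so the check can be scripted without `python3-apt`. On a real system `dpkg --compare-versions` does the same thing; the function and variable names here are the example's own.

```python
"""Compare Debian package versions the way dpkg does, and flag whether a
packaged version already carries an upstream security fix."""

import string

# Constructed sample: the version reviewed above and the upstream fix version.
PACKAGED_VERSION = "3.4.0+dfsg-4"     # from the review comment
FIX_VERSION = "3.4.1"                 # upstream release that fixed CVE-2019-8331


def _order(c: str) -> int:
    """Sort weight of one non-digit character, mirroring dpkg's order()."""
    if c in string.digits:
        return 0
    if c in string.ascii_letters:
        return ord(c)
    if c == "~":
        return -1          # tilde sorts before everything, even end-of-string
    if c:
        return ord(c) + 256  # other punctuation sorts after letters
    return 0               # end of string


def _verrevcmp(a: str, b: str) -> int:
    """dpkg's verrevcmp: alternate non-digit and digit runs until they differ."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Compare the non-digit prefix character by character.
        while (i < len(a) and a[i] not in string.digits) or \
              (j < len(b) and b[j] not in string.digits):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Compare the digit run numerically: strip leading zeros, then the
        # longer run wins; equal-length runs are decided by the first difference.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i] in string.digits and b[j] in string.digits:
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i] in string.digits:
            return 1
        if j < len(b) and b[j] in string.digits:
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version: str):
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:                       # no Debian revision at all
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a is older than, equal to, or newer than b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)


def carries_fix(packaged: str, fixed_in: str) -> bool:
    """True if the packaged version is at or past the version that fixed the issue."""
    return compare_versions(packaged, fixed_in) >= 0


if __name__ == "__main__":
    status = "fixed" if carries_fix(PACKAGED_VERSION, FIX_VERSION) else "still affected"
    print(f"{PACKAGED_VERSION} vs fix in {FIX_VERSION}: {status}")
```

The comparison is split into epoch, upstream and revision on purpose: a Debian revision bump (e.g. `3.4.0+dfsg-5`) never outranks a newer upstream release, which is exactly why the packaged 3.4.0+dfsg-4 is reported as still affected until the upstream part reaches 3.4.1 or a backported fix is recorded separately.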