I reviewed twitter-bootstrap3 3.4.0+dfsg-4 as checked into eoan. This shouldn't
be considered a full audit but rather a quick gauge of maintainability.
twitter-bootstrap3 is an open source toolkit for developing with HTML, CSS, and
JS.
- There are different versions of twitter-bootstrap in the archive; after some
searching we have that:
- twitter-bootstrap4: Highly maintained
- twitter-bootstrap3: The 3.4.0 version landed in December 2018 and it shows
that development is more focused on the 4.x version than on 3.x. See: https://blog.getbootstrap.com/2018/12/13/bootstrap-3-4-0/
After the 3.4.0 release we had 3.4.1 (Feb 2019) which fixed a security
issue. So it seems that they are doing the minimum of giving at least
security updates to version 3. (we might want to consider updating to 3.4.1)
It is used in mailman-website where you can manage lists. It is unclear to
me if version 3 is a hard dependency.
- CVE History:
- 7 open CVEs
- 1 still open in eoan CVE-2019-8331 (fixed in version 3.4.1)
- All CVEs are XSS
- Build-Depends
- cssmin,
- debhelper,
- lcdf-typetools,
- node-less,
- node-source-map,
- node-uglify,
- pandoc
- No pre/post inst/rm scripts
- No init scripts
- No systemd units
- No dbus services
- No setuid binaries
- No binaries in PATH
- No sudo fragments
- No udev rules
- Unit tests found in js/tests/
- unit/ contains the unit test files for each Bootstrap plugin
- vendor/ contains jQuery
- visual/ contains "visual" tests which are run interactively in real browsers
and require manual verification
- No cron jobs
- Build logs:
- No security relevant warnings or errors
dpkg-scanpackages: warning: Packages in archive but missing from override file:
dpkg-scanpackages: warning: sbuild-build-depends-core-dummy
dpkg-scanpackages: info: Wrote 1 entries to output Packages file.
E: twitter-bootstrap3 changes: bad-distribution-in-changes-file unstable
N: 4 tags overridden (1 error, 3 warnings)
- Processes spawned
- Mostly on Grunt, a JavaScript task runner that is embedded in this
package, or documentation
- Memory management: looks like there's not much and it seems ok.
- No file IO
- Logging only in Grunt
- No use of environment variables
- No use of privileged functions
- No use of encryption
- No temp files
- No use of networking
- Makes use of WebKit
- No PolicyKit
- No shell scripts
- Multiple (most from test code, which might be low priority) NULL_RETURNS from Coverity analysis, mostly related to jQuery.
Someone with better JS skills might want to check the Coverity results before we ACK/NACK.
Christian, could you please assign someone to take a look at those warnings?
Attached goes the coverity output.
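The review above notes that CVE-2019-8331 is still open in eoan and is fixed upstream in 3.4.1. The following Python script is an added triage helper, not part of this review or of the twitter-bootstrap3 package: it scans JavaScript files for the Bootstrap version banner and classifies each as fixed, vulnerable, or backported. Assumptions, not taken from the review: the fixed-version thresholds (3.4.1 for the 3.x branch, 4.3.1 for 4.x) are taken from the CVE-2019-8331 advisory; the marker identifiers `sanitizeHtml` and `whiteList` are the names upstream introduced in the 3.4.1/4.3.1 tooltip code, used here as a signal that a distro patch backported the fix without changing the version banner. The sample file contents are constructed for the example.

```python
"""Triage helper: is a shipped Bootstrap build still exposed to CVE-2019-8331?

Added example, not part of the MIR review or the twitter-bootstrap3 package.
Assumptions (labelled): fixed versions 3.4.1 (3.x branch) and 4.3.1 (4.x
branch) come from the CVE-2019-8331 advisory; the marker strings below are
the identifiers upstream added in the fixed tooltip code and are used only to
spot a backported fix that left the version banner untouched.
"""
import re
import sys
from pathlib import Path

BANNER_RE = re.compile(r"Bootstrap v(\d+)\.(\d+)\.(\d+)")
SANITIZER_MARKERS = ("sanitizeHtml", "whiteList")  # assumed fix signature

# Constructed sample file contents (not real package files) so this runs offline.
SAMPLE_FILES = {
    "bootstrap-3.4.0.js": (
        "/*!\n * Bootstrap v3.4.0 (https://getbootstrap.com/)\n */\n"
        "+function ($) { var Tooltip = function (el, opts) {} }(jQuery);\n"
    ),
    "bootstrap-3.4.0-backported.js": (
        "/*!\n * Bootstrap v3.4.0 (https://getbootstrap.com/)\n */\n"
        "+function ($) { function sanitizeHtml(unsafeHtml, whiteList, sanitizeFn) {} }(jQuery);\n"
    ),
    "bootstrap-3.4.1.js": (
        "/*!\n * Bootstrap v3.4.1 (https://getbootstrap.com/)\n */\n"
        "+function ($) { function sanitizeHtml(unsafeHtml, whiteList, sanitizeFn) {} }(jQuery);\n"
    ),
    "bootstrap-4.3.1.js": (
        "/*!\n * Bootstrap v4.3.1 (https://getbootstrap.com/)\n */\n"
        "(function () { function sanitizeHtml(unsafeHtml, whiteList, sanitizeFn) {} })();\n"
    ),
    "vendor-jquery.js": "/*! jQuery v1.12.4 */\n",
}


def parse_version(text):
    """Return (major, minor, patch) from the Bootstrap banner, or None."""
    m = BANNER_RE.search(text)
    return tuple(int(x) for x in m.groups()) if m else None


def is_fixed_version(version):
    """True if the version is at or past the first fixed release of its branch.

    Assumed thresholds: 4.x is fixed from 4.3.1; everything below 4.0 is
    'before 3.4.1' in the advisory's wording, so 3.4.1 is the threshold there.
    """
    if version[0] >= 4:
        return version >= (4, 3, 1)
    return version >= (3, 4, 1)


def has_sanitizer(text):
    """True if the assumed upstream sanitizer identifiers are all present."""
    return all(marker in text for marker in SANITIZER_MARKERS)


def assess(text):
    """Classify one JS file as fixed / backported / vulnerable / unknown."""
    version = parse_version(text)
    sanitizer = has_sanitizer(text)
    if version is None:
        status = "unknown"          # no Bootstrap banner: not a Bootstrap build
    elif is_fixed_version(version):
        status = "fixed"
    elif sanitizer:
        status = "backported"       # old banner, but the fix code is present
    else:
        status = "vulnerable"
    return {"version": version, "sanitizer": sanitizer, "status": status}


def scan(paths):
    """Assess every *.js file under the given directories; returns {path: result}."""
    results = {}
    for root in paths:
        for p in Path(root).rglob("*.js"):
            results[str(p)] = assess(p.read_text(errors="replace"))
    return results


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = scan(sys.argv[1:])   # e.g. the directory the package installs into
    else:
        results = {name: assess(text) for name, text in SAMPLE_FILES.items()}
    for name, r in sorted(results.items()):
        ver = ".".join(map(str, r["version"])) if r["version"] else "-"
        print(f"{r['status']:<11} {ver:<7} sanitizer={r['sanitizer']!s:<5} {name}")
```

A "backported" result still deserves a manual look: the marker check only shows that the sanitizer identifiers exist in the file, not that the tooltip and popover plugins actually route data-template, title and content through it.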