# General

The audit begins at the commit hash where the previous audit ended. Use code_audit.sh for creating the diff and highlighting potentially problematic code. The audit is scoped to a specific language (currently C/C++, Rust, Java/Kotlin, and Javascript).

The output includes the entire patch where the new problematic code was introduced. Search for `XXX MATCH XXX` to find the next potential violation.

`code_audit.sh` contains the list of known problematic APIs. New usage of these functions are documented and analyzed in this audit.

## Firefox: https://github.com/mozilla/gecko-dev.git

- Start: `59930a20119813ea25546eaca75dcc3bbc500039` ( `FIREFOX_RELEASE_101_BASE` )
- End:   `856b9168439ef597dbd103cd1e2940a8ad110450` ( `FIREFOX_RELEASE_102_BASE` )

### Languages:
- [x] java
- [x] cpp
- [x] js
- [x] rust

Nothing of interest (using `code_audit.sh`)

---

## Application Services: https://github.com/mozilla/application-services.git

- Start: `6a4737d1c043d71dfac67e270ee4afa4fb6c73b4` ( `v93.2.1` )
- End:   `0302b89604bb29adb34fdcd710feabd3dd01992d` ( `v93.5.0` )

### Languages:
- [x] java
- [x] cpp
- [x] js
- [x] rust

Nothing of interest (using `code_audit.sh`)

## Android Components: https://github.com/mozilla-mobile/android-components.git

- Start: `4eef6c129c9611b6927bd50a5a1620ede57744b1` ( `v101.0.0` )
- End:   `95fe1972b83b518a70febc76cdf3e27d5cfa390f`  ( `v101.0.9` )

### Languages:
- [x] java
- [x] cpp
- [x] js
- [x] rust

Nothing of interest (using `code_audit.sh`)

## Fenix: https://github.com/mozilla-mobile/fenix.git

- Start: `02ca27633b10acbe4db08aecf9c0a12d83376fd9` ( `v101.0.0-beta.1` )
- End:   `be90007a460cc7b06008f319447011b2dce76aaa`  ( `releases_v101.0.0` )

### Languages:
- [x] java
- [x] cpp
- [x] js
- [x] rust

Nothing of interest (using `code_audit.sh`)

## Ticket Review ##

### 101 https://bugzilla.mozilla.org/buglist.cgi?query_format=advanced&resolution=FIXED&target_milestone=101%20Branch&order=priority%2Cbug_severity&limit=0

- https://bugzilla.mozilla.org/show_bug.cgi?id=1766401 : @ma1 https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41147
  - safe, nothing for us to do here
- https://bugzilla.mozilla.org/show_bug.cgi?id=1661450 : @boklm https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41148
  - didn't turn out to be relevant
- https://bugzilla.mozilla.org/show_bug.cgi?id=1762576 : @dan https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41149
  - disabled DLL injection support by default
- https://bugzilla.mozilla.org/show_bug.cgi?id=1753302 : @dan https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41150
  - already disabled by dom.webgpu.enabled pref, nothing for us to do here
- https://bugzilla.mozilla.org/show_bug.cgi?id=1757823 : @dan https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41151
  - potential fingerprinting vectors here, requires much deeper investigation into what is feasible w/o completely breaking multimedia support

