# General

The audit begins at the commit hash where the previous audit ended. Use code_audit.sh for creating the diff and highlighting potentially problematic code. The audit is scoped to a specific language (currently C/C++, Rust, Java/Kotlin, and Javascript).

The output includes the entire patch where the new problematic code was introduced. Search for `XXX MATCH XXX` to find the next potential violation.

`code_audit.sh` contains the list of known problematic APIs. New usage of these functions are documented and analyzed in this audit.

## Firefox: https://github.com/mozilla/gecko-dev.git

- Start: `1187da3c99c93ad941eea0809d3b2c8f81ac5ccf` ( `FIREFOX_107_0_1_RELEASE` )
- End:   `0ae93a27c796bea7836d4b0885c8a1f2c4c18284`  ( `FIREFOX_108_0_2_RELEASE` )

### Languages:
- [x] java
- [x] cpp
- [x] js
- [x] rust

Nothing of interest (using `code_audit.sh`)

---

## Application Services: https://github.com/mozilla/application-services.git

- Start: `ce8f1767d991da9d6d26331faecd426210071c7e`  ( `v96.1.0` )
- End:   `d8b5a386936aa156f4c6d93e6645a6d2188aa788`  ( `v96.2.1` )

### Languages:
- [x] java
- [x] cpp
- [x] js
- [x] rust

Nothing of interest (using `code_audit.sh`)

## Firefox Android: https://github.com/mozilla-mobile/firefox-android.git

- Start: `0486e931b4427d646af1dcf69a53c90efbe60862`
- End:   `55d34bf82ad051e25f15c0d1ef5fb8b3a32a7522`

### Languages:
- [x] java
- [x] cpp
- [x] js
- [x] rust

Nothing of interest (using `code_audit.sh`)

## Fenix: https://github.com/mozilla-mobile/fenix.git

- Start: `171d8a7aa521676d008bfd98bfae34ce8774e5f5` ( `v108.0b1` )
- End:   `78718ba91dd19f78e94d8f8c462598c29d48069a`  ( `v108.2.0` )

### Languages:
- [x] java
- [x] cpp
- [x] js
- [x] rust

Nothing of interest (using `code_audit.sh`)

## Ticket Review ##

Bugzilla Query: `https://bugzilla.mozilla.org/buglist.cgi?query_format=advanced&resolution=FIXED&target_milestone=108%20Branch&order=priority%2Cbug_severity&limit=0`

#### Problematic Issues:

- **Remove descriptionheightworkaround.** https://bugzilla.mozilla.org/show_bug.cgi?id=1795944
  - https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41959
  - **RESOLUTOIN** not a security issue, more of a general ESR migration/functionality issue
- **Proxy environment variables should be upper case / case insensitive** https://bugzilla.mozilla.org/show_bug.cgi?id=1797896
  - https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41960
  - **RESOLUTION**: determined this logic is gated behind our tor configuration settings, and so aren't relevant or a de-anonimisation vector; nothing to do here
- **Hide cookie banner handling UI by default** https://bugzilla.mozilla.org/show_bug.cgi?id=1798868
  - https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41961
  - **RESOLUTION**: we will hide the UI to enable/disable the feature, and likely enable the feature for everyone

## Export
- [ ] Export Report and save to `tor-browser-spec/audits`