Closed andymeneely closed 10 years ago
I didn't know what most of these formats were so I looked them up.
In addition to the ones you say you think are source code:
.h
.cc
.js
.py
.S
.c
.make
.sh
What about
.cpp
.sb
And the build tools? I don't know how build tools work, but wouldn't they be generating source too? I'm especially curious about .gyp as it's up high on the list of vulnerabilities.
.scons
.xib
.gyp
As far as incorporating source code files (and only source files) into ReleaseFilepath goes, couldn't we just do a check with some regex in release_filepath_loader.rb for the file extension, and then only add the filepaths with the source extensions we want to look at (instead of all of them)?
Yes, that's definitely the fastest and simplest way to do that.
Do we need to do more? Do we need to filter out other filepaths as source code or not in the analysis? Our original questions are about source code files that later had vulnerabilities originally having few reviewers, inexperienced reviewers, etc. Just thinking out loud here...
Upon further consideration, no I don't think we need anything else beyond that. I'll write up a separate issue for this and assign it to @kayladavis.
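One way the extension check discussed above could look, as an added example that is not part of this thread or of the project's release_filepath_loader.rb. The extension whitelist is built from the extensions listed in this thread (which of them really count as source is exactly the open question, so treat the set as an assumption), the sample paths are constructed for a stand-alone run, and both a File.extname lookup and an anchored-regex variant are shown so the two can be compared.

```ruby
require 'set'

# Candidate source-code extensions from this thread. Whether the build
# descriptions (.gyp, .scons, .make) and .xib/.sb belong here is the open
# question, so this set is an assumption, not the project's decision.
SOURCE_EXTENSIONS = Set.new(%w[.h .c .cc .cpp .S .js .py .sh .make .sb .scons .xib .gyp]).freeze

# Regex alternative. The \z anchor matters: without it "foo.c.orig" or a
# directory named "foo.c" would match on the ".c" in the middle of the path.
SOURCE_EXTENSION_REGEX = /\.(?:h|c|cc|cpp|S|js|py|sh|make|sb|scons|xib|gyp)\z/

# True when the path's final extension is whitelisted. File.extname only
# returns the last extension ("foo.c.orig" -> ".orig") and preserves case,
# so ".S" (preprocessed assembly) matches while ".s" does not unless it is
# added to the set explicitly.
def source_file?(path)
  SOURCE_EXTENSIONS.include?(File.extname(path))
end

# Same decision made with the anchored regex; returns a plain boolean.
def source_file_regex?(path)
  !!(path =~ SOURCE_EXTENSION_REGEX)
end

# Keep only the filepaths that should become ReleaseFilepath rows.
def filter_source_paths(paths)
  paths.select { |p| source_file?(p) }
end

# Constructed sample paths (not taken from any real release) covering the
# cases the filter has to get right: real source, build files, docs, an
# extensionless file, a backup copy, and a directory whose name ends in ".c".
SAMPLE_PATHS = %w[
  src/net/socket.cc
  src/net/socket.h
  build/common.gyp
  third_party/lib/asm/start.S
  tools/gen.py
  docs/README.md
  LICENSE
  src/foo.c.orig
  src/image.png
  test/data/foo.c/notes.txt
].freeze

if __FILE__ == $PROGRAM_NAME
  puts filter_source_paths(SAMPLE_PATHS)
end
```

Two caveats a whitelist like this carries: it is case-sensitive by design (so decide up front whether .s belongs next to .S), and it silently drops extensionless build files, so if those should count as source they need a separate basename check rather than an extension check.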
Based on #114, once we've decided on source code file extensions, we need to make sure our analysis of ReleaseFilepath is limited to source code files only. Suggestions, @kayladavis?