Home - mozilla/mozilla-depends GitHub Wiki


Project Goals

  1. Automatically enumerate and monitor third party dependencies of mozilla-central, both inside and outside the repository.
  2. Provide dependency ecosystem insight for driving decisions about updating, vendoring, or removing third party code dependencies.
  3. Make the data accessible to established analysis and alerting pipelines (Redash, Dependency Observatory, GitHub dependency monitoring).

Design Overview

There has been prior work to create domain-specific inventories of third-party code used during development, employed by the build process, or shipped in Firefox products. Some of these efforts have been abandoned because of their complexity or the amount of work involved; few have reached decent coverage, and some provide only incomplete insight, lacking essential data. This project is an attempt to combine the existing projects into a unified knowledge base.

Current tooling consists of detectors written in Python that extract information from a mozilla-central tree:

  • Rust
    • Detects cargo.lock files across the tree and analyses dependencies and vulnerabilities.
  • Node.js
    • Detects node packages spread across the tree and analyses their dependencies and vulnerabilities. It
  • Retire.js
    • Uses retire.js to detect JS libraries in the tree, and extracts information about known vulnerabilities from the retire.js database.
  • Python
    • Detects python packages across the tree and extracts vulnerability information from Safety-DB.
  • ThirdPartyLibraryAlerts
    • Uses metadata compiled on various C++ libraries used across the tree.
  • moz.yaml files
    • Detects and evaluates moz.yaml vendoring files that contain metadata on third-party C++ code in the tree.
  • ThirdPartyPaths
    • Analyses the content of the ThirdPartyPaths.txt file, which the linter uses to skip third-party code in the tree that does not adhere to Mozilla's coding guidelines.

Where possible, detectors extract information about associated Bugzilla Components, installed versions, upstream code repositories, and latest available library versions for detecting outdated packages.
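As an added illustration of what such a detector does (example code written for this page, not the project's own detector): a simplified Rust detector that walks a checkout for Cargo.lock files, extracts each package's name, version and source, and flags locked versions older than the patched version in a constructed advisory list. The line-based lockfile parser, the skipping of obj-* build directories, and the numeric-only version ordering are simplifying assumptions.

```python
import os
import re
from collections import namedtuple

# source is the registry/git URL, or "path" for in-tree workspace crates
Package = namedtuple("Package", "name version source lockfile")
_KV = re.compile(r'^(\w+)\s*=\s*"([^"]*)"\s*$')  # single-line string keys only

def _finish(fields, lockfile):
    return Package(fields.get("name", ""), fields.get("version", ""),
                   fields.get("source", "path"), lockfile)

def parse_cargo_lock(text, lockfile="Cargo.lock"):
    """Simplified parser (assumption): collect name/version/source from each [[package]]."""
    packages, fields = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):  # a new table closes the package being read
            if fields is not None:
                packages.append(_finish(fields, lockfile))
            fields = {} if line == "[[package]]" else None
        elif fields is not None and (m := _KV.match(line)):
            fields[m.group(1)] = m.group(2)
    if fields is not None:
        packages.append(_finish(fields, lockfile))
    return packages

def find_lockfiles(root, skip=(".hg", ".git")):
    """Walk a checkout and yield every Cargo.lock, skipping VCS and obj-* build dirs."""
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip and not d.startswith("obj-")]
        if "Cargo.lock" in filenames:
            yield os.path.join(dirpath, "Cargo.lock")

def version_key(v):
    """Numeric tuple for ordering; pre-release and build tags are dropped (assumption)."""
    return tuple(int(x) for x in re.findall(r"\d+", v.split("-")[0].split("+")[0]))

def find_vulnerable(packages, advisories):
    """(package, advisory id) pairs where the locked version predates the patched one."""
    return [(p, a["id"]) for p in packages for a in advisories
            if a["name"] == p.name and version_key(p.version) < version_key(a["patched"])]

# Constructed sample lockfile and placeholder advisory (not real data).
SAMPLE_LOCK = ('[[package]]\nname = "examplecrate"\nversion = "0.9.2"\n'
               'source = "registry+https://github.com/rust-lang/crates.io-index"\n\n'
               '[[package]]\nname = "localcrate"\nversion = "0.1.0"\n'
               'dependencies = [\n "examplecrate",\n]\n')
ADVISORIES = [{"id": "ADVISORY-PLACEHOLDER-1", "name": "examplecrate", "patched": "1.0.0"}]
```

On a real tree, run parse_cargo_lock over each path from find_lockfiles and pass the combined package list to find_vulnerable; a production detector would replace ADVISORIES with a real advisory feed and use proper semver ordering.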

Future Development

The knowledge base compiled by the detectors can serve multiple purposes, allowing the dependency ecosystem to be managed in various ways:

  • Provide a central overview of the dependency ecosystem.
  • Detect and alert about known vulnerabilities in the dependency ecosystem.
  • Detect and alert about outdated dependencies.
  • Support upcoming vendoring processes by detecting unvendored code.
  • Feed metrics and analysis output into existing data pipelines.
  • Mirror both in-tree and external dependencies into a unified repository, opening it to existing vulnerability management solutions.