Description
As part of Qt's CRA compliance, all Qt sources must be marked if they contain critical code paths. Such code paths need special attention from reviewers. Once a file has been marked as such, Gerrit will highlight the file whenever new changes to it are reviewed. An example of this marking can be seen in https://codereview.qt-project.org/c/qt/qtmultimedia/+/629914.
How such critical source files have to be marked is outlined in QUIP 23.
In particular, we are looking for code that
- parses external data or handles input directly
- implements network protocols (a subcategory of the above)
- implements cryptography or handles the relevant cryptographic libraries.
In this task, we only consider security in the context of handling untrusted data.
Such code should carry the security header
// Qt-Security score:critical reason:data-parser
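As an added illustration (not Qt's own tooling and not part of this issue), the following Python script walks a source tree and reports which files carry the header, what score and reason they declare, and which files mention the marker but not in a recognisable form. It assumes the header is a single `//` comment line in exactly the shape shown above (`score:<token> reason:<token>`); the file suffixes it scans and the sample files it creates are constructed for the example, and it does not validate the set of allowed score or reason values, which QUIP 23 defines.

```python
"""
Added example (not Qt project code): list every source file in a tree that
carries a Qt-Security header, report its score/reason, and flag files where
the marker appears but does not match the expected single-line format.
The header shape is assumed from the one example in the issue text:
    // Qt-Security score:critical reason:data-parser
"""
import re
import tempfile
from pathlib import Path

MARKER = "Qt-Security"
# Assumed format: a // comment, then 'score:<token>' and 'reason:<token>'.
HEADER_RE = re.compile(
    r"^\s*//\s*Qt-Security\s+score:(?P<score>\S+)\s+reason:(?P<reason>\S+)\s*$"
)
SOURCE_SUFFIXES = (".cpp", ".h", ".mm", ".c")  # assumed set of files to scan


def find_header(text):
    """Classify one file's contents.

    Returns one of:
      ("ok", {"score", "reason", "line"})   well-formed header found
      ("malformed", {"line", "text"})       marker present, format not recognised
      ("none", None)                        no marker at all
    Only the first line containing the marker is examined.
    """
    for lineno, line in enumerate(text.splitlines(), 1):
        if MARKER not in line:
            continue
        m = HEADER_RE.match(line)
        if m:
            return "ok", {"score": m["score"], "reason": m["reason"], "line": lineno}
        return "malformed", {"line": lineno, "text": line.strip()}
    return "none", None


def scan_tree(root):
    """Map each source file under root (POSIX relative path) to its find_header result."""
    root = Path(root)
    results = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in SOURCE_SUFFIXES:
            text = path.read_text(encoding="utf-8", errors="replace")
            results[path.relative_to(root).as_posix()] = find_header(text)
    return results


def summarize(results):
    """Split scan results into marked files, malformed files, and an unmarked count."""
    marked = {p: r[1] for p, r in results.items() if r[0] == "ok"}
    malformed = {p: r[1] for p, r in results.items() if r[0] == "malformed"}
    unmarked = sum(1 for r in results.values() if r[0] == "none")
    return {"marked": marked, "malformed": malformed, "unmarked": unmarked}


# Constructed sample files (not real Qt sources) used by demo().
SAMPLE_FILES = {
    "src/decoder.cpp": "// Copyright (C) 2024 Example\n"
                       "// Qt-Security score:critical reason:data-parser\n"
                       "int decode(const char *buf, int len) { return len; }\n",
    "src/widgets/button.cpp": "// Copyright (C) 2024 Example\n"
                              "void paint() {}\n",
    "src/net/client.h": "// Qt-Security score critical, reason network\n"
                        "class Client {};\n",
    "README.md": "Qt-Security headers are described in QUIP 23.\n",
}


def demo():
    """Write the constructed tree into a temp dir, scan it, and return the summary."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, content in SAMPLE_FILES.items():
            p = Path(tmp) / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(content, encoding="utf-8")
        return summarize(scan_tree(tmp))


if __name__ == "__main__":
    s = demo()
    for path, info in s["marked"].items():
        print(f"{path}: score={info['score']} reason={info['reason']} (line {info['line']})")
    for path, info in s["malformed"].items():
        print(f"{path}: MALFORMED header on line {info['line']}: {info['text']}")
    print(f"{s['unmarked']} file(s) without a Qt-Security header")
```

Pointing `scan_tree` at a module checkout gives a quick inventory to compare against the assessment: files you expect to be critical but that show up as unmarked, and marker lines that Gerrit would not recognise because the format drifted.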
Definition of done:
1. All code mentioned in the issue summary has been reviewed.
2. If security-critical code is found, the header has been added.
This epic tracks the progress of all evaluations across all Qt modules. Once a module has been assessed, the relevant child issue in this epic must be marked as done. Note that it is perfectly fine for a module to have no critical code paths at all.