Qt / QTBUG-135177

Review & mark all Qt sources as per QUIP 23


Details

    • Type: Epic
    • Resolution: Unresolved
    • Priority: P1: Critical
    • Other
    • Qt CRA Review QUIP23
    • All

    Description

      As part of Qt's CRA compliance, all Qt sources must be marked if they contain security-critical code paths. Such code paths need special attention from reviewers. Once a file has been marked, Gerrit highlights it whenever a new change touches it. An example of what this marking looks like can be seen in https://codereview.qt-project.org/c/qt/qtmultimedia/+/629914.

      The way such critical source files have to be marked is outlined in QUIP 23.

      In particular, we are looking for code that

      • parses external data or handles input directly
      • implements network protocols (a subcategory of the above)
      • implements cryptography or interfaces with cryptographic libraries.

      In this task, we only consider security in the context of handling untrusted data.

      Such code should have the security header

      // Qt-Security score:critical reason:data-parser
      

      Definition of done:
      1. All code mentioned in the issue summary is reviewed.
      2. If security-critical code is found, the header is added.

      This epic tracks the progress of all evaluations across all Qt modules. Once a module has been assessed, the relevant child issue in this epic must be marked as done. Note that it is perfectly fine for a module to not have any critical code paths.

People

  ablasche Alex Blasche