[Development] Proposing QUIP-23: Qt-Security header in source code files
Dimitrios Apostolou
jimis at qt.io
Wed Jul 10 01:06:05 CEST 2024
Hello list,
on behalf of the Qt Company, I would like to propose a new single-line
comment header for the Qt source code.
The syntax is:
// Qt-Security score:N reason:some-reason [labels:label1,label2]
The idea is to mark files with code where bugs are more likely to cause
security issues. For example, code that is usually parsing input from
untrusted sources, or a protocol implementation. For now we only plan to
mark selected files with score 2, which vaguely translates to "contains
security critical code". Here is an example use:
// Qt-Security score:2 reason:data-parser
The purpose is to leverage this information in our codereview system and
enforce special handling of such files, for example extra scrutiny in the
review process, more rigorous testing, etc.
Please read the QUIP at [1] and a first use of this header at [2].
[1] https://codereview.qt-project.org/c/meta/quips/+/575276
[2] https://codereview.qt-project.org/c/qt/qtbase/+/568279
All feedback is welcome, here or on the QUIP review.
Regards,
Dimitrios Apostolou
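As an added example (not part of the QUIP or of the Qt Company's review tooling), here is a small Python scanner that parses the proposed single-line header and flags files whose score reaches the level the review system would treat as security critical. The character set allowed in the reason and label tokens, and the threshold of 2, are assumptions taken from the examples in the mail; the QUIP linked above is authoritative for the exact grammar.

```python
import re
from dataclasses import dataclass, field

# Grammar assumed for the header proposed in QUIP-23:
#   // Qt-Security score:N reason:some-reason [labels:label1,label2]
# Token character set is an assumption; adjust if the QUIP specifies otherwise.
TOKEN = r"[A-Za-z0-9_.-]+"
HEADER_RE = re.compile(
    r"^\s*//\s*Qt-Security\s+score:(?P<score>\d+)\s+reason:(?P<reason>" + TOKEN + r")"
    r"(?:\s+labels:(?P<labels>" + TOKEN + r"(?:," + TOKEN + r")*))?\s*$"
)

@dataclass
class QtSecurityHeader:
    score: int
    reason: str
    labels: list = field(default_factory=list)
    line_no: int = 0  # 1-based line in the file, 0 if parsed from a bare string

def parse_header(line):
    """Parse one source line; return a QtSecurityHeader or None if it is not a valid header."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    labels = m.group("labels").split(",") if m.group("labels") else []
    return QtSecurityHeader(int(m.group("score")), m.group("reason"), labels)

def scan_source(text):
    """Return the first Qt-Security header in a file's text (with its line number), or None."""
    for n, line in enumerate(text.splitlines(), 1):
        header = parse_header(line)
        if header:
            header.line_no = n
            return header
    return None

def needs_extra_scrutiny(text, threshold=2):
    """True if the file carries a header at or above the score the review system acts on."""
    header = scan_source(text)
    return header is not None and header.score >= threshold

# Constructed sample files (not real Qt sources).
SAMPLE_PARSER = """\
// constructed sample: a file that would be marked as security critical
// Qt-Security score:2 reason:data-parser labels:network
#include <QByteArray>
"""
SAMPLE_PLAIN = """\
// constructed sample: ordinary file without the header
#include <QString>
"""

if __name__ == "__main__":
    print(scan_source(SAMPLE_PARSER), needs_extra_scrutiny(SAMPLE_PLAIN))
```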