field | value | date
---|---|---
author | Daniel Smith <[email protected]> | 2024-06-27 13:22:12 +0200
committer | Daniel Smith <[email protected]> | 2025-05-20 09:51:48 +0000
commit | 1ed01b4a1e5172090d71e472ccb721777cacab27 (patch) |
tree | a496c6816944e9d4e94997c7058e41b6bfde4db5 /README.md |
parent | 05d173273e8d66db2d7a608ad846865a01d6776a (diff) |
This bot checks files for each patchset and tags the change with a
hashtag if it touches a file that is marked as security sensitive.
Task-number: QTQAINFRA-6431
Change-Id: I09f0c2fb646fa902a2278771f48a5401f4770586
Reviewed-by: Daniel Smith <[email protected]>
Diffstat (limited to 'README.md')
-rw-r--r-- | README.md | 37 |
1 files changed, 37 insertions, 0 deletions
diff --git a/README.md b/README.md new file mode 100644 index 0000000..54779c6 --- /dev/null +++ b/README.md @@ -0,0 +1,37 @@ +# Qt securityHeader Bot + +As per [QUIP-23](https://contribute.qt-project.org/quips/23), +This bot executes Security Header checks on all files as they are uploaded in a patchset. + +It examines the first 50 lines (limited to the first 8KB) of changed files in a patchset +for the security keyphrase: +> // Qt-Security score:critical + +In the event that a file is modified or deleted, both the current patch and previous +version will be checked for the security keyphrase to ensure that it is not being +inappropriately removed or downgraded. + +If a security-critical file is added, modified or deleted, the bot will: +- Post a hashtag ["Qt-Security change"](https://codereview.qt-project.org/q/hashtag:%22Qt-Security+change%22) + to the gerrit change request. + + Changes with this hashtag will display a large red banner to notify + reviewers that the change deserves extra scrutiny. + + +### Exclusions +- All non-utf-8 encoded files (images, archives, other binary file formats) + +## Installation +To install this script as a service +1. Copy the service file to the systemd directory of your choice such as `/etc/systemd/system/`. +2. Reload the daemon with `systemctl daemon-reload`. +3. Run `systemctl edit qtSecurity_bot` to generate an override config. Set environment variables here. +4. Start the service (Default port=8088, override with `QTSECURITYBOT_PORT`). + +## Prerequsites +1. This bot is designed to receive webhooks from Gerrit Code Review. See +[Gerrit Webhooks](https://gerrit.googlesource.com/plugins/webhooks/+/refs/heads/master/src/main/resources/Documentation/config.md) +2. The included systemd service file assumes you have `pipenv` installed for the `qt` user. +3. You must manually install required packaged into the pipenv, as the service does not do this + automatically. |
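Review bot: step 3 of "## Installation" says "Set environment variables here" but the only variable the README names is `QTSECURITYBOT_PORT`; a bot that posts a hashtag to codereview.qt-project.org has to authenticate to Gerrit, so the hunk should list the variables an operator must set for those credentials, and it should say how the webhook endpoint (listening on port 8088 by default) is expected to be protected from callers other than Gerrit, otherwise nobody can deploy this from the README alone. Smaller points in the same hunk: the headings jump from `# Qt securityHeader Bot` straight to `### Exclusions` with no `##` level in between; `## Prerequsites` is misspelled (`Prerequisites`) and, being a precondition, reads better placed before `## Installation`; `required packaged` in step 3 of that section should be `required packages`; and `, This bot executes` after the QUIP-23 link should be lowercase `this`. Finally, the scope sentence "If a security-critical file is added, modified or deleted" leaves open what happens when a file carrying `// Qt-Security score:critical` is renamed, and "inappropriately removed or downgraded" does not define a downgrade when `score:critical` is the only keyphrase documented; one sentence on each would remove the ambiguity for reviewers relying on the banner.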