# Qt Security Header Bot

As per [QUIP-23](https://contribute.qt-project.org/quips/23), this bot executes Security Header checks on all files as they are uploaded in a patchset. It examines the first 50 lines (limited to the first 8KB) of each changed file in a patchset for the security keyphrase:

> // Qt-Security score:critical

If a file is modified or deleted, both the current patch and the previous version are checked for the security keyphrase, to ensure that it is not being inappropriately removed or downgraded.

If a security-critical file is added, modified or deleted, the bot will:

- Post the hashtag ["Qt-Security change"](https://codereview.qt-project.org/q/hashtag:%22Qt-Security+change%22) to the Gerrit change request. Changes with this hashtag display a large red banner to notify reviewers that the change deserves extra scrutiny.

### Exclusions

- All non-UTF-8 encoded files (images, archives, other binary file formats)

## Installation

To install this script as a service:

1. Copy the service file to the systemd directory of your choice, such as `/etc/systemd/system/`.
2. Reload the daemon with `systemctl daemon-reload`.
3. Run `systemctl edit qtSecurity_bot` to generate an override config. Set environment variables there.
4. Start the service (default port is 8088; override it with `QTSECURITYBOT_PORT`).

## Prerequisites

1. This bot is designed to receive webhooks from Gerrit Code Review. See [Gerrit Webhooks](https://gerrit.googlesource.com/plugins/webhooks/+/refs/heads/master/src/main/resources/Documentation/config.md).
2. The included systemd service file assumes you have `pipenv` installed for the `qt` user.
3. You must manually install the required packages into the pipenv, as the service does not do this automatically.
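The header check described above (first 50 lines, at most 8KB, non-UTF-8 files excluded, old and new versions compared for removal or downgrade), as an added illustration that is not the bot's own code. The regex capturing the score word, the tolerance for a multibyte character cut by the 8KB limit, and the returned reason strings are assumptions of this example, not behaviour documented by the project.

```python
import codecs
import re
from typing import Optional

# Assumed pattern: the README names only "score:critical"; capturing the score
# word lets a change from critical to some lower score be reported as a downgrade.
KEYPHRASE_RE = re.compile(r"//\s*Qt-Security\s+score:(\w+)")
MAX_LINES = 50          # only the first 50 lines of a file are examined
MAX_BYTES = 8 * 1024    # and never more than the first 8KB


def security_score(content: Optional[bytes]) -> Optional[str]:
    """Return the Qt-Security score declared in the file header, or None.

    None means the file is absent, carries no keyphrase in its header, or is
    not valid UTF-8 (images, archives and other binaries are excluded).
    """
    if content is None:
        return None
    # An incremental decoder with final=False tolerates a multibyte character
    # cut in half by the 8KB limit but still rejects genuinely non-UTF-8 bytes.
    decoder = codecs.getincrementaldecoder("utf-8")()
    try:
        text = decoder.decode(content[:MAX_BYTES], final=False)
    except UnicodeDecodeError:
        return None
    for line in text.splitlines()[:MAX_LINES]:
        match = KEYPHRASE_RE.search(line)
        if match:
            return match.group(1).lower()
    return None


def classify_change(old: Optional[bytes], new: Optional[bytes]) -> Optional[str]:
    """Describe why one file in a patchset needs the "Qt-Security change" tag.

    old/new are the previous and current contents; None means the file did not
    exist before (added) or no longer exists (deleted). Returns None when the
    file is not security-critical in either version.
    """
    was_critical = security_score(old) == "critical"
    is_critical = security_score(new) == "critical"
    if was_critical and new is None:
        return "deleted security-critical file"
    if was_critical and not is_critical:
        return "security header removed or downgraded"
    if was_critical or is_critical:
        return "added security-critical file" if old is None else "modified security-critical file"
    return None
```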