author Marc Mutz <[email protected]> 2025-04-23 13:42:42 +0200
committer Marc Mutz <[email protected]> 2025-06-26 15:32:01 +0000
commit 046e6c5701da96dd64b613c2bc9cfd245c83b1a5 (patch)
tree 4f7a9c13c000043da6806dce9f3fc100c86516ad
parent 2240e239327b9950283599caa447fc5506c252e1 (diff)

Mark QXmlUtils as security-critical (HEAD, dev)

QXmlUtils are used by QXmlStream and QDom, both of which are (or ought soon to be) marked as security-critical. The component is clearly a data-parser, too, with the same input as QXmlStream and QDom, so has to be security-critical, too.

The header file contains only declarations, so it gets the default score:significant.

Amends 8df072fc8006510c9b743e8ffedaaf51a876883a.

QUIP: 23
Task-number: QTBUG-135194
Pick-to: 6.10 6.9 6.8
Change-Id: I415486dbba0c748e6af561ea4f098ea42c4b1830
Reviewed-by: Ivan Solovev <[email protected]>

-rw-r--r-- src/corelib/serialization/qxmlutils.cpp 1
-rw-r--r-- src/corelib/serialization/qxmlutils_p.h 1
2 files changed, 2 insertions, 0 deletions

diff --git a/src/corelib/serialization/qxmlutils.cpp b/src/corelib/serialization/qxmlutils.cpp
index e6fae7c173f..f84b27dc88d 100644
--- a/src/corelib/serialization/qxmlutils.cpp
+++ b/src/corelib/serialization/qxmlutils.cpp
@@ -1,5 +1,6 @@
// Copyright (C) 2016 The Qt Company Ltd.
// SPDX-License-Identifier: LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only
+// Qt-Security score:critical reason:data-parser
#include <qstring.h>
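
Review bot: The score:critical marker added below the SPDX line rests on reason:data-parser, and the commit message justifies it through QXmlStream and QDom, which it describes as "(or ought soon to be)" marked. Nothing in this patch shows those consumers carrying the same score, so please reference the change that marks them, or confirm they already are, so the whole XML parsing path ends up classified consistently under QUIP 23.
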
diff --git a/src/corelib/serialization/qxmlutils_p.h b/src/corelib/serialization/qxmlutils_p.h
index 0ad17589799..8489d50c108 100644
--- a/src/corelib/serialization/qxmlutils_p.h
+++ b/src/corelib/serialization/qxmlutils_p.h
@@ -1,5 +1,6 @@
// Copyright (C) 2016 The Qt Company Ltd.
// SPDX-License-Identifier: LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only
+// Qt-Security score:significant reason:header-decls-only
#ifndef QXMLUTILS_P_H
#define QXMLUTILS_P_H
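
Review bot: reason:header-decls-only on the new line in qxmlutils_p.h holds only while the header contains no function bodies, and the hunk shows just the include guard, so that cannot be confirmed from the visible lines. Please confirm there are no inline definitions in this header, and consider stating in the commit message that any inline helper added here later requires raising the score to match the score:critical given to qxmlutils.cpp.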