authorKai Köhne <kai.koehne@qt.io>2023-03-02 13:26:59 +0100
committerQt Cherry-pick Bot <cherrypick_bot@qt-project.org>2023-03-11 09:00:28 +0000
commitb2950ef81749ee156668d1ac6b466b1580dd97e5 (patch)
tree03befcb54586e2fb0de350a8e4eb4dd7481c12e8
parente7efd30f68bc26356031d2686f69a437b53ae1bc (diff)
downloadqttools-b2950ef81749ee156668d1ac6b466b1580dd97e5.tar.gz
qtattributionsscanner: Add SecurityCritical attribute
Serves as an indicator in the release process that these components need to be carefully monitored and updated (even more often than the other third-party modules). So far this is not reflected in the generated documentation. This might change in the future though. For reasoning, see also https://lists.qt-project.org/pipermail/development/2023-February/043667.html Change-Id: I82c59e0198fc2fdc855aed89aa49f929391aa0ef Reviewed-by: Qt CI Bot <qt_ci_bot@qt-project.org> Reviewed-by: Joerg Bornemann <joerg.bornemann@qt.io> Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io> (cherry picked from commit 162573d4274e703cea7d95e4ea16158b3bbf710f) Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
-rw-r--r--src/qtattributionsscanner/jsongenerator.cpp1
-rw-r--r--src/qtattributionsscanner/package.h1
-rw-r--r--src/qtattributionsscanner/scanner.cpp20
-rw-r--r--tests/auto/qtattributionsscanner/testdata/good/complete/qt_attribution_test.json1
-rw-r--r--tests/auto/qtattributionsscanner/testdata/good/expected.json5
-rw-r--r--tests/auto/qtattributionsscanner/testdata/good/licenses-dir/expected.json1
-rw-r--r--tests/auto/qtattributionsscanner/testdata/good/minimal/expected.json1
-rw-r--r--tests/auto/qtattributionsscanner/testdata/good/variants/expected.json1
8 files changed, 28 insertions, 3 deletions
diff --git a/src/qtattributionsscanner/jsongenerator.cpp b/src/qtattributionsscanner/jsongenerator.cpp
index 3959390e5..2a194264e 100644
--- a/src/qtattributionsscanner/jsongenerator.cpp
+++ b/src/qtattributionsscanner/jsongenerator.cpp
@@ -23,6 +23,7 @@ static QJsonObject generate(Package package)
obj.insert(u"QDocModule"_s, package.qdocModule);
obj.insert(u"Name"_s, package.name);
obj.insert(u"QtUsage"_s, package.qtUsage);
+ obj.insert(u"SecurityCritical"_s, package.securityCritical);
obj.insert(u"QtParts"_s, QJsonArray::fromStringList(package.qtParts));
obj.insert(u"Description"_s, package.description);
diff --git a/src/qtattributionsscanner/package.h b/src/qtattributionsscanner/package.h
index d226930eb..082d60f1e 100644
--- a/src/qtattributionsscanner/package.h
+++ b/src/qtattributionsscanner/package.h
@@ -15,6 +15,7 @@ struct Package {
QString name; // Descriptive name of the package. Will be used as the title. Mandatory.
QString qdocModule; // QDoc module where the documentation should be included. Mandatory.
QString qtUsage; // How the package is used in Qt. Any way to disable? Mandatory.
+ bool securityCritical = false; // Whether code is security critical in the Qt module. Optional.
QStringList qtParts; // Possible values are "examples", "tests", "tools", or "libs".
// "libs" is the default.
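Review bot: The comment on `securityCritical` says only "Optional" and leaves out the consequence this commit attaches to the flag in scanner.cpp: when it is true, validatePackage rejects a package whose DownloadLocation is empty. I would state that where the field is declared, e.g. `bool securityCritical = false; // Whether code is security critical in the Qt module. Optional; if true, DownloadLocation is mandatory.` The struct continues outside the hunk, so the comment on the downloadLocation member is not visible here and may need the matching remark.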
diff --git a/src/qtattributionsscanner/scanner.cpp b/src/qtattributionsscanner/scanner.cpp
index eaca5ca8c..5c0d542e1 100644
--- a/src/qtattributionsscanner/scanner.cpp
+++ b/src/qtattributionsscanner/scanner.cpp
@@ -61,6 +61,12 @@ static bool validatePackage(Package &p, const QString &filePath, LogLevel logLev
validPackage = false;
}
+ if (p.securityCritical && p.downloadLocation.isEmpty()) {
+ if (logLevel != SilentLog)
+ missingPropertyWarning(filePath, u"DownloadLocation"_s);
+ validPackage = false;
+ }
+
for (const QString &part : std::as_const(p.qtParts)) {
if (part != "examples"_L1 && part != "tests"_L1
&& part != "tools"_L1 && part != "libs"_L1) {
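Review bot: The new rule in validatePackage makes only DownloadLocation mandatory for a security-critical package, so such a package can apparently still pass with an empty Version; the expected.json fixtures in this commit contain `"Version": ""` entries, although those are non-critical ones and a check elsewhere in the function is not visible from this hunk. For components the release process is meant to monitor closely, an unknown version makes it hard to tell whether a published upstream fix is already included, so consider rejecting an empty Version under the same condition, with its own missing-property warning. The diffstat also lists only fixtures under testdata/good, so the new rejection path appears to have no test; a fixture with `SecurityCritical` set to true and no DownloadLocation would cover it. The function body starts and ends outside the hunk.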
@@ -201,9 +207,8 @@ static std::optional<Package> readPackage(const QJsonObject &object, const QStri
for (auto iter = object.constBegin(); iter != object.constEnd(); ++iter) {
const QString key = iter.key();
- if (!iter.value().isString() && key != "QtParts"_L1
- && key != "Files"_L1
- && key != "LicenseFiles"_L1) {
+ if (!iter.value().isString() && key != "QtParts"_L1 && key != "SecurityCritical"_L1
+ && key != "Files"_L1 && key != "LicenseFiles"_L1) {
if (logLevel != SilentLog)
std::cerr << qPrintable(tr("File %1: Expected JSON string as value of %2.").arg(
QDir::toNativeSeparators(filePath), key)) << std::endl;
@@ -271,6 +276,15 @@ static std::optional<Package> readPackage(const QJsonObject &object, const QStri
p.description = value;
} else if (key == "QtUsage"_L1) {
p.qtUsage = value;
+ } else if (key == "SecurityCritical"_L1) {
+ if (!iter.value().isBool()) {
+ std::cerr << qPrintable(tr("File %1: Expected JSON boolean in %2.")
+ .arg(QDir::toNativeSeparators(filePath), key))
+ << std::endl;
+ validPackage = false;
+ continue;
+ }
+ p.securityCritical = iter.value().toBool();
} else if (key == "QtParts"_L1) {
auto parts = toStringList(iter.value());
if (!parts) {
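Review bot: The new SecurityCritical branch writes its error to std::cerr unconditionally, while the type check earlier in readPackage and the new check in validatePackage both guard their output with `if (logLevel != SilentLog)`. A caller that asked for silent operation would still get this message on stderr. Put the same guard in front of the stream statement, i.e. `if (logLevel != SilentLog)` directly before `std::cerr << qPrintable(tr("File %1: Expected JSON boolean in %2.")`, leaving `validPackage = false; continue;` outside the guard. The loop and the else-if chain start and end outside the hunk.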
diff --git a/tests/auto/qtattributionsscanner/testdata/good/complete/qt_attribution_test.json b/tests/auto/qtattributionsscanner/testdata/good/complete/qt_attribution_test.json
index dbdcefab8..22eadd8cd 100644
--- a/tests/auto/qtattributionsscanner/testdata/good/complete/qt_attribution_test.json
+++ b/tests/auto/qtattributionsscanner/testdata/good/complete/qt_attribution_test.json
@@ -18,6 +18,7 @@ Usage",
"Homepage": "www.qt.io",
"Version": "1.0",
"DownloadLocation": "www.qt.io/1.0",
+ "SecurityCritical": true,
"LicenseId": "xxx",
"LicenseFile": "../../../../../../LICENSES/BSD-3-Clause.txt",
"PackageComment": "just a test package"
diff --git a/tests/auto/qtattributionsscanner/testdata/good/expected.json b/tests/auto/qtattributionsscanner/testdata/good/expected.json
index f5d5fa5d2..adde0d86b 100644
--- a/tests/auto/qtattributionsscanner/testdata/good/expected.json
+++ b/tests/auto/qtattributionsscanner/testdata/good/expected.json
@@ -18,6 +18,7 @@
"libs"
],
"QtUsage": "Used in Qt WebEngine",
+ "SecurityCritical": false,
"Version": ""
},
{
@@ -39,6 +40,7 @@
"examples"
],
"QtUsage": "Multi\nLine\nUsage",
+ "SecurityCritical": true,
"Version": "1.0"
},
{
@@ -60,6 +62,7 @@
"libs"
],
"QtUsage": "Usage",
+ "SecurityCritical": false,
"Version": ""
},
{
@@ -81,6 +84,7 @@
"libs"
],
"QtUsage": "Usage",
+ "SecurityCritical": false,
"Version": ""
},
{
@@ -105,6 +109,7 @@
"libs"
],
"QtUsage": "Usage",
+ "SecurityCritical": false,
"Version": ""
}
]
diff --git a/tests/auto/qtattributionsscanner/testdata/good/licenses-dir/expected.json b/tests/auto/qtattributionsscanner/testdata/good/licenses-dir/expected.json
index 1e808b008..ab5c31309 100644
--- a/tests/auto/qtattributionsscanner/testdata/good/licenses-dir/expected.json
+++ b/tests/auto/qtattributionsscanner/testdata/good/licenses-dir/expected.json
@@ -18,6 +18,7 @@
"libs"
],
"QtUsage": "Usage",
+ "SecurityCritical": false,
"Version": ""
}
]
diff --git a/tests/auto/qtattributionsscanner/testdata/good/minimal/expected.json b/tests/auto/qtattributionsscanner/testdata/good/minimal/expected.json
index fcde8f084..546830d3f 100644
--- a/tests/auto/qtattributionsscanner/testdata/good/minimal/expected.json
+++ b/tests/auto/qtattributionsscanner/testdata/good/minimal/expected.json
@@ -18,6 +18,7 @@
"libs"
],
"QtUsage": "Usage",
+ "SecurityCritical": false,
"Version": ""
}
]
diff --git a/tests/auto/qtattributionsscanner/testdata/good/variants/expected.json b/tests/auto/qtattributionsscanner/testdata/good/variants/expected.json
index 10a339175..f69f55726 100644
--- a/tests/auto/qtattributionsscanner/testdata/good/variants/expected.json
+++ b/tests/auto/qtattributionsscanner/testdata/good/variants/expected.json
@@ -21,6 +21,7 @@
"libs"
],
"QtUsage": "Usage",
+ "SecurityCritical": false,
"Version": ""
}
]