Most of the files are unmarked and will therefore fall back to their default value of significant. qendian{_p.h,.h,.cpp} were considered to be critical due to their role in parsers, but ultimately kept at significant. qlogging{.h,.cpp} were considered to be critical because they work with raw string data that might come directly from untrusted sources. However, untrusted string data is forwarded to QString, and string parsing is only performed on trusted strings. Therefore, the security scores are kept at significant. qlibraryinfo.cpp is marked critical because it influence paths from which libraries and executables are loaded. qnumeric{.h,.cpp} are marked critical because they handle edge-cases that might lead to undefined behaviour if not handled correctly. At the current point we assume that various data-parsers rely on the correct behavior of these functions and therefore want to treat them as critical. qrandom{.h,.cpp} are marked critical because they are related to cryptography. Some functionality is described as cryptographically safe in the documentation. While we forward the complex parts to the OS, it seems prudent to be extra cautious here. QUIP: 23 Pick-to: 6.10 6.9 6.8 Fixes: QTBUG-135186 Change-Id: I037379fff3a72c36b840d042252391417de33f5c Reviewed-by: Axel Spoerl <axel.spoerl@qt.io> Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>