Review Bot 3.0 Release Notes¶

Official Docker Images¶

We now have official Docker images for Review Bot workers. Going forward, all releases (including betas) will come with Docker images, ready for testing or deployment in your network.

The base image (beanbag/reviewbot-base) can be used to easily build your own workers with exactly the tools you need. We also offer pre-built images containing tools for various languages.

See the documentation to get started.

JSON Management of Repositories¶

The list of repositories or Review Board servers for full repository access can now be managed in external JSON files, using the repositories_config_path and reviewboard_servers_config_path settings.

This is used by the new Docker images, and can help larger organizations better manage their available list of repositories through in-house automation.

Improved Worker Experience¶

The Review Bot worker is built on Celery, and the command line and startup screen mostly identified as Celery, making for a less-than-optimal experience. It also required running reviewbot worker as the command.

Now, you simply run reviewbot, without the worker parameter, to start up Review Bot. The command line options are tailored for our use, rather than Celery’s.

When starting up, Review Bot will log information about the available tools and repositories that can be used by that particular worker. The old Celery information is no longer displayed.

New Worker Configuration Options¶

The Review Bot worker now provides new options for configuring tool paths and cookie storage locations.

Some of these replace legacy options, which will stop working in Review Bot 4. See Upgrading Review Bot for instructions.

The location of the configuration file can also be changed by setting the REVIEWBOT_CONFIG_FILE environment variable.

New Tools¶

• Cargo Tool

  This tool can check Rust source code for errors and suspicious constructs.

  It supports running cargo clippy to perform lint checks on files, and cargo test to run unit test suites.

  This requires full repository access.

  Based on a patch by Jacob Blazusiak.

• Secret Scanner

  This in-house tool checks source code and configuration files for any accidental inclusion of credentials or access keys. This can scan for the following:

  • AWS Access, KWS, and Secret keys

  • Asana access tokens

  • Discord bot tokens and webhook URLs

  • Dropbox tokens

  • Facebook access tokens

  • GitHub OAuth tokens (legacy and modern)

  • Google Cloud API keys, client IDs, and service accounts

  • Heroku API keys

  • JSON Web Tokens

  • Mailchimp API keys

  • Mailgun API keys

  • NPM access tokens

  • PGP private keys

  • PyPI API tokens

  • RSA private keys

  • SSH private keys

  • SSL certificates

  • Slack tokens and webhook URLs

  • Stripe access keys

  • Twilio API keys and account SIDs

  • Twitter OAuth tokens

  Based on a patch by Cecilia Wei.

• FBInfer

  This tool from Facebook checks source code from a wide variety of programming languages, looking for many different kinds of issues.

  It can handle a number of build systems, such as Make, Gradle, Ant, XCode, and more.

  It’s a heavier-weight tool, requiring proper configuration. It also requires full repository access.

  Based on a patch by Jacob Blazusiak.

• Go Fmt

  This tool checks Go source code for common formatting issues. If it finds a file that needs to be run through go fmt, it will leave a comment recommending that the user runs this and re-uploads the diff.,

  Based on a patch by Jacob Blazusiak.

• Go Tool

  This tool checks Go source code for problems.

  It supports running go vet to perform lint checks on files, and go test to run unit test suites.

  This tool requires full repository access.

  Based on a patch by Jacob Blazusiak.

• RuboCop

  This tool checks Ruby code for common errors, potential problems, and source code formatting issues.

  It can be customized to exclude particular cops/departments that should not be checked.

  If RuboCop knows any documentation relevant to an error, it will include a link in the comment, helping to more easily resolve the issue.

  Based on a patch by Cecilia Wei.

• Rust Fmt

  This tool checks Go source code for common formatting issues. If it finds a file that needs to be run through rustfmt, it will leave a comment recommending that the user runs this and re-uploads the diff.,

  Based on a patch by Jacob Blazusiak.

• ShellCheck

  This tool checks stanard shell scripts for common problems and misused commands.

  This supports *.bash, *.bats, *.dash, *.ksh, and *.sh files.

  It can be customized to exclude particular error codes, and to change the minimum level of severity for any errors that should be reported.

  Based on a patch by Cecilia Wei.

Tool Enhancements¶

• Most tools now include enhanced information when reporting errors in code, such as line and column numbers/ranges, severity warnings, and tool error codes.

• Most tools have improved report parsing, helping ensure that reports from tools are always represented in some way, even when they fail to check code.

• Tools that provide customizable file extensions for processing are now more forgiving when extra spaces or commas are present in the extension list.

• Checkstyle XML configuration has improved.

  Checkstyle now supports specifying the name of a bundled XML ruleset file (either google_checks.xml or sun_checks.xml).

  This can be used instead of providing a full XML file during configuration.

  JAR files with custom XML files can also be provided in the java_classpaths and referenced during configuration.

• Clang Static Analyzer now leaves comments when encountering syntax errors.

• Cpplint and Cppcheck now checks for more standard C/C++ source and header file patterns.

• Pyflakes now reports syntax errors.

Full Repository Access Tools¶

• Fixed applying patches containing new files, deleted files, and symlinks when using tools requiring full repository access. (Bug #4678, Bug #4888, Bug #4912, Bug #4982)

• Fixed applying patches containing DOS/Windows-based file paths on a Linux-based install of the worker.

• Binary files are now skipped when applying patches, rather than resulting in a possible error.

• Fixed race conditions when running multiple tools requiring full repository access on the same Git repository.

• Added validation of repository configuration.

  Any issues found in the configuration of a repository or a Review Board server now logs an error and will be skipped. In previous releases, errors could cause Review Bot to fail to start up until fixed.

Tool Compatibility¶

• All tools now only run for files they support. (Bug #4885)

• Fixed a bug in Checkstyle that could prevent filenames from being properly matched.

• Clang Static Analyzer no longer fails to check code when encountering syntax errors.

• Clang Static Analyzer now runs correctly on Python 3.

• Clang Static Analyzer now always comments on the correct lines, rather than sometimes being offset.

• Cppcheck now runs without excluded file checks (Bug #4671)

• Cppcheck now respects the default setting for whether to report comments as issues to resolve.

• Pydocstyle now reports the full message for each error found, not just part of it.

• Fixed parsing issues that could occur with RuboCop.