Review Bot 3.2 is a small release focusing on compatibility improvements, Secret Scanning enhancements, and improvements in automated reviews.

What is Review Bot?

Review Bot is an extension to Review Board that adds automated code reviews to your workflow. It integrates with an assortment of third-party code lint, compliance, and security checking tools to help catch problems early.

It's free, open source, and extensible, making it a great addition to your Review Board server.

New in 3.2: Compatibility Improvements

Review Board 5 and 6 compatibility has improved. Some compatibility issues with recent releases of Review Board 5 have been smoothed over, including a crash when browsing the database entries for Review Bot tools.

We've also addressed issues processing results from Shellcheck and PMD.

Secret Scanning

Our support for Secret Scanning has been updated to look for the new enhanced API token format introduced in Review Board 5.

If you're reviewing infrastructure or tools that integrate with Review Board, this will help catch any API tokens you accidentally leave in a file.

Automated Review Improvements

Some tools had a tendency to leave comments spanning entire functions or classes, making it difficult to read some reviews.

Review Bot now caps all comments to 10 lines. When capped, the original line range will be listed in the comment.

That's it for this release!

For complete details on Review Bot 3.2, see the release notes.

To get started, download Review Bot and read the documentation to begin installing and configuring Review Bot.

We recommend our Docker images to help you get going quickly.

Development on Review Bot 4 will begin soon, with new automated code review tools planned. Stay tuned!

Power Pack 5.2 adds new connection options for Cliosoft SOS and improved repository support for VersionVault and ClearCase.

It also offers improved compatibility with Review Board 6 Beta 1.

What is Power Pack?

Power Pack is licensed add-on for Review Board, offering:

• PDF document review and diffing, allowing you to review documents, schematics, designs, contracts, and code all in one place.
• Report generation, giving you insight into code review practices in your organization.
• Advanced server management for scalability, database management, and splitting/merging installs
• Support for enterprise source code management systems, including AWS CodeCommit, Azure DevOps/TFS, Bitbucket Server, Cliosoft SOS, GitHub Enterprise, HCL VersionVault, and IBM Rational ClearCase.

You can try Power Pack free for 60 days or purchase a license for your server.

Let's explore what's new in 5.2.

SSH Connectivity for Cliosoft SOS

With Power Pack 5.2, Review Board can now communicate with Cliosoft SOS source code management servers over SSH. This simplifies setup, allowing you to use an existing licensed user on any remote server.

This is now the preferred method for talking to Cliosoft SOS.

Larger ClearCase/VersionVault Repositories

ClearCase/VersionVault repositories now support up to 48KB worth of VOB OIDs. This lets you connect to very large repositories with thousands of VOBs.

Review Board 6 Compatibility

Power Pack 5.2 is fully compatible with the current beta of Review Board 6 and the upcoming release (due out soon). If you're planning to upgrade to Review Board 6, we recommend preparing by upgrading to Power Pack 5.2.

For the complete list of changes and installation instructions, see the release notes.

We’re excited to announce the first beta of Review Board 6! This is a smaller release focusing on improvements to the review workflow by giving you a new starting point for creating reviews and the ability to bulk-publish drafts of reviews, replies, and review requests.

If you’re new to Review Board, it’s a free, open source, extensible web-based code review and document review tool, helping developers work together to ensure quality code on their projects, whether using Git, Mercurial, Perforce, Subversion, ClearCase, or other current or future source code management tools.

Let’s take a closer look at some of the key changes in this beta.

The New Review Banner

Since the beginning, Review Board has represented drafts of new reviews, replies, or review request changes as a green draft banner at the top of the screen. Each draft had its own banner, and each draft had to be published separately.

We’re now introducing a new unified banner, which shows everything you have in flight on a review request.

From here, you can:

• Start or edit reviews from anywhere on the page (replacing the old “Review” and “Ship It” buttons).
• File general comments pertaining to the review request as a whole (replacing the old “Add Comment” button).
• Switch between drafts, if you want to publish one independently.
• Bulk-publish all reviews, replies, and pending changes on a review request at once, resulting in fewer button clicks and e-mails.

The banner is always present on a review request. You can use the Review menu to create a brand-new blank review, file a general comment, or quickly file a Ship It! review:

There’s more coming. In beta 2, the new banner will show you your active file in a diff and let you jump to other files.

Learn more about the new review banner.

We’re opening this up to extension authors. Soon, extensions will be able to add new information and sections to the banner, giving your organization more control over your review workflow.

Also For Extension Authors

Extension authors also have a few new goodies in this release:

• We’ve reworked our actions framework, which manages the buttons that can be found on a review request, the review banner, and the page header. It’s now easier to add, replace, or remove actions and tailor the product to your needs.
• We’re adding Python Type Hints throughout our codebase, making it easier for your IDE to ensure you’re calling our internal APIs correctly.
• Client-side extensions can now be written in TypeScript and use ES6 modules. Simply declare an index.ts file in your JavaScript bundle, and use that to write any TypeScript code or import from TypeScript modules.
• You can also now use modern ES6 classes for your JavaScript/TypeScript code. We’ve introduced a new library called Spina to help create these, working as a drop-in replacement for the old Backbone.JS.

We’ll have documentation on all this before the final 6.0 is released.

Plus…

• The dashboard now defaults to the “Overview” view, which shows all your incoming and outgoing review requests.
• We’ve changed “Close -> Submitted” to “Close -> Completed,” removing some old and confusing Perforce-centric terminology.
• Numerous behind-the-scenes improvements for improving performance, architecture, and stability.

See the 6.0 beta 1 release notes for the full list of changes.

Want to Help Us Test?

We’d love to have your help! We have installation information in the release notes.

Please make sure you have a dedicated testing server and database. Do not test this beta in production!

You can use the beanbag/reviewboard:6.0b1 Docker image as well. See our Docker instructions for information on setting up an environment.

Review Board 5.0.4 is a bug fix release, focusing on improving compatibility throughout the product, addressing problems with Single Sign-On, and making critical changes to the API.

Fixes for new Apache installs

Review Board 5.0.3 auto-generated new configurations for more web servers when first installing a site, but it was missing the new templates for Apache installs.

Review Board 5.0.4 now generates much-improved Apache configurations with wide Apache support. These new configurations help with setting up SSL and configuring mod_wsgi for different modes.

Better service compatibility

We've fixed compatibility for a few services we integrate with, including:

• Review Bot 3.x, our automated code review add-on for Review Board

• Elasticsearch 7

• Single Sign-On providers

If you're using any of these, you'll want to upgrade to 5.0.4.

Important API changes

We introduced the following APIs in Review Board 5.0:

• All Reviews API

• All Diff Comments API

• All General Comments API

• All File Attachment Comments API

Due to a conflict between the names used for linking to these resources and names used for other resources in our URI templates at the top-level of our API, we've needed to rename these links. If you are using these new APIs, please see the release notes for the new names.

We try hard not to break the API, but this was the less intrusive option.

This also fixes a compatibility problem with the rbt review command.

Plus...

• Full Single Sign-On support in Docker
• Fixes in the presentation of the Trojan Source warning in the diff viewer
• Better instructions when configuring Elasticsearch
• Additional fixes throughout the product

All the details can be found in the release notes.

To learn more about upgrading your server, see our upgrade instructions. You can also use our official Docker images.

If you need assistance with your server, we can help under a support contract.

Oh, one more thing

We're releasing Review Board 6 beta 1 very soon! 6.0 will be a smaller release focused on a few improvements in the review process.

The beta will be public to everybody, but if you're interested in beta testing, we'd love to hear from you!

Today’s new releases fix a (rare) security issue when using older insecure LDAP servers. There are also installation improvements and a handful of bug fixes.

LDAP Security Fix

A security bug was found that enables a user to log in as another user when LDAP is configured. This vulnerability only exists when:

1. Using very old LDAP servers that contain a credential verification security bug; and
2. Enabling anonymous binds; and
3. Logging in as a user not present in LDAP

Under these conditions, a combination of an invalid LDAP username and a non-empty password can result in LDAP claiming the credentials are valid. If that user exists in Review Board as a local user, Review Board will see that the login was “successful” in LDAP and log the user in.

Most users should never hit this issue. So far it’s only been found in an old version of Active Directory, and only when using our “LDAP” backend instead of the recommended “Active Directory.”

We've tightened the code path and added additional checks to safeguard this on our end. All of today’s releases include the fix.

If you use LDAP, we recommend upgrading to this release, ensuring your LDAP servers are up-to-date, and disabling anonymous binds if you don't need them.

New Supported Web Servers

Review Board works well with just about any modern web server, but we’ve only ever provided sample configurations for Apache.

Now, when installing a new site, sample configurations are auto-generated for these often-requested web servers:

• Apache + mod_wsgi
• Nginx + Gunicorn
• Nginx + uWSGI

See our Web Server documentation for these sample configuration files and additional instructions.

Many Bug Fixes

We’ve stomped out several bugs in this release, including:

• Problems marking a SSH key or SSL certificate as trusted when configuring a repository
• Communicating with repositories over SSH in some setups
• Performing manual runs of automated reviews when multiple configurations for the same tool are present
• Workarounds for environment issues during installation on Ubuntu 20.04 LTS

New Documentation

We’ve also reworked much of our documentation. Some highlights include:

• Streamlined installation steps for Linux
• A guide on configuring SELinux
• Enhanced instructions for using docker-compose
• Modernized techniques for optimizing and scaling your deployment
• An overview of using automated code review

For the full list of changes, see:

• Review Board 5.0.3 release notes
• Review Board 4.0.12 release notes
• Review Board 3.0.25 release notes

To learn more about upgrading your server, see our upgrade instructions. You can also use our official Docker images.

If you need assistance with your server, we can help under a support contract.

Review Board 5.0.2 adds new time-based expiration controls for API tokens, improves your control over Trojan Source detection, adds new API features, and fixes several bugs.

Time-Based Expiration for API Tokens

In Review Board 5.0, we introduced new, stronger API tokens that could expire and be validated through automated tools.

Tokens can now be set to expire at a specific time. This is useful when creating short-lived tokens or ones that need to expire at, say, midnight on a given date.

The expiration dates/times for existing tokens can also be changed after token creation. They can even be set in the past to force a token to be expired.

Trojan Source Detection Options

Review Board 5 brought the ability to scan uploaded diffs for possible Trojan Source attacks. Since these are based on Unicode characters from a variety of languages, they can result in false-positives when working with character sets such as Cyrillic or Greek.

Now, Trojan Source detection can be toggled off entirely in Admin UI -> Diff Viewer Settings. Or you can leave it on and mark some character sets as safe.

Changes to URI Templates in the API

URI templates provide quick and easy access to various API resources, allowing a client to determine the appropriate URL simply by accessing the root resource and looking up the desired template name.

In Review Board 5, we had some new resources that conflicted with other ones. This may have impacted some in-house integrations or when using the RBTools API.

We’ve now fixed this to use the original names. The conflicting URI template names have been deprecated, and we’ve introduced a whole new set of future-proofed URI template names.

If you're a developer using our API, please see the full list of new, existing, and deprecated URI templates.

Plus...

• Review UI support for more JSON and YAML mimetypes
• Better defaults on new site installs for maximum diff sizes and lines for syntax highlighting
• Extension capabilities for defining custom ACLs for accessing diffs
• Usability fixes in the diff viewer and in configuration forms
• Crash fixes
• And more.

All the details can be found in the release notes.

To learn more about upgrading your server, see our upgrade instructions. You can also use our official Docker images.

If you need assistance with your server, we can help under a support contract.

Today's release of Review Board 5.0.1 improves the new API tokens introduced in 5.0 and fixes a handful of bugs.

Improvements to API Tokens

In Review Board 5.0, we introduced new, stronger API tokens that could expire and be validated through automated tools.

To help transition to newer tokens, your My Account page will now highlight any API tokens using the older format automatically. Future releases of RBTools will also suggest upgrading your token if using the older format.

A Handful of Bug Fixes

We've fixed a handful of bugs in this release, including:

• Inconsistent URI templates in the root resource API, depending on the version of Python being used.
• Better errors when accessing a repository backed by an extension that failed to load.
• Fixes for error messages when failing to authenticate with GitLab.
• Small usability fixes in the Review Dialog and Log In page.

All the details can be found in the release notes.

We've also documented a known third-party issue in the release notes with using Single Sign-On with the new Python 3.11 release. If you're already using 3.11 in production, please take a look for instructions on working around this issue.

RBTools 4 brings support for Apple Diff, introduced in the all-new macOS Ventura, along with some other new features, performance improvements, and benefits for script authors.

Apple Diff in macOS Ventura

macOS Ventura replaced GNU Diff with its own Apple Diff.

We now support Apple Diff as an alternative to GNU Diff. The correct diff tool is detected automatically, and compatible diffs will be uploaded to any version of Review Board.

If you use macOS Ventura, you will need to upgrade to RBTools 4 to continue working with most source code management systems.

Better Startup and Diff Generation

We've reworked the RBTools startup process to be faster and to catch errors (missing tools or repositories) sooner, with improved error messages.

Diff generation has been completely redone for Apple Diff support. In the process, we've improved performance, fixed edge cases, and overall improved compatibility.

Updated Python Compatibility

RBTools 4 drops support for Python 2.7 and 3.6. It now supports Python 3.7 through 3.11.

This will allow us to bring new features to RBTools faster. If you still need Python 2.7 or 3.6 support, you will need RBTools 3.x.

The RBTools for Windows installer has been updated to ship Python 3.10.8. This requires Windows 8 or higher.

Scripting Improvements

For developers using the RBTools Python API, we've made a lot of changes:

• Python type annotations have been added to parts of the API, helping your IDE guarantee type safety
• SCMClient setup has changed to enable dependency checks
• A new rbtools.diffs module has been added to help with diff generation and parsing
• Process execution has been reworked for easier usage and safer results
• Deprecated a lot of old functionality, which may require updates in your scripts

Plus...

• Fixes for applying patches on Subversion, Mercurial, and Team Foundation Server
• Smarter scanning of source code repositories when posting changes
• Better support for Bazaar/Breezy

See the release notes for the full list of changes, including changes affecting script authors.

To learn more about RBTools, see the RBTools downloads page and RBTools 4 documentation.

The next generation of Review Board is here.

Review Board 5 introduces an assortment of new enhancements to keep your server, your source code, and your users more secure, through Single Sign-On, Trojan Source Detection, and enhanced API tokens.

Stale Ship It! indicators in the dashboard help your users see which review requests need another round of reviews.

New global review and comment APIs help you perform queries across all accessible reviews and comments published on the server.

Review Board 5 is built using the latest LTS releases of Python 3 and Django 3.2, helping you keep your server secure and maintained for years to come, and offering your in-house extensions all new capabilities.

Let's go on a tour of Review Board 5.

Single Sign-On

Review Board 5 integrates with SAML-based Single Sign-On systems, such as Auth0, OneLogin, and Okta.

This works alongside existing authentication services, including LDAP and Active Directory, giving you many options to manage how your users sign into Review Board.

Trojan Source Detection

Trojan Source attacks allow an attacker to craft malicious code that executes one way but looks another way through clever use of Unicode characters.

The diff viewer now looks for trojan source code, warning if found, and helping reviewers see how the malicious code was crafted.

Enhanced API Tokens

API Tokens are the recommended way to connect RBTools, your scripts, and your services to Review Board.

We've increased the strength and features of API tokens, enabling:

• Token expiration, to help you limit use and transition to newer tokens
• Revocation, enabling administrators to lock down access in the event of a security breach
• Last use tracking, so you know if a token is safe to remove
• Secret scanning, to help catch tokens leaked during review (we'll be enabling this in an upcoming release of Review Bot).

Stale Ship It! Indicators

Ever get a Ship It! on a change, post a new update, and then have to bug people to give your change another look?

The dashboard now shows when the Ship It! on your review request is stale, and your change needs a re-review. The green "Ship It!" indicator will turn from a fresh green to a dull grey, hinting that there's more to do.

Plus...

• New APIs for looking up and filtering all reviews and comments on the server
• Support for Elasticsearch 5.x and 7.x
• New integrations with the Matrix secure team chat service
• Ability to customize which syntax highlighter to use for which file types
• Many performance improvements, bug fixes, and compatibility updates

See the release notes for the full list of changes in Review Board 5.

Ready to upgrade?

First, back up your database and site directory, and test an upgrade on a test server running Python 3.7-3.11 (we recommend 3.9 or 3.10 at this time).

An upgrade can take time, so plan accordingly. If you use extensions, make sure they've been updated to work with Review Board 5.

If your deployment fails, or you need assistance with your upgrade, we can help under a support contract.

To learn more about upgrading your server, see our upgrade instructions. You can also use our official Docker images.

Today, we're bringing two new releases of RBTools and Power Pack, focusing on stability and feature improvements.

RBTools 3.1.2 Highlights

• Now supports the upcoming Python 3.11.
• Added back directory change information to diffs for ClearCase and VersionVault, and fixed problems posting symlinks.
• Fixed several issues generating Perforce diffs, especially on Python 3.
• Fixed applied patches on Subversion.

To learn more about this release, see the RBTools 3.1.2 release notes.

Power Pack 5.1.1 Highlights

• Added support for showing changes to directories when using ClearCase or VersionVault
• Fixed broken repository configuration forms when selecting Cliosoft SOS on Review Board 4.0.3 or older.

This upgrade is available for all existing Power Pack users.

To learn more about this release, see the Power Pack 5.1.1 release notes.