What's New in Review Board

We are pleased to announce the first beta for the next major version of Review Board!

Our team has been hard at work on this release, and with your help, we hope to ship the final 5.0 release soon.

If you’re interested in beta testing, please keep reading.

What’s New in 5.0?

Built for Modern Environments

Review Board now requires Python 3.7 or higher, and uses Django 3.2 LTS.

Many of our dependencies have been updated to require the latest versions available.

If you’re upgrading an old installation, this would be a good opportunity to deploy a new server or switch to our Docker images (use beanbag/reviewboard:5.0b1). Once released, we’ll continue to support older versions through support contracts.

Single Sign-On

We’re building support for SAML 2.0-based Single Sign-On (SSO) directly in Review Board. With SSO, you can use a provider such as Auth0, OneLogin, or Okta to provision and authenticate users.

This works alongside any existing authentication setup you may already have, such as LDAP or Active Directory.

When enabled, users will need to configure API Tokens for use with RBTools, rather than using their SSO credentials.

We’re still testing this with various SAML providers. If you’re interested in this feature, please let us know which providers you use today, and whether you encounter any problems with the beta.

Trojan Source Attack Detection

Review Board now looks for Trojan Source attacks in code posted for review. These attacks use special Unicode characters to make code appear one way, but execute another way, and can be injected intentionally (by a malicious developer) or accidentally (by copying and pasting malicious code from another website).

The diff viewer will now show a notice if any suspicious code is detected for a file, and will show you the suspicious characters. Reviewers can then choose to see how the code would normally appear, getting a sense of the attack.

Elasticsearch 5.x and 7.x

Review Board now supports using Elasticsearch 5.x and 7.x as search backends, as well as the previously-supported 1.x and 2.x releases.

Please note, we depend on a third-party project called Django Haystack for our Elasticsearch support. At this time, neither Elasticsearch 8.x nor OpenSearch are supported by Haystack.

See the release notes for information on how to configure your version of Elasticsearch.

Global Review and Comment APIs

These new APIs allow you to make queries against all reviews or all comments in Review Board.

This can, for instance, be used to list all reviews made by a given user in the past month, or all issues that remain open.

Performance Improvements

We’re making substantial changes to how Review Board works internally, in an effort to improve performance for large installs.

Beta 1 begins this work by simplifying many of the queries used in the database, making the dashboard and several APIs substantially faster.

We’ll have even more improvements in beta 2.

Plus…

• You can now forward review requests and discussions to the Matrix chat service.
• You can set the syntax highlighter you want for different file types in the diff viewer.
• Extension authors can now benefit from the features available in Django 3.2, new registration abilities for custom SCMs, and async/await operations in our JavaScript API.
• Many bugs were fixed (the major ones are listed in the release notes).

See the 5.0 beta 1 release notes for the full list of changes.

Want to Help Us Test?

We’d love to have your help! We have installation information in the release notes.

Please make sure you have a dedicated testing server and database. Do not test this beta in production!

You can use the beanbag/reviewboard:5.0b1 Docker image as well. See our Docker instructions for information on setting up an environment.

Power Pack 5.1 adds support for the upcoming Review Board 5 release, while maintaining compatibility with Review Board 3 and 4.

We are releasing Review Board 5 beta 1 very soon. If you're planning to beta test this release, and are using Power Pack today, we recommend preparing by upgrading to Power Pack 5.1.

This release also contains a fix for diffing PDFs on Python 3 installations.

For complete details, see the release notes.

What is Power Pack?

Power Pack is an add-on to Review Board that provides:

• PDF document review and diffing, allowing you to review documents, schematics, designs, contracts, and code all in one place.
• Report generation, giving you insight into code review practices in your organization.
• Integrations with enterprise services including AWS CodeCommit, Azure DevOps/TFS, Bitbucket Server, Cliosoft SOS, GitHub Enterprise, HCL VersionVault and IBM Rational ClearCase.

With more features in the works.

Licenses are affordable and can cover as many or as few users as needed in your team. Download a 60-day trial license to get started.

Review Bot 3.1 adds support for the upcoming Review Board 5 release, while maintaining compatibility with Review Board 3 and 4.

We are releasing Review Board 5 beta 1 very soon. If you're planning to beta test this release, and are using Review Bot today, we recommend preparing by upgrading to 3.1.

This release also contains a small fix for changing the configured broker URL, to avoid retaining connections to older brokers.

For complete details, see the release notes.

To get started, download Review Bot or read the documentation.

Docker images are also available to help you get going quickly.

We have three new releases out today, all focusing on better compatibility and bug fixes.

Review Board 4.0.7

We've fixed issues all throughout the product, covering:

• Compatibility fixes for ClearCase, GitLab, reCAPTCHA, and third-party extensions
• Text editing improvements to better help you write code in comments
• Better scaling for deployments with many Review Board servers and with thousands of repositories
• Fixes for edge cases when rendering diffs

Our Docker images have also been updated to include support for Power Pack and Review Bot 3.

See the release notes for more on Review Board 4.0.7.

RBTools 3.1.1

This release fixes some regressions from the 3.1 release in rbt land and rbt patch.

It also improves support for IBM ClearCase and HCL VersionVault repositories, which is available through Power Pack.

See the release notes for more on RBTools 3.1.1.

Power Pack 5.0.1

This releases focuses on improving the support for IBM ClearCase and HCL VersionVault. Bugs for diff generation has been fixed and support for UCM workflows have been improved. If you're using legacy ClearCase support in Review Board, we recommend upgrading to the modern version in Power Pack for features like multi-VOB repositories, better compatibility, and official support.

We've also fixed issues running the Database Import/Export functionality in some environments. If you're using our Docker images, import-db and export-db should now work fine.

Power Pack supports additional repositories like Cliosoft SOS and GitHub Enterprise, PDF document review and diffing, Reports for your teams and organizations, and more.

See the release notes for more on Power Pack 5.0.1, or download a 60-day trial license to get started!

Cliosoft SOS is an enterprise source code management solution widely used for hardware and software design and development. It's built to allow teams across the globe to collaborate on large hardware-focused projects.

We’ve partnered with Cliosoft to bring support for SOS to Review Board. You can now connect your SOS projects to Review Board as repositories, post code from local workareas using RBTools, and review them using Review Board’s collection of code review capabilities. This includes issue tracking for comments, moved code detection, multi-line commenting, interdiffs, file attachment review, and more.

SOS support is available as of today’s releases of Power Pack 5 (our licensed add-ons for Review Board) and RBTools 3.1 (our developer command line tools).

Along with SOS support, Power Pack provides PDF document review/diffing, team collaboration reports, database import/export, scalability enhancements, and support for several additional source code management solutions.

Compatible Releases

SOS support requires the following minimum versions on the Review Board server:

• SOS 7.20
• Review Board 4.0.6
• Power Pack 5

And on developer machines:

• SOS 7.20
• RBTools 3.1

Licensing

Power Pack is a licensed product. Licenses can be purchased by credit card or Purchase Order, and can cover as many or as few Review Board users as needed for SOS.

You can get started with a 60-day trial license.

Please note that this is separate from your SOS license.

Learn More

See our SOS workflow guide to learn how to post changes to Review Board, and our repository setup guide to learn how to connect Review Board to SOS.

To learn more about today’s releases of Power Pack 5 and RBTools 3.1, see the Power Pack release notes and RBTools release notes.

The all-new Review Bot 3 brings enhancements to every area of the product. New Docker images to ease installation, new code review tools to spot problems in more languages, a new Secret Scanner that looks for leaked credentials or API tokens, and a new worker experience. Plus many, many bug fixes.

Docker Images

Review Bot is now easier to install than ever, thanks to our new official Docker images.

You can create your own Review Bot worker image with the specific tools you need by using beanbag/reviewbot-base, or you can use one or more of the following pre-built images for reviewing:

• reviewbot-c: C/C++ and Objective-C/C++
• reviewbot-go: Go
• reviewbot-java: Java
• reviewbot-javascript: JavaScript
• reviewbot-python: Python
• reviewbot-ruby: Ruby
• reviewbot-rust: Rust
• reviewbot-shell: Shell Scripts
• reviewbot-fbinfer: Multiple languages through FBInfer
• reviewbot-pmd: Multiple languages through PMD

Our Review Board Docker image has been updated to include the extension for Review Bot 3.

See our documentation on using or customizing the Review Bot docker images.

Secret Scanning

Review Bot can now check all published diffs for any accidental passwords, API tokens, or other credentials included in the code. This is a red flag to the author of the change to quickly reset those credentials

This is built into the Review Bot worker. No special tools are required. See the Secret Scanner documentation for information on what kinds of credentials Review Bot looks for, and let us know if you have any you’d like us to add.

Improved Code Review Tools

Review Bot 3 includes new tools for reviewing Go, Rust, Ruby, and Bash/Dash/KSH/SH shell script code. It also now includes support for Facebook’s FBInfer tool.

For more information, see our documentation on:

• CargoTool
• FBInfer
• Go Fmt
• Go Tool
• RuboCop
• RustFmt
• ShellCheck

Most existing tools have also been improved, with better reporting capabilities, new configuration options, and better compatibility.

A New Worker Experience

We’ve completely reworked the Review Bot worker, adding new configuration options, a more useful startup and diagnostics screen, and a streamlined command line.

Configuration improvements include:

• Authentication cookie paths, tool executable paths, and Java classpaths are all customizable.
• The location of the Review Bot configuration can now be set on each worker.
• The list of full-access repositories or Review Board servers can now be managed in JSON files you control.

During startup, if anything is missing or any full-access repositories are misconfigured, Review Bot will now let you know.

All changes are backwards-compatible.

Lots of Bug Fixes

Compatibility issues with tools and corner cases with applying patches have all been fixed.

We’ve addressed many headaches with getting things configured, providing better guidance when things go wrong.

Race conditions between workers on full-access repositories are no more.

Performance has also been improved throughout the product.

Ready To Upgrade?

Upgrading is easy, and we have an upgrade guide to get you going.

If you’re new to Review Bot, the new Docker images make it easier than ever to get started.

See the Review Bot documentation for installation and usage instructions, and for the complete list of supported tools.

If you want to know what else is in 3.0, check out the release notes.

We have a few exciting announcements today!

Power Pack 4 and RBTools 3 are now available. There’s a few big features to cover, and we’d like to start with VersionVault and ClearCase.

HCL VersionVault and IBM ClearCase

HCL VersionVault and IBM Rational ClearCase are enterprise source code management products, built for distributed teams that need to collaborate on very large projects.

Power Pack 4 ships support for both VersionVault and ClearCase repositories, allowing your teams across the world to collaborate on code reviews and document reviews.

To get started:

1. Install Review Board 4.0.5 (or newer)
2. Install Power Pack 4 on the Review Board server
3. Download a Power Pack trial license or purchase a license
4. Configure your repositories (each can map to one or more VOBs)
5. Have your developers install the RBTools 3 command line tools to post changes for review

You can then post code for review using rbt post, and review it right from your Review Board server.

Power Pack is a licensed add-on to Review Board. You can buy a license for as many or as few users as needed. A user must be licensed to post changes for review, but anybody can review posted changes.

Please note, this replaces the old, legacy community-driven ClearCase implementation found in Review Board. You’ll want to select “VersionVault / ClearCase” when setting up your new repositories.

For more information, see the documentation on:

• Configuring VersionVault/ClearCase Repositories
• Posting VersionVault/ClearCase Changes

Database Import/Export

There are times when you may want to take the content from one Review Board server and move it to another. The simplest way to do this is just to copy the database, but there are some times when that will not suffice:

• You want to export only a subset of the content (for example, if part of a business is being spun-out or acquired).
• You want to combine two separate Review Board instances into one.
• You want to change database backend types (for example, moving from MySQL to Postgres).

Power Pack 4’s new import/export feature makes it easy to handle these kinds of scenarios by exporting a full or partial Review Board server into a database-agnostic bundle, which can then be imported into a new or existing server.

Power Pack 4 must be installed to perform the export or the import, but at this time, a license is not required to use the feature.

See the Import/Export documentation for instructions.

RBTools 3

Along with support for VersionVault and ClearCase, the all-new RBTools 3 has some new capabilities to help you build your own solutions around Review Board.

JSON Output

All commands now accept a --json argument, which will cause the command to output a JSON document showing if the command was successful or listing any errors.

Many commands (including rbt post, rbt land, rbt status-update, and rbt status) provide additional information, built to help you integrate RBTools into your own scripts.

See the documentation for each command for their JSON schemas.

We are still working to improve the JSON output. If you use this feature, please let us know what would be useful to you!

rbt review

The new rbt review command allows you to construct reviews, add comments, and publish or discard, right from the command line or scripts.

This is intended to help with in-house automation around Review Board. We’re still improving this command, so once again, let us know if you find it useful and want to see any improvements.

Let’s Get Started!

Ready to set up VersionVault/ClearCase? Or play with RBTools’s new JSON output or review automation? Or prepare for some data migration?

Upgrade to Power Pack 4 and RBTools 3 to take advantage of all these new features.

To see the full list of changes, see the Power Pack 4 release notes and RBTools 3 release notes.

Today's release of Review Board 4.0.6 fixes bugs throughout the product, improving areas such as interdiffs, mobile styling, and Python 3 compatibility.

It also introduces new diff parsing capabilities and API enhancements, which will be used by the upcoming Review Bot 3 release.

Diff Improvements

Diff parsing now tracks symlink target and UNIX file mode changes for Git,
Mercurial, and DiffX diffs.

These, along with binary file information, are now exposed in the API, allowing
your in-house scripts and webhooks to better work with changes posted to Review
Board.

We've also fixed the display of indentation-only changes when viewing
interdiffs, the display of symlink changes in Git-style Mercurial diffs, and
downloading patch error bundles on Python 3, and

Bug Fixes

We've fixed some issues upgrading from very old versions of Review Board to
4.0.6+.

Parsing of Bitbucket API error payloads on Python 3 now works for all error
types.

If using Review Bot, you can now once again view the in-database state for
tools.

Some UI issues in mobile styling and in the issue summary table have been
fixed.

Upgrade today!

Builds are now available for Python 2 and 3, and our official
Docker images have been updated.

Check out the release notes
for the full list of changes.

Review Board 4.0.5 introduces new experimental features for defining custom ACLs for diffs, integrating with our proposed DiffX file format, and eases installation on Python 2.7 and 3.10.

Diff ACLs

Through the new FileDiffACLHook, extensions can check whether a user is allowed to see the contents of particular files before a diff is rendered.

You can connect this to in-house access control lists you've already defined, such as Perforce's p4 protect (there's an example for this in the documentation).

Right now, Diff ACLs are experimental, and must be specifically enabled on your server. We're excited to find out how you might use this feature, and will be making it standard in Review Board 5.

DiffX

Surprisingly, there isn't much in common between most diff formats. Every source code management solution has had to invent its own variation of the format, and with this comes problems.

We've been working on addressing this through a proposed standard format called DiffX. This introduces standard parsing rules, multi-commit diffs, custom metadata, and is backwards-compatible with existing diffs

Review Board now includes built-in DiffX support. Right now, this is opt-in, but we'll be using it with some upcoming SCMs solutions we're integrating with. In the future, we plan to make DiffX available universally.

Compatibility Improvements

We've fixed a handful of issues with installing, upgrading, and using Review Board:

• Some Python 2.7 dependencies have been tweaked to ease installation without running into dependency issues.

• Python 3.10 support has been added. We're having to work around issues in third-party modules we depend on, so let us know if you hit any issues.

• Newer versions of mysqlclient on Python 3 are now supported. No need to downgrade.

• Fixed issues that could trigger failed upgrades from very old Review Board databases (you will need to manually upgrade django_evolution to 2.1.3 or higher).

• Fixed a Markdown rendering issue on Python 3.

Plus...

• Improved TLS support in Active directory.
• Fixed displaying the Change field on review requests.
• Internal preparations for Review Board 5, coming soon!

We're aiming to get Review Board 5 in beta form in the next couple of months. This will largely be an architectural upgrade, switching us to Django 3.2 LTS and Python 3.7+. We'll have an announcement when this is ready to test.

In the meantime, see the release notes for the full list of changes in Review Board 4.0.5.

The big tech news this week has been CVE-2021-44228, the vulnerability in Log4j2, a widely-used logging library for Java.

We've received a lot of questions as to whether Review Board is impacted.

The answer is no. Review Board is not impacted by the Log4j2 vulnerability. It's written in Python and JavaScript, and we do not make use of Java or Log4j2 anywhere in our stack.

However, Review Board may talk to other services in your network that use Log4j2, which themselves may be impacted. We recommend thoroughly auditing your infrastructure at this time.

This is a pretty rough issue, and we want to acknowledge and praise the hard work and long hours so many people are putting in to address this issue, both inside and outside the Log4j2 project. If your company depends on Log4j2, or any other critical open source components, consider reaching out to those projects to see how you can help give back.