What's New in Review Board

The all-new Review Bot 3 brings enhancements to every area of the product. New Docker images to ease installation, new code review tools to spot problems in more languages, a new Secret Scanner that looks for leaked credentials or API tokens, and a new worker experience. Plus many, many bug fixes.

Docker Images

Review Bot is now easier to install than ever, thanks to our new official Docker images.

You can create your own Review Bot worker image with the specific tools you need by using beanbag/reviewbot-base, or you can use one or more of the following pre-built images for reviewing:

• reviewbot-c: C/C++ and Objective-C/C++
• reviewbot-go: Go
• reviewbot-java: Java
• reviewbot-javascript: JavaScript
• reviewbot-python: Python
• reviewbot-ruby: Ruby
• reviewbot-rust: Rust
• reviewbot-shell: Shell Scripts
• reviewbot-fbinfer: Multiple languages through FBInfer
• reviewbot-pmd: Multiple languages through PMD

Our Review Board Docker image has been updated to include the extension for Review Bot 3.

See our documentation on using or customizing the Review Bot docker images.

Secret Scanning

Review Bot can now check all published diffs for any accidental passwords, API tokens, or other credentials included in the code. This is a red flag to the author of the change to quickly reset those credentials

This is built into the Review Bot worker. No special tools are required. See the Secret Scanner documentation for information on what kinds of credentials Review Bot looks for, and let us know if you have any you’d like us to add.

Improved Code Review Tools

Review Bot 3 includes new tools for reviewing Go, Rust, Ruby, and Bash/Dash/KSH/SH shell script code. It also now includes support for Facebook’s FBInfer tool.

For more information, see our documentation on:

• CargoTool
• FBInfer
• Go Fmt
• Go Tool
• RuboCop
• RustFmt
• ShellCheck

Most existing tools have also been improved, with better reporting capabilities, new configuration options, and better compatibility.

A New Worker Experience

We’ve completely reworked the Review Bot worker, adding new configuration options, a more useful startup and diagnostics screen, and a streamlined command line.

Configuration improvements include:

• Authentication cookie paths, tool executable paths, and Java classpaths are all customizable.
• The location of the Review Bot configuration can now be set on each worker.
• The list of full-access repositories or Review Board servers can now be managed in JSON files you control.

During startup, if anything is missing or any full-access repositories are misconfigured, Review Bot will now let you know.

All changes are backwards-compatible.

Lots of Bug Fixes

Compatibility issues with tools and corner cases with applying patches have all been fixed.

We’ve addressed many headaches with getting things configured, providing better guidance when things go wrong.

Race conditions between workers on full-access repositories are no more.

Performance has also been improved throughout the product.

Ready To Upgrade?

Upgrading is easy, and we have an upgrade guide to get you going.

If you’re new to Review Bot, the new Docker images make it easier than ever to get started.

See the Review Bot documentation for installation and usage instructions, and for the complete list of supported tools.

If you want to know what else is in 3.0, check out the release notes.

We have a few exciting announcements today!

Power Pack 4 and RBTools 3 are now available. There’s a few big features to cover, and we’d like to start with VersionVault and ClearCase.

HCL VersionVault and IBM ClearCase

HCL VersionVault and IBM Rational ClearCase are enterprise source code management products, built for distributed teams that need to collaborate on very large projects.

Power Pack 4 ships support for both VersionVault and ClearCase repositories, allowing your teams across the world to collaborate on code reviews and document reviews.

To get started:

1. Install Review Board 4.0.5 (or newer)
2. Install Power Pack 4 on the Review Board server
3. Download a Power Pack trial license or purchase a license
4. Configure your repositories (each can map to one or more VOBs)
5. Have your developers install the RBTools 3 command line tools to post changes for review

You can then post code for review using rbt post, and review it right from your Review Board server.

Power Pack is a licensed add-on to Review Board. You can buy a license for as many or as few users as needed. A user must be licensed to post changes for review, but anybody can review posted changes.

Please note, this replaces the old, legacy community-driven ClearCase implementation found in Review Board. You’ll want to select “VersionVault / ClearCase” when setting up your new repositories.

For more information, see the documentation on:

• Configuring VersionVault/ClearCase Repositories
• Posting VersionVault/ClearCase Changes

Database Import/Export

There are times when you may want to take the content from one Review Board server and move it to another. The simplest way to do this is just to copy the database, but there are some times when that will not suffice:

• You want to export only a subset of the content (for example, if part of a business is being spun-out or acquired).
• You want to combine two separate Review Board instances into one.
• You want to change database backend types (for example, moving from MySQL to Postgres).

Power Pack 4’s new import/export feature makes it easy to handle these kinds of scenarios by exporting a full or partial Review Board server into a database-agnostic bundle, which can then be imported into a new or existing server.

Power Pack 4 must be installed to perform the export or the import, but at this time, a license is not required to use the feature.

See the Import/Export documentation for instructions.

RBTools 3

Along with support for VersionVault and ClearCase, the all-new RBTools 3 has some new capabilities to help you build your own solutions around Review Board.

JSON Output

All commands now accept a --json argument, which will cause the command to output a JSON document showing if the command was successful or listing any errors.

Many commands (including rbt post, rbt land, rbt status-update, and rbt status) provide additional information, built to help you integrate RBTools into your own scripts.

See the documentation for each command for their JSON schemas.

We are still working to improve the JSON output. If you use this feature, please let us know what would be useful to you!

rbt review

The new rbt review command allows you to construct reviews, add comments, and publish or discard, right from the command line or scripts.

This is intended to help with in-house automation around Review Board. We’re still improving this command, so once again, let us know if you find it useful and want to see any improvements.

Let’s Get Started!

Ready to set up VersionVault/ClearCase? Or play with RBTools’s new JSON output or review automation? Or prepare for some data migration?

Upgrade to Power Pack 4 and RBTools 3 to take advantage of all these new features.

To see the full list of changes, see the Power Pack 4 release notes and RBTools 3 release notes.

Today's release of Review Board 4.0.6 fixes bugs throughout the product, improving areas such as interdiffs, mobile styling, and Python 3 compatibility.

It also introduces new diff parsing capabilities and API enhancements, which will be used by the upcoming Review Bot 3 release.

Diff Improvements

Diff parsing now tracks symlink target and UNIX file mode changes for Git,
Mercurial, and DiffX diffs.

These, along with binary file information, are now exposed in the API, allowing
your in-house scripts and webhooks to better work with changes posted to Review
Board.

We've also fixed the display of indentation-only changes when viewing
interdiffs, the display of symlink changes in Git-style Mercurial diffs, and
downloading patch error bundles on Python 3, and

Bug Fixes

We've fixed some issues upgrading from very old versions of Review Board to
4.0.6+.

Parsing of Bitbucket API error payloads on Python 3 now works for all error
types.

If using Review Bot, you can now once again view the in-database state for
tools.

Some UI issues in mobile styling and in the issue summary table have been
fixed.

Upgrade today!

Builds are now available for Python 2 and 3, and our official
Docker images have been updated.

Check out the release notes
for the full list of changes.

Review Board 4.0.5 introduces new experimental features for defining custom ACLs for diffs, integrating with our proposed DiffX file format, and eases installation on Python 2.7 and 3.10.

Diff ACLs

Through the new FileDiffACLHook, extensions can check whether a user is allowed to see the contents of particular files before a diff is rendered.

You can connect this to in-house access control lists you've already defined, such as Perforce's p4 protect (there's an example for this in the documentation).

Right now, Diff ACLs are experimental, and must be specifically enabled on your server. We're excited to find out how you might use this feature, and will be making it standard in Review Board 5.

DiffX

Surprisingly, there isn't much in common between most diff formats. Every source code management solution has had to invent its own variation of the format, and with this comes problems.

We've been working on addressing this through a proposed standard format called DiffX. This introduces standard parsing rules, multi-commit diffs, custom metadata, and is backwards-compatible with existing diffs

Review Board now includes built-in DiffX support. Right now, this is opt-in, but we'll be using it with some upcoming SCMs solutions we're integrating with. In the future, we plan to make DiffX available universally.

Compatibility Improvements

We've fixed a handful of issues with installing, upgrading, and using Review Board:

• Some Python 2.7 dependencies have been tweaked to ease installation without running into dependency issues.

• Python 3.10 support has been added. We're having to work around issues in third-party modules we depend on, so let us know if you hit any issues.

• Newer versions of mysqlclient on Python 3 are now supported. No need to downgrade.

• Fixed issues that could trigger failed upgrades from very old Review Board databases (you will need to manually upgrade django_evolution to 2.1.3 or higher).

• Fixed a Markdown rendering issue on Python 3.

Plus...

• Improved TLS support in Active directory.
• Fixed displaying the Change field on review requests.
• Internal preparations for Review Board 5, coming soon!

We're aiming to get Review Board 5 in beta form in the next couple of months. This will largely be an architectural upgrade, switching us to Django 3.2 LTS and Python 3.7+. We'll have an announcement when this is ready to test.

In the meantime, see the release notes for the full list of changes in Review Board 4.0.5.

The big tech news this week has been CVE-2021-44228, the vulnerability in Log4j2, a widely-used logging library for Java.

We've received a lot of questions as to whether Review Board is impacted.

The answer is no. Review Board is not impacted by the Log4j2 vulnerability. It's written in Python and JavaScript, and we do not make use of Java or Log4j2 anywhere in our stack.

However, Review Board may talk to other services in your network that use Log4j2, which themselves may be impacted. We recommend thoroughly auditing your infrastructure at this time.

This is a pretty rough issue, and we want to acknowledge and praise the hard work and long hours so many people are putting in to address this issue, both inside and outside the Log4j2 project. If your company depends on Log4j2, or any other critical open source components, consider reaching out to those projects to see how you can help give back.

Power Pack 3.0.6 introduces support for Microsoft Azure DevOps, and fixes compatibility issues with Python 3 and Review Board 4.

Azure DevOps

Microsoft Azure DevOps is the successor to Team Foundation Server. Power Pack 3.0.6 now supports authenticating and communicating with Azure DevOps, using our existing Team Foundation Server integration.

Personal Access Tokens can now be used to communicate with Azure DevOps or with recent versions of Team Foundation Server that are set to require them.

Compatibility Fixes

Power Pack is now compatible with the most recent versions of Python 3, fixing some crashes during startup.

Review Board 4 support has also improved. Issues with licensed user management on this release have been resolved, and styling has improved in the Power Pack configuration page, helping it fit better with the rest of the UI.

If you haven't upgraded lately...

In recent releases, we've added compatibility with Review Board 4.0 release and improved Reports and PDF compatibility. We have more features on the way, including new support for new source code management solutions and cross-database import/export.

Now's a great time to upgrade, or to start using Power Pack for the first time.

Learn more about Power Pack or upgrade your copy today!

Today's release of Review Board 4.0.4 introduces support for Amazon SES as an e-mail service, improves code highlighting in text areas, cron support for our Docker image, and fixes a handful of bugs.

Amazon SES

Amazon SES is a widely-used e-mail service for users of Amazon Web Services. While Review Board could communicate with it before, it wasn't compatible with SES's method of threading e-mails.

Review Board now adds direct support for SES and its e-mail threading. It will automatically detect SES and enable the correct behavior. If you're using SES today, there's nothing you need to do.

Code Highlighting

We've updated CodeMirror, which we use for text fields, from 5.48.4 to 5.62. This adds improved syntax highlighting for:

• CSS
• JSX
• Markdown
• Pascal
• Python format strings
• SQL
• Shell scripts
• TypeScript
• XML

If you've run into code highlighting problems in the past, give it a try now!

Cron for Docker

Our Docker image now supports using crontabs to run automated tasks, such as search indexing. This is done by pointing the REVIEWBOARD_CRONTAB environment variable at a cron file to load.

See the documentation for usage instructions.

Bug Fixes

That's not all. We've fixed several new bugs and regression from previous releases, including:

• Packaging fixes for Python 2.7
• Scrolling through commits in the New Review Request page
• Downloading diffs for Mercurial
• Status Updates loading issues for automated code review
• Subversion diff parsing

And more. See the release notes for the full list of changes.

RBTools 2.0.1 introduces two new features:

• Support for Breezy, a modern fork of Bazaar
• Ability to download and write patches to local files using rbt patch --write

We'll be adding support for Breezy to Review Board in an upcoming release.

Along with these improvements, there's a fix for rbt land on Mercurial, and the removal of some harmless but noisy warnings when running on Python 3 with warnings enabled.

See the release notes for the complete list of changes.

Review Board 4.0.3 fixes an assortment of bugs throughout the product, some of which are specific to running on Python 3. The highlights include:

• Sending e-mails with long Unicode subjects
• Posting messages to Slack and Mattermost
• Triggering builds on Jenkins
• Looking up files from GitWeb or HgWeb
• Scrolling in the comment dialog
• Filtering repositories and loading commits in the New Review Request page
• Adding groups as reviewers when Depends On is set
• Displaying validation errors when configuring repositories or WebHooks

For the full list of changes, see the release notes.

Today's releases of Review Board 3.0.24 and 4.0.2 fix a handful of bugs and one security issue, and introduces support for defining safe URL protocols for Markdown text.

Security Fix for Markdown Review UI

Attackers could post a Markdown document for review that contained bad links that, when clicked, could invoke JavaScript code. We fixed a similar issue in 3.0.21, but this is specific to the Markdown Review UI.

Though this is a pretty small attack vector, we do strongly recommend that everyone upgrades as a precaution.

Custom URL Protocols

Administrators can now set a list of URL protocols (like eclipse://. ftp://, gopher://, etc.) they consider safe for their environment by modifying conf/settings_local.py: These will then be preserved when building links. For example:

ALLOWED_MARKDOWN_URL_PROTOCOLS = ['eclipse', 'ftp', 'gopher']

Bug Fixes

There are also fixes for:

• Marking session and CSRF cookies as secure
• Handling Subversion diffs with (nonexistent) revisions
• Markdown rendering of e-mail addresses
• Connecting to GitLab (in Review Board 4.0.2)

See the 3.0.24 release notes and 4.0.2 release notes for the full lists of changes.

Note: If you're upgrading to 3.0.24, please follow the installation instructions in the release notes so you don't end up on 4.0.2.