| author | Shawn Rutledge <shawn.rutledge@qt.io> | 2025-09-23 16:12:39 +0200 |
|---|---|---|
| committer | Shawn Rutledge <shawn.rutledge@qt.io> | 2025-09-26 18:23:43 +0200 |
| commit | ad6afabdb244cf9bab9dc2767442c3fe17b1cf13 (patch) | |
| tree | ca15ad99a9b4e982dd27178b6048184ae33f8342 /src/plugins/platforminputcontexts/compose/qcomposeplatforminputcontext.cpp | |
| parent | f2319ada91a27b0fc08646be178a9c6193c7e0e1 (diff) | |
CRA review: plugins/platforminputcontexts/*

The files that we maintain by hand are marked as significant.

- D-Bus is security critical, but the Qt I-Bus implementation is merely
  a user, and does not do any parsing or communication on its own. The
  last known vulnerability CVE-2019-14822 was in the server, not in Qt.
- Likewise, QComposeInputContext uses xkb_compose functionality, so any
  risk is there, not in Qt.
- Both of these plugins work with keyboard events, but we do not
  consider that a risk in general.
- The remaining source files in the ibus directory are auto-generated,
  with a comment explaining that, so we do not modify them. If a
  vulnerability were found, we would need to fix qdbusxml2cpp first
  and then re-generate these.

QUIP: 23
Fixes: QTBUG-135725
Pick-to: 6.10 6.8
Change-Id: Ie4b0ef3d8151406ab5ddc758098d7871f320fe89
Reviewed-by: Liang Qi <liang.qi@qt.io>
Diffstat (limited to 'src/plugins/platforminputcontexts/compose/qcomposeplatforminputcontext.cpp')
| -rw-r--r-- | src/plugins/platforminputcontexts/compose/qcomposeplatforminputcontext.cpp | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/src/plugins/platforminputcontexts/compose/qcomposeplatforminputcontext.cpp b/src/plugins/platforminputcontexts/compose/qcomposeplatforminputcontext.cpp index 3e741890768..a32d3556831 100644 --- a/src/plugins/platforminputcontexts/compose/qcomposeplatforminputcontext.cpp +++ b/src/plugins/platforminputcontexts/compose/qcomposeplatforminputcontext.cpp @@ -1,5 +1,7 @@ // Copyright (C) 2019 The Qt Company Ltd. // SPDX-License-Identifier: LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only +// Qt-Security score:significant reason:default + #include "qcomposeplatforminputcontext.h" #include <QtCore/QCoreApplication> |
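Review bot: The added header line `// Qt-Security score:significant reason:default` leaves the reason at `default`, so the rationale for this file exists only in the commit message (the file is hand-maintained, handles keyboard events, and relies on xkb_compose, where the message places the risk). Someone auditing the source later will see the score but not why it was chosen, or that the message considers keyboard-event handling not a risk in general. Consider either a more specific reason value, if the tagging scheme from the referenced QUIP allows one, or a short comment next to the tag that names the xkb_compose dependency. The diffstat shown here is limited to this one file, so the ibus sources the message mentions (hand-maintained ones tagged, auto-generated ones left unmodified) cannot be checked from this view and should be reviewed in the full commit.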
