Mark remaining files in src/corelib/serialization as security-insignificant

The .gitignore file is obviously insignificant. The file format allows
comments, so mark it. Invent a new reason string for that.

The shell script is also insignificant. While it runs qlalr for the
security-critical QtXmlStream classes, as a build-tool, it's not
security-critical itself, and, unlike e.g. util/normalize/main.cpp, it
doesn't itself contain code that ends up being compiled. Invent a new
reason string for that.

This completes the review of src/corelib/serialization:

  $ for i in $(find src/corelib/serialization -type f); do
      if ! grep -qE '^ *(//|#) *Qt[ -]Security +score:' "$i"; then
          echo "$i"
      fi
  done
  <nothing>

QUIP: 23
Fixes: QTBUG-135194
Pick-to: 6.10 6.8
Change-Id: Id5d18244fe0e9d18b8891500a3a946ac530671a4
Reviewed-by: Edward Welbourne <[email protected]>

2 files changed, 2 insertions, 0 deletions

diff --git a/src/corelib/serialization/.gitignore b/src/corelib/serialization/.gitignore
index 89f9ac04aac..8261c031991 100644
--- a/src/corelib/serialization/.gitignore
+++ b/src/corelib/serialization/.gitignore
@@ -1 +1,2 @@
+# Qt-Security score:insignificant reason:gitignore
 out/
diff --git a/src/corelib/serialization/make-xml-parser.sh b/src/corelib/serialization/make-xml-parser.sh
index 18898337003..4174949154c 100755
--- a/src/corelib/serialization/make-xml-parser.sh
+++ b/src/corelib/serialization/make-xml-parser.sh
@@ -1,6 +1,7 @@
 #!/bin/sh
 # Copyright (C) 2016 The Qt Company Ltd.
 # SPDX-License-Identifier: LicenseRef-Qt-Commercial OR GPL-3.0-only WITH Qt-GPL-exception-1.0
+# Qt-Security score:insignificant reason:build-tool-containing-no-compiled-source
 
 me=$(dirname $0)
 mkdir -p $me/out