devZing Blog

Defect documentation and tracking companies QASymphony and devZing have teamed up to integrate the technology driving their qTrace Quality Assurance tool and devZing hosted Bugzilla defect-tracking system.

QASymphony's qTrace works to document defects by recording all steps, screens, and system information associated with a defect. Bugzilla hosted by devZing tracks bugs and issues.

In line with the integration of the two companies' tools, QASymphony also announced version 2.5 of qTrace, which now adds four different single screen capture modes. The concept is that this eliminates the need for the "PrintScreen button" in Windows platform environments, or indeed the use of any other screen capture software.

QASymphony says that qTrace has created a "new category of screen capture"; i.e., qTrace not only captures images of software screens, but also the user's actions such as mouse clicks and entered text. By leveraging the screen images and generated text narration, a tester can describe and submit software defects in full detail quickly and easily.

"Our goal is to make qTrace the only screen capture tool needed by testers," says Vu Lam, CEO of QASymphony. "We've tackled the tough part, which is creating a tool with the intelligence to document long complex defects. But we've heard our users say that for simple cases, one screenshot is enough. We've now tuned qTrace to have robust functions in the capture of a single screenshot, so qTrace is the only tool needed to document simple and complex defects. We're also adding some other goodies that I'm sure our fans will appreciate!"

devZing customers (and anyone else for that matter) can find out more about a great deal on qTrace by visiting devZing.com/qtrace.

The Bugzilla team announced the release of Bugzilla 4.2. The devZing team will be evaluating this release before scheduling upgrades for existing customers. If you are interested in upgrading right away please contact support.

New features:

• You can now create a new attachment simply by pasting some text into a text field, in addition to the normal upload process for attachments.
• By default, bugmails (email notifications about changes to bugs) are now sent in an HTML format that is more readable than the old text format. Those who prefer the old text format can still choose it in their Preferences, however.
• The Custom Search section in the Advanced Search page has been redesigned to work in a more sensible way. Complex queries are easier to build and have more sensible results, as they are built using a more intuitive logic. Some very complicated queries are still impossible to generate, though. Things should improve in future releases.
• Older components, versions and milestones can now be disabled. Bugs already using them are not affected, but these values will no longer be available for new bugs.
• A custom field can now be displayed based on multiple values of another field. (For example, one custom field could now appear in multiple products.) Previously, you could only display a custom field based on a single value of another field.
• Most changes made through the admin interface are now logged to the database, in the audit_log table. There is no UI to access this table yet.
• A project has started thanks to Francisco Donalisio from IBM to make Bugzilla compliant with the W3C Web Accessibility Initiative standards. A lot more work still needs to be done, but we expect a much better compatibility for the next major release.

The Bugzilla team has released a security fix for Bugzilla 4.0.x.

• A CSRF vulnerability in the implementation of the XML-RPC API when running under mod_perl could be used to make changes to bugs or execute some admin tasks without the victim's knowledge.

This defect does not affect any devZing customers. However, all new devZing hosted Bugzilla installs will be created with Bugzilla 4.0.5.

All Bugzilla hosting customers have been upgraded to Bugzilla 4.0.4.

You can read more about the release at the Bugzilla site.

A number of changes were released to address this http://www.bugzilla.org/security/3.4.13/:

• When a user creates a new account, Bugzilla doesn't correctly reject email addresses containing non-ASCII characters, which could be used to impersonate another user account. Such email addresses could look visually identical to other valid email addresses, and an attacker could try to confuse other users and be added to bugs he shouldn't have access to.
• Due to a lack of validation of the Content-Type header when making POST requests to jsonrpc.cgi, a possible CSRF vulnerability was discovered. If a user visits an HTML page with some malicious JS code in it, an attacker could make changes to a remote Bugzilla installation on behalf of the victim's account by using the JSON-RPC API. The user would have had to be already logged in to the target site for the vulnerability to work.

bicho is a Ruby Gem primarily designed for accessing Bugzilla in order to do custom reporting. It has a simple API for searching for and retreiving bugs.

Source: Duncan Mac-Vicar