Mark security criticality for most files in qml/parser

Mark the lexing / parsing code as security critical, because they are
data parsers. While _running_ QML code needs to assume trusted input, we
probably should not have this restriction on the parser, so that tools
like qmllint, qmlls and qdoc can safely pass any file to the parser,
without having to worry about security implications.
The criticality extends to qqmljskeywords_p.h, as we do custom bounds
checking in the functions defined there.

qqmljsastfwd_p is marked as insignificant, as it only contains fowrard
declarations and no logic at all.

The other marked files have the default level (significant).

QUIP: 23
Task-number: QTBUG-136966
Pick-to: 6.10 6.9 6.8
Change-Id: I1e44f346d91d6d66c8e9632f0dec4a11fffc935a
Reviewed-by: Ulf Hermann <ulf.hermann@qt.io>

src/qml/parser/qqmljs.g

@@ -1,5 +1,6 @@
 -- Copyright (C) 2016 The Qt Company Ltd.
 -- SPDX-License-Identifier: LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only
+-- Qt-Security score:critical reason:dataparser
 
 %parser         QQmlJSGrammar
 %decl           qqmljsparser_p.h

src/qml/parser/qqmljsast.cpp

@@ -1,5 +1,6 @@
 // Copyright (C) 2016 The Qt Company Ltd.
 // SPDX-License-Identifier: LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only
+// Qt-Security score:significant
 
 #include <QString>
 #include <QLocale>

src/qml/parser/qqmljsast_p.h

@@ -1,5 +1,6 @@
 // Copyright (C) 2016 The Qt Company Ltd.
 // SPDX-License-Identifier: LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only
+// Qt-Security score:significant
 
 #ifndef QQMLJSAST_P_H
 #define QQMLJSAST_P_H

src/qml/parser/qqmljsastfwd_p.h

@@ -1,5 +1,6 @@
 // Copyright (C) 2016 The Qt Company Ltd.
 // SPDX-License-Identifier: LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only
+// Qt-Security score:significant reason:forward-declarations-only
 
 #ifndef QQMLJSAST_FWD_P_H
 #define QQMLJSAST_FWD_P_H

src/qml/parser/qqmljsastvisitor.cpp

@@ -1,5 +1,6 @@
 // Copyright (C) 2016 The Qt Company Ltd.
 // SPDX-License-Identifier: LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only
+// Qt-Security score:significant
 
 #include "qqmljsastvisitor_p.h"
 

src/qml/parser/qqmljsastvisitor_p.h

@@ -1,5 +1,6 @@
 // Copyright (C) 2016 The Qt Company Ltd.
 // SPDX-License-Identifier: LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only
+// Qt-Security score:significant
 
 #ifndef QQMLJSASTVISITOR_P_H
 #define QQMLJSASTVISITOR_P_H

src/qml/parser/qqmljsengine_p.h

@@ -1,5 +1,6 @@
 // Copyright (C) 2016 The Qt Company Ltd.
 // SPDX-License-Identifier: LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only
+// Qt-Security score:significant
 
 #ifndef QQMLJSENGINE_P_H
 #define QQMLJSENGINE_P_H

src/qml/parser/qqmljskeywords_p.h

@@ -1,5 +1,6 @@
 // Copyright (C) 2016 The Qt Company Ltd.
 // SPDX-License-Identifier: LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only
+// Qt-Security score:critical reason:data-parser
 
 #ifndef QQMLJSKEYWORDS_P_H
 #define QQMLJSKEYWORDS_P_H

src/qml/parser/qqmljslexer.cpp

@@ -1,5 +1,6 @@
 // Copyright (C) 2016 The Qt Company Ltd.
 // SPDX-License-Identifier: LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only
+// Qt-Security score:critical reason:dataparser
 
 #include "qqmljslexer_p.h"
 #include "qqmljsengine_p.h"

src/qml/parser/qqmljslexer_p.h

@@ -1,5 +1,6 @@
 // Copyright (C) 2016 The Qt Company Ltd.
 // SPDX-License-Identifier: LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only
+// Qt-Security score:significant
 
 #ifndef QQMLJSLEXER_P_H
 #define QQMLJSLEXER_P_H