From 08072b5eb3920cd4aadf10dce8ff485314dbbe7e Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 27 Jan 2026 02:10:51 +0000 Subject: [PATCH 1/3] Initial plan From 45d2dc4dc562bcabf38bd311d3b914fa31aa1345 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 27 Jan 2026 02:14:20 +0000 Subject: [PATCH 2/3] Add code quality report infrastructure and workflow Co-authored-by: Malcolmnixon <1863707+Malcolmnixon@users.noreply.github.com> --- .config/dotnet-tools.json | 12 +++ .cspell.json | 6 +- .github/codeql-config.yml | 17 +++++ .github/workflows/build.yaml | 110 ++++++++++++++++++++++++++- .github/workflows/build_on_push.yaml | 1 + .github/workflows/release.yaml | 1 + docs/quality/definition.yaml | 16 ++++ docs/quality/introduction.md | 35 +++++++++ docs/quality/title.txt | 17 +++++ 9 files changed, 213 insertions(+), 2 deletions(-) create mode 100644 .github/codeql-config.yml create mode 100644 docs/quality/definition.yaml create mode 100644 docs/quality/introduction.md create mode 100644 docs/quality/title.txt diff --git a/.config/dotnet-tools.json b/.config/dotnet-tools.json index 2443ee1..443ebff 100644 --- a/.config/dotnet-tools.json +++ b/.config/dotnet-tools.json @@ -19,6 +19,18 @@ "commands": [ "weasyprint" ] + }, + "demaconsulting.sonarmark": { + "version": "1.0.0", + "commands": [ + "sonarmark" + ] + }, + "demaconsulting.sarifmark": { + "version": "1.0.1", + "commands": [ + "sarifmark" + ] } } } \ No newline at end of file diff --git a/.cspell.json b/.cspell.json index 1e3107c..f1152c8 100644 --- a/.cspell.json +++ b/.cspell.json @@ -28,7 +28,11 @@ "Blockquotes", "tracematrix", "testname", - "filepart" + "filepart", + "hotspots", + "CodeQL", + "SonarMark", + "SarifMark" ], "ignorePaths": [ "node_modules", diff --git a/.github/codeql-config.yml b/.github/codeql-config.yml new file mode 100644 index 0000000..06b30e6 --- /dev/null +++ b/.github/codeql-config.yml @@ -0,0 +1,17 @@ +--- +# CodeQL configuration for ReqStream +# Excludes test code from path-combine security analysis +# Excludes justified generic exception handlers + +name: "ReqStream CodeQL Config" + +# Query filters to disable specific queries for certain paths +query-filters: + - exclude: + id: cs/path-combine + paths: + - test/**/*.cs + - exclude: + id: cs/catch-of-all-exceptions + paths: + - src/DemaConsulting.ReqStream/Program.cs diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index e7b2282..3005c12 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -197,10 +197,65 @@ jobs: name: integration-test-results-${{ matrix.os }}-dotnet${{ matrix.dotnet-version }} path: integration-test-*.trx + codeql: + name: CodeQL Analysis + needs: quality-checks + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + steps: + - name: Checkout repository + uses: actions/checkout@v6 + + - name: Setup dotnet + uses: actions/setup-dotnet@v5 + with: + dotnet-version: | + 8.x + 9.x + 10.x + + - name: Initialize CodeQL + uses: github/codeql-action/init@v4 + with: + languages: csharp + queries: security-and-quality + config-file: ./.github/codeql-config.yml + build-mode: manual + + - name: Restore dotnet tools + run: dotnet tool restore + + - name: Restore dependencies + run: dotnet restore + + - name: Build + run: > + dotnet build + --no-restore + --configuration Release + --property:Version=${{ inputs.version }} + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v4 + with: + category: "/language:csharp" + output: sarif-results + upload: false + + - name: Upload SARIF + uses: actions/upload-artifact@v6 + with: + name: codeql-sarif + path: sarif-results/csharp.sarif + build-docs: name: Build Documentation runs-on: windows-latest - needs: [build, integration-test] + needs: [build, integration-test, codeql] permissions: contents: read @@ -221,6 +276,12 @@ jobs: name: packages-windows-latest path: packages + - name: Download CodeQL SARIF + uses: actions/download-artifact@v7 + with: + name: codeql-sarif + path: codeql-results + - name: Setup Node.js uses: actions/setup-node@v6 with: @@ -291,6 +352,53 @@ jobs: docs/tracematrix/tracematrix.html "docs/ReqStream Trace Matrix.pdf" + - name: Generate CodeQL Quality Report with SarifMark + shell: pwsh + run: > + dotnet sarifmark + --sarif codeql-results/csharp.sarif + --report docs/quality/codeql-quality.md + --heading "ReqStream CodeQL Analysis" + --report-depth 1 + + - name: Display CodeQL Quality Report + shell: pwsh + run: | + echo "=== CodeQL Quality Report ===" + Get-Content docs/quality/codeql-quality.md + + - name: Generate Code Quality Report with SonarMark + shell: pwsh + env: + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + run: > + dotnet sonarmark + --server https://sonarcloud.io + --project-key demaconsulting_ReqStream + --branch ${{ github.ref_name }} + --token "$env:SONAR_TOKEN" + --report docs/quality/sonar-quality.md + --report-depth 1 + + - name: Display SonarCloud Quality Report + shell: pwsh + run: | + echo "=== SonarCloud Quality Report ===" + Get-Content docs/quality/sonar-quality.md + + - name: Generate Code Quality HTML with Pandoc + run: > + dotnet pandoc + --defaults docs/quality/definition.yaml + --output docs/quality/quality.html + + - name: Generate Code Quality PDF with Weasyprint + run: > + dotnet weasyprint + --pdf-variant pdf/a-3u + docs/quality/quality.html + "docs/ReqStream Code Quality.pdf" + - name: Upload documentation uses: actions/upload-artifact@v6 with: diff --git a/.github/workflows/build_on_push.yaml b/.github/workflows/build_on_push.yaml index 6d22ef9..94029b9 100644 --- a/.github/workflows/build_on_push.yaml +++ b/.github/workflows/build_on_push.yaml @@ -13,6 +13,7 @@ jobs: permissions: contents: read pull-requests: write + security-events: write uses: ./.github/workflows/build.yaml with: version: 0.0.0-run.${{ github.run_number }} diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index abb5914..e5ad283 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -23,6 +23,7 @@ jobs: permissions: contents: read pull-requests: write + security-events: write uses: ./.github/workflows/build.yaml with: version: ${{ inputs.version }} diff --git a/docs/quality/definition.yaml b/docs/quality/definition.yaml new file mode 100644 index 0000000..65420a4 --- /dev/null +++ b/docs/quality/definition.yaml @@ -0,0 +1,16 @@ +--- +resource-path: + - docs/quality + - docs/template + +input-files: + - docs/quality/title.txt + - docs/quality/introduction.md + - docs/quality/codeql-quality.md + - docs/quality/sonar-quality.md + +template: template.html + +table-of-contents: true + +number-sections: true diff --git a/docs/quality/introduction.md b/docs/quality/introduction.md new file mode 100644 index 0000000..ebcadf9 --- /dev/null +++ b/docs/quality/introduction.md @@ -0,0 +1,35 @@ +# Introduction + +This document contains the code quality analysis report for the ReqStream project. + +## Purpose + +This report serves as evidence that the ReqStream codebase maintains good quality +standards. It provides a comprehensive analysis of code quality metrics, including +quality gate status, code issues, security hotspots, technical debt, and code coverage. + +## Scope + +This code quality report covers: + +- Quality gate status and conditions +- Code issues categorized by type and severity +- Security hotspots requiring review +- Technical debt assessment +- Code coverage and duplication metrics + +## Analysis Source + +This report contains quality analysis results captured at the time this version of ReqStream +was built. It serves as evidence that the code maintains good quality standards and provides +transparency about the project's code health. The analysis includes results from various +quality tools run during the build process. + +## Audience + +This document is intended for: + +- Software developers working on ReqStream +- Quality assurance teams reviewing code quality +- Project stakeholders evaluating project health +- Contributors understanding quality standards diff --git a/docs/quality/title.txt b/docs/quality/title.txt new file mode 100644 index 0000000..86f9f72 --- /dev/null +++ b/docs/quality/title.txt @@ -0,0 +1,17 @@ +--- +title: ReqStream Tool +subtitle: Code Quality Report +author: DEMA Consulting +description: Code Quality Report for the ReqStream Tool for managing requirements in YAML format +lang: en-US +keywords: + - ReqStream + - Code Quality + - SonarCloud + - CodeQL + - Analysis + - C# + - .NET + - Requirements + - YAML +--- From 9b23b50e824be24c6e62cd98d319b59e1e1b8bf9 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Tue, 27 Jan 2026 02:19:46 +0000 Subject: [PATCH 3/3] Add actions:read permission to workflow callers for CodeQL Co-authored-by: Malcolmnixon <1863707+Malcolmnixon@users.noreply.github.com> --- .github/workflows/build_on_push.yaml | 1 + .github/workflows/release.yaml | 1 + 2 files changed, 2 insertions(+) diff --git a/.github/workflows/build_on_push.yaml b/.github/workflows/build_on_push.yaml index 94029b9..344b21a 100644 --- a/.github/workflows/build_on_push.yaml +++ b/.github/workflows/build_on_push.yaml @@ -11,6 +11,7 @@ jobs: build: name: Build permissions: + actions: read contents: read pull-requests: write security-events: write diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index e5ad283..2ff0b87 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -21,6 +21,7 @@ jobs: build: name: Build permissions: + actions: read contents: read pull-requests: write security-events: write