Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 12 additions & 0 deletions .config/dotnet-tools.json
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,18 @@
"commands": [
"weasyprint"
]
},
"demaconsulting.sonarmark": {
"version": "1.0.0",
"commands": [
"sonarmark"
]
},
"demaconsulting.sarifmark": {
"version": "1.0.1",
"commands": [
"sarifmark"
]
}
}
}
6 changes: 5 additions & 1 deletion .cspell.json
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,11 @@
"Blockquotes",
"tracematrix",
"testname",
"filepart"
"filepart",
"hotspots",
"CodeQL",
"SonarMark",
"SarifMark"
],
"ignorePaths": [
"node_modules",
Expand Down
17 changes: 17 additions & 0 deletions .github/codeql-config.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
---
# CodeQL configuration for ReqStream
# Excludes test code from path-combine security analysis
# Excludes justified generic exception handlers

name: "ReqStream CodeQL Config"

# Query filters to disable specific queries for certain paths
query-filters:
- exclude:

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are these excludes needed? Did you make sure the code actually requires these by inspecting the CodeQL analysis, or are these just copies from the other project?

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, both excludes are justified by the actual code:

  1. cs/path-combine: Test code uses Path.Combine extensively (100+ occurrences) to create temporary test files with controlled values (e.g., Path.Combine(_testDirectory, "requirements.yaml")). These are not security risks since they use hardcoded strings and GUIDs, not user input.

  2. cs/catch-of-all-exceptions: Program.cs line 74 has a justified catch-all handler that logs unexpected errors and re-throws them for event logging - a standard pattern for top-level exception handling.

id: cs/path-combine
paths:
- test/**/*.cs
- exclude:
id: cs/catch-of-all-exceptions
paths:
- src/DemaConsulting.ReqStream/Program.cs
110 changes: 109 additions & 1 deletion .github/workflows/build.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -197,10 +197,65 @@ jobs:
name: integration-test-results-${{ matrix.os }}-dotnet${{ matrix.dotnet-version }}
path: integration-test-*.trx

codeql:
name: CodeQL Analysis
needs: quality-checks
runs-on: ubuntu-latest
permissions:
actions: read
contents: read
security-events: write

steps:
- name: Checkout repository
uses: actions/checkout@v6

- name: Setup dotnet
uses: actions/setup-dotnet@v5
with:
dotnet-version: |
8.x
9.x
10.x

- name: Initialize CodeQL
uses: github/codeql-action/init@v4
with:
languages: csharp
queries: security-and-quality
config-file: ./.github/codeql-config.yml
build-mode: manual

- name: Restore dotnet tools
run: dotnet tool restore

- name: Restore dependencies
run: dotnet restore

- name: Build
run: >
dotnet build
--no-restore
--configuration Release
--property:Version=${{ inputs.version }}

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v4
with:
category: "/language:csharp"
output: sarif-results
upload: false

- name: Upload SARIF
uses: actions/upload-artifact@v6
with:
name: codeql-sarif
path: sarif-results/csharp.sarif

build-docs:
name: Build Documentation
runs-on: windows-latest
needs: [build, integration-test]
needs: [build, integration-test, codeql]
permissions:
contents: read

Expand All @@ -221,6 +276,12 @@ jobs:
name: packages-windows-latest
path: packages

- name: Download CodeQL SARIF
uses: actions/download-artifact@v7
with:
name: codeql-sarif
path: codeql-results

- name: Setup Node.js
uses: actions/setup-node@v6
with:
Expand Down Expand Up @@ -291,6 +352,53 @@ jobs:
docs/tracematrix/tracematrix.html
"docs/ReqStream Trace Matrix.pdf"

- name: Generate CodeQL Quality Report with SarifMark
shell: pwsh
run: >
dotnet sarifmark
--sarif codeql-results/csharp.sarif
--report docs/quality/codeql-quality.md
--heading "ReqStream CodeQL Analysis"
--report-depth 1

- name: Display CodeQL Quality Report
shell: pwsh
run: |
echo "=== CodeQL Quality Report ==="
Get-Content docs/quality/codeql-quality.md

- name: Generate Code Quality Report with SonarMark
shell: pwsh
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
run: >
dotnet sonarmark
--server https://sonarcloud.io
--project-key demaconsulting_ReqStream
--branch ${{ github.ref_name }}
--token "$env:SONAR_TOKEN"
--report docs/quality/sonar-quality.md
--report-depth 1

- name: Display SonarCloud Quality Report
shell: pwsh
run: |
echo "=== SonarCloud Quality Report ==="
Get-Content docs/quality/sonar-quality.md

- name: Generate Code Quality HTML with Pandoc
run: >
dotnet pandoc
--defaults docs/quality/definition.yaml
--output docs/quality/quality.html

- name: Generate Code Quality PDF with Weasyprint
run: >
dotnet weasyprint
--pdf-variant pdf/a-3u
docs/quality/quality.html
"docs/ReqStream Code Quality.pdf"

- name: Upload documentation
uses: actions/upload-artifact@v6
with:
Expand Down
2 changes: 2 additions & 0 deletions .github/workflows/build_on_push.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -11,8 +11,10 @@ jobs:
build:
name: Build
permissions:
actions: read
contents: read
pull-requests: write
security-events: write
uses: ./.github/workflows/build.yaml
with:
version: 0.0.0-run.${{ github.run_number }}
Expand Down
2 changes: 2 additions & 0 deletions .github/workflows/release.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -21,8 +21,10 @@ jobs:
build:
name: Build
permissions:
actions: read
contents: read
pull-requests: write
security-events: write
uses: ./.github/workflows/build.yaml
with:
version: ${{ inputs.version }}
Expand Down
16 changes: 16 additions & 0 deletions docs/quality/definition.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
---
resource-path:
- docs/quality
- docs/template

input-files:
- docs/quality/title.txt
- docs/quality/introduction.md
- docs/quality/codeql-quality.md
- docs/quality/sonar-quality.md

template: template.html

table-of-contents: true

number-sections: true
35 changes: 35 additions & 0 deletions docs/quality/introduction.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,35 @@
# Introduction

This document contains the code quality analysis report for the ReqStream project.

## Purpose

This report serves as evidence that the ReqStream codebase maintains good quality
standards. It provides a comprehensive analysis of code quality metrics, including
quality gate status, code issues, security hotspots, technical debt, and code coverage.

## Scope

This code quality report covers:

- Quality gate status and conditions
- Code issues categorized by type and severity
- Security hotspots requiring review
- Technical debt assessment
- Code coverage and duplication metrics

## Analysis Source

This report contains quality analysis results captured at the time this version of ReqStream
was built. It serves as evidence that the code maintains good quality standards and provides
transparency about the project's code health. The analysis includes results from various
quality tools run during the build process.

## Audience

This document is intended for:

- Software developers working on ReqStream
- Quality assurance teams reviewing code quality
- Project stakeholders evaluating project health
- Contributors understanding quality standards
17 changes: 17 additions & 0 deletions docs/quality/title.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
---
title: ReqStream Tool
subtitle: Code Quality Report
author: DEMA Consulting
description: Code Quality Report for the ReqStream Tool for managing requirements in YAML format
lang: en-US
keywords:
- ReqStream
- Code Quality
- SonarCloud
- CodeQL
- Analysis
- C#
- .NET
- Requirements
- YAML
---
Loading