demaconsulting · Malcolmnixon · Jan 27, 2026 · Jan 26, 2026 · Jan 26, 2026
diff --git a/.github/codeql-config.yml b/.github/codeql-config.yml
@@ -1,6 +1,8 @@
 ---
 # CodeQL configuration for SonarMark
 # Excludes test code from path-combine security analysis
+# Excludes justified generic exception handlers
+# Excludes HttpResponseMessage disposal warnings in HttpMessageHandler implementations
 
 name: "SonarMark CodeQL Config"
 
@@ -10,3 +12,13 @@ query-filters:
       id: cs/path-combine
     paths:
       - test/**/*.cs
+  - exclude:
+      id: cs/catch-of-all-exceptions
+    paths:
+      - src/DemaConsulting.SonarMark/Context.cs
+      - src/DemaConsulting.SonarMark/Program.cs
+      - src/DemaConsulting.SonarMark/Validation.cs
+  - exclude:
+      id: cs/local-not-disposed
+    paths:
+      - src/DemaConsulting.SonarMark/Validation.cs
diff --git a/src/DemaConsulting.SonarMark/Context.cs b/src/DemaConsulting.SonarMark/Context.cs
@@ -171,6 +171,7 @@ private void OpenLogFile(string logFile)
         {
             _logWriter = new StreamWriter(logFile, append: false);
         }
+        // Generic catch is justified here to wrap any file system exception with context
         catch (Exception ex)
         {
             throw new InvalidOperationException($"Failed to open log file '{logFile}': {ex.Message}", ex);

diff --git a/src/DemaConsulting.SonarMark/Program.cs b/src/DemaConsulting.SonarMark/Program.cs
@@ -211,6 +211,7 @@ private static void ProcessSonarAnalysis(Context context)
                 File.WriteAllText(context.ReportFile, markdown);
                 context.WriteLine("Quality report generated successfully.");
             }
+            // Generic catch is justified here as a top-level handler to log any error without crashing
             catch (Exception ex)
             {
                 context.WriteError($"Error: Failed to write report: {ex.Message}");

diff --git a/src/DemaConsulting.SonarMark/SonarQubeClient.cs b/src/DemaConsulting.SonarMark/SonarQubeClient.cs
@@ -203,21 +203,15 @@ private async Task<string> GetProjectNameByKeyAsync(
     /// <returns>List of quality gate conditions</returns>
     private static List<SonarQualityCondition> ParseQualityGateConditions(JsonElement projectStatus)
     {
-        var conditions = new List<SonarQualityCondition>();
-
         if (!projectStatus.TryGetProperty("conditions", out var conditionsElement) ||
             conditionsElement.ValueKind != JsonValueKind.Array)
         {
-            return conditions;
-        }
-
-        foreach (var condition in conditionsElement.EnumerateArray())
-        {
-            var parsedCondition = ParseQualityGateCondition(condition);
-            conditions.Add(parsedCondition);
+            return [];
         }
 
-        return conditions;
+        return conditionsElement.EnumerateArray()
+            .Select(ParseQualityGateCondition)
+            .ToList();
     }
 
     /// <summary>
@@ -284,20 +278,14 @@ private async Task<List<SonarIssue>> GetIssuesAsync(
     /// <returns>List of parsed issues</returns>
     private static List<SonarIssue> ParseIssues(JsonElement issuesElement)
     {
-        var issues = new List<SonarIssue>();
-
         if (issuesElement.ValueKind != JsonValueKind.Array)
         {
-            return issues;
-        }
-
-        foreach (var issue in issuesElement.EnumerateArray())
-        {
-            var parsedIssue = ParseIssue(issue);
-            issues.Add(parsedIssue);
+            return [];
         }
 
-        return issues;
+        return issuesElement.EnumerateArray()
+            .Select(ParseIssue)
+            .ToList();
     }
 
     /// <summary>
@@ -365,20 +353,14 @@ private async Task<List<SonarHotSpot>> GetHotSpotsAsync(
     /// <returns>List of parsed hot-spots</returns>
     private static List<SonarHotSpot> ParseHotSpots(JsonElement hotSpotsElement)
     {
-        var hotSpots = new List<SonarHotSpot>();
-
         if (hotSpotsElement.ValueKind != JsonValueKind.Array)
         {
-            return hotSpots;
-        }
-
-        foreach (var hotSpot in hotSpotsElement.EnumerateArray())
-        {
-            var parsedHotSpot = ParseHotSpot(hotSpot);
-            hotSpots.Add(parsedHotSpot);
+            return [];
         }
 
-        return hotSpots;
+        return hotSpotsElement.EnumerateArray()
+            .Select(ParseHotSpot)
+            .ToList();
     }
 
     /// <summary>

diff --git a/src/DemaConsulting.SonarMark/Validation.cs b/src/DemaConsulting.SonarMark/Validation.cs
@@ -317,6 +317,7 @@
                 context.WriteError($"✗ {displayName} - FAILED: Exit code {exitCode}");
             }
         }
+        // Generic catch is justified here to handle any exception during test execution
         catch (Exception ex)
         {
             HandleTestException(test, context, displayName, ex);
@@ -370,6 +371,7 @@
             File.WriteAllText(context.ResultsFile, content);
             context.WriteLine($"Results written to {context.ResultsFile}");
         }
+        // Generic catch is justified here as a top-level handler to log file write errors
         catch (Exception ex)
         {
             context.WriteError($"Error: Failed to write results file: {ex.Message}");
@@ -427,6 +429,11 @@
     /// <summary>
     ///     Mock HTTP message handler that returns predefined responses for validation testing.
     /// </summary>
+    /// <remarks>
+    ///     HttpResponseMessage objects returned from SendAsync are owned by the HttpClient
+    ///     and will be disposed by the framework. CodeQL warnings about non-disposal here
+    ///     are false positives as this follows the standard HttpMessageHandler pattern.
+    /// </remarks>
     private sealed class MockHttpMessageHandler : HttpMessageHandler
     {
         /// <summary>
@@ -452,7 +459,7 @@
                    """;
                return Task.FromResult(new HttpResponseMessage(HttpStatusCode.OK)
                {
                    Content = new StringContent(json, Encoding.UTF8, "application/json")
                });
            }


diff --git a/test/DemaConsulting.SonarMark.Tests/ContextTests.cs b/test/DemaConsulting.SonarMark.Tests/ContextTests.cs
@@ -394,7 +394,7 @@ public void Context_Create_UnsupportedArgument_ThrowsException()
     public void Context_WriteLine_NormalMode_WritesToConsole()
     {
         var originalOut = Console.Out;
-        var output = new StringWriter();
+        using var output = new StringWriter();
         Console.SetOut(output);
 
         try
@@ -417,7 +417,7 @@ public void Context_WriteLine_NormalMode_WritesToConsole()
     public void Context_WriteLine_SilentMode_DoesNotWriteToConsole()
     {
         var originalOut = Console.Out;
-        var output = new StringWriter();
+        using var output = new StringWriter();
         Console.SetOut(output);
 
         try
@@ -440,7 +440,7 @@ public void Context_WriteLine_SilentMode_DoesNotWriteToConsole()
     public void Context_WriteError_NormalMode_WritesToConsole()
     {
         var originalOut = Console.Out;
-        var output = new StringWriter();
+        using var output = new StringWriter();
         Console.SetOut(output);
 
         try
@@ -464,7 +464,7 @@ public void Context_WriteError_NormalMode_WritesToConsole()
     public void Context_WriteError_SilentMode_DoesNotWriteToConsole()
     {
         var originalOut = Console.Out;
-        var output = new StringWriter();
+        using var output = new StringWriter();
         Console.SetOut(output);
 
         try

diff --git a/test/DemaConsulting.SonarMark.Tests/ProgramTests.cs b/test/DemaConsulting.SonarMark.Tests/ProgramTests.cs
@@ -23,7 +23,7 @@ public void Program_Version_NotEmpty_IsNotEmpty()
     public void Program_Run_VersionFlag_OutputsVersion()
     {
         var originalOut = Console.Out;
-        var output = new StringWriter();
+        using var output = new StringWriter();
         Console.SetOut(output);
 
         try
@@ -46,7 +46,7 @@ public void Program_Run_VersionFlag_OutputsVersion()
     public void Program_Run_HelpFlag_OutputsBannerAndHelp()
     {
         var originalOut = Console.Out;
-        var output = new StringWriter();
+        using var output = new StringWriter();
         Console.SetOut(output);
 
         try
@@ -86,7 +86,7 @@ public void Program_Run_ValidateFlag_OutputsNotImplemented()
     public void Program_Run_NoFlags_OutputsBannerAndRequiresServer()
     {
         var originalOut = Console.Out;
-        var output = new StringWriter();
+        using var output = new StringWriter();
         Console.SetOut(output);
 
         try
@@ -112,7 +112,7 @@ public void Program_Run_NoFlags_OutputsBannerAndRequiresServer()
     public void Program_Run_ServerWithoutProjectKey_OutputsError()
     {
         var originalOut = Console.Out;
-        var output = new StringWriter();
+        using var output = new StringWriter();
         Console.SetOut(output);
 
         try
@@ -137,7 +137,7 @@ public void Program_Run_ServerWithoutProjectKey_OutputsError()
     public void Program_Run_SilentFlag_SuppressesBanner()
     {
         var originalOut = Console.Out;
-        var output = new StringWriter();
+        using var output = new StringWriter();
         Console.SetOut(output);
 
         try