diff --git a/.config/dotnet-tools.json b/.config/dotnet-tools.json index cefc3ec..52a3107 100644 --- a/.config/dotnet-tools.json +++ b/.config/dotnet-tools.json @@ -33,7 +33,7 @@ ] }, "demaconsulting.reqstream": { - "version": "1.3.0", + "version": "1.4.0", "commands": [ "reqstream" ] diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 639a641..c9de0e4 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -18,6 +18,10 @@ jobs: permissions: contents: read steps: + # === INSTALL DEPENDENCIES === + # This section installs all required dependencies and tools for quality checks. + # Downstream projects: Add any additional dependency installations here. + - name: Checkout uses: actions/checkout@v6 
@@ -30,18 +34,34 @@ jobs: run: > dotnet tool restore + # === CAPTURE TOOL VERSIONS === + # This section captures the versions of all tools used in the build process. + # Downstream projects: Add any additional tools to capture here. + - name: Capture tool versions shell: bash run: | + mkdir -p artifacts echo "Capturing tool versions..." - dotnet versionmark --capture --job-id "quality" -- dotnet git versionmark + dotnet versionmark --capture --job-id "quality" \ + --output "artifacts/versionmark-quality.json" -- \ + dotnet git versionmark echo "✓ Tool versions captured" - - name: Upload version capture - uses: actions/upload-artifact@v7 - with: - name: version-capture-quality - path: versionmark-quality.json + # === CAPTURE OTS SELF-VALIDATION RESULTS === + # This section runs the self-validation of each OTS tool and saves TRX results + # so that OTS Software Requirements in requirements.yaml can be satisfied. + # Downstream projects: Add any additional OTS tool self-validation steps here. + + - name: Run VersionMark self-validation + run: > + dotnet versionmark + --validate + --results artifacts/versionmark-self-validation-quality.trx + + # === RUN QUALITY CHECKS === + # This section runs the linting and quality checks for the project. + # Downstream projects: Add any additional quality check steps here. - name: Run markdown linter uses: DavidAnson/markdownlint-cli2-action@v22 @@ -59,6 +79,16 @@ jobs: with: config_file: .yamllint.yaml + # === UPLOAD ARTIFACTS === + # This section uploads all generated artifacts for use by downstream jobs. + # Downstream projects: Add any additional artifact uploads here. + + - name: Upload quality artifacts + uses: actions/upload-artifact@v7 + with: + name: artifacts-quality + path: artifacts/ + # Builds and unit-tests the project on supported operating systems to ensure # unit-tests operate on all platforms and to run SonarScanner for generating # the code quality report. 
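Review bot: The new `Upload quality artifacts` step references `actions/upload-artifact@v7` by a movable tag, so the code that runs is whatever that tag points to at run time. Pinning to a full commit SHA keeps the step reproducible, e.g. `uses: actions/upload-artifact@<full-commit-sha>  # v7` (placeholder; take the SHA from the release you reviewed). The same applies to the `Upload build artifacts`, `Upload packages` and `Upload CodeQL artifacts` steps and to `actions/download-artifact@v8` in the later hunks of this file. It matters most in the build job, which holds `pull-requests: write` and uses `secrets.SONAR_TOKEN`.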
@@ -66,8 +96,8 @@ jobs: name: Build ${{ matrix.os }} needs: quality-checks permissions: - contents: read # To read repository contents - pull-requests: write # To write pull requests analysis results and artifacts + contents: read + pull-requests: write strategy: matrix: @@ -77,6 +107,10 @@ jobs: steps: + # === INSTALL DEPENDENCIES === + # This section installs all required dependencies and tools for building the project. + # Downstream projects: Add any additional dependency installations here. + - name: Checkout uses: actions/checkout@v6 with: @@ -94,6 +128,38 @@ jobs: run: > dotnet tool restore + # === CAPTURE TOOL VERSIONS === + # This section captures the versions of all tools used in the build process. + # Downstream projects: Add any additional tools to capture here. + + - name: Capture tool versions + shell: bash + run: | + mkdir -p artifacts + echo "Capturing tool versions..." + # Create short job ID: build-win, build-ubuntu + OS_SHORT=$(echo "${{ matrix.os }}" | sed 's/windows-latest/win/;s/ubuntu-latest/ubuntu/') + JOB_ID="build-${OS_SHORT}" + dotnet versionmark --capture --job-id "${JOB_ID}" \ + --output "artifacts/versionmark-${JOB_ID}.json" -- \ + dotnet git dotnet-sonarscanner versionmark + echo "✓ Tool versions captured" + + # === CAPTURE OTS SELF-VALIDATION RESULTS === + # This section runs the self-validation of each OTS tool and saves TRX results + # so that OTS Software Requirements in requirements.yaml can be satisfied. + # Downstream projects: Add any additional OTS tool self-validation steps here. + + - name: Run VersionMark self-validation + run: > + dotnet versionmark + --validate + --results artifacts/versionmark-self-validation-${{ matrix.os }}.trx + + # === BUILD AND TEST === + # This section builds and tests the project. + # Downstream projects: Add any additional build or test steps here. + - name: Restore Dependencies run: > dotnet restore 
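Review bot: The `permissions:` block of the build job loses the comments that explained each scope, so `pull-requests: write` is now granted without a stated reason. A least-privilege review depends on that rationale; keep it, e.g. `pull-requests: write  # To write pull requests analysis results and artifacts`, or drop the scope if nothing in the job needs it any more. The job's steps continue outside this hunk.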
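Review bot: In the relocated `Capture tool versions` step, `${{ matrix.os }}` is expanded into the bash script text before the shell runs. That pattern becomes script injection as soon as the expression is not a workflow-defined constant, and the section comments invite downstream projects to extend these steps, so the template should model the safe form. Pass the value through the environment instead: add `env:` with `MATRIX_OS: ${{ matrix.os }}` to the step and use `OS_SHORT=$(echo "$MATRIX_OS" | sed 's/windows-latest/win/;s/ubuntu-latest/ubuntu/')`. The `Run VersionMark self-validation` step in the same hunk interpolates `${{ matrix.os }}` into its command line the same way.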
@@ -126,7 +192,7 @@ jobs: --property:Version=${{ inputs.version }} --collect "XPlat Code Coverage;Format=opencover" --logger "trx;LogFilePrefix=${{ matrix.os }}" - --results-directory test-results + --results-directory artifacts - name: End Sonar Scanner env: @@ -136,40 +202,27 @@ jobs: end /d:sonar.token="${{ secrets.SONAR_TOKEN }}" - - name: Create Dotnet Tool + - name: Create Library Package run: > dotnet pack --no-build --no-restore --property:PackageVersion=${{ inputs.version }} - - name: Capture tool versions - shell: bash - run: | - echo "Capturing tool versions..." - # Create short job ID: build-win, build-ubuntu - OS_SHORT=$(echo "${{ matrix.os }}" | sed 's/windows-latest/win/;s/ubuntu-latest/ubuntu/') - JOB_ID="build-${OS_SHORT}" - dotnet versionmark --capture --job-id "${JOB_ID}" -- \ - dotnet git dotnet-sonarscanner versionmark - echo "✓ Tool versions captured" - - - name: Upload version capture - uses: actions/upload-artifact@v7 - with: - name: version-capture-${{ matrix.os }} - path: versionmark-build-*.json + # === UPLOAD ARTIFACTS === + # This section uploads all generated artifacts for use by downstream jobs. + # Downstream projects: Add any additional artifact uploads here. - - name: Upload Test Results + - name: Upload build artifacts uses: actions/upload-artifact@v7 with: - name: test-results-${{ matrix.os }} - path: test-results/*.trx + name: artifacts-build-${{ matrix.os }} + path: artifacts/ - - name: Upload Artifacts + - name: Upload packages uses: actions/upload-artifact@v7 with: - name: artifacts-${{ matrix.os }} + name: packages-${{ matrix.os }} path: | src/DemaConsulting.SpdxModel/bin/Release/*.nupkg src/DemaConsulting.SpdxModel/bin/Release/*.snupkg 
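Review bot: `Upload build artifacts` now publishes the whole `artifacts/` directory, and the previous hunk points `--results-directory` at that same directory, so everything the test run writes there is uploaded. The old step uploaded only `test-results/*.trx`; with `--collect "XPlat Code Coverage"` the new upload presumably includes the coverage output as well. Listing the expected files keeps the artifact contents deliberate, e.g. `path: |` followed by `artifacts/**/*.trx` and `artifacts/versionmark-*.json`. If the coverage files are meant to travel to downstream jobs, a comment on the step saying so would make that intent reviewable.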
@@ -186,6 +239,10 @@ jobs: security-events: write steps: + # === INSTALL DEPENDENCIES === + # This section installs all required dependencies and tools for CodeQL analysis. + # Downstream projects: Add any additional dependency installations here. + - name: Checkout uses: actions/checkout@v6 with: @@ -214,6 +271,10 @@ jobs: run: > dotnet restore + # === BUILD AND ANALYZE === + # This section builds the project and performs CodeQL analysis. + # Downstream projects: Add any additional analysis steps here. + - name: Build run: > dotnet build @@ -225,14 +286,18 @@ jobs: uses: github/codeql-action/analyze@v4 with: category: "/language:csharp" - output: sarif-results + output: artifacts upload: false - - name: Upload CodeQL SARIF + # === UPLOAD ARTIFACTS === + # This section uploads all generated artifacts for use by downstream jobs. + # Downstream projects: Add any additional artifact uploads here. + + - name: Upload CodeQL artifacts uses: actions/upload-artifact@v7 with: - name: codeql-sarif - path: sarif-results/csharp.sarif + name: artifacts-codeql + path: artifacts/ # Builds the supporting documentation including user guides, requirements, # trace matrices, code quality reports, and build notes. @@ -252,24 +317,12 @@ jobs: - name: Checkout uses: actions/checkout@v6 - - name: Download all test results + - name: Download all job artifacts uses: actions/download-artifact@v8 with: - path: test-results - pattern: '*test-results*' - continue-on-error: true - - - name: Download CodeQL SARIF - uses: actions/download-artifact@v8 - with: - name: codeql-sarif - path: codeql-results - - - name: Download all version captures - uses: actions/download-artifact@v8 - with: - path: version-captures - pattern: 'version-capture-*' + path: artifacts + pattern: 'artifacts-*' + merge-multiple: true continue-on-error: true # === INSTALL DEPENDENCIES === 
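Review bot: The single `Download all job artifacts` step carries `continue-on-error: true`, which now also covers the CodeQL SARIF. The removed `Download CodeQL SARIF` step had no such flag and failed the job when the file was missing. With `merge-multiple: true`, all `artifacts-*` uploads are flattened into one directory, so two jobs that emit a file of the same name would overwrite each other without any error. Consider a follow-up step that fails when required evidence is absent, e.g. `test -s artifacts/csharp.sarif`, and keep per-job file names unique (the TRX and versionmark names in this commit appear to be).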
@@ -300,10 +353,46 @@ jobs: shell: bash run: | echo "Capturing tool versions..." - dotnet versionmark --capture --job-id "build-docs" -- \ + dotnet versionmark --capture --job-id "build-docs" \ + --output "artifacts/versionmark-build-docs.json" -- \ dotnet git node npm pandoc weasyprint sarifmark sonarmark reqstream buildmark versionmark echo "✓ Tool versions captured" + # === CAPTURE OTS SELF-VALIDATION RESULTS === + # This section runs the self-validation of each OTS tool and saves TRX results + # so that OTS Software Requirements in requirements.yaml can be satisfied. + # Downstream projects: Add any additional OTS tool self-validation steps here. + + - name: Run ReqStream self-validation + run: > + dotnet reqstream + --validate + --results artifacts/reqstream-self-validation.trx + + - name: Run BuildMark self-validation + run: > + dotnet buildmark + --validate + --results artifacts/buildmark-self-validation.trx + + - name: Run VersionMark self-validation + run: > + dotnet versionmark + --validate + --results artifacts/versionmark-self-validation.trx + + - name: Run SarifMark self-validation + run: > + dotnet sarifmark + --validate + --results artifacts/sarifmark-self-validation.trx + + - name: Run SonarMark self-validation + run: > + dotnet sonarmark + --validate + --results artifacts/sonarmark-self-validation.trx + # === GENERATE MARKDOWN REPORTS === # This section generates all markdown reports from various tools and sources. # Downstream projects: Add any additional markdown report generation steps here. 
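Review bot: The build-docs `Capture tool versions` script writes to `artifacts/versionmark-build-docs.json` without the `mkdir -p artifacts` that the quality and build jobs gained in this commit. Here the directory exists only if the earlier download step produced it, and that step is `continue-on-error: true`. A failed download could therefore surface as an unrelated capture or self-validation error, assuming the tools do not create the parent directory themselves. Adding `mkdir -p artifacts` as the first line of the script makes the step independent of the download; the step's `- name:` line sits above this hunk.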
@@ -312,17 +401,16 @@ jobs: run: > dotnet reqstream --requirements requirements.yaml - --tests "test-results/**/*.trx" + --tests "artifacts/**/*.trx" --report docs/requirements/requirements.md --justifications docs/justifications/justifications.md --matrix docs/tracematrix/tracematrix.md --enforce - name: Generate CodeQL Quality Report with SarifMark - shell: bash run: > dotnet sarifmark - --sarif codeql-results/csharp.sarif + --sarif artifacts/csharp.sarif --report docs/quality/codeql-quality.md --heading "SpdxModel CodeQL Analysis" --report-depth 1 @@ -373,7 +461,7 @@ jobs: run: | echo "Publishing tool versions..." dotnet versionmark --publish --report docs/buildnotes/versions.md --report-depth 1 \ - -- "versionmark-*.json" "version-captures/**/versionmark-*.json" + -- "artifacts/**/versionmark-*.json" echo "✓ Tool versions published" - name: Display Tool Versions Report @@ -390,30 +478,28 @@ jobs: shell: bash run: > dotnet pandoc - docs/buildnotes/title.txt --defaults docs/buildnotes/definition.yaml + --filter node_modules/.bin/mermaid-filter.cmd --metadata version="${{ inputs.version }}" --metadata date="$(date +'%Y-%m-%d')" - --filter node_modules/.bin/mermaid-filter.cmd --output docs/buildnotes/buildnotes.html - name: Generate User Guide HTML with Pandoc shell: bash run: > dotnet pandoc - docs/guide/title.txt --defaults docs/guide/definition.yaml + --filter node_modules/.bin/mermaid-filter.cmd --metadata version="${{ inputs.version }}" --metadata date="$(date +'%Y-%m-%d')" - --filter node_modules/.bin/mermaid-filter.cmd --output docs/guide/guide.html - name: Generate Code Quality HTML with Pandoc shell: bash run: > dotnet pandoc - docs/quality/title.txt --defaults docs/quality/definition.yaml + --filter node_modules/.bin/mermaid-filter.cmd --metadata version="${{ inputs.version }}" --metadata date="$(date +'%Y-%m-%d')" --output docs/quality/quality.html 
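Review bot: `--tests "artifacts/**/*.trx"` makes every TRX file in the merged download count as evidence for `--enforce`, including the tool self-validation results and anything else a job drops into `artifacts/`. Requirements in `requirements.yaml` that link a test name without a framework prefix are then presumably satisfied by whichever file contains that name, so a name collision or a missing platform artifact would not show in the trace matrix. A comment above the step listing the intended contributors would make the evidence set reviewable, e.g. `# Evidence: build-<os> test runs plus OTS self-validation TRX from quality, build and build-docs`.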
@@ -422,18 +508,18 @@ jobs: shell: bash run: > dotnet pandoc - docs/requirements/title.txt --defaults docs/requirements/definition.yaml + --filter node_modules/.bin/mermaid-filter.cmd --metadata version="${{ inputs.version }}" --metadata date="$(date +'%Y-%m-%d')" --output docs/requirements/requirements.html - - name: Generate Justifications HTML with Pandoc + - name: Generate Requirements Justifications HTML with Pandoc shell: bash run: > dotnet pandoc - docs/justifications/title.txt --defaults docs/justifications/definition.yaml + --filter node_modules/.bin/mermaid-filter.cmd --metadata version="${{ inputs.version }}" --metadata date="$(date +'%Y-%m-%d')" --output docs/justifications/justifications.html @@ -442,8 +528,8 @@ jobs: shell: bash run: > dotnet pandoc - docs/tracematrix/title.txt --defaults docs/tracematrix/definition.yaml + --filter node_modules/.bin/mermaid-filter.cmd --metadata version="${{ inputs.version }}" --metadata date="$(date +'%Y-%m-%d')" --output docs/tracematrix/tracematrix.html diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 67ab43f..d3cb7ab 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -55,7 +55,7 @@ jobs: - name: Download package artifacts uses: actions/download-artifact@v8 with: - name: artifacts-ubuntu-latest + name: packages-ubuntu-latest path: artifacts - name: Download documents artifact diff --git a/AGENTS.md b/AGENTS.md index a9c7f10..0d839d1 100644 --- a/AGENTS.md +++ b/AGENTS.md 
@@ -20,7 +20,7 @@ and deserializing SPDX SBOMs into an in-memory representation. ## Key Files - **`requirements.yaml`** - All requirements with test linkage (enforced via `dotnet reqstream --enforce`) -- **`.editorconfig`** - Code style (file-scoped namespaces, 4-space indent, UTF-8+BOM, LF endings) +- **`.editorconfig`** - Code style (file-scoped namespaces, 4-space indent, UTF-8, LF endings) - **`.cspell.json`, `.markdownlint-cli2.jsonc`, `.yamllint.yaml`** - Linting configs ## Requirements @@ -28,7 +28,7 @@ and deserializing SPDX SBOMs into an in-memory representation. - All requirements MUST be linked to tests - Not all tests need to be linked to requirements (tests may exist for corner cases, design testing, failure-testing, etc.) -- Enforced in CI: `dotnet reqstream --requirements requirements.yaml --tests "test-results/**/*.trx" --enforce` +- Enforced in CI: `dotnet reqstream --requirements requirements.yaml --tests "artifacts/**/*.trx" --enforce` - When adding features: add requirement + link to test ## Test Source Filters diff --git a/docs/buildnotes/definition.yaml b/docs/buildnotes/definition.yaml index d93a4ba..7eb0c4c 100644 --- a/docs/buildnotes/definition.yaml +++ b/docs/buildnotes/definition.yaml @@ -7,6 +7,7 @@ input-files: - docs/buildnotes/title.txt - docs/buildnotes/introduction.md - docs/buildnotes.md + - docs/buildnotes/versions.md template: template.html diff --git a/docs/guide/definition.yaml b/docs/guide/definition.yaml index d599e45..07533af 100644 --- a/docs/guide/definition.yaml +++ b/docs/guide/definition.yaml @@ -4,6 +4,7 @@ resource-path: - docs/template input-files: + - docs/guide/title.txt - docs/guide/guide.md template: template.html diff --git a/docs/justifications/definition.yaml b/docs/justifications/definition.yaml index ac9ad34..f197d59 100644 --- a/docs/justifications/definition.yaml +++ b/docs/justifications/definition.yaml 
@@ -4,6 +4,7 @@ resource-path: - docs/template input-files: + - docs/justifications/title.txt - docs/justifications/introduction.md - docs/justifications/justifications.md diff --git a/docs/quality/definition.yaml b/docs/quality/definition.yaml index f5e3f15..65420a4 100644 --- a/docs/quality/definition.yaml +++ b/docs/quality/definition.yaml @@ -4,6 +4,7 @@ resource-path: - docs/template input-files: + - docs/quality/title.txt - docs/quality/introduction.md - docs/quality/codeql-quality.md - docs/quality/sonar-quality.md diff --git a/docs/requirements/definition.yaml b/docs/requirements/definition.yaml index 09f51c0..8f22e65 100644 --- a/docs/requirements/definition.yaml +++ b/docs/requirements/definition.yaml @@ -4,6 +4,7 @@ resource-path: - docs/template input-files: + - docs/requirements/title.txt - docs/requirements/introduction.md - docs/requirements/requirements.md diff --git a/docs/tracematrix/definition.yaml b/docs/tracematrix/definition.yaml index 5963d9c..98c8447 100644 --- a/docs/tracematrix/definition.yaml +++ b/docs/tracematrix/definition.yaml @@ -4,6 +4,7 @@ resource-path: - docs/template input-files: + - docs/tracematrix/title.txt - docs/tracematrix/introduction.md - docs/tracematrix/tracematrix.md diff --git a/requirements.yaml b/requirements.yaml index e816f79..8acef05 100644 --- a/requirements.yaml +++ b/requirements.yaml @@ -11,7 +11,7 @@ sections: sections: - title: Serialization requirements: - - id: REQ-SER-001 + - id: SpdxModel-Ser-Deserialize22Json title: The library shall support deserializing SPDX 2.2 JSON documents. tags: - serialization @@ -22,7 +22,7 @@ sections: tests: - Spdx2JsonDeserializer_Deserialize_ValidSpdx22JsonReturnsExpectedDocument - - id: REQ-SER-002 + - id: SpdxModel-Ser-Deserialize23Json title: The library shall support deserializing SPDX 2.3 JSON documents. tags: - serialization 
@@ -33,7 +33,7 @@ sections: tests: - Spdx2JsonDeserializer_Deserialize_ValidSpdx23JsonReturnsExpectedDocument - - id: REQ-SER-003 + - id: SpdxModel-Ser-SerializeJson title: The library shall support serializing SPDX documents to JSON format. tags: - serialization @@ -46,7 +46,7 @@ sections: - title: Data Model requirements: - - id: REQ-DATA-001 + - id: SpdxModel-Data-CreationInformation title: The library shall support SPDX document creation information. tags: - data-model @@ -59,7 +59,7 @@ sections: - Spdx2JsonDeserializer_DeserializeCreationInformation_CorrectResults - Spdx2JsonSerializer_SerializeCreationInformation_CorrectResults - - id: REQ-DATA-002 + - id: SpdxModel-Data-Packages title: The library shall support SPDX packages. tags: - data-model @@ -73,7 +73,7 @@ sections: - Spdx2JsonDeserializer_DeserializePackage_CorrectResults - Spdx2JsonSerializer_SerializePackage_CorrectResults - - id: REQ-DATA-003 + - id: SpdxModel-Data-Files title: The library shall support SPDX files. tags: - data-model @@ -87,7 +87,7 @@ sections: - Spdx2JsonDeserializer_DeserializeFile_CorrectResults - Spdx2JsonSerializer_SerializeFile_CorrectResults - - id: REQ-DATA-004 + - id: SpdxModel-Data-Snippets title: The library shall support SPDX snippets. tags: - data-model @@ -101,7 +101,7 @@ sections: - Spdx2JsonDeserializer_DeserializeSnippet_CorrectResults - Spdx2JsonSerializer_SerializeSnippet_CorrectResults - - id: REQ-DATA-005 + - id: SpdxModel-Data-Relationships title: The library shall support SPDX relationships. tags: - data-model @@ -115,7 +115,7 @@ sections: - Spdx2JsonDeserializer_DeserializeRelationship_CorrectResults - Spdx2JsonSerializer_SerializeRelationship_CorrectResults - - id: REQ-DATA-006 + - id: SpdxModel-Data-Annotations title: The library shall support SPDX annotations. tags: - data-model 
@@ -129,7 +129,7 @@ sections: - Spdx2JsonDeserializer_DeserializeAnnotation_CorrectResults - Spdx2JsonSerializer_SerializeAnnotation_CorrectResults - - id: REQ-DATA-007 + - id: SpdxModel-Data-Checksums title: The library shall support SPDX checksums with multiple algorithms. tags: - data-model @@ -143,7 +143,7 @@ sections: - Spdx2JsonDeserializer_DeserializeChecksum_CorrectResults - Spdx2JsonSerializer_SerializeChecksum_CorrectResults - - id: REQ-DATA-008 + - id: SpdxModel-Data-ExternalReferences title: The library shall support SPDX external references. tags: - data-model @@ -157,7 +157,7 @@ sections: - Spdx2JsonDeserializer_DeserializeExternalReference_CorrectResults - Spdx2JsonSerializer_SerializeExternalReference_CorrectResults - - id: REQ-DATA-009 + - id: SpdxModel-Data-ExternalDocumentReferences title: The library shall support SPDX external document references. tags: - data-model @@ -171,7 +171,7 @@ sections: - Spdx2JsonDeserializer_DeserializeExternalDocumentReference_CorrectResults - Spdx2JsonSerializer_SerializeExternalDocumentReference_CorrectResults - - id: REQ-DATA-010 + - id: SpdxModel-Data-ExtractedLicensingInfo title: The library shall support SPDX extracted licensing information. tags: - data-model @@ -185,7 +185,7 @@ sections: - Spdx2JsonDeserializer_DeserializeExtractedLicensingInfo_CorrectResults - Spdx2JsonSerializer_SerializeExtractedLicensingInfo_CorrectResults - - id: REQ-DATA-011 + - id: SpdxModel-Data-PackageVerificationCodes title: The library shall support SPDX package verification codes. tags: - data-model @@ -199,7 +199,7 @@ sections: - Spdx2JsonDeserializer_DeserializePackageVerificationCode_CorrectResults - Spdx2JsonSerializer_SerializePackageVerificationCode_CorrectResults - - id: REQ-DATA-012 + - id: SpdxModel-Data-RelationshipUtilities title: The library shall provide utilities for manipulating SPDX relationships. tags: - data-model 
@@ -211,7 +211,7 @@ sections: - SpdxRelationships_AddSingle_Success - SpdxRelationships_AddMultiple_Success - - id: REQ-DATA-013 + - id: SpdxModel-Data-RootPackages title: The library shall support retrieving root packages from an SPDX document. tags: - data-model @@ -222,7 +222,7 @@ sections: tests: - SpdxDocument_GetRootPackages_CorrectPackages - - id: REQ-DATA-014 + - id: SpdxModel-Data-DeepCopy title: The library shall support deep copying of SPDX elements. tags: - data-model @@ -235,7 +235,7 @@ sections: - SpdxPackage_DeepCopy_CreatesEqualButDistinctInstance - SpdxFile_DeepCopy_CreatesEqualButDistinctInstance - - id: REQ-DATA-015 + - id: SpdxModel-Data-NullableReferenceTypes title: The library shall provide type-safe APIs with nullable reference types. tags: - data-model @@ -247,7 +247,7 @@ sections: - SpdxDocument_DeepCopy_CreatesEqualButDistinctInstance - SpdxPackage_DeepCopy_CreatesEqualButDistinctInstance - - id: REQ-DATA-016 + - id: SpdxModel-Data-ComparisonUtilities title: The library shall provide comparison utilities for SPDX elements. tags: - data-model @@ -263,7 +263,7 @@ sections: - title: Validation requirements: - - id: REQ-VAL-001 + - id: SpdxModel-Val-ElementValidation title: The library shall support validation of SPDX elements. tags: - validation @@ -279,7 +279,7 @@ sections: - title: Platform Requirements requirements: - - id: REQ-PLAT-001 + - id: SpdxModel-Plt-Net8 title: The library shall support .NET 8 runtime. tags: - platform @@ -291,7 +291,7 @@ sections: - net8.0@Spdx2JsonDeserializer_Deserialize_ValidSpdx22JsonReturnsExpectedDocument - net8.0@Spdx2JsonSerializer_SerializeDocument_CorrectResults - - id: REQ-PLAT-002 + - id: SpdxModel-Plt-Net9 title: The library shall support .NET 9 runtime. tags: - platform 
@@ -303,7 +303,7 @@ sections: - net9.0@Spdx2JsonDeserializer_Deserialize_ValidSpdx22JsonReturnsExpectedDocument - net9.0@Spdx2JsonSerializer_SerializeDocument_CorrectResults - - id: REQ-PLAT-003 + - id: SpdxModel-Plt-Net10 title: The library shall support .NET 10 runtime. tags: - platform @@ -315,7 +315,7 @@ sections: - net10.0@Spdx2JsonDeserializer_Deserialize_ValidSpdx22JsonReturnsExpectedDocument - net10.0@Spdx2JsonSerializer_SerializeDocument_CorrectResults - - id: REQ-PLAT-004 + - id: SpdxModel-Plt-NetStd20 title: The library shall support the .NET Standard 2.0 target framework. tags: - platform 
@@ -329,3 +329,85 @@ sections: tests: - "net481@Spdx2JsonDeserializer_Deserialize_ValidSpdx22JsonReturnsExpectedDocument" - "net481@Spdx2JsonSerializer_SerializeDocument_CorrectResults" + + - title: OTS Software + requirements: + - id: SpdxModel-OTS-MSTest + title: MSTest shall execute unit tests and report results. + tags: + - ots + justification: | + MSTest (MSTest.TestFramework and MSTest.TestAdapter) is the unit-testing framework used + by the project. It discovers and runs all test methods and writes TRX result files that + feed into coverage reporting and requirements traceability. Passing tests confirm the + framework is functioning correctly. + tests: + - Spdx2JsonDeserializer_Deserialize_ValidSpdx22JsonReturnsExpectedDocument + - Spdx2JsonDeserializer_Deserialize_ValidSpdx23JsonReturnsExpectedDocument + - Spdx2JsonSerializer_SerializeDocument_CorrectResults + + - id: SpdxModel-OTS-ReqStream + title: ReqStream shall enforce that every requirement is linked to passing test evidence. + tags: + - ots + justification: | + DemaConsulting.ReqStream processes requirements.yaml and the TRX test-result files to + produce a requirements report, justifications document, and traceability matrix. When + run with --enforce, it exits with a non-zero code if any requirement lacks test evidence, + making unproven requirements a build-breaking condition. A successful pipeline run with + --enforce proves all requirements are covered and that ReqStream is functioning. + tests: + - ReqStream_EnforcementMode + + - id: SpdxModel-OTS-BuildMark + title: BuildMark shall generate build-notes documentation from GitHub Actions metadata. + tags: + - ots + justification: | + DemaConsulting.BuildMark queries the GitHub API to capture workflow run details and + renders them as a markdown build-notes document included in the release artifacts. 
+ It runs as part of the same CI pipeline that produces the TRX test results, so a + successful pipeline run is evidence that BuildMark executed without error. + tests: + - BuildMark_MarkdownReportGeneration + + - id: SpdxModel-OTS-VersionMark + title: VersionMark shall publish captured tool-version information. + tags: + - ots + justification: | + DemaConsulting.VersionMark reads version metadata for each dotnet tool used in the + pipeline and writes a versions markdown document included in the release artifacts. + It runs in the same CI pipeline that produces the TRX test results, so a successful + pipeline run is evidence that VersionMark executed without error. + tests: + - VersionMark_CapturesVersions + - VersionMark_GeneratesMarkdownReport + + - id: SpdxModel-OTS-SarifMark + title: SarifMark shall convert CodeQL SARIF results into a markdown report. + tags: + - ots + justification: | + DemaConsulting.SarifMark reads the SARIF output produced by CodeQL code scanning and + renders it as a human-readable markdown document included in the release artifacts. + It runs in the same CI pipeline that produces the TRX test results, so a successful + pipeline run is evidence that SarifMark executed without error. + tests: + - SarifMark_SarifReading + - SarifMark_MarkdownReportGeneration + + - id: SpdxModel-OTS-SonarMark + title: SonarMark shall generate a SonarCloud quality report. + tags: + - ots + justification: | + DemaConsulting.SonarMark retrieves quality-gate and metrics data from SonarCloud and + renders it as a markdown document included in the release artifacts. It runs in the + same CI pipeline that produces the TRX test results, so a successful pipeline run is + evidence that SonarMark executed without error. + tests: + - SonarMark_QualityGateRetrieval + - SonarMark_IssuesRetrieval + - SonarMark_HotSpotsRetrieval + - SonarMark_MarkdownReportGeneration
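Review bot: The justifications for `SpdxModel-OTS-BuildMark`, `SpdxModel-OTS-VersionMark`, `SpdxModel-OTS-SarifMark` and `SpdxModel-OTS-SonarMark` cite "a successful pipeline run" as the evidence. The linked `tests:` entries (`BuildMark_MarkdownReportGeneration`, `VersionMark_CapturesVersions`, and so on) look like names emitted by the `--validate` self-validation steps this commit adds to `build.yaml`. The text should name that source, e.g. `Evidence is the TRX written by 'dotnet versionmark --validate' in CI.`, and note that the result applies to the tool version pinned in `.config/dotnet-tools.json`. Self-validation is produced by the tool being qualified, so the justification should not present it as independent verification.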