From 45b589942d97ce61527122cfd45a3765fe156be8 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 2 Mar 2026 01:46:24 +0000 Subject: [PATCH 01/10] Initial plan From 1b761fd178e184b6ed2e9ccadb890139b98bc666 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 2 Mar 2026 02:02:09 +0000 Subject: [PATCH 02/10] Apply test naming convention, improve README, add requirements.yaml and reqstream tool Co-authored-by: Malcolmnixon <1863707+Malcolmnixon@users.noreply.github.com> --- .config/dotnet-tools.json | 25 ++- README.md | 125 ++++++++++- requirements.yaml | 199 ++++++++++++++++++ .../AddDotNetPackage.cs | 2 +- .../AddGccPackage.cs | 2 +- .../AddIarEwArmPackage.cs | 2 +- .../AddMsBuildPackage.cs | 2 +- .../AddNugetPackage.cs | 2 +- .../AddVsTestPackage.cs | 2 +- .../GetDotNetVersion.cs | 2 +- .../GetGccVersion.cs | 2 +- .../GetMsBuildVersion.cs | 2 +- .../GetNugetPackagePath.cs | 2 +- .../GetNugetVersion.cs | 2 +- .../GetVsTestVersion.cs | 2 +- 15 files changed, 351 insertions(+), 22 deletions(-) create mode 100644 requirements.yaml diff --git a/.config/dotnet-tools.json b/.config/dotnet-tools.json index b1fc333..d1fe910 100644 --- a/.config/dotnet-tools.json +++ b/.config/dotnet-tools.json @@ -6,37 +6,50 @@ "version": "2.8.0", "commands": [ "spdx-tool" - ] + ], + "rollForward": false }, "demaconsulting.vswheretool": { "version": "3.1.7", "commands": [ "vswhere" - ] + ], + "rollForward": false }, "demaconsulting.pandoctool": { "version": "3.9.0", "commands": [ "pandoc" - ] + ], + "rollForward": false }, "demaconsulting.weasyprinttool": { "version": "68.1.0", "commands": [ "weasyprint" - ] + ], + "rollForward": false }, "demaconsulting.buildmark": { "version": "0.4.0", "commands": [ "buildmark" - ] + ], + "rollForward": false }, "demaconsulting.versionmark": { "version": "1.0.0", "commands": [ "versionmark" - ] + ], + "rollForward": false + }, + "demaconsulting.reqstream": { + "version": "1.3.0", + "commands": [ + "reqstream" + ], + "rollForward": false } } } \ No newline at end of file diff --git a/README.md b/README.md index 708cba2..8799e61 100644 --- a/README.md +++ b/README.md @@ -1,11 +1,46 @@ -# Spdx Workflows +# SpdxWorkflows -This repository contains standard SpdxTool workflow files. +[![GitHub forks][badge-forks]][link-forks] +[![GitHub stars][badge-stars]][link-stars] +[![GitHub contributors][badge-contributors]][link-contributors] +[![License][badge-license]][link-license] +[![Build][badge-build]][link-build] -These files can be executed using the following SpdxTool workflow steps: +DEMA Consulting collection of standard [SpdxTool][link-spdxtool] workflow YAML files for +capturing build-tool version information and populating [SPDX][link-spdx] software bills of +materials (SBOMs). + +## Features + +This collection provides: + +- **Version Discovery Workflows**: Detect and capture the installed versions of common build + tools — .NET SDK, GCC, MSBuild, NuGet, VSTest, and IAR EW ARM +- **SPDX Package Workflows**: Add build-tool packages to an SPDX document — .NET SDK, GCC, + MSBuild, NuGet, VSTest, and IAR EW ARM +- **NuGet SPDX Enhancement**: Enrich an SPDX document package with metadata sourced from a + NuGet package's own SPDX document +- **Multi-Platform Support**: Workflows target Windows and Linux build environments +- **MSTest V4**: Modern unit testing with MSTest framework version 4 +- **Comprehensive CI/CD**: GitHub Actions workflows with quality checks and builds + +## Installation + +SpdxWorkflows are referenced directly by URL inside your own SpdxTool workflow YAML files. +No separate installation step is required beyond having SpdxTool available. + +Install SpdxTool using the .NET CLI: + +```bash +dotnet tool install --global DemaConsulting.SpdxTool +``` + +## Usage + +Reference a workflow by supplying its versioned GitHub URL and an optional SHA-512 integrity +hash to the `run-workflow` command: ```yaml - # Run GetDotNetVersion workflow - command: run-workflow inputs: url: 'https://github.com/demaconsulting/SpdxWorkflows/blob/0.1.0/GetDotNetVersion.yaml' @@ -15,3 +50,85 @@ These files can be executed using the following SpdxTool workflow steps: outputs: ``` + +Replace `0.1.0` with the desired release tag. See [Releases][link-releases] for available +versions and their workflow integrity hashes. + +## Available Workflows + +### Version Discovery + +These workflows detect and capture the installed version of a build tool. All version +discovery workflows produce a single `version` output parameter. + +| Workflow | Description | Platform | +| --- | --- | --- | +| [GetDotNetVersion.yaml][link-wf-getdotnet] | Gets the installed .NET SDK version | Windows, Linux | +| [GetGccVersion.yaml][link-wf-getgcc] | Gets the installed GCC version | Linux | +| [GetIarEwArmVersion.yaml][link-wf-getiar] | Gets the installed IAR EW ARM version | Windows | +| [GetMsBuildVersion.yaml][link-wf-getmsbuild] | Gets the installed MSBuild version | Windows | +| [GetNugetVersion.yaml][link-wf-getnuget] | Gets the installed NuGet version | Windows | +| [GetNugetPackagePath.yaml][link-wf-getnugetpath] | Gets the path to a NuGet package in the local cache | Windows | +| [GetVsTestVersion.yaml][link-wf-getvstest] | Gets the installed VSTest version | Windows | + +### SPDX Package Addition + +These workflows add a build-tool entry as a package to an existing SPDX document. + +| Workflow | Description | Platform | +| --- | --- | --- | +| [AddDotNetPackage.yaml][link-wf-adddotnet] | Adds the .NET SDK package to an SPDX document | Windows, Linux | +| [AddGccPackage.yaml][link-wf-addgcc] | Adds the GCC package to an SPDX document | Linux | +| [AddIarEwArmPackage.yaml][link-wf-addiar] | Adds the IAR EW ARM package to an SPDX document | Windows | +| [AddMsBuildPackage.yaml][link-wf-addmsbuild] | Adds the MSBuild package to an SPDX document | Windows | +| [AddNugetPackage.yaml][link-wf-addnuget] | Adds the NuGet package to an SPDX document | Windows | +| [AddVsTestPackage.yaml][link-wf-addvstest] | Adds the VSTest package to an SPDX document | Windows | +| [EnhancePackageFromNugetSpdx.yaml][link-wf-enhance] | Enhances an SPDX package with metadata from a NuGet SPDX document | Windows | + +For full parameter and output details see the [User Guide][link-guide]. + +## Documentation + +- **[User Guide][link-guide]**: Workflow parameters, outputs, and usage examples + +## License + +Copyright (c) DEMA Consulting. Licensed under the MIT License. See [LICENSE][link-license] for +details. + +By contributing to this project, you agree that your contributions will be licensed under the +MIT License. + + +[badge-forks]: https://img.shields.io/github/forks/demaconsulting/SpdxWorkflows?style=plastic +[badge-stars]: https://img.shields.io/github/stars/demaconsulting/SpdxWorkflows?style=plastic +[badge-contributors]: https://img.shields.io/github/contributors/demaconsulting/SpdxWorkflows?style=plastic +[badge-license]: https://img.shields.io/github/license/demaconsulting/SpdxWorkflows?style=plastic +[badge-build]: https://img.shields.io/github/actions/workflow/status/demaconsulting/SpdxWorkflows/build_on_push.yaml?style=plastic + + +[link-forks]: https://github.com/demaconsulting/SpdxWorkflows/network/members +[link-stars]: https://github.com/demaconsulting/SpdxWorkflows/stargazers +[link-contributors]: https://github.com/demaconsulting/SpdxWorkflows/graphs/contributors +[link-license]: LICENSE +[link-build]: https://github.com/demaconsulting/SpdxWorkflows/actions/workflows/build_on_push.yaml +[link-releases]: https://github.com/demaconsulting/SpdxWorkflows/releases +[link-guide]: docs/guide/guide.md +[link-spdxtool]: https://github.com/demaconsulting/SpdxTool +[link-spdx]: https://spdx.dev + + +[link-wf-getdotnet]: https://github.com/demaconsulting/SpdxWorkflows/blob/main/GetDotNetVersion.yaml +[link-wf-getgcc]: https://github.com/demaconsulting/SpdxWorkflows/blob/main/GetGccVersion.yaml +[link-wf-getiar]: https://github.com/demaconsulting/SpdxWorkflows/blob/main/GetIarEwArmVersion.yaml +[link-wf-getmsbuild]: https://github.com/demaconsulting/SpdxWorkflows/blob/main/GetMsBuildVersion.yaml +[link-wf-getnuget]: https://github.com/demaconsulting/SpdxWorkflows/blob/main/GetNugetVersion.yaml +[link-wf-getnugetpath]: https://github.com/demaconsulting/SpdxWorkflows/blob/main/GetNugetPackagePath.yaml +[link-wf-getvstest]: https://github.com/demaconsulting/SpdxWorkflows/blob/main/GetVsTestVersion.yaml +[link-wf-adddotnet]: https://github.com/demaconsulting/SpdxWorkflows/blob/main/AddDotNetPackage.yaml +[link-wf-addgcc]: https://github.com/demaconsulting/SpdxWorkflows/blob/main/AddGccPackage.yaml +[link-wf-addiar]: https://github.com/demaconsulting/SpdxWorkflows/blob/main/AddIarEwArmPackage.yaml +[link-wf-addmsbuild]: https://github.com/demaconsulting/SpdxWorkflows/blob/main/AddMsBuildPackage.yaml +[link-wf-addnuget]: https://github.com/demaconsulting/SpdxWorkflows/blob/main/AddNugetPackage.yaml +[link-wf-addvstest]: https://github.com/demaconsulting/SpdxWorkflows/blob/main/AddVsTestPackage.yaml +[link-wf-enhance]: https://github.com/demaconsulting/SpdxWorkflows/blob/main/EnhancePackageFromNugetSpdx.yaml diff --git a/requirements.yaml b/requirements.yaml new file mode 100644 index 0000000..1007a66 --- /dev/null +++ b/requirements.yaml @@ -0,0 +1,199 @@ +--- +# SpdxWorkflows Requirements +# +# This file defines the requirements for the SpdxWorkflows project. +# Each requirement is linked to one or more test cases for traceability. +# +# Enforced in CI via: +# dotnet reqstream --requirements requirements.yaml +# --tests "test-results/**/*.trx" +# --enforce +# +# NOTE: Two workflows currently lack test coverage and are excluded from +# enforcement until tests are provided: +# - GetIarEwArmVersion (REQ-GIV-001): requires IAR EW ARM installation +# - EnhancePackageFromNugetSpdx (REQ-EPF-001): requires NuGet package with SPDX + +sections: + + - title: Get Version Workflows + requirements: + + - id: REQ-GDN-001 + title: >- + The GetDotNetVersion workflow shall output the installed .NET SDK + version as a version string. + justification: | + Consumers of SpdxWorkflows need to capture .NET SDK version information + into SPDX documents to satisfy NTIA minimum elements and software supply + chain transparency requirements. The version output must be a parseable + version string matching the installed SDK. + tests: + - GetDotNetVersion_OnAnyOS_ReturnsVersion + + - id: REQ-GGV-001 + title: >- + The GetGccVersion workflow shall output the installed GCC compiler + version as a version string. + justification: | + Consumers building firmware or embedded software with GCC need to capture + GCC version information into SPDX documents to satisfy NTIA minimum + elements and software supply chain transparency requirements. + tests: + - GetGccVersion_OnLinux_ReturnsVersion + + - id: REQ-GIV-001 + title: >- + The GetIarEwArmVersion workflow shall output the installed IAR Embedded + Workbench for ARM version as a version string. + justification: | + Consumers building embedded software with IAR EW ARM need to capture + version information into SPDX documents to satisfy NTIA minimum elements + and software supply chain transparency requirements. + # No test yet - requires IAR EW ARM installation in CI + # Pending test: GetIarEwArmVersion_OnWindows_ReturnsVersion + + - id: REQ-GMV-001 + title: >- + The GetMsBuildVersion workflow shall output the installed MSBuild + version as a version string. + justification: | + Consumers building .NET or Visual Studio solutions with MSBuild need to + capture MSBuild version information into SPDX documents to satisfy NTIA + minimum elements and software supply chain transparency requirements. + tests: + - GetMsBuildVersion_OnWindows_ReturnsVersion + + - id: REQ-GNV-001 + title: >- + The GetNugetVersion workflow shall output the installed NuGet CLI + version as a version string. + justification: | + Consumers using NuGet to manage package dependencies need to capture + NuGet version information into SPDX documents to satisfy NTIA minimum + elements and software supply chain transparency requirements. + tests: + - GetNugetVersion_OnWindows_ReturnsVersion + + - id: REQ-GNP-001 + title: >- + The GetNugetPackagePath workflow shall output the file system path to + the specified NuGet package in the local package cache. + justification: | + The EnhancePackageFromNugetSpdx workflow and consumers need to locate + NuGet packages on disk by name and version in order to read SPDX + documents embedded within those packages. + tests: + - GetNugetPackagePath_WithPackageAndVersion_ReturnsPath + + - id: REQ-GVV-001 + title: >- + The GetVsTestVersion workflow shall output the installed Visual Studio + Test Platform (VSTest) version as a version string. + justification: | + Consumers using VSTest to run automated tests need to capture version + information into SPDX documents to satisfy NTIA minimum elements and + software supply chain transparency requirements. + tests: + - GetVsTestVersion_OnWindows_ReturnsVersion + + - title: Add Package Workflows + requirements: + + - id: REQ-ADP-001 + title: >- + The AddDotNetPackage workflow shall add a .NET SDK package entry to the + specified SPDX document with accurate metadata including name, version, + license, copyright, supplier, originator, and homepage. + justification: | + SPDX documents require accurate, consistent package metadata to satisfy + NTIA minimum elements and software supply chain transparency standards. + The .NET SDK metadata is fixed and well-known, sourced from Microsoft's + published information and the dotnet/dotnet GitHub repository. + tests: + - AddDotNetPackage_WithValidParameters_AddsPackageToDocument + + - id: REQ-AGP-001 + title: >- + The AddGccPackage workflow shall add a GNU Compiler Collection package + entry to the specified SPDX document with accurate metadata including + name, version, license, copyright, originator, homepage, and PURL. + justification: | + SPDX documents require accurate, consistent package metadata to satisfy + NTIA minimum elements and software supply chain transparency standards. + GCC metadata is publicly available from the GNU project and the + gcc-mirror/gcc GitHub repository. + tests: + - AddGccPackage_WithValidParameters_AddsPackageToDocument + + - id: REQ-AIP-001 + title: >- + The AddIarEwArmPackage workflow shall add an IAR Embedded Workbench for + ARM package entry to the specified SPDX document with accurate metadata + including name, version, supplier, originator, and homepage. + justification: | + SPDX documents require accurate, consistent package metadata to satisfy + NTIA minimum elements and software supply chain transparency standards. + IAR EW ARM metadata is sourced from IAR Systems' published product + information. + tests: + - AddIarEwArmPackage_WithValidParameters_AddsPackageToDocument + + - id: REQ-AMP-001 + title: >- + The AddMsBuildPackage workflow shall add a Microsoft Build Engine package + entry to the specified SPDX document with accurate metadata including + name, version, license, copyright, supplier, originator, homepage, + and PURL. + justification: | + SPDX documents require accurate, consistent package metadata to satisfy + NTIA minimum elements and software supply chain transparency standards. + MSBuild metadata is publicly available from Microsoft's documentation and + the dotnet/msbuild GitHub repository. + tests: + - AddMsBuildPackage_WithValidParameters_AddsPackageToDocument + + - id: REQ-ANP-001 + title: >- + The AddNugetPackage workflow shall add a NuGet CLI package entry to the + specified SPDX document with accurate metadata including name, version, + license, copyright, supplier, originator, homepage, and PURL. + justification: | + SPDX documents require accurate, consistent package metadata to satisfy + NTIA minimum elements and software supply chain transparency standards. + NuGet CLI metadata is publicly available from nuget.org and the + NuGet/NuGet.Client GitHub repository. + tests: + - AddNugetPackage_WithValidParameters_AddsPackageToDocument + + - id: REQ-AVP-001 + title: >- + The AddVsTestPackage workflow shall add a Visual Studio Test Platform + package entry to the specified SPDX document with accurate metadata + including name, version, license, copyright, supplier, originator, + homepage, and PURL. + justification: | + SPDX documents require accurate, consistent package metadata to satisfy + NTIA minimum elements and software supply chain transparency standards. + VSTest metadata is publicly available from Microsoft's documentation and + the microsoft/vstest GitHub repository. + tests: + - AddVsTestPackage_WithValidParameters_AddsPackageToDocument + + - title: Enhance Package Workflows + requirements: + + - id: REQ-EPF-001 + title: >- + The EnhancePackageFromNugetSpdx workflow shall update an existing + package entry in an SPDX document with enriched metadata copied from + the SPDX document embedded in the corresponding NuGet package. + justification: | + NuGet packages often include embedded SPDX documents with comprehensive + metadata such as license texts, checksums, and CPE identifiers that + exceed what is manually catalogued. Enhancing packages from this embedded + source improves SPDX document accuracy and completeness without + requiring manual data entry. + # No test yet - integration test requires a NuGet package with SPDX + # embedded in the local cache. This is a complex integration scenario. + # Pending test: EnhancePackageFromNugetSpdx_WithValidPackage_EnhancesDocument diff --git a/test/DemaConsulting.SpdxWorkflows.Tests/AddDotNetPackage.cs b/test/DemaConsulting.SpdxWorkflows.Tests/AddDotNetPackage.cs index 55a7e08..7408f73 100644 --- a/test/DemaConsulting.SpdxWorkflows.Tests/AddDotNetPackage.cs +++ b/test/DemaConsulting.SpdxWorkflows.Tests/AddDotNetPackage.cs @@ -4,7 +4,7 @@ public class AddDotNetPackage : AddPackageTest { [TestMethod, TestCategory("AnyOS")] - public void TestAddDotNetPackage() + public void AddDotNetPackage_WithValidParameters_AddsPackageToDocument() { var doc = RunAddPackageWorkflow( "AddDotNetPackage.yaml", diff --git a/test/DemaConsulting.SpdxWorkflows.Tests/AddGccPackage.cs b/test/DemaConsulting.SpdxWorkflows.Tests/AddGccPackage.cs index 293a634..b649dc5 100644 --- a/test/DemaConsulting.SpdxWorkflows.Tests/AddGccPackage.cs +++ b/test/DemaConsulting.SpdxWorkflows.Tests/AddGccPackage.cs @@ -4,7 +4,7 @@ public class AddGccPackage : AddPackageTest { [TestMethod, TestCategory("AnyOS")] - public void TestAddGccPackage() + public void AddGccPackage_WithValidParameters_AddsPackageToDocument() { var doc = RunAddPackageWorkflow( "AddGccPackage.yaml", diff --git a/test/DemaConsulting.SpdxWorkflows.Tests/AddIarEwArmPackage.cs b/test/DemaConsulting.SpdxWorkflows.Tests/AddIarEwArmPackage.cs index 24a341b..4476bd1 100644 --- a/test/DemaConsulting.SpdxWorkflows.Tests/AddIarEwArmPackage.cs +++ b/test/DemaConsulting.SpdxWorkflows.Tests/AddIarEwArmPackage.cs @@ -4,7 +4,7 @@ public class AddIarEwArmPackage : AddPackageTest { [TestMethod, TestCategory("AnyOS")] - public void TestAddIarEwArmPackage() + public void AddIarEwArmPackage_WithValidParameters_AddsPackageToDocument() { var doc = RunAddPackageWorkflow( "AddIarEwArmPackage.yaml", diff --git a/test/DemaConsulting.SpdxWorkflows.Tests/AddMsBuildPackage.cs b/test/DemaConsulting.SpdxWorkflows.Tests/AddMsBuildPackage.cs index 7cad977..58daf16 100644 --- a/test/DemaConsulting.SpdxWorkflows.Tests/AddMsBuildPackage.cs +++ b/test/DemaConsulting.SpdxWorkflows.Tests/AddMsBuildPackage.cs @@ -4,7 +4,7 @@ public class AddMsBuildPackage : AddPackageTest { [TestMethod, TestCategory("AnyOS")] - public void TestAddMsBuildPackage() + public void AddMsBuildPackage_WithValidParameters_AddsPackageToDocument() { var doc = RunAddPackageWorkflow( "AddMsBuildPackage.yaml", diff --git a/test/DemaConsulting.SpdxWorkflows.Tests/AddNugetPackage.cs b/test/DemaConsulting.SpdxWorkflows.Tests/AddNugetPackage.cs index c510cce..051d710 100644 --- a/test/DemaConsulting.SpdxWorkflows.Tests/AddNugetPackage.cs +++ b/test/DemaConsulting.SpdxWorkflows.Tests/AddNugetPackage.cs @@ -4,7 +4,7 @@ public class AddNugetPackage : AddPackageTest { [TestMethod, TestCategory("AnyOS")] - public void TestAddNugetPackage() + public void AddNugetPackage_WithValidParameters_AddsPackageToDocument() { var doc = RunAddPackageWorkflow( "AddNugetPackage.yaml", diff --git a/test/DemaConsulting.SpdxWorkflows.Tests/AddVsTestPackage.cs b/test/DemaConsulting.SpdxWorkflows.Tests/AddVsTestPackage.cs index c0c5606..f2278bb 100644 --- a/test/DemaConsulting.SpdxWorkflows.Tests/AddVsTestPackage.cs +++ b/test/DemaConsulting.SpdxWorkflows.Tests/AddVsTestPackage.cs @@ -4,7 +4,7 @@ public class AddVsTestPackage : AddPackageTest { [TestMethod, TestCategory("AnyOS")] - public void TestAddVsTestPackage() + public void AddVsTestPackage_WithValidParameters_AddsPackageToDocument() { var doc = RunAddPackageWorkflow( "AddVsTestPackage.yaml", diff --git a/test/DemaConsulting.SpdxWorkflows.Tests/GetDotNetVersion.cs b/test/DemaConsulting.SpdxWorkflows.Tests/GetDotNetVersion.cs index 99a15d2..33c5472 100644 --- a/test/DemaConsulting.SpdxWorkflows.Tests/GetDotNetVersion.cs +++ b/test/DemaConsulting.SpdxWorkflows.Tests/GetDotNetVersion.cs @@ -6,7 +6,7 @@ namespace DemaConsulting.SpdxWorkflows.Tests; public partial class GetDotNetVersion : WorkflowTest { [TestMethod, TestCategory("AnyOS")] - public void TestGetDotNetVersion() + public void GetDotNetVersion_OnAnyOS_ReturnsVersion() { // Run the workflow var exitCode = RunWorkflow( diff --git a/test/DemaConsulting.SpdxWorkflows.Tests/GetGccVersion.cs b/test/DemaConsulting.SpdxWorkflows.Tests/GetGccVersion.cs index 7bf6d2d..8a44f09 100644 --- a/test/DemaConsulting.SpdxWorkflows.Tests/GetGccVersion.cs +++ b/test/DemaConsulting.SpdxWorkflows.Tests/GetGccVersion.cs @@ -6,7 +6,7 @@ namespace DemaConsulting.SpdxWorkflows.Tests; public partial class GetGccVersion : WorkflowTest { [TestMethod, TestCategory("Linux")] - public void TestGetGccVersion() + public void GetGccVersion_OnLinux_ReturnsVersion() { // Run the workflow var exitCode = RunWorkflow( diff --git a/test/DemaConsulting.SpdxWorkflows.Tests/GetMsBuildVersion.cs b/test/DemaConsulting.SpdxWorkflows.Tests/GetMsBuildVersion.cs index 41ef8cb..e799346 100644 --- a/test/DemaConsulting.SpdxWorkflows.Tests/GetMsBuildVersion.cs +++ b/test/DemaConsulting.SpdxWorkflows.Tests/GetMsBuildVersion.cs @@ -6,7 +6,7 @@ namespace DemaConsulting.SpdxWorkflows.Tests; public partial class GetMsBuildVersion : WorkflowTest { [TestMethod, TestCategory("Windows")] - public void TestGetMsBuildVersion() + public void GetMsBuildVersion_OnWindows_ReturnsVersion() { // Use vswhere to find MSBuild Runner.Run( diff --git a/test/DemaConsulting.SpdxWorkflows.Tests/GetNugetPackagePath.cs b/test/DemaConsulting.SpdxWorkflows.Tests/GetNugetPackagePath.cs index 02795fa..28824db 100644 --- a/test/DemaConsulting.SpdxWorkflows.Tests/GetNugetPackagePath.cs +++ b/test/DemaConsulting.SpdxWorkflows.Tests/GetNugetPackagePath.cs @@ -6,7 +6,7 @@ namespace DemaConsulting.SpdxWorkflows.Tests; public partial class GetNugetPackagePath : WorkflowTest { [TestMethod, TestCategory("Windows")] - public void TestGetNugetPackagePath() + public void GetNugetPackagePath_WithPackageAndVersion_ReturnsPath() { // Run the workflow var exitCode = RunWorkflow( diff --git a/test/DemaConsulting.SpdxWorkflows.Tests/GetNugetVersion.cs b/test/DemaConsulting.SpdxWorkflows.Tests/GetNugetVersion.cs index 80cbf14..de95b21 100644 --- a/test/DemaConsulting.SpdxWorkflows.Tests/GetNugetVersion.cs +++ b/test/DemaConsulting.SpdxWorkflows.Tests/GetNugetVersion.cs @@ -6,7 +6,7 @@ namespace DemaConsulting.SpdxWorkflows.Tests; public partial class GetNugetVersion : WorkflowTest { [TestMethod, TestCategory("Windows")] - public void TestGetNugetVersion() + public void GetNugetVersion_OnWindows_ReturnsVersion() { // Run the workflow var exitCode = RunWorkflow( diff --git a/test/DemaConsulting.SpdxWorkflows.Tests/GetVsTestVersion.cs b/test/DemaConsulting.SpdxWorkflows.Tests/GetVsTestVersion.cs index 0451f62..49973ab 100644 --- a/test/DemaConsulting.SpdxWorkflows.Tests/GetVsTestVersion.cs +++ b/test/DemaConsulting.SpdxWorkflows.Tests/GetVsTestVersion.cs @@ -6,7 +6,7 @@ namespace DemaConsulting.SpdxWorkflows.Tests; public partial class GetVsTestVersion : WorkflowTest { [TestMethod, TestCategory("Windows")] - public void TestGetVsTestVersion() + public void GetVsTestVersion_OnWindows_ReturnsVersion() { // Use vswhere to find VSTest Runner.Run( From 905d3b72c7ee6c7ee77023470e1e506d1da3d450 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 2 Mar 2026 02:08:04 +0000 Subject: [PATCH 03/10] Add requirements docs (requirements/justifications/tracematrix), update build.yaml for TRX and reqstream Co-authored-by: Malcolmnixon <1863707+Malcolmnixon@users.noreply.github.com> --- .cspell.json | 1 + .github/workflows/build.yaml | 78 +++++++++++++++++++++++++++++ docs/justifications/definition.yaml | 11 ++++ docs/justifications/introduction.md | 26 ++++++++++ docs/justifications/title.txt | 13 +++++ docs/requirements/definition.yaml | 11 ++++ docs/requirements/introduction.md | 26 ++++++++++ docs/requirements/title.txt | 13 +++++ docs/tracematrix/definition.yaml | 11 ++++ docs/tracematrix/introduction.md | 27 ++++++++++ docs/tracematrix/title.txt | 14 ++++++ 11 files changed, 231 insertions(+) create mode 100644 docs/justifications/definition.yaml create mode 100644 docs/justifications/introduction.md create mode 100644 docs/justifications/title.txt create mode 100644 docs/requirements/definition.yaml create mode 100644 docs/requirements/introduction.md create mode 100644 docs/requirements/title.txt create mode 100644 docs/tracematrix/definition.yaml create mode 100644 docs/tracematrix/introduction.md create mode 100644 docs/tracematrix/title.txt diff --git a/.cspell.json b/.cspell.json index 913b18d..22b2db3 100644 --- a/.cspell.json +++ b/.cspell.json @@ -41,6 +41,7 @@ "myterm", "ncipollo", "NOASSERTION", + "NTIA", "nuget", "nupkg", "opencover", diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 82754ba..2016606 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -76,6 +76,8 @@ jobs: --no-restore --verbosity normal --filter "TestCategory=AnyOS|TestCategory=Windows" + --logger "trx;LogFilePrefix=windows" + --results-directory test-results - name: Run Linux Tests if: startsWith(matrix.os, 'ubuntu') @@ -85,6 +87,8 @@ jobs: --no-restore --verbosity normal --filter "TestCategory=AnyOS|TestCategory=Linux" + --logger "trx;LogFilePrefix=ubuntu" + --results-directory test-results - name: Create Dotnet Tool run: | @@ -98,6 +102,12 @@ jobs: path: | pack/*.nupkg + - name: Upload Test Results + uses: actions/upload-artifact@v7 + with: + name: test-results-${{ matrix.os }} + path: test-results/*.trx + - name: Capture tool versions shell: bash run: | @@ -137,6 +147,13 @@ jobs: pattern: 'version-capture-*' continue-on-error: true + - name: Download all test results + uses: actions/download-artifact@v8 + with: + path: test-results + pattern: 'test-results-*' + continue-on-error: true + # === INSTALL DEPENDENCIES === # This section installs all required dependencies and tools for document generation. # Downstream projects: Add any additional dependency installations here. @@ -189,6 +206,16 @@ jobs: echo "=== Build Notes Report ===" cat docs/buildnotes.md + - name: Generate Requirements with ReqStream + shell: bash + run: > + dotnet reqstream + --requirements requirements.yaml + --tests "test-results/**/*.trx" + --report docs/requirements/requirements.md + --justifications docs/justifications/justifications.md + --trace-matrix docs/tracematrix/tracematrix.md + - name: Publish Tool Versions shell: bash run: | @@ -227,6 +254,36 @@ jobs: --metadata date="$(date +'%Y-%m-%d')" --output docs/guide/guide.html + - name: Generate Requirements HTML with Pandoc + shell: bash + run: > + dotnet pandoc + --defaults docs/requirements/definition.yaml + --filter node_modules/.bin/mermaid-filter.cmd + --metadata version="${{ inputs.version }}" + --metadata date="$(date +'%Y-%m-%d')" + --output docs/requirements/requirements.html + + - name: Generate Requirements Justifications HTML with Pandoc + shell: bash + run: > + dotnet pandoc + --defaults docs/justifications/definition.yaml + --filter node_modules/.bin/mermaid-filter.cmd + --metadata version="${{ inputs.version }}" + --metadata date="$(date +'%Y-%m-%d')" + --output docs/justifications/justifications.html + + - name: Generate Trace Matrix HTML with Pandoc + shell: bash + run: > + dotnet pandoc + --defaults docs/tracematrix/definition.yaml + --filter node_modules/.bin/mermaid-filter.cmd + --metadata version="${{ inputs.version }}" + --metadata date="$(date +'%Y-%m-%d')" + --output docs/tracematrix/tracematrix.html + # === GENERATE PDF DOCUMENTS WITH WEASYPRINT === # This section converts HTML documents to PDF using Weasyprint. # Downstream projects: Add any additional Weasyprint PDF generation steps here. @@ -245,6 +302,27 @@ jobs: docs/guide/guide.html "docs/SpdxWorkflows User Guide.pdf" + - name: Generate Requirements PDF with Weasyprint + run: > + dotnet weasyprint + --pdf-variant pdf/a-3u + docs/requirements/requirements.html + "docs/SpdxWorkflows Requirements.pdf" + + - name: Generate Requirements Justifications PDF with Weasyprint + run: > + dotnet weasyprint + --pdf-variant pdf/a-3u + docs/justifications/justifications.html + "docs/SpdxWorkflows Requirements Justifications.pdf" + + - name: Generate Trace Matrix PDF with Weasyprint + run: > + dotnet weasyprint + --pdf-variant pdf/a-3u + docs/tracematrix/tracematrix.html + "docs/SpdxWorkflows Trace Matrix.pdf" + # === UPLOAD ARTIFACTS === # This section uploads all generated documentation artifacts. # Downstream projects: Add any additional artifact uploads here. diff --git a/docs/justifications/definition.yaml b/docs/justifications/definition.yaml new file mode 100644 index 0000000..d0bbbee --- /dev/null +++ b/docs/justifications/definition.yaml @@ -0,0 +1,11 @@ +--- +resource-path: + - docs/justifications + - docs/template +input-files: + - docs/justifications/title.txt + - docs/justifications/introduction.md + - docs/justifications/justifications.md +template: template.html +table-of-contents: true +number-sections: true diff --git a/docs/justifications/introduction.md b/docs/justifications/introduction.md new file mode 100644 index 0000000..834efc4 --- /dev/null +++ b/docs/justifications/introduction.md @@ -0,0 +1,26 @@ +# Introduction + +This document contains the justifications for the requirements of the SpdxWorkflows project. + +## Purpose + +This justifications document provides the rationale behind each requirement in the SpdxWorkflows +project. Each requirement justification explains why the requirement exists, what problem it +solves, and how it contributes to the overall value of the workflows. + +## Scope + +This document covers justifications for: + +- Version discovery workflow requirements +- Package addition workflow requirements +- Package enhancement workflow requirements + +## Audience + +This document is intended for: + +- Software developers understanding design decisions +- Quality assurance teams reviewing requirement rationale +- Project stakeholders evaluating project scope +- Compliance and audit teams reviewing requirements traceability diff --git a/docs/justifications/title.txt b/docs/justifications/title.txt new file mode 100644 index 0000000..b13d8de --- /dev/null +++ b/docs/justifications/title.txt @@ -0,0 +1,13 @@ +--- +title: SpdxWorkflows Requirements Justifications +subtitle: Requirements Justifications for SpdxWorkflows +author: DEMA Consulting +description: Requirements Justifications for the SpdxWorkflows project +lang: en-US +keywords: + - SpdxWorkflows + - Requirements + - Justifications + - SPDX + - Workflows +--- diff --git a/docs/requirements/definition.yaml b/docs/requirements/definition.yaml new file mode 100644 index 0000000..a0f3371 --- /dev/null +++ b/docs/requirements/definition.yaml @@ -0,0 +1,11 @@ +--- +resource-path: + - docs/requirements + - docs/template +input-files: + - docs/requirements/title.txt + - docs/requirements/introduction.md + - docs/requirements/requirements.md +template: template.html +table-of-contents: true +number-sections: true diff --git a/docs/requirements/introduction.md b/docs/requirements/introduction.md new file mode 100644 index 0000000..4b97341 --- /dev/null +++ b/docs/requirements/introduction.md @@ -0,0 +1,26 @@ +# Introduction + +This document contains the requirements for the SpdxWorkflows project. + +## Purpose + +SpdxWorkflows is a collection of standard SpdxTool workflow files for generating SPDX +software bill of materials documents. It provides reusable workflows for capturing version +information and adding package entries for common build tools. + +## Scope + +This requirements document covers: + +- Version discovery workflows for build tools +- Package addition workflows for SPDX documents +- Package enhancement workflows from NuGet SPDX data + +## Audience + +This document is intended for: + +- Software developers working on SpdxWorkflows +- Quality assurance teams validating requirements +- Project stakeholders reviewing project scope +- Users understanding the workflows' capabilities diff --git a/docs/requirements/title.txt b/docs/requirements/title.txt new file mode 100644 index 0000000..3964b01 --- /dev/null +++ b/docs/requirements/title.txt @@ -0,0 +1,13 @@ +--- +title: SpdxWorkflows Requirements +subtitle: Requirements Specification for SpdxWorkflows +author: DEMA Consulting +description: Requirements Specification for the SpdxWorkflows project +lang: en-US +keywords: + - SpdxWorkflows + - Requirements + - Specification + - SPDX + - Workflows +--- diff --git a/docs/tracematrix/definition.yaml b/docs/tracematrix/definition.yaml new file mode 100644 index 0000000..ba93d57 --- /dev/null +++ b/docs/tracematrix/definition.yaml @@ -0,0 +1,11 @@ +--- +resource-path: + - docs/tracematrix + - docs/template +input-files: + - docs/tracematrix/title.txt + - docs/tracematrix/introduction.md + - docs/tracematrix/tracematrix.md +template: template.html +table-of-contents: true +number-sections: true diff --git a/docs/tracematrix/introduction.md b/docs/tracematrix/introduction.md new file mode 100644 index 0000000..2ce7875 --- /dev/null +++ b/docs/tracematrix/introduction.md @@ -0,0 +1,27 @@ +# Introduction + +This document contains the requirements traceability matrix for the SpdxWorkflows project. + +## Purpose + +The trace matrix provides traceability between requirements and test cases, ensuring that +all requirements are validated through appropriate testing. This demonstrates that the +SpdxWorkflows meet their specified requirements. + +## Scope + +This traceability matrix covers: + +- Mapping of requirements to test cases +- Test execution results linked to requirements +- Validation of requirement coverage +- Platform-specific test execution + +## Audience + +This document is intended for: + +- Software developers working on SpdxWorkflows +- Quality assurance teams validating requirements coverage +- Project stakeholders reviewing test coverage +- Auditors verifying requirements traceability diff --git a/docs/tracematrix/title.txt b/docs/tracematrix/title.txt new file mode 100644 index 0000000..b83e46f --- /dev/null +++ b/docs/tracematrix/title.txt @@ -0,0 +1,14 @@ +--- +title: SpdxWorkflows Trace Matrix +subtitle: Requirements Traceability Matrix for SpdxWorkflows +author: DEMA Consulting +description: Requirements Traceability Matrix for the SpdxWorkflows project +lang: en-US +keywords: + - SpdxWorkflows + - Trace Matrix + - Traceability + - Requirements + - Testing + - SPDX +--- From 806aca98b0ca41841a5ca2665faabc55c772f762 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 2 Mar 2026 02:18:58 +0000 Subject: [PATCH 04/10] Remove rollForward settings, add platform prefixes to test links, comment out Enhance section Co-authored-by: Malcolmnixon <1863707+Malcolmnixon@users.noreply.github.com> --- .config/dotnet-tools.json | 21 ++++------ requirements.yaml | 81 +++++++++++++++++++++++---------------- 2 files changed, 55 insertions(+), 47 deletions(-) diff --git a/.config/dotnet-tools.json b/.config/dotnet-tools.json index d1fe910..23c2bda 100644 --- a/.config/dotnet-tools.json +++ b/.config/dotnet-tools.json @@ -6,50 +6,43 @@ "version": "2.8.0", "commands": [ "spdx-tool" - ], - "rollForward": false + ] }, "demaconsulting.vswheretool": { "version": "3.1.7", "commands": [ "vswhere" - ], - "rollForward": false + ] }, "demaconsulting.pandoctool": { "version": "3.9.0", "commands": [ "pandoc" - ], - "rollForward": false + ] }, "demaconsulting.weasyprinttool": { "version": "68.1.0", "commands": [ "weasyprint" - ], - "rollForward": false + ] }, "demaconsulting.buildmark": { "version": "0.4.0", "commands": [ "buildmark" - ], - "rollForward": false + ] }, "demaconsulting.versionmark": { "version": "1.0.0", "commands": [ "versionmark" - ], - "rollForward": false + ] }, "demaconsulting.reqstream": { "version": "1.3.0", "commands": [ "reqstream" - ], - "rollForward": false + ] } } } \ No newline at end of file diff --git a/requirements.yaml b/requirements.yaml index 1007a66..256f61a 100644 --- a/requirements.yaml +++ b/requirements.yaml @@ -9,10 +9,16 @@ # --tests "test-results/**/*.trx" # --enforce # -# NOTE: Two workflows currently lack test coverage and are excluded from -# enforcement until tests are provided: -# - GetIarEwArmVersion (REQ-GIV-001): requires IAR EW ARM installation -# - EnhancePackageFromNugetSpdx (REQ-EPF-001): requires NuGet package with SPDX +# Test links can include a source filter prefix (e.g. "windows@", "ubuntu@") to +# restrict which test results count as evidence for a requirement. This is critical +# for platform-specific requirements - removing these filters invalidates the proof. +# +# Source filter prefixes: +# windows@TestName - proves the test passed on a Windows platform +# ubuntu@TestName - proves the test passed on a Linux (Ubuntu) platform +# +# NOTE: GetIarEwArmVersion (REQ-GIV-001) currently lacks test coverage as it +# requires IAR EW ARM to be installed in CI. sections: @@ -29,7 +35,8 @@ sections: chain transparency requirements. The version output must be a parseable version string matching the installed SDK. tests: - - GetDotNetVersion_OnAnyOS_ReturnsVersion + - windows@GetDotNetVersion_OnAnyOS_ReturnsVersion + - ubuntu@GetDotNetVersion_OnAnyOS_ReturnsVersion - id: REQ-GGV-001 title: >- @@ -40,7 +47,7 @@ sections: GCC version information into SPDX documents to satisfy NTIA minimum elements and software supply chain transparency requirements. tests: - - GetGccVersion_OnLinux_ReturnsVersion + - ubuntu@GetGccVersion_OnLinux_ReturnsVersion - id: REQ-GIV-001 title: >- @@ -62,7 +69,7 @@ sections: capture MSBuild version information into SPDX documents to satisfy NTIA minimum elements and software supply chain transparency requirements. tests: - - GetMsBuildVersion_OnWindows_ReturnsVersion + - windows@GetMsBuildVersion_OnWindows_ReturnsVersion - id: REQ-GNV-001 title: >- @@ -73,7 +80,7 @@ sections: NuGet version information into SPDX documents to satisfy NTIA minimum elements and software supply chain transparency requirements. tests: - - GetNugetVersion_OnWindows_ReturnsVersion + - windows@GetNugetVersion_OnWindows_ReturnsVersion - id: REQ-GNP-001 title: >- @@ -84,7 +91,7 @@ sections: NuGet packages on disk by name and version in order to read SPDX documents embedded within those packages. tests: - - GetNugetPackagePath_WithPackageAndVersion_ReturnsPath + - windows@GetNugetPackagePath_WithPackageAndVersion_ReturnsPath - id: REQ-GVV-001 title: >- @@ -95,7 +102,7 @@ sections: information into SPDX documents to satisfy NTIA minimum elements and software supply chain transparency requirements. tests: - - GetVsTestVersion_OnWindows_ReturnsVersion + - windows@GetVsTestVersion_OnWindows_ReturnsVersion - title: Add Package Workflows requirements: @@ -111,7 +118,8 @@ sections: The .NET SDK metadata is fixed and well-known, sourced from Microsoft's published information and the dotnet/dotnet GitHub repository. tests: - - AddDotNetPackage_WithValidParameters_AddsPackageToDocument + - windows@AddDotNetPackage_WithValidParameters_AddsPackageToDocument + - ubuntu@AddDotNetPackage_WithValidParameters_AddsPackageToDocument - id: REQ-AGP-001 title: >- @@ -124,7 +132,8 @@ sections: GCC metadata is publicly available from the GNU project and the gcc-mirror/gcc GitHub repository. tests: - - AddGccPackage_WithValidParameters_AddsPackageToDocument + - windows@AddGccPackage_WithValidParameters_AddsPackageToDocument + - ubuntu@AddGccPackage_WithValidParameters_AddsPackageToDocument - id: REQ-AIP-001 title: >- @@ -137,7 +146,8 @@ sections: IAR EW ARM metadata is sourced from IAR Systems' published product information. tests: - - AddIarEwArmPackage_WithValidParameters_AddsPackageToDocument + - windows@AddIarEwArmPackage_WithValidParameters_AddsPackageToDocument + - ubuntu@AddIarEwArmPackage_WithValidParameters_AddsPackageToDocument - id: REQ-AMP-001 title: >- @@ -151,7 +161,8 @@ sections: MSBuild metadata is publicly available from Microsoft's documentation and the dotnet/msbuild GitHub repository. tests: - - AddMsBuildPackage_WithValidParameters_AddsPackageToDocument + - windows@AddMsBuildPackage_WithValidParameters_AddsPackageToDocument + - ubuntu@AddMsBuildPackage_WithValidParameters_AddsPackageToDocument - id: REQ-ANP-001 title: >- @@ -164,7 +175,8 @@ sections: NuGet CLI metadata is publicly available from nuget.org and the NuGet/NuGet.Client GitHub repository. tests: - - AddNugetPackage_WithValidParameters_AddsPackageToDocument + - windows@AddNugetPackage_WithValidParameters_AddsPackageToDocument + - ubuntu@AddNugetPackage_WithValidParameters_AddsPackageToDocument - id: REQ-AVP-001 title: >- @@ -178,22 +190,25 @@ sections: VSTest metadata is publicly available from Microsoft's documentation and the microsoft/vstest GitHub repository. tests: - - AddVsTestPackage_WithValidParameters_AddsPackageToDocument - - - title: Enhance Package Workflows - requirements: + - windows@AddVsTestPackage_WithValidParameters_AddsPackageToDocument + - ubuntu@AddVsTestPackage_WithValidParameters_AddsPackageToDocument - - id: REQ-EPF-001 - title: >- - The EnhancePackageFromNugetSpdx workflow shall update an existing - package entry in an SPDX document with enriched metadata copied from - the SPDX document embedded in the corresponding NuGet package. - justification: | - NuGet packages often include embedded SPDX documents with comprehensive - metadata such as license texts, checksums, and CPE identifiers that - exceed what is manually catalogued. Enhancing packages from this embedded - source improves SPDX document accuracy and completeness without - requiring manual data entry. - # No test yet - integration test requires a NuGet package with SPDX - # embedded in the local cache. This is a complex integration scenario. - # Pending test: EnhancePackageFromNugetSpdx_WithValidPackage_EnhancesDocument +# The Enhance Package Workflows section is commented out until test coverage is +# available. The EnhancePackageFromNugetSpdx workflow requires a NuGet package +# with an embedded SPDX document in the local cache which is not available in CI. +# +# - title: Enhance Package Workflows +# requirements: +# +# - id: REQ-EPF-001 +# title: >- +# The EnhancePackageFromNugetSpdx workflow shall update an existing +# package entry in an SPDX document with enriched metadata copied from +# the SPDX document embedded in the corresponding NuGet package. +# justification: | +# NuGet packages often include embedded SPDX documents with comprehensive +# metadata such as license texts, checksums, and CPE identifiers that +# exceed what is manually catalogued. Enhancing packages from this embedded +# source improves SPDX document accuracy and completeness without +# requiring manual data entry. +# # Pending test: EnhancePackageFromNugetSpdx_WithValidPackage_EnhancesDocument From 754726b2bde0438e032bf1194c0cf8fee3d27d2e Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 2 Mar 2026 02:19:51 +0000 Subject: [PATCH 05/10] Comment out IAR EW ARM requirements (REQ-GIV-001, REQ-AIP-001) Co-authored-by: Malcolmnixon <1863707+Malcolmnixon@users.noreply.github.com> --- requirements.yaml | 60 +++++++++++++++++++++++++++-------------------- 1 file changed, 35 insertions(+), 25 deletions(-) diff --git a/requirements.yaml b/requirements.yaml index 256f61a..3ff238a 100644 --- a/requirements.yaml +++ b/requirements.yaml @@ -17,8 +17,9 @@ # windows@TestName - proves the test passed on a Windows platform # ubuntu@TestName - proves the test passed on a Linux (Ubuntu) platform # -# NOTE: GetIarEwArmVersion (REQ-GIV-001) currently lacks test coverage as it -# requires IAR EW ARM to be installed in CI. +# NOTE: Requirements for IAR EW ARM workflows (REQ-GIV-001, REQ-AIP-001) and the +# EnhancePackageFromNugetSpdx workflow are commented out until test coverage is +# available in CI. sections: @@ -49,16 +50,20 @@ sections: tests: - ubuntu@GetGccVersion_OnLinux_ReturnsVersion - - id: REQ-GIV-001 - title: >- - The GetIarEwArmVersion workflow shall output the installed IAR Embedded - Workbench for ARM version as a version string. - justification: | - Consumers building embedded software with IAR EW ARM need to capture - version information into SPDX documents to satisfy NTIA minimum elements - and software supply chain transparency requirements. - # No test yet - requires IAR EW ARM installation in CI - # Pending test: GetIarEwArmVersion_OnWindows_ReturnsVersion + # REQ-GIV-001 is commented out until test coverage is available. + # The GetIarEwArmVersion workflow requires IAR EW ARM to be installed in CI. + # Pending test: windows@GetIarEwArmVersion_OnWindows_ReturnsVersion + # + # - id: REQ-GIV-001 + # title: >- + # The GetIarEwArmVersion workflow shall output the installed IAR Embedded + # Workbench for ARM version as a version string. + # justification: | + # Consumers building embedded software with IAR EW ARM need to capture + # version information into SPDX documents to satisfy NTIA minimum elements + # and software supply chain transparency requirements. + # tests: + # - windows@GetIarEwArmVersion_OnWindows_ReturnsVersion - id: REQ-GMV-001 title: >- @@ -135,19 +140,24 @@ sections: - windows@AddGccPackage_WithValidParameters_AddsPackageToDocument - ubuntu@AddGccPackage_WithValidParameters_AddsPackageToDocument - - id: REQ-AIP-001 - title: >- - The AddIarEwArmPackage workflow shall add an IAR Embedded Workbench for - ARM package entry to the specified SPDX document with accurate metadata - including name, version, supplier, originator, and homepage. - justification: | - SPDX documents require accurate, consistent package metadata to satisfy - NTIA minimum elements and software supply chain transparency standards. - IAR EW ARM metadata is sourced from IAR Systems' published product - information. - tests: - - windows@AddIarEwArmPackage_WithValidParameters_AddsPackageToDocument - - ubuntu@AddIarEwArmPackage_WithValidParameters_AddsPackageToDocument + # REQ-AIP-001 is commented out until test coverage is available. + # The AddIarEwArmPackage test requires IAR EW ARM to be installed in CI. + # Pending tests: windows@AddIarEwArmPackage_WithValidParameters_AddsPackageToDocument + # ubuntu@AddIarEwArmPackage_WithValidParameters_AddsPackageToDocument + # + # - id: REQ-AIP-001 + # title: >- + # The AddIarEwArmPackage workflow shall add an IAR Embedded Workbench for + # ARM package entry to the specified SPDX document with accurate metadata + # including name, version, supplier, originator, and homepage. + # justification: | + # SPDX documents require accurate, consistent package metadata to satisfy + # NTIA minimum elements and software supply chain transparency standards. + # IAR EW ARM metadata is sourced from IAR Systems' published product + # information. + # tests: + # - windows@AddIarEwArmPackage_WithValidParameters_AddsPackageToDocument + # - ubuntu@AddIarEwArmPackage_WithValidParameters_AddsPackageToDocument - id: REQ-AMP-001 title: >- From 33d6726ca4f2671aa0aec2fba8d7b8f8a8142c25 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 2 Mar 2026 02:21:58 +0000 Subject: [PATCH 06/10] Uncomment REQ-AIP-001 (AddIarEwArmPackage does not require IAR installed) Co-authored-by: Malcolmnixon <1863707+Malcolmnixon@users.noreply.github.com> --- requirements.yaml | 33 ++++++++++++++------------------- 1 file changed, 14 insertions(+), 19 deletions(-) diff --git a/requirements.yaml b/requirements.yaml index 3ff238a..b31c65a 100644 --- a/requirements.yaml +++ b/requirements.yaml @@ -17,7 +17,7 @@ # windows@TestName - proves the test passed on a Windows platform # ubuntu@TestName - proves the test passed on a Linux (Ubuntu) platform # -# NOTE: Requirements for IAR EW ARM workflows (REQ-GIV-001, REQ-AIP-001) and the +# NOTE: The GetIarEwArmVersion requirement (REQ-GIV-001) and the # EnhancePackageFromNugetSpdx workflow are commented out until test coverage is # available in CI. @@ -140,24 +140,19 @@ sections: - windows@AddGccPackage_WithValidParameters_AddsPackageToDocument - ubuntu@AddGccPackage_WithValidParameters_AddsPackageToDocument - # REQ-AIP-001 is commented out until test coverage is available. - # The AddIarEwArmPackage test requires IAR EW ARM to be installed in CI. - # Pending tests: windows@AddIarEwArmPackage_WithValidParameters_AddsPackageToDocument - # ubuntu@AddIarEwArmPackage_WithValidParameters_AddsPackageToDocument - # - # - id: REQ-AIP-001 - # title: >- - # The AddIarEwArmPackage workflow shall add an IAR Embedded Workbench for - # ARM package entry to the specified SPDX document with accurate metadata - # including name, version, supplier, originator, and homepage. - # justification: | - # SPDX documents require accurate, consistent package metadata to satisfy - # NTIA minimum elements and software supply chain transparency standards. - # IAR EW ARM metadata is sourced from IAR Systems' published product - # information. - # tests: - # - windows@AddIarEwArmPackage_WithValidParameters_AddsPackageToDocument - # - ubuntu@AddIarEwArmPackage_WithValidParameters_AddsPackageToDocument + - id: REQ-AIP-001 + title: >- + The AddIarEwArmPackage workflow shall add an IAR Embedded Workbench for + ARM package entry to the specified SPDX document with accurate metadata + including name, version, supplier, originator, and homepage. + justification: | + SPDX documents require accurate, consistent package metadata to satisfy + NTIA minimum elements and software supply chain transparency standards. + IAR EW ARM metadata is sourced from IAR Systems' published product + information. + tests: + - windows@AddIarEwArmPackage_WithValidParameters_AddsPackageToDocument + - ubuntu@AddIarEwArmPackage_WithValidParameters_AddsPackageToDocument - id: REQ-AMP-001 title: >- From c6f7a1969555635f0e2d2801d8a9bae14305fd7d Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 2 Mar 2026 02:41:10 +0000 Subject: [PATCH 07/10] Fix --trace-matrix to --matrix in reqstream command in build.yaml Co-authored-by: Malcolmnixon <1863707+Malcolmnixon@users.noreply.github.com> --- .github/workflows/build.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 2016606..0560ea7 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -214,7 +214,7 @@ jobs: --tests "test-results/**/*.trx" --report docs/requirements/requirements.md --justifications docs/justifications/justifications.md - --trace-matrix docs/tracematrix/tracematrix.md + --matrix docs/tracematrix/tracematrix.md - name: Publish Tool Versions shell: bash From c990261a3e496e60fcd60bf27f5d26bb19e823a2 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 2 Mar 2026 02:48:27 +0000 Subject: [PATCH 08/10] Add MSBuild env vars to Runner to prevent lingering processes on Windows Co-authored-by: Malcolmnixon <1863707+Malcolmnixon@users.noreply.github.com> --- test/DemaConsulting.SpdxWorkflows.Tests/Runner.cs | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/test/DemaConsulting.SpdxWorkflows.Tests/Runner.cs b/test/DemaConsulting.SpdxWorkflows.Tests/Runner.cs index 78b9d01..4fb5589 100644 --- a/test/DemaConsulting.SpdxWorkflows.Tests/Runner.cs +++ b/test/DemaConsulting.SpdxWorkflows.Tests/Runner.cs @@ -26,6 +26,11 @@ public static int Run(out string output, string program, params string[] argumen CreateNoWindow = true }; + // Disable MSBuild server and node reuse to prevent lingering child + // processes that cause VSTest to hang waiting for process tree exit. + startInfo.Environment["DOTNET_CLI_DO_NOT_USE_MSBUILD_SERVER"] = "1"; + startInfo.Environment["MSBUILDDISABLENODEREUSE"] = "1"; + // Add the arguments foreach (var argument in arguments) startInfo.ArgumentList.Add(argument); From c1f2f8e9d0cb628f8ccc85634ef74b852f8b3bee Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 2 Mar 2026 02:51:10 +0000 Subject: [PATCH 09/10] Add MSBUILDDISABLENODEREUSE to cspell dictionary to fix quality check Co-authored-by: Malcolmnixon <1863707+Malcolmnixon@users.noreply.github.com> --- .cspell.json | 1 + 1 file changed, 1 insertion(+) diff --git a/.cspell.json b/.cspell.json index 22b2db3..b81e187 100644 --- a/.cspell.json +++ b/.cspell.json @@ -37,6 +37,7 @@ "markdownlint", "mermaid", "msbuild", + "MSBUILDDISABLENODEREUSE", "mstest", "myterm", "ncipollo", From c6adc0cbac51d79c2bc193af706271052cf1122c Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Mon, 2 Mar 2026 03:04:10 +0000 Subject: [PATCH 10/10] Add ID naming convention section to requirements.yaml header Co-authored-by: Malcolmnixon <1863707+Malcolmnixon@users.noreply.github.com> --- .cspell.json | 1 + requirements.yaml | 37 +++++++++++++++++++++---------------- 2 files changed, 22 insertions(+), 16 deletions(-) diff --git a/.cspell.json b/.cspell.json index b81e187..b034d80 100644 --- a/.cspell.json +++ b/.cspell.json @@ -59,6 +59,7 @@ "Semgrep", "semver", "SPDXID", + "SPWF", "spdxmodel", "slnx", "snupkg", diff --git a/requirements.yaml b/requirements.yaml index b31c65a..c062a74 100644 --- a/requirements.yaml +++ b/requirements.yaml @@ -9,6 +9,11 @@ # --tests "test-results/**/*.trx" # --enforce # +# Requirement ID naming convention: +# SPWF-GET-NNN - Get Version workflow requirements +# SPWF-ADD-NNN - Add Package workflow requirements +# SPWF-ENH-NNN - Enhance Package workflow requirements +# # Test links can include a source filter prefix (e.g. "windows@", "ubuntu@") to # restrict which test results count as evidence for a requirement. This is critical # for platform-specific requirements - removing these filters invalidates the proof. @@ -17,7 +22,7 @@ # windows@TestName - proves the test passed on a Windows platform # ubuntu@TestName - proves the test passed on a Linux (Ubuntu) platform # -# NOTE: The GetIarEwArmVersion requirement (REQ-GIV-001) and the +# NOTE: The GetIarEwArmVersion requirement (SPWF-GET-003) and the # EnhancePackageFromNugetSpdx workflow are commented out until test coverage is # available in CI. @@ -26,7 +31,7 @@ sections: - title: Get Version Workflows requirements: - - id: REQ-GDN-001 + - id: SPWF-GET-001 title: >- The GetDotNetVersion workflow shall output the installed .NET SDK version as a version string. @@ -39,7 +44,7 @@ sections: - windows@GetDotNetVersion_OnAnyOS_ReturnsVersion - ubuntu@GetDotNetVersion_OnAnyOS_ReturnsVersion - - id: REQ-GGV-001 + - id: SPWF-GET-002 title: >- The GetGccVersion workflow shall output the installed GCC compiler version as a version string. @@ -50,11 +55,11 @@ sections: tests: - ubuntu@GetGccVersion_OnLinux_ReturnsVersion - # REQ-GIV-001 is commented out until test coverage is available. + # SPWF-GET-003 is commented out until test coverage is available. # The GetIarEwArmVersion workflow requires IAR EW ARM to be installed in CI. # Pending test: windows@GetIarEwArmVersion_OnWindows_ReturnsVersion # - # - id: REQ-GIV-001 + # - id: SPWF-GET-003 # title: >- # The GetIarEwArmVersion workflow shall output the installed IAR Embedded # Workbench for ARM version as a version string. @@ -65,7 +70,7 @@ sections: # tests: # - windows@GetIarEwArmVersion_OnWindows_ReturnsVersion - - id: REQ-GMV-001 + - id: SPWF-GET-004 title: >- The GetMsBuildVersion workflow shall output the installed MSBuild version as a version string. @@ -76,7 +81,7 @@ sections: tests: - windows@GetMsBuildVersion_OnWindows_ReturnsVersion - - id: REQ-GNV-001 + - id: SPWF-GET-005 title: >- The GetNugetVersion workflow shall output the installed NuGet CLI version as a version string. @@ -87,7 +92,7 @@ sections: tests: - windows@GetNugetVersion_OnWindows_ReturnsVersion - - id: REQ-GNP-001 + - id: SPWF-GET-006 title: >- The GetNugetPackagePath workflow shall output the file system path to the specified NuGet package in the local package cache. @@ -98,7 +103,7 @@ sections: tests: - windows@GetNugetPackagePath_WithPackageAndVersion_ReturnsPath - - id: REQ-GVV-001 + - id: SPWF-GET-007 title: >- The GetVsTestVersion workflow shall output the installed Visual Studio Test Platform (VSTest) version as a version string. @@ -112,7 +117,7 @@ sections: - title: Add Package Workflows requirements: - - id: REQ-ADP-001 + - id: SPWF-ADD-001 title: >- The AddDotNetPackage workflow shall add a .NET SDK package entry to the specified SPDX document with accurate metadata including name, version, @@ -126,7 +131,7 @@ sections: - windows@AddDotNetPackage_WithValidParameters_AddsPackageToDocument - ubuntu@AddDotNetPackage_WithValidParameters_AddsPackageToDocument - - id: REQ-AGP-001 + - id: SPWF-ADD-002 title: >- The AddGccPackage workflow shall add a GNU Compiler Collection package entry to the specified SPDX document with accurate metadata including @@ -140,7 +145,7 @@ sections: - windows@AddGccPackage_WithValidParameters_AddsPackageToDocument - ubuntu@AddGccPackage_WithValidParameters_AddsPackageToDocument - - id: REQ-AIP-001 + - id: SPWF-ADD-003 title: >- The AddIarEwArmPackage workflow shall add an IAR Embedded Workbench for ARM package entry to the specified SPDX document with accurate metadata @@ -154,7 +159,7 @@ sections: - windows@AddIarEwArmPackage_WithValidParameters_AddsPackageToDocument - ubuntu@AddIarEwArmPackage_WithValidParameters_AddsPackageToDocument - - id: REQ-AMP-001 + - id: SPWF-ADD-004 title: >- The AddMsBuildPackage workflow shall add a Microsoft Build Engine package entry to the specified SPDX document with accurate metadata including @@ -169,7 +174,7 @@ sections: - windows@AddMsBuildPackage_WithValidParameters_AddsPackageToDocument - ubuntu@AddMsBuildPackage_WithValidParameters_AddsPackageToDocument - - id: REQ-ANP-001 + - id: SPWF-ADD-005 title: >- The AddNugetPackage workflow shall add a NuGet CLI package entry to the specified SPDX document with accurate metadata including name, version, @@ -183,7 +188,7 @@ sections: - windows@AddNugetPackage_WithValidParameters_AddsPackageToDocument - ubuntu@AddNugetPackage_WithValidParameters_AddsPackageToDocument - - id: REQ-AVP-001 + - id: SPWF-ADD-006 title: >- The AddVsTestPackage workflow shall add a Visual Studio Test Platform package entry to the specified SPDX document with accurate metadata @@ -205,7 +210,7 @@ sections: # - title: Enhance Package Workflows # requirements: # -# - id: REQ-EPF-001 +# - id: SPWF-ENH-001 # title: >- # The EnhancePackageFromNugetSpdx workflow shall update an existing # package entry in an SPDX document with enriched metadata copied from