From fe86c02a5206c26d22dbdc6f4a07e8b959194c0c Mon Sep 17 00:00:00 2001 From: Antony Nevis Date: Mon, 8 Apr 2024 12:21:15 +1000 Subject: [PATCH] Security update - Added SonarCloud with coverage - Auto trigger CD on certain directory changes --- .github/workflows/cd.yaml | 12 ++++++---- .github/workflows/ci.yaml | 7 +++++- SECURITY.md | 36 ++++++++++++++++++++++++++++ devbox.json | 3 +++ docs/DEVELOPER.md | 4 ++++ setup.py | 2 +- sonar-project.properties | 10 ++++++++ src/yaml_to_markdown/convert_test.py | 9 +++---- 8 files changed, 72 insertions(+), 11 deletions(-) create mode 100644 SECURITY.md create mode 100644 sonar-project.properties diff --git a/.github/workflows/cd.yaml b/.github/workflows/cd.yaml index 6fcb151..c679c88 100644 --- a/.github/workflows/cd.yaml +++ b/.github/workflows/cd.yaml @@ -2,9 +2,15 @@ name: CD Pipeline run-name: CD ๐Ÿ“ฆ๐Ÿš€ on: - workflow_dispatch: + workflow_run: + workflows: ["CI Pipeline"] + types: [completed] branches: - "main" + paths: + - "src/**" + - "requirements.txt" + - "LICENSE" jobs: CD: @@ -21,10 +27,6 @@ jobs: uses: jetpack-io/devbox-install-action@v0.8.0 - name: Install all dependencies ๐Ÿ“ฆ run: devbox run install - - name: ๐Ÿงน Linting & Formatting - run: devbox run lint && devbox run format - - name: ๐Ÿงช Running Tests - run: devbox run test - name: ๐Ÿ“ฆ Package run: devbox run build - name: ๐Ÿš€ Publish to PyPI diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 6d3fba0..578043b 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -19,5 +19,10 @@ jobs: - name: ๐Ÿงน Linting & Formatting run: devbox run lint && devbox run format - name: ๐Ÿงช Running Tests - run: devbox run test + run: devbox run test-cov + - name: SonarCloud Scan + uses: SonarSource/sonarcloud-github-action@master + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - run: echo "๐Ÿ This job's status is ${{ job.status }}." 
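Review bot: The new `workflow_run` trigger fires on `types: [completed]` whether CI succeeded or failed, and the `CD` job it feeds has no guard on the run's conclusion, so a failed CI run on main would still proceed to package and publish to PyPI — and the second hunk of this file removes the lint/test steps that used to be CD's own backstop. Add `if: ${{ github.event.workflow_run.conclusion == 'success' }}` on the `CD` job (its steps continue past this hunk). Separately, I don't believe `paths:` is honoured under `workflow_run` (the documented filters there are `branches`/`branches-ignore`), so the directory-scoped triggering the commit message describes likely does not take effect and CD runs after every CI completion on main; worth confirming on a real run before relying on it.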
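Review bot: `uses: SonarSource/sonarcloud-github-action@master` pins the new scan step to a mutable branch, so whatever lands on that branch next runs inside this workflow with `SONAR_TOKEN` and `GITHUB_TOKEN` in its environment; the repository already pins `jetpack-io/devbox-install-action@v0.8.0`, and this step should be held to the same standard. Change it to a release tag or, preferably, a full commit SHA with the version noted alongside: `uses: SonarSource/sonarcloud-github-action@<commit-sha> # vX.Y.Z` (placeholder). Note also that `secrets.SONAR_TOKEN` is not available to `pull_request` runs from forks, so if this CI workflow runs on fork PRs the scan step will fail there unless made conditional — the workflow's `on:` block is outside this hunk, so I can't tell which events apply.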
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..86debef
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,36 @@
+# Security Policy
+
+We take the security of our software seriously. If you believe you've found a security issue in this package, we
+encourage you to notify us. We welcome working with you to resolve the issue promptly.
+
+## Supported Versions
+
+We recommend you to use the latest version of the package. We release patches for security vulnerabilities for the
+following versions:
+
+| Version | Supported |
+|---------|--------------------|
+| 0.1.x | :white_check_mark: |
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability within this package, please contact us by sending an email
+to [nss@nevisfamily.com](mailto:nss@nevisfamily.com). All security vulnerabilities will be promptly addressed.
+
+When reporting a security issue, please provide the following information:
+
+- Your name and affiliation (if any).
+- An e-mail address for further discussion.
+- Whether you would like to be credited for your discovery.
+- If you are not the original discoverer of the vulnerability, please provide contact details of the original
+ discoverer.
+- A description of the technical details of the vulnerabilities. It is very important to let us know how we can
+ reproduce the vulnerability.
+- The versions affected.
+- If possible, please provide a proof-of-concept.
+- Any configuration information that is important in reproducing the issue.
+- The CVSS score for the vulnerability.
+- Please do not disclose the vulnerability to the public until we have addressed it.
+
+**Please do not report specifics of security vulnerabilities through public GitHub issues, discussions, or pull
+requests.**
diff --git a/devbox.json b/devbox.json
index 837b665..4acaad5 100644
--- a/devbox.json
+++ b/devbox.json
@@ -16,6 +16,9 @@ "test": [ "pytest src/" ], + "test-cov": [ + "pytest src/ --cov=src/ --cov-report=xml" + ], "lint": [ "flake8 src/" ], diff --git a/docs/DEVELOPER.md b/docs/DEVELOPER.md index 3b59290..15db1f4 100644 --- a/docs/DEVELOPER.md +++ b/docs/DEVELOPER.md @@ -70,6 +70,10 @@ From outside devbox shell ```bash devbox run test ``` +With Coverage, the coverage report will be generated in the `coverage.xml` file. +```bash +devbox run test-cov +``` ## Linting & Formatting diff --git a/setup.py b/setup.py index 2d7a51b..cb9dab1 100644 --- a/setup.py +++ b/setup.py @@ -12,7 +12,7 @@ long_description = long_description.replace( "](", "](https://anevis.github.io/yaml-to-markdown/" -) +).replace(".md)", ".html)") with open("requirements.txt", "r") as req_file: raw_requirements = req_file.readlines() diff --git a/sonar-project.properties b/sonar-project.properties new file mode 100644 index 0000000..2af7c1a --- /dev/null +++ b/sonar-project.properties @@ -0,0 +1,10 @@ +sonar.projectKey=anevis_yaml-to-markdown +sonar.organization=anevis + +# This is the name and version displayed in the SonarCloud UI. +sonar.projectName=yaml-to-markdown +#sonar.projectVersion=1.0 + +sonar.sources=src/ +sonar.coverage.exclusions=./.pytest_cache/**,**_test.py,**.xml,**.yaml,**.yml +sonar.python.coverage.reportPaths=coverage.xml diff --git a/src/yaml_to_markdown/convert_test.py b/src/yaml_to_markdown/convert_test.py index e591fae..895a809 100644 --- a/src/yaml_to_markdown/convert_test.py +++ b/src/yaml_to_markdown/convert_test.py @@ -6,6 +6,7 @@ from yaml_to_markdown.convert import convert _JSON_DATA = '{"key": "value"}' +_OUTPUT_FILE_NAME = "output.md" def test_convert_with_no_file() -> None: 
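Review bot: The new `test-cov` script passes `--cov=src/ --cov-report=xml` to pytest, which is only understood when the `pytest-cov` plugin is installed; nothing in this patch adds it to the project's dependencies, so unless it is already present the CI `Running Tests` step will fail with an unrecognized-arguments error before the Sonar scan ever runs. Confirm `pytest-cov` is among the packages devbox installs, or add it in the same change. The `docs/DEVELOPER.md` addition in this patch would be the natural place to name that requirement next to the `devbox run test-cov` example.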
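Review bot: The appended `.replace(".md)", ".html)")` rewrites every `.md)` in the README text, not only the relative doc links the preceding `](` replacement targets, so any absolute link to a Markdown file elsewhere (another repository, a raw GitHub URL) would be pointed at a `.html` page that doesn't exist; whether the README contains such links I can't see from here. Restricting the extension rewrite to non-absolute targets and doing it before the prefix step keeps everything else unchanged: `long_description = re.sub(r"\]\((?!https?://)([^)]+)\.md\)", r"](\1.html)", long_description)` followed by `long_description = long_description.replace("](", "](https://anevis.github.io/yaml-to-markdown/")` (needs `import re` at the top of `setup.py`). The whole statement is visible in the hunk.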
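Review bot: `sonar.sources=src/` makes SonarCloud analyse the `*_test.py` files as production code — `sonar.coverage.exclusions` only removes them from the coverage figure, not from the source set — so test files feed the code-smell, duplication and security-hotspot counts behind the quality gate. Declare them as tests instead: `sonar.tests=src/`, `sonar.test.inclusions=**/*_test.py`, `sonar.exclusions=**/*_test.py`. The `**.xml,**.yaml,**.yml` entries in a coverage exclusion also appear to be no-ops for a Python coverage report and probably belong in `sonar.exclusions` if the intent is to keep config files out of analysis.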
@@ -22,11 +23,11 @@ def test_convert_with_json_data(mock_open_file: Mock) -> None: mock_open_file.return_value.__enter__.return_value = StringIO(_JSON_DATA) # Execute - convert(output_file="output.md", json_file="test.json") + convert(output_file=_OUTPUT_FILE_NAME, json_file="test.json") # Assert mock_open_file.assert_any_call("test.json", "r", encoding="utf-8") - mock_open_file.assert_any_call("output.md", "w", encoding="utf-8") + mock_open_file.assert_any_call(_OUTPUT_FILE_NAME, "w", encoding="utf-8") @patch("io.open", new_callable=mock_open()) @@ -36,8 +37,8 @@ def test_convert_with_yaml_data(mock_open_file: Mock) -> None: mock_open_file.return_value.__enter__.return_value = StringIO(data) # Execute - convert(output_file="output.md", yaml_file="test.yaml") + convert(output_file=_OUTPUT_FILE_NAME, yaml_file="test.yaml") # Assert mock_open_file.assert_any_call("test.yaml", "r", encoding="utf-8") - mock_open_file.assert_any_call("output.md", "w", encoding="utf-8") + mock_open_file.assert_any_call(_OUTPUT_FILE_NAME, "w", encoding="utf-8")
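Review bot: The refactor hoists only the output name, while `"test.json"` and `"test.yaml"` are still repeated twice each (once in the `convert(...)` call, once in `assert_any_call`), so the drift the new constant guards against remains for the inputs; the third hunk has exactly the same shape. If the goal is to stop literal duplication, `_JSON_FILE_NAME = "test.json"` and `_YAML_FILE_NAME = "test.yaml"` beside `_OUTPUT_FILE_NAME` would finish the job. Both enclosing test functions start before their hunks (the decorator and `def` lines are outside).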