Skip to content

Commit 441cd36

Browse files
mariojmdavidmariojmdavid
committed
implement comments in PR #93 
1 parent 34835aa commit 441cd36

File tree

1 file changed

+58
-60
lines changed

1 file changed

+58
-60
lines changed

content/06.quality_criteria.md

Lines changed: 58 additions & 60 deletions
Original file line numberDiff line numberDiff line change
@@ -13,7 +13,7 @@ Consequently, software components are more eligible for deployment in production
1313
reducing the likelihood of service disruption.
1414

1515

16-
## 4.1. Code management
16+
## 4.1. Code handling
1717

1818
### 4.1.1. Code Accessibility [QC.Acc]
1919

@@ -91,6 +91,59 @@ A change-based approach is accomplished with a branching model.
9191
* **[QC.Man02.6]** The pull/merge request description **SHOULD** make reference to the identifiers
9292
of the issues it is fixing (to eventually close them, either manually or automatically).
9393

94+
### 4.1.4. Code Review [QC.Rev]
95+
96+
Code review implies the informal, non-automated, peer review of any change in the source code
97+
[@https://owasp.org/www-project-code-review-guide/migrated_content]. It appears as the last step in
98+
the change management pipeline, once the candidate change has successfully passed over the required
99+
set of change-based tests.
100+
101+
* **[QC.Rev01]** Code reviews **MUST** be done in the agreed peer review tool within the project,
102+
with the following RECOMMENDED functionality:
103+
104+
* **[QC.Rev01.1]** Allows general and specific comments on the line or lines that need to be
105+
reviewed.
106+
107+
* **[QC.Rev01.2]** Shows the results of the required change-based test executions.
108+
109+
* **[QC.Rev01.3]** Allows to prevent merges of the candidate change whenever not all the required
110+
tests are successful. Exceptions to this rule cover the third-party or upstream contributions
111+
which MAY use the existing mechanisms or tools for code review provided by the target software
112+
project. This exception **MUST** only be allowed whenever the external revision lifecycle does
113+
not interfere with the project deadlines.
114+
115+
* **[QC.Rev02]** Code reviews **MUST** be open and collaborative, allowing external experts
116+
revisions.
117+
118+
* **[QC.Rev03]** Code reviews **SHOULD** be concise and use neutral language. The areas where the
119+
reviewers MAY focus are:
120+
121+
* **[QC.Rev03.1]** Message description: commit message is clear, self-explanatory and describes
122+
precisely the objectives being addressed.
123+
124+
* **[QC.Rev03.2]** Goal or scope: change is needed and/or addresses/fixes the whole set of
125+
objectives.
126+
127+
* **[QC.Rev03.3]** Code analysis: useless statements in the code, library or modules imported but
128+
never used or code style suggestions.
129+
130+
* **[QC.Rev03.4]** Review of required tests: check if they include tests of the changes, such as
131+
tests of new features, or tests of bug fixing (regression tests), ensuring proper validation of
132+
the changes.
133+
134+
* **[QC.Rev03.5]** Review of documentation: whether the change **SHOULD** bring along a
135+
corresponding update in the documentation.
136+
137+
* **[QC.Rev04]** Code reviews **MUST** be checked on change basis.
138+
139+
* **[QC.Rev05]** Code reviews **SHOULD** assess the inherent security risk of the changes, ensuring
140+
that the security model has not been downgraded or compromised by the changes.
141+
142+
### 4.1.5. Semantic Versioning [QC.Ver]
143+
144+
* **[QC.Ver01]** Semantic Versioning [@https://semver.org] specification is **RECOMMENDED** for
145+
tagging the production releases.
146+
94147
## 4.2. Files and documents
95148

96149
### 4.2.1. Licensing [QC.Lic]
@@ -322,64 +375,9 @@ especially effective at the source code level.
322375
* **[QC.Sec04]** World-writable files or directories **MUST NOT** be present in the product’s
323376
configuration or logging locations.
324377

325-
## 4.4. Code release
326-
327-
### 4.4.1. Semantic Versioning [QC.Ver]
328-
329-
* **[QC.Ver01]** Semantic Versioning [@https://semver.org] specification is **RECOMMENDED** for
330-
tagging the production releases.
331-
332-
### 4.4.2. Code Review [QC.Rev]
333-
334-
Code review implies the informal, non-automated, peer review of any change in the source code
335-
[@https://owasp.org/www-project-code-review-guide/migrated_content]. It appears as the last step in
336-
the change management pipeline, once the candidate change has successfully passed over the required
337-
set of change-based tests.
338-
339-
* **[QC.Rev01]** Code reviews **MUST** be done in the agreed peer review tool within the project,
340-
with the following RECOMMENDED functionality:
341-
342-
* **[QC.Rev01.1]** Allows general and specific comments on the line or lines that need to be
343-
reviewed.
344-
345-
* **[QC.Rev01.2]** Shows the results of the required change-based test executions.
346-
347-
* **[QC.Rev01.3]** Allows to prevent merges of the candidate change whenever not all the required
348-
tests are successful. Exceptions to this rule cover the third-party or upstream contributions
349-
which MAY use the existing mechanisms or tools for code review provided by the target software
350-
project. This exception **MUST** only be allowed whenever the external revision lifecycle does
351-
not interfere with the project deadlines.
352-
353-
* **[QC.Rev02]** Code reviews **MUST** be open and collaborative, allowing external experts
354-
revisions.
355-
356-
* **[QC.Rev03]** Code reviews **SHOULD** be concise and use neutral language. The areas where the
357-
reviewers MAY focus are:
358-
359-
* **[QC.Rev03.1]** Message description: commit message is clear, self-explanatory and describes
360-
precisely the objectives being addressed.
361-
362-
* **[QC.Rev03.2]** Goal or scope: change is needed and/or addresses/fixes the whole set of
363-
objectives.
364-
365-
* **[QC.Rev03.3]** Code analysis: useless statements in the code, library or modules imported but
366-
never used or code style suggestions.
367-
368-
* **[QC.Rev03.4]** Review of required tests: check if they include tests of the changes, such as
369-
tests of new features, or tests of bug fixing (regression tests), ensuring proper validation of
370-
the changes.
371-
372-
* **[QC.Rev03.5]** Review of documentation: whether the change **SHOULD** bring along a
373-
corresponding update in the documentation.
374-
375-
* **[QC.Rev04]** Code reviews **MUST** be checked on change basis.
376-
377-
* **[QC.Rev05]** Code reviews **SHOULD** assess the inherent security risk of the changes, ensuring
378-
that the security model has not been downgraded or compromised by the changes.
379-
380-
## 4.5. Delivery
378+
## 4.4. Delivery
381379

382-
### 4.5.1. Automated Delivery [QC.Del]
380+
### 4.4.1. Automated Delivery [QC.Del]
383381

384382
Automated delivery comprises the build of Software into an artifact, its upload/registration into a
385383
public repository of such artifacts and notification of the success of the process.
@@ -396,9 +394,9 @@ public repository of such artifacts and notification of the success of the proce
396394
* **[QC.Del03]** Upon success of the previous (**QC.Del02**) process, a notification **MUST** be
397395
sent to pre-defined parties such as the main developer or team.
398396

399-
## 4.6. Deployment
397+
## 4.5. Deployment
400398

401-
### 4.6.1. Automated Deployment [QC.Dep]
399+
### 4.5.1. Automated Deployment [QC.Dep]
402400

403401
* **[QC.Dep01]** Production-ready code **MUST** be deployed as a workable system with the minimal
404402
user or system administrator interaction leveraging software configuration management (SCM) tools.

0 commit comments

Comments
 (0)