You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/query-metadata-style-guide.md
+39-17Lines changed: 39 additions & 17 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -121,12 +121,47 @@ Alert queries (`@kind problem` or `path-problem`) support two further properties
121
121
122
122
## Query tags `@tags`
123
123
124
-
The `@tags` property is used to define categories that the query relates to. Each alert query should belong to one (or more, if necessary) of the following four top-level categories:
124
+
The `@tags` property is used to define categories that the query relates to. As we prepare for the release of a dedicated code quality product, we will use tagging to prepare a stronger delineation between queries that are part of our existing "code security" product offering and those that are better suited as part of a "quality" product offering. Each alert query should belong to one of the following two top-level categories, with additional sub-categories:
125
125
126
-
*`@tags correctness`–for queries that detect incorrect program behavior.
127
-
*`@tags maintainability`–for queries that detect patterns that make it harder for developers to make changes to the code.
128
-
*`@tags readability`–for queries that detect confusing patterns that make it harder for developers to read the code.
126
+
#### High level category `@tags`
129
127
*`@tags security`–for queries that detect security weaknesses. See below for further information.
128
+
*`@tags quality`–for queries that detect code quality issues. See below for further information.
129
+
130
+
#### Security query `@tags`
131
+
132
+
If your query is a security query, use one or more `@tags` to associate it with the relevant CWEs. Add `@tags` for the most specific Base Weakness or Class Weakness in [View 1000](https://cwe.mitre.org/data/definitions/1000.html), using the parent/child relationship. For example:
133
+
134
+
|`@tags security`|`external/cwe/cwe-022`|
135
+
|-|-|
136
+
||`external/cwe/cwe-023`|
137
+
||`external/cwe/cwe-036`|
138
+
||`external/cwe/cwe-073`|
139
+
140
+
When you tag a query like this, the associated CWE pages from [MITRE.org](https://cwe.mitre.org/index.html) will automatically appear in the references section of its associated qhelp file.
141
+
142
+
> [!NOTE]
143
+
> The automatic addition of CWE reference links works only if the qhelp file already contains a `<references>` section.
144
+
145
+
#### Quality query sub-category `@tags`
146
+
147
+
*`@tags maintainability`–for queries that detect patterns that make it harder for developers to make changes to the code.
148
+
*`@tags reliability`–for queries that detect issues that affect whether the code will perform as expected during execution.
149
+
150
+
Software quality doesn't have as universally-agreed categorization method as security issues like CWE, so we will do our own categorization instead of using tags like CWE.
151
+
152
+
We'll have two "top-level" categories of quality queries, with sub-categories beneath:
153
+
154
+
*`@tags maintainability`–for queries that detect patterns that make it harder for developers to make changes to the code.
155
+
*`@tags readability`–for queries that detect confusing patterns that make it harder for developers to read the code.
156
+
*
157
+
158
+
159
+
*`@tags reliability`–for queries that detect issues that affect whether the code will perform as expected during execution.
160
+
*`@tags correctness`–for queries that detect incorrect program behavior.
161
+
162
+
163
+
164
+
130
165
131
166
There are also more specific `@tags` that can be added. See, the following pages for examples of the low-level tags:
132
167
@@ -145,20 +180,7 @@ If necessary, you can also define your own low-level tags to categorize the quer
145
180
* Use a forward slash / to indicate a hierarchical relationship between tags if necessary. For example, a query with tag `foo/bar` is also interpreted as also having tag `foo`, but not `bar`.
146
181
* Use a single-word `@tags` name. Multiple words, separated with hyphens, can be used for clarity if necessary.
147
182
148
-
#### Security query `@tags`
149
-
150
-
If your query is a security query, use one or more `@tags` to associate it with the relevant CWEs. Add `@tags` for the most specific Base Weakness or Class Weakness in [View 1000](https://cwe.mitre.org/data/definitions/1000.html), using the parent/child relationship. For example:
151
183
152
-
|`@tags security`|`external/cwe/cwe-022`|
153
-
|-|-|
154
-
||`external/cwe/cwe-023`|
155
-
||`external/cwe/cwe-036`|
156
-
||`external/cwe/cwe-073`|
157
-
158
-
When you tag a query like this, the associated CWE pages from [MITRE.org](https://cwe.mitre.org/index.html) will automatically appear in the references section of its associated qhelp file.
159
-
160
-
> [!NOTE]
161
-
> The automatic addition of CWE reference links works only if the qhelp file already contains a `<references>` section.
0 commit comments