parasoft · tobyash86 · Feb 3, 2026 · Feb 3, 2026 · Feb 3, 2026 · Feb 3, 2026
diff --git a/.github/workflows/dottest_min_sa.yml b/.github/workflows/dottest_min_sa.yml
@@ -0,0 +1,60 @@
+# This is a basic workflow to help you get started with Actions
+
+name: dotTEST minimal Static Analysis
+
+# Controls when the action will run. 
+on:
+  # Triggers the workflow on push or pull request events but only for the master branch
+  pull_request:
+    branches: [ main ]
+
+  # Allows you to run this workflow manually from the Actions tab
+  workflow_dispatch:
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+jobs:
+  # This workflow contains a single job called "build"
+  dotTEST-static-analysis:
+    # The type of runner that the job will run on
+    runs-on: self-hosted
+
+    # Steps represent a sequence of tasks that will be executed as part of the job
+    steps:
+      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
+      # Depth set to 0 for highest performance
+      - name: Checkout sources
+        uses: actions/checkout@v3
+        with: 
+          fetch-depth: 0
+
+      - name: Run dotTEST min. SA
+        id: dottest_min_sa
+        # You may pin to the exact commit or the version.
+        # uses: tobyash86/run-dottest-analyzer-proto@1bc4be095189f455793afdb10b47127e06ae25ff
+        uses: parasoft/run-dottest-analyzer@2.0.0
+        with:
+          # Path to working directory.
+          installDir: c:\Program Files\Parasoft\dotTEST\2022.2
+          testConfig: OWASP Top 10-2021
+          property: 'scope.scontrol.files.filter.mode=branch;
+            scope.scontrol.ref.branch=origin/main;
+            scope.scontrol=true;
+            scontrol.rep1.type=git;
+            scontrol.rep1.git.url=${{ github.server_url }}/${{ github.repository }};
+            scontrol.rep1.git.workspace=${{ github.workspace }};
+            scontrol.git.exec=C:\Program Files\Git\bin\git.exe'
+
+      # ---------------------------------------------------------------
+      # Upload the findings into the GitHub code scanning alert section
+      - name: Upload static results to GitHub
+        uses: github/codeql-action/upload-sarif@v1
+        with:
+          sarif_file: ${{ steps.dottest_min_sa.outputs.report }}
+
+      # ---------------------------------------------------------------
+      # Archive the findings reports as job artifact
+      - name: Upload static analysis artifacts
+        uses: actions/upload-artifact@v3
+        with:
+          name: Diff SA Report files
+          path: ${{ steps.dottest_min_sa.outputs.reportDir }}/*.*
diff --git a/.github/workflows/dottest_sa.yml b/.github/workflows/dottest_sa.yml
@@ -0,0 +1,51 @@
+# This is a basic workflow to help you get started with Actions
+
+name: dotTEST Static Analysis
+
+# Controls when the action will run. 
+on:
+  # Triggers the workflow on push or pull request events but only for the master branch
+  push:
+    branches: [ main ]
+
+  # Allows you to run this workflow manually from the Actions tab
+  workflow_dispatch:
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+jobs:
+  # This workflow contains a single job called "build"
+  dotTEST-static-analysis:
+    # The type of runner that the job will run on
+    runs-on: self-hosted
+
+    # Steps represent a sequence of tasks that will be executed as part of the job
+    steps:
+      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
+      # Depth set to 0 for highest performance
+      - name: Checkout sources
+        uses: actions/checkout@v3
+
+      - name: Run dotTEST static analysis
+        id: dottest_sa
+        # You may pin to the exact commit or the version.
+        # uses: tobyash86/run-dottest-analyzer-proto@1bc4be095189f455793afdb10b47127e06ae25ff
+        uses: parasoft/run-dottest-analyzer@2.0.0
+        with:
+          # Path to working directory.
+          installDir: c:\Program Files\Parasoft\dotTEST\2022.2
+          testConfig: Flow Analysis
+
+      # ---------------------------------------------------------------
+      # Upload the findings into the GitHub code scanning alert section
+      - name: Upload static results to GitHub
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: ${{ steps.dottest_sa.outputs.report }}
+
+      # ---------------------------------------------------------------
+      # Archive the findings reports as job artifact
+      - name: Upload static analysis artifacts
+        uses: actions/upload-artifact@v3
+        with:
+          name: Report files
+          path: ${{ steps.dottest_sa.outputs.reportDir }}/*.*
diff --git a/.github/workflows/dottest_tia.yml b/.github/workflows/dottest_tia.yml
@@ -0,0 +1,62 @@
+# This is a basic workflow to help you get started with Actions
+
+name: dotTEST TIA
+
+# Controls when the action will run. 
+on:
+  # Triggers the workflow on push or pull request events but only for the master branch
+  pull_request:
+    branches: [ main ]
+
+  # Allows you to run this workflow manually from the Actions tab
+  workflow_dispatch:
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+jobs:
+  # This workflow contains a single job called "build"
+  dotTEST-TIA:
+    # The type of runner that the job will run on
+    runs-on: self-hosted
+
+    # Steps represent a sequence of tasks that will be executed as part of the job
+    steps:
+      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
+      # Depth set to 0 for highest performance
+      - name: Checkout sources
+        uses: actions/checkout@v3
+        with: 
+          fetch-depth: 0
+
+      # Download last artifacts and unzip them
+      - uses: blablacar/action-download-last-artifact@master
+        with:
+         name: Test Report files
+         path: baseline_reports
+
+      - name: Run dotTEST TIA
+        id: dottest_ut
+        # You may pin to the exact commit or the version.
+        # uses: tobyash86/run-dottest-analyzer-proto@1bc4be095189f455793afdb10b47127e06ae25ff
+        uses: parasoft/run-dottest-analyzer@2.0.0
+        with:
+          # Path to working directory.
+          installDir: c:\Program Files\Parasoft\dotTEST\2022.2
+          testConfig: Run VSTest Tests with Coverage
+          referenceReportFile: c:\actions-runner\_work\WebGoat.NET\WebGoat.NET\baseline_reports\report.xml
+          referenceCoverageFile: c:\actions-runner\_work\WebGoat.NET\WebGoat.NET\baseline_reports\coverage.xml
+
+      # ---------------------------------------------------------------
+      # Upload the findings into the GitHub code scanning alert section
+      - name: Upload TIA results to GitHub
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: ${{ steps.dottest_ut.outputs.report }}
+
+      # ---------------------------------------------------------------
+      # Archive the findings reports as job artifact
+      - name: Upload execution artifacts
+        uses: actions/upload-artifact@v3
+        with:
+          name: TIA Report files
+          path: ${{ steps.dottest_ut.outputs.reportDir }}/*.*
+
diff --git a/.github/workflows/dottest_ut.yml b/.github/workflows/dottest_ut.yml
@@ -0,0 +1,52 @@
+# This is a basic workflow to help you get started with Actions
+
+name: dotTEST Unit Tests
+
+# Controls when the action will run. 
+on:
+  # Triggers the workflow on push or pull request events but only for the master branch
+  push:
+    branches: [ main ]
+
+  # Allows you to run this workflow manually from the Actions tab
+  workflow_dispatch:
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+jobs:
+  # This workflow contains a single job called "build"
+  dotTEST-UT-execution:
+    # The type of runner that the job will run on
+    runs-on: self-hosted
+
+    # Steps represent a sequence of tasks that will be executed as part of the job
+    steps:
+      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
+      # Depth set to 0 for highest performance
+      - name: Checkout sources
+        uses: actions/checkout@v3
+
+      - name: Run dotTEST unit tests
+        id: dottest_ut
+        # You may pin to the exact commit or the version.
+        # uses: tobyash86/run-dottest-analyzer-proto@1bc4be095189f455793afdb10b47127e06ae25ff
+        uses: parasoft/run-dottest-analyzer@master
+        with:
+          # Path to working directory.
+          installDir: c:\Program Files\Parasoft\dotTEST\2022.2
+          testConfig: Run VSTest Tests with Coverage
+
+      # ---------------------------------------------------------------
+      # Upload the findings into the GitHub code scanning alert section
+      - name: Upload UT results to GitHub
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: ${{ steps.dottest_ut.outputs.report }}
+
+      # ---------------------------------------------------------------
+      # Archive the findings reports as job artifact
+      - name: Upload execution artifacts
+        uses: actions/upload-artifact@v3
+        with:
+          name: Test Report files
+          path: ${{ steps.dottest_ut.outputs.reportDir }}/*.*
+
diff --git a/.gitignore b/.gitignore
@@ -8,4 +8,5 @@
 [Rr]elease/
 x64/
 app/
-packages
+packages
+coverage
diff --git a/WebGoat.NET.Tests/BlogRepositoryTests/BlogEntryRepositoryTests.cs b/WebGoat.NET.Tests/BlogRepositoryTests/BlogEntryRepositoryTests.cs
@@ -0,0 +1,55 @@
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.ChangeTracking;
+using Microsoft.EntityFrameworkCore.ChangeTracking.Internal;
+using Microsoft.EntityFrameworkCore.Metadata;
+using Moq;
+using System.Data.Entity.Core.Objects.DataClasses;
+using System.Data.Entity.Infrastructure;
+using WebGoatCore.Data;
+using WebGoatCore.Models;
+using static System.Runtime.InteropServices.JavaScript.JSType;
+using NUnit.Framework;
+
+namespace WebGoat.NET.Tests.BlogRepositoryTests;
+
+[TestFixture]
+public class Tests
+{
+    Mock<NorthwindContext> _context;
+
+    [SetUp]
+    public void Setup()
+    {
+        _context = ContextSetup.CreateContext();
+    }
+
+    [Test]
+    public void GetBlogEntryTest()
+    {
+        var blogEntryRepo = new BlogEntryRepository(_context.Object);
+
+        var entry = blogEntryRepo.GetBlogEntry(1);
+
+        Assert.That(entry.Author, Is.EqualTo("admin"));
+    }
+
+    [Test]
+    public void TestEntryCreation()
+    {
+        var blogEntryRepo = new BlogEntryRepository(_context.Object);
+
+        var entry = blogEntryRepo.CreateBlogEntry("NEW ENTRY", "NEW ENTRY CONTENT", "me");
+
+        Assert.That(entry.Author, Is.EqualTo("me"));
+    }
+
+    [Test]
+    public void GetTopEntriesTest()
+    {
+        var blogEntryRepo = new BlogEntryRepository(_context.Object);
+
+        var entries = blogEntryRepo.GetTopBlogEntries();
+
+        Assert.That(entries.Count, Is.EqualTo(1));
+    }
+}
diff --git a/WebGoat.NET.Tests/BlogRepositoryTests/ContextSetup.cs b/WebGoat.NET.Tests/BlogRepositoryTests/ContextSetup.cs
@@ -0,0 +1,48 @@
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.ChangeTracking;
+using Microsoft.EntityFrameworkCore.ChangeTracking.Internal;
+using Microsoft.EntityFrameworkCore.Metadata;
+using Moq;
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+using System.Threading.Tasks;
+using WebGoatCore.Data;
+using WebGoatCore.Models;
+
+namespace WebGoat.NET.Tests.BlogRepositoryTests
+{
+    internal static class ContextSetup
+    {
+        internal static Mock<NorthwindContext> CreateContext()
+        {
+            // create test DB
+            var initialBlogEntries = new List<BlogEntry> {
+            new BlogEntry() { Author = "admin", Contents = "Test Content", Id = 1, PostedDate = DateTime.Now, Responses = new List<BlogResponse>(), Title = "Test Title" }
+        }.AsQueryable();
+
+            Func<BlogEntry, EntityEntry<BlogEntry>> mockEntityEntry = (BlogEntry data) =>
+            {
+                var internalEntityEntry = new InternalEntityEntry(
+                    new Mock<IStateManager>().Object,
+                    new RuntimeEntityType(nameof(BlogEntry), typeof(BlogEntry), false, null, null, null, ChangeTrackingStrategy.Snapshot, null, false, null),
+                    data);
+
+                var entityEntry = new EntityEntry<BlogEntry>(internalEntityEntry);
+                return entityEntry;
+            };
+
+            var mockSet = DbSetTestUtil.CreateDbSetMock(initialBlogEntries);
+
+            mockSet.Setup(m => m.Add(It.IsAny<BlogEntry>())).Returns(mockEntityEntry);
+
+            var context = new Mock<NorthwindContext>();
+            context.SetupGet(c => c.BlogEntries).Returns(mockSet.Object);
+
+            return context;
+        }
+
+
+    }
+}
diff --git a/WebGoat.NET.Tests/CategoryRepositoryTests/CategoryRepositoryTests.cs b/WebGoat.NET.Tests/CategoryRepositoryTests/CategoryRepositoryTests.cs
@@ -0,0 +1,42 @@
+using Moq;
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+using System.Threading.Tasks;
+using WebGoatCore.Data;
+
+namespace WebGoat.NET.Tests.CategoryRepositoryTests
+{
+    [TestFixture]
+    public class CategoryRepositoryTests
+    {
+        Mock<NorthwindContext> _context;
+
+        [SetUp]
+        public void Setup()
+        {
+            _context = ContextSetup.CreateContext();
+        }
+
+        [Test]
+        public void GetAllCategoriesTest()
+        {
+            CategoryRepository repo = new CategoryRepository(_context.Object);
+            var cats = repo.GetAllCategories();
+
+            Assert.That(cats.Count(), Is.EqualTo(3));
+        }
+
+        [TestCase(1, "Basic")]
+        [TestCase(2, "Drink")]
+        [TestCase(3, "Sandwich")]
+        public void GetCategoryTest(int id, string expName)
+        {
+            CategoryRepository repo = new CategoryRepository(_context.Object);
+            var cat = repo.GetById(id);
+
+            Assert.That(cat.CategoryName, Is.EqualTo(expName));
+        }
+    }
+}