diff --git a/.github/ISSUE_TEMPLATE/bug_report.yml b/.github/ISSUE_TEMPLATE/bug_report.yml new file mode 100644 index 0000000..a3fc2da --- /dev/null +++ b/.github/ISSUE_TEMPLATE/bug_report.yml 
@@ -0,0 +1,97 @@ +name: 🐛 Bug Report +description: Report a bug or unexpected behavior +title: "[Bug]: " +labels: ["bug", "triage"] +body: + - type: markdown + attributes: + value: | + Thanks for taking the time to report this bug! Please fill out the information below to help us resolve the issue. + + - type: textarea + id: description + attributes: + label: Bug Description + description: A clear and concise description of what the bug is. + placeholder: What happened? + validations: + required: true + + - type: textarea + id: steps + attributes: + label: Steps to Reproduce + description: Steps to reproduce the behavior + placeholder: | + 1. Go to '...' + 2. Click on '...' + 3. Scroll down to '...' + 4. See error + validations: + required: true + + - type: textarea + id: expected + attributes: + label: Expected Behavior + description: What did you expect to happen? + placeholder: Describe what you expected to happen + validations: + required: true + + - type: textarea + id: actual + attributes: + label: Actual Behavior + description: What actually happened? + placeholder: Describe what actually happened + validations: + required: true + + - type: dropdown + id: version + attributes: + label: Version + description: Which version of OpenTimeTracker are you using? + options: + - Latest release + - Develop branch + - Specific version (specify in additional context) + validations: + required: true + + - type: dropdown + id: platform + attributes: + label: Platform + description: What operating system are you using? 
+ options: + - Windows + - macOS (Intel) + - macOS (Apple Silicon) + - Linux + validations: + required: true + + - type: textarea + id: logs + attributes: + label: Relevant Logs + description: Please paste any relevant log output or error messages + placeholder: | + Paste logs here (if applicable) + render: shell + + - type: textarea + id: screenshots + attributes: + label: Screenshots + description: If applicable, add screenshots to help explain your problem + placeholder: Drag and drop images here + + - type: textarea + id: context + attributes: + label: Additional Context + description: Add any other context about the problem here (e.g., specific version, commit hash, configuration) + placeholder: Any additional information that might be helpful diff --git a/.github/ISSUE_TEMPLATE/feature_request.yml b/.github/ISSUE_TEMPLATE/feature_request.yml new file mode 100644 index 0000000..b65c2ff --- /dev/null +++ b/.github/ISSUE_TEMPLATE/feature_request.yml 
@@ -0,0 +1,89 @@ +name: ✨ Feature Request +description: Suggest a new feature or enhancement +title: "[Feature]: " +labels: ["enhancement", "triage"] +body: + - type: markdown + attributes: + value: | + Thanks for suggesting a new feature! Please provide as much detail as possible. + + - type: textarea + id: problem + attributes: + label: Problem Statement + description: Is your feature request related to a problem? Please describe. + placeholder: I'm frustrated when... + validations: + required: true + + - type: textarea + id: solution + attributes: + label: Proposed Solution + description: Describe the solution you'd like + placeholder: I would like to see... + validations: + required: true + + - type: textarea + id: alternatives + attributes: + label: Alternatives Considered + description: Describe any alternative solutions or features you've considered + placeholder: Alternative approaches could be... + + - type: dropdown + id: area + attributes: + label: Feature Area + description: Which area of the application does this feature relate to? + options: + - Projects + - Tasks + - Time Entries + - Calendar + - Tags + - UI/UX + - Settings + - Database/Backup + - Performance + - Other + validations: + required: true + + - type: dropdown + id: priority + attributes: + label: Priority + description: How important is this feature to you? + options: + - Low - Nice to have + - Medium - Would improve workflow + - High - Critical for my use case + validations: + required: true + + - type: checkboxes + id: contribution + attributes: + label: Contribution + description: Are you willing to contribute to implementing this feature? 
+ options: + - label: I would like to implement this feature + - label: I can help test this feature + - label: I can help with documentation + + - type: textarea + id: mockups + attributes: + label: Mockups or Examples + description: If applicable, add mockups, sketches, or examples from other applications + placeholder: Drag and drop images here or describe examples + + - type: textarea + id: context + attributes: + label: Additional Context + description: Add any other context, screenshots, or examples about the feature request + placeholder: Any additional information that might be helpful diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md new file mode 100644 index 0000000..2d2f444 --- /dev/null +++ b/.github/pull_request_template.md 
@@ -0,0 +1,128 @@ +## Description + + + +### Goal + + + +### Key Changes + + + +- +- +- + +## Type of Change + + + +- [ ] 🐛 Bug fix (non-breaking change which fixes an issue) +- [ ] ✨ New feature (non-breaking change which adds functionality) +- [ ] 💥 Breaking change (fix or feature that would cause existing functionality to not work as expected) +- [ ] 📝 Documentation update +- [ ] 🎨 Style/UI changes +- [ ] ♻️ Refactoring (no functional changes) +- [ ] ⚡ Performance improvement +- [ ] ✅ Test updates +- [ ] 🔧 Build/configuration changes + +## Impact Assessment + +### Database Impact + + + +- [ ] No database changes +- [ ] New migration(s) included +- [ ] Existing data migration required + + + +### Backup Impact + + + +- [ ] No impact on backups +- [ ] Backup format changed +- [ ] Restore compatibility maintained + + + +## Testing + +### How Has This Been Tested? + + + +- [ ] Unit tests +- [ ] Integration tests +- [ ] Manual testing +- [ ] Tested with SonarQube analysis + +### Test Steps + + + +1. +2. +3. 
+ +### Test Configuration + +- **Node version**: +- **npm version**: +- **Platform tested**: + +## UI Changes + + + +### Before + + + +### After + + + +## Checklist + + + +- [ ] My code follows the project's coding standards +- [ ] I have performed a self-review of my code +- [ ] I have commented my code, particularly in hard-to-understand areas +- [ ] I have made corresponding changes to the documentation +- [ ] My changes generate no new warnings or errors +- [ ] I have added tests that prove my fix is effective or that my feature works +- [ ] New and existing unit tests pass locally with my changes +- [ ] I have run `npm run lint` and fixed any issues +- [ ] I have run `npm test` and all tests pass +- [ ] I have run `npm run test:electron` and all tests pass +- [ ] I have run `npm run sonar:check` and the analysis passes +- [ ] Any dependent changes have been merged and published + +## Breaking Changes + + + +- [ ] This PR contains breaking changes + + + +## Related Issues + + + +Closes # +Related to # + +## Additional Context + + + +## Reviewer Notes + + diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md new file mode 100644 index 0000000..c6d1874 --- /dev/null +++ b/CODE_OF_CONDUCT.md 
@@ -0,0 +1,133 @@ +# Contributor Covenant Code of Conduct + +## Our Pledge + +We as members, contributors, and leaders pledge to make participation in our +community a harassment-free experience for everyone, regardless of age, body +size, visible or invisible disability, ethnicity, sex characteristics, gender +identity and expression, level of experience, education, socio-economic status, +nationality, personal appearance, race, caste, color, religion, or sexual +identity and orientation. + +We pledge to act and interact in ways that contribute to an open, welcoming, +diverse, inclusive, and healthy community. + +## Our Standards + +Examples of behavior that contributes to a positive environment for our +community include: + +* Demonstrating empathy and kindness toward other people +* Being respectful of differing opinions, viewpoints, and experiences +* Giving and gracefully accepting constructive feedback +* Accepting responsibility and apologizing to those affected by our mistakes, + and learning from the experience +* Focusing on what is best not just for us as individuals, but for the overall + community + +Examples of unacceptable behavior include: + +* The use of sexualized language or imagery, and sexual attention or advances of + any kind +* Trolling, insulting or derogatory comments, and personal or political attacks +* Public or private harassment +* Publishing others' private information, such as a physical or email address, + without their explicit permission +* Other conduct which could reasonably be considered inappropriate in a + professional setting + +## Enforcement Responsibilities + +Community leaders are responsible for clarifying and enforcing our standards of +acceptable behavior and will take appropriate and fair corrective action in +response to any behavior that they deem inappropriate, threatening, offensive, +or harmful. 
+ +Community leaders have the right and responsibility to remove, edit, or reject +comments, commits, code, wiki edits, issues, and other contributions that are +not aligned to this Code of Conduct, and will communicate reasons for moderation +decisions when appropriate. + +## Scope + +This Code of Conduct applies within all community spaces, and also applies when +an individual is officially representing the community in public spaces. +Examples of representing our community include using an official e-mail address, +posting via an official social media account, or acting as an appointed +representative at an online or offline event. + +## Enforcement + +Instances of abusive, harassing, or otherwise unacceptable behavior may be +reported to the community leaders responsible for enforcement at +**@altaskur** on GitHub. + +All complaints will be reviewed and investigated promptly and fairly. + +All community leaders are obligated to respect the privacy and security of the +reporter of any incident. + +## Enforcement Guidelines + +Community leaders will follow these Community Impact Guidelines in determining +the consequences for any action they deem in violation of this Code of Conduct: + +### 1. Correction + +**Community Impact**: Use of inappropriate language or other behavior deemed +unprofessional or unwelcome in the community. + +**Consequence**: A private, written warning from community leaders, providing +clarity around the nature of the violation and an explanation of why the +behavior was inappropriate. A public apology may be requested. + +### 2. Warning + +**Community Impact**: A violation through a single incident or series of +actions. + +**Consequence**: A warning with consequences for continued behavior. No +interaction with the people involved, including unsolicited interaction with +those enforcing the Code of Conduct, for a specified period of time. 
This +includes avoiding interactions in community spaces as well as external channels +like social media. Violating these terms may lead to a temporary or permanent +ban. + +### 3. Temporary Ban + +**Community Impact**: A serious violation of community standards, including +sustained inappropriate behavior. + +**Consequence**: A temporary ban from any sort of interaction or public +communication with the community for a specified period of time. No public or +private interaction with the people involved, including unsolicited interaction +with those enforcing the Code of Conduct, is allowed during this period. +Violating these terms may lead to a permanent ban. + +### 4. Permanent Ban + +**Community Impact**: Demonstrating a pattern of violation of community +standards, including sustained inappropriate behavior, harassment of an +individual, or aggression toward or disparagement of classes of individuals. + +**Consequence**: A permanent ban from any sort of public interaction within the +community. + +## Attribution + +This Code of Conduct is adapted from the [Contributor Covenant][homepage], +version 2.1, available at +[https://www.contributor-covenant.org/version/2/1/code_of_conduct.html][v2.1]. + +Community Impact Guidelines were inspired by +[Mozilla's code of conduct enforcement ladder][Mozilla CoC]. + +For answers to common questions about this code of conduct, see the FAQ at +[https://www.contributor-covenant.org/faq][FAQ]. Translations are available at +[https://www.contributor-covenant.org/translations][translations]. + +[homepage]: https://www.contributor-covenant.org +[v2.1]: https://www.contributor-covenant.org/version/2/1/code_of_conduct.html +[Mozilla CoC]: https://github.com/mozilla/diversity +[FAQ]: https://www.contributor-covenant.org/faq +[translations]: https://www.contributor-covenant.org/translations diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 0000000..f8b638b --- /dev/null +++ b/CONTRIBUTING.md 
@@ -0,0 +1,445 @@ +# Contributing to OpenTimeTracker + +Thank you for your interest in contributing to OpenTimeTracker! This guide will help you get started with contributing to the project. + +*Versión en español más abajo / Spanish version below* + +--- + +## Table of Contents + +- [Getting Started](#getting-started) +- [Development Setup](#development-setup) +- [Development Workflow](#development-workflow) +- [Pull Request Guidelines](#pull-request-guidelines) +- [Code Quality Standards](#code-quality-standards) +- [Database Changes](#database-changes) +- [UI and Internationalization](#ui-and-internationalization) +- [Security](#security) +- [Getting Help](#getting-help) + +## Getting Started + +OpenTimeTracker is built with: +- **Angular 21** for the UI +- **Electron 37** for the desktop application +- **Prisma/SQLite** for data persistence +- **License**: GPL-3.0 + +The main branch is `main`, and active development happens on the `develop` branch. + +## Development Setup + +### Prerequisites + +- Node.js 20+ +- npm 10+ +- Docker & Docker Compose (for SonarQube analysis) + +### Installation + +1. Fork and clone the repository: + ```bash + git clone https://github.com/YOUR_USERNAME/OpenTimeTracker.git + cd OpenTimeTracker + ``` + +2. Install dependencies: + ```bash + npm install + npm run prisma:generate + ``` + +3. 
Run the application: + ```bash + npm start # Angular dev server on port 4200 + npm run dev # Build and run Electron in dev mode + ``` + +## Development Workflow + +### Creating a Branch + +Always branch from `develop` with the appropriate prefix: +- `feat/` - New features +- `fix/` - Bug fixes +- `chore/` - Maintenance tasks + +Example: +```bash +git checkout develop +git pull origin develop +git checkout -b feat/your-feature-name +``` + +### Commit Messages + +We use [Conventional Commits](https://www.conventionalcommits.org/) enforced by commitlint: + +``` +type(scope): description + +[optional body] + +[optional footer] +``` + +Types: `feat`, `fix`, `docs`, `style`, `refactor`, `test`, `chore` + +Examples: +- `feat(projects): add project archiving functionality` +- `fix(calendar): correct date calculation in week view` +- `docs(readme): update installation instructions` + +### Testing Your Changes + +Before submitting a pull request, ensure all checks pass: + +```bash +npm run lint # ESLint +npm test # Angular tests +npm run test:electron # Electron tests +npm run sonar:check # Full quality check (tests + coverage + SonarQube) +``` + +**Note**: The pre-push hook automatically runs `sonar:check` for feature branches. Your push will be blocked if the analysis fails. + +## Pull Request Guidelines + +### Before Submitting + +1. Ensure your branch is up to date with `develop` +2. Run all tests and quality checks +3. Test the application manually +4. Update documentation if needed + +### PR Description + +Your pull request should include: + +- **Goal**: What problem does this solve? +- **Key Changes**: Summary of the implementation +- **Database Impact**: Any schema changes or migrations +- **Backup Impact**: Does this affect backup functionality? 
+- **UI Changes**: Screenshots or videos if applicable +- **Testing Steps**: How to verify the changes +- **Breaking Changes**: Flag any breaking changes +- **Related Issues**: Link to relevant issues + +### Review Process + +- Maintainers will review your PR as soon as possible +- Address feedback by pushing new commits to your branch +- Once approved, your PR will be merged into `develop` + +## Code Quality Standards + +### SonarQube + +We use SonarQube for static code analysis. To run it locally: + +1. Start SonarQube: + ```bash + docker-compose up -d # First start takes ~2 minutes + ``` + +2. Access SonarQube at http://localhost:9000 + - Default credentials: `admin` / `admin` + - Change password on first login + +3. Generate a token: + - Go to: My Account → Security → Generate Tokens + - Copy the token + +4. Create a `.env` file: + ``` + SONAR_TOKEN=your_generated_token_here + ``` + +5. Run the analysis: + ```bash + npm run sonar:check + ``` + +6. Stop SonarQube: + ```bash + docker-compose down + ``` + +## Database Changes + +When modifying the Prisma schema: + +1. Create a migration: + ```bash + npx prisma migrate dev --name description_of_change + ``` + +2. Update the production template: + ```bash + npm run prisma:template + ``` + +3. Review changes to `prisma/template.db` and migrations +4. 
**Never commit real user data** to backups or seeds + +## UI and Internationalization + +### UI Framework + +- Uses PrimeNG components and PrimeFlex utilities +- Dark theme (Aura Black) is the default +- Follow existing component patterns + +### Adding Translations + +Add new strings to both language files: +- `src/assets/i18n/en.json` +- `src/assets/i18n/es.json` + +### Accessibility + +Ensure your UI changes: +- Have proper labels for form controls +- Maintain visible focus indicators +- Meet color contrast requirements +- Work with keyboard navigation + +## Security + +- **Never commit** `.env` files or tokens to the repository +- Use environment variables for sensitive configuration +- Report security vulnerabilities privately (see [SECURITY.md](SECURITY.md)) +- Follow secure coding practices + +## Getting Help + +- Check the [README.md](README.md) for project overview and commands +- Review [COLLABORATION.md](COLLABORATION.md) for additional workflow details +- Read the [Code of Conduct](CODE_OF_CONDUCT.md) +- Open an issue for questions or bug reports + +--- + +## Colaboración en OpenTimeTracker (Español) + +Gracias por tu interés en contribuir a OpenTimeTracker. Esta guía te ayudará a comenzar. + +--- + +## Tabla de Contenidos + +- [Comenzando](#comenzando) +- [Configuración del Entorno](#configuración-del-entorno) +- [Flujo de Trabajo](#flujo-de-trabajo) +- [Guía para Pull Requests](#guía-para-pull-requests) +- [Estándares de Calidad](#estándares-de-calidad) +- [Cambios en la Base de Datos](#cambios-en-la-base-de-datos) +- [UI e Internacionalización](#ui-e-internacionalización) +- [Seguridad](#seguridad-1) +- [Obtener Ayuda](#obtener-ayuda) + +## Comenzando + +OpenTimeTracker está construido con: +- **Angular 21** para la interfaz +- **Electron 37** para la aplicación de escritorio +- **Prisma/SQLite** para persistencia de datos +- **Licencia**: GPL-3.0 + +La rama principal es `main`, y el desarrollo activo ocurre en la rama `develop`. 
+ +## Configuración del Entorno + +### Requisitos Previos + +- Node.js 20+ +- npm 10+ +- Docker & Docker Compose (para análisis de SonarQube) + +### Instalación + +1. Haz fork y clona el repositorio: + ```bash + git clone https://github.com/TU_USUARIO/OpenTimeTracker.git + cd OpenTimeTracker + ``` + +2. Instala las dependencias: + ```bash + npm install + npm run prisma:generate + ``` + +3. Ejecuta la aplicación: + ```bash + npm start # Servidor Angular en puerto 4200 + npm run dev # Construye y ejecuta Electron en modo dev + ``` + +## Flujo de Trabajo + +### Crear una Rama + +Siempre crea ramas desde `develop` con el prefijo apropiado: +- `feat/` - Nuevas características +- `fix/` - Corrección de errores +- `chore/` - Tareas de mantenimiento + +Ejemplo: +```bash +git checkout develop +git pull origin develop +git checkout -b feat/nombre-de-tu-caracteristica +``` + +### Mensajes de Commit + +Usamos [Conventional Commits](https://www.conventionalcommits.org/) validados por commitlint: + +``` +tipo(alcance): descripción + +[cuerpo opcional] + +[pie opcional] +``` + +Tipos: `feat`, `fix`, `docs`, `style`, `refactor`, `test`, `chore` + +Ejemplos: +- `feat(proyectos): añadir funcionalidad de archivo de proyectos` +- `fix(calendario): corregir cálculo de fecha en vista semanal` +- `docs(readme): actualizar instrucciones de instalación` + +### Probar tus Cambios + +Antes de enviar un pull request, asegúrate de que todas las pruebas pasen: + +```bash +npm run lint # ESLint +npm test # Pruebas de Angular +npm run test:electron # Pruebas de Electron +npm run sonar:check # Verificación completa (pruebas + cobertura + SonarQube) +``` + +**Nota**: El hook pre-push ejecuta automáticamente `sonar:check` para ramas de características. Tu push será bloqueado si el análisis falla. + +## Guía para Pull Requests + +### Antes de Enviar + +1. Asegúrate de que tu rama esté actualizada con `develop` +2. Ejecuta todas las pruebas y verificaciones de calidad +3. 
Prueba la aplicación manualmente +4. Actualiza la documentación si es necesario + +### Descripción del PR + +Tu pull request debe incluir: + +- **Objetivo**: ¿Qué problema resuelve esto? +- **Cambios Clave**: Resumen de la implementación +- **Impacto en la Base de Datos**: Cambios de esquema o migraciones +- **Impacto en Backups**: ¿Esto afecta la funcionalidad de backup? +- **Cambios de UI**: Capturas de pantalla o videos si aplica +- **Pasos de Prueba**: Cómo verificar los cambios +- **Cambios Incompatibles**: Marcar cambios que rompen compatibilidad +- **Issues Relacionados**: Enlazar a issues relevantes + +### Proceso de Revisión + +- Los mantenedores revisarán tu PR tan pronto como sea posible +- Aborda el feedback haciendo nuevos commits en tu rama +- Una vez aprobado, tu PR será fusionado en `develop` + +## Estándares de Calidad + +### SonarQube + +Usamos SonarQube para análisis estático de código. Para ejecutarlo localmente: + +1. Inicia SonarQube: + ```bash + docker-compose up -d # El primer inicio tarda ~2 minutos + ``` + +2. Accede a SonarQube en http://localhost:9000 + - Credenciales por defecto: `admin` / `admin` + - Cambia la contraseña en el primer inicio + +3. Genera un token: + - Ve a: Mi Cuenta → Seguridad → Generar Tokens + - Copia el token + +4. Crea un archivo `.env`: + ``` + SONAR_TOKEN=tu_token_generado_aqui + ``` + +5. Ejecuta el análisis: + ```bash + npm run sonar:check + ``` + +6. Detén SonarQube: + ```bash + docker-compose down + ``` + +## Cambios en la Base de Datos + +Al modificar el esquema de Prisma: + +1. Crea una migración: + ```bash + npx prisma migrate dev --name descripcion_del_cambio + ``` + +2. Actualiza la plantilla de producción: + ```bash + npm run prisma:template + ``` + +3. Revisa los cambios en `prisma/template.db` y las migraciones +4. 
**Nunca subas datos reales de usuario** a backups o seeds + +## UI e Internacionalización + +### Framework de UI + +- Usa componentes PrimeNG y utilidades PrimeFlex +- El tema oscuro (Aura Black) es el predeterminado +- Sigue los patrones de componentes existentes + +### Añadir Traducciones + +Añade nuevas cadenas a ambos archivos de idioma: +- `src/assets/i18n/en.json` +- `src/assets/i18n/es.json` + +### Accesibilidad + +Asegúrate de que tus cambios de UI: +- Tengan etiquetas apropiadas para controles de formulario +- Mantengan indicadores de foco visibles +- Cumplan requisitos de contraste de color +- Funcionen con navegación por teclado + +## Seguridad + +- **Nunca subas** archivos `.env` o tokens al repositorio +- Usa variables de entorno para configuración sensible +- Reporta vulnerabilidades de seguridad de forma privada (ver [SECURITY.md](SECURITY.md)) +- Sigue prácticas de codificación segura + +## Obtener Ayuda + +- Consulta [README.md](README.md) para descripción general y comandos +- Revisa [COLLABORATION.md](COLLABORATION.md) para detalles adicionales del flujo de trabajo +- Lee el [Código de Conducta](CODE_OF_CONDUCT.md) +- Abre un issue para preguntas o reportes de errores + +--- + +Thank you for contributing to OpenTimeTracker! 🚀 diff --git a/README.md b/README.md index 1e992f7..88cb8dd 100644 --- a/README.md +++ b/README.md 
@@ -191,13 +191,34 @@ This project uses **SonarQube** for static code analysis. Before contributing to ## 🤝 Contributing -Contributions are welcome! Please feel free to submit a Pull Request. +Contributions are welcome! We appreciate your interest in improving OpenTimeTracker. + +### Getting Started + +Please read our contributing guidelines to get started: + +- **[CONTRIBUTING.md](CONTRIBUTING.md)** - Comprehensive guide for contributors (includes setup, workflow, and testing) +- **[CODE_OF_CONDUCT.md](CODE_OF_CONDUCT.md)** - Community standards and expectations +- **[SECURITY.md](SECURITY.md)** - How to report security vulnerabilities +- **[COLLABORATION.md](COLLABORATION.md)** - Additional workflow and technical details + +### Quick Start 1. Fork the repository -2. Create your feature branch (`git checkout -b feature/AmazingFeature`) -3. Commit your changes (`git commit -m 'Add some AmazingFeature'`) -4. Push to the branch (`git push origin feature/AmazingFeature`) -5. Open a Pull Request +2. Create your feature branch from `develop` (`git checkout -b feat/AmazingFeature`) +3. Make your changes following our [coding standards](CONTRIBUTING.md) +4. Run tests and quality checks: `npm run lint && npm test && npm run sonar:check` +5. Commit your changes using [Conventional Commits](https://www.conventionalcommits.org/) +6. Push to your branch (`git push origin feat/AmazingFeature`) +7. Open a Pull Request against the `develop` branch + +### Questions or Issues? + +- Check existing [issues](https://github.com/altaskur/OpenTimeTracker/issues) +- Use our [issue templates](.github/ISSUE_TEMPLATE) for bug reports or feature requests +- Follow the [pull request template](.github/pull_request_template.md) when submitting PRs + +Thank you for contributing! 🚀 ## 📄 License diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..75b4d87 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,103 @@ +# Security Policy + +## Reporting a Vulnerability + +The OpenTimeTracker team takes security vulnerabilities seriously. We appreciate your efforts to responsibly disclose your findings and will make every effort to acknowledge your contributions. + +### How to Report a Security Vulnerability + +**Please DO NOT report security vulnerabilities through public GitHub issues.** + +Instead, please report security vulnerabilities by: + +1. **Opening a private security advisory** on GitHub: + - Go to the [Security tab](https://github.com/altaskur/OpenTimeTracker/security/advisories) + - Click "Report a vulnerability" + - Fill in the details + +2. **Contacting the maintainer directly**: + - GitHub: [@altaskur](https://github.com/altaskur) + - Please include "SECURITY" in the subject line + +### What to Include in Your Report + +To help us understand and address the issue quickly, please include as much of the following information as possible: + +- **Type of vulnerability** (e.g., SQL injection, XSS, authentication bypass, etc.) +- **Full paths of source file(s)** related to the manifestation of the issue +- **Location of the affected source code** (tag/branch/commit or direct URL) +- **Step-by-step instructions** to reproduce the issue +- **Proof-of-concept or exploit code** (if possible) +- **Impact of the issue**, including how an attacker might exploit it +- **Your assessment of severity** (Critical, High, Medium, Low) +- **Any possible mitigations** you've identified + +### What to Expect + +- **Acknowledgment**: We will acknowledge receipt of your vulnerability report within 3 business days. +- **Assessment**: We will work to verify and assess the vulnerability within 7 days. +- **Updates**: We will keep you informed about the progress of fixing the issue. +- **Resolution**: We aim to release a fix within 30 days for critical vulnerabilities, longer for less severe issues. 
+- **Credit**: With your permission, we will publicly acknowledge your responsible disclosure once the vulnerability is fixed. + +## Security Update Process + +When a security vulnerability is confirmed: + +1. We will develop and test a fix +2. We will prepare a security advisory +3. We will release a patched version +4. We will publish the security advisory with details and credit + +## Supported Versions + +We provide security updates for the following versions: + +| Version | Supported | +| ------- | ------------------ | +| Latest release (main branch) | :white_check_mark: | +| Develop branch | :white_check_mark: | +| Older releases | :x: | + +We recommend always using the latest stable release. + +## Security Best Practices for Contributors + +When contributing to OpenTimeTracker: + +- **Never commit secrets**: Don't commit `.env` files, API keys, tokens, or passwords +- **Use environment variables**: Store sensitive configuration in environment variables +- **Validate input**: Always validate and sanitize user input +- **Follow secure coding practices**: Review OWASP guidelines for common vulnerabilities +- **Keep dependencies updated**: Regularly update npm packages to patch known vulnerabilities +- **Review security alerts**: Pay attention to GitHub security advisories and Dependabot alerts + +## Known Security Considerations + +### Data Storage + +OpenTimeTracker stores all data locally in a SQLite database. 
Users are responsible for: +- Securing their local database files +- Managing backups securely +- Protecting their system from unauthorized access + +### Electron Security + +The application uses Electron with the following security measures: +- Context isolation enabled in preload scripts +- Node integration disabled in renderer processes +- IPC communication through secure channels + +## Additional Resources + +- [OWASP Top Ten](https://owasp.org/www-project-top-ten/) +- [Electron Security Checklist](https://www.electronjs.org/docs/latest/tutorial/security) +- [GitHub Security Advisories](https://docs.github.com/en/code-security/security-advisories) + +## Questions? + +If you have questions about this security policy, please open a regular (non-security) issue in the repository or contact [@altaskur](https://github.com/altaskur). + +--- + +Thank you for helping keep OpenTimeTracker and its users safe!
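Review bot: the intro `markdown` block in `.github/ISSUE_TEMPLATE/bug_report.yml` should steer security reports away from this public form, since `SECURITY.md` in the same change says "Please DO NOT report security vulnerabilities through public GitHub issues." Add a line such as `If this is a security vulnerability, do not file it here; see SECURITY.md for private reporting.` to the `value: |` text. In the same file, the `logs` textarea (`label: Relevant Logs`) asks reporters to paste raw log output; its `description` should tell them to strip anything sensitive first (usernames, file paths, project or task names), because the application stores time-tracking data locally and those details would otherwise land in a public issue.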
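Review bot: the `## Type of Change` checklist in `.github/pull_request_template.md` has no security-fix entry, and `## Impact Assessment` covers only database and backup impact, so a PR that touches the preload script, IPC handlers or `BrowserWindow` `webPreferences` has nowhere to declare it, even though `SECURITY.md` in this same change relies on context isolation, disabled node integration and the IPC design. Suggest adding `- [ ] 🔒 Security fix` under Type of Change and an `### Electron/IPC Impact` block next to Database Impact (for example `- [ ] No changes to preload, IPC channels or webPreferences`). Minor: `- [ ] Tested with SonarQube analysis` under `### How Has This Been Tested?` duplicates `- [ ] I have run \`npm run sonar:check\` and the analysis passes` in the Checklist.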
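Review bot: the `## Enforcement` section of `CODE_OF_CONDUCT.md` names `**@altaskur** on GitHub` as the reporting channel, but a GitHub handle is not a private channel (mentions, issues and discussions are public), which conflicts with the following paragraph's promise to "respect the privacy and security of the reporter". Give an email address or another private contact, or point reporters at the same private route `SECURITY.md` uses.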
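Review bot: the `### Testing Your Changes` note in `CONTRIBUTING.md` ("Your push will be blocked if the analysis fails") presents the pre-push hook as a gate, but a local git hook runs on the contributor's machine and is skipped by `git push --no-verify` or by any clone that never installed the hooks, so it should be described as a convenience and the actual enforcement named (a CI check on PRs to `develop`). The same step should say the hook needs the local SonarQube container from `docker-compose up -d` and a `SONAR_TOKEN` in `.env`, otherwise a first push on a feature branch fails with no obvious cause. Two smaller points: the Spanish table of contents links `[Seguridad](#seguridad-1)`, but there is only one `## Seguridad` heading, so the slug is `#seguridad`; and the `## Security` bullet "Never commit `.env` files" should be backed by a `.env` entry in `.gitignore`, which this change neither adds nor references.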
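Review bot: step 4 of `### Quick Start` in `README.md` runs `npm run lint && npm test && npm run sonar:check` but omits `npm run test:electron`, which the new PR template lists as required (`- [ ] I have run \`npm run test:electron\` and all tests pass`); add it to the chain. The step also assumes SonarQube is already running locally with a token in `.env`; a pointer to the SonarQube setup in `CONTRIBUTING.md` would spare new contributors a failed first run.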
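Review bot: the `### Electron Security` list in `SECURITY.md` says "Context isolation enabled in preload scripts", but `contextIsolation` is a `BrowserWindow` `webPreferences` option, not something a preload script enables; reword to "Context isolation enabled (`contextIsolation: true`), with the preload script exposing an allowlisted API through `contextBridge`" if that is what the code does, and replace "IPC communication through secure channels" with the concrete mechanism (named `ipcMain.handle` channels invoked from the preload, arguments validated in the main process), since "secure channels" makes no checkable claim. Under `### How to Report a Security Vulnerability`, option 2 ("Contacting the maintainer directly") gives only a GitHub profile link yet asks for "SECURITY" in the subject line; a profile has no subject line and no private message path, so either add an email address or drop option 2 and keep the private advisory route. Under `### Data Storage`, state explicitly whether the SQLite file and backups are encrypted at rest: "Users are responsible for securing their local database files" reads as if they are not, and users need that stated plainly.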