sonar-project.properties
# SonarQube / SonarCloud configuration
# Exclude from ALL analysis:
# - Generated schema files (auto-generated by ts-xsd codegen, duplication + http URI false positives)
# - AI agent skills/rules/workflows (documentation with embedded code examples, not application code)
sonar.exclusions=\
**/generated/**,\
.agents/**,\
.windsurf/**,\
.claude/**,\
.skills/**
# Exclude from copy-paste detection (CPD):
# - Generated schema files (auto-generated)
# - Test files (test data & assertions are intentionally repetitive)
sonar.cpd.exclusions=\
**/generated/**,\
**/*.test.ts,\
**/*.spec.ts,\
**/tests/**,\
**/fixtures/**
# ── Security-hotspot scoping ──────────────────────────────────────────
# Some rules fire heavily on patterns that are structurally safe in this
# repo (XML namespace URIs that look like http:// URLs, test harnesses
# that spawn child processes with constant argv, PATH env manipulation
# in test scripts, etc.). Rather than marking hundreds of hotspots SAFE
# one by one in the UI, pin the rules to the contexts where they
# actually provide signal. Each hN entry below pairs one rule key with
# one path glob; a rule stays active everywhere its glob does not match.
sonar.issue.ignore.multicriteria=h1,h2,h3,h4,h5,h6,h7,h8,h9,h10,h11,h12,h13
# S5332 "clear-text http protocol" — the overwhelming majority of these
# are XML namespace URIs (http://www.sap.com/…) which are identifiers,
# not network endpoints. Scope the rule to runtime code only.
# Caveat: h4 also silences the rule for everything under .github/**, so
# a plain-http download in a workflow step is no longer flagged either;
# keep CI fetches on https by convention.
sonar.issue.ignore.multicriteria.h1.ruleKey=typescript:S5332
sonar.issue.ignore.multicriteria.h1.resourceKey=**/tests/**
sonar.issue.ignore.multicriteria.h2.ruleKey=typescript:S5332
sonar.issue.ignore.multicriteria.h2.resourceKey=**/*.test.ts
sonar.issue.ignore.multicriteria.h3.ruleKey=typescript:S5332
sonar.issue.ignore.multicriteria.h3.resourceKey=**/*.spec.ts
sonar.issue.ignore.multicriteria.h4.ruleKey=typescript:S5332
sonar.issue.ignore.multicriteria.h4.resourceKey=.github/**
# S4721 "executing this OS command" — test harnesses, internal tools,
# and CI scripts invoke child processes with constant argv (git, npm,
# bun, etc.). Command injection needs attacker-influenced input reaching
# a shell or argv, and that only happens in runtime code, not in our
# dev-tooling. `tools/**` is the set of in-repo Nx plugins + scaffolding
# that never runs in production.
sonar.issue.ignore.multicriteria.h5.ruleKey=typescript:S4721
sonar.issue.ignore.multicriteria.h5.resourceKey=**/tests/**
sonar.issue.ignore.multicriteria.h6.ruleKey=typescript:S4721
sonar.issue.ignore.multicriteria.h6.resourceKey=scripts/**
sonar.issue.ignore.multicriteria.h7.ruleKey=typescript:S4721
sonar.issue.ignore.multicriteria.h7.resourceKey=tools/**
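The distinction the S4721 scoping above relies on, shown as an added example rather than code from the adt-cli repository: a command line assembled from a string is injectable through the shell, while a constant argv passed to spawnSync is not, because every element reaches the child as one literal argument. The ref allow-list, the function names and the use of node itself as the spawned program are choices made for this example, not anything the project does.

```typescript
// Added example (not from the adt-cli repo): why S4721 carries signal only
// where argv is attacker-influenced, and how runtime code should spawn
// processes so that it is not.
import { spawnSync } from "node:child_process";

// A git ref is the kind of value a CLI might take from a user. This
// allow-list is an assumption made for the example, not a project rule.
const SAFE_REF = /^[A-Za-z0-9._\/-]{1,128}$/;

export function validateRef(ref: string): string {
  // Reject shell metacharacters and anything git could read as an option.
  if (!SAFE_REF.test(ref) || ref.startsWith("-")) {
    throw new Error(`refusing suspicious ref: ${JSON.stringify(ref)}`);
  }
  return ref;
}

// Vulnerable shape: the value is spliced into a shell command line, so a
// ref like "main; rm -rf ~" is interpreted by /bin/sh when exec'd.
export function unsafeCommandLine(ref: string): string {
  return `git log --oneline ${ref}`;
}

// Hardened shape: one argv element per token and no shell involved. The
// "--" separator stops git from treating a ref that starts with "-" as an
// option even if validation is later loosened.
export function gitLogArgv(ref: string): string[] {
  return ["log", "--oneline", "--", validateRef(ref)];
}

// Spawn a program with a constant argv and return the single argument the
// child actually received. Node itself is used as the child (process.argv[1]
// is the first extra argument in -e mode) so the example needs no git.
export function echoArgv(arg: string): string {
  const r = spawnSync(
    process.execPath,
    ["-e", "process.stdout.write(process.argv[1])", arg],
    { encoding: "utf8" },
  );
  if (r.status !== 0) throw new Error(r.stderr);
  return r.stdout;
}
```

echoArgv("main; rm -rf ~") returns the string unchanged: the semicolon never reaches a shell, which is exactly why constant-argv spawns in tests and tooling are noise for this rule. The same payload handed to unsafeCommandLine would be a live injection if that string were passed to exec or a shell.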
# S4036 "PATH variable manipulation" — only triggered from test
# harnesses, repo-local scripts, and in-repo tools (nx-npm-trust sets
# PATH for scoped `npm trust` invocations).
sonar.issue.ignore.multicriteria.h8.ruleKey=typescript:S4036
sonar.issue.ignore.multicriteria.h8.resourceKey=**/tests/**
sonar.issue.ignore.multicriteria.h9.ruleKey=typescript:S4036
sonar.issue.ignore.multicriteria.h9.resourceKey=scripts/**
sonar.issue.ignore.multicriteria.h10.ruleKey=typescript:S4036
sonar.issue.ignore.multicriteria.h10.resourceKey=tools/**
# S5852 "regex vulnerable to super-linear runtime" — in the codegen /
# schema-generation path (@abapify/adt-codegen, tools/nx-npm-trust).
# Inputs are OpenAPI specs, XSDs, and npm CLI output — none of which
# is attacker-controlled. Scoped to codegen paths; runtime code
# continues to be checked.
sonar.issue.ignore.multicriteria.h11.ruleKey=typescript:S5852
sonar.issue.ignore.multicriteria.h11.resourceKey=packages/adt-codegen/**
sonar.issue.ignore.multicriteria.h12.ruleKey=typescript:S5852
sonar.issue.ignore.multicriteria.h12.resourceKey=tools/**
# githubactions:S7637 "use full commit SHA for action dependency" —
# a correct best practice (a version tag can be moved to point at
# different code, a full commit SHA cannot), but the org policy here is
# to trust verified actions (actions/checkout, actions/setup-node, etc.)
# by version tag. Disabled until we decide to switch the whole org to
# SHA pinning.
sonar.issue.ignore.multicriteria.h13.ruleKey=githubactions:S7637
sonar.issue.ignore.multicriteria.h13.resourceKey=.github/workflows/**
sonar.organization=abapify
sonar.projectKey=abapify_adt-cli
# ── Test coverage ──────────────────────────────────────────────────────
# TypeScript coverage for this monorepo, generated by `bunx nx test` when
# a reporter writes out a JaCoCo XML report. Sonar's generic JaCoCo
# importer reads the path below; if your reporter emits lcov instead,
# use `sonar.javascript.lcov.reportPaths` (which also covers TypeScript)
# and adjust the path accordingly.
sonar.coverage.jacoco.xmlReportPaths=coverage/jacoco.xml
# ── Downstream ABAP projects ───────────────────────────────────────────
# Projects that use this CLI to run AUnit tests on an SAP system and
# produce JaCoCo coverage via `adt aunit --coverage --coverage-format jacoco`
# should point Sonar at the emitted report, for example:
#
# sonar.coverage.jacoco.xmlReportPaths=build/aunit-coverage.xml
#
# The <sourcefile name="..."/> entries in the JaCoCo report use the
# abapGit on-disk filename convention (e.g. `zcl_foo.clas.abap`) so
# they match a standard abapGit checkout under `src/`. A sourcefile that
# does not resolve to a file under `sonar.sources` is silently skipped,
# so check the names line up before trusting the coverage figure.
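A pre-flight check for the downstream setup described above, written as an added example and not part of adt-cli: parse the JaCoCo XML that `adt aunit --coverage --coverage-format jacoco` would emit, compute line coverage per sourcefile, and list every sourcefile whose path does not exist in the checkout, since those are the entries Sonar would drop. The sample report and file list are constructed for this example, the regex-based extraction is deliberately minimal (a real tool would use an XML parser), and the assumption that a sourcefile resolves as `<package name>/<sourcefile name>` relative to `sonar.sources` is the example's, not a documented guarantee of this project.

```typescript
// Added example (not part of adt-cli): sanity-check a JaCoCo XML report
// before handing it to Sonar, so coverage is not silently dropped because
// a <sourcefile> name does not resolve to a file in the abapGit checkout.

export interface SourceCoverage {
  path: string;    // "<package name>/<sourcefile name>" (assumption, see lead-in)
  missed: number;  // LINE counter, missed
  covered: number; // LINE counter, covered
}

// Extract one entry per <sourcefile> with its LINE counter. Regexes are
// enough for the two elements we care about in a well-formed report.
export function parseJacoco(xml: string): SourceCoverage[] {
  const out: SourceCoverage[] = [];
  const pkgRe = /<package\s+name="([^"]*)">([\s\S]*?)<\/package>/g;
  const lineRe = /<counter\s+type="LINE"\s+missed="(\d+)"\s+covered="(\d+)"\s*\/>/;
  let pkg: RegExpExecArray | null;
  while ((pkg = pkgRe.exec(xml)) !== null) {
    const dir = pkg[1];
    // Fresh regex per package so lastIndex does not leak between packages.
    const sfRe = /<sourcefile\s+name="([^"]+)">([\s\S]*?)<\/sourcefile>/g;
    let sf: RegExpExecArray | null;
    while ((sf = sfRe.exec(pkg[2])) !== null) {
      const m = sf[2].match(lineRe);
      out.push({
        path: dir ? `${dir}/${sf[1]}` : sf[1],
        missed: m ? Number(m[1]) : 0,
        covered: m ? Number(m[2]) : 0,
      });
    }
  }
  return out;
}

// Report entries whose resolved path is absent from the checkout: these are
// the ones Sonar would skip without an error.
export function unresolvedSources(
  report: SourceCoverage[],
  repoFiles: Iterable<string>,
): string[] {
  const have = new Set(repoFiles);
  return report.filter((s) => !have.has(s.path)).map((s) => s.path);
}

// Line coverage in percent, one decimal, 0 for a file with no lines.
export function lineCoveragePercent(s: SourceCoverage): number {
  const total = s.missed + s.covered;
  return total === 0 ? 0 : Math.round(((100 * s.covered) / total) * 10) / 10;
}

// Constructed sample report (not real project output).
export const SAMPLE_REPORT = `<?xml version="1.0" encoding="UTF-8"?>
<report name="aunit">
  <package name="src">
    <sourcefile name="zcl_foo.clas.abap">
      <line nr="10" mi="0" ci="2" mb="0" cb="0"/>
      <counter type="INSTRUCTION" missed="3" covered="12"/>
      <counter type="LINE" missed="2" covered="8"/>
    </sourcefile>
    <sourcefile name="zif_bar.intf.abap">
      <counter type="LINE" missed="0" covered="0"/>
    </sourcefile>
  </package>
  <package name="src/api">
    <sourcefile name="zcl_client.clas.abap">
      <counter type="LINE" missed="5" covered="5"/>
    </sourcefile>
  </package>
</report>`;

// Constructed checkout listing: the .abap source for zcl_client is missing,
// only its abapGit metadata XML is present.
export const SAMPLE_FILES = [
  "src/zcl_foo.clas.abap",
  "src/zif_bar.intf.abap",
  "src/api/zcl_client.clas.xml",
];
```

Run parseJacoco over the real report and feed unresolvedSources the output of a directory walk of `sonar.sources`; a non-empty result means either the report's package names or the checkout layout differ from the `src/` convention and the coverage figure Sonar shows will be lower than what AUnit measured.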