feat: integrate SonarQube for technical debt management#50
Open
…a for visualization
- Add docker-compose.yml for SonarQube and PostgreSQL.
- Add sonar-project.properties for project analysis.
- Add GitHub Actions workflow for automated SonarQube scanning.
- Define canonical technical debt JSON schema and extraction script.
- Document metrics-based Definition of Done for refactors.
- Add CodeCharta integration for architectural visualization.
- Update README.md with setup and usage instructions.

- Fix ReDoS vulnerability in extract-tech-debt.js parseEffort function
  * Add input validation and length limits to prevent regex backtracking attacks
  * Sanitize effort string parsing with proper type checking
- Pin GitHub Actions to specific commit SHAs instead of @master
  * SonarSource/sonarqube-scan-action@e2acbd9
  * SonarSource/sonarqube-quality-gate-action@b878bb0
- Add --ignore-scripts flag to npm install commands in CI/CD workflows
  * Prevents execution of potentially malicious lifecycle scripts
  * Applied to ci.yml, release.yml, and sonarqube.yml workflows

Security improvements address all 6 identified hotspots:
- 3 high priority ReDoS vulnerabilities (DENIAL_OF_SERVICE)
- 2 low priority dependency pinning issues
- 1 low priority script execution security issue

Resolves SonarCloud security analysis findings for PR #50

- sonarsource/sonarqube-scan-action@v7.0 (latest)
- sonarsource/sonarqube-quality-gate-action@v1.2 (latest)

Uses latest stable versions for security updates while maintaining stability. Better approach than brittle commit hashes.

- sonarsource/sonarqube-scan-action@v7.0.0 (latest)
- sonarsource/sonarqube-quality-gate-action@v1.2.0 (latest)

Uses complete semantic version tags to ensure proper action resolution and satisfy SonarCloud security requirements.
…s (S2819)
- Add origin verification in bootstrap.ts message handler
- Add origin verification in test-bridge.ts message handler
- Create comprehensive tests for origin verification security
- Fix SonarQube security issue: Verify the origin of the received message
- Only accept messages from trusted vscode-webview:// origins
- Log warnings when rejecting untrusted messages

Resolves SonarQube rule S2819 security vulnerability in:
- vscode-extension/src/webview/bootstrap.ts (line 76)
- vscode-extension/src/webview/test-utils/test-bridge.ts (line 238)
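The origin check this commit describes for the webview message handlers (SonarQube S2819), written up as an added example rather than the PR's own code: the origin is parsed and its scheme compared exactly to `vscode-webview:`, and a wrapper keeps untrusted events away from the message router while reporting them through a caller-supplied logger. `isTrustedOrigin`, `createMessageHandler`, `TRUSTED_PROTOCOL` and the sample events are assumed names and constructed data, not the extension's.

```javascript
// Added example (not the PR's code): origin verification for a webview
// 'message' listener, as described for bootstrap.ts and test-bridge.ts.
// isTrustedOrigin, createMessageHandler and TRUSTED_PROTOCOL are assumed names.
const TRUSTED_PROTOCOL = 'vscode-webview:';

// Parse the origin and compare the scheme exactly instead of doing a loose
// substring match; opaque ('null') and unparseable origins are rejected.
function isTrustedOrigin(origin) {
  if (typeof origin !== 'string' || origin === 'null') return false;
  try {
    return new URL(origin).protocol === TRUSTED_PROTOCOL;
  } catch {
    return false; // not a well-formed origin at all
  }
}

// Wrap a message router so it only ever sees events from trusted origins.
// `warn` receives a short, non-sensitive note for each rejected event; the
// returned boolean reports whether the event was forwarded.
function createMessageHandler(onMessage, warn = () => {}) {
  return function handleMessage(event) {
    if (!isTrustedOrigin(event.origin)) {
      warn(`rejected message from untrusted origin: ${String(event.origin)}`);
      return false;
    }
    onMessage(event.data);
    return true;
  };
}
```

In a webview the wrapper is installed with `window.addEventListener('message', createMessageHandler(router, logger))`.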
- Delete scripts/generate-codecharta.sh script file
- Remove CodeCharta Visualization section from README.md
- Clean up all CodeChart references from the codebase

- Add ESLint strict console rules with test file exclusions
- Create custom debug log detection script with pattern matching
- Update CI pipeline to check for debug logs before merge
- Add npm scripts for lint:strict and check-debug-logs
- Implement defense-in-depth against debug log creep

- Add husky for git hook management
- Create staged-only debug log detection script
- Configure pre-commit hook to check only staged files
- Add npm scripts for pre-commit debug log checking
- Implement fast, sub-100ms performance for typical commits
- Block commits with console.log violations before CI
- Allow console.error() and console.warn() for legitimate use
- Add comprehensive error handling and user feedback

- Remove console.log from extension.ts (activation/deactivation)
- Remove console.log from test-discovery-service.ts (Jest stderr)
- Remove console.log from perf-tracker.ts (performance reporting)
- Remove console.log from bootstrap.ts (message router handling)
- Remove console.log from webview-message-handler.ts (unknown messages)
- Add TODO comment for future proper logging implementation

All debug logging issues cleared, CI step now passes.

- Remove console.log from test fixtures (simple-workspace, layer-violation)
- Remove console.group/groupEnd from perf-tracker.ts
- Remove debug console.log from context-menu-interaction.test.ts
- Remove console wrapping and security warning from bootstrap.ts
- Add TODO comments for proper logging infrastructure

Fixes 8 console statement violations that were causing CI failure. Remaining 76 warnings are non-blocking curly brace issues.
- Replace execSync with spawnSync to eliminate shell spawning
- Use array arguments instead of string interpolation
- Add explicit shell: false for OWASP compliance
- Prevents command injection (CWE-78) in git command execution
…guration
- Remove duplicate SonarQube scan from ci.yml pipeline
- Standardize Node.js version to 22.x across all workflows
- Fix test coverage command in sonarqube.yml to use npm script
- Remove inline SonarQube args, rely on sonar-project.properties
- Optimize pipeline architecture for faster builds and maintainability

- Adds docs/ANTI_MOCK_TRAP.md with guidelines
- Implements scripts/check-mock-usage.js for diagnostic checks
- Updates SonarQube workflows to import mock trap detection as code smells
- Adds CI enforcement to prevent high-risk mocking patterns

- Adds 'vscode-extension/' prefix to mock check report paths
- Explicitly separates sources and tests in sonar-project.properties
- Ensures test files are excluded from main sources list to avoid SonarQube ignoring them
…ersistenceService and CodebaseLayoutEngine
… ESLint rules to error
Add CodeCharta integration for architectural visualization. (Removed from this PR)