# SonarCloud configuration for AI DevOps Framework
# Project identification
sonar.projectKey=marcusquinn_aidevops
sonar.organization=marcusquinn
# This is the name and version displayed in the SonarCloud UI
sonar.projectName=AI DevOps Framework
sonar.projectVersion=3.1.0
# Path is relative to the sonar-project.properties file
sonar.sources=.agents,configs,templates
# Encoding of the source code. If unset, the scanner falls back to the host's system
# encoding, so it is pinned here to keep analysis results reproducible across machines.
sonar.sourceEncoding=UTF-8
# Exclusions - files and directories to exclude from analysis entirely (no security analysis
# runs on excluded paths).
# Archived code is kept in version control for reference but is not actively maintained; if an
# archived script is still sourced or executed by live code, move it back into the analysed tree.
sonar.exclusions=**/*.txt,**/tmp/**,**/logs/**,.git/**,**/*.json,**/archived/**,**/supervisor-archived/**
# Coverage exclusions (shell scripts, docs, and example files don't have traditional coverage)
sonar.coverage.exclusions=**/*.sh,**/*.md,**/*.json,**/*.yml,**/*.yaml,configs/**/*.py,**/example*.py,**/*-example.py
# Duplication exclusions for configuration templates and documentation
sonar.cpd.exclusions=configs/**/*.txt,.agents/**/*.md,templates/**/*.md
# Security hotspot exclusions for DevOps framework patterns
# These are intentional behaviors required for CLI tool installation and local development.
#
# RATIONALE FOR BLANKET EXCLUSIONS:
# This is a DevOps automation framework where these patterns are fundamental:
# - npm install without --ignore-scripts: Required for CLI binaries with native dependencies
#   (e.g., playwright, puppeteer, esbuild). Using --ignore-scripts breaks these tools.
#   This also means install-time lifecycle scripts of every transitive dependency run with the
#   installing user's privileges, so lockfiles and pinned versions are the remaining control.
# - HTTP localhost: All http:// URLs in this codebase are either:
#   1. localhost/127.0.0.1 references for local dev servers (loopback traffic never leaves the
#      host, although it remains reachable by other local processes and users)
#   2. Protocol detection code checking for insecure URLs (not using them)
#   3. XML namespace declarations (e.g., sitemaps.org schema), which are identifiers, not fetched
# - curl without --proto: All curl commands either:
#   1. Use explicit https:// URLs (already secure). Note that an explicit https:// URL does not
#      stop curl following a redirect to http://; --proto '=https' is what prevents that downgrade.
#   2. Target localhost (no TLS needed for loopback)
#   3. Are official installers from verified HTTPS sources (bun.sh, homebrew). HTTPS authenticates
#      the origin, not the content; piping an installer into a shell remains a supply-chain trust
#      decision in the upstream project.
#
# Individual file patterns were tried, but 22 scripts don't match the *-helper.sh/*-setup.sh/*-cli.sh
# patterns, and maintaining per-file exclusions is unsustainable for a 70k+ line codebase.
#
# CAVEAT: the rule keys below are ignored for every *.sh file, so nothing in CI enforces the
# rationale above. An http:// URL, a missing --proto, or a curl to an unexpected host introduced
# in a future script will not surface as a hotspot; re-check these categories when reviewing new
# scripts, or periodically run a scan with these exclusions disabled.
sonar.issue.ignore.multicriteria=e1,e2,e3,e4,e6,e7,e8,e9,e10,e11,e12,e13,e14,e15,e16,e17
# Ignore "npm install without --ignore-scripts" (shelldre:S6505) - all shell scripts
# Required for CLI tool installation with native dependencies
sonar.issue.ignore.multicriteria.e1.ruleKey=shelldre:S6505
sonar.issue.ignore.multicriteria.e1.resourceKey=**/*.sh
# Ignore "clear-text protocol" (shelldre:S5332) - all shell scripts
# At the time of writing, every http:// URL is a localhost address, a protocol-detection check,
# or an XML namespace. New http:// URLs will not be flagged while this exclusion is in place.
sonar.issue.ignore.multicriteria.e2.ruleKey=shelldre:S5332
sonar.issue.ignore.multicriteria.e2.resourceKey=**/*.sh
# Ignore "HTTPS not enforced" (shelldre:S6506) - all shell scripts
# All curl commands use HTTPS URLs, localhost, or verified official installers. Because the
# scanner no longer checks this, reviewers must confirm that new curl calls use https://
# (ideally with --proto '=https') or target loopback only.
sonar.issue.ignore.multicriteria.e3.ruleKey=shelldre:S6506
sonar.issue.ignore.multicriteria.e3.resourceKey=**/*.sh
# SonarCloud uses both "shelldre:" and "shell:" rule prefixes for the same rules.
# Duplicate the security hotspot exclusions under the "shell:" prefix to catch both.
# Only the security rules are duplicated; the code-smell rules below are ignored under the
# "shelldre:" prefix only, so they may still be reported under "shell:".
sonar.issue.ignore.multicriteria.e11.ruleKey=shell:S6505
sonar.issue.ignore.multicriteria.e11.resourceKey=**/*.sh
sonar.issue.ignore.multicriteria.e12.ruleKey=shell:S5332
sonar.issue.ignore.multicriteria.e12.resourceKey=**/*.sh
sonar.issue.ignore.multicriteria.e13.ruleKey=shell:S6506
sonar.issue.ignore.multicriteria.e13.resourceKey=**/*.sh
# Code smell exclusions for shell scripts
# These are stylistic preferences that would require massive refactoring of 70k+ lines
# The codebase follows consistent patterns that work well for this DevOps framework
# S7679: Positional parameters - Standard shell argument parsing pattern used consistently
# The while/case pattern for argument parsing is idiomatic and readable
sonar.issue.ignore.multicriteria.e4.ruleKey=shelldre:S7679
sonar.issue.ignore.multicriteria.e4.resourceKey=**/*.sh
# S7677: Error messages to stderr - Many "errors" are actually user-facing status messages
# The framework uses colored output for UX, not traditional stderr separation. Genuine failure
# messages should still go to stderr so callers that capture stdout (pipes, $(...)) do not
# ingest them as data.
sonar.issue.ignore.multicriteria.e6.ruleKey=shelldre:S7677
sonar.issue.ignore.multicriteria.e6.resourceKey=**/*.sh
# S1135: TODO comments - These are tracked intentionally for future work
sonar.issue.ignore.multicriteria.e7.ruleKey=shelldre:S1135
sonar.issue.ignore.multicriteria.e7.resourceKey=**/*.sh
# Note: S1481 (unused variables) and S1066 (collapsible ifs) are NOT excluded
# These rules catch real issues and should be fixed in new code
# S131: Missing default case - Many case statements intentionally skip unknown options
# The framework handles unknown commands at the main dispatch level
sonar.issue.ignore.multicriteria.e8.ruleKey=shelldre:S131
sonar.issue.ignore.multicriteria.e8.resourceKey=**/*.sh
# S7682: Explicit return statements - Functions use implicit returns where appropriate
# Shell convention allows implicit return 0 for successful functions
sonar.issue.ignore.multicriteria.e9.ruleKey=shelldre:S7682
sonar.issue.ignore.multicriteria.e9.resourceKey=**/*.sh
# S2148: Underscores in numeric literals - Shell doesn't support this syntax
# This rule is for languages like Java/Python, not applicable to shell
sonar.issue.ignore.multicriteria.e10.ruleKey=shelldre:S2148
sonar.issue.ignore.multicriteria.e10.resourceKey=**/*.sh
# S2076: OS command injection - all shell scripts. Only S2076 is ignored here; no entry for the
# related S4721 hotspot is defined below, so S4721 findings will still surface.
# This framework is a DevOps automation tool that intentionally constructs CLI commands
# from validated inputs (numeric IDs, ISO dates from date(1), repo slugs from config).
# All external data is validated before use (regex [0-9]+, date format, allowlist checks).
# That validation is a code-review invariant, not something the scanner enforces once this rule
# is ignored: a new script that interpolates unvalidated input into a command line will not be
# flagged, so new command construction must be reviewed by hand.
sonar.issue.ignore.multicriteria.e14.ruleKey=shelldre:S2076
sonar.issue.ignore.multicriteria.e14.resourceKey=**/*.sh
sonar.issue.ignore.multicriteria.e15.ruleKey=shell:S2076
sonar.issue.ignore.multicriteria.e15.resourceKey=**/*.sh
# S7688: Use [[ instead of [ - Bash-specific convention preference
# The codebase uses both [ and [[ intentionally. [ is POSIX-compatible and
# used in functions that may be sourced by sh-compatible shells. [[ is used
# in bash-specific code. Both are correct; this is a style preference, not a bug.
sonar.issue.ignore.multicriteria.e16.ruleKey=shelldre:S7688
sonar.issue.ignore.multicriteria.e16.resourceKey=**/*.sh
# S7684: Ignored as a stylistic preference. The exact check is described on the rule page in
# SonarCloud; confirm it has no correctness impact before relying on this exclusion.
sonar.issue.ignore.multicriteria.e17.ruleKey=shelldre:S7684
sonar.issue.ignore.multicriteria.e17.resourceKey=**/*.sh
# Project metadata
sonar.links.homepage=https://github.com/marcusquinn/aidevops
sonar.links.ci=https://github.com/marcusquinn/aidevops/actions
sonar.links.scm=https://github.com/marcusquinn/aidevops
sonar.links.issue=https://github.com/marcusquinn/aidevops/issues