fix: use glob patterns in sonar exclusion rules

leifj · leifj · commit 5e12066a3076 · 2026-02-24T13:04:22.000+01:00
diff --git a/pkg/pki/keymaterial_signer.go b/pkg/pki/keymaterial_signer.go
@@ -73,7 +73,7 @@ func (s *KeyMaterialSigner) SignDigest(ctx context.Context, digest []byte) ([]by
 		// widely used in JWT RS256/RS384/RS512. It's distinct from RSA-PKCS1v15 encryption
 		// which has known vulnerabilities. The signature scheme is secure.
 		hash := getHashForAlgorithm(s.km.SigningMethod.Alg())
-		return rsa.SignPKCS1v15(rand.Reader, key, hash, digest) //nolint:gosec //NOSONAR
+		return rsa.SignPKCS1v15(rand.Reader, key, hash, digest) //nolint:gosec // NOSONAR
 	default:
 		return nil, fmt.Errorf("unsupported key type: %T", s.km.PrivateKey)
 	}
diff --git a/pkg/pki/software.go b/pkg/pki/software.go
@@ -79,7 +79,7 @@ func (s *SoftwareSigner) SignDigest(ctx context.Context, digest []byte) ([]byte,
 		// widely used in JWT RS256/RS384/RS512. It's distinct from RSA-PKCS1v15 encryption
 		// which has known vulnerabilities. The signature scheme is secure.
 		hash := getHashForAlgorithm(s.algorithm)
-		return rsa.SignPKCS1v15(rand.Reader, key, hash, digest) //nolint:gosec //NOSONAR
+		return rsa.SignPKCS1v15(rand.Reader, key, hash, digest) //nolint:gosec // NOSONAR
 	case *ecdsa.PrivateKey:
 		// Sign the digest directly using ECDSA
 		r, sigS, err := ecdsa.Sign(rand.Reader, key, digest)
diff --git a/sonar-project.properties b/sonar-project.properties
@@ -33,7 +33,7 @@ sonar.issue.ignore.multicriteria=e1,e2,e3,e4
 
 # Exclude S5542 from JWE crypto implementation (AES-CBC for content encryption, AES Key Wrap)
 sonar.issue.ignore.multicriteria.e1.ruleKey=go:S5542
-sonar.issue.ignore.multicriteria.e1.resourceKey=pkg/didcomm/crypto/jwe.go
+sonar.issue.ignore.multicriteria.e1.resourceKey=**/didcomm/crypto/jwe.go
 
 # Exclude from test files (test code uses same crypto primitives)
 sonar.issue.ignore.multicriteria.e2.ruleKey=go:S5542
@@ -42,7 +42,7 @@ sonar.issue.ignore.multicriteria.e2.resourceKey=**/*_test.go
 # Exclude S5542 from PKI signers (RSA-PKCS1v15 SIGNATURE, not encryption)
 # SonarCloud incorrectly flags rsa.SignPKCS1v15 as encryption when it's a signature scheme
 sonar.issue.ignore.multicriteria.e3.ruleKey=go:S5542
-sonar.issue.ignore.multicriteria.e3.resourceKey=pkg/pki/keymaterial_signer.go
+sonar.issue.ignore.multicriteria.e3.resourceKey=**/pki/keymaterial_signer.go
 
 sonar.issue.ignore.multicriteria.e4.ruleKey=go:S5542
-sonar.issue.ignore.multicriteria.e4.resourceKey=pkg/pki/software.go
+sonar.issue.ignore.multicriteria.e4.resourceKey=**/pki/software.go

Original file line number	Diff line number	Diff line change
`@@ -73,7 +73,7 @@ func (s *KeyMaterialSigner) SignDigest(ctx context.Context, digest []byte) ([]by`
`73`	`73`	`// widely used in JWT RS256/RS384/RS512. It's distinct from RSA-PKCS1v15 encryption`
`74`	`74`	`// which has known vulnerabilities. The signature scheme is secure.`
`75`	`75`	`hash := getHashForAlgorithm(s.km.SigningMethod.Alg())`
`76`		`- return rsa.SignPKCS1v15(rand.Reader, key, hash, digest) //nolint:gosec //NOSONAR`
	`76`	`+ return rsa.SignPKCS1v15(rand.Reader, key, hash, digest) //nolint:gosec // NOSONAR`
`77`	`77`	`default:`
`78`	`78`	`return nil, fmt.Errorf("unsupported key type: %T", s.km.PrivateKey)`
`79`	`79`	`}`