fix(sonar): use sonar.issue.ignore.allfile for test files and fix code smells

leifj · leifj · commit a22229af4006 · 2026-03-04T17:42:35.000+01:00
- Use sonar.issue.ignore.allfile with fileRegexp to ignore all issues in test
  files and config.yaml (secrets false positives)
- Mark test files as test sources using sonar.tests/sonar.test.inclusions
- Fix code smell: remove unnecessary err variable in bcrypt check
- Fix code smell: group consecutive []string parameters in getOrDefault
diff --git a/internal/verifier/apiv1/client.go b/internal/verifier/apiv1/client.go
@@ -232,7 +232,7 @@ func (c *Client) authenticateClient(ctx context.Context, clientID, clientSecret
 		}
 	} else {
 		// DB clients have bcrypt-hashed secrets
-		if err := bcrypt.CompareHashAndPassword([]byte(client.ClientSecretHash), []byte(clientSecret)); err != nil {
+		if bcrypt.CompareHashAndPassword([]byte(client.ClientSecretHash), []byte(clientSecret)) != nil {
 			return nil, ErrInvalidClient
 		}
 	}
@@ -241,7 +241,7 @@ func (c *Client) authenticateClient(ctx context.Context, clientID, clientSecret
 }
 
 // getOrDefault returns the slice if non-empty, otherwise returns the default value
-func getOrDefault(s []string, defaultVal []string) []string {
+func getOrDefault(s, defaultVal []string) []string {
 	if len(s) > 0 {
 		return s
 	}
diff --git a/sonar-project.properties b/sonar-project.properties
@@ -9,6 +9,18 @@ sonar.organization=sunet
 sonar.sources=.
 sonar.exclusions=vendor/**,**/testdata/**
 
+# Mark test files as test sources (not main sources)
+sonar.tests=.
+sonar.test.inclusions=**/*_test.go
+
+# Exclude test files and config from security hotspot detection
+sonar.security.hotspots.exclusions=**/*_test.go,**/config.yaml
+
+# Ignore ALL issues in test files (test code contains expected test credentials)
+sonar.issue.ignore.allfile=f1,f2
+sonar.issue.ignore.allfile.f1.fileRegexp=.*_test\\.go$
+sonar.issue.ignore.allfile.f2.fileRegexp=config\\.yaml$
+
 # Go-specific settings
 sonar.go.coverage.reportPaths=coverage.out,didcomm_coverage.out
 
@@ -29,51 +41,16 @@ sonar.go.coverage.reportPaths=coverage.out,didcomm_coverage.out
 #    - This is a key-wrapping primitive, not general-purpose encryption
 #
 # These patterns are required for standards compliance and interoperability.
-sonar.issue.ignore.multicriteria=e1,e2,e3,e4,e5,e6,e7,e8,e9,e10,e11,e12
+sonar.issue.ignore.multicriteria=e1,e2,e3
 
 # Exclude S5542 from JWE crypto implementation (AES-CBC for content encryption, AES Key Wrap)
 sonar.issue.ignore.multicriteria.e1.ruleKey=go:S5542
 sonar.issue.ignore.multicriteria.e1.resourceKey=**/didcomm/crypto/jwe.go
 
-# Exclude from test files (test code uses same crypto primitives)
-sonar.issue.ignore.multicriteria.e2.ruleKey=go:S5542
-sonar.issue.ignore.multicriteria.e2.resourceKey=**/*_test.go
-
 # Exclude S5542 from PKI signers (RSA-PKCS1v15 SIGNATURE, not encryption)
 # SonarCloud incorrectly flags rsa.SignPKCS1v15 as encryption when it's a signature scheme
-sonar.issue.ignore.multicriteria.e3.ruleKey=go:S5542
-sonar.issue.ignore.multicriteria.e3.resourceKey=**/pki/keymaterial_signer.go
-
-sonar.issue.ignore.multicriteria.e4.ruleKey=go:S5542
-sonar.issue.ignore.multicriteria.e4.resourceKey=**/pki/software.go
-
-# S6418 (go:S6418) - "Credentials should not be hard-coded"
-# Exclude from test files - test code necessarily contains test credentials
-# for authentication testing. These are not production secrets.
-sonar.issue.ignore.multicriteria.e5.ruleKey=go:S6418
-sonar.issue.ignore.multicriteria.e5.resourceKey=**/*_test.go
-
-# Exclude from example config - commented examples show format, not real credentials
-sonar.issue.ignore.multicriteria.e6.ruleKey=go:S6418
-sonar.issue.ignore.multicriteria.e6.resourceKey=**/config.yaml
-
-# S2068 (go:S2068) - "Credentials should not be hard-coded"
-# Same rationale as S6418 above
-sonar.issue.ignore.multicriteria.e7.ruleKey=go:S2068
-sonar.issue.ignore.multicriteria.e7.resourceKey=**/*_test.go
-
-sonar.issue.ignore.multicriteria.e8.ruleKey=go:S2068
-sonar.issue.ignore.multicriteria.e8.resourceKey=**/config.yaml
-
-# Secrets analyzer rules (may use different prefix)
-sonar.issue.ignore.multicriteria.e9.ruleKey=secrets:S6418
-sonar.issue.ignore.multicriteria.e9.resourceKey=**/*_test.go
-
-sonar.issue.ignore.multicriteria.e10.ruleKey=secrets:S6418
-sonar.issue.ignore.multicriteria.e10.resourceKey=**/config.yaml
-
-sonar.issue.ignore.multicriteria.e11.ruleKey=secrets:S2068
-sonar.issue.ignore.multicriteria.e11.resourceKey=**/*_test.go
+sonar.issue.ignore.multicriteria.e2.ruleKey=go:S5542
+sonar.issue.ignore.multicriteria.e2.resourceKey=**/pki/keymaterial_signer.go
 
-sonar.issue.ignore.multicriteria.e12.ruleKey=secrets:S2068
-sonar.issue.ignore.multicriteria.e12.resourceKey=**/config.yaml
+sonar.issue.ignore.multicriteria.e3.ruleKey=go:S5542
+sonar.issue.ignore.multicriteria.e3.resourceKey=**/pki/software.go

Original file line number	Diff line number	Diff line change
`@@ -232,7 +232,7 @@ func (c *Client) authenticateClient(ctx context.Context, clientID, clientSecret`
`232`	`232`	`}`
`233`	`233`	`} else {`
`234`	`234`	`// DB clients have bcrypt-hashed secrets`
`235`		`- if err := bcrypt.CompareHashAndPassword([]byte(client.ClientSecretHash), []byte(clientSecret)); err != nil {`
	`235`	`+ if bcrypt.CompareHashAndPassword([]byte(client.ClientSecretHash), []byte(clientSecret)) != nil {`
`236`	`236`	`return nil, ErrInvalidClient`
`237`	`237`	`}`
`238`	`238`	`}`
`@@ -241,7 +241,7 @@ func (c *Client) authenticateClient(ctx context.Context, clientID, clientSecret`
`241`	`241`	`}`
`242`	`242`
`243`	`243`	`// getOrDefault returns the slice if non-empty, otherwise returns the default value`
`244`		`-func getOrDefault(s []string, defaultVal []string) []string {`
	`244`	`+func getOrDefault(s, defaultVal []string) []string {`
`245`	`245`	`if len(s) > 0 {`
`246`	`246`	`return s`
`247`	`247`	`}`