SonarCloud #67
Comments
SONAR_TOKEN added to repo secrets. Here are the next steps from them:

.github/workflows/build.yml:

```yaml
name: Build
on:
  push:
    branches:
      - main
  pull_request:
    types: [opened, synchronize, reopened]
jobs:
  sonarcloud:
    name: SonarCloud
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
      - name: SonarCloud Scan
        uses: SonarSource/sonarcloud-github-action@master
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
```

sonar-project.properties:

```properties
sonar.projectKey=softflow24_data-river
sonar.organization=softflow24
# This is the name and version displayed in the SonarCloud UI.
#sonar.projectName=data-river
#sonar.projectVersion=1.0
# Path is relative to the sonar-project.properties file. Replace "\" by "/" on Windows.
#sonar.sources=.
# Encoding of the source code. Default is default system encoding
#sonar.sourceEncoding=UTF-8
```
I will take care of integrating Sonar with the pipelines. Thanks @iploooox
Seems like this got stuck. Also, I added the default Sonar settings for a bit, but those settings are way too strict for me to want them in the pipeline. So this has escalated to: first we need to set up scanning rules, as it keeps flagging Math.random as weak security when it's used for the animation of the landing page.
@c0rtexR you can maybe disable it from the pipeline (I didn't know it had an automatic check on GitHub). In Azure DevOps, where I work, you need to set it manually in the pipeline, so I didn't expect to start bothering people until the rules are decided etc. ◡̈
You most likely can, I just didn't have time for it 🙂
Duplicates
Summary 💡
Need to put in place a SonarCloud project so that we can use it in our pipelines
Free for all open-source projects, as stated on their site
Why is it good to have SonarCloud?
What is expected of this request?
Examples 🌈
No response
Motivation 🔦
Ensuring quality of the code provided matches standards.
Ensuring that new code does not introduce known vulnerabilities.