Leakwatch/sonar-project.properties at main · HodeTech/Leakwatch · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
# ============================================================================
# IMPORTANT — Read this before editing
# ============================================================================
# This file is the canonical source of truth for Leakwatch's SonarCloud
# configuration, but be aware:
#
#   SonarCloud Automatic Analysis (the GitHub App-driven analysis that runs
#   today on this project) does NOT read sonar-project.properties.
#   It reads only project settings stored in SonarCloud itself.
#
# The settings below have been mirrored to the SonarCloud project via the
# Settings API so Automatic Analysis honors them. If you change anything
# here, also update it via:
#
#   curl -u "$SONAR_TOKEN:" -X POST \
#     "https://sonarcloud.io/api/settings/set" \
#     -d "component=hodetech_Leakwatch" \
#     --data-urlencode "key=sonar.cpd.exclusions" \
#     --data-urlencode "values=<path1>" \
#     --data-urlencode "values=<path2>"
#
# If we ever migrate to CI Based Analysis (sonarqube-scan-action in a
# GitHub workflow + SONAR_TOKEN repo secret), THIS file automatically
# becomes the source of truth and the API mirror is no longer required.
# See ROADMAP "Known Gaps & Follow-up Work → P1 — SonarCloud Project Hygiene".
# ============================================================================

sonar.projectKey=hodetech_Leakwatch
sonar.organization=hodetech
sonar.host.url=https://sonarcloud.io

sonar.projectName=Leakwatch
sonar.sources=.
sonar.sourceEncoding=UTF-8

# Test source roots
sonar.tests=.
sonar.test.inclusions=**/*_test.go,vscode/src/**/*.test.ts

# Path exclusions — files that should not be analyzed at all.
sonar.exclusions=\
  **/vendor/**,\
  **/testdata/**,\
  Formula/**,\
  docs/**,\
  vscode/dist/**,\
  vscode/out/**,\
  vscode/node_modules/**,\
  bin/**,\
  dist/**,\
  coverage.out,\
  coverage.html

# Coverage report paths (Go) — populated by the CI test step.
sonar.go.coverage.reportPaths=coverage.out
sonar.go.tests.reportPaths=test-report.json

# Coverage exclusions — files where coverage is not meaningful or not measured.
sonar.coverage.exclusions=\
  cmd/imports.go,\
  **/*_test.go,\
  vscode/**

# Duplication exclusions.
#
# - internal/remediation/guidance.go
#     50+ provider-remediation Register() calls that share the same struct
#     literal shape (Title / Steps / DocURL / ConsoleURL / Urgency /
#     Checklist). The most repeated step/checklist strings have already been
#     extracted to constants (see commit 541199a, "refactor(remediation):
#     extract common step and checklist strings to constants"), but the
#     struct envelope itself is intentionally repeated — collapsing it
#     further into a builder DSL would obscure the data table.
#
# - cmd/imports.go
#     ~110 blank imports for compile-time plugin registration (see ADR-0004).
#     Every line is structurally `_ "github.com/HodeTech/leakwatch/internal/<kind>/<name>"`
#     by design. The duplication is the registration mechanism.
#
# - **/*_test.go
#     Go table-driven tests legitimately share `for _, tt := range tests { t.Run(...) }`
#     scaffolding. Counting this as duplication penalizes the idiom Go
#     itself encourages.
sonar.cpd.exclusions=\
  internal/remediation/guidance.go,\
  cmd/imports.go,\
  **/*_test.go