mirror of
https://github.com/diegosouzapw/OmniRoute.git
synced 2026-07-09 17:28:51 +00:00
Release v3.8.24 — see CHANGELOG.md [3.8.24] for the full notes and the PR description for the contributors hall. Integration of release/v3.8.24 into main.
67 lines
4 KiB
Properties
67 lines
4 KiB
Properties
sonar.projectKey=diegosouzapw_OmniRoute
|
||
sonar.organization=diegosouzapw
|
||
sonar.sourceEncoding=UTF-8
|
||
sonar.sources=src,open-sse,scripts,bin,next.config.mjs,Dockerfile
|
||
sonar.tests=tests
|
||
sonar.test.inclusions=tests/**/*.test.ts,tests/**/*.spec.ts
|
||
sonar.exclusions=tests/**,src/i18n/messages/**,docs/**,coverage/**,.next/**,dist/**,build/**,node_modules/**
|
||
sonar.javascript.lcov.reportPaths=coverage/lcov.info
|
||
|
||
# ── "Clean as You Code" — new-code quality gate ───────────────────────────
|
||
# New code must not introduce any bug, vulnerability, hotspot or code smell.
|
||
# Legacy code is grandfathered (sonar.newCode.referenceBranch baseline).
|
||
#
|
||
# OPERATIONAL PRE-REQUISITES (owner action required before the gate is live):
|
||
# 1. Set repository secret SONAR_TOKEN (user/project token from SonarQube UI).
|
||
# 2. Set repository secret SONAR_HOST_URL (e.g. https://sonar.example.com for
|
||
# a self-hosted Community Build instance, or https://sonarcloud.io for the
|
||
# cloud plan).
|
||
# 3. Ensure the `sonarqube` job in `.github/workflows/ci.yml` passes both
|
||
# secrets to the SonarScanner step as environment variables; without them
|
||
# the step is a no-op (secrets-gated).
|
||
# 4. Configure the "Clean as You Code" Quality Gate in the SonarQube project
|
||
# settings (Conditions → New Code: Bugs=0, Vulnerabilities=0,
|
||
# Security Hotspots Reviewed=100%, Code Smells=0 or bounded).
|
||
#
|
||
# sonar.qualitygate.wait=true causes the scanner to poll until the gate
|
||
# result is available and fail the CI step when the gate is RED.
|
||
# Without it the step always exits 0 even when the gate fails.
|
||
sonar.qualitygate.wait=true
|
||
|
||
# New-code baseline: compare against the tip of the release branch so that
|
||
# every PR against release/* is judged as "new code vs release baseline".
|
||
# Override with sonar.newCode.referenceBranch on a per-branch basis if needed.
|
||
sonar.newCode.referenceBranch=main
|
||
|
||
# ── Hotspot suppressions ───────────────────────────────────────────────────
|
||
# The following rules surface "review this" hotspots that are bounded /
|
||
# non-security contexts in this codebase:
|
||
# S5852 – Regex with super-linear backtracking. All matched call sites
|
||
# use bounded character classes (e.g. `[^\]]+`) — no catastrophic
|
||
# backtracking is possible.
|
||
# S2245 – pseudo-random `Math.random()`. The few remaining call sites are
|
||
# for non-security purposes (request IDs / jitter), never for
|
||
# tokens, secrets, or session material.
|
||
# S4036 – PATH lookups via `command -v` / `which`. The CLI helper resolves
|
||
# tooling on the user's own machine; running with their PATH is
|
||
# intentional and matches the behaviour of every other CLI on the
|
||
# system.
|
||
# S1523 – Dynamic code execution. SCOPED to src/lib/plugins/pluginWorker.ts
|
||
# only: running plugin source IS the worker's purpose, and it does so
|
||
# inside a hardened Node `vm` sandbox (vm.createContext, a require
|
||
# allow-list of just `crypto`, and a 10s execution timeout). Not
|
||
# `eval`/`new Function` (Hard Rule #3). S1523 stays active everywhere
|
||
# else so a genuine dynamic-exec elsewhere is still flagged.
|
||
sonar.issue.ignore.multicriteria=h1,h2,h3,h4,h5,h6
|
||
sonar.issue.ignore.multicriteria.h1.ruleKey=javascript:S5852
|
||
sonar.issue.ignore.multicriteria.h1.resourceKey=**/*
|
||
sonar.issue.ignore.multicriteria.h2.ruleKey=typescript:S5852
|
||
sonar.issue.ignore.multicriteria.h2.resourceKey=**/*
|
||
sonar.issue.ignore.multicriteria.h3.ruleKey=typescript:S2245
|
||
sonar.issue.ignore.multicriteria.h3.resourceKey=**/*
|
||
sonar.issue.ignore.multicriteria.h4.ruleKey=javascript:S4036
|
||
sonar.issue.ignore.multicriteria.h4.resourceKey=**/*
|
||
sonar.issue.ignore.multicriteria.h5.ruleKey=typescript:S4036
|
||
sonar.issue.ignore.multicriteria.h5.resourceKey=**/*
|
||
sonar.issue.ignore.multicriteria.h6.ruleKey=typescript:S1523
|
||
sonar.issue.ignore.multicriteria.h6.resourceKey=**/pluginWorker.ts
|