-
Notifications
You must be signed in to change notification settings - Fork 2
Expand file tree
/
Copy pathsonar-project.properties
More file actions
42 lines (38 loc) · 2.38 KB
/
Copy pathsonar-project.properties
File metadata and controls
42 lines (38 loc) · 2.38 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
# SonarCloud configuration for libredb-database.
#
# NOT active until the repo is on GitHub. Activation (post-push fine-tuning):
# 1. Bind this GitHub repo to the SonarCloud "libredb" organization.
# 2. Add a SONAR_TOKEN repository secret (Settings -> Secrets -> Actions).
# 3. DISABLE SonarCloud automatic analysis - CI-based analysis is required to
# ingest LCOV coverage. See docs/TOOLCHAIN.md.
sonar.projectKey=libredb_libredb-database
sonar.organization=libredb
sonar.projectName=libredb-database
# Production sources vs test code. The DST harness in src/sim/ is test-only
# (never shipped), so it is treated as test code, not analyzed as production.
sonar.sources=src
sonar.tests=src
sonar.test.inclusions=src/**/*.test.ts,src/sim/**
# TypeScript coverage in LCOV. sonar.typescript.lcov.reportPaths is deprecated;
# sonar.javascript.lcov.reportPaths now covers both JS and TS. The report is
# produced by `bun test --coverage` (lcov reporter set in bunfig.toml) into coverage/.
sonar.javascript.lcov.reportPaths=coverage/lcov.info
# The bin shim (cli/main.ts) is pure process glue (shebang, process.argv,
# stdout/stderr, exit code) with all behaviour in cli/run.ts. It is excluded from
# line coverage in bunfig.toml and so never appears in lcov.info; mirror that here
# so Sonar does not read its absence as 0% coverage. It is still analyzed for
# issues - only coverage is waived. It is validated end-to-end by cli/main.test.ts.
sonar.coverage.exclusions=src/cli/main.ts
# Suppress tssecurity:S8707 ("CLI argument can escape filesystem restrictions")
# in the storage adapters and the CLI. This is not a vulnerability here by design:
# LibreDB is an embedded, single-process database and `libredb` is its local CLI,
# both of which exist to open the file path their caller names — exactly like
# `sqlite3 <file>` or `cat <file>`. There is no privilege boundary to cross (the
# operator and the "attacker" are the same local user), and confining access to a
# base directory would defeat the tool's purpose. Scoped to the filesystem-facing
# layers only, so the rule still applies everywhere else.
sonar.issue.ignore.multicriteria=fsadapter,fscli
sonar.issue.ignore.multicriteria.fsadapter.ruleKey=tssecurity:S8707
sonar.issue.ignore.multicriteria.fsadapter.resourceKey=src/adapter/**
sonar.issue.ignore.multicriteria.fscli.ruleKey=tssecurity:S8707
sonar.issue.ignore.multicriteria.fscli.resourceKey=src/cli/**