From b53b81aa5b2f295fe5ca18d1e2d286831fa21bfc Mon Sep 17 00:00:00 2001 From: Moritz Eysholdt Date: Wed, 25 Feb 2026 14:03:16 +0000 Subject: [PATCH 01/10] Add SonarQube MCP server and SonarLint extension - Add .ona/mcp-config.json with SonarQube MCP server configuration - Add SonarLint and Node.js to devcontainer, preserving upstream features - Remove unused Dockerfile in favor of upstream base image - Update README with SonarQube Cloud setup instructions Co-authored-by: Ona --- .devcontainer/Dockerfile | 11 -- .devcontainer/devcontainer.json | 9 +- .ona/mcp-config.json | 21 ++++ README.md | 178 ++------------------------------ 4 files changed, 37 insertions(+), 182 deletions(-) delete mode 100644 .devcontainer/Dockerfile create mode 100644 .ona/mcp-config.json diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile deleted file mode 100644 index f8102bc..0000000 --- a/.devcontainer/Dockerfile +++ /dev/null @@ -1,11 +0,0 @@ -# Not actually used by the devcontainer, but it is used by gitpod -ARG VARIANT=17-bullseye -FROM mcr.microsoft.com/vscode/devcontainers/java:0-${VARIANT} -ARG NODE_VERSION="none" -RUN if [ "${NODE_VERSION}" != "none" ]; then su vscode -c "umask 0002 && . /usr/local/share/nvm/nvm.sh && nvm install ${NODE_VERSION} 2>&1"; fi -ARG USER=vscode -VOLUME /home/$USER/.m2 -VOLUME /home/$USER/.gradle -ARG JAVA_VERSION=17.0.7-ms -RUN sudo mkdir /home/$USER/.m2 /home/$USER/.gradle && sudo chown $USER:$USER /home/$USER/.m2 /home/$USER/.gradle -RUN bash -lc '. /usr/local/sdkman/bin/sdkman-init.sh && sdk install java $JAVA_VERSION && sdk use java $JAVA_VERSION' \ No newline at end of file diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index 3aa67af..0c05f20 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json @@ -8,16 +8,19 @@ }, "ghcr.io/devcontainers/features/azure-cli:1": {}, "ghcr.io/devcontainers/features/docker-in-docker:2": {}, - "ghcr.io/devcontainers/features/github-cli:1": {} + "ghcr.io/devcontainers/features/github-cli:1": {}, + "ghcr.io/devcontainers/features/node:1": { + "version": "lts" + } }, - "customizations": { "vscode": { "settings": {}, "extensions": [ "redhat.vscode-xml", "visualstudioexptteam.vscodeintellicode", - "vscjava.vscode-java-pack" + "vscjava.vscode-java-pack", + "sonarsource.sonarlint-vscode" ] } }, diff --git a/.ona/mcp-config.json b/.ona/mcp-config.json new file mode 100644 index 0000000..6f6127f --- /dev/null +++ b/.ona/mcp-config.json @@ -0,0 +1,21 @@ +{ + "mcpServers": { + "sonarqube": { + "name": "sonarqube", + "command": "docker", + "args": [ + "run", "-i", "--init", "--pull=always", + "--name", "sonarqube-mcp-server", + "--rm", + "-e", "SONARQUBE_TOKEN", + "-e", "SONARQUBE_ORG", + "mcp/sonarqube" + ], + "env": { + "SONARQUBE_TOKEN": "${exec:printenv SONARQUBE_TOKEN}", + "SONARQUBE_ORG": "${exec:printenv SONARQUBE_ORG}" + }, + "timeout": 30 + } + } +} diff --git a/README.md b/README.md index e8aa6f3..e48dc9e 100644 --- a/README.md +++ b/README.md @@ -1,174 +1,16 @@ -# Spring PetClinic Sample Application [![Build Status](https://github.com/spring-projects/spring-petclinic/actions/workflows/maven-build.yml/badge.svg)](https://github.com/spring-projects/spring-petclinic/actions/workflows/maven-build.yml)[![Build Status](https://github.com/spring-projects/spring-petclinic/actions/workflows/gradle-build.yml/badge.svg)](https://github.com/spring-projects/spring-petclinic/actions/workflows/gradle-build.yml) +# sonarcube -[![Open in Gitpod](https://gitpod.io/button/open-in-gitpod.svg)](https://gitpod.io/#https://github.com/spring-projects/spring-petclinic) [![Open in GitHub Codespaces](https://github.com/codespaces/badge.svg)](https://github.com/codespaces/new?hide_repo_select=true&ref=main&repo=7517918) +## SonarQube MCP Server -## Understanding the Spring Petclinic application with a few diagrams +This devcontainer includes a [SonarQube MCP server](https://docs.sonarsource.com/sonarqube-mcp-server/) that connects Ona to your SonarQube Cloud account. -See the presentation here: -[Spring Petclinic Sample Application (legacy slides)](https://speakerdeck.com/michaelisvy/spring-petclinic-sample-application?slide=20) +### Required environment variables -> **Note:** These slides refer to a legacy, pre–Spring Boot version of Petclinic and may not reflect the current Spring Boot–based implementation. -> For up-to-date information, please refer to this repository and its documentation. +Set these before starting the environment: +| Variable | Description | +|----------|-------------| +| `SONARQUBE_TOKEN` | Your SonarQube Cloud [user token](https://sonarcloud.io/account/security) | +| `SONARQUBE_ORG` | Your SonarQube Cloud [organization key](https://sonarcloud.io/account/organizations) | -## Run Petclinic locally - -Spring Petclinic is a [Spring Boot](https://spring.io/guides/gs/spring-boot) application built using [Maven](https://spring.io/guides/gs/maven/) or [Gradle](https://spring.io/guides/gs/gradle/). -Java 17 or later is required for the build, and the application can run with Java 17 or newer. - -You first need to clone the project locally: - -```bash -git clone https://github.com/spring-projects/spring-petclinic.git -cd spring-petclinic -``` -If you are using Maven, you can start the application on the command-line as follows: - -```bash -./mvnw spring-boot:run -``` -With Gradle, the command is as follows: - -```bash -./gradlew bootRun -``` - -You can then access the Petclinic at . - -petclinic-screenshot - -You can, of course, run Petclinic in your favorite IDE. -See below for more details. - -## Building a Container - -There is no `Dockerfile` in this project. You can build a container image (if you have a docker daemon) using the Spring Boot build plugin: - -```bash -./mvnw spring-boot:build-image -``` - -## In case you find a bug/suggested improvement for Spring Petclinic - -Our issue tracker is available [here](https://github.com/spring-projects/spring-petclinic/issues). - -## Database configuration - -In its default configuration, Petclinic uses an in-memory database (H2) which -gets populated at startup with data. The h2 console is exposed at `http://localhost:8080/h2-console`, -and it is possible to inspect the content of the database using the `jdbc:h2:mem:` URL. The UUID is printed at startup to the console. - -A similar setup is provided for MySQL and PostgreSQL if a persistent database configuration is needed. Note that whenever the database type changes, the app needs to run with a different profile: `spring.profiles.active=mysql` for MySQL or `spring.profiles.active=postgres` for PostgreSQL. See the [Spring Boot documentation](https://docs.spring.io/spring-boot/how-to/properties-and-configuration.html#howto.properties-and-configuration.set-active-spring-profiles) for more detail on how to set the active profile. - -You can start MySQL or PostgreSQL locally with whatever installer works for your OS or use docker: - -```bash -docker run -e MYSQL_USER=petclinic -e MYSQL_PASSWORD=petclinic -e MYSQL_ROOT_PASSWORD=root -e MYSQL_DATABASE=petclinic -p 3306:3306 mysql:9.5 -``` - -or - -```bash -docker run -e POSTGRES_USER=petclinic -e POSTGRES_PASSWORD=petclinic -e POSTGRES_DB=petclinic -p 5432:5432 postgres:18.1 -``` - -Further documentation is provided for [MySQL](https://github.com/spring-projects/spring-petclinic/blob/main/src/main/resources/db/mysql/petclinic_db_setup_mysql.txt) -and [PostgreSQL](https://github.com/spring-projects/spring-petclinic/blob/main/src/main/resources/db/postgres/petclinic_db_setup_postgres.txt). - -Instead of vanilla `docker` you can also use the provided `docker-compose.yml` file to start the database containers. Each one has a service named after the Spring profile: - -```bash -docker compose up mysql -``` - -or - -```bash -docker compose up postgres -``` - -## Test Applications - -At development time we recommend you use the test applications set up as `main()` methods in `PetClinicIntegrationTests` (using the default H2 database and also adding Spring Boot Devtools), `MySqlTestApplication` and `PostgresIntegrationTests`. These are set up so that you can run the apps in your IDE to get fast feedback and also run the same classes as integration tests against the respective database. The MySql integration tests use Testcontainers to start the database in a Docker container, and the Postgres tests use Docker Compose to do the same thing. - -## Compiling the CSS - -There is a `petclinic.css` in `src/main/resources/static/resources/css`. It was generated from the `petclinic.scss` source, combined with the [Bootstrap](https://getbootstrap.com/) library. If you make changes to the `scss`, or upgrade Bootstrap, you will need to re-compile the CSS resources using the Maven profile "css", i.e. `./mvnw package -P css`. There is no build profile for Gradle to compile the CSS. - -## Working with Petclinic in your IDE - -### Prerequisites - -The following items should be installed in your system: - -- Java 17 or newer (full JDK, not a JRE) -- [Git command line tool](https://help.github.com/articles/set-up-git) -- Your preferred IDE - - Eclipse with the m2e plugin. Note: when m2e is available, there is a m2 icon in `Help -> About` dialog. If m2e is - not there, follow the installation process [here](https://www.eclipse.org/m2e/) - - [Spring Tools Suite](https://spring.io/tools) (STS) - - [IntelliJ IDEA](https://www.jetbrains.com/idea/) - - [VS Code](https://code.visualstudio.com) - -### Steps - -1. On the command line run: - - ```bash - git clone https://github.com/spring-projects/spring-petclinic.git - ``` - -1. Inside Eclipse or STS: - - Open the project via `File -> Import -> Maven -> Existing Maven project`, then select the root directory of the cloned repo. - - Then either build on the command line `./mvnw generate-resources` or use the Eclipse launcher (right-click on project and `Run As -> Maven install`) to generate the CSS. Run the application's main method by right-clicking on it and choosing `Run As -> Java Application`. - -1. Inside IntelliJ IDEA: - - In the main menu, choose `File -> Open` and select the Petclinic [pom.xml](pom.xml). Click on the `Open` button. - - - CSS files are generated from the Maven build. You can build them on the command line `./mvnw generate-resources` or right-click on the `spring-petclinic` project then `Maven -> Generates sources and Update Folders`. - - - A run configuration named `PetClinicApplication` should have been created for you if you're using a recent Ultimate version. Otherwise, run the application by right-clicking on the `PetClinicApplication` main class and choosing `Run 'PetClinicApplication'`. - -1. Navigate to the Petclinic - - Visit [http://localhost:8080](http://localhost:8080) in your browser. - -## Looking for something in particular? - -|Spring Boot Configuration | Class or Java property files | -|--------------------------|---| -|The Main Class | [PetClinicApplication](https://github.com/spring-projects/spring-petclinic/blob/main/src/main/java/org/springframework/samples/petclinic/PetClinicApplication.java) | -|Properties Files | [application.properties](https://github.com/spring-projects/spring-petclinic/blob/main/src/main/resources) | -|Caching | [CacheConfiguration](https://github.com/spring-projects/spring-petclinic/blob/main/src/main/java/org/springframework/samples/petclinic/system/CacheConfiguration.java) | - -## Interesting Spring Petclinic branches and forks - -The Spring Petclinic "main" branch in the [spring-projects](https://github.com/spring-projects/spring-petclinic) -GitHub org is the "canonical" implementation based on Spring Boot and Thymeleaf. There are -[quite a few forks](https://spring-petclinic.github.io/docs/forks.html) in the GitHub org -[spring-petclinic](https://github.com/spring-petclinic). If you are interested in using a different technology stack to implement the Pet Clinic, please join the community there. - -## Interaction with other open-source projects - -One of the best parts about working on the Spring Petclinic application is that we have the opportunity to work in direct contact with many Open Source projects. We found bugs/suggested improvements on various topics such as Spring, Spring Data, Bean Validation and even Eclipse! In many cases, they've been fixed/implemented in just a few days. -Here is a list of them: - -| Name | Issue | -|------|-------| -| Spring JDBC: simplify usage of NamedParameterJdbcTemplate | [SPR-10256](https://github.com/spring-projects/spring-framework/issues/14889) and [SPR-10257](https://github.com/spring-projects/spring-framework/issues/14890) | -| Bean Validation / Hibernate Validator: simplify Maven dependencies and backward compatibility |[HV-790](https://hibernate.atlassian.net/browse/HV-790) and [HV-792](https://hibernate.atlassian.net/browse/HV-792) | -| Spring Data: provide more flexibility when working with JPQL queries | [DATAJPA-292](https://github.com/spring-projects/spring-data-jpa/issues/704) | - -## Contributing - -The [issue tracker](https://github.com/spring-projects/spring-petclinic/issues) is the preferred channel for bug reports, feature requests and submitting pull requests. - -For pull requests, editor preferences are available in the [editor config](.editorconfig) for easy use in common text editors. Read more and download plugins at . All commits must include a __Signed-off-by__ trailer at the end of each commit message to indicate that the contributor agrees to the Developer Certificate of Origin. -For additional details, please refer to the blog post [Hello DCO, Goodbye CLA: Simplifying Contributions to Spring](https://spring.io/blog/2025/01/06/hello-dco-goodbye-cla-simplifying-contributions-to-spring). - -## License - -The Spring PetClinic sample application is released under version 2.0 of the [Apache License](https://www.apache.org/licenses/LICENSE-2.0). +Configure them as Ona secrets or environment variables so they're available inside the devcontainer. The MCP server will not start without both values set. \ No newline at end of file From 366388bf9fd415e51604072c08a7415e4c344639 Mon Sep 17 00:00:00 2001 From: Moritz Eysholdt Date: Wed, 25 Feb 2026 15:01:02 +0000 Subject: [PATCH 02/10] Add SonarScanner CLI to devcontainer via Dockerfile Install SonarScanner CLI 6.2.1 in a custom Dockerfile and switch devcontainer.json from image to build. Document CLI and SonarLint usage in README. Co-authored-by: Ona --- .devcontainer/Dockerfile | 9 +++++ .devcontainer/devcontainer.json | 4 +- README.md | 66 ++++++++++++++++++++++++++++++++- 3 files changed, 77 insertions(+), 2 deletions(-) create mode 100644 .devcontainer/Dockerfile diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile new file mode 100644 index 0000000..ad2054a --- /dev/null +++ b/.devcontainer/Dockerfile @@ -0,0 +1,9 @@ +FROM mcr.microsoft.com/devcontainers/base:ubuntu + +ARG SONAR_SCANNER_VERSION=6.2.1.4610 + +RUN curl -sSLo /tmp/sonar-scanner-cli.zip \ + https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-${SONAR_SCANNER_VERSION}-linux-x64.zip \ + && unzip -o /tmp/sonar-scanner-cli.zip -d /opt \ + && ln -sf /opt/sonar-scanner-${SONAR_SCANNER_VERSION}-linux-x64/bin/sonar-scanner /usr/local/bin/sonar-scanner \ + && rm /tmp/sonar-scanner-cli.zip diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index 0c05f20..29f456b 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json @@ -1,6 +1,8 @@ { "name": "Java", - "image": "mcr.microsoft.com/devcontainers/base:ubuntu", + "build": { + "dockerfile": "Dockerfile" + }, "features": { "ghcr.io/devcontainers/features/java:1": { "version": "21-oracle", diff --git a/README.md b/README.md index e48dc9e..01f33d9 100644 --- a/README.md +++ b/README.md @@ -13,4 +13,68 @@ Set these before starting the environment: | `SONARQUBE_TOKEN` | Your SonarQube Cloud [user token](https://sonarcloud.io/account/security) | | `SONARQUBE_ORG` | Your SonarQube Cloud [organization key](https://sonarcloud.io/account/organizations) | -Configure them as Ona secrets or environment variables so they're available inside the devcontainer. The MCP server will not start without both values set. \ No newline at end of file +Configure them as Ona secrets or environment variables so they're available inside the devcontainer. The MCP server will not start without both values set. + +## Local SonarQube Scanning + +Two options are available for running SonarQube analysis locally. Both sync rules from your SonarQube Cloud project. + +### Option 1: Maven Plugin + +The `sonar-maven-plugin` is configured in `pom.xml`. This is the recommended approach for Java/Maven projects — it integrates with the build lifecycle and automatically picks up compiled classes and JaCoCo coverage reports. + +```bash +# Run analysis and upload results to SonarQube Cloud +./mvnw verify sonar:sonar \ + -Dsonar.host.url=https://sonarcloud.io \ + -Dsonar.organization=$SONARQUBE_ORG \ + -Dsonar.token=$SONARQUBE_TOKEN \ + -Dsonar.projectKey=ona-samples_sonarcube-integration + +# Skip tests if already run separately +./mvnw sonar:sonar \ + -Dsonar.host.url=https://sonarcloud.io \ + -Dsonar.organization=$SONARQUBE_ORG \ + -Dsonar.token=$SONARQUBE_TOKEN \ + -Dsonar.projectKey=ona-samples_sonarcube-integration +``` + +Note: If SonarCloud has Automatic Analysis enabled for this project, disable it in **Administration → Analysis Method** before running manual scans. + +The `verify` phase runs tests and generates the JaCoCo coverage report, which SonarQube then picks up automatically. + +### Option 2: SonarScanner CLI + +The SonarScanner CLI is pre-installed in the devcontainer. It's a standalone scanner useful for quick scans or non-Maven workflows. + +```bash +sonar-scanner \ + -Dsonar.host.url=https://sonarcloud.io \ + -Dsonar.organization=$SONARQUBE_ORG \ + -Dsonar.token=$SONARQUBE_TOKEN \ + -Dsonar.projectKey=ona-samples_sonarcube-integration \ + -Dsonar.sources=src/main/java \ + -Dsonar.tests=src/test/java \ + -Dsonar.java.binaries=target/classes +``` + +Note: The CLI requires compiled classes (`target/classes`). Run `./mvnw compile` first if they don't exist. + +### Which to use? + +| | Maven Plugin | SonarScanner CLI | +|---|---|---| +| **Best for** | Full analysis with coverage | Quick scans, non-Maven projects | +| **Coverage support** | Automatic (via JaCoCo) | Manual configuration required | +| **Setup** | Zero — configured in `pom.xml` | Requires passing project parameters | +| **Uploads results** | Yes | Yes | + +### VS Code: SonarLint Extension + +The devcontainer includes the [SonarLint extension](https://marketplace.visualstudio.com/items?itemName=SonarSource.sonarlint-vscode) for real-time feedback in the editor. To sync rules from SonarQube Cloud, enable Connected Mode in VS Code settings: + +1. Open Command Palette → **SonarLint: Add SonarQube Cloud Connection** +2. Enter your organization key and token +3. Bind the workspace to project `ona-samples_sonarcube-integration` + +SonarLint catches issues as you type. Use the Maven plugin or CLI for full project analysis. \ No newline at end of file From cd2d52e8eda4e52d8574aaf228998ceec323ecc7 Mon Sep 17 00:00:00 2001 From: Moritz Eysholdt Date: Wed, 25 Feb 2026 15:01:09 +0000 Subject: [PATCH 03/10] Add sonar-maven-plugin for local SonarQube analysis Configure sonar-maven-plugin 5.1.0 in pom.xml to enable running scans via ./mvnw sonar:sonar. Co-authored-by: Ona --- pom.xml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/pom.xml b/pom.xml index fb38cc3..5e931ac 100644 --- a/pom.xml +++ b/pom.xml @@ -31,6 +31,7 @@ 3.6.0 0.0.11 0.0.47 + 5.1.0.4751 @@ -226,6 +227,11 @@ + + org.sonarsource.scanner.maven + sonar-maven-plugin + ${sonar-maven-plugin.version} + org.graalvm.buildtools native-maven-plugin From fb6743ad50244c0d70055497c4333270316f52d0 Mon Sep 17 00:00:00 2001 From: Moritz Eysholdt Date: Wed, 25 Feb 2026 15:01:15 +0000 Subject: [PATCH 04/10] Add .gitpod/automations.yaml for build and run tasks Define init (build) and run (spring-boot:run) automation tasks matching the spring-petclinic reference configuration. Co-authored-by: Ona --- .gitpod/automations.yaml | 46 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 46 insertions(+) create mode 100644 .gitpod/automations.yaml diff --git a/.gitpod/automations.yaml b/.gitpod/automations.yaml new file mode 100644 index 0000000..eba18b8 --- /dev/null +++ b/.gitpod/automations.yaml @@ -0,0 +1,46 @@ +tasks: + run: + command: | + ./mvnw spring-boot:run + dependsOn: + - init + name: "Run PetClinic App" + triggeredBy: + - postDevcontainerStart + - manual + init: + command: | + ./mvnw clean install -U -DskipTests + name: "Build" + triggeredBy: + - manual + - prebuild + sonar-maven: + command: | + ./mvnw verify sonar:sonar \ + -Dsonar.host.url=https://sonarcloud.io \ + -Dsonar.organization=$SONARQUBE_ORG \ + -Dsonar.token=$SONARQUBE_TOKEN \ + -Dsonar.projectKey=ona-samples_sonarcube-integration + dependsOn: + - init + name: "SonarQube Scan (Maven)" + triggeredBy: + - manual + - prebuild + sonar-cli: + command: | + ./mvnw compile -q && \ + sonar-scanner \ + -Dsonar.host.url=https://sonarcloud.io \ + -Dsonar.organization=$SONARQUBE_ORG \ + -Dsonar.token=$SONARQUBE_TOKEN \ + -Dsonar.projectKey=ona-samples_sonarcube-integration \ + -Dsonar.sources=src/main/java \ + -Dsonar.tests=src/test/java \ + -Dsonar.java.binaries=target/classes + dependsOn: + - init + name: "SonarQube Scan (CLI)" + triggeredBy: + - manual From 8d9c729d3204c4eedb7b2b08245fae61ad9fd527 Mon Sep 17 00:00:00 2001 From: Moritz Eysholdt Date: Wed, 25 Feb 2026 16:20:43 +0000 Subject: [PATCH 05/10] ignore scannerwork Co-authored-by: Ona --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index 76cb65f..1d4b5dd 100644 --- a/.gitignore +++ b/.gitignore @@ -46,3 +46,4 @@ out/ _site/ *.css !petclinic.css +.scannerwork From a458a4f093e301621cc3f1a7854cbff3428c15ad Mon Sep 17 00:00:00 2001 From: Moritz Eysholdt Date: Wed, 25 Feb 2026 16:57:58 +0000 Subject: [PATCH 06/10] added automation Co-authored-by: Ona --- .ona/deploy-to-SE-demo.sh | 3 ++ .ona/fix-sonar-issue.yaml | 78 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 81 insertions(+) create mode 100755 .ona/deploy-to-SE-demo.sh create mode 100644 .ona/fix-sonar-issue.yaml diff --git a/.ona/deploy-to-SE-demo.sh b/.ona/deploy-to-SE-demo.sh new file mode 100755 index 0000000..ef1f50c --- /dev/null +++ b/.ona/deploy-to-SE-demo.sh @@ -0,0 +1,3 @@ +#!/bin/bash + +ona ai automation update 019c95af-e354-7d00-a5ed-5856f50e5957 fix-sonar-issue.yaml \ No newline at end of file diff --git a/.ona/fix-sonar-issue.yaml b/.ona/fix-sonar-issue.yaml new file mode 100644 index 0000000..ace9be4 --- /dev/null +++ b/.ona/fix-sonar-issue.yaml @@ -0,0 +1,78 @@ +action: + limits: + maxParallel: 1 + maxTotal: 10 + steps: + - agent: + prompt: | + You have access to SonarQube tools via MCP. Use them to query the project + "ona-samples_sonarcube-integration" for open issues with BLOCKER or HIGH severity. + + Pick the single highest-severity issue (BLOCKER > HIGH). If there are ties, + pick the one in production code (src/main) over test code (src/test). + + For the selected issue: + 1. Read the SonarQube rule details to understand what the rule requires. + 2. Read the affected source file and surrounding context. + 3. Note the rule key, severity, file path, line number, and the rule's message. + + Do NOT make any code changes yet. + - agent: + prompt: | + Using the issue identified in the previous step: + + 1. Create a new git branch named "sonar-fix/" (e.g. sonar-fix/java-S2699). + 2. Apply the minimal fix that resolves the SonarQube issue while preserving + existing behavior. Follow the project's code style and conventions. + 3. Commit the fix with message: "Fix SonarQube : " + Add co-author: "Co-authored-by: Ona " + + Do NOT run tests yet. + - agent: + prompt: | + Verify the fix from the previous step: + + 1. Run `./mvnw compile test` to compile and run all tests. + 2. If compilation or tests fail: + a. Read the error output carefully. + b. Identify whether the failure is caused by the fix or a pre-existing issue. + c. If caused by the fix, adjust the code and amend the commit. + d. Rerun `./mvnw compile test`. + e. Repeat until all tests pass. + 3. Once tests pass, confirm the fix is complete. + - pullRequest: + branch: sonar-fix/ + title: 'Sonar-Fix: ' + description: | + ## SonarQube Issue + + | Field | Value | + |-------|-------| + | **Rule** | `<rule-key>` — [View rule](https://rules.sonarsource.com/java/RSPEC-<rule-number>) | + | **Severity** | <severity> | + | **Type** | <clean-code-attribute-category> | + | **Message** | <sonar-message> | + + ## Affected Code + + | Field | Value | + |-------|-------| + | **File** | `<file-path>` | + | **Line** | <line-number> | + + ## What changed + + <one-or-two-sentence explanation of the fix and why it resolves the issue> + + ## Verification + + - [x] `./mvnw compile test` passes + - [x] Fix is minimal and preserves existing behavior +description: >- + Picks the highest-severity open SonarQube issue, applies a fix, + verifies tests pass, and opens a pull request. +name: fix-sonar-issue +triggers: + - context: + projects: {} + manual: {} From da1935c735aaefecaae4e809e329c88bd0a5f643 Mon Sep 17 00:00:00 2001 From: Moritz Eysholdt <moritz@ona.com> Date: Thu, 26 Feb 2026 07:32:40 +0000 Subject: [PATCH 07/10] updated automation Co-authored-by: Ona <no-reply@ona.com> --- .ona/fix-sonar-issue.yaml | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/.ona/fix-sonar-issue.yaml b/.ona/fix-sonar-issue.yaml index ace9be4..b81198a 100644 --- a/.ona/fix-sonar-issue.yaml +++ b/.ona/fix-sonar-issue.yaml @@ -1,3 +1,11 @@ +name: fix-sonar-issue +description: >- + Picks the highest-severity open SonarQube issue, applies a fix, + verifies tests pass, and opens a pull request. +triggers: + - context: + projects: {} + manual: {} action: limits: maxParallel: 1 @@ -24,10 +32,8 @@ action: 1. Create a new git branch named "sonar-fix/<rule-key>" (e.g. sonar-fix/java-S2699). 2. Apply the minimal fix that resolves the SonarQube issue while preserving existing behavior. Follow the project's code style and conventions. - 3. Commit the fix with message: "Fix SonarQube <rule-key>: <short description>" - Add co-author: "Co-authored-by: Ona <no-reply@ona.com>" - Do NOT run tests yet. + Do NOT commit or run tests yet. - agent: prompt: | Verify the fix from the previous step: @@ -40,6 +46,10 @@ action: d. Rerun `./mvnw compile test`. e. Repeat until all tests pass. 3. Once tests pass, confirm the fix is complete. + - agent: + prompt: | + Commit the fix with message: "Fix SonarQube <rule-key>: <short description>" + Add co-author: "Co-authored-by: Ona <no-reply@ona.com>" - pullRequest: branch: sonar-fix/<issue> title: 'Sonar-Fix: <title>' @@ -68,11 +78,3 @@ action: - [x] `./mvnw compile test` passes - [x] Fix is minimal and preserves existing behavior -description: >- - Picks the highest-severity open SonarQube issue, applies a fix, - verifies tests pass, and opens a pull request. -name: fix-sonar-issue -triggers: - - context: - projects: {} - manual: {} From ffa62248c81df1c7ab92a0cf970cd5898443769b Mon Sep 17 00:00:00 2001 From: Moritz Eysholdt <moritz@ona.com> Date: Thu, 26 Feb 2026 07:38:37 +0000 Subject: [PATCH 08/10] updated automation --- .ona/fix-sonar-issue.yaml | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/.ona/fix-sonar-issue.yaml b/.ona/fix-sonar-issue.yaml index b81198a..166cb68 100644 --- a/.ona/fix-sonar-issue.yaml +++ b/.ona/fix-sonar-issue.yaml @@ -58,18 +58,12 @@ action: | Field | Value | |-------|-------| + | **Issue** | [View in SonarQube Cloud](https://sonarcloud.io/project/issues?id=ona-samples_sonarcube-integration&issues=<issue-key>&open=<issue-key>) | | **Rule** | `<rule-key>` — [View rule](https://rules.sonarsource.com/java/RSPEC-<rule-number>) | | **Severity** | <severity> | | **Type** | <clean-code-attribute-category> | | **Message** | <sonar-message> | - ## Affected Code - - | Field | Value | - |-------|-------| - | **File** | `<file-path>` | - | **Line** | <line-number> | - ## What changed <one-or-two-sentence explanation of the fix and why it resolves the issue> From 9464a7278ed50b7ed1756239617d4b971a94a42d Mon Sep 17 00:00:00 2001 From: Moritz Eysholdt <moritz@ona.com> Date: Thu, 26 Feb 2026 07:54:04 +0000 Subject: [PATCH 09/10] Fix rule link in automation PR template to use sonarcloud.io Co-authored-by: Ona <no-reply@ona.com> --- .ona/fix-sonar-issue.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.ona/fix-sonar-issue.yaml b/.ona/fix-sonar-issue.yaml index 166cb68..e180564 100644 --- a/.ona/fix-sonar-issue.yaml +++ b/.ona/fix-sonar-issue.yaml @@ -59,7 +59,7 @@ action: | Field | Value | |-------|-------| | **Issue** | [View in SonarQube Cloud](https://sonarcloud.io/project/issues?id=ona-samples_sonarcube-integration&issues=<issue-key>&open=<issue-key>) | - | **Rule** | `<rule-key>` — [View rule](https://rules.sonarsource.com/java/RSPEC-<rule-number>) | + | **Rule** | `<rule-key>` — [View rule](https://sonarcloud.io/organizations/ona-samples/rules?open=<rule-key>&rule_key=<rule-key>) | | **Severity** | <severity> | | **Type** | <clean-code-attribute-category> | | **Message** | <sonar-message> | From 58695ef36b32d9f510571274c321c9dfb29b94b7 Mon Sep 17 00:00:00 2001 From: Moritz Eysholdt <moritz@ona.com> Date: Thu, 26 Feb 2026 07:59:27 +0000 Subject: [PATCH 10/10] Fix SonarQube java:S1192: Extract duplicated "error" string literal into constant Co-authored-by: Ona <no-reply@ona.com> --- .../samples/petclinic/owner/OwnerController.java | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/src/main/java/org/springframework/samples/petclinic/owner/OwnerController.java b/src/main/java/org/springframework/samples/petclinic/owner/OwnerController.java index 199ca36..eb04aab 100644 --- a/src/main/java/org/springframework/samples/petclinic/owner/OwnerController.java +++ b/src/main/java/org/springframework/samples/petclinic/owner/OwnerController.java @@ -50,6 +50,8 @@ class OwnerController { private static final String VIEWS_OWNER_CREATE_OR_UPDATE_FORM = "owners/createOrUpdateOwnerForm"; + private static final String FLASH_ATTR_ERROR = "error"; + private final OwnerRepository owners; public OwnerController(OwnerRepository owners) { @@ -77,7 +79,7 @@ public String initCreationForm() { @PostMapping("/owners/new") public String processCreationForm(@Valid Owner owner, BindingResult result, RedirectAttributes redirectAttributes) { if (result.hasErrors()) { - redirectAttributes.addFlashAttribute("error", "There was an error in creating the owner."); + redirectAttributes.addFlashAttribute(FLASH_ATTR_ERROR, "There was an error in creating the owner."); return VIEWS_OWNER_CREATE_OR_UPDATE_FORM; } @@ -142,13 +144,13 @@ public String initUpdateOwnerForm() { public String processUpdateOwnerForm(@Valid Owner owner, BindingResult result, @PathVariable("ownerId") int ownerId, RedirectAttributes redirectAttributes) { if (result.hasErrors()) { - redirectAttributes.addFlashAttribute("error", "There was an error in updating the owner."); + redirectAttributes.addFlashAttribute(FLASH_ATTR_ERROR, "There was an error in updating the owner."); return VIEWS_OWNER_CREATE_OR_UPDATE_FORM; } if (!Objects.equals(owner.getId(), ownerId)) { result.rejectValue("id", "mismatch", "The owner ID in the form does not match the URL."); - redirectAttributes.addFlashAttribute("error", "Owner ID mismatch. Please try again."); + redirectAttributes.addFlashAttribute(FLASH_ATTR_ERROR, "Owner ID mismatch. Please try again."); return "redirect:/owners/{ownerId}/edit"; }