From 8a015c83dec757ca6d10314899e1dafb2913bed6 Mon Sep 17 00:00:00 2001 From: Moritz Eysholdt Date: Thu, 26 Feb 2026 11:40:19 +0000 Subject: [PATCH 1/8] Add Ona devcontainer and automations config Co-authored-by: Ona --- .devcontainer/Dockerfile | 11 ----------- .devcontainer/devcontainer.json | 10 +++++++++- .gitpod/automations.yaml | 17 +++++++++++++++++ 3 files changed, 26 insertions(+), 12 deletions(-) delete mode 100644 .devcontainer/Dockerfile create mode 100755 .gitpod/automations.yaml diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile deleted file mode 100644 index f8102bc..0000000 --- a/.devcontainer/Dockerfile +++ /dev/null @@ -1,11 +0,0 @@ -# Not actually used by the devcontainer, but it is used by gitpod -ARG VARIANT=17-bullseye -FROM mcr.microsoft.com/vscode/devcontainers/java:0-${VARIANT} -ARG NODE_VERSION="none" -RUN if [ "${NODE_VERSION}" != "none" ]; then su vscode -c "umask 0002 && . /usr/local/share/nvm/nvm.sh && nvm install ${NODE_VERSION} 2>&1"; fi -ARG USER=vscode -VOLUME /home/$USER/.m2 -VOLUME /home/$USER/.gradle -ARG JAVA_VERSION=17.0.7-ms -RUN sudo mkdir /home/$USER/.m2 /home/$USER/.gradle && sudo chown $USER:$USER /home/$USER/.m2 /home/$USER/.gradle -RUN bash -lc '. /usr/local/sdkman/bin/sdkman-init.sh && sdk install java $JAVA_VERSION && sdk use java $JAVA_VERSION' \ No newline at end of file diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index 3aa67af..fcab68d 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json @@ -21,5 +21,13 @@ ] } }, - "remoteUser": "vscode" + "remoteUser": "vscode", + "forwardPorts": [8080], + "portsAttributes": { + "8080": { + "label": "Port 8080", + "onAutoForward": "openPreview", + "elevateIfNeeded": true + } + } } diff --git a/.gitpod/automations.yaml b/.gitpod/automations.yaml new file mode 100755 index 0000000..78bb67d --- /dev/null +++ b/.gitpod/automations.yaml 
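Review bot: `"elevateIfNeeded": true` on port 8080 asks the port forwarder to prompt for elevated privileges when binding, but 8080 is not a privileged port on Linux, so the flag can never be needed and only widens what the forwarder may request; drop it and keep `"label"` and `"onAutoForward"`. The label `"Port 8080"` says nothing the port number does not; `"label": "PetClinic"` would tell the user what the preview is.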
@@ -0,0 +1,17 @@ +tasks: + run: + command: | + ./mvnw spring-boot:run + dependsOn: + - init + name: "Run PetClinic App" + triggeredBy: + - postDevcontainerStart + - manual + init: + command: | + ./mvnw clean install -U -DskipTests + name: "Build" + triggeredBy: + - manual + - prebuild From f9de31a802bf3c585f9a6342bf19c6ccb03d047b Mon Sep 17 00:00:00 2001 From: Moritz Eysholdt Date: Thu, 26 Feb 2026 12:04:30 +0000 Subject: [PATCH 2/8] Add SonarQube MCP server and SonarLint extension Co-authored-by: Ona --- .devcontainer/devcontainer.json | 9 ++++++--- .ona/mcp-config.json | 21 +++++++++++++++++++++ 2 files changed, 27 insertions(+), 3 deletions(-) create mode 100644 .ona/mcp-config.json diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index fcab68d..9df6d2a 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json @@ -8,16 +8,19 @@ }, "ghcr.io/devcontainers/features/azure-cli:1": {}, "ghcr.io/devcontainers/features/docker-in-docker:2": {}, - "ghcr.io/devcontainers/features/github-cli:1": {} + "ghcr.io/devcontainers/features/github-cli:1": {}, + "ghcr.io/devcontainers/features/node:1": { + "version": "lts" + } }, - "customizations": { "vscode": { "settings": {}, "extensions": [ "redhat.vscode-xml", "visualstudioexptteam.vscodeintellicode", - "vscjava.vscode-java-pack" + "vscjava.vscode-java-pack", + "sonarsource.sonarlint-vscode" ] } }, diff --git a/.ona/mcp-config.json b/.ona/mcp-config.json new file mode 100644 index 0000000..6f6127f --- /dev/null +++ b/.ona/mcp-config.json @@ -0,0 +1,21 @@ +{ + "mcpServers": { + "sonarqube": { + "name": "sonarqube", + "command": "docker", + "args": [ + "run", "-i", "--init", "--pull=always", + "--name", "sonarqube-mcp-server", + "--rm", + "-e", "SONARQUBE_TOKEN", + "-e", "SONARQUBE_ORG", + "mcp/sonarqube" + ], + "env": { + "SONARQUBE_TOKEN": "${exec:printenv SONARQUBE_TOKEN}", + "SONARQUBE_ORG": "${exec:printenv SONARQUBE_ORG}" + }, + "timeout": 30 + } + } +} 
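Review bot: The diffstat above records `.gitpod/automations.yaml` as `create mode 100755`, i.e. with the executable bit set, although it is a data file read by the automation runner, not a script; committing it as `100644` avoids it showing up in executable-file audits and matches the other config files in this series.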
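Review bot: The `mcp/sonarqube` image in `args` is referenced without a tag or digest, so with `--pull=always` every start fetches whatever currently carries the default tag and hands it `SONARQUBE_TOKEN` and `SONARQUBE_ORG`; pin it, e.g. `"mcp/sonarqube@sha256:<digest-placeholder>"`, so the image receiving the token is a known one. Patch 7 (`Remove --pull=always from MCP docker config`) drops the pull flag but leaves the reference unpinned, so the same applies there. Passing the token as a bare `-e SONARQUBE_TOKEN` (read from the environment rather than placed in argv) is the right choice and should stay as is. Separately, `--name sonarqube-mcp-server` combined with `--rm` means a second start while the previous container is still shutting down fails on the name conflict; either drop `--name` or document that only one instance can run.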
From 368585d63f5703da9fec03acb0ef3217b8daac52 Mon Sep 17 00:00:00 2001 From: Moritz Eysholdt Date: Thu, 26 Feb 2026 12:04:33 +0000 Subject: [PATCH 3/8] Add SonarQube issue fix automation Co-authored-by: Ona --- .ona/deploy-to-SE-demo.sh | 3 ++ .ona/fix-sonar-issue.yaml | 74 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 77 insertions(+) create mode 100755 .ona/deploy-to-SE-demo.sh create mode 100644 .ona/fix-sonar-issue.yaml diff --git a/.ona/deploy-to-SE-demo.sh b/.ona/deploy-to-SE-demo.sh new file mode 100755 index 0000000..ef1f50c --- /dev/null +++ b/.ona/deploy-to-SE-demo.sh @@ -0,0 +1,3 @@ +#!/bin/bash + +ona ai automation update 019c95af-e354-7d00-a5ed-5856f50e5957 fix-sonar-issue.yaml \ No newline at end of file diff --git a/.ona/fix-sonar-issue.yaml b/.ona/fix-sonar-issue.yaml new file mode 100644 index 0000000..e180564 --- /dev/null +++ b/.ona/fix-sonar-issue.yaml 
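Review bot: `fix-sonar-issue.yaml` is passed as a bare relative path, so the script only works when invoked from inside `.ona/`; resolving it against the script's own location, `ona ai automation update 019c95af-e354-7d00-a5ed-5856f50e5957 "$(dirname "$0")/fix-sonar-issue.yaml"`, makes it callable from the repository root. The automation id is a hard-coded opaque value; a one-line comment above the call naming which Ona project/automation it refers to would help whoever has to update it later.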
@@ -0,0 +1,74 @@ +name: fix-sonar-issue +description: >- + Picks the highest-severity open SonarQube issue, applies a fix, + verifies tests pass, and opens a pull request. +triggers: + - context: + projects: {} + manual: {} +action: + limits: + maxParallel: 1 + maxTotal: 10 + steps: + - agent: + prompt: | + You have access to SonarQube tools via MCP. Use them to query the project + "ona-samples_sonarcube-integration" for open issues with BLOCKER or HIGH severity. + + Pick the single highest-severity issue (BLOCKER > HIGH). If there are ties, + pick the one in production code (src/main) over test code (src/test). + + For the selected issue: + 1. Read the SonarQube rule details to understand what the rule requires. + 2. Read the affected source file and surrounding context. + 3. Note the rule key, severity, file path, line number, and the rule's message. + + Do NOT make any code changes yet. + - agent: + prompt: | + Using the issue identified in the previous step: + + 1. Create a new git branch named "sonar-fix/" (e.g. sonar-fix/java-S2699). + 2. Apply the minimal fix that resolves the SonarQube issue while preserving + existing behavior. Follow the project's code style and conventions. + + Do NOT commit or run tests yet. + - agent: + prompt: | + Verify the fix from the previous step: + + 1. Run `./mvnw compile test` to compile and run all tests. + 2. If compilation or tests fail: + a. Read the error output carefully. + b. Identify whether the failure is caused by the fix or a pre-existing issue. + c. If caused by the fix, adjust the code and amend the commit. + d. Rerun `./mvnw compile test`. + e. Repeat until all tests pass. + 3. Once tests pass, confirm the fix is complete. 
+ - agent: + prompt: | + Commit the fix with message: "Fix SonarQube : " + Add co-author: "Co-authored-by: Ona " + - pullRequest: + branch: sonar-fix/ + title: 'Sonar-Fix: ' + description: | + ## SonarQube Issue + + | Field | Value | + |-------|-------| + | **Issue** | [View in SonarQube Cloud](https://sonarcloud.io/project/issues?id=ona-samples_sonarcube-integration&issues=<issue-key>&open=<issue-key>) | + | **Rule** | `<rule-key>` — [View rule](https://sonarcloud.io/organizations/ona-samples/rules?open=<rule-key>&rule_key=<rule-key>) | + | **Severity** | <severity> | + | **Type** | <clean-code-attribute-category> | + | **Message** | <sonar-message> | + + ## What changed + + <one-or-two-sentence explanation of the fix and why it resolves the issue> + + ## Verification + + - [x] `./mvnw compile test` passes + - [x] Fix is minimal and preserves existing behavior From 019e88defd627cd810aad2af8c723f3a4d1aeb50 Mon Sep 17 00:00:00 2001 From: Moritz Eysholdt <moritz@ona.com> Date: Thu, 26 Feb 2026 12:04:36 +0000 Subject: [PATCH 4/8] Update README with SonarQube setup instructions Co-authored-by: Ona <no-reply@ona.com> --- README.md | 200 +++++++++++++++--------------------------------------- 1 file changed, 53 insertions(+), 147 deletions(-) diff --git a/README.md b/README.md index e8aa6f3..79077a7 100644 --- a/README.md +++ b/README.md 
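Review bot: The third step's recovery loop says `adjust the code and amend the commit`, but at that point nothing has been committed: the second step ends with `Do NOT commit or run tests yet` and the commit is only made in the fourth step, so an agent following the text literally has nothing to amend. Rewording it to `adjust the code` and leaving the single commit to the fourth step keeps the steps consistent. The branch and commit-message templates read as `sonar-fix/` and `Fix SonarQube : ` in this copy while the pullRequest description keeps `<issue-key>`-style tokens; that may be rendering loss, but if the yaml really lacks the placeholders the branch name and message would be missing the rule key, so worth confirming. `maxTotal: 10` bounds the number of runs, but `Repeat until all tests pass` is unbounded within a run; a cap such as "at most three attempts, then stop and report the failure" avoids an agent cycling on a pre-existing test failure.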
@@ -1,174 +1,80 @@ -# Spring PetClinic Sample Application [![Build Status](https://github.com/spring-projects/spring-petclinic/actions/workflows/maven-build.yml/badge.svg)](https://github.com/spring-projects/spring-petclinic/actions/workflows/maven-build.yml)[![Build Status](https://github.com/spring-projects/spring-petclinic/actions/workflows/gradle-build.yml/badge.svg)](https://github.com/spring-projects/spring-petclinic/actions/workflows/gradle-build.yml) +# SonarQube -[![Open in Gitpod](https://gitpod.io/button/open-in-gitpod.svg)](https://gitpod.io/#https://github.com/spring-projects/spring-petclinic) [![Open in GitHub Codespaces](https://github.com/codespaces/badge.svg)](https://github.com/codespaces/new?hide_repo_select=true&ref=main&repo=7517918) +## SonarQube MCP Server -## Understanding the Spring Petclinic application with a few diagrams +This devcontainer includes a [SonarQube MCP server](https://docs.sonarsource.com/sonarqube-mcp-server/) that connects Ona to your SonarQube Cloud account. -See the presentation here: -[Spring Petclinic Sample Application (legacy slides)](https://speakerdeck.com/michaelisvy/spring-petclinic-sample-application?slide=20) +### Required environment variables -> **Note:** These slides refer to a legacy, pre–Spring Boot version of Petclinic and may not reflect the current Spring Boot–based implementation. -> For up-to-date information, please refer to this repository and its documentation. +Set these before starting the environment: +| Variable | Description | +|----------|-------------| +| `SONARQUBE_TOKEN` | Your SonarQube Cloud [user token](https://sonarcloud.io/account/security) | +| `SONARQUBE_ORG` | Your SonarQube Cloud [organization key](https://sonarcloud.io/account/organizations) | -## Run Petclinic locally +Configure them as Ona secrets or environment variables so they're available inside the devcontainer. The MCP server will not start without both values set. 
-Spring Petclinic is a [Spring Boot](https://spring.io/guides/gs/spring-boot) application built using [Maven](https://spring.io/guides/gs/maven/) or [Gradle](https://spring.io/guides/gs/gradle/). -Java 17 or later is required for the build, and the application can run with Java 17 or newer. +## Local SonarQube Scanning -You first need to clone the project locally: +Two options are available for running SonarQube analysis locally. Both sync rules from your SonarQube Cloud project. -```bash -git clone https://github.com/spring-projects/spring-petclinic.git -cd spring-petclinic -``` -If you are using Maven, you can start the application on the command-line as follows: - -```bash -./mvnw spring-boot:run -``` -With Gradle, the command is as follows: - -```bash -./gradlew bootRun -``` - -You can then access the Petclinic at <http://localhost:8080/>. - -<img width="1042" alt="petclinic-screenshot" src="https://cloud.githubusercontent.com/assets/838318/19727082/2aee6d6c-9b8e-11e6-81fe-e889a5ddfded.png"> - -You can, of course, run Petclinic in your favorite IDE. -See below for more details. - -## Building a Container - -There is no `Dockerfile` in this project. You can build a container image (if you have a docker daemon) using the Spring Boot build plugin: +### Option 1: Maven Plugin -```bash -./mvnw spring-boot:build-image -``` - -## In case you find a bug/suggested improvement for Spring Petclinic - -Our issue tracker is available [here](https://github.com/spring-projects/spring-petclinic/issues). - -## Database configuration - -In its default configuration, Petclinic uses an in-memory database (H2) which -gets populated at startup with data. The h2 console is exposed at `http://localhost:8080/h2-console`, -and it is possible to inspect the content of the database using the `jdbc:h2:mem:<uuid>` URL. The UUID is printed at startup to the console. - -A similar setup is provided for MySQL and PostgreSQL if a persistent database configuration is needed. 
Note that whenever the database type changes, the app needs to run with a different profile: `spring.profiles.active=mysql` for MySQL or `spring.profiles.active=postgres` for PostgreSQL. See the [Spring Boot documentation](https://docs.spring.io/spring-boot/how-to/properties-and-configuration.html#howto.properties-and-configuration.set-active-spring-profiles) for more detail on how to set the active profile. - -You can start MySQL or PostgreSQL locally with whatever installer works for your OS or use docker: - -```bash -docker run -e MYSQL_USER=petclinic -e MYSQL_PASSWORD=petclinic -e MYSQL_ROOT_PASSWORD=root -e MYSQL_DATABASE=petclinic -p 3306:3306 mysql:9.5 -``` - -or +The `sonar-maven-plugin` is configured in `pom.xml`. This is the recommended approach for Java/Maven projects — it integrates with the build lifecycle and automatically picks up compiled classes and JaCoCo coverage reports. ```bash -docker run -e POSTGRES_USER=petclinic -e POSTGRES_PASSWORD=petclinic -e POSTGRES_DB=petclinic -p 5432:5432 postgres:18.1 +# Run analysis and upload results to SonarQube Cloud +./mvnw verify sonar:sonar \ + -Dsonar.host.url=https://sonarcloud.io \ + -Dsonar.organization=$SONARQUBE_ORG \ + -Dsonar.token=$SONARQUBE_TOKEN \ + -Dsonar.projectKey=ona-samples_sonarcube-integration + +# Skip tests if already run separately +./mvnw sonar:sonar \ + -Dsonar.host.url=https://sonarcloud.io \ + -Dsonar.organization=$SONARQUBE_ORG \ + -Dsonar.token=$SONARQUBE_TOKEN \ + -Dsonar.projectKey=ona-samples_sonarcube-integration ``` -Further documentation is provided for [MySQL](https://github.com/spring-projects/spring-petclinic/blob/main/src/main/resources/db/mysql/petclinic_db_setup_mysql.txt) -and [PostgreSQL](https://github.com/spring-projects/spring-petclinic/blob/main/src/main/resources/db/postgres/petclinic_db_setup_postgres.txt). +Note: If SonarCloud has Automatic Analysis enabled for this project, disable it in **Administration → Analysis Method** before running manual scans. 
-Instead of vanilla `docker` you can also use the provided `docker-compose.yml` file to start the database containers. Each one has a service named after the Spring profile: +The `verify` phase runs tests and generates the JaCoCo coverage report, which SonarQube then picks up automatically. -```bash -docker compose up mysql -``` +### Option 2: SonarScanner CLI -or +The SonarScanner CLI is pre-installed in the devcontainer. It's a standalone scanner useful for quick scans or non-Maven workflows. ```bash -docker compose up postgres +sonar-scanner \ + -Dsonar.host.url=https://sonarcloud.io \ + -Dsonar.organization=$SONARQUBE_ORG \ + -Dsonar.token=$SONARQUBE_TOKEN \ + -Dsonar.projectKey=ona-samples_sonarcube-integration \ + -Dsonar.sources=src/main/java \ + -Dsonar.tests=src/test/java \ + -Dsonar.java.binaries=target/classes ``` -## Test Applications - -At development time we recommend you use the test applications set up as `main()` methods in `PetClinicIntegrationTests` (using the default H2 database and also adding Spring Boot Devtools), `MySqlTestApplication` and `PostgresIntegrationTests`. These are set up so that you can run the apps in your IDE to get fast feedback and also run the same classes as integration tests against the respective database. The MySql integration tests use Testcontainers to start the database in a Docker container, and the Postgres tests use Docker Compose to do the same thing. - -## Compiling the CSS - -There is a `petclinic.css` in `src/main/resources/static/resources/css`. It was generated from the `petclinic.scss` source, combined with the [Bootstrap](https://getbootstrap.com/) library. If you make changes to the `scss`, or upgrade Bootstrap, you will need to re-compile the CSS resources using the Maven profile "css", i.e. `./mvnw package -P css`. There is no build profile for Gradle to compile the CSS. 
- -## Working with Petclinic in your IDE - -### Prerequisites - -The following items should be installed in your system: - -- Java 17 or newer (full JDK, not a JRE) -- [Git command line tool](https://help.github.com/articles/set-up-git) -- Your preferred IDE - - Eclipse with the m2e plugin. Note: when m2e is available, there is a m2 icon in `Help -> About` dialog. If m2e is - not there, follow the installation process [here](https://www.eclipse.org/m2e/) - - [Spring Tools Suite](https://spring.io/tools) (STS) - - [IntelliJ IDEA](https://www.jetbrains.com/idea/) - - [VS Code](https://code.visualstudio.com) - -### Steps - -1. On the command line run: - - ```bash - git clone https://github.com/spring-projects/spring-petclinic.git - ``` - -1. Inside Eclipse or STS: - - Open the project via `File -> Import -> Maven -> Existing Maven project`, then select the root directory of the cloned repo. - - Then either build on the command line `./mvnw generate-resources` or use the Eclipse launcher (right-click on project and `Run As -> Maven install`) to generate the CSS. Run the application's main method by right-clicking on it and choosing `Run As -> Java Application`. - -1. Inside IntelliJ IDEA: - - In the main menu, choose `File -> Open` and select the Petclinic [pom.xml](pom.xml). Click on the `Open` button. - - - CSS files are generated from the Maven build. You can build them on the command line `./mvnw generate-resources` or right-click on the `spring-petclinic` project then `Maven -> Generates sources and Update Folders`. - - - A run configuration named `PetClinicApplication` should have been created for you if you're using a recent Ultimate version. Otherwise, run the application by right-clicking on the `PetClinicApplication` main class and choosing `Run 'PetClinicApplication'`. - -1. Navigate to the Petclinic - - Visit [http://localhost:8080](http://localhost:8080) in your browser. - -## Looking for something in particular? 
- -|Spring Boot Configuration | Class or Java property files | -|--------------------------|---| -|The Main Class | [PetClinicApplication](https://github.com/spring-projects/spring-petclinic/blob/main/src/main/java/org/springframework/samples/petclinic/PetClinicApplication.java) | -|Properties Files | [application.properties](https://github.com/spring-projects/spring-petclinic/blob/main/src/main/resources) | -|Caching | [CacheConfiguration](https://github.com/spring-projects/spring-petclinic/blob/main/src/main/java/org/springframework/samples/petclinic/system/CacheConfiguration.java) | - -## Interesting Spring Petclinic branches and forks - -The Spring Petclinic "main" branch in the [spring-projects](https://github.com/spring-projects/spring-petclinic) -GitHub org is the "canonical" implementation based on Spring Boot and Thymeleaf. There are -[quite a few forks](https://spring-petclinic.github.io/docs/forks.html) in the GitHub org -[spring-petclinic](https://github.com/spring-petclinic). If you are interested in using a different technology stack to implement the Pet Clinic, please join the community there. - -## Interaction with other open-source projects - -One of the best parts about working on the Spring Petclinic application is that we have the opportunity to work in direct contact with many Open Source projects. We found bugs/suggested improvements on various topics such as Spring, Spring Data, Bean Validation and even Eclipse! In many cases, they've been fixed/implemented in just a few days. -Here is a list of them: +Note: The CLI requires compiled classes (`target/classes`). Run `./mvnw compile` first if they don't exist. 
-| Name | Issue | -|------|-------| -| Spring JDBC: simplify usage of NamedParameterJdbcTemplate | [SPR-10256](https://github.com/spring-projects/spring-framework/issues/14889) and [SPR-10257](https://github.com/spring-projects/spring-framework/issues/14890) | -| Bean Validation / Hibernate Validator: simplify Maven dependencies and backward compatibility |[HV-790](https://hibernate.atlassian.net/browse/HV-790) and [HV-792](https://hibernate.atlassian.net/browse/HV-792) | -| Spring Data: provide more flexibility when working with JPQL queries | [DATAJPA-292](https://github.com/spring-projects/spring-data-jpa/issues/704) | +### Which to use? -## Contributing +| | Maven Plugin | SonarScanner CLI | +|---|---|---| +| **Best for** | Full analysis with coverage | Quick scans, non-Maven projects | +| **Coverage support** | Automatic (via JaCoCo) | Manual configuration required | +| **Setup** | Zero — configured in `pom.xml` | Requires passing project parameters | +| **Uploads results** | Yes | Yes | -The [issue tracker](https://github.com/spring-projects/spring-petclinic/issues) is the preferred channel for bug reports, feature requests and submitting pull requests. +### VS Code: SonarLint Extension -For pull requests, editor preferences are available in the [editor config](.editorconfig) for easy use in common text editors. Read more and download plugins at <https://editorconfig.org>. All commits must include a __Signed-off-by__ trailer at the end of each commit message to indicate that the contributor agrees to the Developer Certificate of Origin. -For additional details, please refer to the blog post [Hello DCO, Goodbye CLA: Simplifying Contributions to Spring](https://spring.io/blog/2025/01/06/hello-dco-goodbye-cla-simplifying-contributions-to-spring). +The devcontainer includes the [SonarLint extension](https://marketplace.visualstudio.com/items?itemName=SonarSource.sonarlint-vscode) for real-time feedback in the editor. 
To sync rules from SonarQube Cloud, enable Connected Mode in VS Code settings: -## License +1. Open Command Palette → **SonarLint: Add SonarQube Cloud Connection** +2. Enter your organization key and token +3. Bind the workspace to project `ona-samples_sonarcube-integration` -The Spring PetClinic sample application is released under version 2.0 of the [Apache License](https://www.apache.org/licenses/LICENSE-2.0). +SonarLint catches issues as you type. Use the Maven plugin or CLI for full project analysis. \ No newline at end of file From 6c2a133f368223d36172e0b8bef06454bad71040 Mon Sep 17 00:00:00 2001 From: Moritz Eysholdt <moritz@ona.com> Date: Thu, 26 Feb 2026 13:34:03 +0000 Subject: [PATCH 5/8] add connected mode Co-authored-by: Ona <no-reply@ona.com> --- .sonarlint/connectedMode.json | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 .sonarlint/connectedMode.json diff --git a/.sonarlint/connectedMode.json b/.sonarlint/connectedMode.json new file mode 100644 index 0000000..3a660bf --- /dev/null +++ b/.sonarlint/connectedMode.json @@ -0,0 +1,5 @@ +{ + "sonarCloudOrganization": "ona-samples", + "projectKey": "ona-samples_sonarqube-cloud", + "region": "EU" +} \ No newline at end of file From 9f9f1215aa852590c07f03a0877a11ef0592d25b Mon Sep 17 00:00:00 2001 From: Moritz Eysholdt <moritz@ona.com> Date: Thu, 26 Feb 2026 15:26:59 +0000 Subject: [PATCH 6/8] added file with issues --- .../owner/OwnerStatisticsService.java.txt | 287 ++++++++++++++++++ 1 file changed, 287 insertions(+) create mode 100644 src/main/java/org/springframework/samples/petclinic/owner/OwnerStatisticsService.java.txt diff --git a/src/main/java/org/springframework/samples/petclinic/owner/OwnerStatisticsService.java.txt b/src/main/java/org/springframework/samples/petclinic/owner/OwnerStatisticsService.java.txt new file mode 100644 index 0000000..188520b --- /dev/null +++ b/src/main/java/org/springframework/samples/petclinic/owner/OwnerStatisticsService.java.txt 
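Review bot: `projectKey` is `ona-samples_sonarqube-cloud`, while every other reference in this series (the `fix-sonar-issue.yaml` prompt, the README's `-Dsonar.projectKey` examples and its Connected Mode instructions) uses `ona-samples_sonarcube-integration`, so SonarLint would bind the workspace to a different project than the one the scans and the automation target. One of the two keys is presumably wrong; `"projectKey": "ona-samples_sonarcube-integration",` if the README is authoritative.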
@@ -0,0 +1,287 @@ +/* + * Copyright 2012-2025 the original author or authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * https://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.springframework.samples.petclinic.owner; + +import java.io.File; +import java.io.FileInputStream; +import java.io.FileOutputStream; +import java.io.IOException; +import java.net.HttpURLConnection; +import java.net.URL; +import java.security.MessageDigest; +import java.security.NoSuchAlgorithmException; +import java.sql.Connection; +import java.sql.DriverManager; +import java.sql.ResultSet; +import java.sql.Statement; +import java.util.ArrayList; +import java.util.HashMap; +import java.util.List; +import java.util.Map; +import java.util.Random; + +import org.springframework.stereotype.Service; + +/** + * Service for computing owner statistics and reports. + */ +@Service +public class OwnerStatisticsService { + + // Violation: S1068 - unused private field + private String unusedField = "never read"; + + // Violation: S2386 - mutable public field + public static List<String> SHARED_OWNER_NAMES = new ArrayList<>(); + + private final OwnerRepository ownerRepository; + + public OwnerStatisticsService(OwnerRepository ownerRepository) { + this.ownerRepository = ownerRepository; + } + + /** + * Generate a report of owner statistics. 
Violation: S3776 - Cognitive complexity too + * high Violation: S106 - System.out instead of logger Violation: S1192 - Duplicated + * string literals Violation: S2259 - Null pointer dereference Violation: S2147 - + * Collapsible if statements + */ + public Map<String, Object> generateOwnerReport(String filterCity) { + Map<String, Object> report = new HashMap<>(); + List<Owner> allOwners = ownerRepository.findAll(); + + // Violation: S1481 - unused local variable + int unusedCounter = 0; + + // Violation: S1854 - dead store, value overwritten before read + String status = "initializing"; + status = "processing"; + + // Violation: S106 - Standard outputs should not be used directly to log anything + System.out.println("Starting owner report generation"); + System.out.println("Processing owners for city: " + filterCity); + System.out.println("Total owners found: " + allOwners.size()); + + int totalPets = 0; + int ownersWithPets = 0; + int ownersWithoutPets = 0; + + for (Owner owner : allOwners) { + // Violation: S2259 - potential null dereference (filterCity could be null) + if (filterCity.equals(owner.getCity())) { + // Violation: S2147 - collapsible if statements + if (owner.getPets() != null) { + if (owner.getPets().size() > 0) { + totalPets += owner.getPets().size(); + ownersWithPets++; + // Violation: S106 + System.out + .println("Owner " + owner.getFirstName() + " has " + owner.getPets().size() + " pets"); + } + else { + ownersWithoutPets++; + } + } + } + } + + // Violation: S1192 - duplicated string literal "owner_report" + report.put("owner_report", "generated"); + report.put("owner_report_status", "complete"); + report.put("owner_report_version", "1.0"); + report.put("owner_report_type", "summary"); + report.put("owner_report_format", "map"); + + report.put("totalPets", totalPets); + report.put("ownersWithPets", ownersWithPets); + report.put("ownersWithoutPets", ownersWithoutPets); + + // Violation: S106 + System.out.println("Report generation complete"); + + 
return report; + } + + /** + * Violation: S4790 - Using weak cryptographic hash function (MD5) Violation: S2070 - + * SHA-1 is also weak + */ + public String hashOwnerData(String data) throws NoSuchAlgorithmException { + // Violation: S4790 - MD5 is a weak hash + MessageDigest md5 = MessageDigest.getInstance("MD5"); + byte[] md5Hash = md5.digest(data.getBytes()); + + // Violation: S4790 - SHA-1 is also weak + MessageDigest sha1 = MessageDigest.getInstance("SHA-1"); + byte[] sha1Hash = sha1.digest(data.getBytes()); + + StringBuilder hexString = new StringBuilder(); + for (byte b : md5Hash) { + String hex = Integer.toHexString(0xff & b); + if (hex.length() == 1) { + hexString.append('0'); + } + hexString.append(hex); + } + + // Violation: S106 + System.out.println("Hashed owner data with MD5: " + hexString.toString()); + + return hexString.toString(); + } + + /** + * Violation: S2095 - Resources should be closed Violation: S2093 - Try-with-resources + * should be used Violation: S00108 - Empty catch block + */ + public void exportOwnerData(String filePath) { + FileOutputStream fos = null; + try { + // Violation: S2095 - resource not properly closed + fos = new FileOutputStream(new File(filePath)); + List<Owner> owners = ownerRepository.findAll(); + for (Owner owner : owners) { + String line = owner.getFirstName() + "," + owner.getLastName() + "," + owner.getCity() + "\n"; + fos.write(line.getBytes()); + } + } + catch (IOException e) { + // Violation: S00108 - empty catch block + } + // fos is never closed in a finally block - resource leak + } + + /** + * Violation: S2077 - SQL injection via string concatenation Violation: S2095 - JDBC + * resources not closed + */ + public List<String> searchOwnersByName(String name) { + List<String> results = new ArrayList<>(); + try { + // Violation: S2095 - Connection not closed with try-with-resources + Connection conn = DriverManager.getConnection("jdbc:h2:mem:testdb", "sa", ""); + Statement stmt = conn.createStatement(); + + 
// Violation: S2077 - SQL injection: user input concatenated into query + String query = "SELECT * FROM owners WHERE last_name = '" + name + "'"; + ResultSet rs = stmt.executeQuery(query); + + while (rs.next()) { + results.add(rs.getString("first_name") + " " + rs.getString("last_name")); + } + + // Violation: S106 + System.out.println("Found " + results.size() + " owners matching: " + name); + } + catch (Exception e) { + // Violation: S00108 - empty catch block + // Violation: S2221 - catching generic Exception + } + return results; + } + + /** + * Violation: S2245 - Using Random instead of SecureRandom for security-sensitive + * context Violation: S1135 - TODO comment + */ + public String generateOwnerToken(Owner owner) { + // TODO: fix this to use SecureRandom before going to production + // Violation: S2245 - pseudorandom number generator used in security context + Random random = new Random(); + long token = random.nextLong(); + + // Violation: S1481 - unused local variable + String debugInfo = "token-gen-" + System.currentTimeMillis(); + + // Violation: S106 + System.out.println("Generated token for owner: " + owner.getFirstName()); + + return Long.toHexString(token); + } + + /** + * Violation: S1186 - Empty method body + */ + public void cleanupExpiredData() { + // Violation: S1186 - methods should not be empty + } + + /** + * Violation: S2699 - Hardcoded credentials Violation: S1313 - Hardcoded IP address + */ + public boolean connectToExternalService() { + // Violation: S2068 - hardcoded credentials + String password = "admin123"; + String apiKey = "sk-1234567890abcdef"; + + // Violation: S1313 - hardcoded IP address + String serverUrl = "https://192.168.1.100:8080/api"; + + try { + URL url = new URL(serverUrl); + HttpURLConnection connection = (HttpURLConnection) url.openConnection(); + connection.setRequestProperty("Authorization", "Bearer " + apiKey); + connection.setRequestProperty("X-Password", password); + + int responseCode = 
connection.getResponseCode(); + // Violation: S106 + System.out.println("External service response: " + responseCode); + + return responseCode == 200; + } + catch (Exception e) { + // Violation: S00108 - empty catch block + return false; + } + } + + /** + * Violation: S1871 - identical branches in if/else Violation: S3358 - nested ternary + */ + public String categorizeOwner(Owner owner) { + int petCount = owner.getPets().size(); + + // Violation: S1871 - two branches have identical implementation + if (petCount == 0) { + return "no-pets"; + } + else if (petCount == 1) { + return "single-pet-owner"; + } + else if (petCount == 2) { + return "single-pet-owner"; + } + else { + // Violation: S3358 - nested ternary operator + return petCount > 10 ? "collector" : petCount > 5 ? "enthusiast" : "multi-pet-owner"; + } + } + + /** + * Violation: S1144 - unused private method + */ + private String formatOwnerName(Owner owner) { + return owner.getLastName() + ", " + owner.getFirstName(); + } + + /** + * Violation: S1144 - another unused private method + */ + private int calculateOwnerScore(Owner owner) { + return owner.getPets().size() * 10; + } + +} From 6009d78e460467184ba5af7a1d8f2d98dc72a2c0 Mon Sep 17 00:00:00 2001 From: Moritz Eysholdt <moritz@ona.com> Date: Thu, 26 Feb 2026 15:38:59 +0000 Subject: [PATCH 7/8] Remove --pull=always from MCP docker config Co-authored-by: Ona <no-reply@ona.com> --- .ona/mcp-config.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.ona/mcp-config.json b/.ona/mcp-config.json index 6f6127f..898001b 100644 --- a/.ona/mcp-config.json +++ b/.ona/mcp-config.json @@ -4,7 +4,7 @@ "name": "sonarqube", "command": "docker", "args": [ - "run", "-i", "--init", "--pull=always", + "run", "-i", "--init", "--name", "sonarqube-mcp-server", "--rm", "-e", "SONARQUBE_TOKEN", From f42e554ea16599d3a6583f7d8f0c30411c98f62e Mon Sep 17 00:00:00 2001 
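Review bot: The Javadoc on `connectToExternalService` names `S2699 - Hardcoded credentials` while the inline comment on `password` names `S2068`; S2699 is the missing-test-assertion rule that patch 8 fixes, so the Javadoc should read `Violation: S2068 - Hardcoded credentials`. Because the file is stored as `.java.txt` under `src/main/java`, it is not compiled and presumably not indexed as Java by the Maven sonar analysis either, so the findings the automation relies on may not come from it; a header comment stating how the file is meant to be used (renamed before a demo, fed to a scanner by hand) would make that explicit. The literals `sk-1234567890abcdef` and `admin123` are shaped like real secrets, so secret-scanning push protection or pre-commit hooks may flag the file even though the values are fake; a comment saying they are dummies, or an obviously dummy shape, saves a false positive.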
From: Moritz Eysholdt <moritz@ona.com> Date: Fri, 27 Feb 2026 09:19:01 +0000 Subject: [PATCH 8/8] Fix SonarQube java:S2699: Add assertion to testFindAll() Co-authored-by: Ona <no-reply@ona.com> --- .../samples/petclinic/PostgresIntegrationTests.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/test/java/org/springframework/samples/petclinic/PostgresIntegrationTests.java b/src/test/java/org/springframework/samples/petclinic/PostgresIntegrationTests.java index f3c5181..1e28980 100644 --- a/src/test/java/org/springframework/samples/petclinic/PostgresIntegrationTests.java +++ b/src/test/java/org/springframework/samples/petclinic/PostgresIntegrationTests.java @@ -80,7 +80,7 @@ public static void main(String[] args) { @Test void testFindAll() throws Exception { - vets.findAll(); + assertThat(vets.findAll()).isNotEmpty(); vets.findAll(); // served from cache }
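Review bot: The call on the line after the new assertion, `vets.findAll(); // served from cache`, is still unasserted, so the test now checks the first lookup but not the cached one the comment is about. Capturing the first result and comparing, e.g. `var first = vets.findAll(); assertThat(first).isNotEmpty(); assertThat(vets.findAll()).containsExactlyElementsOf(first);`, pins the cache path as well. `assertThat` has to be statically imported above this hunk for the added line to compile; the import block is outside it.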