feat(scorecard): Add SonarQube metric providers (#2576)

* chore(scorecard): create a new module for sonarqube

Signed-off-by: Christoph Jerolimov <jerolimov+git@redhat.com>

* feat(scorecard): add SonarQube metric providers for quality gate, issues, and security

Add four metric providers to the scorecard-backend-module-sonarqube plugin:
- Quality gate status (boolean)
- Open issues count (number)
- Security rating (number, A=1 to E=5)
- Security issues/vulnerabilities count (number)

Includes SonarQubeClient, config, factory, example catalog entity, and unit tests.
SonarQube baseUrl defaults to https://sonarcloud.io; token is optional for public projects.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Christoph Jerolimov <jerolimov+git@redhat.com>

* feat(scorecard): support multiple SonarQube instances and align with config schema

- Add config.d.ts with typed config schema supporting default + named instances
- Refactor SonarQubeClient to resolve instance by name from sonarqube.instances[]
- Parse sonarqube.org/project-key annotation for optional instance prefix (instance/project-key)
- Use apiKey + authType (Basic/Bearer) from config.d.ts instead of token
- Falls back to default instance when no instance prefix in annotation

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Christoph Jerolimov <jerolimov+git@redhat.com>

* docs(scorecard): add README for sonarqube module

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Christoph Jerolimov <jerolimov+git@redhat.com>

* fix(scorecard): base64-encode Basic auth header for SonarQube API

SonarQube expects Basic auth as base64(apiKey:) with an appended colon.
Bearer auth passes the apiKey directly without encoding.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Christoph Jerolimov <jerolimov+git@redhat.com>

* chore(scorecard): add api report for ci check

Signed-off-by: Christoph Jerolimov <jerolimov+git@redhat.com>

* chore(scorecard): fix publish check ci checks and make the package public

Signed-off-by: Christoph Jerolimov <jerolimov+git@redhat.com>

* feat(scorecard): add 8 additional SonarQube metric providers

Add metrics for code coverage, code duplications, security review rating,
security hotspots, reliability rating/issues, and maintainability rating/issues.

Refactors calculateMetric to use a data-driven API key mapping table instead
of a switch statement, and deduplicates rating thresholds into a shared constant.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Christoph Jerolimov <jerolimov+git@redhat.com>

* fix(scorecard): add missing mockSonarqubeScorecardResponse to e2e apiUtils

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Christoph Jerolimov <jerolimov+git@redhat.com>

* chore(scorecard): try to fix the scorecard e2e tests

Signed-off-by: Christoph Jerolimov <jerolimov+git@redhat.com>

* chore(scorecard): update descriptions and readme

Signed-off-by: Christoph Jerolimov <jerolimov+git@redhat.com>

* chore(scorecard): remove unused externalBaseUrl from sonarqube config

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: Christoph Jerolimov <jerolimov+git@redhat.com>

* chore(scorecard): yarn dedupe

Signed-off-by: Christoph Jerolimov <jerolimov+git@redhat.com>

* chore(scorecard): refactore code to fromConfig pattern

Signed-off-by: Christoph Jerolimov <jerolimov+git@redhat.com>

* chore(scorecard): use five thresholds for A-E ratings, use success/error thresholds for security rating

Signed-off-by: Christoph Jerolimov <jerolimov+git@redhat.com>

* feat(scorecard): add sonarqube translations

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: Christoph Jerolimov <jerolimov+git@redhat.com>

* feat(scorecard): add tooltip to Scorecard header to show titles that are longer then one line

Signed-off-by: Christoph Jerolimov <jerolimov+git@redhat.com>

* chore(scorecard): fix e2e tests

Signed-off-by: Christoph Jerolimov <jerolimov+git@redhat.com>

* fix(scorecard): e2e tests

Signed-off-by: Ihor Mykhno <imykhno@redhat.com>

* refactor(scorecard): SonarQube providers

Signed-off-by: Ihor Mykhno <imykhno@redhat.com>

* fix(scorecard): update fetch reference and correct expected result in tests

Signed-off-by: Ihor Mykhno <imykhno@redhat.com>

* fix(scorecard): type imports

Signed-off-by: Ihor Mykhno <imykhno@redhat.com>

* fix(scorecard): increase initial delay and refactor logger mocks in tests

Signed-off-by: Ihor Mykhno <imykhno@redhat.com>

* fix(scorecard): make apiKey optional for SonarQube configuration and update README

Signed-off-by: Ihor Mykhno <imykhno@redhat.com>

---------

Signed-off-by: Christoph Jerolimov <jerolimov+git@redhat.com>
Signed-off-by: Ihor Mykhno <imykhno@redhat.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Ihor Mykhno <imykhno@redhat.com>

Author: 3 people

workspaces/scorecard/.changeset/plain-pigs-agree.md

@@ -0,0 +1,5 @@
+---
+'@red-hat-developer-hub/backstage-plugin-scorecard': patch
+---
+
+Add translations for new sonarqube module.

workspaces/scorecard/.changeset/seven-tips-watch.md

@@ -0,0 +1,5 @@
+---
+'@red-hat-developer-hub/backstage-plugin-scorecard': patch
+---
+
+Add tooltip to Scorecard header to show titles that are longer then one line

workspaces/scorecard/.changeset/sonarqube-additional-metrics.md

@@ -0,0 +1,5 @@
+---
+'@red-hat-developer-hub/backstage-plugin-scorecard-backend-module-sonarqube': minor
+---
+
+Add metric providers for code coverage, code duplications, security review rating, security hotspots, reliability rating, reliability issues, maintainability rating, and maintainability issues

workspaces/scorecard/.changeset/sonarqube-basic-auth-encoding.md

@@ -0,0 +1,5 @@
+---
+'@red-hat-developer-hub/backstage-plugin-scorecard-backend-module-sonarqube': patch
+---
+
+Fix Basic auth to base64-encode apiKey with appended colon, matching the SonarQube API expectation

workspaces/scorecard/.changeset/sonarqube-metric-providers.md

@@ -0,0 +1,5 @@
+---
+'@red-hat-developer-hub/backstage-plugin-scorecard-backend-module-sonarqube': minor
+---
+
+Add SonarQube metric providers for quality gate status, open issues, security rating, and security issues

workspaces/scorecard/.prettierignore

@@ -1,7 +1,10 @@
+.eslintrc.js
+.vscode
+coverage
 dist
 dist-types
-coverage
-.vscode
-.eslintrc.js
+e2e-test-report
+e2e-test-report-legacy
+knip-report.md
 report-alpha.api.md
 report.api.md

workspaces/scorecard/app-config.yaml

@@ -204,6 +204,18 @@ permission:
       users:
         - name: user:development/guest
 
+# SonarQube configuration (optional - defaults to https://sonarcloud.io, no auth for public projects)
+sonarqube:
+  baseUrl: https://sonarcloud.io
+  apiKey: ${SONARQUBE_TOKEN}
+  instances:
+    - name: internal
+      baseUrl: https://sonarcloud.io
+      apiKey: ${SONARQUBE_INTERNAL_KEY}
+      authType: Basic # optional, defaults to Basic
+    - name: cloud
+      baseUrl: https://sonarcloud.io
+
 # Scorecard development configuration
 scorecard:
   aggregationKPIs:
@@ -249,18 +261,18 @@ scorecard:
         schedule:
           frequency: { minutes: 5 }
           timeout: { minutes: 10 }
-          initialDelay: { seconds: 5 }
+          initialDelay: { seconds: 10 }
     github:
       open_prs:
         schedule:
           frequency: { minutes: 5 }
           timeout: { minutes: 10 }
-          initialDelay: { seconds: 5 }
+          initialDelay: { seconds: 10 }
     filecheck:
       files:
         license: 'LICENSE'
         codeowners: 'CODEOWNERS'
       schedule:
         frequency: { minutes: 5 }
         timeout: { minutes: 10 }
-        initialDelay: { seconds: 5 }
+        initialDelay: { seconds: 10 }

workspaces/scorecard/examples/all-scorecards-location.yaml

@@ -10,5 +10,6 @@ spec:
     - ./components/github-scorecard-only.yaml
     - ./components/jira-scorecard-only.yaml
     - ./components/openssf-scorecard-only.yaml
+    - ./components/sonarqube-scorecard-only.yaml
     - ./components/all-scorecards.yaml
     - ./components/no-scorecards.yaml

workspaces/scorecard/examples/components/sonarqube-scorecard-only.yaml

@@ -0,0 +1,12 @@
+---
+# Component with SonarQube Scorecard only
+apiVersion: backstage.io/v1alpha1
+kind: Component
+metadata:
+  name: sonarqube-scorecard-only
+  annotations:
+    sonarqube.org/project-key: redhat-developer_rhdh-plugins
+spec:
+  type: service
+  owner: group:development/guests
+  lifecycle: experimental

workspaces/scorecard/packages/app-legacy/e2e-tests/scorecard.test.ts

@@ -22,6 +22,7 @@ import {
   mockJiraDrillDownMissingPermission,
   mockMetricsApi,
   mockApiResponse,
+  mockSonarqubeScorecardResponse,
 } from './utils/apiUtils';
 import { CatalogPage } from './pages/CatalogPage';
 import { ScorecardPage } from './pages/ScorecardPage';
@@ -46,6 +47,8 @@ import {
   jiraEntitiesDrillDownResponse,
   jiraEntitiesDrillDownNoDataResponse,
   jiraMetricMetadataResponse,
+  sonarqubeScorecardResponse,
+  sonarqubeFailedQualityGateResponse,
   fileCheckScorecardResponse,
 } from './utils/scorecardResponseUtils';
 import {
@@ -333,6 +336,113 @@ test.describe('Scorecard Plugin Tests', () => {
     });
   });
 
+  test.describe('SonarQube Entity Scorecards', () => {
+    test('Verify all SonarQube metrics display correctly', async ({
+      browser,
+    }, testInfo) => {
+      const sonarqubeMetrics = Object.entries(translations.metric)
+        .filter(([key]) => key.startsWith('sonarqube.'))
+        .map(
+          ([_key, value]) => value as { title: string; description: string },
+        );
+
+      await mockSonarqubeScorecardResponse(page, sonarqubeScorecardResponse);
+
+      await catalogPage.openCatalog();
+      await catalogPage.openComponent('sonarqube-scorecard-only');
+      await page.getByText('Scorecard', { exact: true }).click();
+
+      for (const sonarqubeMetric of sonarqubeMetrics) {
+        await expect(
+          page.getByText(sonarqubeMetric.title, { exact: true }),
+        ).toBeVisible({
+          timeout: 10000,
+        });
+      }
+
+      await runAccessibilityTests(page, testInfo);
+    });
+
+    test('Verify SonarQube metric values', async () => {
+      await mockSonarqubeScorecardResponse(page, sonarqubeScorecardResponse);
+
+      await catalogPage.openCatalog();
+      await catalogPage.openComponent('sonarqube-scorecard-only');
+      await page.getByText('Scorecard', { exact: true }).click();
+
+      await expect(
+        page.getByText(translations.metric['sonarqube.quality_gate'].title),
+      ).toBeVisible({ timeout: 10000 });
+
+      const expectedValues: Record<string, string> = {
+        [translations.metric['sonarqube.open_issues'].title]: '3',
+        [translations.metric['sonarqube.security_rating'].title]: '1',
+        [translations.metric['sonarqube.security_issues'].title]: '0',
+        [translations.metric['sonarqube.security_review_rating'].title]: '1',
+        [translations.metric['sonarqube.security_hotspots'].title]: '2',
+        [translations.metric['sonarqube.reliability_rating'].title]: '1',
+        [translations.metric['sonarqube.reliability_issues'].title]: '0',
+        [translations.metric['sonarqube.maintainability_rating'].title]: '1',
+        [translations.metric['sonarqube.maintainability_issues'].title]: '12',
+        [translations.metric['sonarqube.code_coverage'].title]: '82.5',
+        [translations.metric['sonarqube.code_duplications'].title]: '3.2',
+      };
+
+      for (const [title, value] of Object.entries(expectedValues)) {
+        const card = page
+          .locator('[role="article"]')
+          .filter({ hasText: title })
+          .first();
+        await expect(card).toContainText(value);
+      }
+
+      const qualityGateCard = page
+        .locator('[role="article"]')
+        .filter({
+          hasText: translations.metric['sonarqube.quality_gate'].title,
+        })
+        .first();
+      await expect(
+        qualityGateCard.getByTestId('CheckCircleOutlineIcon'),
+      ).toBeVisible();
+    });
+
+    test('Verify SonarQube quality gate failure state', async () => {
+      await mockSonarqubeScorecardResponse(
+        page,
+        sonarqubeFailedQualityGateResponse,
+      );
+
+      await catalogPage.openCatalog();
+      await catalogPage.openComponent('sonarqube-scorecard-only');
+      await page.getByText('Scorecard', { exact: true }).click();
+
+      await expect(
+        page.getByText(translations.metric['sonarqube.quality_gate'].title),
+      ).toBeVisible({ timeout: 10000 });
+
+      const qualityGateCard = page
+        .locator('[role="article"]')
+        .filter({
+          hasText: translations.metric['sonarqube.quality_gate'].description,
+        })
+        .first();
+      await expect(
+        qualityGateCard.getByTestId('DangerousOutlinedIcon'),
+      ).toBeVisible();
+    });
+
+    test('Verify empty state for sonarqube entity with no metrics', async () => {
+      await mockSonarqubeScorecardResponse(page, emptyScorecardResponse);
+
+      await catalogPage.openCatalog();
+      await catalogPage.openComponent('sonarqube-scorecard-only');
+      await page.getByText('Scorecard', { exact: true }).click();
+
+      await expect(page.getByText(translations.emptyState.title)).toBeVisible();
+    });
+  });
+
   test.describe('Homepage aggregated scorecards', () => {
     test('Verify missing permission on all default homepage scorecard widgets', async () => {
       await mockHomepageAggregationsPermissionDenied(page);