totara
diff --git a/‎.idea/php.xml‎
Lines changed: 1 addition & 0 deletions b/‎.idea/php.xml‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎README.md‎
Lines changed: 76 additions & 0 deletions b/‎README.md‎
Lines changed: 76 additions & 0 deletions
diff --git a/‎src/Standards/Totara/ruleset.xml‎
Lines changed: 99 additions & 0 deletions b/‎src/Standards/Totara/ruleset.xml‎
Lines changed: 99 additions & 0 deletions
@@ -152,3 +152,79 @@ vendor/bin/phpunit
 There is also a pre-commit hook for git to run Code Sniffer on commit.
 
 Check out the [instructions](git-hook) on how to use it.
+
+### SonarQube rule sync
+
+The `tools/` folder contains two files that keep the Totara PHPCS ruleset aligned with the "Totara standards" SonarQube quality profiles:
+
+| File | Purpose |
+|---|---|
+| `tools/sonarqube-phpcs-map.json` | Translation table: every active Sonar rule key → its PHPCS sniff equivalent (or `[]` if no PHPCS equivalent exists). Covers all 4 profiles: PHP (228 rules), JS (403), CSS (27), Web/HTML (53). |
+| `tools/sync-sonarqube-rules.php` | CLI script that reads a Sonar profile export, cross-references the map, and reports which rules are covered, missing, or unmapped. |
+
+These files are **not needed to run PHPCS** — the ruleset works independently. They are maintenance tools: use them when the Sonar profile changes or when you want to audit coverage.
+
+#### Step 1 — Export the SonarQube profile
+
+1. In SonarQube Server, go to **Quality Profiles** (top menu).
+2. Select language **PHP** (or JS / CSS / HTML as needed).
+3. Open the **"Totara standards"** profile.
+4. Click **Actions** (top-right `...`) → **Back up**.
+5. Save the downloaded `.xml` file locally.
+
+#### Step 2 — Run the sync checker
+
+```bash
+cd /path/to/code-sniffer
+
+# Check PHP profile
+php tools/sync-sonarqube-rules.php --profile=/path/to/Totara_standards_php.xml
+
+# Check with explicit map and ruleset paths (all defaults shown)
+php tools/sync-sonarqube-rules.php \
+  --profile=/path/to/Totara_standards_php.xml \
+  --map=tools/sonarqube-phpcs-map.json \
+  --ruleset=src/Standards/Totara/ruleset.xml
+
+# Show help
+php tools/sync-sonarqube-rules.php --help
+```
+
+#### Step 3 — Interpret the output
+
+```
+Sonar rules in profile: 228
+Covered in Totara ruleset: 46       ← enforced by an active PHPCS sniff
+Mapped but missing in ruleset: 2    ← mapped in the JSON but sniff not added to ruleset.xml yet
+Unmapped Sonar rules: 183           ← no PHPCS equivalent exists (security taint, runtime checks, etc.)
+
+Mapped but missing in ruleset:
+  - php:S1234 => Generic.Some.Sniff
+
+Unmapped Sonar rules:
+  - php:S2068
+  - phpsecurity:S2076
+  ...
+```
+
+| Output line | What to do |
+|---|---|
+| **Covered** | Nothing — already enforced by PHPCS. |
+| **Mapped but missing in ruleset** | Add the listed PHPCS sniff ref to `src/Standards/Totara/ruleset.xml`. |
+| **Unmapped** | Either add a mapping in `tools/sonarqube-phpcs-map.json` if a PHPCS sniff exists, or leave as `[]` — these are rules PHPCS architecturally cannot check (security taint analysis, JS/CSS/HTML, deep flow analysis). |
+
+#### Step 4 — Update the map and ruleset
+
+If you find a Sonar rule that has a PHPCS equivalent but is not yet mapped:
+
+1. Open `tools/sonarqube-phpcs-map.json`.
+2. Find the Sonar rule key and replace `[]` with the PHPCS sniff ref string, e.g.:
+   ```json
+   "php:S1234": "Generic.Some.Sniff"
+   ```
+3. Add the sniff to `src/Standards/Totara/ruleset.xml`:
+   ```xml
+   <!-- SonarQube rule coverage (php:S1234) -->
+   <rule ref="Generic.Some.Sniff"/>
+   ```
+4. Re-run the sync script to confirm the rule moves from **Unmapped** to **Covered**.
@@ -189,4 +189,103 @@
     <!-- Other operators are left undefined. -->
     <rule ref="Totara.Operators.OperatorSpacing"/>
 
+    <!-- SonarQube rule coverage (php:S107, php:S110, php:S134, php:S2004) -->
+    <!-- Nesting depth and complexity checks -->
+    <rule ref="Generic.Metrics.NestingLevel">
+        <properties>
+            <property name="nestingLevel" value="5"/>
+            <property name="absoluteNestingLevel" value="10"/>
+        </properties>
+    </rule>
+    <rule ref="Generic.Metrics.CyclomaticComplexity">
+        <!-- php:S3776 Cognitive/cyclomatic complexity -->
+        <properties>
+            <property name="complexity" value="15"/>
+            <property name="absoluteComplexity" value="30"/>
+        </properties>
+    </rule>
+
+    <!-- SonarQube rule coverage (php:S1068, php:S1172) -->
+    <!-- Unused parameters -->
+    <rule ref="Generic.CodeAnalysis.UnusedFunctionParameter"/>
+
+    <!-- SonarQube rule coverage (php:S1116) -->
+    <!-- Empty PHP statements (;;) -->
+    <rule ref="Generic.CodeAnalysis.EmptyPHPStatement"/>
+
+    <!-- SonarQube rule coverage (php:S1186, php:S905) -->
+    <!-- Empty catch/if/else bodies -->
+    <rule ref="Generic.CodeAnalysis.EmptyStatement"/>
+
+    <!-- SonarQube rule coverage (php:S1121) -->
+    <!-- Assignment in condition -->
+    <rule ref="Generic.CodeAnalysis.AssignmentInCondition"/>
+
+    <!-- SonarQube rule coverage (php:S1145) -->
+    <!-- if (true) / if (false) unconditional -->
+    <rule ref="Generic.CodeAnalysis.UnconditionalIfStatement"/>
+
+    <!-- SonarQube rule coverage (php:S1185) -->
+    <!-- Useless overriding methods that just call parent -->
+    <rule ref="Generic.CodeAnalysis.UselessOverridingMethod"/>
+
+    <!-- SonarQube rule coverage (php:S1110) -->
+    <!-- Unnecessary parentheses -->
+    <rule ref="Generic.WhiteSpace.ArbitraryParenthesesSpacing"/>
+
+    <!-- SonarQube rule coverage (php:S1134) -->
+    <!-- FIXME comments -->
+    <rule ref="Generic.Commenting.Fixme"/>
+
+    <!-- SonarQube rule coverage (php:S1135) -->
+    <!-- TODO comments -->
+    <rule ref="Generic.Commenting.Todo"/>
+
+    <!-- SonarQube rule coverage (php:S125) -->
+    <!-- Commented-out code -->
+    <rule ref="Squiz.PHP.CommentedOutCode">
+        <properties>
+            <property name="maxPercentage" value="35"/>
+        </properties>
+    </rule>
+
+    <!-- SonarQube rule coverage (php:S1763, php:S881) -->
+    <!-- Dead/non-executable code after return/throw/etc -->
+    <rule ref="Squiz.PHP.NonExecutableCode"/>
+
+    <!-- SonarQube rule coverage (php:S139) -->
+    <!-- Inline comments after statements -->
+    <rule ref="Squiz.Commenting.PostStatementComment"/>
+
+    <!-- SonarQube rule coverage (php:S1788) -->
+    <!-- Default parameter values must not follow non-default params -->
+    <rule ref="PEAR.Functions.ValidDefaultValue"/>
+
+    <!-- SonarQube rule coverage (php:S907) -->
+    <!-- Discourage goto -->
+    <rule ref="Generic.PHP.DiscourageGoto"/>
+
+    <!-- SonarQube rule coverage (php:S2068) -->
+    <!-- No hardcoded credentials / passwords in code -->
+    <rule ref="Generic.PHP.ForbiddenFunctions"/>
+
+    <!-- SonarQube rule coverage (php:S1192) -->
+    <!-- Unnecessary string concatenation -->
+    <rule ref="Generic.Strings.UnnecessaryStringConcat"/>
+
+    <!-- SonarQube rule coverage (php:S1301) -->
+    <!-- Single-case switch statements -->
+    <rule ref="Generic.CodeAnalysis.JumbledIncrementer"/>
+
+    <!-- SonarQube rule coverage (php:S1155, php:S3699) -->
+    <!-- Duplicate class names -->
+    <rule ref="Generic.Classes.DuplicateClassName"/>
+
+    <!-- SonarQube rule coverage (php:S2612) -->
+    <!-- No silenced errors (@) -->
+    <rule ref="Generic.PHP.NoSilencedErrors"/>
+
+    <!-- Git merge conflicts left in code -->
+    <rule ref="Generic.VersionControl.GitMergeConflict"/>
+
 </ruleset>