Merge pull request #774 from NASA-AMMOS/sonarcloud_action

jl-0 · web-flow · commit f25e362e580e · 2025-10-16T14:20:08.000-05:00
Including Updated Security Scan Config
diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
@@ -0,0 +1,57 @@
+name: Security-Scan
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - development
+      - sonarcloud_action
+jobs:
+  sonarqube:
+    name: SonarQube
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
+      - name: Extract version from package.json
+        id: package_version
+        run: |
+          VERSION=$(node -p "require('./package.json').version")
+          echo "VERSION=$VERSION" >> $GITHUB_ENV
+          echo "Extracted version: $VERSION"
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          queries: security-and-quality, security-extended
+      - name: CodeQL Scan
+        uses: github/codeql-action/analyze@v3
+      - name: Post-Process CodeQL
+        run: |
+          python3 -m pip install nasa-scrub
+
+          results_dir=`realpath ${{ github.workspace }}/../results`
+          sarif_files=`find $results_dir -name '*.sarif'`
+
+          for sarif_file in $sarif_files
+          do
+            output_file="$results_dir/$(basename $sarif_file .sarif)_stripped.sarif"
+
+            python3 -m scrub.tools.parsers.translate_results $sarif_file $output_file ${{ github.workspace }} sarifv2.1.0
+          done
+
+          echo "RESULTS_DIR=$results_dir" >> $GITHUB_ENV
+          echo "Results generated: "
+          echo $results_dir
+
+          # Create comma-separated list of SARIF files for SonarQube
+          sarif_list=$(find $results_dir -name '*_stripped.sarif' | tr '\n' ',' | sed 's/,$//')
+          echo "SARIF_FILES=$sarif_list" >> $GITHUB_ENV
+      - name: SonarQube Scan
+        uses: SonarSource/sonarqube-scan-action@v6
+        env:
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+        with:
+          projectBaseDir: .
+          args: >
+            -Dsonar.sarifReportPaths=${{ env.SARIF_FILES }}
+            -Dsonar.projectVersion=${{ env.VERSION }}
diff --git a/sonar-project.properties b/sonar-project.properties
@@ -0,0 +1,163 @@
+# SonarCloud Configuration for MMGIS
+sonar.projectKey=NASA-AMMOS_MMGIS
+sonar.organization=nasa-ammos
+
+# Project metadata - will be overridden by workflow
+sonar.projectName=MMGIS
+sonar.projectVersion=4.1.0
+sonar.projectDescription=Multi-Mission Geographic Information System - A web-based mapping and localization solution for science operation on planetary missions.
+
+# Project links - shown in SonarQube UI
+sonar.links.homepage=https://nasa-ammos.github.io/MMGIS/
+sonar.links.scm=https://github.com/NASA-AMMOS/MMGIS
+sonar.links.issue=https://github.com/NASA-AMMOS/MMGIS/issues
+sonar.links.ci=https://github.com/NASA-AMMOS/MMGIS/actions
+
+# Source directories to analyze
+# Note: 'public' directory excluded from sources to reduce LOC - contains mostly static assets (SVGs, images, config files)
+# Note: 'auxiliary' directory excluded from sources - contains standalone utility scripts, not server code
+sonar.sources=src,API,scripts,views,configure
+# Note: sonar.tests is not set because test files are intermixed with source files.
+# Test files are excluded via sonar.test.exclusions patterns below.
+
+# Exclude patterns to reduce lines of code analyzed
+sonar.exclusions=\
+  **/node_modules/**,\
+  **/build/**,\
+  **/dist/**,\
+  **/coverage/**,\
+  **/playwright-report/**,\
+  **/test-results/**,\
+  **/*.min.js,\
+  **/*.min.css,\
+  **/config/js/jquery*.js,\
+  **/config/js/materialize.min.js,\
+  **/config/js/papaparse.min.js,\
+  **/config/js/codemirror/**,\
+  **/vendor/**,\
+  **/vendors/**,\
+  **/third_party/**,\
+  **/Missions/**,\
+  **/__pycache__/**,\
+  **/sessions/**,\
+  **/.venv*/**,\
+  **/data/**,\
+  **/logs/**,\
+  **/*.log,\
+  **/*.svg,\
+  **/*.json,\
+  **/.DS_Store,\
+  **/.vscode/**,\
+  **/.git/**,\
+  **/documentation/**,\
+  **/docs/**,\
+  **/public/**,\
+  **/auxiliary/**,\
+  **/config/**,\
+  **/images/**,\
+  **/fonts/**
+
+# Test exclusions
+sonar.test.exclusions=\
+  **/*.spec.js,\
+  **/*.test.js,\
+  **/*.spec.jsx,\
+  **/*.test.jsx,\
+  **/*.spec.ts,\
+  **/*.test.ts,\
+  **/*.spec.tsx,\
+  **/*.test.tsx,\
+  **/test/**,\
+  **/tests/**,\
+  **/__tests__/**,\
+  **/playwright-report/**,\
+  **/test-results/**
+
+# Coverage exclusions - don't analyze coverage for these
+sonar.coverage.exclusions=\
+  **/*.spec.js,\
+  **/*.test.js,\
+  **/*.spec.jsx,\
+  **/*.test.jsx,\
+  **/test/**,\
+  **/tests/**,\
+  **/__tests__/**,\
+  **/configuration/**,\
+  **/*.config.js,\
+  **/*.config.ts,\
+  **/scripts/**
+
+# Duplication exclusions - ignore generated or vendor code
+sonar.cpd.exclusions=\
+  **/*.min.js,\
+  **/config/js/**,\
+  **/vendor/**
+
+# Language-specific settings
+sonar.javascript.file.suffixes=.js,.jsx
+sonar.typescript.file.suffixes=.ts,.tsx
+sonar.python.version=3.8,3.9,3.10,3.11
+
+# Code analysis settings
+sonar.sourceEncoding=UTF-8
+
+# Component tags for categorization and filtering in SonarQube UI
+sonar.tags=gis,mapping,planetary,nasa,web-app,geospatial,react,nodejs,postgres
+
+# New Code definition - consider code new if added in last 30 days
+sonar.leak.period=30
+
+# Import external reports - will be set by workflow
+# sonar.sarifReportPaths will be provided by GitHub Actions workflow
+
+# ==========================================
+# LOC Optimization Notes
+# ==========================================
+# To stay within SonarCloud organization LOC limits, this configuration excludes:
+# - public/ directory: ~130k LOC of SVG patterns, static assets, and config files
+# - auxiliary/ directory: Standalone utility scripts for users (GDAL tiling, etc.) - not server code
+# - All SVG files: Geologic patterns and icons (not meaningful for code analysis)
+# - All JSON files: Configuration and data files (not executable code)
+# - Image and font directories: Binary/generated assets
+#
+# Estimated LOC after exclusions: ~273k (down from ~475k total)
+# This focuses analysis on MMGIS application code: src/, API/, scripts/, views/, configure/
+
+# ==========================================
+# Component Organization for Issue Attribution
+# ==========================================
+# While SonarQube/SonarCloud no longer uses sonar.modules for multi-module projects,
+# issues are automatically organized by file path. The structure below documents
+# the logical organization of MMGIS for reference:
+#
+# FRONTEND COMPONENTS (src/)
+#   - src/essence/         : Core frontend engine (map, globe, tools, UI framework)
+#   - src/essence/Tools/   : Interactive tools (Draw, Measure, Chemistry, etc.)
+#   - src/essence/Basics/  : Core UI components and utilities
+#   - src/essence/Ancillary: Supporting UI modules
+#   - src/pre/             : Pre-initialization scripts
+#   - src/external/        : Third-party integrations
+#
+# BACKEND COMPONENTS (API/)
+#   - API/Backend/Config/  : Mission configuration management
+#   - API/Backend/Draw/    : Multi-user vector drawing backend
+#   - API/Backend/Geodatasets/: Geospatial dataset management
+#   - API/Backend/Users/   : User authentication and authorization
+#   - API/Backend/Webhooks/: External service integrations
+#   - API/Backend/Stac/    : SpatioTemporal Asset Catalog integration
+#
+# CONFIGURATION SITE (configure/)
+#   - configure/src/       : Admin configuration interface (React app)
+#
+# BUILD & DEPLOYMENT (scripts/)
+#   - scripts/             : Build tools, server initialization, database setup
+#
+# VIEWS & TEMPLATES (views/)
+#   - views/              : Server-side Pug templates
+#
+# EXCLUDED FROM ANALYSIS:
+#   - auxiliary/          : Standalone Python utilities (not server code)
+#   - public/             : Static assets (SVGs, images, fonts)
+#
+# Issues in SonarQube will be automatically grouped by these directory paths,
+# making it easy to identify which component needs attention.
