Fixes #1285

Author: okorach

doc/sonar-audit.md

@@ -121,6 +121,10 @@ sonar-audit --what projects -f projectsAudit.csv --csvSeparator ';'
     - More than `audit.projects.permissions.maxAdminGroups` groups with project admin permission (default 2)
     - `sonar-users` group with elevated project permissions
     - `Anyone` group with any project permissions
+    - No projectKeyPattern for a template that is not a default
+    - Suspicious projectKeyPattern (a pattern that is likely to not select more than 1 key) for instance:
+      - `my_favorite_project` (no `.` in pattern)
+      - `BUXXXX-*` (Likely confusion between wildcards and regexp)
 - DB Cleaner: (if `audit.globalSettings = yes`, default `yes`)
   - Delay to delete inactive short lived branches (7.9) or branches (8.0+) not between 10 and 60 days
   - Delay to delete closed issues not between 10 and 60 days

sonar/audit/rules.json

@@ -19,6 +19,16 @@
         "type": "OPERATIONS",
         "message": "{} has no user or group with admin permission"
     },
+    "TEMPLATE_WITH_NO_PATTERN": {
+        "severity": "MEDIUM",
+        "type": "OPERATIONS",
+        "message": "{} is not a default and has no projectKetPattern defined, it will never be used"
+    },
+    "TEMPLATE_WITH_SUSPICIOUS_PATTERN": {
+        "severity": "HIGH",
+        "type": "OPERATIONS",
+        "message": "{} has a suspicious projectKeyPattern '{}'. It should be a regexp that may match several keys"
+    },
     "DUBIOUS_GLOBAL_SETTING": {
         "severity": "HIGH",
         "type": "BAD_PRACTICE",

sonar/audit/rules.py

@@ -163,6 +163,9 @@ class RuleId(enum.Enum):
 
     GROUP_EMPTY = 5200
 
+    TEMPLATE_WITH_NO_PATTERN = 5300
+    TEMPLATE_WITH_SUSPICIOUS_PATTERN = 5301
+
     ERROR_IN_LOGS = 6000
     WARNING_IN_LOGS = 6001
     DEPRECATION_WARNINGS = 6002

sonar/permissions/permission_templates.py

@@ -21,13 +21,15 @@
 from __future__ import annotations
 
 import json
+import re
 from requests.exceptions import HTTPError
 
 import sonar.logging as log
 from sonar.util import types
 from sonar import sqobject, utilities
 from sonar.permissions import template_permissions
 import sonar.platform as pf
+from sonar.audit.rules import get_rule, RuleId
 import sonar.audit.problem as pb
 
 _OBJECTS = {}
@@ -176,9 +178,23 @@ def to_json(self, export_settings: types.ConfigSettings = None) -> types.ObjectJ
         json_data["lastUpdate"] = utilities.date_to_string(self.last_update)
         return utilities.remove_nones(utilities.filter_export(json_data, _IMPORTABLE_PROPERTIES, export_settings.get("FULL_EXPORT", False)))
 
+    def _audit_pattern(self, audit_settings: types.ConfigSettings) -> list[pb.Problem]:
+        log.debug("Auditing %s projectKeyPattern ('%s')", str(self.project_key_pattern))
+        if not self.project_key_pattern or self.project_key_pattern == "":
+            if not (self.is_applications_default() or self.is_portfolios_default() or self.is_projects_default()):
+                return [pb.Problem(get_rule(RuleId.TEMPLATE_WITH_NO_PATTERN), self, str(self))]
+        else:
+            # Inspect regexp to detect suspicious pattern - Can't determine all bad cases but do our best
+            # Currently detecting:
+            # - Absence of '.' in the regexp
+            # - '*' not preceded by '.' (confusion between wildcard and regexp)
+            if not re.search(r"(^|[^\\])\.", self.project_key_pattern) or re.search(r"(^|[^.])\*", self.project_key_pattern):
+                return [pb.Problem(get_rule(RuleId.TEMPLATE_WITH_SUSPICIOUS_PATTERN), self, str(self), self.project_key_pattern)]
+        return []
+
     def audit(self, audit_settings: types.ConfigSettings) -> list[pb.Problem]:
         log.debug("Auditing %s", str(self))
-        return self.permissions().audit(audit_settings)
+        return self._audit_pattern(audit_settings) + self.permissions().audit(audit_settings)
 
 
 def get_object(endpoint: pf.Platform, name: str) -> PermissionTemplate: