git-repo-analyzer-test 1.0.0

package/src/sonarcloud/client.js

@@ -0,0 +1,365 @@
+/**
+ * SonarCloud API Client (free plan compatible).
+ *
+ * SonarCloud free plan does NOT expose a single "Overall Code" dashboard API.
+ * We use only what is available:
+ *   1. GET api/qualitygates/project_status?projectKey=...  → overall PASS/FAIL + conditions
+ *   2. GET api/measures/component?component=...&metricKeys=...  → individual metrics
+ *   3. GET api/issues/search (optional) → issues list
+ *
+ * We combine (1) + (2) into our own "Overall Summary" for the UI.
+ * Base URL from SONARCLOUD_HOST env.
+ * @see https://docs.sonarsource.com/sonarcloud/advanced-setup/web-api/
+ */
+
+import axios from 'axios';
+import { config } from '../config.js';
+
+const SONARCLOUD_BASE = config.sonarcloudHost || 'https://sonarcloud.io';
+
+/** Metric keys documented as accessible on SonarCloud free plan (for measures/component). */
+export const FREE_TIER_METRIC_KEYS = [
+  'ncloc',
+  'bugs',
+  'vulnerabilities',
+  'code_smells',
+  'coverage',
+  'duplicated_lines_density',
+];
+
+/** True if value looks like a token/hash (don't use as project key or org). */
+function looksLikeToken(value) {
+  if (!value || typeof value !== 'string') return true;
+  const s = value.trim();
+  if (s.length < 10) return false;
+  if (/^[a-f0-9]{32,64}$/i.test(s)) return true; // hex token/hash
+  if (/^[a-zA-Z0-9_-]{40,}$/.test(s) && !s.includes('_') && !/^[a-z0-9]+_[a-z0-9-]+$/i.test(s)) return true; // long token, not org_repo
+  return false;
+}
+
+function normalizeToken(val) {
+  if (val == null || typeof val !== 'string') return '';
+  return val.replace(/^["'\s]+|["'\s]+$/g, '').trim();
+}
+
+export class SonarCloudClient {
+  constructor(token) {
+    this.token = normalizeToken(token || config.sonarToken);
+    const useBasicAuth = /^(true|1|yes)$/i.test((process.env.SONAR_USE_BASIC_AUTH || '').trim());
+    const headers = { 'Content-Type': 'application/json' };
+    if (this.token) {
+      if (useBasicAuth) {
+        headers.Authorization = 'Basic ' + Buffer.from(this.token + ':', 'utf8').toString('base64');
+      } else {
+        headers.Authorization = 'Bearer ' + this.token;
+      }
+    }
+    this.client = axios.create({
+      baseURL: SONARCLOUD_BASE,
+      headers,
+      timeout: 15000,
+    });
+  }
+
+  /**
+   * Derive SonarCloud project key from SONAR_ORGANIZATION + repo (from Git URL).
+   * No need to set SONAR_PROJECT_KEY in .env when org and repo are known.
+   * Format: {organization}_{repo} (e.g. jitendra1608-rws_vulnerable-node).
+   */
+  getDerivedProjectKey(owner, repo) {
+    const org = (config.sonarOrgKey && !looksLikeToken(config.sonarOrgKey))
+      ? config.sonarOrgKey
+      : owner;
+    const organization = org.trim().toLowerCase();
+    const repoSafe = (repo || '').replace(/\//g, '-').trim();
+    return `${organization}_${repoSafe}` || organization;
+  }
+
+  /**
+   * Get list of project key candidates to try (for fallback when one 404s).
+   * Puts derived key (SONAR_ORGANIZATION + repo) first so no SONAR_PROJECT_KEY is required.
+   */
+  getProjectKeyCandidates(owner, repo) {
+    const derived = this.getDerivedProjectKey(owner, repo);
+    const org = (config.sonarOrgKey && !looksLikeToken(config.sonarOrgKey))
+      ? config.sonarOrgKey
+      : owner;
+    const orgLower = org.trim().toLowerCase();
+    const ownerSafe = owner.replace(/\//g, '-');
+    const repoSafe = repo.replace(/\//g, '-');
+    const fullSlug = `${ownerSafe}_${repoSafe}`.replace(/-/g, '_');
+    const fullSlugHyphen = `${ownerSafe}-${repoSafe}`;
+    const candidates = [
+      derived,
+      `${orgLower}_${repoSafe}`,
+      `${orgLower}-${repoSafe}`,
+      `${orgLower}_${fullSlug}`,
+      `${orgLower}_${fullSlugHyphen}`,
+      `${orgLower}_${ownerSafe}_${repoSafe}`,
+      `${orgLower}_${ownerSafe}-${repoSafe}`,
+      `${owner}_${repo}`.replace(/\//g, '-'),
+      `${owner}-${repo}`.replace(/\//g, '-'),
+    ];
+    const explicitKey = config.sonarProjectKey || process.env.SONAR_PROJECT_KEY;
+    if (explicitKey && !looksLikeToken(explicitKey) && !candidates.includes(explicitKey)) {
+      candidates.unshift(explicitKey);
+    }
+    return [...new Set(candidates)];
+  }
+
+  /**
+   * Resolve SonarCloud project key from GitHub owner/repo.
+   * Uses SONAR_ORGANIZATION + repo to derive key (no SONAR_PROJECT_KEY required). Falls back to search API if needed.
+   */
+  async resolveProjectKey(owner, repo) {
+    if (config.sonarOrgKey && !looksLikeToken(config.sonarOrgKey)) {
+      return this.getDerivedProjectKey(owner, repo);
+    }
+    const explicitKey = config.sonarProjectKey || process.env.SONAR_PROJECT_KEY;
+    if (explicitKey && !looksLikeToken(explicitKey)) return explicitKey;
+
+    const org = (config.sonarOrgKey && !looksLikeToken(config.sonarOrgKey))
+      ? config.sonarOrgKey
+      : owner;
+    const orgLower = org.trim().toLowerCase();
+    const candidateKeys = this.getProjectKeyCandidates(owner, repo);
+
+    if (!this.token) return candidateKeys[0];
+
+    const ownerRepoSlug = `${owner}/${repo}`.toLowerCase();
+    const repoLower = repo.toLowerCase();
+    const ownerLower = owner.toLowerCase();
+    const findMatch = (projects) =>
+      projects.find(
+        (p) =>
+          p.key === `${orgLower}_${repo}`.replace(/\//g, '-') ||
+          p.key === `${orgLower}-${repo}`.replace(/\//g, '-') ||
+          p.name?.toLowerCase() === repoLower ||
+          p.key?.toLowerCase().endsWith(repoLower.replace(/\//g, '-')) ||
+          p.key?.toLowerCase().endsWith(repoLower.replace(/\//g, '_'))
+      ) ||
+      projects.find(
+        (p) =>
+          (p.name && p.name.toLowerCase().includes(ownerRepoSlug)) ||
+          (p.name && p.name.toLowerCase().includes(ownerLower) && p.name.toLowerCase().includes(repoLower)) ||
+          (p.key && p.key.toLowerCase().includes(ownerLower) && p.key.toLowerCase().includes(repoLower.replace(/\//g, '-')))
+      );
+
+    for (const orgParam of [org.trim(), orgLower].filter((v, i, a) => a.indexOf(v) === i)) {
+      try {
+        const { data } = await this.client.get('/api/projects/search', {
+          params: { organization: orgParam },
+        });
+        const projects = data?.components || [];
+        const match = findMatch(projects);
+        if (match) return match.key;
+      } catch (_) {}
+    }
+
+    // Try each candidate with a lightweight API call; return first that exists
+    for (const key of candidateKeys) {
+      try {
+        await this.client.get('/api/measures/component', {
+          params: { component: key, metricKeys: 'ncloc' },
+        });
+        return key;
+      } catch (_) {
+        // 404 or other – try next
+      }
+    }
+    return candidateKeys[0];
+  }
+
+  /**
+   * Search projects in an organization (to find exact key after a scan).
+   * @param {string} organization - SonarCloud organization key
+   * @returns {Promise<Array<{key: string, name: string}>>}
+   */
+  async searchProjects(organization) {
+    try {
+      const { data } = await this.client.get('/api/projects/search', {
+        params: { organization },
+      });
+      return data?.components || [];
+    } catch (_) {
+      return [];
+    }
+  }
+
+  /**
+   * Fetch component measures (metrics) for a project.
+   * @param {string} projectKey - SonarCloud project key
+   * @param {string[]} metricKeys - e.g. ncloc, bugs, vulnerabilities, code_smells, quality_gate_status
+   * @param {string|null} [branch] - Optional branch (e.g. main, master); required for many SonarCloud projects
+   * @throws Error with response status on err.response.status (e.g. 401, 404) for caller to handle
+   */
+  async getMeasures(projectKey, metricKeys, branch = null) {
+    const keys = metricKeys.join(',');
+    const params = { component: projectKey, metricKeys: keys };
+    if (branch) params.branch = branch;
+    try {
+      const { data } = await this.client.get('/api/measures/component', { params });
+      return data;
+    } catch (err) {
+      const status = err.response?.status;
+      const message = err.response?.data?.message || err.message;
+      const e = new Error(message || `Request failed with status ${status}`);
+      e.responseStatus = status;
+      e.responseData = err.response?.data;
+      throw e;
+    }
+  }
+
+  /**
+   * Fetch measures without authentication (for public projects). Optionally pass branch.
+   */
+  async getMeasuresWithoutAuth(projectKey, metricKeys, branch = null) {
+    const keys = metricKeys.join(',');
+    const params = { component: projectKey, metricKeys: keys };
+    if (branch) params.branch = branch;
+    try {
+      const { data } = await axios.get(SONARCLOUD_BASE + '/api/measures/component', {
+        params,
+        headers: { 'Content-Type': 'application/json' },
+        timeout: 15000,
+      });
+      return data;
+    } catch (err) {
+      const e = new Error(err.response?.data?.message || err.message);
+      e.responseStatus = err.response?.status;
+      throw e;
+    }
+  }
+
+  /**
+   * Try getMeasures with a specific auth type (Bearer or Basic). Optionally pass branch (e.g. main, master).
+   */
+  async getMeasuresWithAuth(projectKey, metricKeys, useBasic, branch = null) {
+    const keys = metricKeys.join(',');
+    const headers = { 'Content-Type': 'application/json' };
+    if (this.token) {
+      headers.Authorization = useBasic
+        ? 'Basic ' + Buffer.from(this.token + ':', 'utf8').toString('base64')
+        : 'Bearer ' + this.token;
+    }
+    const params = { component: projectKey, metricKeys: keys };
+    if (branch) params.branch = branch;
+    try {
+      const { data } = await axios.get(SONARCLOUD_BASE + '/api/measures/component', {
+        params,
+        headers,
+        timeout: 15000,
+      });
+      return data;
+    } catch (err) {
+      const status = err.response?.status;
+      const message = err.response?.data?.message || err.message;
+      const e = new Error(message || `Request failed with status ${status}`);
+      e.responseStatus = status;
+      throw e;
+    }
+  }
+
+  /**
+   * Fetch quality gate status for a project. Optional branch (e.g. main, master).
+   */
+  async getQualityGateStatus(projectKey, branch = null) {
+    try {
+      const params = { projectKey };
+      if (branch) params.branch = branch;
+      const { data } = await this.client.get('/api/qualitygates/project_status', { params });
+      return data;
+    } catch (err) {
+      if (err.response?.status === 404) return null;
+      throw err;
+    }
+  }
+
+  /**
+   * Free-plan compatible: fetch Quality Gate status + core metrics only.
+   * Combines api/qualitygates/project_status and api/measures/component (FREE_TIER_METRIC_KEYS).
+   * Use this to build our own "Overall Summary" for the UI (no "Overall Code" API on free plan).
+   * @param {string} projectKey
+   * @param {string|null} [branch] - e.g. 'master', 'main'
+   * @returns {{ qualityGate: object|null, measures: object|null }} Raw API responses or null on failure
+   */
+  async fetchQualityGateAndMeasures(projectKey, branch = null) {
+    const params = { projectKey };
+    if (branch) params.branch = branch;
+    const metricKeys = FREE_TIER_METRIC_KEYS.join(',');
+    const measureParams = { component: projectKey, metricKeys };
+    if (branch) measureParams.branch = branch;
+    try {
+      const [qgRes, measuresRes] = await Promise.all([
+        this.client.get('/api/qualitygates/project_status', { params }).catch(() => ({ data: null })),
+        this.client.get('/api/measures/component', { params: measureParams }).catch(() => ({ data: null })),
+      ]);
+      return {
+        qualityGate: qgRes.data?.projectStatus ? qgRes.data : null,
+        measures: measuresRes.data?.component?.measures || [],
+      };
+    } catch (_) {
+      return { qualityGate: null, measures: null };
+    }
+  }
+
+  /**
+   * Fetch issues (bugs, vulnerabilities, code smells) for a project. Optional branch. ps: page size (default 100).
+   */
+  async getIssues(projectKey, options = {}) {
+    const { ps = 100, types = 'BUG,VULNERABILITY,CODE_SMELL', branch = null } = options;
+    try {
+      const params = {
+        componentKeys: projectKey,
+        ps,
+        types,
+        resolved: 'false',
+      };
+      if (branch) params.branch = branch;
+      const { data } = await this.client.get('/api/issues/search', { params });
+      return data;
+    } catch (err) {
+      if (err.response?.status === 404) return { issues: [], total: 0 };
+      throw err;
+    }
+  }
+
+  /**
+   * Set project visibility to public so the report can be viewed without login and API can fetch metrics.
+   * Call after a scan so newly created projects are public by default.
+   */
+  async updateProjectVisibility(projectKey, visibility = 'public') {
+    if (!this.token) return;
+    try {
+      await this.client.post(
+        '/api/projects/update_visibility',
+        new URLSearchParams({ project: projectKey, visibility }).toString(),
+        { headers: { 'Content-Type': 'application/x-www-form-urlencoded' } }
+      );
+    } catch (_) {
+      // Ignore (e.g. project not found yet, or no permission)
+    }
+  }
+
+  /**
+   * Create SonarCloud project via REST API if it doesn't exist.
+   */
+  async createProject(projectKey, name, organization) {
+    if (!this.token) return;
+    try {
+      await this.client.post(
+        '/api/projects/create',
+        new URLSearchParams({
+          project: projectKey,
+          name: name || projectKey,
+          organization: (organization || config.sonarOrgKey || '').trim().toLowerCase(),
+        }).toString(),
+        { headers: { 'Content-Type': 'application/x-www-form-urlencoded' } }
+      );
+    } catch (err) {
+      if (err.response?.status !== 400 && !/already exists/i.test(String(err.response?.data || err.message))) throw err;
+    }
+  }
+}
+
+export default SonarCloudClient;

package/src/sonarcloud/scanner.js

@@ -0,0 +1,171 @@
+/**
+ * SonarCloud Scanner – clone a Git repo and run SonarScanner (@sonar/scan) to analyze it on SonarCloud.
+ * Uses a persistent clone cache: if repo already cloned, pull latest and run scan; otherwise clone then scan.
+ * Runs the scanner via child_process so we can capture the real error output from SonarCloud.
+ * Uses the local node_modules scanner (not npx) to avoid ENOENT on missing %AppData%\npm.
+ */
+
+import { spawn } from 'child_process';
+import path from 'path';
+import fs from 'fs';
+import os from 'os';
+import { createRequire } from 'module';
+import { simpleGit } from 'simple-git';
+
+const require = createRequire(import.meta.url);
+/** Resolved path to @sonar/scan bin script, or null if not installed. */
+let scannerScriptPath = null;
+try {
+  scannerScriptPath = require.resolve('@sonar/scan/bin/sonar-scanner.js');
+} catch (_) {}
+
+const SONARCLOUD_URL = 'https://sonarcloud.io';
+const CLONE_DEPTH = 1; // shallow clone for speed
+
+/** Cache root for cloned repos. WORK_DIR or SONAR_REPO_CACHE, else platform temp. */
+export function getCacheRoot() {
+  const base = (process.env.WORK_DIR || process.env.SONAR_REPO_CACHE || '').trim()
+    || path.join(os.tmpdir(), 'scans');
+  return path.resolve(base);
+}
+
+/**
+ * Derive a filesystem-safe cache key from repo URL (e.g. owner_repo).
+ * @param {string} repoUrl - e.g. https://github.com/owner/repo
+ * @returns {string}
+ */
+export function getCacheKeyFromUrl(repoUrl) {
+  const normalized = repoUrl.replace(/\.git$/i, '').trim().replace(/^https?:\/\//, '');
+  const parts = normalized.split('/').filter(Boolean);
+  const lastTwo = parts.slice(-2);
+  if (lastTwo.length < 2) return normalized.replace(/[^a-zA-Z0-9._-]/g, '_');
+  return lastTwo.join('_').replace(/[^a-zA-Z0-9._-]/g, '_');
+}
+
+/**
+ * Get existing clone or clone repo into cache. If already cloned, pull latest.
+ * @param {string} repoUrl - e.g. https://github.com/owner/repo or https://github.com/owner/repo.git
+ * @param {string} [cacheKey] - optional, otherwise derived from repoUrl
+ * @returns {Promise<string>} Path to the repo directory (cached)
+ */
+export async function getOrCloneRepository(repoUrl, cacheKey) {
+  const normalized = repoUrl.replace(/\.git$/i, '').trim();
+  if (!normalized.includes('github.com') && !normalized.includes('gitlab.com') && !normalized.includes('bitbucket')) {
+    throw new Error('Only GitHub/GitLab/Bitbucket URLs are supported for clone.');
+  }
+  const key = (cacheKey || getCacheKeyFromUrl(repoUrl)).replace(/[^a-zA-Z0-9._-]/g, '_');
+  const cacheRoot = getCacheRoot();
+  const dir = path.join(cacheRoot, key);
+  fs.mkdirSync(cacheRoot, { recursive: true });
+
+  const gitDir = path.join(dir, '.git');
+  if (fs.existsSync(dir) && fs.existsSync(gitDir)) {
+    const git = simpleGit(dir);
+    try {
+      await git.pull();
+    } catch (e) {
+      console.warn('SonarCloud cache: git pull failed (using existing clone):', e?.message || e);
+    }
+    return dir;
+  }
+
+  if (fs.existsSync(dir)) {
+    try {
+      fs.rmSync(dir, { recursive: true, force: true });
+    } catch (_) {}
+  }
+  fs.mkdirSync(dir, { recursive: true });
+  const git = simpleGit();
+  await git.clone(normalized + '.git', dir, ['--depth', String(CLONE_DEPTH)]);
+  return dir;
+}
+
+/**
+ * Clone a public Git repo to a temporary directory (one-off, not cached).
+ * @param {string} repoUrl - e.g. https://github.com/owner/repo or https://github.com/owner/repo.git
+ * @returns {Promise<string>} Path to the cloned repo
+ */
+export async function cloneRepository(repoUrl) {
+  const normalized = repoUrl.replace(/\.git$/i, '').trim();
+  if (!normalized.includes('github.com') && !normalized.includes('gitlab.com') && !normalized.includes('bitbucket')) {
+    throw new Error('Only GitHub/GitLab/Bitbucket URLs are supported for clone.');
+  }
+  const dir = path.join(os.tmpdir(), `sonar-scan-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`);
+  fs.mkdirSync(dir, { recursive: true });
+  const git = simpleGit();
+  await git.clone(normalized + '.git', dir, ['--depth', String(CLONE_DEPTH)]);
+  return dir;
+}
+
+/**
+ * Run SonarScanner via npx so we capture real stderr/stdout from SonarCloud.
+ * Writes sonar-project.properties and runs npx @sonar/scan with SONAR_TOKEN in env.
+ */
+export function runSonarScan(projectDir, { projectKey, projectName, organization, token }) {
+  const propsPath = path.join(projectDir, 'sonar-project.properties');
+  const props = [
+    `sonar.host.url=${SONARCLOUD_URL}`,
+    `sonar.organization=${organization}`,
+    `sonar.projectKey=${projectKey}`,
+    `sonar.projectName=${projectName || projectKey}`,
+    'sonar.sources=.',
+  ].join('\n');
+  fs.writeFileSync(propsPath, props, 'utf8');
+
+  const env = {
+    ...process.env,
+    SONAR_TOKEN: token || '',
+    SONAR_ORGANIZATION: organization,
+  };
+
+  // Run the scanner from local node_modules with Node (avoids npx and missing %AppData%\npm on Windows).
+  const useLocalScanner = !!scannerScriptPath;
+  const cmd = useLocalScanner ? process.execPath : 'npx';
+  const args = useLocalScanner ? [scannerScriptPath] : ['@sonar/scan'];
+  const spawnOpts = {
+    cwd: projectDir,
+    env,
+    stdio: ['ignore', 'pipe', 'pipe'],
+  };
+  if (!useLocalScanner && process.platform === 'win32') {
+    spawnOpts.shell = true; // so npx.cmd is found on Windows
+  }
+
+  return new Promise((resolve, reject) => {
+    const child = spawn(cmd, args, spawnOpts);
+    let stdout = '';
+    let stderr = '';
+    child.stdout?.on('data', (chunk) => { stdout += chunk.toString(); });
+    child.stderr?.on('data', (chunk) => { stderr += chunk.toString(); });
+    child.on('error', (err) => {
+      reject(new Error(`Failed to start scanner: ${err.message}. Run: npm install @sonar/scan`));
+    });
+    child.on('close', (code) => {
+      if (code === 0) {
+        resolve();
+        return;
+      }
+      const out = [stderr.trim(), stdout.trim()].filter(Boolean).join('\n');
+      const lastLines = out.split('\n').slice(-15).join('\n');
+      const msg = out.length > 500 ? lastLines : out;
+      reject(new Error(msg || `Scanner exited with code ${code}`));
+    });
+  });
+}
+
+/**
+ * Get or clone repo (cache), run SonarScanner for SonarCloud. Does not delete the clone (kept for next run).
+ * @param {string} repoUrl - Full Git repo URL (e.g. https://github.com/owner/repo)
+ * @param {string} projectKey - SonarCloud project key
+ * @param {string} projectName - Display name for the project
+ * @param {string} organization - SonarCloud organization
+ * @param {string} token - SonarCloud token
+ * @returns {Promise<void>}
+ */
+export async function cloneAndScan(repoUrl, projectKey, projectName, organization, token) {
+  const cacheKey = getCacheKeyFromUrl(repoUrl);
+  const dir = await getOrCloneRepository(repoUrl, cacheKey);
+  await runSonarScan(dir, { projectKey, projectName, organization, token });
+}
+
+export default { getCacheRoot, getCacheKeyFromUrl, getOrCloneRepository, cloneRepository, runSonarScan, cloneAndScan };