opencode-sonarqube 2.0.3 → 2.1.0

package/dist/index.js

@@ -1,5 +1,20 @@
 import { createRequire } from "node:module";
+var __create = Object.create;
+var __getProtoOf = Object.getPrototypeOf;
 var __defProp = Object.defineProperty;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __toESM = (mod, isNodeMode, target) => {
+  target = mod != null ? __create(__getProtoOf(mod)) : {};
+  const to = isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target;
+  for (let key of __getOwnPropNames(mod))
+    if (!__hasOwnProp.call(to, key))
+      __defProp(to, key, {
+        get: () => mod[key],
+        enumerable: true
+      });
+  return to;
+};
 var __export = (target, all) => {
   for (var name in all)
     __defProp(target, name, {
@@ -17808,6 +17823,36 @@ class IssuesAPI extends BaseAPI {
     const hotspots = await this.getSecurityHotspots(projectKey);
     return hotspots.filter((h) => h.status === "TO_REVIEW");
   }
+  async reviewHotspot(hotspotKey, status, resolution, comment) {
+    this.logger.info(`Reviewing hotspot ${hotspotKey}: status=${status}, resolution=${resolution}`);
+    const body = {
+      hotspot: hotspotKey,
+      status
+    };
+    if (resolution && status === "REVIEWED") {
+      body.resolution = resolution;
+    }
+    if (comment) {
+      body.comment = comment;
+    }
+    await this.client.post("/api/hotspots/change_status", body);
+    this.logger.info(`Hotspot ${hotspotKey} reviewed successfully`);
+  }
+  async bulkReviewHotspots(hotspotKeys, resolution, comment) {
+    let success2 = 0;
+    let failed = 0;
+    const errors4 = [];
+    for (const key of hotspotKeys) {
+      try {
+        await this.reviewHotspot(key, "REVIEWED", resolution, comment);
+        success2++;
+      } catch (error45) {
+        failed++;
+        errors4.push(`${key}: ${error45 instanceof Error ? error45.message : String(error45)}`);
+      }
+    }
+    return { success: success2, failed, errors: errors4 };
+  }
 }
 // src/api/quality-gate/api.ts
 init_types2();
@@ -20338,38 +20383,103 @@ async function handleHotspots(ctx) {
     output += `### Hotspots Requiring Review
 
 `;
-    output += `| Risk | File | Line | Issue |
+    output += `| # | Risk | Key | File | Line | Issue |
 `;
-    output += `|------|------|------|-------|
+    output += `|---|------|-----|------|------|-------|
 `;
-    for (const hotspot of toReview.slice(0, 20)) {
+    for (let i = 0;i < Math.min(toReview.length, 50); i++) {
+      const hotspot = toReview[i];
       const risk = hotspot.vulnerabilityProbability;
       const file2 = hotspot.component.split(":").pop() ?? hotspot.component;
       const line = hotspot.line ?? "?";
-      const msg = hotspot.message.length > 60 ? hotspot.message.substring(0, 57) + "..." : hotspot.message;
-      output += `| ${risk} | ${file2} | ${line} | ${msg} |
+      const msg = hotspot.message.length > 50 ? hotspot.message.substring(0, 47) + "..." : hotspot.message;
+      output += `| ${i + 1} | ${risk} | \`${hotspot.key.substring(0, 8)}\` | ${file2} | ${line} | ${msg} |
 `;
     }
-    if (toReview.length > 20) {
+    if (toReview.length > 50) {
       output += `
-*... and ${toReview.length - 20} more hotspots*
+*... and ${toReview.length - 50} more hotspots*
 `;
     }
     output += `
-### Review Guidelines
+### How to Review Hotspots
+
+You can review hotspots directly using this tool:
+
+**Review a single hotspot:**
+\`\`\`
+sonarqube({ action: "reviewhotspot", hotspotKey: "<key>", resolution: "SAFE", comment: "Reviewed: no security risk because..." })
+\`\`\`
 
-1. **HIGH risk**: Review immediately - potential security vulnerability
-2. **MEDIUM risk**: Review soon - possible security concern
-3. **LOW risk**: Review when convenient - minor security consideration
+**Review ALL pending hotspots as SAFE:**
+\`\`\`
+sonarqube({ action: "reviewhotspot", resolution: "SAFE", comment: "Bulk review: all hotspots verified safe" })
+\`\`\`
 
-For each hotspot, determine if it's:
-- **Safe**: The code is secure despite the warning
-- **Fixed**: The vulnerability has been remediated
-- **At Risk**: Requires code changes to fix
+**Resolutions:**
+- \`SAFE\` — The code is secure despite the warning (most common)
+- \`FIXED\` — The vulnerability has been remediated
+- \`ACKNOWLEDGED\` — Known risk, accepted
+
+### Review Guidelines
+
+1. **HIGH risk**: Review the code carefully — potential security vulnerability
+2. **MEDIUM risk**: Check regex patterns, randomness, protocol usage
+3. **LOW risk**: Usually informational — hardcoded IPs, HTTP URLs in non-production code
 `;
   }
   return output;
 }
+async function handleReviewHotspot(ctx, hotspotKey, resolution, comment) {
+  const { api: api2, projectKey } = ctx;
+  const validResolutions = ["SAFE", "FIXED", "ACKNOWLEDGED"];
+  const res = resolution?.toUpperCase() ?? "SAFE";
+  if (!validResolutions.includes(res)) {
+    return `**Error:** Invalid resolution "${resolution}". Must be one of: SAFE, FIXED, ACKNOWLEDGED`;
+  }
+  if (!hotspotKey) {
+    const toReview = await api2.issues.getSecurityHotspotsToReview(projectKey);
+    if (toReview.length === 0) {
+      return formatSuccess("Review Hotspots", "No pending hotspots to review. All hotspots have already been reviewed.");
+    }
+    const result = await api2.issues.bulkReviewHotspots(toReview.map((h) => h.key), res, comment ?? `Bulk reviewed as ${res} via opencode-sonarqube plugin`);
+    let output = `## Hotspot Bulk Review Complete
+
+**Project:** \`${projectKey}\`
+**Resolution:** ${res}
+**Reviewed:** ${result.success} hotspots
+**Failed:** ${result.failed} hotspots
+`;
+    if (result.errors.length > 0) {
+      output += `
+### Errors
+`;
+      for (const err of result.errors.slice(0, 10)) {
+        output += `- ${err}
+`;
+      }
+    }
+    output += `
+> Run \`sonarqube({ action: "status" })\` to check the updated Quality Gate.`;
+    return output;
+  }
+  try {
+    await api2.issues.reviewHotspot(hotspotKey, "REVIEWED", res, comment ?? `Reviewed as ${res} via opencode-sonarqube plugin`);
+    return `## Hotspot Reviewed
+
+**Hotspot:** \`${hotspotKey}\`
+**Status:** REVIEWED
+**Resolution:** ${res}
+${comment ? `**Comment:** ${comment}` : ""}
+
+> Run \`sonarqube({ action: "hotspots" })\` to see remaining hotspots.`;
+  } catch (error45) {
+    const msg = error45 instanceof Error ? error45.message : String(error45);
+    return `**Error reviewing hotspot:** ${msg}
+
+Make sure the hotspot key is correct. Use \`sonarqube({ action: "hotspots" })\` to list hotspot keys.`;
+  }
+}
 // src/tools/handlers/duplications.ts
 async function handleDuplications(ctx) {
   const { api: api2, projectKey } = ctx;
@@ -20496,14 +20606,17 @@ Run \`sonarqube({ action: "analyze" })\` to generate metrics.`));
 // src/tools/sonarqube.ts
 var logger10 = new Logger("sonarqube-tool");
 var SonarQubeToolArgsSchema = exports_external2.object({
-  action: exports_external2.enum(["analyze", "issues", "newissues", "status", "init", "setup", "validate", "hotspots", "duplications", "rule", "history", "profile", "branches", "metrics", "worstfiles"]).describe("Action to perform: analyze (run scanner), issues (all issues), newissues (only new code issues), status (quality gate), init/setup (initialize), validate (enterprise check), hotspots (security review), duplications (code duplicates), rule (explain rule), history (past analyses), profile (quality profile), branches (branch status), metrics (detailed metrics), worstfiles (files with most issues)"),
+  action: exports_external2.enum(["analyze", "issues", "newissues", "status", "init", "setup", "validate", "hotspots", "reviewhotspot", "duplications", "rule", "history", "profile", "branches", "metrics", "worstfiles"]).describe("Action to perform: analyze (run scanner), issues (all issues), newissues (only new code issues), status (quality gate), init/setup (initialize), validate (enterprise check), hotspots (security review), duplications (code duplicates), rule (explain rule), history (past analyses), profile (quality profile), branches (branch status), metrics (detailed metrics), worstfiles (files with most issues)"),
   scope: exports_external2.enum(["all", "new", "changed"]).optional().default("all").describe("Scope of analysis: all files, only new code, or changed files"),
   severity: exports_external2.enum(["blocker", "critical", "major", "minor", "info", "all"]).optional().default("all").describe("Filter issues by minimum severity level"),
   fix: exports_external2.boolean().optional().default(false).describe("If true, include fix suggestions in the response"),
   projectKey: exports_external2.string().optional().describe("Override the project key (usually auto-detected)"),
   force: exports_external2.boolean().optional().default(false).describe("Force re-initialization even if already set up"),
   ruleKey: exports_external2.string().optional().describe("Rule key to explain (e.g., 'typescript:S1234') - required for 'rule' action"),
-  branch: exports_external2.string().optional().describe("Branch name for multi-branch analysis (default: main branch)")
+  branch: exports_external2.string().optional().describe("Branch name for multi-branch analysis (default: main branch)"),
+  hotspotKey: exports_external2.string().optional().describe("Hotspot key to review (UUID). If omitted with 'reviewhotspot' action, all TO_REVIEW hotspots are bulk-reviewed."),
+  resolution: exports_external2.enum(["SAFE", "FIXED", "ACKNOWLEDGED"]).optional().describe("Hotspot review resolution: SAFE (no risk), FIXED (remediated), ACKNOWLEDGED (accepted risk)"),
+  comment: exports_external2.string().optional().describe("Review comment explaining the decision")
 });
 async function executeSonarQubeTool(args, context) {
   const directory = context.directory ?? process.cwd();
@@ -20556,6 +20669,8 @@ ${setupResult.message}`);
         return await handleValidate(ctx);
       case "hotspots":
         return await handleHotspots(ctx);
+      case "reviewhotspot":
+        return await handleReviewHotspot(ctx, args.hotspotKey, args.resolution, args.comment);
       case "duplications":
         return await handleDuplications(ctx);
       case "rule":
@@ -21263,6 +21378,7 @@ Actions:
 - status: Get quality gate status and metrics
 - validate: Check if project meets enterprise quality standards
 - hotspots: Get security hotspots that need review
+- reviewhotspot: Review/resolve security hotspots (mark as SAFE, FIXED, or ACKNOWLEDGED)
 - duplications: Find code duplications across the project
 - rule: Explain a specific SonarQube rule
 - history: Show past analysis history
@@ -21276,16 +21392,22 @@ Example usage:
 - sonarqube({ action: "newissues" }) - Issues only in your recent changes
 - sonarqube({ action: "worstfiles" }) - Files needing most attention
 - sonarqube({ action: "issues", severity: "critical" }) - Get critical+ issues
-- sonarqube({ action: "status" }) - Check quality gate status`,
+- sonarqube({ action: "status" }) - Check quality gate status
+- sonarqube({ action: "hotspots" }) - List security hotspots
+- sonarqube({ action: "reviewhotspot", resolution: "SAFE" }) - Bulk-review all hotspots as SAFE
+- sonarqube({ action: "reviewhotspot", hotspotKey: "abc123", resolution: "SAFE", comment: "No risk" }) - Review single hotspot`,
         args: {
-          action: tool.schema.enum(["analyze", "issues", "newissues", "status", "init", "setup", "validate", "hotspots", "duplications", "rule", "history", "profile", "branches", "metrics", "worstfiles"]).describe("Action to perform"),
+          action: tool.schema.enum(["analyze", "issues", "newissues", "status", "init", "setup", "validate", "hotspots", "reviewhotspot", "duplications", "rule", "history", "profile", "branches", "metrics", "worstfiles"]).describe("Action to perform"),
           scope: tool.schema.enum(["all", "new", "changed"]).optional().describe("Scope of analysis"),
           severity: tool.schema.enum(["blocker", "critical", "major", "minor", "info", "all"]).optional().describe("Filter issues by minimum severity"),
           fix: tool.schema.boolean().optional().describe("Include fix suggestions in response"),
           projectKey: tool.schema.string().optional().describe("Override project key"),
           force: tool.schema.boolean().optional().describe("Force re-initialization"),
           ruleKey: tool.schema.string().optional().describe("Rule key to explain (e.g., 'typescript:S1234')"),
-          branch: tool.schema.string().optional().describe("Branch name for multi-branch projects")
+          branch: tool.schema.string().optional().describe("Branch name for multi-branch projects"),
+          hotspotKey: tool.schema.string().optional().describe("Hotspot key (UUID) to review. If omitted with reviewhotspot action, all pending hotspots are bulk-reviewed."),
+          resolution: tool.schema.string().optional().describe("Hotspot review resolution: SAFE, FIXED, or ACKNOWLEDGED"),
+          comment: tool.schema.string().optional().describe("Review comment explaining the decision")
         },
         async execute(args, _ctx) {
           const result = await executeSonarQubeTool({
@@ -21296,7 +21418,10 @@ Example usage:
             projectKey: args.projectKey,
             force: args.force ?? false,
             ruleKey: args.ruleKey,
-            branch: args.branch
+            branch: args.branch,
+            hotspotKey: args.hotspotKey,
+            resolution: args.resolution,
+            comment: args.comment
           }, {
             directory: getDirectory(),
             config: pluginConfig

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "opencode-sonarqube",
-  "version": "2.0.3",
+  "version": "2.1.0",
   "description": "OpenCode Plugin for SonarQube integration - Enterprise-level code quality from the start",
   "type": "module",
   "main": "dist/index.js",