opencode-sonarqube 2.1.0 → 2.1.2

package/README.md

@@ -4,16 +4,17 @@ OpenCode Plugin for SonarQube integration - Enterprise-level code quality from t
 
 [![Coverage](https://img.shields.io/badge/coverage-100%25-brightgreen)](https://sonarqube.example.com)
 [![Quality Gate](https://img.shields.io/badge/quality%20gate-passed-brightgreen)](https://sonarqube.example.com)
-[![Tests](https://img.shields.io/badge/tests-612%20passing-brightgreen)](https://sonarqube.example.com)
+[![Tests](https://img.shields.io/badge/tests-722%20passing-brightgreen)](https://sonarqube.example.com)
 [![License](https://img.shields.io/badge/license-MIT-blue)](./LICENSE)
+[![npm version](https://img.shields.io/npm/v/opencode-sonarqube)](https://www.npmjs.com/package/opencode-sonarqube)
 
 ## Features
 
 - **Automatic Analysis**: Triggers SonarQube analysis when the AI agent becomes idle
-- **15 Tool Actions**: Comprehensive SonarQube integration for AI agents
+- **16 Tool Actions**: Comprehensive SonarQube integration for AI agents
 - **Clean as You Code**: Focus on new code issues with `newissues` action
 - **Custom Command**: Use `/sonarqube` command for quick analysis
-- **Security Hotspots**: Review and track security hotspots requiring manual review
+- **Security Hotspots**: Review, resolve, and bulk-dismiss security hotspots directly via API
 - **Quality Gate Integration**: Shows pass/fail status with detailed metrics
 - **Git Integration**: Detects git operations and suggests quality checks
 - **System Prompt Injection**: AI always knows current quality status
@@ -100,6 +101,44 @@ Add these to your `~/.zshrc` or `~/.bashrc` to make them permanent.
    - Tell the AI: "Setup SonarQube for this project"
    - Or use: `sonarqube({ action: "setup" })`
 
+## Updating
+
+The plugin is installed per project via `package.json`. To update to the latest version:
+
+```bash
+# Update in the current project
+bun add opencode-sonarqube@latest
+
+# Or with npm
+npm install opencode-sonarqube@latest
+```
+
+Then restart OpenCode to load the new version.
+
+**Tip — Always get the latest version automatically:**
+
+By default, `bun add` pins a specific version (e.g., `"^2.1.0"`). To always pull the newest release on every OpenCode restart, change your `package.json` dependency to:
+
+```json
+{
+  "dependencies": {
+    "opencode-sonarqube": "latest"
+  }
+}
+```
+
+This ensures you always run the most recent version without manual updates.
+
+**Update all projects at once:**
+
+```bash
+# Run this from any directory to update all projects that use the plugin
+for dir in $(grep -rl '"opencode-sonarqube"' ~/Projekte/*/package.json 2>/dev/null | xargs -I{} dirname {}); do
+  echo "Updating: $dir"
+  (cd "$dir" && bun add opencode-sonarqube@latest)
+done
+```
+
 ## Configuration
 
 ### Environment Variables (Required)
@@ -192,6 +231,7 @@ The plugin adds a `sonarqube` tool with these actions:
 | `newissues` | Get only issues in NEW code (Clean as You Code) |
 | `worstfiles` | Show files with most issues (prioritize refactoring) |
 | `hotspots` | Get security hotspots that need manual review |
+| `reviewhotspot` | Review/resolve hotspots as SAFE, FIXED, or ACKNOWLEDGED |
 | `duplications` | Find code duplications across the project |
 
 ### Status & Validation
@@ -216,15 +256,18 @@ The plugin adds a `sonarqube` tool with these actions:
 ```typescript
 sonarqube({
   action: "analyze" | "issues" | "newissues" | "worstfiles" | "status" | 
-          "validate" | "hotspots" | "duplications" | "rule" | "history" |
-          "profile" | "branches" | "metrics" | "setup",
+          "validate" | "hotspots" | "reviewhotspot" | "duplications" | "rule" |
+          "history" | "profile" | "branches" | "metrics" | "setup",
   scope: "all" | "new" | "changed",     // What to analyze
   severity: "blocker" | "critical" | "major" | "minor" | "info" | "all",
   fix: true | false,                     // Include fix suggestions
   projectKey: "override-key",            // Optional override
   force: true | false,                   // Force re-initialization
   ruleKey: "typescript:S1234",           // For "rule" action
-  branch: "feature-branch"               // For multi-branch analysis
+  branch: "feature-branch",             // For multi-branch analysis
+  hotspotKey: "uuid-of-hotspot",        // For "reviewhotspot" action (omit for bulk review)
+  resolution: "SAFE" | "FIXED" | "ACKNOWLEDGED",  // Hotspot review resolution
+  comment: "Reason for the decision"     // Optional review comment
 })
 ```
 
@@ -316,6 +359,15 @@ sonarqube({ action: "rule", ruleKey: "typescript:S3776" })
 
 // Enterprise validation before release
 sonarqube({ action: "validate" })
+
+// List security hotspots
+sonarqube({ action: "hotspots" })
+
+// Review a single hotspot as safe
+sonarqube({ action: "reviewhotspot", hotspotKey: "abc-123", resolution: "SAFE", comment: "Form field name, not a password" })
+
+// Bulk-review ALL pending hotspots as safe
+sonarqube({ action: "reviewhotspot", resolution: "SAFE" })
 ```
 
 ## CLI Usage
@@ -477,7 +529,7 @@ This project maintains enterprise-level quality:
 | Metric | Value |
 |--------|-------|
 | Test Coverage | 96% |
-| Tests | 612 |
+| Tests | 722 |
 | Bugs | 0 |
 | Vulnerabilities | 0 |
 | Code Smells | 0 |

package/dist/index.js

@@ -1,20 +1,5 @@
 import { createRequire } from "node:module";
-var __create = Object.create;
-var __getProtoOf = Object.getPrototypeOf;
 var __defProp = Object.defineProperty;
-var __getOwnPropNames = Object.getOwnPropertyNames;
-var __hasOwnProp = Object.prototype.hasOwnProperty;
-var __toESM = (mod, isNodeMode, target) => {
-  target = mod != null ? __create(__getProtoOf(mod)) : {};
-  const to = isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target;
-  for (let key of __getOwnPropNames(mod))
-    if (!__hasOwnProp.call(to, key))
-      __defProp(to, key, {
-        get: () => mod[key],
-        enumerable: true
-      });
-  return to;
-};
 var __export = (target, all) => {
   for (var name in all)
     __defProp(target, name, {
@@ -19328,6 +19313,10 @@ class SonarQubeAPI {
     };
   }
 }
+function createSonarQubeAPIWithCredentials(url2, user, password, logger4) {
+  const client = createClientWithCredentials(url2, user, password, logger4?.child("client"));
+  return new SonarQubeAPI(client, logger4);
+}
 function createSonarQubeAPIWithToken(url2, token, logger4) {
   const client = createClientWithToken(url2, token, logger4?.child("client"));
   return new SonarQubeAPI(client, logger4);
@@ -19394,6 +19383,20 @@ function groupIssuesBySeverity(issues) {
 }
 function formatIssuesForAgent(issues, qualityGateStatus) {
   if (issues.length === 0) {
+    if (qualityGateStatus !== "OK") {
+      return `## SonarQube Analysis Results
+
+**Quality Gate: ${qualityGateStatus}**
+
+No code issues found, but the Quality Gate is not passing.
+This is typically caused by **unreviewed security hotspots** or **code duplication thresholds**.
+
+**To fix:**
+- \`sonarqube({ action: "hotspots" })\` — List security hotspots
+- \`sonarqube({ action: "reviewhotspot", resolution: "SAFE" })\` — Bulk-review all hotspots as safe
+- \`sonarqube({ action: "status" })\` — See which conditions are failing
+- \`sonarqube({ action: "duplications" })\` — Check code duplication`;
+    }
     return `## SonarQube Analysis Results
 
 **Quality Gate: ${qualityGateStatus}**
@@ -20333,8 +20336,20 @@ async function handleStatus(ctx) {
     output += `
 ### Failed Conditions
 `;
+    const hasHotspotCondition = failedConditions.some((c) => c.metricKey.includes("security_hotspots") || c.metricKey.includes("hotspot"));
     for (const condition of failedConditions) {
       output += `- **${condition.metricKey}**: ${condition.actualValue} (threshold: ${condition.errorThreshold})
+`;
+    }
+    if (hasHotspotCondition) {
+      output += `
+### How to Fix Security Hotspot Condition
+The Quality Gate is failing because unreviewed security hotspots exist.
+You can review them directly:
+
+1. **List hotspots:** \`sonarqube({ action: "hotspots" })\`
+2. **Bulk-review all as safe:** \`sonarqube({ action: "reviewhotspot", resolution: "SAFE" })\`
+3. **Review individually:** \`sonarqube({ action: "reviewhotspot", hotspotKey: "<key>", resolution: "SAFE", comment: "reason" })\`
 `;
     }
   }
@@ -20363,6 +20378,9 @@ Please fix the failed checks before proceeding.`;
   return output;
 }
 // src/tools/handlers/security.ts
+function createAdminAPI(ctx) {
+  return createSonarQubeAPIWithCredentials(ctx.config.url, ctx.config.user, ctx.config.password);
+}
 async function handleHotspots(ctx) {
   const { api: api2, projectKey } = ctx;
   const hotspots = await api2.issues.getSecurityHotspots(projectKey);
@@ -20437,12 +20455,13 @@ async function handleReviewHotspot(ctx, hotspotKey, resolution, comment) {
   if (!validResolutions.includes(res)) {
     return `**Error:** Invalid resolution "${resolution}". Must be one of: SAFE, FIXED, ACKNOWLEDGED`;
   }
+  const adminApi = createAdminAPI(ctx);
   if (!hotspotKey) {
     const toReview = await api2.issues.getSecurityHotspotsToReview(projectKey);
     if (toReview.length === 0) {
       return formatSuccess("Review Hotspots", "No pending hotspots to review. All hotspots have already been reviewed.");
     }
-    const result = await api2.issues.bulkReviewHotspots(toReview.map((h) => h.key), res, comment ?? `Bulk reviewed as ${res} via opencode-sonarqube plugin`);
+    const result = await adminApi.issues.bulkReviewHotspots(toReview.map((h) => h.key), res, comment ?? `Bulk reviewed as ${res} via opencode-sonarqube plugin`);
     let output = `## Hotspot Bulk Review Complete
 
 **Project:** \`${projectKey}\`
@@ -20464,7 +20483,7 @@ async function handleReviewHotspot(ctx, hotspotKey, resolution, comment) {
     return output;
   }
   try {
-    await api2.issues.reviewHotspot(hotspotKey, "REVIEWED", res, comment ?? `Reviewed as ${res} via opencode-sonarqube plugin`);
+    await adminApi.issues.reviewHotspot(hotspotKey, "REVIEWED", res, comment ?? `Reviewed as ${res} via opencode-sonarqube plugin`);
     return `## Hotspot Reviewed
 
 **Hotspot:** \`${hotspotKey}\`
@@ -21263,6 +21282,90 @@ Git operation completed with changes. Consider running:
       }
     };
   };
+  const buildSystemTransformContext = async (_input) => {
+    safeLog(`=== system.transform ENTERED ===`);
+    const inputAny = _input;
+    const sessionID = inputAny?.sessionID;
+    const sessionDir = sessionID ? getDirectoryForSession(sessionID) : undefined;
+    const dir = sessionDir || effectiveDirectory;
+    safeLog(`  dir used: "${dir}"`);
+    const now = Date.now();
+    const cachedEntry = transformCacheMap.get(dir);
+    if (cachedEntry && now - cachedEntry.timestamp < TRANSFORM_CACHE_TTL_MS) {
+      return cachedEntry.data;
+    }
+    await loadPluginConfig();
+    const sonarConfig = pluginConfig?.["sonarqube"];
+    const config3 = loadConfig(sonarConfig);
+    if (!config3 || config3.level === "off") {
+      transformCacheMap.set(dir, { data: undefined, timestamp: now });
+      return;
+    }
+    const state = await getProjectState(dir);
+    if (!state?.projectKey) {
+      transformCacheMap.set(dir, { data: undefined, timestamp: now });
+      return;
+    }
+    const api2 = createSonarQubeAPI(config3, state);
+    const [qgStatus, counts, newCodeResponse] = await Promise.all([
+      api2.qualityGate.getStatus(state.projectKey),
+      api2.issues.getCounts(state.projectKey),
+      api2.issues.search({
+        projectKey: state.projectKey,
+        inNewCode: true,
+        resolved: false,
+        pageSize: 1
+      }).catch(() => ({ paging: { total: 0 } }))
+    ]);
+    const qgFailed = qgStatus.projectStatus.status !== "OK";
+    const newCodeIssues = newCodeResponse.paging.total;
+    const hasIssues = counts.blocker > 0 || counts.critical > 0;
+    if (!hasIssues && !qgFailed && newCodeIssues === 0) {
+      transformCacheMap.set(dir, { data: undefined, timestamp: now });
+      return;
+    }
+    const hotspotInfo = await buildHotspotInfo(api2, state.projectKey);
+    const systemContext = formatSystemContext(qgStatus.projectStatus.status, qgFailed, counts, newCodeIssues, hotspotInfo, config3.level);
+    transformCacheMap.set(dir, { data: systemContext, timestamp: now });
+    return systemContext;
+  };
+  const buildHotspotInfo = async (api2, projectKey) => {
+    try {
+      const hotspotsToReview = await api2.issues.getSecurityHotspotsToReview(projectKey);
+      if (hotspotsToReview.length > 0) {
+        return `**Security Hotspots:** ${hotspotsToReview.length} unreviewed hotspots (may cause Quality Gate to fail)
+**To fix:** \`sonarqube({ action: "hotspots" })\` to list, then \`sonarqube({ action: "reviewhotspot", resolution: "SAFE" })\` to bulk-review
+`;
+      }
+    } catch {}
+    return "";
+  };
+  const formatSystemContext = (qgStatusText, qgFailed, counts, newCodeIssues, hotspotInfo, level) => {
+    const lines = [
+      "## SonarQube Code Quality Status",
+      "",
+      `**Quality Gate:** ${qgStatusText}${qgFailed ? " (FAILED)" : ""}`,
+      `**Outstanding Issues:** ${counts.blocker} blockers, ${counts.critical} critical, ${counts.major} major`
+    ];
+    if (newCodeIssues > 0) {
+      lines.push(`**New Code Issues:** ${newCodeIssues} issues in recent changes`);
+    }
+    if (hotspotInfo) {
+      lines.push(hotspotInfo);
+    }
+    if (counts.blocker > 0) {
+      lines.push("**IMPORTANT:** There are BLOCKER issues that must be fixed before shipping code.");
+    }
+    if (level === "enterprise") {
+      lines.push("This project follows enterprise-level quality standards (zero tolerance for issues).");
+    }
+    lines.push("", "**Recommended Actions:**", '- `sonarqube({ action: "newissues" })` - See issues in your recent changes (Clean as You Code)', '- `sonarqube({ action: "worstfiles" })` - Find files needing most attention', '- `sonarqube({ action: "issues" })` - See all issues');
+    if (hotspotInfo) {
+      lines.push('- `sonarqube({ action: "reviewhotspot", resolution: "SAFE" })` - Bulk-review all security hotspots as safe');
+    }
+    return lines.join(`
+`);
+  };
   safeLog(`=== PLUGIN INIT COMPLETE, returning hooks ===`);
   safeLog(`  This instance's pluginImportUrl: "${pluginImportUrl}"`);
   safeLog(`  This instance's effectiveDirectory: "${effectiveDirectory}"`);
@@ -21297,73 +21400,10 @@ Git operation completed with changes. Consider running:
       }
     }, "experimental.session.compacting"),
     "experimental.chat.system.transform": safeAsync(async (_input, output) => {
-      safeLog(`=== system.transform ENTERED ===`);
-      const inputAny = _input;
-      const sessionID = inputAny?.sessionID;
-      safeLog(`  sessionID: "${sessionID}"`);
-      const sharedState = readSharedState();
-      safeLog(`  sharedState sessions: ${JSON.stringify(sharedState.sessionToDirectory)}`);
-      safeLog(`  sharedState directories: ${JSON.stringify(sharedState.registeredDirectories)}`);
-      const sessionDir = sessionID ? getDirectoryForSession(sessionID) : undefined;
-      safeLog(`  sessionDir from shared state: "${sessionDir}"`);
-      safeLog(`  effectiveDirectory (fallback): "${effectiveDirectory}"`);
-      const dir = sessionDir || effectiveDirectory;
-      safeLog(`  FINAL dir used: "${dir}"`);
-      const now = Date.now();
-      const cachedEntry = transformCacheMap.get(dir);
-      if (cachedEntry && now - cachedEntry.timestamp < TRANSFORM_CACHE_TTL_MS) {
-        if (cachedEntry.data) {
-          output.system.push(cachedEntry.data);
-        }
-        return;
+      const systemContext = await buildSystemTransformContext(_input);
+      if (systemContext) {
+        output.system.push(systemContext);
       }
-      await loadPluginConfig();
-      const sonarConfig = pluginConfig?.["sonarqube"];
-      const config3 = loadConfig(sonarConfig);
-      if (!config3 || config3.level === "off") {
-        safeLog(`  config level is off or null, returning early`);
-        transformCacheMap.set(dir, { data: undefined, timestamp: now });
-        return;
-      }
-      const state = await getProjectState(dir);
-      if (!state?.projectKey) {
-        transformCacheMap.set(dir, { data: undefined, timestamp: now });
-        return;
-      }
-      const api2 = createSonarQubeAPI(config3, state);
-      const [qgStatus, counts, newCodeResponse] = await Promise.all([
-        api2.qualityGate.getStatus(state.projectKey),
-        api2.issues.getCounts(state.projectKey),
-        api2.issues.search({
-          projectKey: state.projectKey,
-          inNewCode: true,
-          resolved: false,
-          pageSize: 1
-        }).catch(() => ({ paging: { total: 0 } }))
-      ]);
-      const hasIssues = counts.blocker > 0 || counts.critical > 0;
-      const qgFailed = qgStatus.projectStatus.status !== "OK";
-      const newCodeIssues = newCodeResponse.paging.total;
-      if (!hasIssues && !qgFailed && newCodeIssues === 0) {
-        transformCacheMap.set(dir, { data: undefined, timestamp: now });
-        return;
-      }
-      const systemContext = `## SonarQube Code Quality Status
-
-**Quality Gate:** ${qgStatus.projectStatus.status}${qgFailed ? " (FAILED)" : ""}
-**Outstanding Issues:** ${counts.blocker} blockers, ${counts.critical} critical, ${counts.major} major
-${newCodeIssues > 0 ? `**New Code Issues:** ${newCodeIssues} issues in recent changes
-` : ""}
-${counts.blocker > 0 ? `**IMPORTANT:** There are BLOCKER issues that must be fixed before shipping code.
-` : ""}
-${config3.level === "enterprise" ? `This project follows enterprise-level quality standards (zero tolerance for issues).
-` : ""}
-**Recommended Actions:**
-- \`sonarqube({ action: "newissues" })\` - See issues in your recent changes (Clean as You Code)
-- \`sonarqube({ action: "worstfiles" })\` - Find files needing most attention
-- \`sonarqube({ action: "issues" })\` - See all issues`;
-      transformCacheMap.set(dir, { data: systemContext, timestamp: now });
-      output.system.push(systemContext);
     }, "experimental.chat.system.transform"),
     tool: {
       sonarqube: tool({

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "opencode-sonarqube",
-  "version": "2.1.0",
+  "version": "2.1.2",
   "description": "OpenCode Plugin for SonarQube integration - Enterprise-level code quality from the start",
   "type": "module",
   "main": "dist/index.js",
@@ -38,7 +38,7 @@
   "homepage": "https://github.com/mguttmann/opencode-sonarqube#readme",
   "dependencies": {
     "@opencode-ai/plugin": "^1.1.34",
-    "opencode-sonarqube": "^1.2.45",
+    "opencode-sonarqube": "latest",
     "zod": "^3.24.0"
   },
   "devDependencies": {