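# SonarQube / SonarCloud template for vulnerability and code quality validation.
# Used by the SonarScanner (sonar-scanner CLI) or by the CI pipeline when SONAR_TOKEN is set.
# NOTE(review): the SonarScanner for Maven (mvn sonar:sonar) takes its settings from the POM
# and -D flags rather than from this file - confirm which scanner the pipeline invokes and,
# if it is the Maven one, mirror these keys into the POM / command line so they take effect.
#
# Never put the analysis token in this file (no sonar.token / sonar.login here): pass it via the
# SONAR_TOKEN environment variable or a CI secret so it is not committed to the repository.
#
# Configure a Quality Gate on your SonarQube/SonarCloud server that fails on:
# - Security Hotspots (review required)
# - Vulnerabilities (OWASP, CWE, etc.)
# sonar.qualitygate.wait=true (below) then makes the scanner block until the gate result is
# known and fail the build if the gate fails.

# Project identification (override with -Dsonar.projectKey=... / -Dsonar.projectName=... if needed)
sonar.projectKey=candilize
sonar.projectName=Candilize

# Wait for the Quality Gate result and fail the build if it does not pass
# (vulnerability / security validation).
sonar.qualitygate.wait=true

# Sources and binaries. sonar.sources is narrowed to production code; tests are declared
# separately so test-specific rules apply to them and test findings are not counted as
# production vulnerabilities.
sonar.sources=src/main/java
sonar.tests=src/test/java
sonar.java.binaries=target/classes
# NOTE(review): target/*.jar is the module's own packaged artifact, not its dependencies.
# The Java analyzer needs the dependency jars on its classpath (e.g. target/dependency/*.jar
# after `mvn dependency:copy-dependencies`, or the classpath the Maven scanner injects) to
# resolve third-party types; without them, security rules that rely on type resolution can be
# skipped silently. Confirm against the build before relying on the vulnerability results.
sonar.java.libraries=target/*.jar
sonar.java.test.binaries=target/test-classes

# Analysis exclusions. sonar.exclusions removes files from ALL analysis - including the
# security / vulnerability rules - so keep it to code that is genuinely not ours to fix:
# generated sources, protobuf stubs and build output.
sonar.exclusions=**/generated/**/*.java,**/proto/**/*.java,**/target/**/*.java

# DTO / Request / Response / config classes stay in scope for the vulnerability rules
# (security configuration and input-carrying classes are exactly where misconfigurations and
# missing validation live). They are excluded only from duplication (cpd) and coverage
# measurement, which is what the previous blanket exclusion was meant to achieve. Expect new
# findings in these packages the first time the widened scope is analysed.
sonar.cpd.exclusions=**/*Dto.java,**/*Request.java,**/*Response.java,**/config/**/*.java
sonar.coverage.exclusions=**/config/**/*.java,**/domain/**/*.java,**/*Request.java,**/*Response.java,**/dto/**/*.java

# Encoding
sonar.sourceEncoding=UTF-8

# Optional: OWASP / security-focused (SonarQube 9+ / SonarCloud)
# Add the "Security" and "Security Review" ratings as Quality Gate conditions (e.g. Security
# Rating on New Code is A, Security Hotspots Reviewed is 100%) for vulnerability validation.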