From ed4eafdeb4f6ca88728e262bb37bf1d7ab505f78 Mon Sep 17 00:00:00 2001
From: aksops
Date: Fri, 1 May 2026 08:28:00 +0000
Subject: [PATCH] chore(sonar): exclude e2e specs + suppress go:S4036 PATH hotspots

Two narrow tightenings to cut Sonar noise:

- ui/e2e/** added to sonar.exclusions. Playwright specs are test scaffolding (own runner, fixtures, repeat boilerplate) and were showing up as ~45% duplicated source code, polluting the dup metric.

- go:S4036 (PATH variable usage) suppressed project-wide via sonar.issue.ignore.multicriteria. ctm is a CLI orchestrator that resolves user-installed tools (git, tmux, claude, gh) through \$PATH on whatever box it's running on; hardcoded absolutes aren't viable across macOS / Linux / Homebrew. Was firing on 30 lines without flagging a real risk.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 sonar-project.properties | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/sonar-project.properties b/sonar-project.properties
index bad3c5e..e6976d4 100644
--- a/sonar-project.properties
+++ b/sonar-project.properties
@@ -24,11 +24,25 @@
 sonar.exclusions=\
 **/.codeiq/**,\
 internal/serve/dist/**,\
 ui/coverage/**,\
+ui/e2e/**,\
 ui/playwright-report/**,\
 ui/test-results/**,\
 coverage.out,\
 docs/**
+# ── Issue suppressions ─────────────────────────────────────────────────
+# go:S4036 — "Make sure the PATH variable only contains fixed,
+# unwriteable directories." ctm is a CLI orchestrator that intentionally
+# resolves user-installed tools (git, tmux, claude, gh) via $PATH on
+# whatever box it's running on. Hardcoded absolute paths aren't viable
+# across macOS / Linux / Homebrew / system installs. The risk model is
+# the user's own shell, not a service account on a server, so the rule
+# fires by design rather than flagging real issues. Suppressed
+# project-wide.
+sonar.issue.ignore.multicriteria=path
+sonar.issue.ignore.multicriteria.path.ruleKey=go:S4036
+sonar.issue.ignore.multicriteria.path.resourceKey=**/*.go
+
 # ── Tests ──────────────────────────────────────────────────────────────
 # Sonar separates "test code" from "production code" so coverage and
 # duplication metrics target the right files. Playwright e2e specs
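Review bot: The go:S4036 suppression is keyed on `**/*.go`, so it also silences the rule for any future PATH-resolved exec added to non-interactive code paths (the exclusions list mentions `internal/serve/dist/**`, which suggests a served mode exists, though only this slice of the file is visible), where the "user's own shell" justification in the comment block may not hold. Narrowing the resourceKey to the packages that actually shell out to git/tmux/claude/gh keeps the hotspot live everywhere else, e.g. `sonar.issue.ignore.multicriteria.path.resourceKey=<exec-package-globs>/**/*.go` (placeholder — substitute the real package paths), and a one-line note in the comment block recording that new exec call sites outside those packages should still be reviewed would make the intent durable. Separately, if the goal for `ui/e2e/**` is only the duplication metric, `sonar.cpd.exclusions` would drop the specs from duplication detection while leaving them analysed for issues, whereas `sonar.exclusions` removes them from all analysis — which seems at odds with the "Tests" section below that appears to classify Playwright specs as test code.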