This repository was archived by the owner on Apr 21, 2026. It is now read-only.

test: expand migration assessor coverage + SonarCloud config#134

Merged
LucasSantana-Dev merged 1 commit into main from test/migration-assessor-coverage on Mar 15, 2026

Conversation

@LucasSantana-Dev
Member

Summary

Two improvements in one PR:

  1. Comprehensive test expansion for all migration assessor collectors
  2. SonarCloud configuration to fix the advisory CI failure

Migration Assessor Tests: 40 → 81 (+41 new tests)

collectSecurityFindings

  • eval() usage detection (high)
  • dangerouslySetInnerHTML XSS risk (high)
  • innerHTML assignment XSS risk (high)
  • SQL string concatenation injection (high)
  • Unrestricted cors() (medium)
  • AWS access key pattern AKIA... (critical)
  • child_process.exec() command injection (high)
  • Private key in source (critical)
  • .env present but no .gitignore (critical)
  • Missing SECURITY.md (low)
  • Clean project scores 100/A

collectQualityFindings

  • Missing linter (medium)
  • Missing type checking (medium)
  • Missing code formatter (low)
  • No CI pipeline (high)
  • High empty-catch count >5 files (high severity vs medium for ≤5)
  • TODO/FIXME flood >10 occurrences (low)
  • Low test ratio <10% (medium)
  • Well-configured project scores 100/A

collectArchitectureFindings

  • God file >1000 lines (critical, vs >500 = high)
  • High coupling >15 imports (medium)
  • Function sprawl >20 functions (medium)
  • Flat project structure with many files in ≤2 directories (low)
  • High average file size >200 lines with >5 files (medium)
  • Clean small project scores 100

collectReadinessFindings

  • JavaScript project without TypeScript (medium)
  • Non-JS languages skip TS check
  • Missing documentation (medium)
  • docs/ directory satisfies doc check
  • Global state pollution via window./global. (high)
  • Missing CI pipeline (high)
  • Missing test framework (critical)
  • Well-configured project with README scores 100/A

collectDependencyFindings

  • No package.json returns 100 (graceful)
  • Excessive deps 50-100 (medium)
  • Excessive deps >100 (high)
  • No engine constraint (low)
  • No devDependencies (medium)
  • yarn.lock accepted as valid lockfile
  • pnpm-lock.yaml accepted as valid lockfile
  • Multiple legacy packages all flagged

SonarCloud

Add sonar-project.properties:

  • Project key, org, sources/tests configuration
  • Exclusions for dist, ESM-only modules, logger infrastructure
  • LCOV coverage path for Jest reports
  • Resolves the advisory SonarCloud failure on PRs

Metrics

| Metric | Before | After |
|---|---|---|
| Migration assessor tests | 40 | 81 |
| Total tests | 558 | 599 |
| SonarCloud config | ❌ Missing | ✅ Added |

Migration assessor tests: 40 → 81 tests (+41 new)
- collectSecurityFindings: eval(), XSS (innerHTML/dangerouslySetInnerHTML),
  SQL injection, unrestricted CORS, AWS access key, exec() injection,
  private key, no .gitignore + .env present, missing SECURITY.md
- collectQualityFindings: missing linter/type-checker/formatter/CI, high
  empty-catch count (>5 → high), TODO flooding, low test ratio (<10%)
- collectArchitectureFindings: god file (>1000 lines → critical), high
  coupling (>15 imports), function sprawl (>20), flat structure, high avg size
- collectReadinessFindings: TS-less JS projects, missing docs, global state
  pollution (window./global. assignments), missing CI, missing test framework
- collectDependencyFindings: no package.json, excessive deps (50-100 medium,
  >100 high), no engine constraint, no devDependencies, yarn.lock/pnpm-lock
  acceptance, multiple legacy packages

SonarCloud: add sonar-project.properties to resolve advisory CI failure
- Configure project key, org, sources, tests, exclusions, lcov path
@LucasSantana-Dev LucasSantana-Dev requested a review from a team as a code owner March 15, 2026 05:40
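As an added, illustrative example (not the project's own migration assessor code), the following TypeScript sketches how a collector like `collectSecurityFindings` can apply the heuristics listed in the PR description to an in-memory project snapshot and roll the findings into a score and grade. Rule names and severities follow the PR list; the regular expressions, the score weights (critical 25, high 15, medium 10, low 5), the grade bands, the `requires` precondition on the `exec()` rule, and the two fixture projects are assumptions constructed for this example.

```typescript
// Added example, not the project's collector: an in-memory imitation of the
// collectSecurityFindings heuristics listed in the PR description.
// Severities follow the PR; regexes, weights and grade bands are assumptions.

type Severity = "low" | "medium" | "high" | "critical";

interface Finding {
  rule: string;
  severity: Severity;
  file?: string;
}

interface ContentRule {
  rule: string;
  severity: Severity;
  pattern: RegExp;
  // Only evaluate `pattern` when the file also matches `requires`.
  requires?: RegExp;
}

// Constructed project snapshot: path -> file contents. A real collector
// would walk the repository; a map keeps the example offline.
type Snapshot = Record<string, string>;

const CONTENT_RULES: ContentRule[] = [
  { rule: "eval() usage", severity: "high", pattern: /\beval\s*\(/ },
  { rule: "dangerouslySetInnerHTML XSS risk", severity: "high", pattern: /\bdangerouslySetInnerHTML\b/ },
  { rule: "innerHTML assignment XSS risk", severity: "high", pattern: /\.innerHTML\s*=[^=]/ },
  // A SQL keyword followed, within the same statement, by a closing quote and
  // a "+": the query text is being concatenated with a variable.
  { rule: "SQL string concatenation injection", severity: "high",
    pattern: /\b(SELECT|INSERT|UPDATE|DELETE)\b[^;\n]*["'`]\s*\+\s*\w/i },
  { rule: "Unrestricted cors()", severity: "medium", pattern: /\bcors\(\s*\)/ },
  { rule: "AWS access key pattern", severity: "critical", pattern: /\bAKIA[0-9A-Z]{16}\b/ },
  // exec( only counts when the file also references child_process (assumed precondition).
  { rule: "child_process.exec() command injection", severity: "high",
    pattern: /\bexec\s*\(/, requires: /child_process/ },
  { rule: "Private key in source", severity: "critical", pattern: /-----BEGIN [A-Z ]*PRIVATE KEY-----/ },
];

// Assumed weights: each finding subtracts from a starting score of 100.
const WEIGHT: Record<Severity, number> = { low: 5, medium: 10, high: 15, critical: 25 };

// Assumed grade bands.
function gradeFor(score: number): string {
  if (score >= 90) return "A";
  if (score >= 80) return "B";
  if (score >= 70) return "C";
  if (score >= 60) return "D";
  return "F";
}

function collectSecurityFindings(files: Snapshot): { findings: Finding[]; score: number; grade: string } {
  const findings: Finding[] = [];

  // Content heuristics: at most one finding per rule per file.
  for (const [path, content] of Object.entries(files)) {
    for (const r of CONTENT_RULES) {
      if (r.requires && !r.requires.test(content)) continue;
      if (r.pattern.test(content)) findings.push({ rule: r.rule, severity: r.severity, file: path });
    }
  }

  // Structural heuristics from the PR description.
  const has = (name: string): boolean =>
    Object.keys(files).some((p) => p === name || p.endsWith("/" + name));
  if (has(".env") && !has(".gitignore")) {
    findings.push({ rule: ".env present but no .gitignore", severity: "critical" });
  }
  if (!has("SECURITY.md")) {
    findings.push({ rule: "Missing SECURITY.md", severity: "low" });
  }

  const penalty = findings.reduce((sum, f) => sum + WEIGHT[f.severity], 0);
  const score = Math.max(0, 100 - penalty);
  return { findings, score, grade: gradeFor(score) };
}

// Constructed fixtures: one clean project, one with several of the listed issues.
const CLEAN_PROJECT: Snapshot = {
  ".gitignore": "node_modules\n.env\n",
  "SECURITY.md": "# Security policy\n",
  "src/index.ts": "export const add = (a: number, b: number) => a + b;\n",
};

const RISKY_PROJECT: Snapshot = {
  // AWS's published example key id, not a live credential.
  ".env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
  "src/handler.js": [
    "function render(el, html) { el.innerHTML = html; }",
    'function find(db, id) { return db.query("SELECT * FROM users WHERE id = " + id); }',
  ].join("\n"),
};

function summarize(name: string, snap: Snapshot): string {
  const r = collectSecurityFindings(snap);
  const list = r.findings.map((f) => `${f.severity}:${f.rule}`).join(", ");
  return `${name}: ${r.score}/${r.grade}${list ? " [" + list + "]" : ""}`;
}

console.log(summarize("clean", CLEAN_PROJECT));
console.log(summarize("risky", RISKY_PROJECT));
```

The clean fixture scores 100/A with no findings, matching the "Clean project scores 100/A" case in the test list; the risky fixture collects two high content findings, a critical key-pattern hit inside `.env`, the critical `.env`-without-`.gitignore` structural finding and the low missing-`SECURITY.md` finding.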
@coderabbitai

coderabbitai Bot commented Mar 15, 2026

Warning

Rate limit exceeded

@LucasSantana-Dev has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 2 minutes and 0 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 6600c1e8-c658-45a5-8392-dcc6c4a3ac9a

📥 Commits

Reviewing files that changed from the base of the PR and between 417f5a9 and 21b0fc3.

📒 Files selected for processing (2)
  • patterns/idp/__tests__/migration-assessor.test.ts
  • sonar-project.properties

@github-actions

Project Scorecard


Scorecard: 84/100 (B)
────────────────────────────────────────
  security: 100/100 (A)
  quality: 80/100 (B) — 1 violations
  performance: 67/100 (D) — 1 violations
  compliance: 75/100 (C) — 1 violations
  dependency: 100/100 (A)

Recommendations:
  - Increase test coverage to meet the 80% threshold
  - Extend log retention to at least 90 days for compliance

@sonarqubecloud

Quality Gate failed

Failed conditions
30.9% Duplication on New Code (required ≤ 3%)

See analysis details on SonarQube Cloud

@LucasSantana-Dev LucasSantana-Dev merged commit eb8b4ca into main Mar 15, 2026
24 of 25 checks passed
@LucasSantana-Dev LucasSantana-Dev deleted the test/migration-assessor-coverage branch March 15, 2026 05:44