PREQ-5794 Fix check-sca Gradle Kotlin DSL projectKey parsing#254

Merged: bwalsh434 merged 1 commit into master from feat/smarini/PREQ-5794-check-sca-kts-projectkey-parsing on May 15, 2026
Conversation

@SamirM-BE SamirM-BE commented May 13, 2026

Context

Surfaced via PREQ-5794 — Nils, while preparing the SCA check workflow on SonarSource/sonar-php (nw/sca branch), reported that check-sca ignores sonar.projectKey in build.gradle.kts and falls back to a derived key that doesn't match the actual Sonar project key.

Originating action: introduced in BUILD-11091.

Root cause

The Gradle key-extraction regex in check-sca/check-sca.sh:

sonar\.projectKey[^"]*"([^"]+)"

is too loose for Kotlin DSL. On the typical KTS form:

property("sonar.projectKey", "org.sonarsource.php:php")

it matches but captures `, ` (the literal `", "` between the two arguments), not the project key. The action then queries the Sonar API with garbage and falls back to SonarSource_<repo> — which does not exist for analyzers using Maven-style keys.

Reproduction:

$ echo '    property("sonar.projectKey", "org.sonarsource.php:php")' \
    | perl -ne 'print "[$1]\n" if /sonar\.projectKey[^"]*"([^"]+)"/'
[, ]

Fix

Tighten the regex to two well-defined shapes:

  1. sonar.projectKey = "value" / sonar.projectKey: "value" (Groovy assignment / KTS map literal).
  2. ("sonar.projectKey", "value") (KTS property(...) / set(...) calls, including single-quoted Groovy form).

Both single (') and double (") quotes are accepted.

Validation

Manual matrix run on the new pattern:

Input                                                      Captured
property("sonar.projectKey", "org.sonarsource.php:php")    org.sonarsource.php:php
set("sonar.projectKey", "k1")                              k1
sonar.projectKey = "k3"                                    k3
sonar.projectKey: "k4"                                     k4
property('sonar.projectKey', 'k5')                         k5
properties["sonar.projectKey"] = "k2"                      no match (known gap)

Regression test added in spec/check-sca_spec.sh for the property("sonar.projectKey", ...) KTS form.

Known limitations / non-goals

  • properties["sonar.projectKey"] = "..." indexed-property form still not detected (uncommon in our analyzers, can be added if needed).
  • Comments containing sonar.projectKey = "..." would still be matched — same behaviour as before, no regression.
  • Did not try to parse settings.gradle.kts or composite-build root projects.

Workaround already used downstream

sonar-php nw/sca branch sets the project-key: input explicitly, which is the supported override and unblocks the requester:

- uses: SonarSource/ci-github-actions/check-sca@v1
  with:
    project-key: "org.sonarsource.php:php"

So this PR is not urgent — it removes a foot-gun before broad onboarding.

Test plan

  • Owner (@sonarsource/platform-eng-xp-squad, ideally Brian as the original author of check-sca) confirms regex shape covers all KTS variants you care about for v1.
  • CI check-sca.yml self-test still green.
  • Optional: dry-run on sonar-php nw/sca after removing the explicit project-key: input.
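The validation matrix above, run through both the pre-fix regex quoted in the description and a tightened pattern reconstructed from the two shapes it lists. This is an added illustration in Python's re module, not code from the PR or from check-sca.sh; the tightened pattern is a reconstruction, not the merged Perl, and SAMPLE_KTS is a constructed fragment.

```python
import re

# Loose pattern from the pre-fix check-sca.sh, as quoted in the PR description.
LOOSE = re.compile(r'sonar\.projectKey[^"]*"([^"]+)"')

# Tightened pattern reconstructed from the PR description (an assumption: this
# is not the merged regex verbatim). Branch 1 is the assignment / map-literal
# shape, branch 2 the property(...)/set(...) argument pair. Each quote is
# captured and back-referenced so the closing quote must match the opening one.
TIGHT = re.compile(
    r'sonar\.projectKey\s*[=:]\s*(["\'])([^"\']+)\1'
    r'|\((["\'])sonar\.projectKey\3\s*,\s*(["\'])([^"\']+)\4\)'
)


def extract_loose(text: str):
    """Pre-fix behaviour: first capture of the loose regex, or None."""
    m = LOOSE.search(text)
    return m.group(1) if m else None


def extract_tight(text: str):
    """Post-fix behaviour: the first line matching either shape wins (mirrors
    the script's early exit), returning the key or None."""
    for line in text.splitlines():
        m = TIGHT.search(line)
        if m:
            return m.group(2) or m.group(5)
    return None


# Constructed build.gradle.kts fragment (not taken from any analyzer repo).
SAMPLE_KTS = """\
sonar {
    properties {
        property("sonar.projectKey", "org.sonarsource.php:php")
        property("sonar.organization", "sonarsource")
    }
}
"""

if __name__ == "__main__":
    for label, fn in (("loose", extract_loose), ("tight", extract_tight)):
        print(f"{label}: {fn(SAMPLE_KTS)!r}")
```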

hashicorp-vault-sonar-prod Bot commented May 13, 2026

PREQ-5794

@SamirM-BE SamirM-BE force-pushed the feat/smarini/PREQ-5794-check-sca-kts-projectkey-parsing branch from 086aef8 to 4e3d881 on May 13, 2026 13:14
The previous regex `sonar\.projectKey[^"]*"([^"]+)"` captured the wrong
token on `property("sonar.projectKey", "<value>")` (typical KTS form),
returning `, ` instead of the actual project key. The action then queried
the Sonar measures API with garbage and fell back to the derived
`SonarSource_<repo>` key, which does not match the real project key for
analyzers like sonar-php (`org.sonarsource.php:php`).

Tighten the regex to match either:
  * `sonar.projectKey = "<value>"` / `sonar.projectKey: "<value>"`
  * `("sonar.projectKey", "<value>")` (KTS `property(...)` / `set(...)`)

and add a regression test covering the KTS form.

Refs: BUILD-11091
@bwalsh434 bwalsh434 force-pushed the feat/smarini/PREQ-5794-check-sca-kts-projectkey-parsing branch from 4e3d881 to c545e10 on May 15, 2026 19:13
@bwalsh434 bwalsh434 marked this pull request as ready for review May 15, 2026 19:20
@bwalsh434 bwalsh434 requested a review from a team as a code owner May 15, 2026 19:20
Copilot AI review requested due to automatic review settings May 15, 2026 19:20
sonar-review-alpha Bot commented May 15, 2026

Summary

Fixes check-sca's inability to parse sonar.projectKey from Gradle Kotlin DSL (build.gradle.kts) files. The original regex was too loose and captured the separator between arguments instead of the key value. The fix tightens the pattern to explicitly match two common syntaxes: assignment (sonar.projectKey = "value") and function calls (property("sonar.projectKey", "value")), supporting both single and double quotes. Includes a regression test for the KTS property syntax case.

What reviewers should know

Code changes:

  • check-sca/check-sca.sh (lines 119–126): The core regex replacement. Note it now uses an inline Perl script with two alternative patterns and early exit for efficiency.
  • spec/check-sca_spec.sh: One new test case for the previously failing KTS property syntax.

Key details for review:

  • Both quoted-string patterns use ["\x27] (double and single quotes). The ["\x27]+ means "one or more non-quote characters", anchored correctly at both ends.
  • The second pattern matches sonar.projectKey" followed by a comma and separator — this is the specific form that was failing before (it captured , instead of the key).
  • Early exit (exit; on first match) prevents overwriting the captured value if there are multiple matches in the file.
  • Still does not detect properties["sonar.projectKey"] = ... (indexed form), but this is acknowledged as intentional and rare in the analyzers covered.

Questions for reviewers:

  • Does this regex shape cover all KTS/Groovy variants you need for v1?
  • The test matrix in the PR description is helpful — if you know of edge cases not listed there, they should be confirmed or added as tests.

Copilot AI left a comment

Pull request overview

Fixes check-sca project-key discovery for Gradle Kotlin DSL by tightening the sonar.projectKey extraction so that build.gradle.kts property("sonar.projectKey", "...") (and similar shapes) is parsed correctly instead of capturing the comma/spacing and falling back to a derived key.

Changes:

  • Update Gradle projectKey extraction in check-sca.sh to match well-defined assignment and property(...)/set(...) argument forms (supporting both single and double quotes).
  • Add a ShellSpec regression test covering build.gradle.kts property("sonar.projectKey", "...") syntax.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File                     Description
check-sca/check-sca.sh   Tightens Perl regex logic for Gradle/GKTS sonar.projectKey extraction to correctly capture Kotlin DSL property/set forms.
spec/check-sca_spec.sh   Adds regression coverage for discovering sonar.projectKey from build.gradle.kts via property("sonar.projectKey", "...").

@sonar-review-alpha sonar-review-alpha Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! ✅

@bwalsh434 bwalsh434 merged commit 6252996 into master May 15, 2026
24 checks passed
@bwalsh434 bwalsh434 deleted the feat/smarini/PREQ-5794-check-sca-kts-projectkey-parsing branch May 15, 2026 19:34