
PREQ-5738: Adds maven-style project key extraction to check-sca #255

Merged: bwalsh434 merged 2 commits into master from
feat/bwalsh/PREQ-5738-adds-maven-style-project-key-extraction-check-sca
on May 15, 2026
Conversation

@bwalsh434 bwalsh434 commented May 14, 2026

Summary

  • Enhanced discover_project_keys() to extract Maven-style groupId:artifactId
    project keys from pom.xml, in addition to the existing <sonar.projectKey>
    property extraction
  • This fixes check-sca failures for repos analyzed on SonarQube Next whose
    project keys follow the Maven default convention (e.g.,
    org.sonarsource.plugins.cayc:sonar-cayc-plugin) rather than the
    SonarSource_<repo-name> convention
  • Additionally, as part of BUILD-11387, removed the "Required" verbiage from the check name

Context

Two repos (sonar-cayc-stats-plugin and sonar-scanner-jenkins) fail the
check-sca action because they don't define an explicit <sonar.projectKey>
in their pom.xml. SonarQube generates their project keys from Maven coordinates
(groupId:artifactId), but the action couldn't discover these keys and fell
back to the GITHUB_REPOSITORY-derived key which doesn't match anything.

See: PREQ-5738

How it works

After checking for an explicit <sonar.projectKey> property (step 4a), the
script now also extracts the project-level <groupId> and <artifactId> from
pom.xml (step 4b). It handles:

  • Project-level groupId: uses the project's own <groupId> when present
  • Inherited groupId: falls back to the parent's <groupId> when the
    project doesn't define its own (standard Maven inheritance)
  • Dependency/build noise: strips <parent>, <dependencyManagement>,
    <dependencies>, <build>, <profiles>, <reporting>, and <modules>
    blocks before extracting, so dependency groupIds aren't matched

Both keys are emitted as candidates (deduplication handles overlap), so the
polling loop tries all of them against all platforms.

Test plan

  • derives groupId:artifactId from pom.xml with project-level groupId
    pom with parent + its own groupId → org.sonarsource.plugins.cayc:sonar-cayc-plugin
  • derives groupId:artifactId from pom.xml with inherited parent groupId
    pom with no project-level groupId → org.jenkins-ci.plugins:sonar
  • prefers sonar.projectKey over groupId:artifactId from pom.xml
    both explicit key and Maven key appear as candidates
  • does not derive Maven key when pom.xml has only parent block
    no project-level artifactId → no key emitted
  • Verified extraction against actual pom.xml files from both affected repos via gh api
  • All 21 ShellSpec tests pass (16 existing + 5 new including the existing sonar.projectKey test)

hashicorp-vault-sonar-prod Bot commented May 14, 2026

PREQ-5738

@bwalsh434 bwalsh434 force-pushed the feat/bwalsh/PREQ-5738-adds-maven-style-project-key-extraction-check-sca branch from 4cd197a to 51eb5cb Compare May 14, 2026 20:53
@bwalsh434 bwalsh434 marked this pull request as ready for review May 14, 2026 21:03
@bwalsh434 bwalsh434 requested a review from a team as a code owner May 14, 2026 21:03
Copilot AI review requested due to automatic review settings May 14, 2026 21:03
sonar-review-alpha Bot commented May 14, 2026

Summary

This PR enhances the check-sca action to discover Maven-style project keys (groupId:artifactId) from pom.xml files, fixing check failures for repositories using Maven's default key convention. The change is isolated to the discover_project_keys() function in check-sca.sh, which now:

  1. Improves the existing explicit sonar.projectKey extraction to handle multiline XML values with proper whitespace trimming
  2. Adds new logic (step 4b) to derive Maven keys from pom.xml by extracting project-level or inherited groupId and artifactId, while filtering out dependency/build noise blocks

The PR also removes "Required" from the workflow name (BUILD-11387) and updates documentation accordingly. All 21 tests pass (16 existing + 5 new).

What reviewers should know

Where to start:

  • Focus on the Perl regex logic in check-sca.sh lines 71-110 — this is where the complexity lives
  • The new 5 test cases (lines 92-138 in spec file) directly demonstrate each scenario and are worth reading first to understand the expected behavior

Key things to verify:

  1. Perl multiline matching approach: The code uses -0777 flag to slurp entire file, enabling /s flag for . to match newlines. This is the right approach for XML parsing with multiline elements, but verify the regex patterns correctly identify groupId/artifactId positions relative to parent and dependency blocks.

  2. Noise filtering order: The logic strips <parent>, <dependencyManagement>, <dependencies>, <build>, <profiles>, <reporting>, <modules> blocks before extracting, ensuring dependency groupIds aren't matched. Verify all relevant blocks are stripped.

  3. Fallback chain: First attempts project-level <groupId>, falls back to parent's <groupId>, then extracts <artifactId>. Only emits key if both are present (important edge case: pom with only parent block should emit nothing).

  4. Whitespace handling: Both old (sonar.projectKey) and new (Maven key) logic now trim whitespace. This matters for multiline XML values — see test case "trims whitespace when reading pom.xml project keys".

  5. Key ordering/deduplication: Both explicit and Maven keys are added to the keys array and later deduplicated by the polling loop. Verify the test "prefers sonar.projectKey" confirms both appear when present.

Tests cover all paths:

  • Project-level groupId (org.sonarsource.plugins.cayc scenario)
  • Inherited groupId (org.jenkins-ci.plugins scenario)
  • Preference/coexistence of both key types
  • Whitespace trimming
  • Edge case: no key when only parent present


Copilot AI left a comment


Pull request overview

Adds Maven-style SonarQube project key discovery (groupId:artifactId) to the check-sca action so repositories relying on SonarQube’s Maven-default key derivation can be validated without requiring an explicit <sonar.projectKey> in pom.xml. Also renames the check/workflow display name to remove “Required”.

Changes:

  • Extend discover_project_keys() to emit a Maven-derived groupId:artifactId key candidate from pom.xml (while still preferring an explicit <sonar.projectKey>).
  • Add ShellSpec coverage for Maven key derivation scenarios (project-level groupId, inherited parent groupId, precedence, and negative case).
  • Update README + workflow name from “Required SCA Check” to “SCA Check”.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

File                             Description
check-sca/check-sca.sh           Adds Maven groupId:artifactId extraction logic to project key discovery.
spec/check-sca_spec.sh           Adds tests validating the new Maven key extraction behavior.
README.md                        Updates the documented check name in the example workflow snippet.
.github/workflows/check-sca.yml  Renames the workflow to “SCA Check”.


Comment thread check-sca/check-sca.sh
Comment thread README.md
sonar-review-alpha[bot]

This comment was marked as resolved.

@bwalsh434 bwalsh434 force-pushed the feat/bwalsh/PREQ-5738-adds-maven-style-project-key-extraction-check-sca branch from 51eb5cb to 3d3b95a Compare May 14, 2026 21:22
sonar-review-alpha[bot]

This comment was marked as outdated.

@bwalsh434 bwalsh434 force-pushed the feat/bwalsh/PREQ-5738-adds-maven-style-project-key-extraction-check-sca branch from 3d3b95a to 5b5ad37 Compare May 15, 2026 13:18
@sonar-review-alpha sonar-review-alpha Bot left a comment


LGTM! ✅


@bwalsh434 bwalsh434 merged commit c817b92 into master May 15, 2026
14 checks passed
@bwalsh434 bwalsh434 deleted the feat/bwalsh/PREQ-5738-adds-maven-style-project-key-extraction-check-sca branch May 15, 2026 13:49