Files

T

koriweb d8a80f6272 chore(wiki): dangling 링크 canonical 정규화 (768파일/1200건)

이름만 다른(표기 변형) [[위키링크]]를 대상 문서의 canonical 제목으로 치환해
끊겼던 1,200개 링크를 연결. 제목/파일명 정규화 일치만 적용하고 별칭 매칭은
과병합 위험으로 제외(애매성 가드). 원본은 _link_reconcile_backup/ 에 백업.
도구: Datacollect/scripts/link_reconcile_apply.mjs

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

2026-06-08 12:24:15 +09:00

6.5 KiB

Raw Blame History

id, title, category, status, canonical_id, aliases, duplicate_of, source_trust_level, confidence_score, verification_status, tags, raw_sources, last_reinforced, github_commit, tech_stack

title

SonarQube

매 한 줄

"매 Clean Code 매 quality gate 의 enforce — bug + vuln + smell + hotspot". SonarQube 매 SonarSource 의 self-hosted/cloud SAST + code quality platform, 30+ language support, 매 PR-decoration + branch-analysis. 매 2026 매 SonarQube Server 10.6 LTA + SonarCloud + AI-fix (CodeFix) integration.

매 핵심

매 4 issue type

Bug: 매 logical defect (NPE, infinite loop).
Vulnerability: 매 security flaw (SQL injection, XSS).
Code Smell: 매 maintainability (cyclomatic, duplication).
Security Hotspot: 매 manual-review-required (sensitive context, e.g., crypto usage).

매 Clean Code attributes (2024+)

Consistent, Intentional, Adaptable, Responsible (4 + 16 sub-attrs).
매 legacy A-E rating 매 still present 의 backward-compat.
매 issue 매 Clean Code attribute 매 always tag.

매 Quality Gate

매 PR/branch 매 pass/fail criteria.
Default ("Sonar way"): 매 new code 매 0 bug, 0 vuln, coverage ≥ 80%, duplication ≤ 3%.
매 "Clean as You Code" 매 philosophy: 매 new code 만 strict, 매 legacy 의 grandfather.

매 deployment

Community Build (free, OSS): 매 limited rules + no branch/PR analysis.
Developer / Enterprise / Data Center (paid).
SonarCloud: SaaS. 매 OSS public repo 매 free.
SonarLint: 매 IDE plugin (VSCode, IntelliJ, Cursor 2026 native).

매 응용

CI quality gate.
PR decoration (GitHub/GitLab/Bitbucket/Azure DevOps).
Compliance reporting (OWASP, CWE, PCI DSS).
Tech-debt SQALE rating.

💻 패턴

sonar-project.properties

sonar.projectKey=acme:web-api
sonar.projectName=ACME Web API
sonar.projectVersion=2.4.0
sonar.sources=src
sonar.tests=tests
sonar.exclusions=**/generated/**,**/node_modules/**
sonar.coverage.exclusions=**/*.test.ts,**/migrations/**
sonar.javascript.lcov.reportPaths=coverage/lcov.info
sonar.python.coverage.reportPaths=coverage.xml
sonar.qualitygate.wait=true

GitHub Actions

# .github/workflows/sonar.yml
name: SonarQube
on:
  push: { branches: [main] }
  pull_request: { types: [opened, synchronize, reopened] }
jobs:
  sonar:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with: { fetch-depth: 0 }  # full history for blame
      - uses: actions/setup-node@v4
        with: { node-version: 20 }
      - run: npm ci && npm test -- --coverage
      - uses: SonarSource/sonarqube-scan-action@v3
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}

Maven scan

mvn verify sonar:sonar \
  -Dsonar.projectKey=acme:api \
  -Dsonar.host.url=https://sonar.acme.com \
  -Dsonar.token=$SONAR_TOKEN \
  -Dsonar.qualitygate.wait=true

Docker self-host (SonarQube Server)

# docker-compose.yml
services:
  sonarqube:
    image: sonarqube:10.6-community
    ports: ["9000:9000"]
    environment:
      - SONAR_JDBC_URL=jdbc:postgresql://db:5432/sonar
      - SONAR_JDBC_USERNAME=sonar
      - SONAR_JDBC_PASSWORD=sonar
    volumes:
      - sonar_data:/opt/sonarqube/data
      - sonar_extensions:/opt/sonarqube/extensions
    depends_on: [db]
  db:
    image: postgres:16
    environment:
      - POSTGRES_USER=sonar
      - POSTGRES_PASSWORD=sonar
      - POSTGRES_DB=sonar
    volumes: [pg_data:/var/lib/postgresql/data]
volumes:
  sonar_data: {}
  sonar_extensions: {}
  pg_data: {}

Custom Quality Profile (API)

# Activate rule
curl -u $TOKEN: -X POST \
  "$SONAR_URL/api/qualityprofiles/activate_rule" \
  --data-urlencode "key=AYxxx" \
  --data-urlencode "rule=javascript:S6418" \
  --data-urlencode "severity=CRITICAL"

# Set as default
curl -u $TOKEN: -X POST \
  "$SONAR_URL/api/qualityprofiles/set_default" \
  --data-urlencode "language=js" \
  --data-urlencode "qualityProfile=Acme JS Strict"

Quality Gate condition (API)

curl -u $TOKEN: -X POST \
  "$SONAR_URL/api/qualitygates/create_condition" \
  -d "gateId=1&metric=new_coverage&op=LT&error=85"

Programmatic gate check

# check_gate.py
import requests, sys, os

r = requests.get(
    f"{os.environ['SONAR_URL']}/api/qualitygates/project_status",
    params={"projectKey": "acme:api", "branch": "main"},
    auth=(os.environ['SONAR_TOKEN'], ''),
)
status = r.json()["projectStatus"]["status"]
print(f"Quality Gate: {status}")
sys.exit(0 if status == "OK" else 1)

매 결정 기준

상황	Edition
OSS public repo	SonarCloud (free)
Self-host, no PR analysis	Community Build
Mid-size team, PR decoration	Developer Edition
Enterprise, multi-branch, security reports	Enterprise Edition
Compliance / data-residency	Data Center / self-host

기본값: SonarCloud 매 OSS, Developer Edition 매 commercial team.

🔗 Graph

부모: Static-Analysis · SAST · Code-Quality
변형: CodeQL · Semgrep
응용: Quality-Gate · CI CD · Tech-Debt
Adjacent: SCA_Fundamentals · OWASP Top 10 · Clean-Code

🤖 LLM 활용

언제: 매 issue triage summary, 매 false-positive review, 매 custom rule draft (Sonar Way deviation), 매 SonarLint + Cursor inline-fix. 언제 X: 매 deterministic rule eval (use scanner), 매 production gate decision (human approve).

❌ 안티패턴

All-code strict: 매 legacy 매 100k issue 의 overwhelm. 매 "Clean as You Code" 의 use.
Coverage-only gate: 매 cov 80% 매 logic untested. 매 mutation testing 의 add.
Ignore hotspots: 매 Security Hotspot 매 review 매 skip. 매 actual vuln 매 hidden.
No blame/SCM: 매 issue ownership 매 unknown. 매 SCM integration 매 must.
Self-host no upgrade: 매 LTA 매 missed → 매 stale rules + CVE on Sonar itself.

🧪 검증 / 중복

Verified (SonarSource docs 10.6 LTA; Clean Code taxonomy 2024; OWASP Top 10 2021 mapping).
Canonical for SonarQube topic.
신뢰도 A.

🕓 Changelog

날짜	변경
2026-05-08	Phase 1
2026-05-10	Manual cleanup — full canonical content (Clean Code + Quality Gate + scanner patterns)

6.5 KiB Raw Blame History