fix: skip closed/fixed issues during migration (#133)#141
Conversation
Closed and fixed issues from SonarQube were being recreated on the SonarCloud destination with imaginary line numbers (sometimes beyond the files actual length). They should not be migrated at all. Filter at three layers across all pipeline versions (sq-9.9, sq-10.0, sq-10.4, sq-2025): - API search: drop FIXED from issueStatuses so closed issues are not fetched - Protobuf build: skip closed/fixed issues when building the migration payload - Issue sync: skip closed/fixed issues so transitions are not propagated Centralized the predicate in src/shared/utils/issue-filters/is-closed-or-fixed.js covering both modern (CLOSED/FIXED) and classic (RESOLVED + resolution=FIXED) lifecycles. Also fix syncIssues so the closed/fixed filter is preserved when sqClient is provided (the manual-changes pre-filter branch was reusing the unfiltered sqIssues). Update the syncIssues CLOSED-status test to assert no transition is propagated. Closes #133 Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
SummaryCore fix: Prevents closed/fixed SonarQube issues from being migrated to SonarCloud by filtering them at three independent layers (API fetch, protobuf serialization, issue sync). Centralized predicate: All filtering uses a shared Pre-filter bug fix: The sync functions were passing the unfiltered Applied consistently: Changes replicated across all four pipeline versions (sq-9.9, sq-10.0, sq-10.4, sq-2025) with appropriate API parameter adjustments for each SQ version's lifecycle model. Test update: The CLOSED status test now verifies that no transition is called (the correct behavior) instead of expecting a resolve transition. What reviewers should knowStart here: Review Check the pre-filter bug fix in each pipeline's API changes are version-specific: Each pipeline removes CLOSED and/or FIXED from its issue status query parameter based on what that SQ version supports. Comments explain why RESOLVED is kept (it carries FALSE_POSITIVE and WONTFIX resolutions that should migrate).
|
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 2 potential issues.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit 397bab4. Configure here.
| export function createSonarQubeClient(config) { | ||
| const baseURL = config.url.replace(/\/$/, ''); | ||
| const client = createHttpClient(baseURL, config.token); | ||
| logger.info(`OKO Created SonarQube client for ${baseURL} with token: ${client.token}`); |
There was a problem hiding this comment.
Debug log leaks authentication token to logs
High Severity
An accidentally committed debug statement logs the SonarQube authentication token in plaintext via logger.info. The "OKO" prefix is a clear debug marker. This exposes sensitive credentials in application logs, which could end up in log aggregation systems, CI output, or shared log files.
Reviewed by Cursor Bugbot for commit 397bab4. Configure here.
| const { status, data, config } = error.response; | ||
| if (status === 401 || status === 403) { | ||
| throw new AuthenticationError(`Authentication failed for SonarQube: ${data.errors?.[0]?.msg || 'Invalid credentials'}`, 'SonarQube'); | ||
| throw new AuthenticationError(`Authentication failed for SonarQube: DATA = ${data} - ${data.errors?.[0]?.msg || 'Invalid credentials I believe'}`, 'SonarQube'); |
There was a problem hiding this comment.
Debug text in authentication error message
Medium Severity
The authentication error message was changed to include debug artifacts: raw DATA = ${data} dump and the informal fallback string 'Invalid credentials I believe'. This produces unprofessional, potentially confusing error messages for users and may leak raw response data.
Reviewed by Cursor Bugbot for commit 397bab4. Configure here.


Summary
Closes #133.
Closed and fixed SonarQube issues were being migrated to SonarCloud with imaginary line numbers (e.g. line 656 on a 648-line file). They should not be migrated at all.
The fix filters at three layers across all four pipeline versions (sq-9.9, sq-10.0, sq-10.4, sq-2025):
FIXEDfrom theissueStatusesparameter so closed issues are never fetched in the first place.syncIssues, so transitions are not propagated to SonarCloud either.The closed/fixed predicate is centralized in
src/shared/utils/issue-filters/is-closed-or-fixed.jsand covers both lifecycle conventions:statusisCLOSEDorFIXEDstatusisRESOLVEDandresolutionisFIXEDAdditional fix
syncIssueshad a latent issue where the manual-changes pre-filter branch (if (sqClient)) calledapplyManualChangesPreFilter(sqIssues, ...)on the unfiltered input, undoing the closed/fixed filter when ansqClientwas provided. Fixed in all four pipelines to passissuesToSyncinstead.Test changes
test/sonarcloud/migrators/migrators.test.js—syncIssues handles CLOSED statuspreviously asserted that a CLOSED SQ issue propagated as aresolvetransition on the matching SC issue. With the new design closed issues do not flow throughsyncIssuesat all, so the test is updated to assert no transition is called.Test plan
npm test—syncIssues filters out CLOSED issues (no transition propagation)passesmainin unrelated test failures (existing flakes around portfolios, auth, and logger directories are pre-existing)🤖 Generated with Claude Code
Note
High Risk
Behavioral change to migration filtering is moderate risk, but
sq-10.4now logs SonarQube tokens and auth error details, which is security-sensitive and may leak credentials in logs.Overview
Prevents closed/fixed SonarQube issues from being migrated to SonarCloud by introducing a shared predicate
isClosedOrFixedand applying it across all pipelines (sq-9.9,sq-10.0,sq-10.4,sq-2025) during API search, protobuf issue message building, andsyncIssuesorchestration (including ensuring the manual-changes prefilter runs on the already-filtered set).Updates issue search status filters to exclude
CLOSED/FIXED, adjusts tests to assert that CLOSED issues no longer trigger transitions, and adds extra SonarQube client/auth error logging in thesq-10.4API client (including logging token/error payloads).Reviewed by Cursor Bugbot for commit 397bab4. Bugbot is set up for automated code reviews on this repo. Configure here.