
fix(security): remediate SonarQube vulnerabilities #83

Open
devin-ai-integration[bot] wants to merge 3 commits into main from devin/1770237118-sonarqube-remediation

Conversation

devin-ai-integration bot commented Feb 4, 2026

Closes: N/A (SonarQube remediation task)

Summary

This PR addresses 10 SonarQube issues in pkg/github/actions.go:

S1192 - Duplicated String Literals (5 issues): Defined package-level constants for repeated strings:

  • DescriptionPerPage, DescriptionPage, DescriptionWorkflowRunID for parameter descriptions
  • ErrGetGitHubClient, ErrMarshalResponse for error message formats

S3776 - Cognitive Complexity (5 issues): Extracted parameter parsing into dedicated structs and helper functions for ListWorkflowRuns, RunWorkflow, ListWorkflowJobs, GetJobLogs, and ListWorkflowRunArtifacts.

Updates Since Last Revision

  • Added parseOwnerRepo() and parsePaginationParams() common helper functions to reduce code duplication across parameter parsing functions
  • Fixed stray duplicate comments before struct definitions
  • All parameter parsing functions now use the shared helpers for owner/repo and pagination extraction

Tradeoffs

Complexity vs. Duplication: Reducing cognitive complexity by extracting helper functions introduced some code duplication (parameter parsing patterns). The shared parseOwnerRepo() and parsePaginationParams() helpers mitigate this, but SonarCloud still reports ~5.7% duplication on new code (threshold is 3%). This check is not required and the PR is mergeable. Further reducing duplication would require more invasive changes (e.g., generics) that may reduce readability.

Human Review Checklist

  • GetJobLogs validation logic - The refactoring consolidated validation into validateJobLogsParams(). Verify the logic correctly enforces: run_id required when failed_only=true, job_id required when failed_only=false
  • Error handling preservation - Helper functions now return (nil, err) instead of inline mcp.NewToolResultError(). Verify callers handle this correctly by wrapping in mcp.NewToolResultError(err.Error())
  • Shared helper correctness - parseOwnerRepo() and parsePaginationParams() are used across 5 functions. Verify they correctly extract parameters in all contexts.

Testing

  • All existing tests pass (./script/test)
  • Lint checks pass (./script/lint)

Link to Devin run: https://app.devin.ai/sessions/16ba25ad3f3845348ba565399332fe26
Requested by: parker.duff@codeium.com (@parkerduff)

- S1192: Define constants for duplicated string literals
  - DescriptionPerPage for 'The number of results per page (max 100)'
  - DescriptionPage for 'The page number of the results to fetch'
  - DescriptionWorkflowRunID for 'The unique identifier of the workflow run'
  - ErrGetGitHubClient for 'failed to get GitHub client: %w'
  - ErrMarshalResponse for 'failed to marshal response: %w'

- S3776: Reduce cognitive complexity by extracting helper functions
  - GetJobLogs: Extract parseJobLogsParams and validateJobLogsParams
  - ListWorkflowRuns: Extract workflowRunsParams and parseWorkflowRunsParams
  - RunWorkflow: Extract runWorkflowParams, parseRunWorkflowParams, dispatchWorkflow
  - ListWorkflowJobs: Extract workflowJobsParams and parseWorkflowJobsParams
  - ListWorkflowRunArtifacts: Extract artifactsParams and parseArtifactsParams

Co-Authored-By: parker.duff@codeium.com <pwjduff@gmail.com>
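The parsing and validation pattern that the review checklist above asks reviewers to verify, written out as an added Go example. This is not the PR's code and not the github-mcp-server code base: the names parseOwnerRepo, parseJobLogsParams and validateJobLogsParams are taken from the PR description, but their bodies, the args map type, the toolResult stand-in for mcp.CallToolResult, the default values and the sample inputs are all assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// args mirrors an MCP tool request's argument map after JSON decoding: loosely typed, numbers as float64.
type args map[string]any

// requiredString returns the named argument as a non-empty string.
func requiredString(a args, key string) (string, error) {
	s, ok := a[key].(string)
	if !ok || s == "" {
		return "", fmt.Errorf("parameter %s is required and must be a non-empty string", key)
	}
	return s, nil
}

// optionalInt returns the named argument as an int, or def when absent; fractional values are rejected, not truncated.
func optionalInt(a args, key string, def int) (int, error) {
	if _, present := a[key]; !present {
		return def, nil
	}
	f, ok := a[key].(float64)
	if !ok || f != float64(int(f)) {
		return 0, fmt.Errorf("parameter %s must be an integer", key)
	}
	return int(f), nil
}

type ownerRepo struct{ Owner, Repo string } // shared by every Actions tool

// parseOwnerRepo extracts owner and repo; both are required (assumed helper, named after the PR's).
func parseOwnerRepo(a args) (*ownerRepo, error) {
	owner, err := requiredString(a, "owner")
	if err != nil {
		return nil, err
	}
	repo, err := requiredString(a, "repo")
	if err != nil {
		return nil, err
	}
	return &ownerRepo{Owner: owner, Repo: repo}, nil
}

// jobLogsParams is the parsed input of the get_job_logs tool.
type jobLogsParams struct {
	ownerRepo
	JobID, RunID int64
	FailedOnly   bool
}

// parseJobLogsParams extracts and type-checks; which ID is mandatory is decided in validateJobLogsParams.
func parseJobLogsParams(a args) (*jobLogsParams, error) {
	or, err := parseOwnerRepo(a)
	if err != nil {
		return nil, err
	}
	jobID, err := optionalInt(a, "job_id", 0)
	if err != nil {
		return nil, err
	}
	runID, err := optionalInt(a, "run_id", 0)
	if err != nil {
		return nil, err
	}
	failedOnly, _ := a["failed_only"].(bool) // absent or non-bool means false
	return &jobLogsParams{ownerRepo: *or, JobID: int64(jobID), RunID: int64(runID), FailedOnly: failedOnly}, nil
}

// validateJobLogsParams enforces the checklist rule: run_id is required when failed_only is true, job_id otherwise.
func validateJobLogsParams(p *jobLogsParams) error {
	if p.FailedOnly && p.RunID == 0 {
		return errors.New("run_id is required when failed_only is true")
	}
	if !p.FailedOnly && p.JobID == 0 {
		return errors.New("job_id is required when failed_only is false")
	}
	return nil
}

// toolResult stands in for mcp.CallToolResult; the real handler produces it via mcp.NewToolResultError(err.Error()).
type toolResult struct{ IsError bool; Text string }

// getJobLogs is the caller side: helpers return (nil, err) and this is the one place an error becomes a tool result.
func getJobLogs(a args) *toolResult {
	p, err := parseJobLogsParams(a)
	if err == nil {
		err = validateJobLogsParams(p)
	}
	if err != nil {
		return &toolResult{IsError: true, Text: err.Error()}
	}
	if p.FailedOnly { // the GitHub API call itself is out of scope here
		return &toolResult{Text: fmt.Sprintf("failed job logs for %s/%s run %d", p.Owner, p.Repo, p.RunID)}
	}
	return &toolResult{Text: fmt.Sprintf("logs for %s/%s job %d", p.Owner, p.Repo, p.JobID)}
}

func main() {
	fmt.Println(getJobLogs(args{"owner": "octo", "repo": "hello", "failed_only": true}).Text)
}
```

The split matters for review: parse functions only decide whether a value is present and well-typed, the validate function holds the conditional requirement, and the handler is the single point that converts an error into an error result, so a reviewer checking the checklist's first two items only has to read validateJobLogsParams and the first few lines of the handler.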
devin-ai-integration bot (Author) commented

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

devin-ai-integration bot and others added 2 commits February 4, 2026 20:40
Co-Authored-By: parker.duff@codeium.com <pwjduff@gmail.com>
- Add parseOwnerRepo helper for extracting owner/repo parameters
- Add parsePaginationParams helper for extracting per_page/page parameters
- Update all parameter parsing functions to use these helpers
- Reduces code duplication to address SonarCloud quality gate

Co-Authored-By: parker.duff@codeium.com <pwjduff@gmail.com>
sonarqubecloud bot commented Feb 4, 2026

Quality Gate failed

Failed conditions
5.7% Duplication on New Code (required ≤ 3%)

See analysis details on SonarQube Cloud
