
fix(security): remediate SonarQube vulnerabilities (S1192, S3776)#84

Open
devin-ai-integration[bot] wants to merge 1 commit into main from devin/1770237063-sonarqube-remediation

Conversation

@devin-ai-integration

Closes: N/A (SonarQube remediation task)

Summary

This PR addresses 6 SonarQube issues in pkg/github/repositories.go:

S1192 - Duplicated String Literals (4 issues):

  • Added constants for repeated error messages and URI prefix to eliminate duplication

S3776 - Cognitive Complexity (2 issues):

  • Refactored ListCommits by extracting parameter handling into helper functions
  • Refactored GetFileContents (complexity 86 → ~15) by extracting multiple helper functions for parameter extraction, PR ref resolution, URI building, and content handling

Changes

| Issue    | Rule  | Fix                                                          |
|----------|-------|--------------------------------------------------------------|
| Line 68  | S1192 | errMsgGetGitHubClient constant (12 occurrences)              |
| Line 73  | S1192 | errMsgGetCommit constant (3 occurrences)                     |
| Line 550 | S1192 | resourceURISchemePrefix constant (3 occurrences)             |
| Line 552 | S1192 | errMsgCreateResourceURI constant (3 occurrences)             |
| Line 98  | S3776 | Extract extractListCommitsParams, buildListCommitsOptions    |
| Line 450 | S3776 | Extract 7 helper functions for GetFileContents               |

Human Review Checklist

  • Verify handleRawContentResponse returning (nil, nil) to signal fallback is handled correctly in the caller
  • Confirm error handling flow in refactored GetFileContents is equivalent to original
  • Check response body closing is properly handled across extracted functions
  • Verify no behavioral changes for edge cases (PR refs, directory paths, binary content)

Tradeoffs

  • Added ~100 lines of code to reduce complexity, but improves maintainability and testability of individual helper functions
  • Helper functions are unexported (lowercase) since they're only used within this file

Link to Devin run: https://app.devin.ai/sessions/c8da3bd78b8e4a9faf853258b9183e82
Requested by: @parkerduff

- Define constants for duplicated string literals (S1192):
  - errMsgGetGitHubClient for 'failed to get GitHub client: %w' (12 occurrences)
  - errMsgGetCommit for 'failed to get commit: %s' (3 occurrences)
  - resourceURISchemePrefix for 'repo://' (3 occurrences)
  - errMsgCreateResourceURI for 'failed to create resource URI: %w' (3 occurrences)

- Refactor ListCommits to reduce cognitive complexity (S3776):
  - Extract listCommitsParams struct for parameter handling
  - Extract extractListCommitsParams helper function
  - Extract buildListCommitsOptions helper function

- Refactor GetFileContents to reduce cognitive complexity from 86 to 15 (S3776):
  - Extract fileContentsParams struct for parameter handling
  - Extract extractFileContentsParams helper function
  - Extract resolvePRRef helper function for PR reference resolution
  - Extract buildResourceURI helper function for URI construction
  - Extract createFileContentResult helper function for content type handling
  - Extract handleRawContentResponse helper function
  - Extract handleDirectoryContent helper function
  - Extract fetchRawFileContent helper function

Affected file: pkg/github/repositories.go

Co-Authored-By: parker.duff@codeium.com <pwjduff@gmail.com>
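The first two items of the Human Review Checklist, the (nil, nil) fallback signal and body closing across the extracted helpers, sketched as an added example that is not code from this PR or from the repository: handleRawContentResponse and getFileContents are hypothetical stand-ins with assumed signatures, and trackingBody is a constructed io.ReadCloser that records whether it was closed.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"strings"
)

// trackingBody is a constructed io.ReadCloser that records whether Close ran,
// so "response body is closed on every path" can be asserted rather than assumed.
type trackingBody struct {
	io.Reader
	closed bool
}

func (b *trackingBody) Close() error { b.closed = true; return nil }

// handleRawContentResponse is a hypothetical stand-in for the extracted helper.
// Assumed contract: it owns resp.Body and always closes it; a non-200 status
// yields (nil, nil), which tells the caller to fall back to the contents API.
func handleRawContentResponse(resp *http.Response) ([]byte, error) {
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, nil // fallback signal, deliberately not an error
	}
	data, err := io.ReadAll(resp.Body) // returns a non-nil slice even for an empty file
	if err != nil {
		return nil, fmt.Errorf("failed to read raw content: %w", err)
	}
	return data, nil
}

// getFileContents is a hypothetical caller. It must test data == nil, not
// len(data) == 0: an empty file is real content and must not trigger fallback.
func getFileContents(resp *http.Response, fallback func() ([]byte, error)) ([]byte, error) {
	data, err := handleRawContentResponse(resp)
	if err != nil {
		return nil, err
	}
	if data == nil {
		return fallback()
	}
	return data, nil
}

func main() {
	body := &trackingBody{Reader: strings.NewReader("")}
	resp := &http.Response{StatusCode: http.StatusNotFound, Body: body}
	out, err := getFileContents(resp, func() ([]byte, error) { return []byte("from contents API"), nil })
	fmt.Printf("out=%q err=%v bodyClosed=%v\n", out, err, body.closed)
}
```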
@devin-ai-integration (Author)

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

@sonarqubecloud

sonarqubecloud bot commented Feb 4, 2026
