SonarCloud Issue Triage Report¶

Date: 2026-03-12 Project: devgem_forma-3d-connect Branch analyzed: feature/scaling-preparations (PR #535) Total issues: 769 issues + 6 security hotspots + 19.5% code duplication Total effort: ~3,890 min (~65 hours estimated by SonarCloud)

Summary¶

Recommended Actions¶

Configuration Fixes¶

Before addressing individual issues, update sonar-project.properties to exclude test infrastructure files that are incorrectly analyzed as production code:

# Add to sonar.exclusions:
  **/test/mocks/**,\
  **/test/setup.*

This removes ~15–20 issues from apps/web/src/test/mocks/ that are test mock factories, not production code.

BLOCKER Issues (13)¶

S2068 — Hard-coded credentials (12 issues) → FALSE POSITIVE¶

Files: All audit.service.ts files + change-password-modal.tsx + user-form-modal.tsx

SonarCloud flags any variable containing the word "password" as a potential hard-coded credential. In this codebase:

• Audit services use constants like PASSWORD_CHANGED: 'password.changed' and PASSWORD_RESET: 'password.reset' — these are audit event type names, not credentials.
• change-password-modal.tsx and user-form-modal.tsx use password as a form field variable name for validation logic — no actual secrets.

Recommended fix: Add // NOSONAR comments on the flagged lines:

S2699 — Test without assertions (1 issue) → WON'T FIX¶

File: apps/web/src/components/ui/__tests__/pagination.test.tsx:150

This is an intentional crash/smoke test that verifies the <Pagination> component doesn't throw when given undefined props. The test name is "should handle undefined or NaN values gracefully". Not having an explicit assertion is the point — the test passes if no error is thrown.

Recommended fix: Add // NOSONAR to the test function.

BUG Issues (9)¶

S2871 — Array sort without compare function (8 issues) → PROBLEM¶

.sort() without a compare function converts elements to strings and sorts lexicographically. This can produce unexpected results for numbers and locale-sensitive strings.

Note: 7 of 8 are actually fine — SonarCloud flags .sort() on string arrays but lexicographic sorting is correct for these use cases (permission names, HMAC param keys). Add // NOSONAR with explanation.

S3923 — Identical conditional branches (1 issue) → PROBLEM (real bug)¶

File: apps/order-service/src/audit/audit.controller.ts:59

actorUserId: actorEmail ? undefined : undefined,

Both branches return undefined — this conditional is useless. The comment says "We'll filter by email below" suggesting this was a placeholder that was never completed. This should be cleaned up.

Recommended fix: Remove the conditional, just use actorUserId: undefined.

VULNERABILITY Issues (12)¶

All 12 are the same S2068 (hard-coded credentials) already covered in BLOCKER above. They are all false positives — audit event name constants and form field variable names.

CRITICAL Issues (39)¶

S3776 — Cognitive complexity too high (28 issues) → PROBLEM (refactor over time)¶

Functions exceeding the cognitive complexity threshold (default: 15). These are real code quality issues but not urgent bugs.

Top offenders:

Recommendation: Track as tech debt. Refactor the worst offenders (orchestration service, settings page) when touching those files.

S2871 — Array sort (8 issues)¶

Already covered in BUG section above. ⅞ are won't fix, 1 needs review.

S3735 — Void used as value (3 issues) → WON'T FIX¶

Recommended fix: Suppress with // NOSONAR — void expr is a standard TypeScript pattern for acknowledging unused parameters.

MAJOR Issues (132) — All PROBLEM, sorted by auto-fixability¶

Auto-fixable (79 issues)¶

These can likely be fixed with ESLint auto-fix rules or bulk find-and-replace:

Manual refactoring needed (53 issues)¶

S2234 — Arguments in wrong order (1 issue) → REVIEW CAREFULLY¶

File: libs/gridflock-core/src/lib/border-generator.ts:166

off = writeTriangle(buf, off, 0, 0, -1, cx, cy, z0, bx, by, z0, ax, ay, z0);

The function signature is writeTriangle(buf, offset, nx, ny, nz, ax, ay, az, bx, by, bz, cx, cy, cz). SonarCloud suspects ax, ay and bx, by may be swapped. For the bottom face, the reversed winding order (swapping A and B) is intentional to flip the normal direction. This is correct 3D geometry — reversed winding = inverted normal.

Evaluation: False positive — reversed winding order is intentional for the bottom face of a 3D mesh.

MINOR Issues (585) — Bulk Categories¶

Auto-fixable with ESLint rules (~350 issues)¶

Caution with S7773 (143 issues): Changing || to ?? is NOT always safe. || treats "", 0, and false as falsy, while ?? only treats null/undefined. The configuration files (configuration.ts) use || 'default' patterns for env vars where empty string should also fall back — those should stay as ||.

Won't Fix — Stylistic/Low-value (80 issues)¶

Recommended: Suppress at project level in SonarCloud quality profile, or add // NOSONAR selectively.

Needs Manual Review (~55 issues)¶

False Positive — Test Mocks (~15 issues)¶

Files in apps/web/src/test/mocks/ are test infrastructure, not production code. Fix by adding to sonar.exclusions in sonar-project.properties.

Security Hotspots (6)¶

S5852 — Regex vulnerable to backtracking DoS (3 hotspots) → REVIEW¶

Evaluation: The email regex is simple and bounded — no catastrophic backtracking risk in practice. However, for defense-in-depth, consider using a well-tested email validation library.

Recommended: Mark as reviewed/safe in SonarCloud.

S2245 — Pseudorandom number generator (2 hotspots) → WON'T FIX¶

Math.random() is used to add ±10% jitter to retry delays. This is a standard distributed systems pattern — no cryptographic security requirement.

Recommended: Mark as reviewed/safe in SonarCloud, or add // NOSONAR with comment explaining jitter usage.

S5443 — Publicly writable directory (1 hotspot) → WON'T FIX¶

File: apps/gridflock-service/src/gridflock/gridflock.processor.ts:68

Uses /tmp/gridflock-stl as default STL output path, overridable via STL_OUTPUT_PATH env var. In production, this is configured to a secure path. The /tmp fallback is for local development only.

Recommended: Mark as reviewed/safe.

Code Duplication (19.5% / 28,008 lines)¶

Project totals: 66,133 lines of code, 28,008 duplicated lines (33.4% overall, 19.5% on new code), 402 duplicated blocks across 243 files.

The duplication quality gate requires ≤ 3.0% — the project is at 19.5%. This is the single largest quality gate failure.

Root Cause: Cross-Service Code Duplication¶

Nearly all duplication comes from identical files copied across microservices. The architecture has 5 services (gateway, order-service, print-service, shipping-service, gridflock-service) that share common infrastructure code that was copy-pasted rather than extracted into shared libraries.

Duplication by Category¶

1. Observability Infrastructure (~3,100 dup lines) → Extract to libs/service-common¶

These files are nearly identical across all backend services. The business-observability.service.ts alone accounts for 1,832 duplicated lines.

Recommendation: Extract into libs/service-common or a new libs/observability shared library. Each service imports and configures via dependency injection.

2. Authentication & Authorization (~1,100 dup lines) → Extract to libs/service-common¶

Auth logic is duplicated across all 5 services including the gateway.

Recommendation: Extract shared auth service and DTOs into libs/service-common. Service-specific auth customizations can extend the base class.

3. Configuration (~1,300 dup lines) → Extract to libs/config¶

Environment validation and system config management is identical across services.

Recommendation: Extract shared config patterns into libs/config. Each service keeps only its service-specific env vars.

4. Event Log (~1,050 dup lines) → Extract to libs/service-common¶

Event logging is a cross-cutting concern duplicated across all backend services.

Recommendation: Extract into a shared NestJS dynamic module in libs/service-common.

5. Notifications (~1,100 dup lines) → Extract to libs/service-common¶

Email and notification services are duplicated across order, print, and shipping services.

Recommendation: Extract into a shared notifications module.

6. Product Mappings (~1,500 dup lines) → Extract to shared lib or merge¶

Product mapping logic is duplicated between order-service and print-service.

Recommendation: Extract shared DTOs to libs/domain-contracts. Extract repository/service to a shared module, or designate one service as the single owner.

7. Shipments & SendCloud (~1,700 dup lines) → Consolidate ownership¶

Shipment and SendCloud integration code is duplicated between order-service and shipping-service.

Recommendation: Designate shipping-service as the single owner of shipment/SendCloud logic. Other services communicate via events.

8. Print Jobs (~1,070 dup lines) → Consolidate ownership¶

Print job management is duplicated between order-service and print-service.

Recommendation: Designate print-service as the single owner. Extract shared event types and DTOs to libs/domain-contracts.

9. Other Cross-Cutting Concerns (~1,000 dup lines)¶

Recommendation: Extract all infrastructure patterns (audit, retry, webhook idempotency, versioning, tenancy) into libs/service-common. Extract shared DTOs/events to libs/domain-contracts.

Duplication Reduction Strategy¶

Removing ~12,900 of the 28,008 duplicated lines would bring the duplication rate from 33.4% to approximately 16%. Further reductions require domain-level architectural decisions about service boundaries.

Important: Duplication extraction is a significant architectural refactoring effort. Each phase should be treated as a separate PR with thorough testing. Phases D1–D5 and D9 are infrastructure-level changes with low domain risk. Phases D6–D8 involve domain ownership decisions that require architectural review.

Recommended Implementation Order¶

Phase 1: Quick Wins (30 min)¶

1. Update sonar-project.properties to exclude test mocks (~15 issues removed)
2. Add // NOSONAR to 12 false-positive S2068 credential warnings
3. Add // NOSONAR to the S2699 test assertion warning
4. Add // NOSONAR to 3 S3735 void-as-value warnings

Phase 2: Real Bug Fixes (1 hour)¶

1. Fix S3923: Remove useless conditional in audit.controller.ts:59
2. Add // NOSONAR to 7 legitimate S2871 .sort() calls with explanation
3. Verify S2234 argument order in border-generator.ts:166 (likely correct)

Phase 3: Auto-fixable Code Quality (~2 hours)¶

1. Enable ESLint rules matching SonarCloud findings
2. Run eslint --fix across the codebase
3. Review changes (especially || → ?? conversions)
4. This should resolve ~350 minor issues

Phase 4: Manual Refactoring (ongoing)¶

1. Reduce cognitive complexity in top offenders
2. Extract nested ternaries to helper functions/variables
3. Add readonly to constructor-injected NestJS fields
4. Move constant objects outside JSX render functions
5. Replace array index keys with stable identifiers

Phase 5: Won't Fix Suppressions¶

1. Add // NOSONAR to S7763 and S7772 issues (or suppress at quality profile level)
2. Review S1874 deprecated API usage and plan migration

Phase 6: Duplication Reduction (multi-sprint effort)¶

1. D1–D5, D9: Extract shared infrastructure into libs/service-common (observability, auth, config, event-log, notifications, audit, retry, webhook idempotency, versioning, tenancy)
2. D6: Move shared DTOs/events to libs/domain-contracts (product mappings, print jobs, shipments)
3. D7–D8: Consolidate domain ownership (shipping-service owns shipments/SendCloud, print-service owns print jobs)
4. Each phase = separate PR with full test coverage verification