github · sonarqube-mcp-serverHEAD

Network / IO / subprocess call without an explicit timeout. A malicious or hung upstream (HTTP host, socket peer, child process) can pin threads, exhaust connection/process pools, and make the MCP server unresponsive. Always pass a bounded timeout. v2 extends v1 with subprocess coverage (R03 from the legacy readiness audit).

- `q` - Optional search query to filter portfolios by name - _String_

  - `favorite` - Required to be true if 'enterpriseId' parameter is omitted. If true, only returns portfolios favorited by the logged-in user. Cannot be true when 'draft' is true - _Boolean_

  - `draft` - If true, only returns drafts created by the logged-in user. Cannot be true when 'favorite' is true - _Boolean_

  - `pageIndex` - Optional index of the page to fetch (default: 1) - _Integer_

  - `pageSize` - Optional size of t

Network / IO / subprocess call without an explicit timeout. A malicious or hung upstream (HTTP host, socket peer, child process) can pin threads, exhaust connection/process pools, and make the MCP server unresponsive. Always pass a bounded timeout. v2 extends v1 with subprocess coverage (R03 from the legacy readiness audit).

- `favorite` - Required to be true if 'enterpriseId' parameter is omitted. If true, only returns portfolios favorited by the logged-in user. Cannot be true when 'draft' is true - _Boolean_

  - `draft` - If true, only returns drafts created by the logged-in user. Cannot be true when 'favorite' is true - _Boolean_

  - `pageIndex` - Optional index of the page to fetch (default: 1) - _Integer_

  - `pageSize` - Optional size of the page to fetch (default: 50) - _Integer_

### Projects

Network / IO / subprocess call without an explicit timeout. A malicious or hung upstream (HTTP host, socket peer, child process) can pin threads, exhaust connection/process pools, and make the MCP server unresponsive. Always pass a bounded timeout. v2 extends v1 with subprocess coverage (R03 from the legacy readiness audit).

.addBooleanProperty(FAVORITE_PROPERTY, "Required to be true if 'enterpriseId' parameter is omitted. " +

          "If true, only returns portfolios favorited by the logged-in user. Cannot be true when 'draft' is true")

        .addBooleanProperty(DRAFT_PROPERTY, "If true, only returns drafts created by the logged-in user. Cannot be true when 'favorite' is true")

        .addNumberProperty(PAGE_INDEX_PROPERTY, "Index of the page to fetch (default: 1)")

        .addNumberProperty(PAGE_SIZE_PROPERT

Network / IO / subprocess call without an explicit timeout. A malicious or hung upstream (HTTP host, socket peer, child process) can pin threads, exhaust connection/process pools, and make the MCP server unresponsive. Always pass a bounded timeout. v2 extends v1 with subprocess coverage (R03 from the legacy readiness audit).

"If true, only returns portfolios favorited by the logged-in user. Cannot be true when 'draft' is true")

        .addBooleanProperty(DRAFT_PROPERTY, "If true, only returns drafts created by the logged-in user. Cannot be true when 'favorite' is true")

        .addNumberProperty(PAGE_INDEX_PROPERTY, "Index of the page to fetch (default: 1)")

        .addNumberProperty(PAGE_SIZE_PROPERTY, "Size of the page to fetch (default: 50)");

    } else {

      builder.setDescription("List portfolios availabl

GitHub Actions `uses:` reference is not pinned to a 40-character commit SHA. Tags (`@v4`) and branches (`@main`) are mutable — a compromised maintainer or a tag rewrite can substitute malicious code into your CI pipeline silently. Pin to a SHA: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab`. For readability, include the version as a trailing comment: `# v4.1.1`. Tools like `pinact` / `ratchet` automate this. Allowed unpinned forms (excluded by the rule): - Local actions `.

secrets: |

            development/kv/data/jira user | JIRA_USER;

            development/kv/data/jira token | JIRA_TOKEN;

      - uses: sonarsource/gh-action-lt-backlog/PullRequestClosed@v2

        with:

          github-token: ${{secrets.GITHUB_TOKEN}}

          jira-user:  ${{ fromJSON(steps.secrets.outputs.vault).JIRA_USER }}

GitHub Actions `uses:` reference is not pinned to a 40-character commit SHA. Tags (`@v4`) and branches (`@main`) are mutable — a compromised maintainer or a tag rewrite can substitute malicious code into your CI pipeline silently. Pin to a SHA: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab`. For readability, include the version as a trailing comment: `# v4.1.1`. Tools like `pinact` / `ratchet` automate this. Allowed unpinned forms (excluded by the rule): - Local actions `.

development/github/token/{REPO_OWNER_NAME_DASH}-jira token | GITHUB_TOKEN;

            development/kv/data/jira user | JIRA_USER;

            development/kv/data/jira token | JIRA_TOKEN;

      - uses: sonarsource/gh-action-lt-backlog/PullRequestCreated@v2

        with:

          github-token: ${{ fromJSON(steps.secrets.outputs.vault).GITHUB_TOKEN }}

          jira-user:    ${{ fromJSON(steps.secrets.outputs.vault).JIRA_USER }}

GitHub Actions `uses:` reference is not pinned to a 40-character commit SHA. Tags (`@v4`) and branches (`@main`) are mutable — a compromised maintainer or a tag rewrite can substitute malicious code into your CI pipeline silently. Pin to a SHA: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab`. For readability, include the version as a trailing comment: `# v4.1.1`. Tools like `pinact` / `ratchet` automate this. Allowed unpinned forms (excluded by the rule): - Local actions `.

secrets: |

            development/kv/data/jira user | JIRA_USER;

            development/kv/data/jira token | JIRA_TOKEN;

      - uses: sonarsource/gh-action-lt-backlog/SubmitReview@v2

        with:

          github-token: ${{secrets.GITHUB_TOKEN}}

          jira-user: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_USER }}

GitHub Actions `uses:` reference is not pinned to a 40-character commit SHA. Tags (`@v4`) and branches (`@main`) are mutable — a compromised maintainer or a tag rewrite can substitute malicious code into your CI pipeline silently. Pin to a SHA: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab`. For readability, include the version as a trailing comment: `# v4.1.1`. Tools like `pinact` / `ratchet` automate this. Allowed unpinned forms (excluded by the rule): - Local actions `.

development/github/token/{REPO_OWNER_NAME_DASH}-jira token | GITHUB_TOKEN;

            development/kv/data/jira user | JIRA_USER;

            development/kv/data/jira token | JIRA_TOKEN;

      - uses: sonarsource/gh-action-lt-backlog/RequestReview@v2

        with:

          github-token: ${{ fromJSON(steps.secrets.outputs.vault).GITHUB_TOKEN }}

          jira-user:    ${{ fromJSON(steps.secrets.outputs.vault).JIRA_USER }}