A demonstration monolith application (Spring Boot + React/TypeScript) designed to showcase SonarCloud's static analysis capabilities.

⚠️ WARNING: This application intentionally contains security vulnerabilities, bugs, and code smells for educational purposes. DO NOT use in production!

This is a dummy/demo application created exclusively for showcasing SonarQube/SonarCloud capabilities.

This application is NOT intended to be a functional e-commerce platform. It is a training and demonstration tool that:

• ✅ Demonstrates how SonarQube detects security vulnerabilities, bugs, and code smells
• ✅ Provides realistic code examples for learning static analysis
• ✅ Showcases SonarQube's ability to identify issues across multiple languages (Java, TypeScript)
• ❌ Should NEVER be deployed to production environments
• ❌ Is NOT a secure or functional application
• ❌ Does NOT follow security or coding best practices (intentionally)

All vulnerabilities, bugs, and poor coding practices in this codebase are intentional and documented for educational purposes.

This is a monolith architecture where:

• Backend: Spring Boot (Java 21) serves both API endpoints and the React frontend
• Frontend: React/TypeScript built with Vite, packaged as static resources in the JAR
• Database: PostgreSQL
• SPA Routing: All non-API requests are forwarded to index.html to enable client-side routing (handled by SpaController)

┌─────────────────────────────────────────────────────────┐
│                   Single JAR Deployment                  │
│  ┌─────────────────────────────────────────────────────┐│
│  │              Spring Boot Application                ││
│  │  ┌─────────────────┐    ┌─────────────────────────┐││
│  │  │   REST API      │    │   Static Resources      │││
│  │  │   /api/v1/*     │    │   (React SPA)           │││
│  │  └─────────────────┘    └─────────────────────────┘││
│  └─────────────────────────────────────────────────────┘│
│                            │                             │
└────────────────────────────┼─────────────────────────────┘
                             ▼
                      ┌─────────────┐
                      │  PostgreSQL │
                      └─────────────┘

sonar-demo/
├── pom.xml                    # Parent Maven POM
├── Dockerfile                 # Multi-stage build for monolith
├── docker-compose.yml         # PostgreSQL + App
├── backend/
│   ├── pom.xml                # Backend module (depends on frontend)
│   └── src/
│       ├── main/java/         # Java source code
│       └── test/java/         # Java tests
├── frontend/
│   ├── pom.xml                # Frontend module (builds React app)
│   ├── package.json
│   ├── vite.config.ts
│   └── src/                   # React/TypeScript source
└── malicious-attic/
    ├── pom.xml                # Test module for supply chain security scanning
    ├── package.json            # Contains malicious npm packages for demo
    └── package-lock.json      # Lockfile with malicious dependencies

• Docker & Docker Compose
• Java 21+ (for local development)
• Node.js 24+ (for local development)
• Maven 3.9+ (for local development)

# Start the full stack (PostgreSQL + Monolith App)
docker-compose up -d

# Wait for services to start (takes 1-2 minutes)
# Application: http://localhost:8080
# API Health:  http://localhost:8080/api/v1/health

1. Start PostgreSQL:

docker-compose up -d postgres

2. Build and run the monolith:

# From the project root
mvn clean install
cd backend
mvn spring-boot:run

3. For frontend development with hot reload:

# In a separate terminal
cd frontend
npm install
npm run dev
# Frontend dev server: http://localhost:3000 (proxies API to :8080)

Running mvn clean install will automatically:

• Build the frontend React application
• Generate TypeDoc documentation for frontend
• Build the backend Spring Boot application
• Generate JavaDoc documentation for backend
• Package everything into JARs

# Build everything from the root
mvn clean package

# The executable JAR is at: backend/target/sonarshowcase-backend-1.2.0-SNAPSHOT.jar

# Build only backend (requires frontend to be pre-built)
mvn clean package -Dfrontend-maven-plugin.skip=true

Analysis is performed against SonarCloud. No local SonarQube instance is needed.

1. Create a project on SonarCloud
2. Generate a token: Account → Security → Generate Tokens
3. Set the token as an environment variable:

export SONAR_TOKEN=your_token_here

# Build with tests and coverage, then analyze
mvn clean verify org.sonarsource.scanner.maven:sonar-maven-plugin:sonar

# Or analyze without rebuilding
mvn sonar:sonar

# Install sonar-scanner if not already installed
# npm install -g sonar-scanner

# Run from project root
sonar-scanner -Dsonar.token=$SONAR_TOKEN

Open your project on SonarCloud to explore the analysis results.

Documentation is automatically generated during the Maven build:

• JavaDoc (Backend): Generated during build → backend/target/site/apidocs/
• TypeDoc (Frontend): Generated during build → frontend/target/site/typedoc/

Simply run:

mvn clean install

Both documentation sets will be created automatically.

View documentation:

# Backend JavaDoc
open backend/target/site/apidocs/index.html

# Frontend TypeDoc
open frontend/target/site/typedoc/index.html

See docs/AUTOMATED_DOCUMENTATION.md for details on how documentation is generated.

The application includes automatically generated API documentation using SpringDoc OpenAPI:

• Swagger UI: http://localhost:8080/swagger-ui.html
• OpenAPI JSON: http://localhost:8080/v3/api-docs
• OpenAPI YAML: http://localhost:8080/v3/api-docs.yaml

The documentation is automatically generated from the code and includes:

• All REST API endpoints (43 endpoints across 11 controllers)
• Request/response schemas
• Parameter descriptions with examples
• Security warnings for vulnerable endpoints
• Response codes and descriptions

Controllers: HealthController, UserController, OrderController, ActivityLogController, FileController, AuthController, XmlController, ProxyController, SystemController, DataImportController, ValidationController

Note: The documentation is generated at runtime. Start the application to access it.

Testing Guide: See docs/SWAGGER_TESTING.md for detailed instructions on testing Swagger UI and verifying all endpoints.

For detailed specifications and requirements:

• Application Specification: docs/SPECIFICATION.md - Complete specification of application behavior
• SonarQube Rules Mapping: docs/SONARQUBE_RULES_MAPPING.md - Central mapping of all 300+ issues to SonarQube rules
• How to Fix Guide: docs/HOW_TO_FIX.md - Before/after code examples showing how to fix vulnerabilities
• API Reference Card: docs/API_REFERENCE_CARD.md - Quick reference for all endpoints
• Business Logic: docs/business-logic.md - Business flows and rules
• Automated Documentation: docs/AUTOMATED_DOCUMENTATION.md - How JavaDoc/TypeDoc are generated during build
• Local Development: docs/LOCAL_DEVELOPMENT.md - Development setup guide
• AI Assistant Guide: docs/AI_ASSISTANT_GUIDE.md - Guide for AI assistants working on this codebase

This project uses a hybrid configuration approach for SonarQube scanning:

1. Maven Auto-Detection (sonar.maven.scanAll=True in parent pom.xml):

   • SonarQube automatically detects Maven modules (backend, frontend, and malicious-attic)
   • Module-specific properties are defined in each module's pom.xml under <properties>

2. Module-Specific Properties:

   • Backend (backend/pom.xml): Uses standard Maven Java structure

     • Sources: src/main/java
     • Tests: src/test/java
     • Coverage: JaCoCo XML report at target/site/jacoco/jacoco.xml

   • Frontend (frontend/pom.xml): Custom TypeScript/JavaScript configuration

     • Sources: src (TypeScript/JavaScript files)
     • Tests: test directory
     • Test inclusions: **/*.test.ts, **/*.test.tsx
     • Exclusions: **/node_modules/**, **/dist/**, **/build/**, config files
     • Coverage: LCOV report at coverage/lcov.info

   • Malicious Attic (malicious-attic/pom.xml): Test module for supply chain security scanning

     • Packaging: pom (not built by Maven, exists only for SonarQube scanning)
     • Sources: . (package.json and package-lock.json)
     • Contains malicious npm packages for supply chain vulnerability detection
     • Exclusions: **/node_modules/**, **/dist/**, **/build/**, config files

3. Global Configuration (Optional):

   • If not using Maven, you can create a sonar-project.properties file with:
     • Project identification (key, name, organization)
     • Module definitions
   • Note: Maven auto-detection is the primary method and takes precedence (all configuration is in pom.xml)

Key Point: The frontend module's source paths are explicitly configured in frontend/pom.xml because it doesn't follow Maven's standard Java directory structure. Without these properties, SonarQube would only index pom.xml instead of the TypeScript/JavaScript source files.

# Health check
curl http://localhost:8080/api/v1/health

# Get all users
curl http://localhost:8080/api/v1/users

# Create a user
curl -X POST http://localhost:8080/api/v1/users \
  -H "Content-Type: application/json" \
  -d '{"username": "johndoe", "email": "[email protected]", "password": "password123"}'

This application contains 300+ intentional issues across three categories to demonstrate SonarQube's comprehensive analysis capabilities:

Vulnerability Categories:

• 🔴 SQL Injection - 10+ instances across UserController, ActivityLogController, and repository implementations
• 🔴 Path Traversal - 8 endpoints in FileController allowing arbitrary file access
• 🔴 XXE Injection - 2 endpoints processing unsafe XML
• 🔴 SSRF - 3 endpoints allowing server-side request forgery
• 🔴 Command Injection - 3 endpoints with OS command injection
• 🔴 Insecure Deserialization - 2 endpoints vulnerable to RCE
• 🔴 ReDoS - 3 endpoints with catastrophic backtracking patterns
• 🔴 JWT Vulnerabilities - Weak secrets, no expiration, accepts "none" algorithm
• 🔴 LDAP Injection - Unsafe LDAP queries
• 🔴 Supply Chain - 4 malicious npm packages + vulnerable dependencies
• 🔴 Other - Hardcoded credentials, XSS, weak crypto, CORS wildcard

Malicious Packages (npm):

Vulnerable Dependencies (npm):

Vulnerable Dependencies (Maven):

The malicious-attic module contains intentionally malicious packages and vulnerable dependencies for demonstrating SonarQube's supply chain security analysis capabilities. These packages are flagged in security databases and should trigger security alerts during scanning.

• Hardcoded credentials throughout (PaymentService, DatabaseConfig)
• XSS via dangerouslySetInnerHTML (CommentDisplay.tsx)
• Weak cryptography using MD5 (PasswordUtil)
• CORS wildcard configuration (WebConfig)
• JWT stored in localStorage (api.ts)

• Null pointer risks
• Resource leaks
• Swallowed exceptions
• Race conditions
• Stale closure in useEffect

• God class (DataManager.java - 820 lines in util/ package)
• Extreme cognitive complexity (processComplexBusinessLogic - complexity > 50)
• Long parameter list (createDetailedReport - 12 parameters)
• Magic numbers everywhere
• 'any' type abuse in TypeScript
• Duplicated validation code
• Poor naming conventions
• Console.log spam
• TODO/FIXME comments
• Skeleton tests with no assertions
• Dead code (unreachable statements, unused methods)
• React anti-patterns (BadPractices.tsx):
  • Missing dependencies in useEffect
  • Array index as key
  • Missing accessibility attributes
  • Poor color contrast
  • Inline functions in JSX

cd backend
./mvnw spring-boot:run

cd frontend
npm install
npm run dev          # Start dev server with hot reload
npm run test         # Run tests
npm run test:coverage # Run tests with coverage
npm run build        # Production build

# Run all tests
mvn test

# Run only backend tests
mvn test -pl backend

# Run only frontend tests
cd frontend && npm test

MIT License

This application is intentionally flawed for educational purposes.