Feature #521 develop sonarqube_properties

[JohnHalleyGotway]

Pull Request Testing

This PR updates the sonarqube.xml workflow slightly. While the existing setup does produce a successful scan, it has fewer findings than the METviewer-6.0.0-beta3 scan run through ant. This updates sonar-project.properties settings and also copies the build directory out of the image rather than the dist directory.

• Describe testing already performed for these changes:
  

Manually ran GHA to scan this feature branch and inspected the findings here. The findings increase from 18 bugs, 2 vulnerabilities, 1.2K smells, and 25 security hotspots on develop to 23 bugs, 14 vulnerabilities, 1.4K smells, and 26 security hotspots on this feature branch.

So the result is changed. However, it does not match the ant-based scan of METviewer-6.0.0-beta3 with its 19 bugs, 90 vulnerabilities, 1.3k smells, and 25 hotspots.

I discussed with @TatianaBurek on Slack and she's happy with these property settings for now.

• Recommend testing for the reviewer(s) to perform, including the location of input datasets, and any additional instructions:
  
  Confirm the GHA sonarqube.yml workflow produces the results described above.

• Do these changes include sufficient documentation updates, ensuring that no errors or warnings exist in the build of the documentation? [Yes]
  None needed.

• Do these changes include sufficient testing updates? [Yes]
  None needed.

• Will this PR result in changes to the test suite? [No]
  
  If yes, describe the new output and/or changes to the existing output:
  

• Do these changes introduce new SonarQube findings? [Yes]
  
  If yes, please describe:
  As expected, and described above.

• Please complete this pull request review by [Wed 4/24/24].
  

Pull Request Checklist

See the METplus Workflow for details.

• Review the source issue metadata (required labels, projects, and milestone).
• Complete the PR definition above.
• Ensure the PR title matches the feature or bugfix branch name.
• Define the PR metadata, as permissions allow.
  Select: Reviewer(s)
  Select: Organization level software support Project or Repository level development cycle Project
  Select: Milestone as the version that will include these changes
• After submitting the PR, select the ⚙️ icon in the Development section of the right hand sidebar. Search for the issue that this PR will close and select it, if it is not already selected.
• After the PR is approved, merge your changes. If permissions do not allow this, request that the reviewer do the merge.
• Close the linked issue and delete your feature or bugfix branch from GitHub.

[TatianaBurek]

The old ant build file for sonar has a property 'sonar.exclusions' that excludes the test classes from the test.
I checked the issues on SonarCube GUI and see that the latest scan includes tests:
https://needham.rap.ucar.edu/project/issues?resolved=false&branch=feature_521_develop_sonarqube_gha&id=METviewer&open=AY739zyz24y5hV7HeGfD

https://needham.rap.ucar.edu/code?id=METviewer&branch=feature_521_develop_sonarqube_gha&selected=METviewer%3Ajava%2Fedu%2Fucar%2Fmetviewer%2Ftest

Is there a way to add 'sonar.exclusions' to the new workflow?

[JohnHalleyGotway]

@TatianaBurek, FYI, I updated the properties file to exclude the test files with these lines:

sonar.exclusions=java/edu/ucar/metviewer/test/*,java/edu/ucar/metviewer/test/**/*
sonar.coverage.exclusions=java/edu/ucar/metviewer/test/*,java/edu/ucar/metviewer/test/**/*

That reduces the resulting findings for this PR...
FROM: 23/14/1.4k/26 bugs/vulnerabilities/smells/hotspots
TO: 19/14/1.3k/25 bugs/vulnerabilities/smells/hotspots