CLI-356 Fetch analysis properties for SCA analysis

[georgii-borovinskikh-sonarsource]

No description provided.

[hashicorp-vault-sonar-prod]

CLI-356

[sonar-review-alpha]

Summary

This PR implements CLI-356: fetching SCA analysis properties from SonarQube project settings.

What changed:

• New parseAnalysisProperties() function routes settings into three categories: SCA-prefixed properties, exclusion patterns, and a Git-ignore flag
• New getProjectSettings() API method fetches settings via /api/settings/values scoped to a project
• analyzeDependencyRisks() now fetches and parses these properties, logging them for debugging (actual forwarding to SCA scanner is deferred to CLI-352)
• Refactored SonarQubeClient.get() to use a new non-throwing getSafe() variant, needed because settings endpoints return 404 for missing projects

Why it matters:
The SCA dependency risk analysis needs project-specific configuration (exclusions, SCA properties, SCM settings). This PR lays the foundation by fetching and parsing them from the API. The properties aren't yet forwarded to the scanner—that's planned in CLI-352—but this PR ensures they're available and validated (project existence is checked via 404 handling).

What reviewers should know

Where to focus:

• parseAnalysisProperties.ts — the core parsing logic; handles both comma-separated and array-based settings, merges multiple exclusion keys
• client.ts — the API layer changes; getSafe() is the new non-throwing variant, getProjectSettings() wraps it with project-not-found error handling
• Integration test changes — verify that settings are fetched, that missing projects are detected (404), and that the API calls happen in the right order

Key decisions:

• getSafe() returns { response, value } instead of throwing, allowing callers to differentiate 404 (project not found) from other errors
• Settings are parsed separately in parseAnalysisProperties, not mixed into the API layer—clean separation of concerns
• The parsing handles missing or mixed value formats (arrays, comma-separated strings) gracefully

What to watch:

• The refactoring of get() to use getSafe() is subtle; verify that error handling still works correctly (check the raiseForStatus logic)
• getValueAsList() trims and filters empty strings—confirm this is the intended behavior for all setting types
• The properties are currently logged but not used; this is expected (awaiting CLI-352 to forward them to the scanner)

---

• Generate Walkthrough
• Generate Diagram

🗣️ Give feedback

[damien-urruty-sonarsource]

LGTM, one suggestion to improve performance

[damien-urruty-sonarsource]

Could we avoid this extra round-trip? Do we receive a 404 when we try to get settings for a non-existing project in the call below, and could we rely on that?

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues
0 New dependency risks

Measures
0 Security Hotspots
94.5% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[sonar-review-alpha]

LGTM! ✅

Clean commit that removes the explicit checkComponent round-trip and instead surfaces a missing project via the 404 from getProjectSettings. The refactoring is correct and the tests were properly updated to match the new behavior.

🗣️ Give feedback