generate a safe password for sonar

.github/workflows/angular.yml

@@ -107,6 +107,7 @@ jobs:
         env:
           JHI_FOLDER_APP: ${{ github.workspace }}/app
           JHIPSTER_DEPENDENCIES_VERSION: ${{ matrix.jhipster-bom-cicd-version }}
+          JHI_SONAR_RECOMMENDATIONS: true
       - run: jhipster.cjs info
       #----------------------------------------------------------------------
       # Detect changes against base commit
@@ -123,6 +124,7 @@ jobs:
           # generate-sample uses JHI_FOLDER_APP to generate the application.
           JHI_FOLDER_APP: ${{ github.workspace }}/base/app
           JHIPSTER_DEPENDENCIES_VERSION: ${{ matrix.jhipster-bom-cicd-version }}
+          JHI_SONAR_RECOMMENDATIONS: true
       #----------------------------------------------------------------------
       # Launch tests
       #----------------------------------------------------------------------

generators/app/__snapshots__/generator.spec.ts.snap

@@ -287,7 +287,7 @@ exports[`generator - app with default config should match snapshot 1`] = `
   "defaultPackaging": "jar",
   "devDatabaseExtraOptions": "",
   "devDatabaseName": "jhipster",
-  "devDatabasePassword": "yourStrong(!)Password",
+  "devDatabasePassword": "password",
   "devDatabaseType": "postgresql",
   "devDatabaseTypeH2Any": false,
   "devDatabaseTypeH2Disk": false,
@@ -741,7 +741,7 @@ exports[`generator - app with default config should match snapshot 1`] = `
   },
   "prodDatabaseExtraOptions": "",
   "prodDatabaseName": "jhipster",
-  "prodDatabasePassword": "yourStrong(!)Password",
+  "prodDatabasePassword": "password",
   "prodDatabaseType": "postgresql",
   "prodDatabaseTypeMariadb": false,
   "prodDatabaseTypeMssql": false,
@@ -901,7 +901,7 @@ exports[`generator - app with gateway should match snapshot 1`] = `
   "defaultPackaging": "jar",
   "devDatabaseExtraOptions": "",
   "devDatabaseName": "jhipster",
-  "devDatabasePassword": "yourStrong(!)Password",
+  "devDatabasePassword": "password",
   "devDatabaseType": "postgresql",
   "devDatabaseTypeH2Any": false,
   "devDatabaseTypeH2Disk": false,
@@ -1351,7 +1351,7 @@ exports[`generator - app with gateway should match snapshot 1`] = `
   },
   "prodDatabaseExtraOptions": "",
   "prodDatabaseName": "jhipster",
-  "prodDatabasePassword": "yourStrong(!)Password",
+  "prodDatabasePassword": "password",
   "prodDatabaseType": "postgresql",
   "prodDatabaseTypeMariadb": false,
   "prodDatabaseTypeMssql": false,
@@ -1510,7 +1510,7 @@ exports[`generator - app with microservice should match snapshot 1`] = `
   "defaultPackaging": "jar",
   "devDatabaseExtraOptions": "",
   "devDatabaseName": "jhipster",
-  "devDatabasePassword": "yourStrong(!)Password",
+  "devDatabasePassword": "password",
   "devDatabaseType": "postgresql",
   "devDatabaseTypeH2Any": false,
   "devDatabaseTypeH2Disk": false,
@@ -1907,7 +1907,7 @@ exports[`generator - app with microservice should match snapshot 1`] = `
   },
   "prodDatabaseExtraOptions": "",
   "prodDatabaseName": "jhipster",
-  "prodDatabasePassword": "yourStrong(!)Password",
+  "prodDatabasePassword": "password",
   "prodDatabaseType": "postgresql",
   "prodDatabaseTypeMariadb": false,
   "prodDatabaseTypeMssql": false,

generators/base/command.ts

@@ -67,6 +67,16 @@ const command = {
       scope: 'generator',
     },
   },
+  configs: {
+    sonarRecommendations: {
+      description: 'Apply SonarQube recommendations like strong passwords',
+      cli: {
+        type: Boolean,
+        env: 'JHI_SONAR_RECOMMENDATIONS',
+      },
+      scope: 'storage',
+    },
+  },
 } as const satisfies JHipsterCommandDefinition;
 
 export default command;

generators/base/support/secret.ts

@@ -52,3 +52,10 @@ export function createBase64Secret(len?: number | boolean, reproducible = false)
   }
   return Buffer.from(createSecret(len)).toString('base64');
 }
+
+/**
+ * Create a strong secret from a timestamp and a base name
+ */
+export function createSafeSecret(timestamp: number, baseName: string) {
+  return Buffer.from(`${timestamp}-${baseName}`).toString('base64');
+}

generators/docker-compose/__snapshots__/docker-compose.spec.ts.snap

@@ -647,7 +647,7 @@ jhipster:
     image: postgresql-placeholder
     environment:
       - POSTGRES_USER=mspsql
-      - POSTGRES_PASSWORD=yourStrong(!)Password
+      - POSTGRES_PASSWORD=password
       - POSTGRES_HOST_AUTH_METHOD=trust
     healthcheck:
       test:
@@ -1041,7 +1041,7 @@ jhipster:
     image: postgresql-placeholder
     environment:
       - POSTGRES_USER=mspsql
-      - POSTGRES_PASSWORD=yourStrong(!)Password
+      - POSTGRES_PASSWORD=password
       - POSTGRES_HOST_AUTH_METHOD=trust
     healthcheck:
       test:
@@ -1459,7 +1459,7 @@ jhipster:
     image: postgresql-placeholder
     environment:
       - POSTGRES_USER=mspsql
-      - POSTGRES_PASSWORD=yourStrong(!)Password
+      - POSTGRES_PASSWORD=password
       - POSTGRES_HOST_AUTH_METHOD=trust
     healthcheck:
       test:
@@ -1794,7 +1794,7 @@ jhipster:
     image: postgresql-placeholder
     environment:
       - POSTGRES_USER=mspsql
-      - POSTGRES_PASSWORD=yourStrong(!)Password
+      - POSTGRES_PASSWORD=password
       - POSTGRES_HOST_AUTH_METHOD=trust
     healthcheck:
       test:

generators/spring-data-relational/support/application-properties.ts

@@ -18,6 +18,7 @@
  */
 
 import { databaseTypes } from '../../../lib/jhipster/index.js';
+import { createSafeSecret } from '../../base/support/secret.js';
 import { getDatabaseData } from './database-data.js';
 import { getJdbcUrl, getR2dbcUrl } from './database-url.js';
 
@@ -46,11 +47,13 @@ export default function prepareSqlApplicationProperties({ application }: { appli
   }
 
   const prodDatabaseData = getDatabaseData(application.prodDatabaseType);
-  const { defaultPassword } = prodDatabaseData;
   application.prodHibernateDialect = prodDatabaseData.hibernateDialect;
   application.prodJdbcDriver = prodDatabaseData.jdbcDriver;
   application.prodDatabaseUsername = prodDatabaseData.defaultUsername ?? application.baseName;
-  application.prodDatabasePassword = defaultPassword === '<baseName>' ? application.baseName : (defaultPassword ?? '');
+  application.prodDatabasePassword = prodDatabaseData.defaultPassword ?? '';
+  if (application.sonarRecomendations && application.prodDatabasePassword) {
+    application.prodDatabasePassword = createSafeSecret(application.creationTimestamp, application.prodDatabasePassword);
+  }
   application.prodDatabaseName = prodDatabaseData.defaultDatabaseName ?? application.baseName;
 
   const prodDatabaseOptions = {
@@ -70,11 +73,13 @@ export default function prepareSqlApplicationProperties({ application }: { appli
   if (application.devDatabaseTypeH2Any) {
     try {
       const devDatabaseData = getDatabaseData(application.devDatabaseType);
-      const { defaultPassword } = devDatabaseData;
       application.devHibernateDialect = devDatabaseData.hibernateDialect;
       application.devJdbcDriver = devDatabaseData.jdbcDriver;
       application.devDatabaseUsername = devDatabaseData.defaultUsername ?? application.baseName;
-      application.devDatabasePassword = defaultPassword === '<baseName>' ? application.baseName : (defaultPassword ?? '');
+      application.devDatabasePassword = devDatabaseData.defaultPassword ?? '';
+      if (application.sonarRecomendations && application.devDatabasePassword) {
+        application.devDatabasePassword = createSafeSecret(application.creationTimestamp, application.devDatabasePassword);
+      }
       application.devDatabaseName = devDatabaseData.defaultDatabaseName ?? application.baseName;
 
       const devDatabaseOptions = {

generators/spring-data-relational/support/database-data.ts

@@ -153,7 +153,7 @@ const databaseData: Record<string, DatabaseDataSpec> = {
     port: ':5432/',
     // Password is required by Spring Boot v3.3.x, can be removed for v3.4.x, see https://github.com/spring-projects/spring-boot/pull/41511
     // Use a strong password to avoid being flagged by SonarQube
-    defaultPassword: 'yourStrong(!)Password',
+    defaultPassword: 'password',
 
     constraintNameMaxLength: 63,
     tableNameMaxLength: 63,