Skip to content

fix: oar017, oar020, oar021, oar037, oar038, oar066, oar073 rules#114

Merged
SebastianDT1 merged 5 commits into
developfrom
fix/168/rules
Jun 1, 2026
Merged

fix: oar017, oar020, oar021, oar037, oar038, oar066, oar073 rules#114
SebastianDT1 merged 5 commits into
developfrom
fix/168/rules

Conversation

@mels-h

@mels-h mels-h commented May 30, 2026

Copy link
Copy Markdown
Contributor

Aligning Sonar rules with Spectral for identical functionality.

Pull request type

Please check the type of change your PR introduces:

  • Bugfix
  • Feature
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes, no api changes)
  • Build related changes
  • Documentation content changes
  • Other (please describe):

Changes

OAR017 — Alternate Paths

  • Detects when a path has a segment that could collide with another existing path.
  • Fixed a false positive: the first segment is now checked against the exceptions list before entering the validation loop.

OAR020 — $expand Parameter

  • Checks that collection GET operations have the $expand query parameter defined.
  • Applies to all collection endpoints except: paths containing /me, health-check paths (/status, /health, /ping) and detail endpoints (with a path parameter).
  • Now also detects GET operations where the parameters block is entirely absent (previously unreported).

OAR021 — $exclude Parameter

  • Same as OAR020 but for the $exclude query parameter.
  • Same exclusions and same fix applied for operations missing the parameters block.

OAR037 — String Format

  • String-type schemas must have a valid format defined (e.g. date, date-time, email, uuid…).
  • Now fires both when the format is invalid and when it is completely absent (previously only detected incorrect formats, not missing ones).

OAR038 — POST 201 Response Structure

  • POST endpoints must return a 201 response whose schema properties are named data or error.
  • Each of those properties must have at least one sub-property defined (cannot be empty).
  • Reports distinct messages depending on whether the issue is an invalid property name or missing sub-properties.

OAR066 — snake_case Property Naming Convention

  • Schema properties in request bodies, responses and parameters must follow the snake_case naming convention.
  • Fixed false positives: the prefixes _ (_links, _embedded), @ (@context, @type, @id) and x- (x-internal) are industry-standard conventions and no longer trigger the rule.

OAR073 — Mandatory 429 Response

  • All operations must define a 429 Too Many Requests response to indicate rate limiting is in place.
  • Health-check paths are excluded from this requirement: /status, /health, /health-check, /ping, /liveness and /readiness.
  • Fixed a false positive where /status without a 429 response was incorrectly triggering the rule.

@mels-h mels-h changed the title fix: oar017, oar020 and oar021 rules fix: oar017, oar020, oar021, oar037, oar038, oar066, oar073 rules May 31, 2026
@SebastianDT1
SebastianDT1 merged commit 5ac440b into develop Jun 1, 2026
@SebastianDT1
SebastianDT1 deleted the fix/168/rules branch June 1, 2026 02:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants