| Check | Tool | Result | Evidence |
|---|---|---|---|
| Static analysis quality gate | SonarQube 26.7 | Passed — A ratings across the board | scan notes · dashboard |
| Backend regression suite | Jest | 192/192 suites · 3,986 of 3,987 tests pass | full log |
| Security test baseline | Manual OWASP Top 10 + targeted suites | All 10 categories pass (v1 baseline) | project security verification records |
| Reproducibility | Documented commands | Every artifact regenerable | reproduce.sh |
SonarQube is an independent static-analysis platform: it reads the code (not the team’s claims about it) and scores security, reliability, and maintainability against a fixed rule set (“Sonar way”). The backend was analyzed post-v2: 608 files indexed, with test files included in the analysis and DTO/module boilerplate excluded from coverage and duplication per the documented configuration.
levis-bp-be — bundled screenshot.| Measure | Value | What it means |
|---|---|---|
| Quality gate | Passed | The release clears the platform’s minimum bar for new code quality. |
| Security open issues | 0 | No known code-level security defects. Rating A. |
| Security hotspots | 0 | No code locations flagged for security review. Rating A. |
| Reliability open issues | 0 | No known bug-pattern defects. Rating A. |
| Maintainability open issues | 235 | Code-smell backlog (style/structure improvements, not defects). Rating A — by SonarQube’s definition, remediation cost under 5% of development cost (the “debt ratio”). |
| Coverage | 59.2% | Share of the ~14K coverable lines executed by the test suite. |
| Duplications | 4.1% | Repeated code across the 67K-line duplication basis; under the common 5% threshold. |
| Lines of code | 42K | Backend source analyzed. |
The bundled scan notes record 8 non-blocking warnings: 4 file-encoding notices, 9 unresolved paths in the coverage import (test helpers), and missing git-blame data on one file. None affect the gate; they are hygiene follow-ups.
The full backend suite ran green after the v2 structural changes (npm run test:coverage,
bundled log). What the suite actually exercises:
crypto.timingSafeEqual) is implemented in code, and the skip is annotated for manual security verification.The bundled log records 150+ security and privacy test cases executing and passing, traceable to individual log lines. By category:
| Category | Tests | What the passing tests demonstrate |
|---|---|---|
| Password security | 25+ | bcrypt hashing/validation; SQL-injection payloads in password fields handled safely ('; DROP TABLE users; -- and 5 more); constant-time comparison; minimum-length policy; unicode support; safe concurrent resets. |
| RBAC & authorization | 30+ | JWT and role guards applied at class level; per-endpoint role checks; invalid roles (SUPERUSER, ROOT, GUEST…) rejected; case-variation normalization; privilege-escalation-via-token-manipulation blocked. |
| Access control | 15+ | Store access allowed within franchise, denied outside with a 404 (anti-enumeration), 403 when no franchise configured; admin/superadmin bypass explicit and tested. |
| Data protection | 20+ | Password hashes never in responses; bulk-upload CSVs exclude password columns and values; credential patterns sanitized from error messages; configuration status returned without credentials. |
| JWT & tokens | 8+ | Signed-token verification; tampered/unsigned tokens rejected; 12-hour expiry; no refresh token in login responses; 403 on missing/invalid/expired tokens. |
| OTP & rate limiting | 10+ | Separate rate-limit keys per auth method; 3-attempt lockout for exactly 60 seconds; counters reset on success; inactive users rejected in both methods. |
| Enumeration prevention | 6+ | Same error for wrong password vs unknown user; same 404 for not-found vs no-access; OTP responses shaped to hide account existence. |
| Audit logging | 8+ | Failed authentication attempts logged; access grants and denials logged; logs verified to exclude passwords and full emails (addresses obfuscated, e.g. t***t@e***e.c***m). |
The security audit’s OWASP A06 record (“Vulnerable and Outdated
Components”) ran npm audit with a recorded result of
0 critical / 0 high vulnerabilities. SonarQube’s post-v2 analysis reports 0
security issues and 0 hotspots in the project code itself.