Open mishadoff opened 5 years ago
It would be good to have the ability to provide a lein profile for a specific sensor.

For example, we encountered a lot of vulnerabilities in the nvd sensor, due to some abandoned dependencies in tests. They are good to solve, but they should not fail quality gates, because they are not "vulnerabilities" and are not included in the deployed app at all.

One solution to that would be to run `lein with-profile release nvd check`. But profiles are not customizable. Can we add an option to customize the lein profile per sensor, or is there a better way to do it?

A more extensible, but risky, approach would be to allow the user to customize every sensor by providing LEIN_ARGUMENTS; this way we can customize not only profiles but other options to lein plugins (like eastwood and kibit excluded rules, namespaces for cloverage, etc.).

Hi @mishadoff, thank you for your contribution and sorry for the late reply.

As per your suggestion, if the nvd sensor is reporting a vulnerability (even in the tests), I believe you should try to fix it instead of relaxing/skipping the rules, don't you think? I know sometimes it can generate a false positive; however, for those scenarios I think you can change the Quality Gate on SonarQube to prevent it from failing. Does that make sense? I might have misunderstood something, though. Let me know if you have other thoughts.

All those are definitely options, but providing a lein profile for a specific sensor would still be a beloved feature in my opinion.

I will see if I can expose a custom attribute in the sonar-project.properties to set the profile. Something like `sonar.clojure.lein.profile=dev`.
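As an added illustration (not code from the issue, from the reporter, or from sonar-clojure), here is how the split the thread describes looks in a Leiningen `project.clj`: the abandoned test-only library lives in the `:dev` profile, so `lein with-profile release nvd check` only scans what the top-level `:dependencies` and the `:release` profile pull in, while a plain `lein nvd check` also scans the `:dev` additions. All library names and versions below are constructed placeholders, and the `lein-nvd` plugin coordinates are an assumption; check the plugin's own documentation for the current release.

```clojure
;; project.clj -- added example, not from the issue or from sonar-clojure.
;; Library names and versions are constructed placeholders.
(defproject example-service "0.1.0"
  :description "Isolating test-only dependencies from an nvd scan"

  ;; Dependencies that ship in the deployed artifact. A vulnerability in one
  ;; of these is the kind of finding that should be allowed to fail a gate.
  :dependencies [[org.clojure/clojure "1.10.3"]
                 [ring/ring-core "1.9.6"]]

  ;; lein-nvd provides the `lein nvd check` task. Version assumed.
  :plugins [[lein-nvd "1.4.1"]]

  :profiles
  {;; :dev is part of Leiningen's default profile set, so a plain
   ;; `lein nvd check` puts everything listed here on the scanned classpath,
   ;; including test helpers that never reach production.
   :dev {:dependencies [[example/abandoned-test-helper "0.3.1"]] ; constructed
         :source-paths ["dev"]}

   ;; `lein with-profile release nvd check` replaces the default profile set
   ;; with only :release, so the :dev dependencies above are not visible to
   ;; the scanner. Keep this profile free of test-only dependencies.
   :release {:jvm-opts ["-Dclojure.compiler.direct-linking=true"]}})
```

Note that `with-profile release` (no leading `+`) replaces the default profiles rather than adding to them, which is what keeps the `:dev` dependencies out of the scan; `with-profile +release` would merge `:release` on top of the defaults and scan the test helper as well. If the property proposed later in the thread (`sonar.clojure.lein.profile=dev`) is implemented, the same profile name would be the value to set there, with `release` chosen for a scan of only the deployed classpath.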