feat: Add --issueStatuses flag to sonarqube2hdf command

[mikeBoterf]

Summary

Adds a new --issueStatuses (-s) flag to the saf convert sonarqube2hdf
command. This flag allows users to specify a comma-separated list of issue
statuses to include when pulling issues from the SonarQube API.

Changes

• Added issueStatuses flag (short: -s) to the sonarqube2hdf command
• The flag value is passed through to the SonarqubeResults constructor in
  @mitre/hdf-converters

Usage

# Use automatic status discovery (default - no flag needed)
saf convert sonarqube2hdf -n my-project -u https://sonar.example.com -a $TOKEN -o results.json

# Override with specific statuses
saf convert sonarqube2hdf -n my-project -u https://sonar.example.com -a $TOKEN -o results.json \
  -s "OPEN,CONFIRMED,ACCEPTED"

# Include all statuses explicitly
saf convert sonarqube2hdf -n my-project -u https://sonar.example.com -a $TOKEN -o results.json \
  -s "OPEN,CONFIRMED,FALSE_POSITIVE,ACCEPTED,FIXED"

Motivation

The upstream @mitre/hdf-converters library now supports dynamic issue status
discovery and a user-supplied override (see mitre/heimdall2#7791). This change
exposes that capability through the SAF CLI so operators can control which issue
statuses are retrieved without modifying source code.

Related

• fix: Replace hardcoded SonarQube issue statuses with dynamic discovery from server heimdall2#7791 - Upstream library change that adds dynamic status
  discovery and the issueStatuses constructor parameter

[mikeBoterf]

@Amndeep7 @aaronlippold

[mergify]

This pull request has a conflict. Could you fix it @mikeBoterf?

[mikeBoterf]

Recent changes have been pushed to the linked heimdall2 PR (mitre/heimdall2#7791) based on review feedback from @Amndeep7. The --issueStatuses flag has been renamed to --excludeIssueStatuses here to match the updated deny-list approach in the upstream converter. This PR is ready for re-review once the heimdall2 changes are merged and released.

[Amndeep7]

There's a merge conflict that needs to be resolved

[Amndeep7]

Merge conflict needs to be resolved and i would run the linter too just to make sure it picks up everything

[mikeBoterf]

Done — rebased on main, linter came back clean.

[Amndeep7]

Don't forget to update the readme to reflect the new functionality - it's mostly just copy pasting the help block into the readme and then formatting it nicely

[mikeBoterf]

Added — flag description and USAGE line updated in the README.

[mikeBoterf]

@Amndeep7 Rebased on main (merge conflict resolved), ran the linter (clean), and added the new --excludeIssueStatuses flag to the README.

[Amndeep7]

This PR should be good after this fix and once the upstream heimdall monorepo PR is merged.

[Amndeep7]

please add another example (and update the readme accordingly) using this new flag

[mikeBoterf]

Added in 3b6a88f8 — second example showing -s flag with custom exclusions, in both the command and README.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud