actions/sonarqube-scan-action
2
0
Fork 0
mirror of https://github.com/SonarSource/sonarqube-scan-action.git synced 2025-12-12 17:31:15 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

SQSCANGHA-55 Add curl redirect and fix splatting of URL with special chars

Browse source
This commit is contained in:
Antonio Aversa 2024-11-29 13:13:18 +01:00 committed by GitHub
parent f4eddd92b8
commit 1b442ee39a
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
5 changed files with 143 additions and 32 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
.github/qa-nginx-redirecting/compose.yml vendored Normal file
View file

@ -0,0 +1,13 @@
services:
https-proxy:
image: nginx
ports:
- 8080:8080
volumes:
- $GITHUB_WORKSPACE/.github/qa-nginx-redirecting/nginx.conf:/etc/nginx/nginx.conf:ro
healthcheck:
test: ["CMD", "curl", "--fail", "localhost:8080/health"]
interval: 10s
timeout: 5s
retries: 20
start_period: 2m

32
.github/qa-nginx-redirecting/nginx.conf vendored Normal file
View file

@ -0,0 +1,32 @@
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
include /etc/nginx/conf.d/*.conf;
server {
listen 8080;
location /health {
add_header 'Content-Type' 'text/plain';
return 200 "healthy\n";
}
location ~ /clientRedirectToSonarBinaries/(.*) {
return 301 "https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/$1";
}
}
}

11
.github/qa-sq-behind-ngix/nginx.conf vendored
View file

@ -2,7 +2,6 @@ user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
@ -12,12 +11,6 @@ http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
keepalive_timeout 65;
@ -28,7 +21,6 @@ http {
listen 8080;
location /health {
access_log off;
add_header 'Content-Type' 'text/plain';
return 200 "healthy\n";
}
@ -40,9 +32,6 @@ http {
ssl_protocols TLSv1.1 TLSv1.2;
ssl_certificate /etc/nginx/server.crt;
ssl_certificate_key /etc/nginx/server.key;
access_log /var/log/nginx/localhost;
error_log /var/log/nginx/localhost.error debug;
location / {
proxy_pass http://sonarqube:9000;

81
.github/workflows/qa.yml vendored
View file

@ -116,6 +116,56 @@ jobs:
- name: Assert Sonar Scanner CLI was not executed
run: |
./test/assertFileDoesntExist ./output.properties
scannerBinariesUrlIsEscapedWithWget:
name: >
'scannerBinariesUrl' is escaped with wget so special chars are not injected in the download command
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action with scannerBinariesUrl
id: runTest
uses: ./
continue-on-error: true
with:
scannerBinariesUrl: 'http://some_uri;touch file.txt;'
env:
NO_CACHE: true
SONAR_HOST_URL: http://not_actually_used
SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output1.properties"}'
- name: Assert file.txt does not exist
run: |
./test/assertFileDoesntExist "$RUNNER_TEMP/sonarscanner/file.txt"
scannerBinariesUrlIsEscapedWithCurl:
name: >
'scannerBinariesUrl' is escaped with curl so special chars are not injected in the download command
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Remove wget
run: sudo apt-get remove -y wget
- name: Assert wget is not available
run: |
if command -v wget 2>&1 >/dev/null
then
exit 1
fi
- name: Run action with scannerBinariesUrl
id: runTest
uses: ./
continue-on-error: true
with:
scannerBinariesUrl: 'http://some_uri http://another_uri''; touch file.txt;'
env:
NO_CACHE: true
SONAR_HOST_URL: http://not_actually_used
SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output1.properties"}'
- name: Assert file.txt does not exist
run: |
./test/assertFileDoesntExist "$RUNNER_TEMP/sonarscanner/file.txt"
dontFailGradleTest:
name: >
Don't fail on Gradle project
@ -376,6 +426,37 @@ jobs:
- name: Assert failure of previous step
if: steps.runTest.outcome == 'success'
run: exit 1
curlPerformsRedirect:
name: >
curl performs redirect when scannerBinariesUrl returns 3xx
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Remove wget
run: sudo apt-get remove -y wget
- name: Assert wget is not available
run: |
if command -v wget 2>&1 >/dev/null
then
exit 1
fi
- name: Start nginx via Docker Compose
run: docker compose up -d --wait
working-directory: .github/qa-nginx-redirecting
- name: Run action with scannerBinariesUrl
id: runTest
uses: ./
with:
scannerBinariesUrl: http://localhost:8080/clientRedirectToSonarBinaries
env:
NO_CACHE: true
SONAR_HOST_URL: http://not_actually_used
SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output1.properties"}'
- name: Assert Sonar Scanner CLI was downloaded
run: |
./test/assertFileExists "$RUNNER_TEMP/sonarscanner/sonar-scanner-cli-6.2.1.4610-linux-x64.zip"
useSslCertificate:
name: >
'SONAR_ROOT_CERT' is converted to truststore

38
install-sonar-scanner-cli.sh
View file

@ -23,32 +23,28 @@ else
exit 1
fi
SCANNER_FILE_NAME="sonar-scanner-cli-$INPUT_SCANNERVERSION-$FLAVOR.zip"
SCANNER_URI="${INPUT_SCANNERBINARIESURL%/}/$SCANNER_FILE_NAME"
if command -v wget &> /dev/null; then
DOWNLOAD_COMMAND="wget"
DOWNLOAD_ARGS="--no-verbose --user-agent=sonarqube-scan-action $SCANNER_URI"
elif command -v curl &> /dev/null; then
DOWNLOAD_COMMAND="curl"
DOWNLOAD_ARGS="--silent --show-error --user-agent sonarqube-scan-action --output $SCANNER_FILE_NAME $SCANNER_URI"
elif [ "$RUNNER_OS" == "Windows" ] && [ -t "C:\\msys64\\usr\\bin\\wget.exe" ]; then
DOWNLOAD_COMMAND="C:\\msys64\\usr\\bin\\wget.exe"
DOWNLOAD_ARGS="--no-verbose --user-agent=sonarqube-scan-action $SCANNER_URI"
elif [ "$RUNNER_OS" == "Windows" ] && [ -t "C:\\msys64\\usr\\bin\\curl.exe" ]; then
DOWNLOAD_COMMAND="C:\\msys64\\usr\\bin\\curl.exe"
DOWNLOAD_ARGS="--silent --show-error --user-agent sonarqube-scan-action --output $SCANNER_FILE_NAME $SCANNER_URI"
else
echo "::error title=SonarScanner::Neither wget nor curl found on the machine"
exit 1
fi
set -x
mkdir -p $RUNNER_TEMP/sonarscanner
cd $RUNNER_TEMP/sonarscanner
$DOWNLOAD_COMMAND $DOWNLOAD_ARGS
SCANNER_FILE_NAME="sonar-scanner-cli-$INPUT_SCANNERVERSION-$FLAVOR.zip"
SCANNER_URI="${INPUT_SCANNERBINARIESURL%/}/$SCANNER_FILE_NAME"
if command -v wget &> /dev/null; then
wget --no-verbose --user-agent=sonarqube-scan-action "$SCANNER_URI"
elif command -v curl &> /dev/null; then
curl --fail --silent --show-error --user-agent sonarqube-scan-action \
--location --output "$SCANNER_FILE_NAME" "$SCANNER_URI"
elif [ "$RUNNER_OS" == "Windows" ] && [ -t "C:\\msys64\\usr\\bin\\wget.exe" ]; then
"C:\\msys64\\usr\\bin\\wget.exe" --no-verbose --user-agent=sonarqube-scan-action "$SCANNER_URI"
elif [ "$RUNNER_OS" == "Windows" ] && [ -t "C:\\msys64\\usr\\bin\\curl.exe" ]; then
"C:\\msys64\\usr\\bin\\curl.exe" --fail --silent --show-error --user-agent sonarqube-scan-action \
--location --output "$SCANNER_FILE_NAME" "$SCANNER_URI"
else
echo "::error title=SonarScanner::Neither wget nor curl found on the machine"
exit 1
fi
unzip -q $SCANNER_FILE_NAME