From 884b79409bbd464b2a59edc326a4b77dc56b2195 Mon Sep 17 00:00:00 2001
From: Julien HENRY
Date: Tue, 24 Sep 2024 11:59:38 +0200
Subject: [PATCH] SQSCANGHA-42 Update Scanner CLI Docker to 11.1
---
 .github/workflows/qa.yml | 80 ++++++++++++++++++++++++++++++++++++----
 Dockerfile | 4 +-
 entrypoint.sh | 21 ++++++++---
 3 files changed, 90 insertions(+), 15 deletions(-)
diff --git a/.github/workflows/qa.yml b/.github/workflows/qa.yml
index 350a7b1..f2be5a2 100644
--- a/.github/workflows/qa.yml
+++ b/.github/workflows/qa.yml
@@ -8,6 +8,22 @@ on:
 types: [opened, synchronize, reopened]
 jobs:
+ noInputsTest:
+ name: >
+ No inputs
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ - name: Run action with args
+ uses: ./
+ env:
+ SONAR_HOST_URL: http://not_actually_used
+ SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'
+ - name: Assert
+ run: |
+ ./test/assertFileContains ./output.properties "sonar.projectBaseDir=."
 argsInputTest:
 name: >
 'args' input
@@ -19,9 +35,10 @@ jobs:
 - name: Run action with args
 uses: ./
 with:
- args: -Dsonar.someArg=aValue -Dsonar.scanner.dumpToFile=./output.properties
+ args: -Dsonar.someArg=aValue
 env:
 SONAR_HOST_URL: http://not_actually_used
+ SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'
 - name: Assert
 run: |
 ./test/assertFileContains ./output.properties "sonar.someArg=aValue"
@@ -37,10 +54,10 @@ jobs:
 - name: Run action with projectBaseDir
 uses: ./
 with:
- args: -Dsonar.scanner.dumpToFile=./output.properties
 projectBaseDir: ./baseDir
 env:
 SONAR_HOST_URL: http://not_actually_used
+ SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'
 - name: Assert
 run: |
 ./test/assertFileContains ./output.properties "sonar.projectBaseDir=.*/baseDir"
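Review bot: The assertion pattern `"sonar.projectBaseDir=."` in the new noInputsTest job probably checks less than intended. If `./test/assertFileContains` matches by regular expression (the projectBaseDir job's `.*/baseDir` pattern suggests it does; the helper is not part of this patch), the trailing `.` matches any character, so the step passes for any non-empty base directory. Escaping and anchoring it, `"sonar.projectBaseDir=\.$"`, would pin the default value. The step name `Run action with args` is also carried over from the job below although this job passes no inputs; `- name: Run action without inputs` would describe it.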
@@ -58,9 +75,9 @@ jobs:
 continue-on-error: true
 env:
 SONAR_HOST_URL: http://not_actually_used
+ SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'
 with:
 projectBaseDir: ./test/gradle-project
- args: -Dsonar.scanner.dumpToFile=./output.properties
 - name: Assert
 run: |
 ./test/assertFileExists ./output.properties
@@ -78,9 +95,9 @@ jobs:
 continue-on-error: true
 env:
 SONAR_HOST_URL: http://not_actually_used
+ SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'
 with:
 projectBaseDir: ./test/gradle-project
- args: -Dsonar.scanner.dumpToFile=./output.properties
 - name: Assert
 run: |
 ./test/assertFileExists ./output.properties
@@ -98,9 +115,9 @@ jobs:
 continue-on-error: true
 env:
 SONAR_HOST_URL: http://not_actually_used
+ SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'
 with:
 projectBaseDir: ./test/maven-project
- args: -Dsonar.scanner.dumpToFile=./output.properties
 - name: Assert
 run: |
 ./test/assertFileExists ./output.properties
@@ -145,11 +162,10 @@ jobs:
 token: ${{ secrets.GITHUB_TOKEN }}
 - name: Run action with debug mode
 uses: ./
- with:
- args: -Dsonar.scanner.dumpToFile=./output.properties
 env:
 RUNNER_DEBUG: 1
 SONAR_HOST_URL: http://not_actually_used
+ SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'
 - name: Assert
 run: |
 ./test/assertFileContains ./output.properties "sonar.verbose=true"
@@ -190,3 +206,53 @@ jobs:
 - name: Assert
 run: |
 ./test/assertFileExists ./test/example-project/.scannerwork/report-task.txt
+ useSslCertificate:
+ name: >
+ 'SONAR_ROOT_CERT' is converted to truststore
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ - name: Run action with SSL certificate
+ uses: ./
+ env:
+ SONAR_ROOT_CERT: |
+ -----BEGIN CERTIFICATE-----
+ MIIFtjCCA56gAwIBAgIULroxFuPWyNOiQtAVPS/XFFMXp6owDQYJKoZIhvcNAQEL
+ BQAwXDELMAkGA1UEBhMCQ0gxDzANBgNVBAgMBkdlbmV2YTEPMA0GA1UEBwwGR2Vu
+ ZXZhMRcwFQYDVQQKDA5Tb25hclNvdXJjZSBTQTESMBAGA1UEAwwJbG9jYWxob3N0
+ MB4XDTI0MDQxNjA4NDUyMVoXDTM0MDQxNDA4NDUyMVowXDELMAkGA1UEBhMCQ0gx
+ DzANBgNVBAgMBkdlbmV2YTEPMA0GA1UEBwwGR2VuZXZhMRcwFQYDVQQKDA5Tb25h
+ clNvdXJjZSBTQTESMBAGA1UEAwwJbG9jYWxob3N0MIICIjANBgkqhkiG9w0BAQEF
+ AAOCAg8AMIICCgKCAgEArRRQF25E5NCgXdoEBU2SWyAoyOWMGVT1Ioltnr3sJP6L
+ MjjfozK5YgaRn504291lwlG+k6tvzTSR9HB8q3ITa8AdnwMiL7jzbveYKWIlLQ7k
+ dHKXWbiaIjTaZCyfnWUlDFIuR7BHwOXVwyLrBQfhoyDVaaoyowQEsUro3okIR/kB
+ sqM+KH8bcdl06DMMppZ8Qy1DYvPodhnNRyOSSpfbIoodE1fju+5U0OKzvGIc9WpG
+ 5pKIysaW3whOa/ieb02SXrgoiHnYPpmmGzm4u/Wn8jGwhYQJSQT10yjMacGHwmBE
+ q7FUr854cVd+eend056P6pwUukdNeVHCFjYRkmWCNzIxV+sS9PPtDs77/bLFIItr
+ nBMHVsId38tPoru/z1S1p2dzCX3Nq09aJFF/vH2u9Sg5aerHJ7xnRroR1jIrAZtc
+ jBkJHEiTlG+WaavP4j6oym+lvHvgHHL3Qwhh8emg0JiLYExVV7ma70aRDh8yoQtS
+ zAUDMVfhVPKd92MS+7DC2pv2KviUNKqbHDFadl01JN3t+17/gstUNSk1jpoUfUhK
+ BeUQxVEdVUy2p0HeD/TYpRvF2FEsWneq3+ZbnRp17I/uEQOck0LP2tkzAd4tmRgH
+ +95yyB8MgbAfvyKWkB4+3BhtdfoYDe1asqR6z43mejDHHqgBXn+u3UKjPypKfPEC
+ AwEAAaNwMG4wHwYDVR0jBBgwFoAUINXfg3fn6/RUenW3EobpMoP8wDQwCQYDVR0T
+ BAIwADALBgNVHQ8EBAMCBPAwFAYDVR0RBA0wC4IJbG9jYWxob3N0MB0GA1UdDgQW
+ BBRX4bsny+8GQcFpM10jtAfFxzNxzzANBgkqhkiG9w0BAQsFAAOCAgEAa+Myw6li
+ Fme95cPpINTite/9LXk+TlHHnXiV5Z+Um3NTLSllX3zPuRFiOE71OKFrWQPqH2N/
+ 85l6h19G9xQsaqkkVFyQENkNzykZpJL/jU4+wgRtwcEDkaRGGURZacz3vfLTc1HX
+ tPDNv/JsZ5HE2d7cF5YhN4UahtxS2lvarrSujaOBpFZTT6PbEYX9EnwCdapORHOh
+ wKMc3OGGOiGWvRlVaWu/Huq2HvXXcK0pmaYWWKX3u21evthSYOu9U4Rk0z1y7m3/
+ CIYaIrvSbkzq2KKXMn7lr26bv2cthAQrPAjb2ILPUoyzKa3wEK3lkhanM6PN9CMH
+ y5KRTpqwV45Qr6BAVY1bP67pEkay2T31chIVKds6dkx9b2/bWpW9PWuymsbWX2vO
+ Q1MiaPkXKSTgCRwQUR0SNbPHw3X+VhrKKJB+beX8Bh2fcKw3jGGM8oHiA1hpdnbg
+ Y5fW7EupF5gabf2jNB1XJ4gowlpB3nTooKFgbcgsvi68MRdBno2TWUhsZ3zCVyaH
+ KFdDV0f78Fg7oL79K3kBL/iqr+jsb8sFHKIS4Dyyz2rDJrE0q0xAPes+Bu75R3/5
+ M/s2H7KuLqLdDYsCsMeMqOVuIcAyPp2MFWInYPyi0zY4fwKwm8f/Kv8Lzb+moxqI
+ Fct6d1S08JAosVnZcP2P7Yz+TbmDRtsqCgk=
+ -----END CERTIFICATE-----
+ SONAR_HOST_URL: http://not_actually_used
+ SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'
+ - name: Assert
+ run: |
+ ./test/assertFileContains ./output.properties "sonar.scanner.truststorePassword=changeit"
diff --git a/Dockerfile b/Dockerfile
index a38bed0..cf151b3 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,6 @@
-FROM sonarsource/sonar-scanner-cli:10.0
+FROM sonarsource/sonar-scanner-cli:11.1
-LABEL version="2.1.0" \
+LABEL version="3.0.0" \
 repository="https://github.com/sonarsource/sonarqube-scan-action" \
 homepage="https://github.com/sonarsource/sonarqube-scan-action" \
 maintainer="SonarSource" \
diff --git a/entrypoint.sh b/entrypoint.sh
index a687be7..790ab2a 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -1,6 +1,8 @@
 #!/bin/bash
-set -e
+set -eo pipefail
+
+declare -a args=()
 if [[ -z "${SONAR_TOKEN}" ]]; then
 echo "============================ WARNING ============================"
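Review bot: The PEM block under `SONAR_ROOT_CERT` in the useSslCertificate job carries no comment saying what it is, so secret scanners and later reviewers have to decode it to learn that it is harmless. It appears to be a test certificate issued for localhost, and only the public certificate is present. A comment above the key would record that, for example `# Test-only certificate for localhost; public part only, no private key is stored in this repository`. The single assertion checks only that `sonar.scanner.truststorePassword=changeit` reaches the scanner properties; the truststore creation itself is covered only indirectly, in that a failing `keytool` would presumably abort the script under `set -e`.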
@@ -9,10 +11,15 @@ if [[ -z "${SONAR_TOKEN}" ]]; then
 fi
 if [[ -n "${SONAR_ROOT_CERT}" ]]; then
- echo "Adding custom root certificate to java certificate store"
+ echo "Adding custom root certificate to the scanner truststore"
 rm -f /tmp/tmpcert.pem
 echo "${SONAR_ROOT_CERT}" > /tmp/tmpcert.pem
- keytool -keystore /etc/ssl/certs/java/cacerts -storepass changeit -noprompt -trustcacerts -importcert -alias sonarqube -file /tmp/tmpcert.pem
+ # we can't use the default "sonar" password as keytool requires a password with at least 6 characters
+ args+=("-Dsonar.scanner.truststorePassword=changeit")
+ mkdir -p $SONAR_USER_HOME/ssl
+ keytool -storetype PKCS12 -keystore $SONAR_USER_HOME/ssl/truststore.p12 -storepass changeit -noprompt -trustcacerts -importcert -alias sonarqube -file /tmp/tmpcert.pem
+ # for older SQ versions < 10.6
+ export SONAR_SCANNER_OPTS="${SONAR_SCANNER_OPTS:-} -Djavax.net.ssl.trustStore=$SONAR_USER_HOME/ssl/truststore.p12 -Djavax.net.ssl.trustStorePassword=changeit"
 fi
 if [[ -f "${INPUT_PROJECTBASEDIR%/}/pom.xml" ]]; then
@@ -25,12 +32,14 @@ if [[ -f "${INPUT_PROJECTBASEDIR%/}/build.gradle" || -f "${INPUT_PROJECTBASEDIR
 to get more accurate results."
 fi
-debug_flag=''
+
 if [[ "$RUNNER_DEBUG" == '1' ]]; then
- debug_flag='--debug'
+ args+=("--debug")
 fi
 unset JAVA_HOME
-sonar-scanner $debug_flag -Dsonar.projectBaseDir=${INPUT_PROJECTBASEDIR} ${INPUT_ARGS}
+args+=("-Dsonar.projectBaseDir=${INPUT_PROJECTBASEDIR}")
+
+sonar-scanner "${args[@]}" ${INPUT_ARGS}
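Review bot: `$SONAR_USER_HOME` is expanded unquoted in the added `mkdir` and `keytool` lines, and nothing in this patch sets it, so an empty value would put the truststore under `/ssl` and a value containing spaces would split into several arguments. Quoting and failing fast covers both cases: `mkdir -p "${SONAR_USER_HOME:?}/ssl"` and `-keystore "${SONAR_USER_HOME}/ssl/truststore.p12"`. Presumably the base image defines the variable, which is worth confirming. Separately, `-Djavax.net.ssl.trustStore` now points at a store holding only this one certificate, which replaces the default CA set for whichever JVM reads `SONAR_SCANNER_OPTS`, whereas the removed line appended to `cacerts`. A short comment saying whether that narrowing is intended would help.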
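Review bot: `${INPUT_ARGS}` is still expanded unquoted on the final `sonar-scanner` line, so besides the intended word splitting the shell also performs pathname expansion on it. An `args` value containing `*` or `?`, such as an exclusion pattern, is matched against files in the working directory before the scanner sees it. Putting `set -f` on the line before `sonar-scanner "${args[@]}" ${INPUT_ARGS}` keeps the splitting and disables globbing. Because the user-supplied arguments come last, they can presumably also override the `-Dsonar.projectBaseDir` and truststore properties collected in `args`; a comment stating that this precedence is deliberate would make the intent clear.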