diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index e182dab..8076591 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -1 +1 @@
-.github/CODEOWNERS @sonarsource/orchestration-processing-squad
+.github/* @sonarsource/orchestration-processing-squad
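Review bot: The new `.github/*` pattern does not cover nested paths such as `.github/workflows/qa-main.yml`, because CODEOWNERS uses gitignore-style matching in which `dir/*` matches only direct children (GitHub's documentation gives `docs/*` as matching `docs/getting-started.md` but not `docs/build-app/troubleshooting.md`), so the workflow files changed elsewhere in this diff would have no required owner. Use a directory pattern to cover the whole tree: `.github/ @sonarsource/orchestration-processing-squad` (or `/.github/** @sonarsource/orchestration-processing-squad`). If only top-level files were meant, a comment stating that intent would make the narrower match look deliberate rather than accidental.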
diff --git a/.github/workflows/PullRequestClosed.yml b/.github/workflows/PullRequestClosed.yml
index 77bf0e1..dd54f81 100644
--- a/.github/workflows/PullRequestClosed.yml
+++ b/.github/workflows/PullRequestClosed.yml
@@ -7,7 +7,7 @@ on:
jobs:
PullRequestClosed_job:
name: Pull Request Closed
- runs-on: ubuntu-latest
+ runs-on: ubuntu-latest-large
permissions:
id-token: write
pull-requests: read
diff --git a/.github/workflows/PullRequestCreated.yml b/.github/workflows/PullRequestCreated.yml
index 895ba78..d532c22 100644
--- a/.github/workflows/PullRequestCreated.yml
+++ b/.github/workflows/PullRequestCreated.yml
@@ -7,7 +7,7 @@ on:
jobs:
PullRequestCreated_job:
name: Pull Request Created
- runs-on: ubuntu-latest
+ runs-on: ubuntu-latest-large
permissions:
id-token: write
# For external PR, ticket should be created manually
diff --git a/.github/workflows/RequestReview.yml b/.github/workflows/RequestReview.yml
index 5eac0d5..5e74c2b 100644
--- a/.github/workflows/RequestReview.yml
+++ b/.github/workflows/RequestReview.yml
@@ -7,7 +7,7 @@ on:
jobs:
RequestReview_job:
name: Request review
- runs-on: ubuntu-latest
+ runs-on: ubuntu-latest-large
permissions:
id-token: write
# For external PR, ticket should be moved manually
diff --git a/.github/workflows/SubmitReview.yml b/.github/workflows/SubmitReview.yml
index d5f22e6..763ca30 100644
--- a/.github/workflows/SubmitReview.yml
+++ b/.github/workflows/SubmitReview.yml
@@ -7,7 +7,7 @@ on:
jobs:
SubmitReview_job:
name: Submit Review
- runs-on: ubuntu-latest
+ runs-on: ubuntu-latest-large
permissions:
id-token: write
pull-requests: read
diff --git a/.github/workflows/qa-deprecated-c-cpp.yml b/.github/workflows/qa-deprecated-c-cpp.yml
index 8ab16d5..356c063 100644
--- a/.github/workflows/qa-deprecated-c-cpp.yml
+++ b/.github/workflows/qa-deprecated-c-cpp.yml
@@ -12,7 +12,7 @@ jobs:
name: Action outputs
strategy:
matrix:
- os: [ubuntu-latest, windows-latest, macos-latest, macos-13]
+ os: [ubuntu-latest-large, windows-latest-large, macos-latest, macos-13]
cache: [true, false]
include:
- arch: X64
@@ -31,7 +31,7 @@ jobs:
exit 1
fi
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v5
with:
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
diff --git a/.github/workflows/qa-install-build-wrapper.yml b/.github/workflows/qa-install-build-wrapper.yml
index 793ae05..d177888 100644
--- a/.github/workflows/qa-install-build-wrapper.yml
+++ b/.github/workflows/qa-install-build-wrapper.yml
@@ -12,7 +12,7 @@ jobs:
name: Action outputs
strategy:
matrix:
- os: [ubuntu-latest, windows-latest, macos-latest, macos-13]
+ os: [ubuntu-latest-large, windows-latest-large, macos-latest, macos-13]
cache: [true, false]
include:
- arch: X64
@@ -31,7 +31,7 @@ jobs:
exit 1
fi
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v5
with:
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
diff --git a/.github/workflows/qa-main.yml b/.github/workflows/qa-main.yml
index f49e853..1117256 100644
--- a/.github/workflows/qa-main.yml
+++ b/.github/workflows/qa-main.yml
@@ -11,12 +11,15 @@ jobs:
noInputsTest:
name: >
No inputs
- runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ os: [ ubuntu-latest-large, macos-latest ]
+ runs-on: ${{ matrix.os }}
steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
- - name: Run action with args
+ - name: Run action without args
uses: ./
env:
SONAR_HOST_URL: http://not_actually_used
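Review bot: `- uses: actions/checkout@v5` in this hunk is a mutable tag, while the same commit pins `madhead/semver-utils` to a full commit SHA with a `# v4.3.0` comment in update-tags.yml; the two pinning policies should agree, and the SHA form is the one that still holds if a tag is moved. The same tag bump appears in every other workflow hunk of this diff (qa-deprecated-c-cpp, qa-install-build-wrapper, the remaining qa-main hunks, qa-scripts, update-tags, version_update), so one decision covers them all, and a dependency-update bot can keep a SHA current if staleness is the concern. The README example added at the end of the diff recommends `zendesk/sonarqube-scan-action@master`, a moving branch ref, which is the same trade-off pushed onto consumers. The change would be `- uses: actions/checkout@<full commit SHA> # v5.x.y`, with the SHA taken from the upstream release.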
@@ -29,31 +32,144 @@ jobs:
'args' input
strategy:
matrix:
- os: [ ubuntu-latest, windows-latest, macos-latest ]
+ os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
runs-on: ${{ matrix.os }}
steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action with args
uses: ./
with:
- args: -Dsonar.someArg=aValue -Dsonar.scanner.internal.dumpToFile=./output.properties
+ args: -Dsonar.someArg=aValue -Dsonar.anotherArgWithSpaces="Another Value" -Dsonar.argWithSingleQuotes='Another Value'
env:
SONAR_HOST_URL: http://not_actually_used
SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'
- name: Assert
run: |
./test/assertFileContains ./output.properties "sonar.someArg=aValue"
+ ./test/assertFileContains ./output.properties 'sonar.anotherArgWithSpaces="Another Value"'
+ ./test/assertFileContains ./output.properties "sonar.argWithSingleQuotes='Another Value'"
+ argsInputInjectionTest:
+ name: >
+ 'args' input with command injection will fail
+ strategy:
+ matrix:
+ os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
+ args: [ -Dsonar.someArg=aValue && echo "Injection", -Dsonar.someArg="value\"; whoami; echo \"" ]
+ runs-on: ${{ matrix.os }}
+ steps:
+ - uses: actions/checkout@v5
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ - name: Run action with args
+ uses: ./
+ continue-on-error: true
+ with:
+ args: ${{ matrix.args }}
+ env:
+ SONAR_HOST_URL: http://not_actually_used
+ SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'
+ - name: Fail if action succeeded
+ if: steps.runTest.outcome == 'success'
+ run: exit 1
+ - name: Assert the scanner was not called
+ run: |
+ ./test/assertFileDoesntExist ./output.properties
+ backtickCommandInjectionTest:
+ name: >
+ 'args' input with backticks injection does not execute command
+ strategy:
+ matrix:
+ os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
+ runs-on: ${{ matrix.os }}
+ steps:
+ - uses: actions/checkout@v5
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ - name: Run action with args
+ uses: ./
+ continue-on-error: true
+ with:
+ args: >
+ -Dsonar.arg1="refs/heads/branch: [workflows] Bump `actions/*`" -Dsonar.arg2="test `echo Command Injection`" -Dsonar.arg3="`id`" -Dsonar.arg4="test'; `echo injection`; echo '" -Dsonar.arg5=" `whoami` " -Dsonar.arg6="test\`echo injection\`test"
+ env:
+ SONAR_HOST_URL: http://not_actually_used
+ SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'
+ - name: Assert command in arg is not executed
+ run: |
+ ./test/assertFileContains ./output.properties 'sonar.arg1="refs/heads/branch\\: \[workflows\] Bump `actions/\*`"'
+ ./test/assertFileContains ./output.properties 'sonar.arg2="test `echo Command Injection`"'
+ ./test/assertFileContains ./output.properties 'sonar.arg3="`id`"'
+ ./test/assertFileContains ./output.properties "sonar.arg4=\"test'; \`echo injection\`; echo '\""
+ ./test/assertFileContains ./output.properties 'sonar.arg5=" `whoami` "'
+ ./test/assertFileContains ./output.properties 'sonar.arg6="test\\\\`echo injection\\\\`test"'
+ dollarSymbolCommandInjectionTest:
+ name: >
+ 'args' input with dollar command injection does not execute command
+ strategy:
+ matrix:
+ os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
+ runs-on: ${{ matrix.os }}
+ steps:
+ - uses: actions/checkout@v5
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ - name: Run action with args
+ uses: ./
+ continue-on-error: true
+ with:
+ args: -Dsonar.arg1="$(whoami)" -Dsonar.arg2="$GITHUB_TOKEN" -Dsonar.arg3="$(echo outer $(echo inner))" -Dsonar.arg4="value\$(whoami)end" -Dsonar.arg5="$(printf 'A%.0s' {1..10000})" -Dsonar.arg6='value"; $(whoami); echo "'
+ env:
+ SONAR_HOST_URL: http://not_actually_used
+ SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'
+ - name: Assert command in arg is not executed
+ run: |
+ ./test/assertFileContains ./output.properties 'sonar.arg1="$(whoami)"'
+ ./test/assertFileContains ./output.properties 'sonar.arg2="$GITHUB_TOKEN"'
+ ./test/assertFileContains ./output.properties 'sonar.arg3="$(echo outer $(echo inner))"'
+ ./test/assertFileContains ./output.properties 'sonar.arg4="value\\\\$(whoami)end"'
+ ./test/assertFileContains ./output.properties 'sonar.arg5="$(printf '\''A%.0s'\'' {1..10000})"'
+ ./test/assertFileContains ./output.properties 'sonar.arg6='\''value"; $(whoami); echo "'\'''
+ otherCommandInjectionVariantsTest:
+ name: >
+ 'args' input with other command injection variants does not execute command
+ strategy:
+ matrix:
+ os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
+ runs-on: ${{ matrix.os }}
+ steps:
+ - uses: actions/checkout@v5
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ - name: Run action with args
+ uses: ./
+ continue-on-error: true
+ with:
+ args: -Dsonar.arg1="test | base64" -Dsonar.arg2="value; whoami" -Dsonar.arg3="value && echo test" -Dsonar.arg4="value > /tmp/output.txt" -Dsonar.arg5="< /etc/passwd" -Dsonar.arg6="" -Dsonar.arg7="../../../*" -Dsonar.arg8="*.key" -Dsonar.arg9="test\u0027\u0060whoami\u0060"
+ env:
+ SONAR_HOST_URL: http://not_actually_used
+ SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'
+ - name: Assert command in arg is not executed
+ run: |
+ ./test/assertFileContains ./output.properties 'sonar.arg1="test | base64"'
+ ./test/assertFileContains ./output.properties 'sonar.arg2="value; whoami"'
+ ./test/assertFileContains ./output.properties 'sonar.arg3="value && echo test"'
+ ./test/assertFileContains ./output.properties 'sonar.arg4="value > /tmp/output.txt"'
+ ./test/assertFileContains ./output.properties 'sonar.arg5="< /etc/passwd"'
+ ./test/assertFileContains ./output.properties 'sonar.arg6=""'
+ ./test/assertFileContains ./output.properties 'sonar.arg7="../../../\*"'
+ ./test/assertFileContains ./output.properties 'sonar.arg8="\*.key"'
+ ./test/assertFileContains ./output.properties 'sonar.arg9="test\\\\u0027\\\\u0060whoami\\\\u0060"'
projectBaseDirInputTest:
name: >
'projectBaseDir' input
strategy:
matrix:
- os: [ ubuntu-latest, windows-latest, macos-latest ]
+ os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
runs-on: ${{ matrix.os }}
steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
- run: mkdir -p ./baseDir
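Review bot: `if: steps.runTest.outcome == 'success'` in argsInputInjectionTest references a step id that no step in the job declares — the `Run action with args` step above it has `uses`, `continue-on-error` and `with` but no `id:`, so the expression reads a missing context, the comparison is false and `Fail if action succeeded` is always skipped. The job name promises the injection attempt "will fail", yet the only effective assertion is `assertFileDoesntExist`. Add `id: runTest` to that step, the same pattern scannerVersionValidationTest uses with `id: invalid_version`, so the outcome check actually runs. The other injection jobs in this hunk assert on file contents and do not use `outcome`, so they are unaffected.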
@@ -71,9 +187,9 @@ jobs:
scannerVersionTest:
name: >
'scannerVersion' input
- runs-on: ubuntu-latest # assumes default RUNNER_ARCH for linux is X64
+ runs-on: ubuntu-latest-large # assumes default RUNNER_ARCH for linux is X64
steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action with scannerVersion
@@ -91,9 +207,9 @@ jobs:
scannerBinariesUrlTest:
name: >
'scannerBinariesUrl' input with invalid URL
- runs-on: ubuntu-latest # assumes default RUNNER_ARCH for linux is X64
+ runs-on: ubuntu-latest-large # assumes default RUNNER_ARCH for linux is X64
steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action with scannerBinariesUrl
@@ -119,9 +235,9 @@ jobs:
scannerBinariesUrlIsEscapedWithWget:
name: >
'scannerBinariesUrl' is escaped with wget so special chars are not injected in the download command
- runs-on: ubuntu-latest
+ runs-on: ubuntu-latest-large
steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action with scannerBinariesUrl
@@ -140,9 +256,9 @@ jobs:
scannerBinariesUrlIsEscapedWithCurl:
name: >
'scannerBinariesUrl' is escaped with curl so special chars are not injected in the download command
- runs-on: ubuntu-latest
+ runs-on: ubuntu-latest-large
steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Remove wget
@@ -169,9 +285,9 @@ jobs:
dontFailGradleTest:
name: >
Don't fail on Gradle project
- runs-on: ubuntu-latest
+ runs-on: ubuntu-latest-large
steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action on Gradle project
@@ -190,9 +306,9 @@ jobs:
dontFailGradleKotlinTest:
name: >
Don't fail on Kotlin Gradle project
- runs-on: ubuntu-latest
+ runs-on: ubuntu-latest-large
steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action on Kotlin Gradle project
@@ -211,9 +327,9 @@ jobs:
dontFailMavenTest:
name: >
Don't fail on Maven project
- runs-on: ubuntu-latest
+ runs-on: ubuntu-latest-large
steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action on Maven project
@@ -230,7 +346,7 @@ jobs:
run: |
./test/assertFileExists ./output.properties
runAnalysisTest:
- runs-on: ubuntu-latest
+ runs-on: ubuntu-latest-large
services:
sonarqube:
image: sonarqube:lts-community
@@ -246,7 +362,7 @@ jobs:
--health-timeout 5s
--health-retries 10
steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action on sample project
@@ -265,10 +381,10 @@ jobs:
'RUNNER_DEBUG' is used
strategy:
matrix:
- os: [ ubuntu-latest, windows-latest, macos-latest ]
+ os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
runs-on: ${{ matrix.os }}
steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action with debug mode
@@ -283,7 +399,7 @@ jobs:
run: |
./test/assertFileContains ./output.properties "sonar.verbose=true"
runAnalysisWithCacheTest:
- runs-on: ubuntu-latest
+ runs-on: ubuntu-latest-large
services:
sonarqube:
image: sonarqube:lts-community
@@ -299,7 +415,7 @@ jobs:
--health-timeout 5s
--health-retries 10
steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: SonarQube Cache
@@ -324,10 +440,10 @@ jobs:
'SONARCLOUD_URL' is used
strategy:
matrix:
- os: [ ubuntu-latest, windows-latest, macos-latest ]
+ os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
runs-on: ${{ matrix.os }}
steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action with SONARCLOUD_URL
@@ -343,9 +459,9 @@ jobs:
./test/assertFileContains ./output.properties "sonar.scanner.sonarcloudUrl=mirror.sonarcloud.io"
dontFailWhenMissingWgetButCurlAvailable:
name: Don't fail when missing wget but curl available
- runs-on: ubuntu-latest
+ runs-on: ubuntu-latest-large
steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Remove wget
@@ -369,9 +485,9 @@ jobs:
./test/assertFileExists ./output.properties
dontFailWhenMissingCurlButWgetAvailable:
name: Don't fail when missing curl but wget available
- runs-on: ubuntu-latest
+ runs-on: ubuntu-latest-large
steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Remove curl
@@ -396,9 +512,9 @@ jobs:
./test/assertFileExists ./output.properties
failWhenBothWgetAndCurlMissing:
name: Fail when both wget and curl are missing
- runs-on: ubuntu-latest
+ runs-on: ubuntu-latest-large
steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Remove wget and curl
@@ -429,9 +545,9 @@ jobs:
curlPerformsRedirect:
name: >
curl performs redirect when scannerBinariesUrl returns 3xx
- runs-on: ubuntu-latest
+ runs-on: ubuntu-latest-large
steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Remove wget
@@ -463,10 +579,10 @@ jobs:
'SONAR_ROOT_CERT' is converted to truststore
strategy:
matrix:
- os: [ ubuntu-latest, windows-latest, macos-latest ]
+ os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
runs-on: ${{ matrix.os }}
steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action with SSL certificate
@@ -515,9 +631,9 @@ jobs:
analysisWithSslCertificate:
name: >
Analysis takes into account 'SONAR_ROOT_CERT'
- runs-on: ubuntu-latest
+ runs-on: ubuntu-latest-large
steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Generate server certificate
@@ -623,9 +739,9 @@ jobs:
overridesScannerLocalFolderWhenPresent: # can happen in uncleaned self-hosted runners
name: >
'SCANNER_LOCAL_FOLDER' is cleaned with warning when present
- runs-on: ubuntu-latest
+ runs-on: ubuntu-latest-large
steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Create a dummy SCANNER_LOCAL_FOLDER with dummy content in it
@@ -657,9 +773,9 @@ jobs:
updateTruststoreWhenPresent: # can happen in uncleaned self-hosted runners
name: >
truststore.p12 is updated when present
- runs-on: ubuntu-latest
+ runs-on: ubuntu-latest-large
steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Create SONAR_SSL_FOLDER with a file in it (not-truststore.p12)
@@ -783,3 +899,26 @@ jobs:
[ -f "$SONAR_SSL_FOLDER/truststore.p12" ] || exit 1
TRUSTSTORE_P12_MOD_TIME_T3=$(stat -c %Y "$SONAR_SSL_FOLDER/truststore.p12")
[ "$TRUSTSTORE_P12_MOD_TIME_T2" != "$TRUSTSTORE_P12_MOD_TIME_T3" ] || exit 1
+ scannerVersionValidationTest:
+ name: >
+ 'scannerVersion' input validation
+ runs-on: ubuntu-latest-large
+ steps:
+ - uses: actions/checkout@v5
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ - name: Run action with invalid scannerVersion
+ id: invalid_version
+ uses: ./
+ continue-on-error: true
+ with:
+ scannerVersion: "7.1.0-SNAPSHOT"
+ args: -Dsonar.scanner.internal.dumpToFile=./output.properties
+ env:
+ NO_CACHE: true
+ SONAR_HOST_URL: http://not_actually_used
+ - name: Assert failure of previous step
+ if: steps.invalid_version.outcome == 'success'
+ run: |
+ echo "Action with invalid scannerVersion should have failed but succeeded"
+ exit 1
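Review bot: scannerVersionValidationTest only asserts that the step's `outcome` is not `success`, so any failure — a download error, a runner problem — satisfies it, not just the version-validation rejection the job name claims. Consider adding `./test/assertFileDoesntExist ./output.properties` as the other negative tests in this file do, and, if the action prints a distinguishable validation message, asserting on that as well. Whether `7.1.0-SNAPSHOT` is rejected before any download is attempted is not visible from this hunk.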
diff --git a/.github/workflows/qa-scripts.yml b/.github/workflows/qa-scripts.yml
index 74d8691..f612f46 100644
--- a/.github/workflows/qa-scripts.yml
+++ b/.github/workflows/qa-scripts.yml
@@ -10,9 +10,9 @@ on:
jobs:
create-install-dir-test:
name: create_install_path.sh
- runs-on: ubuntu-latest
+ runs-on: ubuntu-latest-large
steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v5
with:
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
@@ -107,7 +107,7 @@ jobs:
grep "=== Script failed ===" output
setup-script-test:
name: configure_paths.sh
- runs-on: ubuntu-latest
+ runs-on: ubuntu-latest-large
env:
INSTALL_PATH: 'install-directory'
SONAR_HOST_URL: 'http://sonar-host.com'
@@ -123,7 +123,7 @@ jobs:
SONAR_SCANNER_URL_MACOSX_AARCH64: 'https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-vX.Y.Z.MMMM-macosx-aarch64.zip'
SONAR_SCANNER_SHA_MACOSX_AARCH64: 'DOWNLOAD-SHA-MACOSX-AARCH64'
steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v5
with:
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
@@ -250,9 +250,9 @@ jobs:
grep "=== Script failed ===" output
download-script-test:
name: download.sh
- runs-on: ubuntu-latest
+ runs-on: ubuntu-latest-large
steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v5
with:
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
@@ -319,9 +319,9 @@ jobs:
grep "=== Script failed ===" output
fetch-latest-version-test:
name: fetch_latest_version.sh
- runs-on: ubuntu-latest
+ runs-on: ubuntu-latest-large
steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v5
with:
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
- name: Test script
diff --git a/.github/workflows/update-tags.yml b/.github/workflows/update-tags.yml
index 13953b7..f274841 100644
--- a/.github/workflows/update-tags.yml
+++ b/.github/workflows/update-tags.yml
@@ -7,16 +7,16 @@ on:
jobs:
generate:
- runs-on: ubuntu-latest
+ runs-on: ubuntu-latest-large
permissions:
contents: write
steps:
- name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@v5
- name: Parse semver
- uses: madhead/semver-utils@v4
+ uses: madhead/semver-utils@36d1e0ed361bd7b4b77665de8093092eaeabe6ba # v4.3.0
id: version
with:
version: ${{ github.ref_name }}
diff --git a/.github/workflows/version_update.yml b/.github/workflows/version_update.yml
index 87f2019..9be42a6 100644
--- a/.github/workflows/version_update.yml
+++ b/.github/workflows/version_update.yml
@@ -5,19 +5,17 @@ on:
- cron: '15 10 * * *'
jobs:
- update-version:
- name: Prepare pull request for sonar-scanner version update
- runs-on: ubuntu-latest
- permissions:
- contents: write
- pull-requests: write
+ check-version:
+ name: Check for sonar-scanner version update
+ runs-on: ubuntu-latest-large
+ outputs:
+ should_update: ${{ steps.version-check.outputs.should_update }}
+ new-version: ${{ steps.latest-version.outputs.sonar-scanner-version }}
steps:
- run: sudo apt install -y jq
- - run: sudo snap install yq
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v5
with:
ref: master
- persist-credentials: true
fetch-depth: 0
- name: "Fetch currently used sonar-scanner version"
@@ -25,25 +23,50 @@ jobs:
shell: bash
run: cat sonar-scanner-version >> $GITHUB_OUTPUT
- - name: "Fetch lastest sonar-scanner version"
+ - name: "Fetch latest sonar-scanner version"
id: latest-version
shell: bash
run: |
./scripts/fetch_latest_version.sh > sonar-scanner-version
cat sonar-scanner-version >> $GITHUB_OUTPUT
- - name: "Update default version"
- if: steps.tagged-version.outputs.sonar-scanner-version != steps.latest-version.outputs.sonar-scanner-version
+
+ - name: "Determine if update is needed"
+ id: version-check
shell: bash
- env:
- NEW_VERSION: ${{ steps.latest-version.outputs.sonar-scanner-version }}
run: |
- yq -i '.inputs.scannerVersion.default = strenv(NEW_VERSION)' action.yml
- - name: "Create Pull Request for version update"
- if: steps.tagged-version.outputs.sonar-scanner-version != steps.latest-version.outputs.sonar-scanner-version
+ if [[ "${{ steps.tagged-version.outputs.sonar-scanner-version }}" != "${{ steps.latest-version.outputs.sonar-scanner-version }}" ]]; then
+ echo "should_update=true" >> $GITHUB_OUTPUT
+ else
+ echo "should_update=false" >> $GITHUB_OUTPUT
+ fi
+
+ update-version:
+ name: Prepare pull request for sonar-scanner version update
+ needs: check-version
+ runs-on: ubuntu-latest-large
+ permissions:
+ contents: write
+ pull-requests: write
+ if: needs.check-version.outputs.should_update == 'true'
+ steps:
+ - uses: actions/checkout@v5
+ with:
+ ref: master
+ persist-credentials: true
+ fetch-depth: 0
+ - run: sudo snap install yq
+ - name: "Update default version"
shell: bash
env:
- UPDATE_BRANCH: update-to-sonar-scanner-${{ steps.latest-version.outputs.sonar-scanner-version }}
- TITLE: "Update SonarScanner CLI to ${{ steps.latest-version.outputs.sonar-scanner-version }}"
+ NEW_VERSION: ${{ needs.check-version.outputs.new-version }}
+ run: |
+ yq -i '.inputs.scannerVersion.default = strenv(NEW_VERSION)' action.yml
+ ./scripts/fetch_latest_version.sh > sonar-scanner-version
+ - name: "Create Pull Request for version update"
+ shell: bash
+ env:
+ UPDATE_BRANCH: update-to-sonar-scanner-${{ needs.check-version.outputs.new-version }}
+ TITLE: "Update SonarScanner CLI to ${{ needs.check-version.outputs.new-version }}"
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
git config --global user.name "SonarTech"
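Review bot: The new `Determine if update is needed` step interpolates `${{ steps.tagged-version.outputs.sonar-scanner-version }}` and `${{ steps.latest-version.outputs.sonar-scanner-version }}` directly into the `run:` script on the `[[ ... ]]` line, which is the expression-injection pattern GitHub warns about: the latest-version value is whatever `./scripts/fetch_latest_version.sh` fetched over the network, and it is spliced into bash text before the shell parses it. The safe pattern is already used lower in the same file (`NEW_VERSION` passed through `env:`), so compare through environment variables instead; the old `if:` on the step was also immune to this. A secondary drift: `update-version` re-runs `fetch_latest_version.sh` on the line after `yq -i`, so the committed `sonar-scanner-version` can differ from `new-version` if upstream changes between the two jobs; writing `$NEW_VERSION` into the file would keep them consistent. The `run:` block of the PR-creation step continues past the end of this hunk.
```yaml
      - name: "Determine if update is needed"
        # … unchanged: id, shell …
        env:
          TAGGED_VERSION: ${{ steps.tagged-version.outputs.sonar-scanner-version }}
          LATEST_VERSION: ${{ steps.latest-version.outputs.sonar-scanner-version }}
        run: |
          if [[ "$TAGGED_VERSION" != "$LATEST_VERSION" ]]; then
          # … unchanged: should_update echo branches and fi …
```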
@@ -56,5 +79,5 @@ jobs:
gh pr list
if [[ $(gh pr list -H "${UPDATE_BRANCH}" | grep "${UPDATE_BRANCH}" | wc -l) -eq 0 ]]; then
- gh pr create -B master -H ${UPDATE_BRANCH} --title "${TITLE}" --body "Automatic updated of sonar-scanner version value. Needs to be tagged for release."
+ gh pr create -B master -H ${UPDATE_BRANCH} --title "${TITLE}" --body "Automatic update of the sonar-scanner version value. Be sure to trigger the QA workflow by closing and reopening this PR (see https://github.com/orgs/community/discussions/65321)."
fi
diff --git a/README.md b/README.md
index 5edcc96..b4bd8f5 100644
--- a/README.md
+++ b/README.md
@@ -1,330 +1,14 @@
-# Scan your code with SonarQube [](https://github.com/SonarSource/sonarqube-scan-action/actions/workflows/qa-main.yml) [](https://github.com/SonarSource/sonarqube-scan-action/actions/workflows/qa-install-build-wrapper.yml) [](https://github.com/SonarSource/sonarqube-scan-action/actions/workflows/qa-scripts.yml) [](https://github.com/SonarSource/sonarqube-scan-action/actions/workflows/qa-deprecated-c-cpp.yml)
+# Disclaimer
+This is a Zendesk maintained repository cloned from [SonarSource/sonarqube-scan-action](https://github.com/SonarSource/sonarqube-scan-action). This repository is not updated from upstreame master breanch, instead it is updated from the latest tag from the SonarSource/sonarqube-scan-action.
-This SonarSource project, available as a GitHub Action, scans your projects with SonarQube [Server](https://www.sonarsource.com/products/sonarqube/) or [Cloud](https://www.sonarsource.com/products/sonarcloud/).
-
-
-
-
-
-
-SonarQube [Server](https://www.sonarsource.com/products/sonarqube/) and [Cloud](https://www.sonarsource.com/products/sonarcloud/) (formerly SonarQube and SonarCloud) is a widely used static analysis solution for continuous code quality and security inspection.
-
-It helps developers detect coding issues in 30+ languages, frameworks, and IaC platforms, including Java, JavaScript, TypeScript, C#, Python, C, C++, and [many more](https://www.sonarsource.com/knowledge/languages/).
-
-The solution also provides fix recommendations leveraging AI with Sonar's AI CodeFix capability.
-
-> [!NOTE]
-> This action now supports and is the official entrypoint for scanning C, C++, Objective-C and Dart projects via GitHub actions.
-
-## Requirements
-
-### Server
-
-To run an analysis on your code, you first need to set up your project on SonarQube Server. Your SonarQube Server instance must be accessible from GitHub, and you will need an access token to run the analysis (more information below under **Environment variables**).
-
-Read more information on how to analyze your code [here](https://docs.sonarsource.com/sonarqube-server/latest/devops-platform-integration/github-integration/introduction/).
-
-### Cloud
-
-* Create your account on SonarQube Cloud. [Sign up for free](https://www.sonarsource.com/products/sonarcloud/signup/?utm_medium=referral&utm_source=github&utm_campaign=sc-signup&utm_content=signup-sonarcloud-listing-x-x&utm_term=ww-psp-x) now if it's not already the case!
-* The repository to analyze is set up on SonarQube Cloud. [Set it up](https://sonarcloud.io/projects/create) in just one click.
-
-## Usage
-
-Project metadata, including the location of the sources to be analyzed, must be declared in the file `sonar-project.properties` in the base directory:
-
-### Server
-
-```properties
-sonar.projectKey=
-
-# relative paths to source directories. More details and properties are described
-# at https://docs.sonarsource.com/sonarqube-server/latest/project-administration/analysis-scope/
-sonar.sources=.
+# Recommended Use within Zendesk
+It is exepected that the Zendesk teams to use `sonarqube-scan-action` like below:
+```
+ - name: SonarQube Scan
+ uses: zendesk/sonarqube-scan-action@master
+ env:
+ SONAR_TOKEN: ${{ secrets.SONARQUBE_TOKEN }}
+ SONAR_HOST_URL: ${{ secrets.SONARQUBE_HOST }}
```
-In the following cases:
-- for projects that don't have C, C++, or Objective-C in them
-- for C, C++, Objective-C projects that don't use [Build Wrapper](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/languages/c-family/prerequisites/#using-buildwrapper)
-
-the workflow, usually declared under `.github/workflows`, looks like the following:
-
-```yaml
-on:
- # Trigger analysis when pushing to your main branches, and when creating a pull request.
- push:
- branches:
- - main
- - master
- - develop
- - 'releases/**'
- pull_request:
- types: [opened, synchronize, reopened]
-
-name: Main Workflow
-jobs:
- sonarqube:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v4
- with:
- # Disabling shallow clones is recommended for improving the relevancy of reporting
- fetch-depth: 0
- - name: SonarQube Scan
- uses: SonarSource/sonarqube-scan-action@ # Ex: v4.1.0, See the latest version at https://github.com/marketplace/actions/official-sonarqube-scan
- env:
- SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
- SONAR_HOST_URL: ${{ vars.SONAR_HOST_URL }}
-```
-
-For C, C++, and Objective-C projects relying on [Build Wrapper](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/languages/c-family/prerequisites/#using-buildwrapper) to generate the compilation database, the workflow requires additional steps to download the Build Wrapper and invoke it:
-
-```yaml
-# Trigger analysis when pushing to your main branches, and when creating a pull request.
- push:
- branches:
- - main
- - master
- - develop
- - 'releases/**'
- pull_request:
- types: [opened, synchronize, reopened]
-
-name: Main Workflow
-jobs:
- sonarqube:
- runs-on: ubuntu-latest
- env:
- BUILD_WRAPPER_OUT_DIR: build_wrapper_output_directory # Directory where build-wrapper output will be placed
- steps:
- - uses: actions/checkout@v4
- with:
- # Disabling shallow clone is recommended for improving relevancy of reporting
- fetch-depth: 0
- - name: Install Build Wrapper
- uses: SonarSource/sonarqube-scan-action/install-build-wrapper@
- env:
- SONAR_HOST_URL: ${{ vars.SONAR_HOST_URL }}
- - name: Run Build Wrapper
- run: |
- # Here goes your compilation wrapped with Build Wrapper
- # For more information, see https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/languages/c-family/prerequisites/#using-buildwrapper
- # build-preparation steps
- # build-wrapper-linux-x86-64 --out-dir ${{ env.BUILD_WRAPPER_OUT_DIR }} build-command
- - name: SonarQube Scan
- uses: SonarSource/sonarqube-scan-action@
- env:
- SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
- SONAR_HOST_URL: ${{ vars.SONAR_HOST_URL }}
- SONAR_ROOT_CERT: ${{ secrets.SONAR_ROOT_CERT }}
- with:
- # Consult https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/scanners/sonarscanner/ for more information and options
- args: >
- --define sonar.cfamily.compile-commands="${{ env.BUILD_WRAPPER_OUT_DIR }}/compile_commands.json"
-```
-
-If you are using SonarQube Server 10.5 or earlier, use `sonar.cfamily.build-wrapper-output` instead of `sonar.cfamily.compile-commands` in the `args` property of the last step, as Build Wrapper does not generate a `compile_commands.json` file before SonarQube Server 10.6.
-
-It should look like this:
-
-```yaml
-with:
- args: >
- --define sonar.cfamily.build-wrapper-output="${{ env.BUILD_WRAPPER_OUT_DIR }}"
-```
-
-See also [example configurations of C++ projects for SonarQube Server](https://github.com/search?q=org%3Asonarsource-cfamily-examples+gh-actions-sq&type=repositories).
-
-### Cloud
-
-```properties
-sonar.organization=
-sonar.projectKey=
-
-# relative paths to source directories. More details and properties are described
-# at https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/analysis-scope/
-sonar.sources=.
-```
-
-In the following cases:
-- for projects that don't have C, C++, or Objective-C in them
-- for C, C++, Objective-C projects that don't use [Build Wrapper](https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/languages/c-family/prerequisites/#using-build-wrapper)
-
-the workflow, usually declared under `.github/workflows`, looks like the following:
-
-```yaml
-on:
- # Trigger analysis when pushing to your main branches, and when creating a pull request.
- push:
- branches:
- - main
- - master
- - develop
- - 'releases/**'
- pull_request:
- types: [opened, synchronize, reopened]
-
-name: Main Workflow
-jobs:
- sonarqube:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v4
- with:
- # Disabling shallow clones is recommended for improving the relevancy of reporting
- fetch-depth: 0
- - name: SonarQube Scan
- uses: SonarSource/sonarqube-scan-action@ # Ex: v4.1.0, See the latest version at https://github.com/marketplace/actions/official-sonarqube-scan
- env:
- SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-```
-
-For C, C++, and Objective-C projects relying on [Build Wrapper](https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/languages/c-family/prerequisites/#using-build-wrapper) to generate the compilation database, the workflow requires additional steps to download the Build Wrapper and invoke it:
-
-```yaml
-# Trigger analysis when pushing to your main branches, and when creating a pull request.
- push:
- branches:
- - main
- - master
- - develop
- - 'releases/**'
- pull_request:
- types: [opened, synchronize, reopened]
-
-name: Main Workflow
-jobs:
- sonarqube:
- runs-on: ubuntu-latest
- env:
- BUILD_WRAPPER_OUT_DIR: build_wrapper_output_directory # Directory where build-wrapper output will be placed
- steps:
- - uses: actions/checkout@v4
- with:
- # Disabling shallow clone is recommended for improving relevancy of reporting
- fetch-depth: 0
- - name: Install Build Wrapper
- uses: SonarSource/sonarqube-scan-action/install-build-wrapper@
- - name: Run Build Wrapper
- run: |
- # Here goes your compilation wrapped with Build Wrapper
- # For more information, see https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/languages/c-family/prerequisites/#using-build-wrapper
- # build-preparation steps
- # build-wrapper-linux-x86-64 --out-dir ${{ env.BUILD_WRAPPER_OUT_DIR }} build-command
- - name: SonarQube Scan
- uses: SonarSource/sonarqube-scan-action@
- env:
- SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
- SONAR_ROOT_CERT: ${{ secrets.SONAR_ROOT_CERT }}
- with:
- # Consult https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/scanners/sonarscanner/ for more information and options
- args: >
- --define sonar.cfamily.compile-commands="${{ env.BUILD_WRAPPER_OUT_DIR }}/compile_commands.json"
-```
-
-See also [example configurations of C++ projects for SonarQube Cloud](https://github.com/search?q=org%3Asonarsource-cfamily-examples+gh-actions-sc&type=repositories).
-
-## Action parameters
-
-You can change the analysis base directory by using the optional input `projectBaseDir` like this:
-
-```yaml
-- uses: SonarSource/sonarqube-scan-action@
- with:
- projectBaseDir: app/src
-```
-
-In case you need to specify the version of the Sonar Scanner, you can use the `scannerVersion` option:
-
-```yaml
-- uses: SonarSource/sonarqube-scan-action@
- with:
- scannerVersion: 6.2.0.4584
-```
-
-In case you need to add additional analysis parameters, and you do not wish to set them in the `sonar-project.properties` file, you can use the `args` option:
-
-```yaml
-- uses: SonarSource/sonarqube-scan-action@
- with:
- projectBaseDir: app/src
- args: >
- -Dsonar.organization=my-organization # For SonarQube Cloud only
- -Dsonar.projectKey=my-projectkey
- -Dsonar.python.coverage.reportPaths=coverage.xml
- -Dsonar.sources=lib/
- -Dsonar.tests=tests/
- -Dsonar.test.exclusions=tests/**
- -Dsonar.verbose=true
-```
-
-You can also specify the URL where to retrieve the SonarScanner CLI from.
-The specified URL overrides the default address: `https://binaries.sonarsource.com/Distribution/sonar-scanner-cli`.
-This can be useful when the runner executing the action is self-hosted and has regulated or no access to the Internet:
-
-```yaml
-- uses: SonarSource/sonarqube-scan-action@
- with:
- scannerBinariesUrl: https://my.custom.binaries.url.com/Distribution/sonar-scanner-cli/
-```
-
-More information about possible analysis parameters can be found:
-* in the [Analysis parameters page](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/analysis-parameters/) of the SonarQube Server documentation
-* in the [Analysis parameters page](https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/analysis-parameters/) of the SonarQube Cloud documentation
-
-### Environment variables
-
-- `SONAR_TOKEN` – **Required** this is the token used to authenticate access to SonarQube. You can read more about security tokens in the documentation of SonarQube [Server](https://docs.sonarsource.com/sonarqube-server/latest/user-guide/managing-tokens/) and [Cloud](https://docs.sonarsource.com/sonarqube-cloud/managing-your-account/managing-tokens/). You can set the `SONAR_TOKEN` environment variable in the "Secrets" settings page of your repository, or you can add them at the level of your GitHub organization (recommended).
-- `SONAR_HOST_URL` – this tells the scanner where SonarQube Server is hosted. You can set the `SONAR_HOST_URL` environment variable in the "Variables" settings page of your repository, or you can add them at the level of your GitHub organization (recommended). Not needed for SonarQube Cloud.
-- `SONAR_ROOT_CERT` – Holds an additional certificate (in PEM format) that is used to validate the certificate of SonarQube Server or of a secured proxy to SonarQube (Server or Cloud). You can set the `SONAR_ROOT_CERT` environment variable in the "Secrets" settings page of your repository, or you can add them at the level of your GitHub organization (recommended).
-
-Here is an example of how you can pass a certificate (in PEM format) to the Scanner truststore:
-
-```yaml
-- uses: SonarSource/sonarqube-scan-action@
- env:
- SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
- SONAR_HOST_URL: ${{ vars.SONAR_HOST_URL }}
- SONAR_ROOT_CERT: ${{ secrets.SONAR_ROOT_CERT }}
-```
-
-If your source code file names contain special characters that are not covered by the locale range of `en_US.UTF-8`, you can configure your desired locale like this:
-
-```yaml
-- uses: SonarSource/sonarqube-scan-action@
- env:
- SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
- SONAR_HOST_URL: ${{ vars.SONAR_HOST_URL }} # or https://sonarcloud.io
- LC_ALL: "ru_RU.UTF-8"
-```
-
-## Alternatives for Java and .NET
-
-This GitHub Action will not work for all technologies. If you are in one of the following situations, you should use the following alternatives:
-
-* Your code is built with Maven. Read the documentation about our SonarScanner for Maven in SonarQube [Server](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/scanners/sonarscanner-for-maven/) and [Cloud](https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/ci-based-analysis/sonarscanner-for-maven/).
-* Your code is built with Gradle. Read the documentation about our SonarScanner for Gradle in SonarQube [Server](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/scanners/sonarscanner-for-gradle/) and [Cloud](https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/ci-based-analysis/sonarscanner-for-gradle/).
-* You want to analyze a .NET solution. Read the documentation about our SonarScanner for .NET in SonarQube [Server](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/scanners/dotnet/introduction/) and [Cloud](https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/ci-based-analysis/sonarscanner-for-dotnet/introduction/).
-
-## Do not use this GitHub action if you are in the following situations
-
-* You want to run the action on C, C++, or Objective-C projects on a 32-bits system - build wrappers support only 64-bits OS.
-
-## Self-hosted runner or container
-
-When running the action in a self-hosted runner or container, please ensure that the following programs are installed:
-
-* **curl** or **wget**
-* **unzip**
-
-## Additional information
-
-The `sonarqube-scan-action/install-build-wrapper` action installs `coreutils` if run on macOS.
-
-## Have questions or feedback?
-
-To provide feedback (requesting a feature or reporting a bug) please post on the SonarSource Community Forum page for SonarQube [Server](https://community.sonarsource.com/tags/c/help/sq/github-actions) or [Cloud](https://community.sonarsource.com/tags/c/help/sc/9/github-actions).
-
-## License
-
-Container images built with this project include third-party materials.
+For details check upstream [README.md](https://github.com/SonarSource/sonarqube-scan-action/blob/master/README.md)
\ No newline at end of file
diff --git a/action.yml b/action.yml
index 847cec8..1784c4c 100644
--- a/action.yml
+++ b/action.yml
@@ -17,7 +17,7 @@ inputs:
description: Version of the Sonar Scanner CLI to use
required: false
# to be kept in sync with sonar-scanner-version
- default: 7.1.0.4889
+ default: 7.2.0.5079
scannerBinariesUrl:
description: URL to download the Sonar Scanner CLI binaries from
required: false
@@ -30,9 +30,10 @@ runs:
shell: bash
env:
INPUT_PROJECTBASEDIR: ${{ inputs.projectBaseDir }}
+ INPUT_SCANNERVERSION: ${{ inputs.scannerVersion }}
- name: Load Sonar Scanner CLI from cache
id: sonar-scanner-cli
- uses: actions/cache@v4
+ uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 #v4.2.4
env:
# The default value is 60mins. Reaching timeout is treated the same as a cache miss.
SEGMENT_DOWNLOAD_TIMEOUT_MINS: 1
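Review bot: The trailing `#v4.2.4` on the pinned `actions/cache` line should be written `# v4.2.4`, with a space after the hash, which is the form yamllint accepts and the form that tools refreshing pinned SHAs generally look for when they keep the version comment in step with the commit. Pinning the cache action to a full SHA rather than the moving `v4` tag is the right call for a step that restores the scanner binaries onto the PATH. Whether the other `uses:` references in action.yml got the same treatment is not visible from this hunk.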
@@ -50,8 +51,9 @@ runs:
run: echo "${RUNNER_TEMP}/sonar-scanner-cli-${{ inputs.scannerVersion }}-${{ runner.os }}-${{ runner.arch }}/bin" >> $GITHUB_PATH
shell: bash
- name: Run SonarScanner
- run: ${GITHUB_ACTION_PATH}/scripts/run-sonar-scanner-cli.sh ${{ inputs.args }}
+ run: ${GITHUB_ACTION_PATH}/scripts/run-sonar-scanner.sh
shell: bash
env:
+ INPUT_ARGS: ${{ inputs.args }}
INPUT_PROJECTBASEDIR: ${{ inputs.projectBaseDir }}
SONAR_SCANNER_JRE: ${{ runner.temp }}/sonar-scanner-cli-${{ inputs.scannerVersion }}-${{ runner.os }}-${{ runner.arch }}/jre
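Review bot: The `run:` line that appends the scanner `bin` directory to `$GITHUB_PATH` still expands `${{ inputs.scannerVersion }}` directly inside the shell text, the same pattern the commit removes for `args` one step below; it is only safe because sanity-checks.sh now rejects anything but digits and dots. For the same defence in depth I would pass it through the environment as well: `run: echo "${RUNNER_TEMP}/sonar-scanner-cli-${INPUT_SCANNERVERSION}-${RUNNER_OS}-${RUNNER_ARCH}/bin" >> "$GITHUB_PATH"` with `INPUT_SCANNERVERSION: ${{ inputs.scannerVersion }}` under that step's `env:`. `$GITHUB_PATH` on the same line is also unquoted. The step's `name:` and the start of the `runs:` block are outside the hunk.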
diff --git a/scripts/cert.sh b/scripts/cert.sh
index 2c2a2a5..de63a55 100755
--- a/scripts/cert.sh
+++ b/scripts/cert.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
if [[ -n "${SONAR_ROOT_CERT}" ]]; then
echo "Adding custom root certificate to java certificate store"
diff --git a/scripts/configure_paths.sh b/scripts/configure_paths.sh
index d1bbfe1..b9f33ac 100755
--- a/scripts/configure_paths.sh
+++ b/scripts/configure_paths.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
if [[ ${ARCH} != "X64" && ! (${ARCH} == "ARM64" && (${OS} == "macOS" || ${OS} == "Linux")) ]]; then
echo "::error::Architecture '${ARCH}' is unsupported by build-wrapper"
diff --git a/scripts/create_install_path.sh b/scripts/create_install_path.sh
index 7e35571..3a3618d 100755
--- a/scripts/create_install_path.sh
+++ b/scripts/create_install_path.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
source "$(dirname -- "$0")/utils.sh"
diff --git a/scripts/download.sh b/scripts/download.sh
index 9e1aefa..5303d52 100755
--- a/scripts/download.sh
+++ b/scripts/download.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
source "$(dirname -- "$0")/utils.sh"
@@ -28,7 +28,7 @@ parse_arguments() {
}
verify_download_correctness() {
- echo "${EXPECTED_SHA} ${TMP_ZIP_PATH}" | sha256sum -c
+ echo "${EXPECTED_SHA} ${TMP_ZIP_PATH}" | sha256sum -c -
check_status "Checking sha256 failed"
}
diff --git a/scripts/fetch_latest_version.sh b/scripts/fetch_latest_version.sh
index 774b035..57c7249 100755
--- a/scripts/fetch_latest_version.sh
+++ b/scripts/fetch_latest_version.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
source "$(dirname -- "$0")/utils.sh"
diff --git a/scripts/install-sonar-scanner-cli.sh b/scripts/install-sonar-scanner-cli.sh
index 6d810e3..10b596c 100755
--- a/scripts/install-sonar-scanner-cli.sh
+++ b/scripts/install-sonar-scanner-cli.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
set -eou pipefail
diff --git a/scripts/run-sonar-scanner-cli.sh b/scripts/run-sonar-scanner-cli.sh
index 1a77f07..d8615e8 100755
--- a/scripts/run-sonar-scanner-cli.sh
+++ b/scripts/run-sonar-scanner-cli.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
set -eo pipefail
@@ -73,9 +73,19 @@ if [[ -n "${SONAR_ROOT_CERT}" ]]; then
scanner_args+=("-Dsonar.scanner.truststorePassword=$SONAR_SSL_TRUSTSTORE_PASSWORD")
fi
-scanner_args+=("$@")
+# split input args correctly (passed through INPUT_ARGS env var to avoid execution of injected command)
+args=()
+if [[ -n "${INPUT_ARGS}" ]]; then
+# the regex recognizes args with values in single or double quotes (without character escaping), and args without quotes as well
+# more specifically, the following patterns: -Darg="value", -Darg='value', -Darg=value, "-Darg=value" and '-Darg=value'
+ IFS=$'\n'; args=($(echo ${INPUT_ARGS} | egrep -o '[^" '\'']+="[^"]*"|[^" '\'']+='\''[^'\'']*'\''|[^" '\'']+|"[^"]+"|'\''[^'\'']+'\'''))
+fi
+
+for arg in "${args[@]}"; do
+ scanner_args+=("$arg")
+done
set -ux
-$SCANNER_BIN "${scanner_args[@]}"
+$SCANNER_BIN ${scanner_args[@]+"${scanner_args[@]}"}
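Review bot: The `args=($(echo ${INPUT_ARGS} | egrep -o …))` line still leaves the parsed arguments exposed to shell expansion: `${INPUT_ARGS}` is unquoted in the `echo`, and the unquoted `$(…)` is word-split and then pathname-expanded, so an argument containing a glob such as `-Dsonar.exclusions=**/*.js` is replaced by matching workspace file names (nothing visible sets `set -f`), and `echo` will also swallow a leading `-n` or `-e`. The `IFS=$'\n'` assignment is never restored and stays in effect for the rest of the script. A `mapfile` read avoids all of that and drops the deprecated `egrep`: `mapfile -t args < <(printf '%s\n' "${INPUT_ARGS}" | grep -Eo '<same pattern as today>')`. Separately, the patterns keep the surrounding quote characters as part of each token and nothing in the hunk strips them, so `-Dkey="value"` appears to reach the scanner with literal quotes; worth confirming against the old inline `run:` behaviour, where the shell removed them.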
diff --git a/scripts/run-sonar-scanner.sh b/scripts/run-sonar-scanner.sh
new file mode 100755
index 0000000..87d0c6a
--- /dev/null
+++ b/scripts/run-sonar-scanner.sh
@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# run the sonar scanner cli
+cmd=(${GITHUB_ACTION_PATH}/scripts/run-sonar-scanner-cli.sh "${INPUT_ARGS}")
+"${cmd[@]}"
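Review bot: `cmd=(${GITHUB_ACTION_PATH}/scripts/run-sonar-scanner-cli.sh "${INPUT_ARGS}")` leaves `${GITHUB_ACTION_PATH}` unquoted inside the array, so a checkout path containing spaces or glob characters is split into several words before the script is invoked; `cmd=("${GITHUB_ACTION_PATH}/scripts/run-sonar-scanner-cli.sh")` is enough. The positional `"${INPUT_ARGS}"` also looks unused: the callee now reads `INPUT_ARGS` from the environment and the run-sonar-scanner-cli.sh hunk drops `scanner_args+=("$@")`, so I would omit it rather than keep two paths for the same input, and record that in the comment, e.g. `# args are read from INPUT_ARGS by the callee; nothing is passed positionally`. With `set -u` this wrapper fails hard when `INPUT_ARGS` is absent from the environment, which is fine as long as action.yml keeps setting it unconditionally as the new side does.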
diff --git a/scripts/sanity-checks.sh b/scripts/sanity-checks.sh
index 6fd8b97..e23ed67 100755
--- a/scripts/sanity-checks.sh
+++ b/scripts/sanity-checks.sh
@@ -1,7 +1,12 @@
-#!/bin/bash
+#!/usr/bin/env bash
set -eo pipefail
+if [[ ! "${INPUT_SCANNERVERSION}" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+ echo "::error title=SonarScanner::Invalid scannerVersion format. Expected format: x.y.z.w (e.g., 7.1.0.4889)"
+ exit 1
+fi
+
if [[ -z "${SONAR_TOKEN}" ]]; then
echo "::warning title=SonarScanner::Running this GitHub Action without SONAR_TOKEN is not recommended"
fi
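Review bot: The new scannerVersion check is what keeps the `${{ inputs.scannerVersion }}` expansions in action.yml (the `run:` line that appends to `$GITHUB_PATH`, and the cache and JRE paths) from becoming a template-injection point, but nothing in the hunk records that dependency, so a later relaxation of the regex would silently reopen it; I would add above the test `# scannerVersion is interpolated into run: steps and paths in action.yml; keep this check strict (digits and dots only)`. The example in the error message, `7.1.0.4889`, is already behind the new default `7.2.0.5079` set elsewhere in this commit and will keep drifting; either drop it or phrase the expectation as a shape, `Expected format: x.y.z.w (four dot-separated integers)`. The script sets `-eo pipefail` but not `-u`, so an unset `INPUT_SCANNERVERSION` is reported as a format error rather than a missing variable, which is acceptable but worth knowing when debugging a failed run.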
diff --git a/scripts/utils.sh b/scripts/utils.sh
index a9849bc..cc79029 100755
--- a/scripts/utils.sh
+++ b/scripts/utils.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
check_status() {
exit_status=$?
diff --git a/sonar-scanner-version b/sonar-scanner-version
index b52ab0b..79b1835 100644
--- a/sonar-scanner-version
+++ b/sonar-scanner-version
@@ -1,11 +1,11 @@
-sonar-scanner-version=7.1.0.4889
-sonar-scanner-url-windows-x64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-7.1.0.4889-windows-x64.zip
-sonar-scanner-sha-windows-x64=64c5154d3d924eb2e03386f10eecb3ec4132298e2c1bf0b60a0d0195cd51a555
-sonar-scanner-url-linux-x64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-7.1.0.4889-linux-x64.zip
-sonar-scanner-sha-linux-x64=b4d2a001d65b489f9effe1ea8a78495db1b152f124d7f7b058aad8651c7e1484
-sonar-scanner-url-linux-aarch64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-7.1.0.4889-linux-aarch64.zip
-sonar-scanner-sha-linux-aarch64=7948ccde77843829b87d41815ead669486f681cd38b0b0893006083a9b6f6b5c
-sonar-scanner-url-macosx-x64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-7.1.0.4889-macosx-x64.zip
-sonar-scanner-sha-macosx-x64=08ad1e75994d91a17016ce55248d0827b62a757b263917234ea2d89bee8f136d
-sonar-scanner-url-macosx-aarch64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-7.1.0.4889-macosx-aarch64.zip
-sonar-scanner-sha-macosx-aarch64=9ad8c5da9e9665c065328b86adb3f33ef43801347ecb3ff1ec27d598ac37b449
+sonar-scanner-version=7.2.0.5079
+sonar-scanner-url-windows-x64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-7.2.0.5079-windows-x64.zip
+sonar-scanner-sha-windows-x64=71936f352206b63cb05ffbcd68e366e52d22916148cf4a2418789bc776f733ea
+sonar-scanner-url-linux-x64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-7.2.0.5079-linux-x64.zip
+sonar-scanner-sha-linux-x64=da9f4e64a3d555f08ce38b5469ebd91fe2b311af473f7001a5ee5c1fd58b004b
+sonar-scanner-url-linux-aarch64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-7.2.0.5079-linux-aarch64.zip
+sonar-scanner-sha-linux-aarch64=803ca725d463e95eeb7537515706367bb8e52bf05ac32174daf9773bdb36d1e2
+sonar-scanner-url-macosx-x64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-7.2.0.5079-macosx-x64.zip
+sonar-scanner-sha-macosx-x64=7b9e92248ca740fff41503bfe5459c460bac43c501d80043cc4fbebb72dfc5fa
+sonar-scanner-url-macosx-aarch64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-7.2.0.5079-macosx-aarch64.zip
+sonar-scanner-sha-macosx-aarch64=c8adb3fbfe5485c17de193a217be765b66cbc10d6540057655afa3c3b5be6f61
diff --git a/test/assertFileContains b/test/assertFileContains
index 69380e1..588d845 100755
--- a/test/assertFileContains
+++ b/test/assertFileContains
@@ -1,10 +1,14 @@
-#!/bin/bash
+#!/usr/bin/env bash
+
+set -eou pipefail
error() { echo -e "\\e[31m✗ $*\\e[0m"; }
-assertFileExists $1
+scriptDir=$(dirname -- "$(readlink -f -- "${BASH_SOURCE[0]}")")
-if ! grep -q $2 $1; then
+$scriptDir/assertFileExists "$1"
+
+if ! grep -q "$2" "$1"; then
error "'$2' not found in '$1'"
exit 1
fi
\ No newline at end of file
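Review bot: `grep -q "$2" "$1"` treats a pattern that begins with `-` as an option, so asserting on a value such as `-Dsonar.verbose=true` changes grep's behaviour instead of searching for it; `grep -q -e "$2" -- "$1"` closes that. `$scriptDir` is left unquoted on the `assertFileExists` call while every other path in the hunk is now quoted, so it should read `"$scriptDir/assertFileExists" "$1"`. `readlink -f` is GNU-specific; if these helpers are ever run on a macOS runner without coreutils, `scriptDir` will be empty and the call above will silently look for `/assertFileExists`.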
diff --git a/test/assertFileDoesntExist b/test/assertFileDoesntExist
index 032a07c..480b761 100755
--- a/test/assertFileDoesntExist
+++ b/test/assertFileDoesntExist
@@ -1,8 +1,10 @@
-#!/bin/bash
+#!/usr/bin/env bash
+
+set -eou pipefail
error() { echo -e "\\e[31m✗ $*\\e[0m"; }
-if [ -f $1 ]; then
+if [ -f "$1" ]; then
error "File '$1' found"
exit 1
fi
\ No newline at end of file
diff --git a/test/assertFileExists b/test/assertFileExists
index 8f04686..e0f2961 100755
--- a/test/assertFileExists
+++ b/test/assertFileExists
@@ -1,8 +1,10 @@
-#!/bin/bash
+#!/usr/bin/env bash
+
+set -eou pipefail
error() { echo -e "\\e[31m✗ $*\\e[0m"; }
-if [ ! -f $1 ]; then
+if [ ! -f "$1" ]; then
error "File '$1' not found"
exit 1
fi
\ No newline at end of file