Issue PET-9252: Uodated the code from tag v5.3.1

2025-12-12 17:31:15 +00:00 · 2025-09-04 12:47:22 +05:30 · 2025-09-04 12:47:22 +05:30 · f07a348728
commit f07a348728
parent 3e30ce1f41
27 changed files with 323 additions and 446 deletions
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@ -1 +1 @@
-.github/CODEOWNERS @sonarsource/orchestration-processing-squad
+.github/* @sonarsource/orchestration-processing-squad
--- a/.github/workflows/PullRequestClosed.yml
+++ b/.github/workflows/PullRequestClosed.yml
@ -7,7 +7,7 @@ on:
 jobs:
  PullRequestClosed_job:
    name: Pull Request Closed
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest-large
    permissions:
      id-token: write
      pull-requests: read
--- a/.github/workflows/PullRequestCreated.yml
+++ b/.github/workflows/PullRequestCreated.yml
@ -7,7 +7,7 @@ on:
 jobs:
  PullRequestCreated_job:
    name: Pull Request Created
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest-large
    permissions:
      id-token: write
    # For external PR, ticket should be created manually
--- a/.github/workflows/RequestReview.yml
+++ b/.github/workflows/RequestReview.yml
@ -7,7 +7,7 @@ on:
 jobs:
  RequestReview_job:
    name: Request review
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest-large
    permissions:
      id-token: write
    # For external PR, ticket should be moved manually
--- a/.github/workflows/SubmitReview.yml
+++ b/.github/workflows/SubmitReview.yml
@ -7,7 +7,7 @@ on:
 jobs:
  SubmitReview_job:
    name: Submit Review
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest-large
    permissions:
      id-token: write
      pull-requests: read
--- a/.github/workflows/qa-deprecated-c-cpp.yml
+++ b/.github/workflows/qa-deprecated-c-cpp.yml
@ -12,7 +12,7 @@ jobs:
    name: Action outputs
    strategy:
      matrix:
-        os: [ubuntu-latest, windows-latest, macos-latest, macos-13]
+        os: [ubuntu-latest-large, windows-latest-large, macos-latest, macos-13]
        cache: [true, false]
        include:
          - arch: X64
@ -31,7 +31,7 @@ jobs:
            exit 1
          fi
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
        with:
          fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
--- a/.github/workflows/qa-install-build-wrapper.yml
+++ b/.github/workflows/qa-install-build-wrapper.yml
@ -12,7 +12,7 @@ jobs:
    name: Action outputs
    strategy:
      matrix:
-        os: [ubuntu-latest, windows-latest, macos-latest, macos-13]
+        os: [ubuntu-latest-large, windows-latest-large, macos-latest, macos-13]
        cache: [true, false]
        include:
          - arch: X64
@ -31,7 +31,7 @@ jobs:
            exit 1
          fi
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
        with:
          fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
--- a/.github/workflows/qa-main.yml
+++ b/.github/workflows/qa-main.yml
@ -11,12 +11,15 @@ jobs:
  noInputsTest:
    name: >
      No inputs
-    runs-on: ubuntu-latest
+    strategy:
      matrix:
        os: [ ubuntu-latest-large, macos-latest ]
    runs-on: ${{ matrix.os }}
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
-      - name: Run action with args
+      - name: Run action without args
        uses: ./
        env:
          SONAR_HOST_URL: http://not_actually_used
@ -29,31 +32,144 @@ jobs:
      'args' input
    strategy:
      matrix:
-        os: [ ubuntu-latest, windows-latest, macos-latest ]
+        os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
    runs-on: ${{ matrix.os }}
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Run action with args
        uses: ./
        with:
-          args: -Dsonar.someArg=aValue -Dsonar.scanner.internal.dumpToFile=./output.properties
+          args: -Dsonar.someArg=aValue -Dsonar.anotherArgWithSpaces="Another Value" -Dsonar.argWithSingleQuotes='Another Value'
        env:
          SONAR_HOST_URL: http://not_actually_used
          SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'
      - name: Assert
        run: |
          ./test/assertFileContains ./output.properties "sonar.someArg=aValue"
          ./test/assertFileContains ./output.properties 'sonar.anotherArgWithSpaces="Another Value"'
          ./test/assertFileContains ./output.properties "sonar.argWithSingleQuotes='Another Value'"
  argsInputInjectionTest:
    name: >
      'args' input with command injection will fail
    strategy:
      matrix:
        os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
        args: [ -Dsonar.someArg=aValue && echo "Injection", -Dsonar.someArg="value\"; whoami; echo \"" ]
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@v5
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Run action with args
        uses: ./
        continue-on-error: true
        with:
          args: ${{ matrix.args }}
        env:
          SONAR_HOST_URL: http://not_actually_used
          SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'
      - name: Fail if action succeeded
        if: steps.runTest.outcome == 'success'
        run: exit 1
      - name: Assert the scanner was not called
        run: |
          ./test/assertFileDoesntExist ./output.properties
  backtickCommandInjectionTest:
    name: >
      'args' input with backticks injection does not execute command
    strategy:
      matrix:
        os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@v5
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Run action with args
        uses: ./
        continue-on-error: true
        with:
          args: >
            -Dsonar.arg1="refs/heads/branch: [workflows] Bump `actions/*`" -Dsonar.arg2="test `echo Command Injection`" -Dsonar.arg3="`id`" -Dsonar.arg4="test'; `echo injection`; echo '" -Dsonar.arg5="   `whoami`   " -Dsonar.arg6="test\`echo injection\`test"
        env:
          SONAR_HOST_URL: http://not_actually_used
          SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'
      - name: Assert command in arg is not executed
        run: |
          ./test/assertFileContains ./output.properties 'sonar.arg1="refs/heads/branch\\: \[workflows\] Bump `actions/\*`"'
          ./test/assertFileContains ./output.properties 'sonar.arg2="test `echo Command Injection`"'
          ./test/assertFileContains ./output.properties 'sonar.arg3="`id`"'
          ./test/assertFileContains ./output.properties "sonar.arg4=\"test'; \`echo injection\`; echo '\""
          ./test/assertFileContains ./output.properties 'sonar.arg5="   `whoami`   "'
          ./test/assertFileContains ./output.properties 'sonar.arg6="test\\\\`echo injection\\\\`test"'
  dollarSymbolCommandInjectionTest:
    name: >
      'args' input with dollar command injection does not execute command
    strategy:
      matrix:
        os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@v5
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Run action with args
        uses: ./
        continue-on-error: true
        with:
          args: -Dsonar.arg1="$(whoami)" -Dsonar.arg2="$GITHUB_TOKEN" -Dsonar.arg3="$(echo outer $(echo inner))" -Dsonar.arg4="value\$(whoami)end" -Dsonar.arg5="$(printf 'A%.0s' {1..10000})" -Dsonar.arg6='value"; $(whoami); echo "'
        env:
          SONAR_HOST_URL: http://not_actually_used
          SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'
      - name: Assert command in arg is not executed
        run: |
          ./test/assertFileContains ./output.properties 'sonar.arg1="$(whoami)"'
          ./test/assertFileContains ./output.properties 'sonar.arg2="$GITHUB_TOKEN"'
          ./test/assertFileContains ./output.properties 'sonar.arg3="$(echo outer $(echo inner))"'
          ./test/assertFileContains ./output.properties 'sonar.arg4="value\\\\$(whoami)end"'
          ./test/assertFileContains ./output.properties 'sonar.arg5="$(printf '\''A%.0s'\'' {1..10000})"'
          ./test/assertFileContains ./output.properties 'sonar.arg6='\''value"; $(whoami); echo "'\'''
  otherCommandInjectionVariantsTest:
    name: >
      'args' input with other command injection variants does not execute command
    strategy:
      matrix:
        os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@v5
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Run action with args
        uses: ./
        continue-on-error: true
        with:
          args: -Dsonar.arg1="test | base64" -Dsonar.arg2="value; whoami" -Dsonar.arg3="value && echo test" -Dsonar.arg4="value > /tmp/output.txt" -Dsonar.arg5="< /etc/passwd" -Dsonar.arg6="" -Dsonar.arg7="../../../*" -Dsonar.arg8="*.key" -Dsonar.arg9="test\u0027\u0060whoami\u0060"
        env:
          SONAR_HOST_URL: http://not_actually_used
          SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'
      - name: Assert command in arg is not executed
        run: |
          ./test/assertFileContains ./output.properties 'sonar.arg1="test | base64"'
          ./test/assertFileContains ./output.properties 'sonar.arg2="value; whoami"'
          ./test/assertFileContains ./output.properties 'sonar.arg3="value && echo test"'
          ./test/assertFileContains ./output.properties 'sonar.arg4="value > /tmp/output.txt"'
          ./test/assertFileContains ./output.properties 'sonar.arg5="< /etc/passwd"'
          ./test/assertFileContains ./output.properties 'sonar.arg6=""'
          ./test/assertFileContains ./output.properties 'sonar.arg7="../../../\*"'
          ./test/assertFileContains ./output.properties 'sonar.arg8="\*.key"'
          ./test/assertFileContains ./output.properties 'sonar.arg9="test\\\\u0027\\\\u0060whoami\\\\u0060"'
  projectBaseDirInputTest:
    name: >
      'projectBaseDir' input
    strategy:
      matrix:
-        os: [ ubuntu-latest, windows-latest, macos-latest ]
+        os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
    runs-on: ${{ matrix.os }}
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - run: mkdir -p ./baseDir
@ -71,9 +187,9 @@ jobs:
  scannerVersionTest:
    name: >
      'scannerVersion' input
-    runs-on: ubuntu-latest # assumes default RUNNER_ARCH for linux is X64
+    runs-on: ubuntu-latest-large # assumes default RUNNER_ARCH for linux is X64
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Run action with scannerVersion
@ -91,9 +207,9 @@ jobs:
  scannerBinariesUrlTest:
    name: >
      'scannerBinariesUrl' input with invalid URL
-    runs-on: ubuntu-latest # assumes default RUNNER_ARCH for linux is X64
+    runs-on: ubuntu-latest-large # assumes default RUNNER_ARCH for linux is X64
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Run action with scannerBinariesUrl
@ -119,9 +235,9 @@ jobs:
  scannerBinariesUrlIsEscapedWithWget:
    name: >
      'scannerBinariesUrl' is escaped with wget so special chars are not injected in the download command
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest-large
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Run action with scannerBinariesUrl
@ -140,9 +256,9 @@ jobs:
  scannerBinariesUrlIsEscapedWithCurl:
    name: >
      'scannerBinariesUrl' is escaped with curl so special chars are not injected in the download command
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest-large
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Remove wget
@ -169,9 +285,9 @@ jobs:
  dontFailGradleTest:
    name: >
      Don't fail on Gradle project
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest-large
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Run action on Gradle project
@ -190,9 +306,9 @@ jobs:
  dontFailGradleKotlinTest:
    name: >
      Don't fail on Kotlin Gradle project
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest-large
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Run action on Kotlin Gradle project
@ -211,9 +327,9 @@ jobs:
  dontFailMavenTest:
    name: >
      Don't fail on Maven project
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest-large
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Run action on Maven project
@ -230,7 +346,7 @@ jobs:
        run: |
          ./test/assertFileExists ./output.properties
  runAnalysisTest:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest-large
    services:
      sonarqube:
        image: sonarqube:lts-community
@ -246,7 +362,7 @@ jobs:
          --health-timeout 5s
          --health-retries 10
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Run action on sample project
@ -265,10 +381,10 @@ jobs:
      'RUNNER_DEBUG' is used
    strategy:
      matrix:
-        os: [ ubuntu-latest, windows-latest, macos-latest ]
+        os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
    runs-on: ${{ matrix.os }}
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Run action with debug mode
@ -283,7 +399,7 @@ jobs:
        run: |
          ./test/assertFileContains ./output.properties "sonar.verbose=true"
  runAnalysisWithCacheTest:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest-large
    services:
      sonarqube:
        image: sonarqube:lts-community
@ -299,7 +415,7 @@ jobs:
          --health-timeout 5s
          --health-retries 10
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: SonarQube Cache
@ -324,10 +440,10 @@ jobs:
      'SONARCLOUD_URL' is used
    strategy:
      matrix:
-        os: [ ubuntu-latest, windows-latest, macos-latest ]
+        os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
    runs-on: ${{ matrix.os }}
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Run action with SONARCLOUD_URL
@ -343,9 +459,9 @@ jobs:
          ./test/assertFileContains ./output.properties "sonar.scanner.sonarcloudUrl=mirror.sonarcloud.io" 
  dontFailWhenMissingWgetButCurlAvailable:
    name: Don't fail when missing wget but curl available
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest-large
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Remove wget
@ -369,9 +485,9 @@ jobs:
          ./test/assertFileExists ./output.properties
  dontFailWhenMissingCurlButWgetAvailable:
    name: Don't fail when missing curl but wget available
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest-large
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Remove curl
@ -396,9 +512,9 @@ jobs:
          ./test/assertFileExists ./output.properties
  failWhenBothWgetAndCurlMissing:
    name: Fail when both wget and curl are missing
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest-large
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Remove wget and curl
@ -429,9 +545,9 @@ jobs:
  curlPerformsRedirect:
    name: >
      curl performs redirect when scannerBinariesUrl returns 3xx
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest-large
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Remove wget
@ -463,10 +579,10 @@ jobs:
      'SONAR_ROOT_CERT' is converted to truststore
    strategy:
      matrix:
-        os: [ ubuntu-latest, windows-latest, macos-latest ]
+        os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
    runs-on: ${{ matrix.os }}
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Run action with SSL certificate
@ -515,9 +631,9 @@ jobs:
  analysisWithSslCertificate:
    name: >
      Analysis takes into account 'SONAR_ROOT_CERT'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest-large
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Generate server certificate
@ -623,9 +739,9 @@ jobs:
  overridesScannerLocalFolderWhenPresent: # can happen in uncleaned self-hosted runners
    name: >
      'SCANNER_LOCAL_FOLDER' is cleaned with warning when present
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest-large
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Create a dummy SCANNER_LOCAL_FOLDER with dummy content in it
@ -657,9 +773,9 @@ jobs:
  updateTruststoreWhenPresent: # can happen in uncleaned self-hosted runners
    name: >
      truststore.p12 is updated when present
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest-large
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Create SONAR_SSL_FOLDER with a file in it (not-truststore.p12)
@ -783,3 +899,26 @@ jobs:
          [ -f "$SONAR_SSL_FOLDER/truststore.p12" ] || exit 1
          TRUSTSTORE_P12_MOD_TIME_T3=$(stat -c %Y "$SONAR_SSL_FOLDER/truststore.p12")
          [ "$TRUSTSTORE_P12_MOD_TIME_T2" != "$TRUSTSTORE_P12_MOD_TIME_T3" ] || exit 1
  scannerVersionValidationTest:
    name: >
      'scannerVersion' input validation
    runs-on: ubuntu-latest-large
    steps:
      - uses: actions/checkout@v5
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Run action with invalid scannerVersion
        id: invalid_version
        uses: ./
        continue-on-error: true
        with:
          scannerVersion: "7.1.0-SNAPSHOT"
          args: -Dsonar.scanner.internal.dumpToFile=./output.properties
        env:
          NO_CACHE: true
          SONAR_HOST_URL: http://not_actually_used
      - name: Assert failure of previous step
        if: steps.invalid_version.outcome == 'success'
        run: |
          echo "Action with invalid scannerVersion should have failed but succeeded"
          exit 1
--- a/.github/workflows/qa-scripts.yml
+++ b/.github/workflows/qa-scripts.yml
@ -10,9 +10,9 @@ on:
 jobs:
  create-install-dir-test:
    name: create_install_path.sh
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest-large
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
        with:
          fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
@ -107,7 +107,7 @@ jobs:
          grep "=== Script failed ===" output
  setup-script-test:
    name: configure_paths.sh
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest-large
    env:
      INSTALL_PATH: 'install-directory'
      SONAR_HOST_URL: 'http://sonar-host.com'
@ -123,7 +123,7 @@ jobs:
      SONAR_SCANNER_URL_MACOSX_AARCH64: 'https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-vX.Y.Z.MMMM-macosx-aarch64.zip'
      SONAR_SCANNER_SHA_MACOSX_AARCH64: 'DOWNLOAD-SHA-MACOSX-AARCH64'
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
        with:
          fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
@ -250,9 +250,9 @@ jobs:
          grep "=== Script failed ===" output
  download-script-test:
    name: download.sh
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest-large
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
        with:
          fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
@ -319,9 +319,9 @@ jobs:
          grep "=== Script failed ===" output
  fetch-latest-version-test:
    name: fetch_latest_version.sh
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest-large
    steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
        with:
          fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
      - name: Test script
--- a/.github/workflows/update-tags.yml
+++ b/.github/workflows/update-tags.yml
@ -7,16 +7,16 @@ on:
 jobs:
  generate:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest-large
    permissions:
      contents: write
    steps:
      - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
      - name: Parse semver
-        uses: madhead/semver-utils@v4
+        uses: madhead/semver-utils@36d1e0ed361bd7b4b77665de8093092eaeabe6ba # v4.3.0
        id: version
        with:
          version: ${{ github.ref_name }}
--- a/.github/workflows/version_update.yml
+++ b/.github/workflows/version_update.yml
@ -5,19 +5,17 @@ on:
    - cron: '15 10 * * *'
 jobs:
-  update-version:
+  check-version:
-    name: Prepare pull request for sonar-scanner version update
+    name: Check for sonar-scanner version update
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest-large
-    permissions:
+    outputs:
-      contents: write
+      should_update: ${{ steps.version-check.outputs.should_update }}
-      pull-requests: write
+      new-version: ${{ steps.latest-version.outputs.sonar-scanner-version }}
    steps:
      - run: sudo apt install -y jq
-      - run: sudo snap install yq
+      - uses: actions/checkout@v5
      - uses: actions/checkout@v4
        with:
          ref: master
          persist-credentials: true
          fetch-depth: 0
      - name: "Fetch currently used sonar-scanner version"
@ -25,25 +23,50 @@ jobs:
        shell: bash
        run: cat sonar-scanner-version >> $GITHUB_OUTPUT
-      - name: "Fetch lastest sonar-scanner version"
+      - name: "Fetch latest sonar-scanner version"
        id: latest-version
        shell: bash
        run: |
          ./scripts/fetch_latest_version.sh > sonar-scanner-version
          cat sonar-scanner-version >> $GITHUB_OUTPUT
-      - name: "Update default version"
+
-        if: steps.tagged-version.outputs.sonar-scanner-version != steps.latest-version.outputs.sonar-scanner-version
+      - name: "Determine if update is needed"
        id: version-check
        shell: bash
        env:
          NEW_VERSION: ${{ steps.latest-version.outputs.sonar-scanner-version }}
        run: |
-           yq -i '.inputs.scannerVersion.default = strenv(NEW_VERSION)' action.yml
+          if [[ "${{ steps.tagged-version.outputs.sonar-scanner-version }}" != "${{ steps.latest-version.outputs.sonar-scanner-version }}" ]]; then
-      - name: "Create Pull Request for version update"
+            echo "should_update=true" >> $GITHUB_OUTPUT
-        if: steps.tagged-version.outputs.sonar-scanner-version != steps.latest-version.outputs.sonar-scanner-version
+          else
            echo "should_update=false" >> $GITHUB_OUTPUT
          fi
  update-version:
    name: Prepare pull request for sonar-scanner version update
    needs: check-version
    runs-on: ubuntu-latest-large
    permissions:
      contents: write
      pull-requests: write
    if: needs.check-version.outputs.should_update == 'true'
    steps:
      - uses: actions/checkout@v5
        with:
          ref: master
          persist-credentials: true
          fetch-depth: 0
      - run: sudo snap install yq
      - name: "Update default version"
        shell: bash
        env:
-          UPDATE_BRANCH: update-to-sonar-scanner-${{ steps.latest-version.outputs.sonar-scanner-version }}
+          NEW_VERSION: ${{ needs.check-version.outputs.new-version }}
-          TITLE: "Update SonarScanner CLI to ${{ steps.latest-version.outputs.sonar-scanner-version }}"
+        run: |
          yq -i '.inputs.scannerVersion.default = strenv(NEW_VERSION)' action.yml
          ./scripts/fetch_latest_version.sh > sonar-scanner-version
      - name: "Create Pull Request for version update"
        shell: bash
        env:
          UPDATE_BRANCH: update-to-sonar-scanner-${{ needs.check-version.outputs.new-version }}
          TITLE: "Update SonarScanner CLI to ${{ needs.check-version.outputs.new-version }}"
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          git config --global user.name "SonarTech"
@ -56,5 +79,5 @@ jobs:
          gh pr list
          if [[ $(gh pr list -H "${UPDATE_BRANCH}" | grep "${UPDATE_BRANCH}" | wc -l) -eq 0 ]]; then
-            gh pr create -B master -H ${UPDATE_BRANCH} --title "${TITLE}" --body "Automatic updated of sonar-scanner version value. Needs to be tagged for release."
+            gh pr create -B master -H ${UPDATE_BRANCH} --title "${TITLE}" --body "Automatic update of the sonar-scanner version value. Be sure to trigger the QA workflow by closing and reopening this PR (see https://github.com/orgs/community/discussions/65321)."
          fi
--- a/README.md
+++ b/README.md
@ -1,330 +1,14 @@
-# Scan your code with SonarQube [![QA Main](https://github.com/SonarSource/sonarqube-scan-action/actions/workflows/qa-main.yml/badge.svg)](https://github.com/SonarSource/sonarqube-scan-action/actions/workflows/qa-main.yml) [![QA Install Build Wrapper](https://github.com/SonarSource/sonarqube-scan-action/actions/workflows/qa-install-build-wrapper.yml/badge.svg)](https://github.com/SonarSource/sonarqube-scan-action/actions/workflows/qa-install-build-wrapper.yml) [![QA Scripts](https://github.com/SonarSource/sonarqube-scan-action/actions/workflows/qa-scripts.yml/badge.svg)](https://github.com/SonarSource/sonarqube-scan-action/actions/workflows/qa-scripts.yml) [![QA Deprecated C and C++ Action](https://github.com/SonarSource/sonarqube-scan-action/actions/workflows/qa-deprecated-c-cpp.yml/badge.svg)](https://github.com/SonarSource/sonarqube-scan-action/actions/workflows/qa-deprecated-c-cpp.yml)
+# Disclaimer
 This is a Zendesk maintained repository cloned from [SonarSource/sonarqube-scan-action](https://github.com/SonarSource/sonarqube-scan-action). This repository is not updated from upstreame master breanch, instead it is updated from the latest tag from the SonarSource/sonarqube-scan-action.
-This SonarSource project, available as a GitHub Action, scans your projects with SonarQube [Server](https://www.sonarsource.com/products/sonarqube/) or [Cloud](https://www.sonarsource.com/products/sonarcloud/).
+# Recommended Use within Zendesk
-
+It is exepected that the Zendesk teams to use `sonarqube-scan-action` like below:
-<picture>
+```
-  <source media="(prefers-color-scheme: dark)" srcset="./images/SQ_Logo_Server_Cloud_Dark_Backgrounds.png">
+ - name: SonarQube Scan
-  <img alt="SonarQube Logo" src="./images/SQ_Logo_Server_Cloud_Light_Backgrounds.png">
+        uses: zendesk/sonarqube-scan-action@master
-</picture>
+        env:
-
+          SONAR_TOKEN: ${{ secrets.SONARQUBE_TOKEN }}
-SonarQube [Server](https://www.sonarsource.com/products/sonarqube/) and [Cloud](https://www.sonarsource.com/products/sonarcloud/) (formerly SonarQube and SonarCloud) is a widely used static analysis solution for continuous code quality and security inspection.
+          SONAR_HOST_URL: ${{ secrets.SONARQUBE_HOST }}
 It helps developers detect coding issues in 30+ languages, frameworks, and IaC platforms, including Java, JavaScript, TypeScript, C#, Python, C, C++, and [many more](https://www.sonarsource.com/knowledge/languages/).
 The solution also provides fix recommendations leveraging AI with Sonar's AI CodeFix capability.
 > [!NOTE]  
 > This action now supports and is the official entrypoint for scanning C, C++, Objective-C and Dart projects via GitHub actions.
 ## Requirements
 ### Server
 To run an analysis on your code, you first need to set up your project on SonarQube Server. Your SonarQube Server instance must be accessible from GitHub, and you will need an access token to run the analysis (more information below under **Environment variables**).
 Read more information on how to analyze your code [here](https://docs.sonarsource.com/sonarqube-server/latest/devops-platform-integration/github-integration/introduction/).
 ### Cloud
 * Create your account on SonarQube Cloud. [Sign up for free](https://www.sonarsource.com/products/sonarcloud/signup/?utm_medium=referral&utm_source=github&utm_campaign=sc-signup&utm_content=signup-sonarcloud-listing-x-x&utm_term=ww-psp-x) now if it's not already the case!
 * The repository to analyze is set up on SonarQube Cloud. [Set it up](https://sonarcloud.io/projects/create) in just one click.
 ## Usage
 Project metadata, including the location of the sources to be analyzed, must be declared in the file `sonar-project.properties` in the base directory:
 ### Server
 ```properties
 sonar.projectKey=<replace with the key generated when setting up the project on SonarQube Server>
 # relative paths to source directories. More details and properties are described
 # at https://docs.sonarsource.com/sonarqube-server/latest/project-administration/analysis-scope/ 
 sonar.sources=.
 ```
-In the following cases:
+For details check upstream [README.md](https://github.com/SonarSource/sonarqube-scan-action/blob/master/README.md)
 - for projects that don't have C, C++, or Objective-C in them
 - for C, C++, Objective-C projects that don't use [Build Wrapper](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/languages/c-family/prerequisites/#using-buildwrapper)
 the workflow, usually declared under `.github/workflows`, looks like the following:
 ```yaml
 on:
  # Trigger analysis when pushing to your main branches, and when creating a pull request.
  push:
    branches:
      - main
      - master
      - develop
      - 'releases/**'
  pull_request:
      types: [opened, synchronize, reopened]
 name: Main Workflow
 jobs:
  sonarqube:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
      with:
        # Disabling shallow clones is recommended for improving the relevancy of reporting
        fetch-depth: 0
    - name: SonarQube Scan
      uses: SonarSource/sonarqube-scan-action@<action version> # Ex: v4.1.0, See the latest version at https://github.com/marketplace/actions/official-sonarqube-scan
      env:
        SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        SONAR_HOST_URL: ${{ vars.SONAR_HOST_URL }}
 ```
 For C, C++, and Objective-C projects relying on [Build Wrapper](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/languages/c-family/prerequisites/#using-buildwrapper) to generate the compilation database, the workflow requires additional steps to download the Build Wrapper and invoke it:
 ```yaml
 # Trigger analysis when pushing to your main branches, and when creating a pull request.
  push:
    branches:
      - main
      - master
      - develop
      - 'releases/**'
  pull_request:
      types: [opened, synchronize, reopened]
 name: Main Workflow
 jobs:
  sonarqube:
    runs-on: ubuntu-latest
    env:
      BUILD_WRAPPER_OUT_DIR: build_wrapper_output_directory # Directory where build-wrapper output will be placed
    steps:
    - uses: actions/checkout@v4
      with:
        # Disabling shallow clone is recommended for improving relevancy of reporting
        fetch-depth: 0
    - name: Install Build Wrapper
      uses: SonarSource/sonarqube-scan-action/install-build-wrapper@<action version>
      env:
        SONAR_HOST_URL: ${{ vars.SONAR_HOST_URL }}
    - name: Run Build Wrapper
      run: |
        # Here goes your compilation wrapped with Build Wrapper
        # For more information, see https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/languages/c-family/prerequisites/#using-buildwrapper
        # build-preparation steps
        # build-wrapper-linux-x86-64 --out-dir ${{ env.BUILD_WRAPPER_OUT_DIR }} build-command
    - name: SonarQube Scan
      uses: SonarSource/sonarqube-scan-action@<action version>
      env:
        SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        SONAR_HOST_URL: ${{ vars.SONAR_HOST_URL }}
        SONAR_ROOT_CERT: ${{ secrets.SONAR_ROOT_CERT }}
      with:
        # Consult https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/scanners/sonarscanner/ for more information and options
        args: >
          --define sonar.cfamily.compile-commands="${{ env.BUILD_WRAPPER_OUT_DIR }}/compile_commands.json" 
 ```
 If you are using SonarQube Server 10.5 or earlier, use `sonar.cfamily.build-wrapper-output` instead of `sonar.cfamily.compile-commands` in the `args` property of the last step, as Build Wrapper does not generate a `compile_commands.json` file before SonarQube Server 10.6.
 It should look like this:
 ```yaml
 with:  
  args: >
    --define sonar.cfamily.build-wrapper-output="${{ env.BUILD_WRAPPER_OUT_DIR }}"
 ```
 See also [example configurations of C++ projects for SonarQube Server](https://github.com/search?q=org%3Asonarsource-cfamily-examples+gh-actions-sq&type=repositories).
 ### Cloud
 ```properties
 sonar.organization=<replace with your SonarQube Cloud organization key>
 sonar.projectKey=<replace with the key generated when setting up the project on SonarQube Cloud>
 # relative paths to source directories. More details and properties are described
 # at https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/analysis-scope/
 sonar.sources=.
 ```
 In the following cases:
 - for projects that don't have C, C++, or Objective-C in them
 - for C, C++, Objective-C projects that don't use [Build Wrapper](https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/languages/c-family/prerequisites/#using-build-wrapper)
 the workflow, usually declared under `.github/workflows`, looks like the following:
 ```yaml
 on:
  # Trigger analysis when pushing to your main branches, and when creating a pull request.
  push:
    branches:
      - main
      - master
      - develop
      - 'releases/**'
  pull_request:
      types: [opened, synchronize, reopened]
 name: Main Workflow
 jobs:
  sonarqube:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
      with:
        # Disabling shallow clones is recommended for improving the relevancy of reporting
        fetch-depth: 0
    - name: SonarQube Scan
      uses: SonarSource/sonarqube-scan-action@<action version> # Ex: v4.1.0, See the latest version at https://github.com/marketplace/actions/official-sonarqube-scan
      env:
        SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
 ```
 For C, C++, and Objective-C projects relying on [Build Wrapper](https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/languages/c-family/prerequisites/#using-build-wrapper) to generate the compilation database, the workflow requires additional steps to download the Build Wrapper and invoke it:
 ```yaml
 # Trigger analysis when pushing to your main branches, and when creating a pull request.
  push:
    branches:
      - main
      - master
      - develop
      - 'releases/**'
  pull_request:
      types: [opened, synchronize, reopened]
 name: Main Workflow
 jobs:
  sonarqube:
    runs-on: ubuntu-latest
    env:
      BUILD_WRAPPER_OUT_DIR: build_wrapper_output_directory # Directory where build-wrapper output will be placed
    steps:
    - uses: actions/checkout@v4
      with:
        # Disabling shallow clone is recommended for improving relevancy of reporting
        fetch-depth: 0
    - name: Install Build Wrapper
      uses: SonarSource/sonarqube-scan-action/install-build-wrapper@<action version>
    - name: Run Build Wrapper
      run: |
        # Here goes your compilation wrapped with Build Wrapper
        # For more information, see https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/languages/c-family/prerequisites/#using-build-wrapper
        # build-preparation steps
        # build-wrapper-linux-x86-64 --out-dir ${{ env.BUILD_WRAPPER_OUT_DIR }} build-command
    - name: SonarQube Scan
      uses: SonarSource/sonarqube-scan-action@<action version>
      env:
        SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        SONAR_ROOT_CERT: ${{ secrets.SONAR_ROOT_CERT }}
      with:
        # Consult https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/scanners/sonarscanner/ for more information and options
        args: >
          --define sonar.cfamily.compile-commands="${{ env.BUILD_WRAPPER_OUT_DIR }}/compile_commands.json" 
 ```
 See also [example configurations of C++ projects for SonarQube Cloud](https://github.com/search?q=org%3Asonarsource-cfamily-examples+gh-actions-sc&type=repositories).
 ## Action parameters
 You can change the analysis base directory by using the optional input `projectBaseDir` like this:
 ```yaml
 - uses: SonarSource/sonarqube-scan-action@<action version>
  with:
    projectBaseDir: app/src
 ```
 In case you need to specify the version of the Sonar Scanner, you can use the `scannerVersion` option:
 ```yaml
 - uses: SonarSource/sonarqube-scan-action@<action version>
  with:
    scannerVersion: 6.2.0.4584
 ```
 In case you need to add additional analysis parameters, and you do not wish to set them in the `sonar-project.properties` file, you can use the `args` option:
 ```yaml
 - uses: SonarSource/sonarqube-scan-action@<action version>
  with:
    projectBaseDir: app/src
    args: >
      -Dsonar.organization=my-organization # For SonarQube Cloud only
      -Dsonar.projectKey=my-projectkey
      -Dsonar.python.coverage.reportPaths=coverage.xml
      -Dsonar.sources=lib/
      -Dsonar.tests=tests/
      -Dsonar.test.exclusions=tests/**
      -Dsonar.verbose=true
 ```
 You can also specify the URL where to retrieve the SonarScanner CLI from.
 The specified URL overrides the default address: `https://binaries.sonarsource.com/Distribution/sonar-scanner-cli`.
 This can be useful when the runner executing the action is self-hosted and has regulated or no access to the Internet:
 ```yaml
 - uses: SonarSource/sonarqube-scan-action@<action version>
  with:
    scannerBinariesUrl: https://my.custom.binaries.url.com/Distribution/sonar-scanner-cli/
 ```
 More information about possible analysis parameters can be found:
 * in the [Analysis parameters page](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/analysis-parameters/) of the SonarQube Server documentation
 * in the [Analysis parameters page](https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/analysis-parameters/) of the SonarQube Cloud documentation
 ### Environment variables
 - `SONAR_TOKEN` – **Required** this is the token used to authenticate access to SonarQube. You can read more about security tokens in the documentation of SonarQube [Server](https://docs.sonarsource.com/sonarqube-server/latest/user-guide/managing-tokens/) and [Cloud](https://docs.sonarsource.com/sonarqube-cloud/managing-your-account/managing-tokens/). You can set the `SONAR_TOKEN` environment variable in the "Secrets" settings page of your repository, or you can add them at the level of your GitHub organization (recommended).
 - `SONAR_HOST_URL` – this tells the scanner where SonarQube Server is hosted. You can set the `SONAR_HOST_URL` environment variable in the "Variables" settings page of your repository, or you can add them at the level of your GitHub organization (recommended). Not needed for SonarQube Cloud.
 - `SONAR_ROOT_CERT` – Holds an additional certificate (in PEM format) that is used to validate the certificate of SonarQube Server or of a secured proxy to SonarQube (Server or Cloud). You can set the `SONAR_ROOT_CERT` environment variable in the "Secrets" settings page of your repository, or you can add them at the level of your GitHub organization (recommended).
 Here is an example of how you can pass a certificate (in PEM format) to the Scanner truststore:
 ```yaml
 - uses: SonarSource/sonarqube-scan-action@<action version>
  env:
    SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
    SONAR_HOST_URL: ${{ vars.SONAR_HOST_URL }}
    SONAR_ROOT_CERT: ${{ secrets.SONAR_ROOT_CERT }}
 ```
 If your source code file names contain special characters that are not covered by the locale range of `en_US.UTF-8`, you can configure your desired locale like this:
 ```yaml
 - uses: SonarSource/sonarqube-scan-action@<action version>
  env:
    SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
    SONAR_HOST_URL: ${{ vars.SONAR_HOST_URL }} # or https://sonarcloud.io
    LC_ALL: "ru_RU.UTF-8"
 ```
 ## Alternatives for Java and .NET
 This GitHub Action will not work for all technologies. If you are in one of the following situations, you should use the following alternatives:
 * Your code is built with Maven. Read the documentation about our SonarScanner for Maven in SonarQube [Server](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/scanners/sonarscanner-for-maven/) and [Cloud](https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/ci-based-analysis/sonarscanner-for-maven/).
 * Your code is built with Gradle. Read the documentation about our SonarScanner for Gradle in SonarQube [Server](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/scanners/sonarscanner-for-gradle/) and [Cloud](https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/ci-based-analysis/sonarscanner-for-gradle/).
 * You want to analyze a .NET solution. Read the documentation about our SonarScanner for .NET in SonarQube [Server](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/scanners/dotnet/introduction/) and [Cloud](https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/ci-based-analysis/sonarscanner-for-dotnet/introduction/).
 ## Do not use this GitHub action if you are in the following situations
 * You want to run the action on C, C++, or Objective-C projects on a 32-bits system - build wrappers support only 64-bits OS.
 ## Self-hosted runner or container
 When running the action in a self-hosted runner or container, please ensure that the following programs are installed:
 * **curl** or **wget**
 * **unzip**
 ## Additional information
 The `sonarqube-scan-action/install-build-wrapper` action installs `coreutils` if run on macOS.
 ## Have questions or feedback?
 To provide feedback (requesting a feature or reporting a bug) please post on the SonarSource Community Forum page for SonarQube [Server](https://community.sonarsource.com/tags/c/help/sq/github-actions) or [Cloud](https://community.sonarsource.com/tags/c/help/sc/9/github-actions).
 ## License
 Container images built with this project include third-party materials.
--- a/action.yml
+++ b/action.yml
@ -17,7 +17,7 @@ inputs:
    description: Version of the Sonar Scanner CLI to use
    required: false
    # to be kept in sync with sonar-scanner-version
-    default: 7.1.0.4889
+    default: 7.2.0.5079
  scannerBinariesUrl:
    description: URL to download the Sonar Scanner CLI binaries from
    required: false
@ -30,9 +30,10 @@ runs:
      shell: bash
      env:
        INPUT_PROJECTBASEDIR: ${{ inputs.projectBaseDir }}
        INPUT_SCANNERVERSION: ${{ inputs.scannerVersion }}
    - name: Load Sonar Scanner CLI from cache
      id: sonar-scanner-cli
-      uses: actions/cache@v4
+      uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 #v4.2.4
      env:
        # The default value is 60mins. Reaching timeout is treated the same as a cache miss.
        SEGMENT_DOWNLOAD_TIMEOUT_MINS: 1
@ -50,8 +51,9 @@ runs:
      run: echo "${RUNNER_TEMP}/sonar-scanner-cli-${{ inputs.scannerVersion }}-${{ runner.os }}-${{ runner.arch }}/bin" >> $GITHUB_PATH
      shell: bash
    - name: Run SonarScanner
-      run: ${GITHUB_ACTION_PATH}/scripts/run-sonar-scanner-cli.sh ${{ inputs.args }}
+      run: ${GITHUB_ACTION_PATH}/scripts/run-sonar-scanner.sh
      shell: bash
      env:
        INPUT_ARGS: ${{ inputs.args }}
        INPUT_PROJECTBASEDIR: ${{ inputs.projectBaseDir }}
        SONAR_SCANNER_JRE: ${{ runner.temp }}/sonar-scanner-cli-${{ inputs.scannerVersion }}-${{ runner.os }}-${{ runner.arch }}/jre
--- a/scripts/cert.sh
+++ b/scripts/cert.sh
@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 if [[ -n "${SONAR_ROOT_CERT}" ]]; then
  echo "Adding custom root certificate to java certificate store"
--- a/scripts/configure_paths.sh
+++ b/scripts/configure_paths.sh
@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 if [[ ${ARCH} != "X64" && ! (${ARCH} == "ARM64" && (${OS} == "macOS" || ${OS} == "Linux")) ]]; then
  echo "::error::Architecture '${ARCH}' is unsupported by build-wrapper"
--- a/scripts/create_install_path.sh
+++ b/scripts/create_install_path.sh
@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 source "$(dirname -- "$0")/utils.sh"
--- a/scripts/download.sh
+++ b/scripts/download.sh
@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 source "$(dirname -- "$0")/utils.sh"
@ -28,7 +28,7 @@ parse_arguments() {
 }
 verify_download_correctness() {
-  echo "${EXPECTED_SHA} ${TMP_ZIP_PATH}" | sha256sum -c
+  echo "${EXPECTED_SHA} ${TMP_ZIP_PATH}" | sha256sum -c -
  check_status "Checking sha256 failed"
 }
--- a/scripts/fetch_latest_version.sh
+++ b/scripts/fetch_latest_version.sh
@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 source "$(dirname -- "$0")/utils.sh"
--- a/scripts/install-sonar-scanner-cli.sh
+++ b/scripts/install-sonar-scanner-cli.sh
@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 set -eou pipefail
--- a/scripts/run-sonar-scanner-cli.sh
+++ b/scripts/run-sonar-scanner-cli.sh
@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 set -eo pipefail
@ -73,9 +73,19 @@ if [[ -n "${SONAR_ROOT_CERT}" ]]; then
  scanner_args+=("-Dsonar.scanner.truststorePassword=$SONAR_SSL_TRUSTSTORE_PASSWORD")
 fi
-scanner_args+=("$@")
+# split input args correctly (passed through INPUT_ARGS env var to avoid execution of injected command)
 args=()
 if [[ -n "${INPUT_ARGS}" ]]; then
 #  the regex recognizes args with values in single or double quotes (without character escaping), and args without quotes as well
 #  more specifically, the following patterns: -Darg="value", -Darg='value', -Darg=value, "-Darg=value" and '-Darg=value'
  IFS=$'\n'; args=($(echo ${INPUT_ARGS} | egrep -o '[^" '\'']+="[^"]*"|[^" '\'']+='\''[^'\'']*'\''|[^" '\'']+|"[^"]+"|'\''[^'\'']+'\'''))
 fi
 for arg in "${args[@]}"; do
  scanner_args+=("$arg")
 done
 set -ux
-$SCANNER_BIN "${scanner_args[@]}"
+$SCANNER_BIN ${scanner_args[@]+"${scanner_args[@]}"}
--- a/scripts/run-sonar-scanner.sh
+++ b/scripts/run-sonar-scanner.sh
@ -0,0 +1,6 @@
 #!/usr/bin/env bash
 set -euo pipefail
 # run the sonar scanner cli
 cmd=(${GITHUB_ACTION_PATH}/scripts/run-sonar-scanner-cli.sh "${INPUT_ARGS}")
 "${cmd[@]}"
--- a/scripts/sanity-checks.sh
+++ b/scripts/sanity-checks.sh
@ -1,7 +1,12 @@
-#!/bin/bash
+#!/usr/bin/env bash
 set -eo pipefail
 if [[ ! "${INPUT_SCANNERVERSION}" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
  echo "::error title=SonarScanner::Invalid scannerVersion format. Expected format: x.y.z.w (e.g., 7.1.0.4889)"
  exit 1
 fi
 if [[ -z "${SONAR_TOKEN}" ]]; then
  echo "::warning title=SonarScanner::Running this GitHub Action without SONAR_TOKEN is not recommended"
 fi
--- a/scripts/utils.sh
+++ b/scripts/utils.sh
@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 check_status() {
  exit_status=$?
--- a/22
+++ b/22
@ -1,11 +1,11 @@
-sonar-scanner-version=7.1.0.4889
+sonar-scanner-version=7.2.0.5079
-sonar-scanner-url-windows-x64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-7.1.0.4889-windows-x64.zip
+sonar-scanner-url-windows-x64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-7.2.0.5079-windows-x64.zip
-sonar-scanner-sha-windows-x64=64c5154d3d924eb2e03386f10eecb3ec4132298e2c1bf0b60a0d0195cd51a555
+sonar-scanner-sha-windows-x64=71936f352206b63cb05ffbcd68e366e52d22916148cf4a2418789bc776f733ea
-sonar-scanner-url-linux-x64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-7.1.0.4889-linux-x64.zip
+sonar-scanner-url-linux-x64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-7.2.0.5079-linux-x64.zip
-sonar-scanner-sha-linux-x64=b4d2a001d65b489f9effe1ea8a78495db1b152f124d7f7b058aad8651c7e1484
+sonar-scanner-sha-linux-x64=da9f4e64a3d555f08ce38b5469ebd91fe2b311af473f7001a5ee5c1fd58b004b
-sonar-scanner-url-linux-aarch64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-7.1.0.4889-linux-aarch64.zip
+sonar-scanner-url-linux-aarch64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-7.2.0.5079-linux-aarch64.zip
-sonar-scanner-sha-linux-aarch64=7948ccde77843829b87d41815ead669486f681cd38b0b0893006083a9b6f6b5c
+sonar-scanner-sha-linux-aarch64=803ca725d463e95eeb7537515706367bb8e52bf05ac32174daf9773bdb36d1e2
-sonar-scanner-url-macosx-x64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-7.1.0.4889-macosx-x64.zip
+sonar-scanner-url-macosx-x64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-7.2.0.5079-macosx-x64.zip
-sonar-scanner-sha-macosx-x64=08ad1e75994d91a17016ce55248d0827b62a757b263917234ea2d89bee8f136d
+sonar-scanner-sha-macosx-x64=7b9e92248ca740fff41503bfe5459c460bac43c501d80043cc4fbebb72dfc5fa
-sonar-scanner-url-macosx-aarch64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-7.1.0.4889-macosx-aarch64.zip
+sonar-scanner-url-macosx-aarch64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-7.2.0.5079-macosx-aarch64.zip
-sonar-scanner-sha-macosx-aarch64=9ad8c5da9e9665c065328b86adb3f33ef43801347ecb3ff1ec27d598ac37b449
+sonar-scanner-sha-macosx-aarch64=c8adb3fbfe5485c17de193a217be765b66cbc10d6540057655afa3c3b5be6f61
--- a/test/assertFileContains
+++ b/test/assertFileContains
@ -1,10 +1,14 @@
-#!/bin/bash
+#!/usr/bin/env bash
 set -eou pipefail
 error() { echo -e "\\e[31m✗ $*\\e[0m"; }
-assertFileExists $1
+scriptDir=$(dirname -- "$(readlink -f -- "${BASH_SOURCE[0]}")")
-if ! grep -q $2 $1; then
+$scriptDir/assertFileExists "$1"
 if ! grep -q "$2" "$1"; then
  error "'$2' not found in '$1'"
  exit 1
 fi
--- a/test/assertFileDoesntExist
+++ b/test/assertFileDoesntExist
@ -1,8 +1,10 @@
-#!/bin/bash
+#!/usr/bin/env bash
 set -eou pipefail
 error() { echo -e "\\e[31m✗ $*\\e[0m"; }
-if [ -f $1 ]; then
+if [ -f "$1" ]; then
  error "File '$1' found"
  exit 1
 fi
--- a/test/assertFileExists
+++ b/test/assertFileExists
@ -1,8 +1,10 @@
-#!/bin/bash
+#!/usr/bin/env bash
 set -eou pipefail
 error() { echo -e "\\e[31m✗ $*\\e[0m"; }
-if [ ! -f $1 ]; then
+if [ ! -f "$1" ]; then
  error "File '$1' not found"
  exit 1
 fi
`@ -1 +1 @@`
	`.github/CODEOWNERS @sonarsource/orchestration-processing-squad`	`.github/* @sonarsource/orchestration-processing-squad`
`@ -1,4 +1,4 @@`
	`#!/bin/bash`	`#!/usr/bin/env bash`

	`source "$(dirname -- "$0")/utils.sh"`	`source "$(dirname -- "$0")/utils.sh"`