actions/sonarqube-scan-action
2
0
Fork 0
mirror of https://github.com/SonarSource/sonarqube-scan-action.git synced 2025-12-12 17:31:15 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Issue PET-9252: Uodated the code from tag v5.3.1

Browse source
This commit is contained in:
Abhijeet Ghosh 2025-09-04 12:47:22 +05:30
parent 3e30ce1f41
commit f07a348728
27 changed files with 323 additions and 446 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
.github/CODEOWNERS vendored
View file

@ -1 +1 @@
.github/CODEOWNERS @sonarsource/orchestration-processing-squad
.github/* @sonarsource/orchestration-processing-squad

2
.github/workflows/PullRequestClosed.yml vendored
View file

@ -7,7 +7,7 @@ on:
jobs:
PullRequestClosed_job:
name: Pull Request Closed
runs-on: ubuntu-latest
runs-on: ubuntu-latest-large
permissions:
id-token: write
pull-requests: read

2
.github/workflows/PullRequestCreated.yml vendored
View file

@ -7,7 +7,7 @@ on:
jobs:
PullRequestCreated_job:
name: Pull Request Created
runs-on: ubuntu-latest
runs-on: ubuntu-latest-large
permissions:
id-token: write
# For external PR, ticket should be created manually

2
.github/workflows/RequestReview.yml vendored
View file

@ -7,7 +7,7 @@ on:
jobs:
RequestReview_job:
name: Request review
runs-on: ubuntu-latest
runs-on: ubuntu-latest-large
permissions:
id-token: write
# For external PR, ticket should be moved manually

2
.github/workflows/SubmitReview.yml vendored
View file

@ -7,7 +7,7 @@ on:
jobs:
SubmitReview_job:
name: Submit Review
runs-on: ubuntu-latest
runs-on: ubuntu-latest-large
permissions:
id-token: write
pull-requests: read

4
.github/workflows/qa-deprecated-c-cpp.yml vendored
View file

@ -12,7 +12,7 @@ jobs:
name: Action outputs
strategy:
matrix:
os: [ubuntu-latest, windows-latest, macos-latest, macos-13]
os: [ubuntu-latest-large, windows-latest-large, macos-latest, macos-13]
cache: [true, false]
include:
- arch: X64
@ -31,7 +31,7 @@ jobs:
exit 1
fi
- uses: actions/checkout@v4
- uses: actions/checkout@v5
with:
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis

4
.github/workflows/qa-install-build-wrapper.yml vendored
View file

@ -12,7 +12,7 @@ jobs:
name: Action outputs
strategy:
matrix:
os: [ubuntu-latest, windows-latest, macos-latest, macos-13]
os: [ubuntu-latest-large, windows-latest-large, macos-latest, macos-13]
cache: [true, false]
include:
- arch: X64
@ -31,7 +31,7 @@ jobs:
exit 1
fi
- uses: actions/checkout@v4
- uses: actions/checkout@v5
with:
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis

231
.github/workflows/qa-main.yml vendored
View file

@ -11,12 +11,15 @@ jobs:
noInputsTest:
name: >
No inputs
runs-on: ubuntu-latest
strategy:
matrix:
os: [ ubuntu-latest-large, macos-latest ]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action with args
- name: Run action without args
uses: ./
env:
SONAR_HOST_URL: http://not_actually_used
@ -29,31 +32,144 @@ jobs:
'args' input
strategy:
matrix:
os: [ ubuntu-latest, windows-latest, macos-latest ]
os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action with args
uses: ./
with:
args: -Dsonar.someArg=aValue -Dsonar.scanner.internal.dumpToFile=./output.properties
args: -Dsonar.someArg=aValue -Dsonar.anotherArgWithSpaces="Another Value" -Dsonar.argWithSingleQuotes='Another Value'
env:
SONAR_HOST_URL: http://not_actually_used
SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'
- name: Assert
run: |
./test/assertFileContains ./output.properties "sonar.someArg=aValue"
./test/assertFileContains ./output.properties 'sonar.anotherArgWithSpaces="Another Value"'
./test/assertFileContains ./output.properties "sonar.argWithSingleQuotes='Another Value'"
argsInputInjectionTest:
name: >
'args' input with command injection will fail
strategy:
matrix:
os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
args: [ -Dsonar.someArg=aValue && echo "Injection", -Dsonar.someArg="value\"; whoami; echo \"" ]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action with args
uses: ./
continue-on-error: true
with:
args: ${{ matrix.args }}
env:
SONAR_HOST_URL: http://not_actually_used
SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'
- name: Fail if action succeeded
if: steps.runTest.outcome == 'success'
run: exit 1
- name: Assert the scanner was not called
run: |
./test/assertFileDoesntExist ./output.properties
backtickCommandInjectionTest:
name: >
'args' input with backticks injection does not execute command
strategy:
matrix:
os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action with args
uses: ./
continue-on-error: true
with:
args: >
-Dsonar.arg1="refs/heads/branch: [workflows] Bump `actions/*`" -Dsonar.arg2="test `echo Command Injection`" -Dsonar.arg3="`id`" -Dsonar.arg4="test'; `echo injection`; echo '" -Dsonar.arg5=" `whoami` " -Dsonar.arg6="test\`echo injection\`test"
env:
SONAR_HOST_URL: http://not_actually_used
SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'
- name: Assert command in arg is not executed
run: |
./test/assertFileContains ./output.properties 'sonar.arg1="refs/heads/branch\\: \[workflows\] Bump `actions/\*`"'
./test/assertFileContains ./output.properties 'sonar.arg2="test `echo Command Injection`"'
./test/assertFileContains ./output.properties 'sonar.arg3="`id`"'
./test/assertFileContains ./output.properties "sonar.arg4=\"test'; \`echo injection\`; echo '\""
./test/assertFileContains ./output.properties 'sonar.arg5=" `whoami` "'
./test/assertFileContains ./output.properties 'sonar.arg6="test\\\\`echo injection\\\\`test"'
dollarSymbolCommandInjectionTest:
name: >
'args' input with dollar command injection does not execute command
strategy:
matrix:
os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action with args
uses: ./
continue-on-error: true
with:
args: -Dsonar.arg1="$(whoami)" -Dsonar.arg2="$GITHUB_TOKEN" -Dsonar.arg3="$(echo outer $(echo inner))" -Dsonar.arg4="value\$(whoami)end" -Dsonar.arg5="$(printf 'A%.0s' {1..10000})" -Dsonar.arg6='value"; $(whoami); echo "'
env:
SONAR_HOST_URL: http://not_actually_used
SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'
- name: Assert command in arg is not executed
run: |
./test/assertFileContains ./output.properties 'sonar.arg1="$(whoami)"'
./test/assertFileContains ./output.properties 'sonar.arg2="$GITHUB_TOKEN"'
./test/assertFileContains ./output.properties 'sonar.arg3="$(echo outer $(echo inner))"'
./test/assertFileContains ./output.properties 'sonar.arg4="value\\\\$(whoami)end"'
./test/assertFileContains ./output.properties 'sonar.arg5="$(printf '\''A%.0s'\'' {1..10000})"'
./test/assertFileContains ./output.properties 'sonar.arg6='\''value"; $(whoami); echo "'\'''
otherCommandInjectionVariantsTest:
name: >
'args' input with other command injection variants does not execute command
strategy:
matrix:
os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action with args
uses: ./
continue-on-error: true
with:
args: -Dsonar.arg1="test | base64" -Dsonar.arg2="value; whoami" -Dsonar.arg3="value && echo test" -Dsonar.arg4="value > /tmp/output.txt" -Dsonar.arg5="< /etc/passwd" -Dsonar.arg6="" -Dsonar.arg7="../../../*" -Dsonar.arg8="*.key" -Dsonar.arg9="test\u0027\u0060whoami\u0060"
env:
SONAR_HOST_URL: http://not_actually_used
SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'
- name: Assert command in arg is not executed
run: |
./test/assertFileContains ./output.properties 'sonar.arg1="test | base64"'
./test/assertFileContains ./output.properties 'sonar.arg2="value; whoami"'
./test/assertFileContains ./output.properties 'sonar.arg3="value && echo test"'
./test/assertFileContains ./output.properties 'sonar.arg4="value > /tmp/output.txt"'
./test/assertFileContains ./output.properties 'sonar.arg5="< /etc/passwd"'
./test/assertFileContains ./output.properties 'sonar.arg6=""'
./test/assertFileContains ./output.properties 'sonar.arg7="../../../\*"'
./test/assertFileContains ./output.properties 'sonar.arg8="\*.key"'
./test/assertFileContains ./output.properties 'sonar.arg9="test\\\\u0027\\\\u0060whoami\\\\u0060"'
projectBaseDirInputTest:
name: >
'projectBaseDir' input
strategy:
matrix:
os: [ ubuntu-latest, windows-latest, macos-latest ]
os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
- run: mkdir -p ./baseDir
@ -71,9 +187,9 @@ jobs:
scannerVersionTest:
name: >
'scannerVersion' input
runs-on: ubuntu-latest # assumes default RUNNER_ARCH for linux is X64
runs-on: ubuntu-latest-large # assumes default RUNNER_ARCH for linux is X64
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action with scannerVersion
@ -91,9 +207,9 @@ jobs:
scannerBinariesUrlTest:
name: >
'scannerBinariesUrl' input with invalid URL
runs-on: ubuntu-latest # assumes default RUNNER_ARCH for linux is X64
runs-on: ubuntu-latest-large # assumes default RUNNER_ARCH for linux is X64
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action with scannerBinariesUrl
@ -119,9 +235,9 @@ jobs:
scannerBinariesUrlIsEscapedWithWget:
name: >
'scannerBinariesUrl' is escaped with wget so special chars are not injected in the download command
runs-on: ubuntu-latest
runs-on: ubuntu-latest-large
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action with scannerBinariesUrl
@ -140,9 +256,9 @@ jobs:
scannerBinariesUrlIsEscapedWithCurl:
name: >
'scannerBinariesUrl' is escaped with curl so special chars are not injected in the download command
runs-on: ubuntu-latest
runs-on: ubuntu-latest-large
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Remove wget
@ -169,9 +285,9 @@ jobs:
dontFailGradleTest:
name: >
Don't fail on Gradle project
runs-on: ubuntu-latest
runs-on: ubuntu-latest-large
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action on Gradle project
@ -190,9 +306,9 @@ jobs:
dontFailGradleKotlinTest:
name: >
Don't fail on Kotlin Gradle project
runs-on: ubuntu-latest
runs-on: ubuntu-latest-large
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action on Kotlin Gradle project
@ -211,9 +327,9 @@ jobs:
dontFailMavenTest:
name: >
Don't fail on Maven project
runs-on: ubuntu-latest
runs-on: ubuntu-latest-large
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action on Maven project
@ -230,7 +346,7 @@ jobs:
run: |
./test/assertFileExists ./output.properties
runAnalysisTest:
runs-on: ubuntu-latest
runs-on: ubuntu-latest-large
services:
sonarqube:
image: sonarqube:lts-community
@ -246,7 +362,7 @@ jobs:
--health-timeout 5s
--health-retries 10
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action on sample project
@ -265,10 +381,10 @@ jobs:
'RUNNER_DEBUG' is used
strategy:
matrix:
os: [ ubuntu-latest, windows-latest, macos-latest ]
os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action with debug mode
@ -283,7 +399,7 @@ jobs:
run: |
./test/assertFileContains ./output.properties "sonar.verbose=true"
runAnalysisWithCacheTest:
runs-on: ubuntu-latest
runs-on: ubuntu-latest-large
services:
sonarqube:
image: sonarqube:lts-community
@ -299,7 +415,7 @@ jobs:
--health-timeout 5s
--health-retries 10
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: SonarQube Cache
@ -324,10 +440,10 @@ jobs:
'SONARCLOUD_URL' is used
strategy:
matrix:
os: [ ubuntu-latest, windows-latest, macos-latest ]
os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action with SONARCLOUD_URL
@ -343,9 +459,9 @@ jobs:
./test/assertFileContains ./output.properties "sonar.scanner.sonarcloudUrl=mirror.sonarcloud.io"
dontFailWhenMissingWgetButCurlAvailable:
name: Don't fail when missing wget but curl available
runs-on: ubuntu-latest
runs-on: ubuntu-latest-large
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Remove wget
@ -369,9 +485,9 @@ jobs:
./test/assertFileExists ./output.properties
dontFailWhenMissingCurlButWgetAvailable:
name: Don't fail when missing curl but wget available
runs-on: ubuntu-latest
runs-on: ubuntu-latest-large
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Remove curl
@ -396,9 +512,9 @@ jobs:
./test/assertFileExists ./output.properties
failWhenBothWgetAndCurlMissing:
name: Fail when both wget and curl are missing
runs-on: ubuntu-latest
runs-on: ubuntu-latest-large
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Remove wget and curl
@ -429,9 +545,9 @@ jobs:
curlPerformsRedirect:
name: >
curl performs redirect when scannerBinariesUrl returns 3xx
runs-on: ubuntu-latest
runs-on: ubuntu-latest-large
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Remove wget
@ -463,10 +579,10 @@ jobs:
'SONAR_ROOT_CERT' is converted to truststore
strategy:
matrix:
os: [ ubuntu-latest, windows-latest, macos-latest ]
os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action with SSL certificate
@ -515,9 +631,9 @@ jobs:
analysisWithSslCertificate:
name: >
Analysis takes into account 'SONAR_ROOT_CERT'
runs-on: ubuntu-latest
runs-on: ubuntu-latest-large
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Generate server certificate
@ -623,9 +739,9 @@ jobs:
overridesScannerLocalFolderWhenPresent: # can happen in uncleaned self-hosted runners
name: >
'SCANNER_LOCAL_FOLDER' is cleaned with warning when present
runs-on: ubuntu-latest
runs-on: ubuntu-latest-large
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Create a dummy SCANNER_LOCAL_FOLDER with dummy content in it
@ -657,9 +773,9 @@ jobs:
updateTruststoreWhenPresent: # can happen in uncleaned self-hosted runners
name: >
truststore.p12 is updated when present
runs-on: ubuntu-latest
runs-on: ubuntu-latest-large
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Create SONAR_SSL_FOLDER with a file in it (not-truststore.p12)
@ -783,3 +899,26 @@ jobs:
[ -f "$SONAR_SSL_FOLDER/truststore.p12" ] || exit 1
TRUSTSTORE_P12_MOD_TIME_T3=$(stat -c %Y "$SONAR_SSL_FOLDER/truststore.p12")
[ "$TRUSTSTORE_P12_MOD_TIME_T2" != "$TRUSTSTORE_P12_MOD_TIME_T3" ] || exit 1
scannerVersionValidationTest:
name: >
'scannerVersion' input validation
runs-on: ubuntu-latest-large
steps:
- uses: actions/checkout@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action with invalid scannerVersion
id: invalid_version
uses: ./
continue-on-error: true
with:
scannerVersion: "7.1.0-SNAPSHOT"
args: -Dsonar.scanner.internal.dumpToFile=./output.properties
env:
NO_CACHE: true
SONAR_HOST_URL: http://not_actually_used
- name: Assert failure of previous step
if: steps.invalid_version.outcome == 'success'
run: |
echo "Action with invalid scannerVersion should have failed but succeeded"
exit 1

16
.github/workflows/qa-scripts.yml vendored
View file

@ -10,9 +10,9 @@ on:
jobs:
create-install-dir-test:
name: create_install_path.sh
runs-on: ubuntu-latest
runs-on: ubuntu-latest-large
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
with:
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
@ -107,7 +107,7 @@ jobs:
grep "=== Script failed ===" output
setup-script-test:
name: configure_paths.sh
runs-on: ubuntu-latest
runs-on: ubuntu-latest-large
env:
INSTALL_PATH: 'install-directory'
SONAR_HOST_URL: 'http://sonar-host.com'
@ -123,7 +123,7 @@ jobs:
SONAR_SCANNER_URL_MACOSX_AARCH64: 'https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-vX.Y.Z.MMMM-macosx-aarch64.zip'
SONAR_SCANNER_SHA_MACOSX_AARCH64: 'DOWNLOAD-SHA-MACOSX-AARCH64'
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
with:
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
@ -250,9 +250,9 @@ jobs:
grep "=== Script failed ===" output
download-script-test:
name: download.sh
runs-on: ubuntu-latest
runs-on: ubuntu-latest-large
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
with:
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
@ -319,9 +319,9 @@ jobs:
grep "=== Script failed ===" output
fetch-latest-version-test:
name: fetch_latest_version.sh
runs-on: ubuntu-latest
runs-on: ubuntu-latest-large
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
with:
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
- name: Test script

6
.github/workflows/update-tags.yml vendored
View file

@ -7,16 +7,16 @@ on:
jobs:
generate:
runs-on: ubuntu-latest
runs-on: ubuntu-latest-large
permissions:
contents: write
steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@v5
- name: Parse semver
uses: madhead/semver-utils@v4
uses: madhead/semver-utils@36d1e0ed361bd7b4b77665de8093092eaeabe6ba # v4.3.0
id: version
with:
version: ${{ github.ref_name }}

55
.github/workflows/version_update.yml vendored
View file

@ -5,19 +5,17 @@ on:
- cron: '15 10 * * *'
jobs:
update-version:
name: Prepare pull request for sonar-scanner version update
runs-on: ubuntu-latest
permissions:
contents: write
pull-requests: write
check-version:
name: Check for sonar-scanner version update
runs-on: ubuntu-latest-large
outputs:
should_update: ${{ steps.version-check.outputs.should_update }}
new-version: ${{ steps.latest-version.outputs.sonar-scanner-version }}
steps:
- run: sudo apt install -y jq
- run: sudo snap install yq
- uses: actions/checkout@v4
- uses: actions/checkout@v5
with:
ref: master
persist-credentials: true
fetch-depth: 0
- name: "Fetch currently used sonar-scanner version"
@ -25,25 +23,50 @@ jobs:
shell: bash
run: cat sonar-scanner-version >> $GITHUB_OUTPUT
- name: "Fetch lastest sonar-scanner version"
- name: "Fetch latest sonar-scanner version"
id: latest-version
shell: bash
run: |
./scripts/fetch_latest_version.sh > sonar-scanner-version
cat sonar-scanner-version >> $GITHUB_OUTPUT
- name: "Determine if update is needed"
id: version-check
shell: bash
run: |
if [[ "${{ steps.tagged-version.outputs.sonar-scanner-version }}" != "${{ steps.latest-version.outputs.sonar-scanner-version }}" ]]; then
echo "should_update=true" >> $GITHUB_OUTPUT
else
echo "should_update=false" >> $GITHUB_OUTPUT
fi
update-version:
name: Prepare pull request for sonar-scanner version update
needs: check-version
runs-on: ubuntu-latest-large
permissions:
contents: write
pull-requests: write
if: needs.check-version.outputs.should_update == 'true'
steps:
- uses: actions/checkout@v5
with:
ref: master
persist-credentials: true
fetch-depth: 0
- run: sudo snap install yq
- name: "Update default version"
if: steps.tagged-version.outputs.sonar-scanner-version != steps.latest-version.outputs.sonar-scanner-version
shell: bash
env:
NEW_VERSION: ${{ steps.latest-version.outputs.sonar-scanner-version }}
NEW_VERSION: ${{ needs.check-version.outputs.new-version }}
run: |
yq -i '.inputs.scannerVersion.default = strenv(NEW_VERSION)' action.yml
./scripts/fetch_latest_version.sh > sonar-scanner-version
- name: "Create Pull Request for version update"
if: steps.tagged-version.outputs.sonar-scanner-version != steps.latest-version.outputs.sonar-scanner-version
shell: bash
env:
UPDATE_BRANCH: update-to-sonar-scanner-${{ steps.latest-version.outputs.sonar-scanner-version }}
TITLE: "Update SonarScanner CLI to ${{ steps.latest-version.outputs.sonar-scanner-version }}"
UPDATE_BRANCH: update-to-sonar-scanner-${{ needs.check-version.outputs.new-version }}
TITLE: "Update SonarScanner CLI to ${{ needs.check-version.outputs.new-version }}"
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
git config --global user.name "SonarTech"
@ -56,5 +79,5 @@ jobs:
gh pr list
if [[ $(gh pr list -H "${UPDATE_BRANCH}" | grep "${UPDATE_BRANCH}" | wc -l) -eq 0 ]]; then
gh pr create -B master -H ${UPDATE_BRANCH} --title "${TITLE}" --body "Automatic updated of sonar-scanner version value. Needs to be tagged for release."
gh pr create -B master -H ${UPDATE_BRANCH} --title "${TITLE}" --body "Automatic update of the sonar-scanner version value. Be sure to trigger the QA workflow by closing and reopening this PR (see https://github.com/orgs/community/discussions/65321)."
fi

332
README.md
View file

@ -1,330 +1,14 @@
# Scan your code with SonarQube [![QA Main](https://github.com/SonarSource/sonarqube-scan-action/actions/workflows/qa-main.yml/badge.svg)](https://github.com/SonarSource/sonarqube-scan-action/actions/workflows/qa-main.yml) [![QA Install Build Wrapper](https://github.com/SonarSource/sonarqube-scan-action/actions/workflows/qa-install-build-wrapper.yml/badge.svg)](https://github.com/SonarSource/sonarqube-scan-action/actions/workflows/qa-install-build-wrapper.yml) [![QA Scripts](https://github.com/SonarSource/sonarqube-scan-action/actions/workflows/qa-scripts.yml/badge.svg)](https://github.com/SonarSource/sonarqube-scan-action/actions/workflows/qa-scripts.yml) [![QA Deprecated C and C++ Action](https://github.com/SonarSource/sonarqube-scan-action/actions/workflows/qa-deprecated-c-cpp.yml/badge.svg)](https://github.com/SonarSource/sonarqube-scan-action/actions/workflows/qa-deprecated-c-cpp.yml)
# Disclaimer
This is a Zendesk maintained repository cloned from [SonarSource/sonarqube-scan-action](https://github.com/SonarSource/sonarqube-scan-action). This repository is not updated from upstreame master breanch, instead it is updated from the latest tag from the SonarSource/sonarqube-scan-action.
This SonarSource project, available as a GitHub Action, scans your projects with SonarQube [Server](https://www.sonarsource.com/products/sonarqube/) or [Cloud](https://www.sonarsource.com/products/sonarcloud/).
<picture>
<source media="(prefers-color-scheme: dark)" srcset="./images/SQ_Logo_Server_Cloud_Dark_Backgrounds.png">
<img alt="SonarQube Logo" src="./images/SQ_Logo_Server_Cloud_Light_Backgrounds.png">
</picture>
SonarQube [Server](https://www.sonarsource.com/products/sonarqube/) and [Cloud](https://www.sonarsource.com/products/sonarcloud/) (formerly SonarQube and SonarCloud) is a widely used static analysis solution for continuous code quality and security inspection.
It helps developers detect coding issues in 30+ languages, frameworks, and IaC platforms, including Java, JavaScript, TypeScript, C#, Python, C, C++, and [many more](https://www.sonarsource.com/knowledge/languages/).
The solution also provides fix recommendations leveraging AI with Sonar's AI CodeFix capability.
> [!NOTE]
> This action now supports and is the official entrypoint for scanning C, C++, Objective-C and Dart projects via GitHub actions.
## Requirements
### Server
To run an analysis on your code, you first need to set up your project on SonarQube Server. Your SonarQube Server instance must be accessible from GitHub, and you will need an access token to run the analysis (more information below under **Environment variables**).
Read more information on how to analyze your code [here](https://docs.sonarsource.com/sonarqube-server/latest/devops-platform-integration/github-integration/introduction/).
### Cloud
* Create your account on SonarQube Cloud. [Sign up for free](https://www.sonarsource.com/products/sonarcloud/signup/?utm_medium=referral&utm_source=github&utm_campaign=sc-signup&utm_content=signup-sonarcloud-listing-x-x&utm_term=ww-psp-x) now if it's not already the case!
* The repository to analyze is set up on SonarQube Cloud. [Set it up](https://sonarcloud.io/projects/create) in just one click.
## Usage
Project metadata, including the location of the sources to be analyzed, must be declared in the file `sonar-project.properties` in the base directory:
### Server
```properties
sonar.projectKey=<replace with the key generated when setting up the project on SonarQube Server>
# relative paths to source directories. More details and properties are described
# at https://docs.sonarsource.com/sonarqube-server/latest/project-administration/analysis-scope/
sonar.sources=.
# Recommended Use within Zendesk
It is exepected that the Zendesk teams to use `sonarqube-scan-action` like below:
```
In the following cases:
- for projects that don't have C, C++, or Objective-C in them
- for C, C++, Objective-C projects that don't use [Build Wrapper](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/languages/c-family/prerequisites/#using-buildwrapper)
the workflow, usually declared under `.github/workflows`, looks like the following:
```yaml
on:
# Trigger analysis when pushing to your main branches, and when creating a pull request.
push:
branches:
- main
- master
- develop
- 'releases/**'
pull_request:
types: [opened, synchronize, reopened]
name: Main Workflow
jobs:
sonarqube:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
# Disabling shallow clones is recommended for improving the relevancy of reporting
fetch-depth: 0
- name: SonarQube Scan
uses: SonarSource/sonarqube-scan-action@<action version> # Ex: v4.1.0, See the latest version at https://github.com/marketplace/actions/official-sonarqube-scan
uses: zendesk/sonarqube-scan-action@master
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
SONAR_HOST_URL: ${{ vars.SONAR_HOST_URL }}
SONAR_TOKEN: ${{ secrets.SONARQUBE_TOKEN }}
SONAR_HOST_URL: ${{ secrets.SONARQUBE_HOST }}
```
For C, C++, and Objective-C projects relying on [Build Wrapper](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/languages/c-family/prerequisites/#using-buildwrapper) to generate the compilation database, the workflow requires additional steps to download the Build Wrapper and invoke it:
```yaml
# Trigger analysis when pushing to your main branches, and when creating a pull request.
push:
branches:
- main
- master
- develop
- 'releases/**'
pull_request:
types: [opened, synchronize, reopened]
name: Main Workflow
jobs:
sonarqube:
runs-on: ubuntu-latest
env:
BUILD_WRAPPER_OUT_DIR: build_wrapper_output_directory # Directory where build-wrapper output will be placed
steps:
- uses: actions/checkout@v4
with:
# Disabling shallow clone is recommended for improving relevancy of reporting
fetch-depth: 0
- name: Install Build Wrapper
uses: SonarSource/sonarqube-scan-action/install-build-wrapper@<action version>
env:
SONAR_HOST_URL: ${{ vars.SONAR_HOST_URL }}
- name: Run Build Wrapper
run: |
# Here goes your compilation wrapped with Build Wrapper
# For more information, see https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/languages/c-family/prerequisites/#using-buildwrapper
# build-preparation steps
# build-wrapper-linux-x86-64 --out-dir ${{ env.BUILD_WRAPPER_OUT_DIR }} build-command
- name: SonarQube Scan
uses: SonarSource/sonarqube-scan-action@<action version>
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
SONAR_HOST_URL: ${{ vars.SONAR_HOST_URL }}
SONAR_ROOT_CERT: ${{ secrets.SONAR_ROOT_CERT }}
with:
# Consult https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/scanners/sonarscanner/ for more information and options
args: >
--define sonar.cfamily.compile-commands="${{ env.BUILD_WRAPPER_OUT_DIR }}/compile_commands.json"
```
If you are using SonarQube Server 10.5 or earlier, use `sonar.cfamily.build-wrapper-output` instead of `sonar.cfamily.compile-commands` in the `args` property of the last step, as Build Wrapper does not generate a `compile_commands.json` file before SonarQube Server 10.6.
It should look like this:
```yaml
with:
args: >
--define sonar.cfamily.build-wrapper-output="${{ env.BUILD_WRAPPER_OUT_DIR }}"
```
See also [example configurations of C++ projects for SonarQube Server](https://github.com/search?q=org%3Asonarsource-cfamily-examples+gh-actions-sq&type=repositories).
### Cloud
```properties
sonar.organization=<replace with your SonarQube Cloud organization key>
sonar.projectKey=<replace with the key generated when setting up the project on SonarQube Cloud>
# relative paths to source directories. More details and properties are described
# at https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/analysis-scope/
sonar.sources=.
```
In the following cases:
- for projects that don't have C, C++, or Objective-C in them
- for C, C++, Objective-C projects that don't use [Build Wrapper](https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/languages/c-family/prerequisites/#using-build-wrapper)
the workflow, usually declared under `.github/workflows`, looks like the following:
```yaml
on:
# Trigger analysis when pushing to your main branches, and when creating a pull request.
push:
branches:
- main
- master
- develop
- 'releases/**'
pull_request:
types: [opened, synchronize, reopened]
name: Main Workflow
jobs:
sonarqube:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
# Disabling shallow clones is recommended for improving the relevancy of reporting
fetch-depth: 0
- name: SonarQube Scan
uses: SonarSource/sonarqube-scan-action@<action version> # Ex: v4.1.0, See the latest version at https://github.com/marketplace/actions/official-sonarqube-scan
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
```
For C, C++, and Objective-C projects relying on [Build Wrapper](https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/languages/c-family/prerequisites/#using-build-wrapper) to generate the compilation database, the workflow requires additional steps to download the Build Wrapper and invoke it:
```yaml
# Trigger analysis when pushing to your main branches, and when creating a pull request.
push:
branches:
- main
- master
- develop
- 'releases/**'
pull_request:
types: [opened, synchronize, reopened]
name: Main Workflow
jobs:
sonarqube:
runs-on: ubuntu-latest
env:
BUILD_WRAPPER_OUT_DIR: build_wrapper_output_directory # Directory where build-wrapper output will be placed
steps:
- uses: actions/checkout@v4
with:
# Disabling shallow clone is recommended for improving relevancy of reporting
fetch-depth: 0
- name: Install Build Wrapper
uses: SonarSource/sonarqube-scan-action/install-build-wrapper@<action version>
- name: Run Build Wrapper
run: |
# Here goes your compilation wrapped with Build Wrapper
# For more information, see https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/languages/c-family/prerequisites/#using-build-wrapper
# build-preparation steps
# build-wrapper-linux-x86-64 --out-dir ${{ env.BUILD_WRAPPER_OUT_DIR }} build-command
- name: SonarQube Scan
uses: SonarSource/sonarqube-scan-action@<action version>
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
SONAR_ROOT_CERT: ${{ secrets.SONAR_ROOT_CERT }}
with:
# Consult https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/scanners/sonarscanner/ for more information and options
args: >
--define sonar.cfamily.compile-commands="${{ env.BUILD_WRAPPER_OUT_DIR }}/compile_commands.json"
```
See also [example configurations of C++ projects for SonarQube Cloud](https://github.com/search?q=org%3Asonarsource-cfamily-examples+gh-actions-sc&type=repositories).
## Action parameters
You can change the analysis base directory by using the optional input `projectBaseDir` like this:
```yaml
- uses: SonarSource/sonarqube-scan-action@<action version>
with:
projectBaseDir: app/src
```
In case you need to specify the version of the Sonar Scanner, you can use the `scannerVersion` option:
```yaml
- uses: SonarSource/sonarqube-scan-action@<action version>
with:
scannerVersion: 6.2.0.4584
```
In case you need to add additional analysis parameters, and you do not wish to set them in the `sonar-project.properties` file, you can use the `args` option:
```yaml
- uses: SonarSource/sonarqube-scan-action@<action version>
with:
projectBaseDir: app/src
args: >
-Dsonar.organization=my-organization # For SonarQube Cloud only
-Dsonar.projectKey=my-projectkey
-Dsonar.python.coverage.reportPaths=coverage.xml
-Dsonar.sources=lib/
-Dsonar.tests=tests/
-Dsonar.test.exclusions=tests/**
-Dsonar.verbose=true
```
You can also specify the URL where to retrieve the SonarScanner CLI from.
The specified URL overrides the default address: `https://binaries.sonarsource.com/Distribution/sonar-scanner-cli`.
This can be useful when the runner executing the action is self-hosted and has regulated or no access to the Internet:
```yaml
- uses: SonarSource/sonarqube-scan-action@<action version>
with:
scannerBinariesUrl: https://my.custom.binaries.url.com/Distribution/sonar-scanner-cli/
```
More information about possible analysis parameters can be found:
* in the [Analysis parameters page](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/analysis-parameters/) of the SonarQube Server documentation
* in the [Analysis parameters page](https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/analysis-parameters/) of the SonarQube Cloud documentation
### Environment variables
- `SONAR_TOKEN` **Required** this is the token used to authenticate access to SonarQube. You can read more about security tokens in the documentation of SonarQube [Server](https://docs.sonarsource.com/sonarqube-server/latest/user-guide/managing-tokens/) and [Cloud](https://docs.sonarsource.com/sonarqube-cloud/managing-your-account/managing-tokens/). You can set the `SONAR_TOKEN` environment variable in the "Secrets" settings page of your repository, or you can add them at the level of your GitHub organization (recommended).
- `SONAR_HOST_URL` this tells the scanner where SonarQube Server is hosted. You can set the `SONAR_HOST_URL` environment variable in the "Variables" settings page of your repository, or you can add them at the level of your GitHub organization (recommended). Not needed for SonarQube Cloud.
- `SONAR_ROOT_CERT` Holds an additional certificate (in PEM format) that is used to validate the certificate of SonarQube Server or of a secured proxy to SonarQube (Server or Cloud). You can set the `SONAR_ROOT_CERT` environment variable in the "Secrets" settings page of your repository, or you can add them at the level of your GitHub organization (recommended).
Here is an example of how you can pass a certificate (in PEM format) to the Scanner truststore:
```yaml
- uses: SonarSource/sonarqube-scan-action@<action version>
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
SONAR_HOST_URL: ${{ vars.SONAR_HOST_URL }}
SONAR_ROOT_CERT: ${{ secrets.SONAR_ROOT_CERT }}
```
If your source code file names contain special characters that are not covered by the locale range of `en_US.UTF-8`, you can configure your desired locale like this:
```yaml
- uses: SonarSource/sonarqube-scan-action@<action version>
env:
SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
SONAR_HOST_URL: ${{ vars.SONAR_HOST_URL }} # or https://sonarcloud.io
LC_ALL: "ru_RU.UTF-8"
```
## Alternatives for Java and .NET
This GitHub Action will not work for all technologies. If you are in one of the following situations, you should use the following alternatives:
* Your code is built with Maven. Read the documentation about our SonarScanner for Maven in SonarQube [Server](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/scanners/sonarscanner-for-maven/) and [Cloud](https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/ci-based-analysis/sonarscanner-for-maven/).
* Your code is built with Gradle. Read the documentation about our SonarScanner for Gradle in SonarQube [Server](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/scanners/sonarscanner-for-gradle/) and [Cloud](https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/ci-based-analysis/sonarscanner-for-gradle/).
* You want to analyze a .NET solution. Read the documentation about our SonarScanner for .NET in SonarQube [Server](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/scanners/dotnet/introduction/) and [Cloud](https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/ci-based-analysis/sonarscanner-for-dotnet/introduction/).
## Do not use this GitHub action if you are in the following situations
* You want to run the action on C, C++, or Objective-C projects on a 32-bits system - build wrappers support only 64-bits OS.
## Self-hosted runner or container
When running the action in a self-hosted runner or container, please ensure that the following programs are installed:
* **curl** or **wget**
* **unzip**
## Additional information
The `sonarqube-scan-action/install-build-wrapper` action installs `coreutils` if run on macOS.
## Have questions or feedback?
To provide feedback (requesting a feature or reporting a bug) please post on the SonarSource Community Forum page for SonarQube [Server](https://community.sonarsource.com/tags/c/help/sq/github-actions) or [Cloud](https://community.sonarsource.com/tags/c/help/sc/9/github-actions).
## License
Container images built with this project include third-party materials.
For details check upstream [README.md](https://github.com/SonarSource/sonarqube-scan-action/blob/master/README.md)

8
action.yml
View file

@ -17,7 +17,7 @@ inputs:
description: Version of the Sonar Scanner CLI to use
required: false
# to be kept in sync with sonar-scanner-version
default: 7.1.0.4889
default: 7.2.0.5079
scannerBinariesUrl:
description: URL to download the Sonar Scanner CLI binaries from
required: false
@ -30,9 +30,10 @@ runs:
shell: bash
env:
INPUT_PROJECTBASEDIR: ${{ inputs.projectBaseDir }}
INPUT_SCANNERVERSION: ${{ inputs.scannerVersion }}
- name: Load Sonar Scanner CLI from cache
id: sonar-scanner-cli
uses: actions/cache@v4
uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 #v4.2.4
env:
# The default value is 60mins. Reaching timeout is treated the same as a cache miss.
SEGMENT_DOWNLOAD_TIMEOUT_MINS: 1
@ -50,8 +51,9 @@ runs:
run: echo "${RUNNER_TEMP}/sonar-scanner-cli-${{ inputs.scannerVersion }}-${{ runner.os }}-${{ runner.arch }}/bin" >> $GITHUB_PATH
shell: bash
- name: Run SonarScanner
run: ${GITHUB_ACTION_PATH}/scripts/run-sonar-scanner-cli.sh ${{ inputs.args }}
run: ${GITHUB_ACTION_PATH}/scripts/run-sonar-scanner.sh
shell: bash
env:
INPUT_ARGS: ${{ inputs.args }}
INPUT_PROJECTBASEDIR: ${{ inputs.projectBaseDir }}
SONAR_SCANNER_JRE: ${{ runner.temp }}/sonar-scanner-cli-${{ inputs.scannerVersion }}-${{ runner.os }}-${{ runner.arch }}/jre

2
scripts/cert.sh
View file

@ -1,4 +1,4 @@
#!/bin/bash
#!/usr/bin/env bash
if [[ -n "${SONAR_ROOT_CERT}" ]]; then
echo "Adding custom root certificate to java certificate store"

2
scripts/configure_paths.sh
View file

@ -1,4 +1,4 @@
#!/bin/bash
#!/usr/bin/env bash
if [[ ${ARCH} != "X64" && ! (${ARCH} == "ARM64" && (${OS} == "macOS" || ${OS} == "Linux")) ]]; then
echo "::error::Architecture '${ARCH}' is unsupported by build-wrapper"

2
scripts/create_install_path.sh
View file

@ -1,4 +1,4 @@
#!/bin/bash
#!/usr/bin/env bash
source "$(dirname -- "$0")/utils.sh"

4
scripts/download.sh
View file

@ -1,4 +1,4 @@
#!/bin/bash
#!/usr/bin/env bash
source "$(dirname -- "$0")/utils.sh"
@ -28,7 +28,7 @@ parse_arguments() {
}
verify_download_correctness() {
echo "${EXPECTED_SHA} ${TMP_ZIP_PATH}" | sha256sum -c
echo "${EXPECTED_SHA} ${TMP_ZIP_PATH}" | sha256sum -c -
check_status "Checking sha256 failed"
}

2
scripts/fetch_latest_version.sh
View file

@ -1,4 +1,4 @@
#!/bin/bash
#!/usr/bin/env bash
source "$(dirname -- "$0")/utils.sh"

2
scripts/install-sonar-scanner-cli.sh
View file

@ -1,4 +1,4 @@
#!/bin/bash
#!/usr/bin/env bash
set -eou pipefail

16
scripts/run-sonar-scanner-cli.sh
View file

@ -1,4 +1,4 @@
#!/bin/bash
#!/usr/bin/env bash
set -eo pipefail
@ -73,9 +73,19 @@ if [[ -n "${SONAR_ROOT_CERT}" ]]; then
scanner_args+=("-Dsonar.scanner.truststorePassword=$SONAR_SSL_TRUSTSTORE_PASSWORD")
fi
scanner_args+=("$@")
# split input args correctly (passed through INPUT_ARGS env var to avoid execution of injected command)
args=()
if [[ -n "${INPUT_ARGS}" ]]; then
# the regex recognizes args with values in single or double quotes (without character escaping), and args without quotes as well
# more specifically, the following patterns: -Darg="value", -Darg='value', -Darg=value, "-Darg=value" and '-Darg=value'
IFS=$'\n'; args=($(echo ${INPUT_ARGS} | egrep -o '[^" '\'']+="[^"]*"|[^" '\'']+='\''[^'\'']*'\''|[^" '\'']+|"[^"]+"|'\''[^'\'']+'\'''))
fi
for arg in "${args[@]}"; do
scanner_args+=("$arg")
done
set -ux
$SCANNER_BIN "${scanner_args[@]}"
$SCANNER_BIN ${scanner_args[@]+"${scanner_args[@]}"}

6
scripts/run-sonar-scanner.sh Executable file
View file

@ -0,0 +1,6 @@
#!/usr/bin/env bash
set -euo pipefail
# run the sonar scanner cli
cmd=(${GITHUB_ACTION_PATH}/scripts/run-sonar-scanner-cli.sh "${INPUT_ARGS}")
"${cmd[@]}"

7
scripts/sanity-checks.sh
View file

@ -1,7 +1,12 @@
#!/bin/bash
#!/usr/bin/env bash
set -eo pipefail
if [[ ! "${INPUT_SCANNERVERSION}" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
echo "::error title=SonarScanner::Invalid scannerVersion format. Expected format: x.y.z.w (e.g., 7.1.0.4889)"
exit 1
fi
if [[ -z "${SONAR_TOKEN}" ]]; then
echo "::warning title=SonarScanner::Running this GitHub Action without SONAR_TOKEN is not recommended"
fi

2
scripts/utils.sh
View file

@ -1,4 +1,4 @@
#!/bin/bash
#!/usr/bin/env bash
check_status() {
exit_status=$?

22
sonar-scanner-version
View file

@ -1,11 +1,11 @@
sonar-scanner-version=7.1.0.4889
sonar-scanner-url-windows-x64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-7.1.0.4889-windows-x64.zip
sonar-scanner-sha-windows-x64=64c5154d3d924eb2e03386f10eecb3ec4132298e2c1bf0b60a0d0195cd51a555
sonar-scanner-url-linux-x64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-7.1.0.4889-linux-x64.zip
sonar-scanner-sha-linux-x64=b4d2a001d65b489f9effe1ea8a78495db1b152f124d7f7b058aad8651c7e1484
sonar-scanner-url-linux-aarch64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-7.1.0.4889-linux-aarch64.zip
sonar-scanner-sha-linux-aarch64=7948ccde77843829b87d41815ead669486f681cd38b0b0893006083a9b6f6b5c
sonar-scanner-url-macosx-x64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-7.1.0.4889-macosx-x64.zip
sonar-scanner-sha-macosx-x64=08ad1e75994d91a17016ce55248d0827b62a757b263917234ea2d89bee8f136d
sonar-scanner-url-macosx-aarch64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-7.1.0.4889-macosx-aarch64.zip
sonar-scanner-sha-macosx-aarch64=9ad8c5da9e9665c065328b86adb3f33ef43801347ecb3ff1ec27d598ac37b449
sonar-scanner-version=7.2.0.5079
sonar-scanner-url-windows-x64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-7.2.0.5079-windows-x64.zip
sonar-scanner-sha-windows-x64=71936f352206b63cb05ffbcd68e366e52d22916148cf4a2418789bc776f733ea
sonar-scanner-url-linux-x64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-7.2.0.5079-linux-x64.zip
sonar-scanner-sha-linux-x64=da9f4e64a3d555f08ce38b5469ebd91fe2b311af473f7001a5ee5c1fd58b004b
sonar-scanner-url-linux-aarch64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-7.2.0.5079-linux-aarch64.zip
sonar-scanner-sha-linux-aarch64=803ca725d463e95eeb7537515706367bb8e52bf05ac32174daf9773bdb36d1e2
sonar-scanner-url-macosx-x64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-7.2.0.5079-macosx-x64.zip
sonar-scanner-sha-macosx-x64=7b9e92248ca740fff41503bfe5459c460bac43c501d80043cc4fbebb72dfc5fa
sonar-scanner-url-macosx-aarch64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-7.2.0.5079-macosx-aarch64.zip
sonar-scanner-sha-macosx-aarch64=c8adb3fbfe5485c17de193a217be765b66cbc10d6540057655afa3c3b5be6f61

10
test/assertFileContains
View file

@ -1,10 +1,14 @@
#!/bin/bash
#!/usr/bin/env bash
set -eou pipefail
error() { echo -e "\\e[31m✗ $*\\e[0m"; }
assertFileExists $1
scriptDir=$(dirname -- "$(readlink -f -- "${BASH_SOURCE[0]}")")
if ! grep -q $2 $1; then
$scriptDir/assertFileExists "$1"
if ! grep -q "$2" "$1"; then
error "'$2' not found in '$1'"
exit 1
fi

6
test/assertFileDoesntExist
View file

@ -1,8 +1,10 @@
#!/bin/bash
#!/usr/bin/env bash
set -eou pipefail
error() { echo -e "\\e[31m✗ $*\\e[0m"; }
if [ -f $1 ]; then
if [ -f "$1" ]; then
error "File '$1' found"
exit 1
fi

6
test/assertFileExists
View file

@ -1,8 +1,10 @@
#!/bin/bash
#!/usr/bin/env bash
set -eou pipefail
error() { echo -e "\\e[31m✗ $*\\e[0m"; }
if [ ! -f $1 ]; then
if [ ! -f "$1" ]; then
error "File '$1' not found"
exit 1
fi