mirror of
https://github.com/SonarSource/sonarqube-scan-action.git
synced 2025-12-12 17:31:15 +00:00
91 lines
3 KiB
Bash
Executable file
91 lines
3 KiB
Bash
Executable file
#!/usr/bin/env bash
|
|
|
|
set -eo pipefail
|
|
|
|
if [[ "$RUNNER_OS" == "Windows" ]]; then
|
|
SCANNER_BIN="sonar-scanner.bat"
|
|
else
|
|
SCANNER_BIN="sonar-scanner"
|
|
fi
|
|
|
|
scanner_args=()
|
|
if [[ ${SONARCLOUD_URL} ]]; then
|
|
scanner_args+=("-Dsonar.scanner.sonarcloudUrl=${SONARCLOUD_URL}")
|
|
fi
|
|
|
|
if [[ "$RUNNER_DEBUG" == '1' ]]; then
|
|
scanner_args+=('--debug')
|
|
fi
|
|
|
|
if [[ -n "${INPUT_PROJECTBASEDIR}" ]]; then
|
|
scanner_args+=("-Dsonar.projectBaseDir=${INPUT_PROJECTBASEDIR}")
|
|
fi
|
|
|
|
# The SSL folder may exist on an uncleaned self-hosted runner
|
|
SONAR_SSL_FOLDER=~/.sonar/ssl
|
|
# Use keytool for now, as SonarQube 10.6 and below doesn't support openssl generated keystores
|
|
# keytool requires a password > 6 characters, so we won't use the default password 'sonar'
|
|
KEYTOOL_MAIN_CLASS=sun.security.tools.keytool.Main
|
|
SONAR_SSL_TRUSTSTORE_FILE="$SONAR_SSL_FOLDER/truststore.p12"
|
|
SONAR_SSL_TRUSTSTORE_PASSWORD=changeit
|
|
|
|
if [ -f "$SONAR_SSL_TRUSTSTORE_FILE" ]; then
|
|
ALIAS_SONAR_IS_PRESENT=true
|
|
|
|
"$SONAR_SCANNER_JRE/bin/java" "$KEYTOOL_MAIN_CLASS" \
|
|
-storetype PKCS12 \
|
|
-keystore "$SONAR_SSL_TRUSTSTORE_FILE" \
|
|
-storepass "$SONAR_SSL_TRUSTSTORE_PASSWORD" \
|
|
-noprompt \
|
|
-trustcacerts \
|
|
-list -v -alias sonar > /dev/null 2>&1 || {
|
|
ALIAS_SONAR_IS_PRESENT=false
|
|
echo "Existing Scanner truststore $SONAR_SSL_TRUSTSTORE_FILE does not contain 'sonar' alias"
|
|
}
|
|
|
|
if [[ $ALIAS_SONAR_IS_PRESENT == "true" ]]; then
|
|
echo "Removing 'sonar' alias from already existing Scanner truststore: $SONAR_SSL_TRUSTSTORE_FILE"
|
|
"$SONAR_SCANNER_JRE/bin/java" "$KEYTOOL_MAIN_CLASS" \
|
|
-storetype PKCS12 \
|
|
-keystore "$SONAR_SSL_TRUSTSTORE_FILE" \
|
|
-storepass "$SONAR_SSL_TRUSTSTORE_PASSWORD" \
|
|
-noprompt \
|
|
-trustcacerts \
|
|
-delete \
|
|
-alias sonar
|
|
fi
|
|
fi
|
|
|
|
if [[ -n "${SONAR_ROOT_CERT}" ]]; then
|
|
echo "Adding SSL certificate to the Scanner truststore"
|
|
rm -f $RUNNER_TEMP/tmpcert.pem
|
|
echo "${SONAR_ROOT_CERT}" > $RUNNER_TEMP/tmpcert.pem
|
|
mkdir -p "$SONAR_SSL_FOLDER"
|
|
"$SONAR_SCANNER_JRE/bin/java" "$KEYTOOL_MAIN_CLASS" \
|
|
-storetype PKCS12 \
|
|
-keystore "$SONAR_SSL_TRUSTSTORE_FILE" \
|
|
-storepass "$SONAR_SSL_TRUSTSTORE_PASSWORD" \
|
|
-noprompt \
|
|
-trustcacerts \
|
|
-importcert \
|
|
-alias sonar \
|
|
-file "$RUNNER_TEMP/tmpcert.pem"
|
|
scanner_args+=("-Dsonar.scanner.truststorePassword=$SONAR_SSL_TRUSTSTORE_PASSWORD")
|
|
fi
|
|
|
|
# split input args correctly (passed through INPUT_ARGS env var to avoid execution of injected command)
|
|
args=()
|
|
if [[ -n "${INPUT_ARGS}" ]]; then
|
|
# the regex recognizes args with values in single or double quotes (without character escaping), and args without quotes as well
|
|
# more specifically, the following patterns: -Darg="value", -Darg='value', -Darg=value, "-Darg=value" and '-Darg=value'
|
|
IFS=$'\n'; args=($(echo ${INPUT_ARGS} | egrep -o '[^" '\'']+="[^"]*"|[^" '\'']+='\''[^'\'']*'\''|[^" '\'']+|"[^"]+"|'\''[^'\'']+'\'''))
|
|
fi
|
|
|
|
for arg in "${args[@]}"; do
|
|
scanner_args+=("$arg")
|
|
done
|
|
|
|
set -ux
|
|
|
|
$SCANNER_BIN ${scanner_args[@]+"${scanner_args[@]}"}
|
|
|