SQCPPGHA-9 Extend action to support C, C++, and Objective-C projects (#161)

2024-12-16 10:24:14 +01:00
parent 844ce2710b
commit 00e62e1190
19 changed files with 1118 additions and 22 deletions
--- a/scripts/cert.sh
+++ b/scripts/cert.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+if [[ -n "${SONAR_ROOT_CERT}" ]]; then
+  echo "Adding custom root certificate to java certificate store"
+  rm -f /tmp/tmpcert.pem
+  echo "${SONAR_ROOT_CERT}" > /tmp/tmpcert.pem
+  keytool -keystore /etc/ssl/certs/java/cacerts -storepass changeit -noprompt -trustcacerts -importcert -alias sonarqube -file /tmp/tmpcert.pem
+fi
--- a/scripts/configure_paths.sh
+++ b/scripts/configure_paths.sh
@@ -0,0 +1,71 @@
+#!/bin/bash
+
+if [[ ${ARCH} != "X64" && ! (${ARCH} == "ARM64" && (${OS} == "macOS" || ${OS} == "Linux")) ]]; then
+  echo "::error::Architecture '${ARCH}' is unsupported by build-wrapper"
+  exit 1
+fi
+
+case ${OS} in
+  Windows)
+    SONAR_SCANNER_SUFFIX="windows-x64"
+    BUILD_WRAPPER_SUFFIX="win-x86"
+    SONAR_SCANNER_NAME="sonar-scanner.bat"
+    BUILD_WRAPPER_NAME="build-wrapper-win-x86-64.exe"
+    SONAR_SCANNER_URL="${SONAR_SCANNER_URL_WINDOWS_X64}"
+    SONAR_SCANNER_SHA="${SONAR_SCANNER_SHA_WINDOWS_X64}"
+    ;;
+  Linux)  
+    case ${ARCH} in
+      X64)
+        SONAR_SCANNER_SUFFIX="linux-x64"
+        BUILD_WRAPPER_SUFFIX="linux-x86"
+        BUILD_WRAPPER_NAME="build-wrapper-linux-x86-64"
+        SONAR_SCANNER_URL="${SONAR_SCANNER_URL_LINUX_X64}"
+        SONAR_SCANNER_SHA="${SONAR_SCANNER_SHA_LINUX_X64}"
+        ;;
+      ARM64)
+        SONAR_SCANNER_SUFFIX="linux-aarch64"
+        BUILD_WRAPPER_SUFFIX="linux-aarch64"
+        BUILD_WRAPPER_NAME="build-wrapper-linux-aarch64"
+        SONAR_SCANNER_URL="${SONAR_SCANNER_URL_LINUX_AARCH64}"
+        SONAR_SCANNER_SHA="${SONAR_SCANNER_SHA_LINUX_AARCH64}"
+        ;;
+    esac
+    SONAR_SCANNER_NAME="sonar-scanner"
+    ;;
+  macOS)
+    case ${ARCH} in
+      X64)
+        SONAR_SCANNER_SUFFIX="macosx-x64"
+        SONAR_SCANNER_URL="${SONAR_SCANNER_URL_MACOSX_X64}"
+        SONAR_SCANNER_SHA="${SONAR_SCANNER_SHA_MACOSX_X64}"
+        ;;
+      ARM64)
+        SONAR_SCANNER_SUFFIX="macosx-aarch64"
+        SONAR_SCANNER_URL="${SONAR_SCANNER_URL_MACOSX_AARCH64}"
+        SONAR_SCANNER_SHA="${SONAR_SCANNER_SHA_MACOSX_AARCH64}"
+        ;;
+    esac
+    BUILD_WRAPPER_SUFFIX="macosx-x86"
+    SONAR_SCANNER_NAME="sonar-scanner"
+    BUILD_WRAPPER_NAME="build-wrapper-macosx-x86"
+    ;;
+  *)
+    echo "::error::Unsupported runner OS '${OS}'"
+    exit 1
+    ;;
+esac
+
+
+echo "sonar-scanner-url=${SONAR_SCANNER_URL}"
+echo "sonar-scanner-sha=${SONAR_SCANNER_SHA}"
+
+SONAR_SCANNER_DIR="${INSTALL_PATH}/sonar-scanner-${SONAR_SCANNER_VERSION}-${SONAR_SCANNER_SUFFIX}"
+echo "sonar-scanner-dir=${SONAR_SCANNER_DIR}"
+echo "sonar-scanner-bin=${SONAR_SCANNER_DIR}/bin/${SONAR_SCANNER_NAME}"
+
+BUILD_WRAPPER_DIR="${INSTALL_PATH}/build-wrapper-${BUILD_WRAPPER_SUFFIX}"
+echo "build-wrapper-url=${SONAR_HOST_URL%/}/static/cpp/build-wrapper-${BUILD_WRAPPER_SUFFIX}.zip"
+echo "build-wrapper-dir=${BUILD_WRAPPER_DIR}"
+echo "build-wrapper-bin=${BUILD_WRAPPER_DIR}/${BUILD_WRAPPER_NAME}"
+
--- a/scripts/create_install_path.sh
+++ b/scripts/create_install_path.sh
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+source "$(dirname -- "$0")/utils.sh"
+
+echo "Installation path is '${INSTALL_PATH}'"
+
+test ! -z "${INSTALL_PATH}"
+check_status "Empty installation path specified"
+
+if [[ ! -e "${INSTALL_PATH}" ]]; then
+  mkdir -p "${INSTALL_PATH}"
+  check_status "Failed to create non-existing installation path '${INSTALL_PATH}'"
+fi  
+
+ABSOLUTE_INSTALL_PATH=$(realpath "${INSTALL_PATH}")
+echo "Absolute installation path is '${ABSOLUTE_INSTALL_PATH}'"
+
+test -d "${INSTALL_PATH}"
+check_status "Installation path '${INSTALL_PATH}' is not a directory (absolute path is '${ABSOLUTE_INSTALL_PATH}')"
+
+test -r "${INSTALL_PATH}"
+check_status "Installation path '${INSTALL_PATH}' is not readable (absolute path is '${ABSOLUTE_INSTALL_PATH}')"
+
+test -w "${INSTALL_PATH}"
+check_status "Installation path '${INSTALL_PATH}' is not writeable (absolute path is '${ABSOLUTE_INSTALL_PATH}')"
+
--- a/scripts/download.sh
+++ b/scripts/download.sh
@@ -0,0 +1,58 @@
+#!/bin/bash
+
+source "$(dirname -- "$0")/utils.sh"
+
+VERIFY_CORRECTNESS=false
+
+help() {
+  cat <<EOF
+Usage: ./download [-v]
+-h              Display help
+-v              Verify correctness of a download with SHA256 checksum; Optional
+EOF
+}
+
+parse_arguments() {
+  while getopts "hv" arg; do
+    case $arg in
+    v)
+      VERIFY_CORRECTNESS=true
+      echo "Verify correctness is set to true"
+      ;;
+    ?)
+      help
+      exit 0
+      ;;
+    esac
+  done
+}
+
+verify_download_correctness() {
+  echo "${EXPECTED_SHA} ${TMP_ZIP_PATH}" | sha256sum -c
+  check_status "Checking sha256 failed"
+}
+
+download() {
+  echo "Downloading '${DOWNLOAD_URL}'"
+  mkdir -p "${INSTALL_PATH}"
+  check_status "Failed to create ${INSTALL_PATH}"
+  curl -sSLo "${TMP_ZIP_PATH}" "${DOWNLOAD_URL}"
+  check_status "Failed to download '${DOWNLOAD_URL}'"
+}
+
+decompress() {
+  echo "Decompressing"
+  unzip -o -d "${INSTALL_PATH}" "${TMP_ZIP_PATH}"
+  check_status "Failed to unzip the archive into '${INSTALL_PATH}'"
+}
+
+####################################################################################
+
+echo "::group::Download ${DOWNLOAD_URL}"
+parse_arguments $@
+download
+if [ "$VERIFY_CORRECTNESS" = true ]; then
+  verify_download_correctness
+fi
+decompress
+echo "::endgroup::"
--- a/scripts/fetch_latest_version.sh
+++ b/scripts/fetch_latest_version.sh
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+source "$(dirname -- "$0")/utils.sh"
+
+SONAR_SCANNER_VERSION=$(curl -sSL -H "Accept: application/vnd.github+json" \
+  https://api.github.com/repos/SonarSource/sonar-scanner-cli/releases/latest | jq -r '.tag_name')
+check_status "Failed to fetch latest sonar-scanner version from GitHub API"
+
+echo "sonar-scanner-version=${SONAR_SCANNER_VERSION}"
+
+for OS in windows linux macosx; do
+  if [[ "$OS" == "windows" ]]; then
+    ARCHS=("x64")
+  else
+    ARCHS=("x64" "aarch64")
+  fi
+  for ARCH in "${ARCHS[@]}"; do
+    SONAR_SCANNER_URL="https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-${SONAR_SCANNER_VERSION}-${OS}-${ARCH}.zip"
+    SONAR_SCANNER_SHA=$(curl -sSL "${SONAR_SCANNER_URL}.sha256")
+    check_status "Failed to download ${OS} ${ARCH} sonar-scanner checksum from '${SONAR_SCANNER_URL}'"
+
+    echo "sonar-scanner-url-${OS}-${ARCH}=${SONAR_SCANNER_URL}"
+    echo "sonar-scanner-sha-${OS}-${ARCH}=${SONAR_SCANNER_SHA}"
+  done
+done
--- a/scripts/install-sonar-scanner-cli.sh
+++ b/scripts/install-sonar-scanner-cli.sh
@@ -0,0 +1,52 @@
+#!/bin/bash
+
+set -eou pipefail
+
+# See https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/store-information-in-variables#default-environment-variables
+#
+# Script-specific variables required:
+# - INPUT_SCANNERVERSION: e.g. 6.2.1.4610
+# - INPUT_SCANNERBINARIESURL: e.g. https://github.com/me/my-repo/raw/refs/heads/main/binaries
+
+if [[ "$RUNNER_OS" == "Linux" && "$RUNNER_ARCH" == "X64" ]]; then
+     FLAVOR="linux-x64"
+elif [[ "$RUNNER_OS" == "Linux" && "$RUNNER_ARCH" == "ARM64" ]]; then
+     FLAVOR="linux-aarch64"
+elif [[ "$RUNNER_OS" == "Windows" && "$RUNNER_ARCH" == "X64" ]]; then
+     FLAVOR="windows-x64"
+elif [[ "$RUNNER_OS" == "macOS" && "$RUNNER_ARCH" == "X64" ]]; then
+     FLAVOR="macosx-x64"
+elif [[ "$RUNNER_OS" == "macOS" && "$RUNNER_ARCH" == "ARM64" ]]; then
+     FLAVOR="macosx-aarch64"
+else
+     echo "::error title=SonarScanner::$RUNNER_OS $RUNNER_ARCH not supported"
+     exit 1
+fi
+
+set -x
+
+mkdir -p $RUNNER_TEMP/sonarscanner
+cd $RUNNER_TEMP/sonarscanner
+
+SCANNER_FILE_NAME="sonar-scanner-cli-$INPUT_SCANNERVERSION-$FLAVOR.zip"
+SCANNER_URI="${INPUT_SCANNERBINARIESURL%/}/$SCANNER_FILE_NAME"
+
+if command -v wget &> /dev/null; then
+    wget --no-verbose --user-agent=sonarqube-scan-action "$SCANNER_URI"
+elif command -v curl &> /dev/null; then
+    curl --fail --silent --show-error --user-agent sonarqube-scan-action \
+         --location --output "$SCANNER_FILE_NAME" "$SCANNER_URI"
+elif [ "$RUNNER_OS" == "Windows" ] && [ -t "C:\\msys64\\usr\\bin\\wget.exe" ]; then
+    "C:\\msys64\\usr\\bin\\wget.exe" --no-verbose --user-agent=sonarqube-scan-action "$SCANNER_URI"
+elif [ "$RUNNER_OS" == "Windows" ] && [ -t "C:\\msys64\\usr\\bin\\curl.exe" ]; then
+    "C:\\msys64\\usr\\bin\\curl.exe" --fail --silent --show-error --user-agent sonarqube-scan-action \
+         --location --output "$SCANNER_FILE_NAME" "$SCANNER_URI"
+else
+    echo "::error title=SonarScanner::Neither wget nor curl found on the machine"
+    exit 1
+fi
+
+unzip -q $SCANNER_FILE_NAME
+
+# Folder name should correspond to the directory cached by the actions/cache
+mv sonar-scanner-$INPUT_SCANNERVERSION-$FLAVOR $RUNNER_TEMP/sonar-scanner-cli-$INPUT_SCANNERVERSION-$RUNNER_OS-$RUNNER_ARCH
--- a/scripts/run-sonar-scanner-cli.sh
+++ b/scripts/run-sonar-scanner-cli.sh
@@ -0,0 +1,41 @@
+#!/bin/bash
+
+set -eo pipefail
+
+if [[ "$RUNNER_OS" == "Windows" ]]; then
+  SCANNER_BIN="sonar-scanner.bat"
+else
+  SCANNER_BIN="sonar-scanner"
+fi
+
+scanner_args=()
+if [[ ${SONARCLOUD_URL} ]]; then
+  scanner_args+=("-Dsonar.scanner.sonarcloudUrl=${SONARCLOUD_URL}")
+fi
+
+if [[ "$RUNNER_DEBUG" == '1' ]]; then
+  scanner_args+=('--debug')
+fi
+
+if [[ -n "${INPUT_PROJECTBASEDIR}" ]]; then
+  scanner_args+=("-Dsonar.projectBaseDir=${INPUT_PROJECTBASEDIR}")
+fi
+
+if [[ -n "${SONAR_ROOT_CERT}" ]]; then
+  echo "Adding SSL certificate to the Scanner truststore"
+  rm -f $RUNNER_TEMP/tmpcert.pem
+  echo "${SONAR_ROOT_CERT}" > $RUNNER_TEMP/tmpcert.pem
+  # Use keytool for now, as SonarQube 10.6 and below doesn't support openssl generated keystores
+  # keytool require a password > 6 characters, so we wan't use the default password 'sonar'
+  store_pass=changeit
+  mkdir -p ~/.sonar/ssl
+  $SONAR_SCANNER_JRE/bin/java sun.security.tools.keytool.Main -storetype PKCS12 -keystore ~/.sonar/ssl/truststore.p12 -storepass $store_pass -noprompt -trustcacerts -importcert -alias sonar -file $RUNNER_TEMP/tmpcert.pem
+  scanner_args+=("-Dsonar.scanner.truststorePassword=$store_pass")
+fi
+
+scanner_args+=("$@")
+
+set -ux
+
+$SCANNER_BIN "${scanner_args[@]}"
+
--- a/scripts/sanity-checks.sh
+++ b/scripts/sanity-checks.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+set -eo pipefail
+
+if [[ -z "${SONAR_TOKEN}" ]]; then
+  echo "::warning title=SonarScanner::Running this GitHub Action without SONAR_TOKEN is not recommended"
+fi
+
+if [[ -f "${INPUT_PROJECTBASEDIR%/}/pom.xml" ]]; then
+  echo "::warning title=SonarScanner::Maven project detected. Sonar recommends running the 'org.sonarsource.scanner.maven:sonar-maven-plugin:sonar' goal during the build process instead of using this GitHub Action
+  to get more accurate results."
+fi
+
+if [[ -f "${INPUT_PROJECTBASEDIR%/}/build.gradle"  || -f "${INPUT_PROJECTBASEDIR%/}/build.gradle.kts" ]]; then
+  echo "::warning title=SonarScanner::Gradle project detected. Sonar recommends using the SonarQube plugin for Gradle during the build process instead of using this GitHub Action
+  to get more accurate results."
+fi
+
--- a/scripts/utils.sh
+++ b/scripts/utils.sh
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+check_status() {
+  exit_status=$?
+  if [ $exit_status -ne 0 ]; then
+    echo "::error::$1"
+    exit $exit_status
+  fi
+}
+
+realpath() {
+  case ${RUNNER_OS} in
+    Windows)
+      cygpath --absolute --windows "$1"
+    ;;
+    Linux)
+      readlink -f "$1"
+    ;;
+    macOS)
+      # installed by coreutils package
+      greadlink -f "$1"
+    ;;
+  esac
+}
+