SQSCANGHA-113 Migrate scanner run step

2025-09-10 11:28:29 +02:00
parent ed9f3aad50
commit 16df975da5
9 changed files with 448 additions and 137 deletions
--- a/src/run-sonar-scanner.js
+++ b/src/run-sonar-scanner.js
@@ -0,0 +1,140 @@
+import * as exec from "@actions/exec";
+import * as fs from "fs";
+import * as os from "os";
+import * as path from "path";
+import { parseArgsStringToArgv } from "string-argv";
+
+export async function runSonarScanner(
+  inputArgs,
+  projectBaseDir,
+  scannerDir,
+  runnerEnv = {}
+) {
+  const {
+    RUNNER_DEBUG,
+    RUNNER_OS,
+    RUNNER_TEMP,
+    SONAR_ROOT_CERT,
+    SONARCLOUD_URL,
+  } = runnerEnv;
+
+  const scannerBin =
+    RUNNER_OS === "Windows" ? "sonar-scanner.bat" : "sonar-scanner";
+
+  const scannerArgs = [];
+
+  if (SONARCLOUD_URL) {
+    scannerArgs.push(`-Dsonar.scanner.sonarcloudUrl=${SONARCLOUD_URL}`);
+  }
+
+  if (RUNNER_DEBUG === "1") {
+    scannerArgs.push("--debug");
+  }
+
+  if (projectBaseDir) {
+    scannerArgs.push(`-Dsonar.projectBaseDir=${projectBaseDir}`);
+  }
+
+  // The SSL folder may exist on an uncleaned self-hosted runner
+  const sslFolder = path.join(os.homedir(), ".sonar", "ssl");
+  /**
+   * Use keytool for now, as SonarQube 10.6 and below doesn't support openssl generated keystores
+   * keytool requires a password > 6 characters,  so we won't use the default password 'sonar'
+   */
+  const keytoolMainClass = "sun.security.tools.keytool.Main";
+  const truststoreFile = path.join(sslFolder, "truststore.p12");
+  const truststorePassword = "changeit";
+
+  if (fs.existsSync(truststoreFile)) {
+    let aliasSonarIsPresent = true;
+
+    try {
+      await exec.exec(
+        `${scannerDir}/jre/bin/java`,
+        [
+          keytoolMainClass,
+          "-storetype",
+          "PKCS12",
+          "-keystore",
+          truststoreFile,
+          "-storepass",
+          truststorePassword,
+          "-noprompt",
+          "-trustcacerts",
+          "-list",
+          "-v",
+          "-alias",
+          "sonar",
+        ],
+        { silent: true }
+      );
+    } catch (_) {
+      aliasSonarIsPresent = false;
+      console.log(
+        `Existing Scanner truststore ${truststoreFile} does not contain 'sonar' alias`
+      );
+    }
+
+    if (aliasSonarIsPresent) {
+      console.log(
+        `Removing 'sonar' alias from already existing Scanner truststore: ${truststoreFile}`
+      );
+      await exec.exec(`${scannerDir}/jre/bin/java`, [
+        keytoolMainClass,
+        "-storetype",
+        "PKCS12",
+        "-keystore",
+        truststoreFile,
+        "-storepass",
+        truststorePassword,
+        "-noprompt",
+        "-trustcacerts",
+        "-delete",
+        "-alias",
+        "sonar",
+      ]);
+    }
+  }
+
+  if (SONAR_ROOT_CERT) {
+    console.log("Adding SSL certificate to the Scanner truststore");
+    const tempCertPath = path.join(RUNNER_TEMP, "tmpcert.pem");
+
+    try {
+      fs.unlinkSync(tempCertPath);
+    } catch (_) {
+      // File doesn't exist, ignore
+    }
+
+    fs.writeFileSync(tempCertPath, SONAR_ROOT_CERT);
+    fs.mkdirSync(sslFolder, { recursive: true });
+
+    await exec.exec(`${scannerDir}/jre/bin/java`, [
+      keytoolMainClass,
+      "-storetype",
+      "PKCS12",
+      "-keystore",
+      truststoreFile,
+      "-storepass",
+      truststorePassword,
+      "-noprompt",
+      "-trustcacerts",
+      "-importcert",
+      "-alias",
+      "sonar",
+      "-file",
+      tempCertPath,
+    ]);
+
+    scannerArgs.push(
+      `-Dsonar.scanner.truststorePassword=${truststorePassword}`
+    );
+  }
+
+  if (inputArgs) {
+    const args = parseArgsStringToArgv(inputArgs);
+    scannerArgs.push(...args);
+  }
+
+  await exec.exec(scannerBin, scannerArgs);
+}