SQSCANGHA-121 Add vulnerability warning

2025-09-24 17:48:09 +02:00
11 changed files with 49 additions and 64 deletions
--- a/.github/workflows/PullRequestClosed.yml
+++ b/.github/workflows/PullRequestClosed.yml
@@ -7,7 +7,7 @@ on:
 jobs:
  PullRequestClosed_job:
    name: Pull Request Closed
-    runs-on: github-ubuntu-latest-s
+    runs-on: ubuntu-latest-large
    permissions:
      id-token: write
      pull-requests: read
--- a/.github/workflows/PullRequestCreated.yml
+++ b/.github/workflows/PullRequestCreated.yml
@@ -7,7 +7,7 @@ on:
 jobs:
  PullRequestCreated_job:
    name: Pull Request Created
-    runs-on: github-ubuntu-latest-s
+    runs-on: ubuntu-latest-large
    permissions:
      id-token: write
    # For external PR, ticket should be created manually
--- a/.github/workflows/RequestReview.yml
+++ b/.github/workflows/RequestReview.yml
@@ -7,7 +7,7 @@ on:
 jobs:
  RequestReview_job:
    name: Request review
-    runs-on: github-ubuntu-latest-s
+    runs-on: ubuntu-latest-large
    permissions:
      id-token: write
    # For external PR, ticket should be moved manually
--- a/.github/workflows/SubmitReview.yml
+++ b/.github/workflows/SubmitReview.yml
@@ -7,7 +7,7 @@ on:
 jobs:
  SubmitReview_job:
    name: Submit Review
-    runs-on: github-ubuntu-latest-s
+    runs-on: ubuntu-latest-large
    permissions:
      id-token: write
      pull-requests: read
--- a/.github/workflows/qa-deprecated-c-cpp.yml
+++ b/.github/workflows/qa-deprecated-c-cpp.yml
@@ -12,7 +12,7 @@ jobs:
    name: Action outputs
    strategy:
      matrix:
-        os: [github-ubuntu-latest-s, github-windows-latest-s, macos-latest, macos-13]
+        os: [ubuntu-latest-large, windows-latest-large, macos-latest, macos-13]
        cache: [true, false]
        include:
          - arch: X64
--- a/.github/workflows/qa-install-build-wrapper.yml
+++ b/.github/workflows/qa-install-build-wrapper.yml
@@ -12,7 +12,7 @@ jobs:
    name: Action outputs
    strategy:
      matrix:
-        os: [github-ubuntu-latest-s, github-windows-latest-s, macos-latest, macos-13]
+        os: [ubuntu-latest-large, windows-latest-large, macos-latest, macos-13]
        cache: [true, false]
        include:
          - arch: X64
--- a/.github/workflows/qa-main.yml
+++ b/.github/workflows/qa-main.yml
@@ -12,9 +12,8 @@ jobs:
    name: >
      No inputs
    strategy:
-      fail-fast: false
      matrix:
-        os: [ github-ubuntu-latest-s, macos-latest ]
+        os: [ ubuntu-latest-large, macos-latest ]
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@v5
@@ -32,9 +31,8 @@ jobs:
    name: >
      'args' input
    strategy:
-      fail-fast: false
      matrix:
-        os: [ github-ubuntu-latest-s, github-windows-latest-s, macos-latest ]
+        os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@v5
@@ -50,15 +48,14 @@ jobs:
      - name: Assert
        run: |
          ./test/assertFileContains ./output.properties "sonar.someArg=aValue"
-          ./test/assertFileContains ./output.properties "sonar.anotherArgWithSpaces=Another Value"
-          ./test/assertFileContains ./output.properties "sonar.argWithSingleQuotes=Another Value"
+          ./test/assertFileContains ./output.properties 'sonar.anotherArgWithSpaces="Another Value"'
+          ./test/assertFileContains ./output.properties "sonar.argWithSingleQuotes='Another Value'"
  argsInputInjectionTest:
    name: >
      'args' input with command injection will fail
    strategy:
-      fail-fast: false
      matrix:
-        os: [ github-ubuntu-latest-s, github-windows-latest-s, macos-latest ]
+        os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
        args: [ -Dsonar.someArg=aValue && echo "Injection", -Dsonar.someArg="value\"; whoami; echo \"" ]
    runs-on: ${{ matrix.os }}
    steps:
@@ -66,7 +63,6 @@ jobs:
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Run action with args
-        id: runTest
        uses: ./
        continue-on-error: true
        with:
@@ -84,9 +80,8 @@ jobs:
    name: >
      'args' input with backticks injection does not execute command
    strategy:
-      fail-fast: false
      matrix:
-        os: [ github-ubuntu-latest-s, github-windows-latest-s, macos-latest ]
+        os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@v5
@@ -114,7 +109,7 @@ jobs:
      'args' input with dollar command injection does not execute command
    strategy:
      matrix:
-        os: [ github-ubuntu-latest-s, github-windows-latest-s, macos-latest ]
+        os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@v5
@@ -141,7 +136,7 @@ jobs:
      'args' input with other command injection variants does not execute command
    strategy:
      matrix:
-        os: [ github-ubuntu-latest-s, github-windows-latest-s, macos-latest ]
+        os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@v5
@@ -171,7 +166,7 @@ jobs:
      'projectBaseDir' input
    strategy:
      matrix:
-        os: [ github-ubuntu-latest-s, github-windows-latest-s, macos-latest ]
+        os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@v5
@@ -192,7 +187,7 @@ jobs:
  scannerVersionTest:
    name: >
      'scannerVersion' input
-    runs-on: github-ubuntu-latest-s # assumes default RUNNER_ARCH for linux is X64
+    runs-on: ubuntu-latest-large # assumes default RUNNER_ARCH for linux is X64
    steps:
      - uses: actions/checkout@v5
        with:
@@ -212,7 +207,7 @@ jobs:
  scannerBinariesUrlTest:
    name: >
      'scannerBinariesUrl' input with invalid URL
-    runs-on: github-ubuntu-latest-s # assumes default RUNNER_ARCH for linux is X64
+    runs-on: ubuntu-latest-large # assumes default RUNNER_ARCH for linux is X64
    steps:
      - uses: actions/checkout@v5
        with:
@@ -240,7 +235,7 @@ jobs:
  scannerBinariesUrlIsEscapedWithWget:
    name: >
      'scannerBinariesUrl' is escaped with wget so special chars are not injected in the download command
-    runs-on: github-ubuntu-latest-s
+    runs-on: ubuntu-latest-large
    steps:
      - uses: actions/checkout@v5
        with:
@@ -261,7 +256,7 @@ jobs:
  scannerBinariesUrlIsEscapedWithCurl:
    name: >
      'scannerBinariesUrl' is escaped with curl so special chars are not injected in the download command
-    runs-on: github-ubuntu-latest-s
+    runs-on: ubuntu-latest-large
    steps:
      - uses: actions/checkout@v5
        with:
@@ -290,7 +285,7 @@ jobs:
  dontFailGradleTest:
    name: >
      Don't fail on Gradle project
-    runs-on: github-ubuntu-latest-s
+    runs-on: ubuntu-latest-large
    steps:
      - uses: actions/checkout@v5
        with:
@@ -311,7 +306,7 @@ jobs:
  dontFailGradleKotlinTest:
    name: >
      Don't fail on Kotlin Gradle project
-    runs-on: github-ubuntu-latest-s
+    runs-on: ubuntu-latest-large
    steps:
      - uses: actions/checkout@v5
        with:
@@ -332,7 +327,7 @@ jobs:
  dontFailMavenTest:
    name: >
      Don't fail on Maven project
-    runs-on: github-ubuntu-latest-s
+    runs-on: ubuntu-latest-large
    steps:
      - uses: actions/checkout@v5
        with:
@@ -351,7 +346,7 @@ jobs:
        run: |
          ./test/assertFileExists ./output.properties
  runAnalysisTest:
-    runs-on: github-ubuntu-latest-s
+    runs-on: ubuntu-latest-large
    services:
      sonarqube:
        image: sonarqube:lts-community
@@ -385,9 +380,8 @@ jobs:
    name: >
      'RUNNER_DEBUG' is used
    strategy:
-      fail-fast: false
      matrix:
-        os: [ github-ubuntu-latest-s, github-windows-latest-s, macos-latest ]
+        os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@v5
@@ -405,7 +399,7 @@ jobs:
        run: |
          ./test/assertFileContains ./output.properties "sonar.verbose=true"
  runAnalysisWithCacheTest:
-    runs-on: github-ubuntu-latest-s
+    runs-on: ubuntu-latest-large
    services:
      sonarqube:
        image: sonarqube:lts-community
@@ -445,9 +439,8 @@ jobs:
    name: >
      'SONARCLOUD_URL' is used
    strategy:
-      fail-fast: false
      matrix:
-        os: [ github-ubuntu-latest-s, github-windows-latest-s, macos-latest ]
+        os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@v5
@@ -466,7 +459,7 @@ jobs:
          ./test/assertFileContains ./output.properties "sonar.scanner.sonarcloudUrl=mirror.sonarcloud.io" 
  dontFailWhenMissingWgetButCurlAvailable:
    name: Don't fail when missing wget but curl available
-    runs-on: github-ubuntu-latest-s
+    runs-on: ubuntu-latest-large
    steps:
      - uses: actions/checkout@v5
        with:
@@ -492,7 +485,7 @@ jobs:
          ./test/assertFileExists ./output.properties
  dontFailWhenMissingCurlButWgetAvailable:
    name: Don't fail when missing curl but wget available
-    runs-on: github-ubuntu-latest-s
+    runs-on: ubuntu-latest-large
    steps:
      - uses: actions/checkout@v5
        with:
@@ -519,7 +512,7 @@ jobs:
          ./test/assertFileExists ./output.properties
  failWhenBothWgetAndCurlMissing:
    name: Fail when both wget and curl are missing
-    runs-on: github-ubuntu-latest-s
+    runs-on: ubuntu-latest-large
    steps:
      - uses: actions/checkout@v5
        with:
@@ -552,7 +545,7 @@ jobs:
  curlPerformsRedirect:
    name: >
      curl performs redirect when scannerBinariesUrl returns 3xx
-    runs-on: github-ubuntu-latest-s
+    runs-on: ubuntu-latest-large
    steps:
      - uses: actions/checkout@v5
        with:
@@ -585,9 +578,8 @@ jobs:
    name: >
      'SONAR_ROOT_CERT' is converted to truststore
    strategy:
-      fail-fast: false
      matrix:
-        os: [ github-ubuntu-latest-s, github-windows-latest-s, macos-latest ]
+        os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@v5
@@ -639,7 +631,7 @@ jobs:
  analysisWithSslCertificate:
    name: >
      Analysis takes into account 'SONAR_ROOT_CERT'
-    runs-on: github-ubuntu-latest-s
+    runs-on: ubuntu-latest-large
    steps:
      - uses: actions/checkout@v5
        with:
@@ -747,7 +739,7 @@ jobs:
  overridesScannerLocalFolderWhenPresent: # can happen in uncleaned self-hosted runners
    name: >
      'SCANNER_LOCAL_FOLDER' is cleaned with warning when present
-    runs-on: github-ubuntu-latest-s
+    runs-on: ubuntu-latest-large
    steps:
      - uses: actions/checkout@v5
        with:
@@ -781,7 +773,7 @@ jobs:
  updateTruststoreWhenPresent: # can happen in uncleaned self-hosted runners
    name: >
      truststore.p12 is updated when present
-    runs-on: github-ubuntu-latest-s
+    runs-on: ubuntu-latest-large
    steps:
      - uses: actions/checkout@v5
        with:
@@ -910,7 +902,7 @@ jobs:
  scannerVersionValidationTest:
    name: >
      'scannerVersion' input validation
-    runs-on: github-ubuntu-latest-s
+    runs-on: ubuntu-latest-large
    steps:
      - uses: actions/checkout@v5
        with:
--- a/.github/workflows/qa-scripts.yml
+++ b/.github/workflows/qa-scripts.yml
@@ -10,7 +10,7 @@ on:
 jobs:
  create-install-dir-test:
    name: create_install_path.sh
-    runs-on: github-ubuntu-latest-s
+    runs-on: ubuntu-latest-large
    steps:
      - uses: actions/checkout@v5
        with:
@@ -107,7 +107,7 @@ jobs:
          grep "=== Script failed ===" output
  setup-script-test:
    name: configure_paths.sh
-    runs-on: github-ubuntu-latest-s
+    runs-on: ubuntu-latest-large
    env:
      INSTALL_PATH: 'install-directory'
      SONAR_HOST_URL: 'http://sonar-host.com'
@@ -250,7 +250,7 @@ jobs:
          grep "=== Script failed ===" output
  download-script-test:
    name: download.sh
-    runs-on: github-ubuntu-latest-s
+    runs-on: ubuntu-latest-large
    steps:
      - uses: actions/checkout@v5
        with:
@@ -319,7 +319,7 @@ jobs:
          grep "=== Script failed ===" output
  fetch-latest-version-test:
    name: fetch_latest_version.sh
-    runs-on: github-ubuntu-latest-s
+    runs-on: ubuntu-latest-large
    steps:
      - uses: actions/checkout@v5
        with:
--- a/.github/workflows/update-tags.yml
+++ b/.github/workflows/update-tags.yml
@@ -7,7 +7,7 @@ on:

 jobs:
  generate:
-    runs-on: github-ubuntu-latest-s
+    runs-on: ubuntu-latest-large
    permissions:
      contents: write

--- a/.github/workflows/version_update.yml
+++ b/.github/workflows/version_update.yml
@@ -7,7 +7,7 @@ on:
 jobs:
  check-version:
    name: Check for sonar-scanner version update
-    runs-on: github-ubuntu-latest-s
+    runs-on: ubuntu-latest-large
    outputs:
      should_update: ${{ steps.version-check.outputs.should_update }}
      new-version: ${{ steps.latest-version.outputs.sonar-scanner-version }}
@@ -43,7 +43,7 @@ jobs:
  update-version:
    name: Prepare pull request for sonar-scanner version update
    needs: check-version
-    runs-on: github-ubuntu-latest-s
+    runs-on: ubuntu-latest-large
    permissions:
      contents: write
      pull-requests: write
--- a/action.yml
+++ b/action.yml
@@ -31,6 +31,9 @@ runs:
      env:
        INPUT_PROJECTBASEDIR: ${{ inputs.projectBaseDir }}
        INPUT_SCANNERVERSION: ${{ inputs.scannerVersion }}
+    - name: Vulnerability warning
+      shell: bash
+      run: echo "::warning title=Vulnerability warning::This version of the SonarQube Scanner GitHub Action is no longer supported and contains a security vulnerability. Please update your workflow to use sonarsource/sonarqube-scan-action@v6 for the latest security patches and features. For more information visit https://community.sonarsource.com/gha-v6-update"
    - name: Load Sonar Scanner CLI from cache
      id: sonar-scanner-cli
      uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 #v4.2.4
@@ -51,19 +54,9 @@ runs:
      run: echo "${RUNNER_TEMP}/sonar-scanner-cli-${{ inputs.scannerVersion }}-${{ runner.os }}-${{ runner.arch }}/bin" >> $GITHUB_PATH
      shell: bash
    - name: Run SonarScanner
-      uses: satackey/action-js-inline@v0.0.2
-      with:
-        required-packages: "string-argv"
-        script: |
-          const core = require('@actions/core')
-          const exec = require('@actions/exec')
-          const { parseArgsStringToArgv } = require('string-argv');
-          
-          const IS_WINDOWS = process.platform === 'win32'
-          const runnerTemp = process.env.RUNNER_TEMP
-          
-          var args = parseArgsStringToArgv(core.getInput('args'));
-          
-          exec.exec(IS_WINDOWS ? 'sonar-scanner.bat' : 'sonar-scanner', args);
+      run: ${GITHUB_ACTION_PATH}/scripts/run-sonar-scanner.sh
+      shell: bash
      env:
        INPUT_ARGS: ${{ inputs.args }}
+        INPUT_PROJECTBASEDIR: ${{ inputs.projectBaseDir }}
+        SONAR_SCANNER_JRE: ${{ runner.temp }}/sonar-scanner-cli-${{ inputs.scannerVersion }}-${{ runner.os }}-${{ runner.arch }}/jre