SQSCANGHA-121 Add vulnerability warning

Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 5.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v4...v5)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

.cirrus/wss-unified-agent.config

@@ -1,4 +0,0 @@
-docker.projectNameFormat=repositoryNameAndTag
-docker.scanImages=true
-wss.url=https://saas-eu.whitesourcesoftware.com/agent
-productName=GitHubAction/SonarQubeScanAction

.github/CODEOWNERS

@@ -1 +1 @@
-.github/CODEOWNERS @sonarsource/analysis-experience-squad
+.github/* @sonarsource/orchestration-processing-squad

.github/workflows/PullRequestClosed.yml

@@ -5,16 +5,15 @@ on:
     types: [closed]
 
 jobs:
-  PullRequestMerged_job:
-    name: Pull Request Merged
-    runs-on: ubuntu-latest
+  PullRequestClosed_job:
+    name: Pull Request Closed
+    runs-on: ubuntu-latest-large
     permissions:
       id-token: write
       pull-requests: read
     # For external PR, ticket should be moved manually
     if: |
         github.event.pull_request.head.repo.full_name == github.repository
-        && github.event.pull_request.merged
     steps:
       - id: secrets
         uses: SonarSource/vault-action-wrapper@v3

.github/workflows/PullRequestCreated.yml

@@ -7,7 +7,7 @@ on:
 jobs:
   PullRequestCreated_job:
     name: Pull Request Created
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest-large
     permissions:
       id-token: write
     # For external PR, ticket should be created manually

.github/workflows/RequestReview.yml

@@ -7,7 +7,7 @@ on:
 jobs:
   RequestReview_job:
     name: Request review
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest-large
     permissions:
       id-token: write
     # For external PR, ticket should be moved manually

.github/workflows/SubmitReview.yml

@@ -7,7 +7,7 @@ on:
 jobs:
   SubmitReview_job:
     name: Submit Review
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest-large
     permissions:
       id-token: write
       pull-requests: read

.github/workflows/qa-deprecated-c-cpp.yml

@@ -12,7 +12,7 @@ jobs:
     name: Action outputs
     strategy:
       matrix:
-        os: [ubuntu-latest, windows-latest, macos-latest, macos-13]
+        os: [ubuntu-latest-large, windows-latest-large, macos-latest, macos-13]
         cache: [true, false]
         include:
           - arch: X64
@@ -31,7 +31,7 @@ jobs:
             exit 1
           fi
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with:
           fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
 

.github/workflows/qa-install-build-wrapper.yml

@@ -12,7 +12,7 @@ jobs:
     name: Action outputs
     strategy:
       matrix:
-        os: [ubuntu-latest, windows-latest, macos-latest, macos-13]
+        os: [ubuntu-latest-large, windows-latest-large, macos-latest, macos-13]
         cache: [true, false]
         include:
           - arch: X64
@@ -31,7 +31,7 @@ jobs:
             exit 1
           fi
 
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with:
           fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
 

.github/workflows/qa-main.yml

@@ -11,12 +11,15 @@ jobs:
   noInputsTest:
     name: >
       No inputs
-    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        os: [ ubuntu-latest-large, macos-latest ]
+    runs-on: ${{ matrix.os }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
-      - name: Run action with args
+      - name: Run action without args
         uses: ./
         env:
           SONAR_HOST_URL: http://not_actually_used
@@ -29,31 +32,144 @@ jobs:
       'args' input
     strategy:
       matrix:
-        os: [ ubuntu-latest, windows-latest, macos-latest ]
+        os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
     runs-on: ${{ matrix.os }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
       - name: Run action with args
         uses: ./
         with:
-          args: -Dsonar.someArg=aValue -Dsonar.scanner.internal.dumpToFile=./output.properties
+          args: -Dsonar.someArg=aValue -Dsonar.anotherArgWithSpaces="Another Value" -Dsonar.argWithSingleQuotes='Another Value'
         env:
           SONAR_HOST_URL: http://not_actually_used
           SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'
       - name: Assert
         run: |
           ./test/assertFileContains ./output.properties "sonar.someArg=aValue"
+          ./test/assertFileContains ./output.properties 'sonar.anotherArgWithSpaces="Another Value"'
+          ./test/assertFileContains ./output.properties "sonar.argWithSingleQuotes='Another Value'"
+  argsInputInjectionTest:
+    name: >
+      'args' input with command injection will fail
+    strategy:
+      matrix:
+        os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
+        args: [ -Dsonar.someArg=aValue && echo "Injection", -Dsonar.someArg="value\"; whoami; echo \"" ]
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@v5
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Run action with args
+        uses: ./
+        continue-on-error: true
+        with:
+          args: ${{ matrix.args }}
+        env:
+          SONAR_HOST_URL: http://not_actually_used
+          SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'
+      - name: Fail if action succeeded
+        if: steps.runTest.outcome == 'success'
+        run: exit 1
+      - name: Assert the scanner was not called
+        run: |
+          ./test/assertFileDoesntExist ./output.properties
+  backtickCommandInjectionTest:
+    name: >
+      'args' input with backticks injection does not execute command
+    strategy:
+      matrix:
+        os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@v5
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Run action with args
+        uses: ./
+        continue-on-error: true
+        with:
+          args: >
+            -Dsonar.arg1="refs/heads/branch: [workflows] Bump `actions/*`" -Dsonar.arg2="test `echo Command Injection`" -Dsonar.arg3="`id`" -Dsonar.arg4="test'; `echo injection`; echo '" -Dsonar.arg5="   `whoami`   " -Dsonar.arg6="test\`echo injection\`test"
+        env:
+          SONAR_HOST_URL: http://not_actually_used
+          SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'
+      - name: Assert command in arg is not executed
+        run: |
+          ./test/assertFileContains ./output.properties 'sonar.arg1="refs/heads/branch\\: \[workflows\] Bump `actions/\*`"'
+          ./test/assertFileContains ./output.properties 'sonar.arg2="test `echo Command Injection`"'
+          ./test/assertFileContains ./output.properties 'sonar.arg3="`id`"'
+          ./test/assertFileContains ./output.properties "sonar.arg4=\"test'; \`echo injection\`; echo '\""
+          ./test/assertFileContains ./output.properties 'sonar.arg5="   `whoami`   "'
+          ./test/assertFileContains ./output.properties 'sonar.arg6="test\\\\`echo injection\\\\`test"'
+  dollarSymbolCommandInjectionTest:
+    name: >
+      'args' input with dollar command injection does not execute command
+    strategy:
+      matrix:
+        os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@v5
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Run action with args
+        uses: ./
+        continue-on-error: true
+        with:
+          args: -Dsonar.arg1="$(whoami)" -Dsonar.arg2="$GITHUB_TOKEN" -Dsonar.arg3="$(echo outer $(echo inner))" -Dsonar.arg4="value\$(whoami)end" -Dsonar.arg5="$(printf 'A%.0s' {1..10000})" -Dsonar.arg6='value"; $(whoami); echo "'
+        env:
+          SONAR_HOST_URL: http://not_actually_used
+          SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'
+      - name: Assert command in arg is not executed
+        run: |
+          ./test/assertFileContains ./output.properties 'sonar.arg1="$(whoami)"'
+          ./test/assertFileContains ./output.properties 'sonar.arg2="$GITHUB_TOKEN"'
+          ./test/assertFileContains ./output.properties 'sonar.arg3="$(echo outer $(echo inner))"'
+          ./test/assertFileContains ./output.properties 'sonar.arg4="value\\\\$(whoami)end"'
+          ./test/assertFileContains ./output.properties 'sonar.arg5="$(printf '\''A%.0s'\'' {1..10000})"'
+          ./test/assertFileContains ./output.properties 'sonar.arg6='\''value"; $(whoami); echo "'\'''
+  otherCommandInjectionVariantsTest:
+    name: >
+      'args' input with other command injection variants does not execute command
+    strategy:
+      matrix:
+        os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@v5
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Run action with args
+        uses: ./
+        continue-on-error: true
+        with:
+          args: -Dsonar.arg1="test | base64" -Dsonar.arg2="value; whoami" -Dsonar.arg3="value && echo test" -Dsonar.arg4="value > /tmp/output.txt" -Dsonar.arg5="< /etc/passwd" -Dsonar.arg6="" -Dsonar.arg7="../../../*" -Dsonar.arg8="*.key" -Dsonar.arg9="test\u0027\u0060whoami\u0060"
+        env:
+          SONAR_HOST_URL: http://not_actually_used
+          SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'
+      - name: Assert command in arg is not executed
+        run: |
+          ./test/assertFileContains ./output.properties 'sonar.arg1="test | base64"'
+          ./test/assertFileContains ./output.properties 'sonar.arg2="value; whoami"'
+          ./test/assertFileContains ./output.properties 'sonar.arg3="value && echo test"'
+          ./test/assertFileContains ./output.properties 'sonar.arg4="value > /tmp/output.txt"'
+          ./test/assertFileContains ./output.properties 'sonar.arg5="< /etc/passwd"'
+          ./test/assertFileContains ./output.properties 'sonar.arg6=""'
+          ./test/assertFileContains ./output.properties 'sonar.arg7="../../../\*"'
+          ./test/assertFileContains ./output.properties 'sonar.arg8="\*.key"'
+          ./test/assertFileContains ./output.properties 'sonar.arg9="test\\\\u0027\\\\u0060whoami\\\\u0060"'
   projectBaseDirInputTest:
     name: >
       'projectBaseDir' input
     strategy:
       matrix:
-        os: [ ubuntu-latest, windows-latest, macos-latest ]
+        os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
     runs-on: ${{ matrix.os }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
       - run: mkdir -p ./baseDir
@@ -71,9 +187,9 @@ jobs:
   scannerVersionTest:
     name: >
       'scannerVersion' input
-    runs-on: ubuntu-latest # assumes default RUNNER_ARCH for linux is X64
+    runs-on: ubuntu-latest-large # assumes default RUNNER_ARCH for linux is X64
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
       - name: Run action with scannerVersion
@@ -91,9 +207,9 @@ jobs:
   scannerBinariesUrlTest:
     name: >
       'scannerBinariesUrl' input with invalid URL
-    runs-on: ubuntu-latest # assumes default RUNNER_ARCH for linux is X64
+    runs-on: ubuntu-latest-large # assumes default RUNNER_ARCH for linux is X64
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
       - name: Run action with scannerBinariesUrl
@@ -119,9 +235,9 @@ jobs:
   scannerBinariesUrlIsEscapedWithWget:
     name: >
       'scannerBinariesUrl' is escaped with wget so special chars are not injected in the download command
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest-large
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
       - name: Run action with scannerBinariesUrl
@@ -140,9 +256,9 @@ jobs:
   scannerBinariesUrlIsEscapedWithCurl:
     name: >
       'scannerBinariesUrl' is escaped with curl so special chars are not injected in the download command
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest-large
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
       - name: Remove wget
@@ -169,9 +285,9 @@ jobs:
   dontFailGradleTest:
     name: >
       Don't fail on Gradle project
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest-large
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
       - name: Run action on Gradle project
@@ -190,9 +306,9 @@ jobs:
   dontFailGradleKotlinTest:
     name: >
       Don't fail on Kotlin Gradle project
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest-large
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
       - name: Run action on Kotlin Gradle project
@@ -211,9 +327,9 @@ jobs:
   dontFailMavenTest:
     name: >
       Don't fail on Maven project
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest-large
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
       - name: Run action on Maven project
@@ -230,7 +346,7 @@ jobs:
         run: |
           ./test/assertFileExists ./output.properties
   runAnalysisTest:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest-large
     services:
       sonarqube:
         image: sonarqube:lts-community
@@ -246,7 +362,7 @@ jobs:
           --health-timeout 5s
           --health-retries 10
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
       - name: Run action on sample project
@@ -265,10 +381,10 @@ jobs:
       'RUNNER_DEBUG' is used
     strategy:
       matrix:
-        os: [ ubuntu-latest, windows-latest, macos-latest ]
+        os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
     runs-on: ${{ matrix.os }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
       - name: Run action with debug mode
@@ -283,7 +399,7 @@ jobs:
         run: |
           ./test/assertFileContains ./output.properties "sonar.verbose=true"
   runAnalysisWithCacheTest:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest-large
     services:
       sonarqube:
         image: sonarqube:lts-community
@@ -299,7 +415,7 @@ jobs:
           --health-timeout 5s
           --health-retries 10
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
       - name: SonarQube Cache
@@ -324,16 +440,16 @@ jobs:
       'SONARCLOUD_URL' is used
     strategy:
       matrix:
-        os: [ ubuntu-latest, windows-latest, macos-latest ]
+        os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
     runs-on: ${{ matrix.os }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
       - name: Run action with SONARCLOUD_URL
         uses: ./
         with:
-          args: -Dsonar.scanner.internal.dumpToFile=./output.properties
+          args: -Dsonar.scanner.apiBaseUrl=api.mirror.sonarcloud.io -Dsonar.scanner.internal.dumpToFile=./output.properties
         env:
           SONARCLOUD_URL: mirror.sonarcloud.io
           SONAR_TOKEN: FAKE_TOKEN
@@ -343,9 +459,9 @@ jobs:
           ./test/assertFileContains ./output.properties "sonar.scanner.sonarcloudUrl=mirror.sonarcloud.io" 
   dontFailWhenMissingWgetButCurlAvailable:
     name: Don't fail when missing wget but curl available
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest-large
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
       - name: Remove wget
@@ -369,9 +485,9 @@ jobs:
           ./test/assertFileExists ./output.properties
   dontFailWhenMissingCurlButWgetAvailable:
     name: Don't fail when missing curl but wget available
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest-large
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
       - name: Remove curl
@@ -396,9 +512,9 @@ jobs:
           ./test/assertFileExists ./output.properties
   failWhenBothWgetAndCurlMissing:
     name: Fail when both wget and curl are missing
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest-large
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
       - name: Remove wget and curl
@@ -429,9 +545,9 @@ jobs:
   curlPerformsRedirect:
     name: >
       curl performs redirect when scannerBinariesUrl returns 3xx
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest-large
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
       - name: Remove wget
@@ -449,6 +565,7 @@ jobs:
         id: runTest
         uses: ./
         with:
+          scannerVersion: 6.2.1.4610
           scannerBinariesUrl: http://localhost:8080/clientRedirectToSonarBinaries
         env:
           NO_CACHE: true
@@ -462,10 +579,10 @@ jobs:
       'SONAR_ROOT_CERT' is converted to truststore
     strategy:
       matrix:
-        os: [ ubuntu-latest, windows-latest, macos-latest ]
+        os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
     runs-on: ${{ matrix.os }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
       - name: Run action with SSL certificate
@@ -514,9 +631,9 @@ jobs:
   analysisWithSslCertificate:
     name: >
       Analysis takes into account 'SONAR_ROOT_CERT'
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest-large
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
       - name: Generate server certificate
@@ -622,9 +739,9 @@ jobs:
   overridesScannerLocalFolderWhenPresent: # can happen in uncleaned self-hosted runners
     name: >
       'SCANNER_LOCAL_FOLDER' is cleaned with warning when present
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest-large
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
       - name: Create a dummy SCANNER_LOCAL_FOLDER with dummy content in it
@@ -656,9 +773,9 @@ jobs:
   updateTruststoreWhenPresent: # can happen in uncleaned self-hosted runners
     name: >
       truststore.p12 is updated when present
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest-large
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
       - name: Create SONAR_SSL_FOLDER with a file in it (not-truststore.p12)
@@ -782,3 +899,26 @@ jobs:
           [ -f "$SONAR_SSL_FOLDER/truststore.p12" ] || exit 1
           TRUSTSTORE_P12_MOD_TIME_T3=$(stat -c %Y "$SONAR_SSL_FOLDER/truststore.p12")
           [ "$TRUSTSTORE_P12_MOD_TIME_T2" != "$TRUSTSTORE_P12_MOD_TIME_T3" ] || exit 1
+  scannerVersionValidationTest:
+    name: >
+      'scannerVersion' input validation
+    runs-on: ubuntu-latest-large
+    steps:
+      - uses: actions/checkout@v5
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Run action with invalid scannerVersion
+        id: invalid_version
+        uses: ./
+        continue-on-error: true
+        with:
+          scannerVersion: "7.1.0-SNAPSHOT"
+          args: -Dsonar.scanner.internal.dumpToFile=./output.properties
+        env:
+          NO_CACHE: true
+          SONAR_HOST_URL: http://not_actually_used
+      - name: Assert failure of previous step
+        if: steps.invalid_version.outcome == 'success'
+        run: |
+          echo "Action with invalid scannerVersion should have failed but succeeded"
+          exit 1

.github/workflows/qa-scripts.yml

@@ -10,9 +10,9 @@ on:
 jobs:
   create-install-dir-test:
     name: create_install_path.sh
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest-large
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with:
           fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
 
@@ -107,7 +107,7 @@ jobs:
           grep "=== Script failed ===" output
   setup-script-test:
     name: configure_paths.sh
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest-large
     env:
       INSTALL_PATH: 'install-directory'
       SONAR_HOST_URL: 'http://sonar-host.com'
@@ -123,7 +123,7 @@ jobs:
       SONAR_SCANNER_URL_MACOSX_AARCH64: 'https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-vX.Y.Z.MMMM-macosx-aarch64.zip'
       SONAR_SCANNER_SHA_MACOSX_AARCH64: 'DOWNLOAD-SHA-MACOSX-AARCH64'
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with:
           fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
 
@@ -250,9 +250,9 @@ jobs:
           grep "=== Script failed ===" output
   download-script-test:
     name: download.sh
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest-large
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with:
           fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
 
@@ -319,9 +319,9 @@ jobs:
           grep "=== Script failed ===" output
   fetch-latest-version-test:
     name: fetch_latest_version.sh
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest-large
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with:
           fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
       - name: Test script

.github/workflows/update-tags.yml

@@ -7,16 +7,16 @@ on:
 
 jobs:
   generate:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-latest-large
     permissions:
       contents: write
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Parse semver
-        uses: madhead/semver-utils@v4
+        uses: madhead/semver-utils@36d1e0ed361bd7b4b77665de8093092eaeabe6ba # v4.3.0
         id: version
         with:
           version: ${{ github.ref_name }}

.github/workflows/version_update.yml

@@ -5,16 +5,17 @@ on:
     - cron: '15 10 * * *'
 
 jobs:
-  update-version:
-    name: Prepare pull request for sonar-scanner version update
-    runs-on: ubuntu-latest
+  check-version:
+    name: Check for sonar-scanner version update
+    runs-on: ubuntu-latest-large
+    outputs:
+      should_update: ${{ steps.version-check.outputs.should_update }}
+      new-version: ${{ steps.latest-version.outputs.sonar-scanner-version }}
     steps:
       - run: sudo apt install -y jq
-
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
         with:
           ref: master
-          persist-credentials: true
           fetch-depth: 0
 
       - name: "Fetch currently used sonar-scanner version"
@@ -22,29 +23,61 @@ jobs:
         shell: bash
         run: cat sonar-scanner-version >> $GITHUB_OUTPUT
 
-      - name: "Fetch lastest sonar-scanner version"
+      - name: "Fetch latest sonar-scanner version"
         id: latest-version
         shell: bash
         run: |
           ./scripts/fetch_latest_version.sh > sonar-scanner-version
           cat sonar-scanner-version >> $GITHUB_OUTPUT
 
-      - name: "Create Pull Request for version update"
-        if: steps.tagged-version.outputs.sonar-scanner-version != steps.latest-version.outputs.sonar-scanner-version
+      - name: "Determine if update is needed"
+        id: version-check
+        shell: bash
+        run: |
+          if [[ "${{ steps.tagged-version.outputs.sonar-scanner-version }}" != "${{ steps.latest-version.outputs.sonar-scanner-version }}" ]]; then
+            echo "should_update=true" >> $GITHUB_OUTPUT
+          else
+            echo "should_update=false" >> $GITHUB_OUTPUT
+          fi
+
+  update-version:
+    name: Prepare pull request for sonar-scanner version update
+    needs: check-version
+    runs-on: ubuntu-latest-large
+    permissions:
+      contents: write
+      pull-requests: write
+    if: needs.check-version.outputs.should_update == 'true'
+    steps:
+      - uses: actions/checkout@v5
+        with:
+          ref: master
+          persist-credentials: true
+          fetch-depth: 0
+      - run: sudo snap install yq
+      - name: "Update default version"
         shell: bash
         env:
-          UPDATE_BRANCH: update-to-sonar-scanner-${{ steps.latest-version.outputs.sonar-scanner-version }}
-          TITLE: "Update sonar-scanner-version to ${{ steps.latest-version.outputs.sonar-scanner-version }}"
+          NEW_VERSION: ${{ needs.check-version.outputs.new-version }}
+        run: |
+          yq -i '.inputs.scannerVersion.default = strenv(NEW_VERSION)' action.yml
+          ./scripts/fetch_latest_version.sh > sonar-scanner-version
+      - name: "Create Pull Request for version update"
+        shell: bash
+        env:
+          UPDATE_BRANCH: update-to-sonar-scanner-${{ needs.check-version.outputs.new-version }}
+          TITLE: "Update SonarScanner CLI to ${{ needs.check-version.outputs.new-version }}"
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           git config --global user.name "SonarTech"
           git config --global user.email "sonartech@sonarsource.com"
           git checkout -b ${UPDATE_BRANCH}
           git add sonar-scanner-version
+          git add action.yml
           git commit -m "${TITLE}"
           git push --force-with-lease origin ${UPDATE_BRANCH}
           gh pr list
 
           if [[ $(gh pr list -H "${UPDATE_BRANCH}" | grep "${UPDATE_BRANCH}" | wc -l) -eq 0 ]]; then
-            gh pr create -B master -H ${UPDATE_BRANCH} --title "${TITLE}" --body "Automatic updated of sonar-scanner version value. Needs to be tagged for release."
+            gh pr create -B master -H ${UPDATE_BRANCH} --title "${TITLE}" --body "Automatic update of the sonar-scanner version value. Be sure to trigger the QA workflow by closing and reopening this PR (see https://github.com/orgs/community/discussions/65321)."
           fi

README.md

@@ -2,8 +2,10 @@
 
 This SonarSource project, available as a GitHub Action, scans your projects with SonarQube [Server](https://www.sonarsource.com/products/sonarqube/) or [Cloud](https://www.sonarsource.com/products/sonarcloud/).
 
-![Logo](./images/SQ_Logo_Server_Cloud_Dark_Backgrounds.png#gh-dark-mode-only)
-![Logo](./images/SQ_Logo_Server_Cloud_Light_Backgrounds.png#gh-light-mode-only)
+<picture>
+  <source media="(prefers-color-scheme: dark)" srcset="./images/SQ_Logo_Server_Cloud_Dark_Backgrounds.png">
+  <img alt="SonarQube Logo" src="./images/SQ_Logo_Server_Cloud_Light_Backgrounds.png">
+</picture>
 
 SonarQube [Server](https://www.sonarsource.com/products/sonarqube/) and [Cloud](https://www.sonarsource.com/products/sonarcloud/) (formerly SonarQube and SonarCloud) is a widely used static analysis solution for continuous code quality and security inspection.
 
@@ -102,20 +104,21 @@ jobs:
     - name: Install Build Wrapper
       uses: SonarSource/sonarqube-scan-action/install-build-wrapper@<action version>
       env:
-        SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
+        SONAR_HOST_URL: ${{ vars.SONAR_HOST_URL }}
     - name: Run Build Wrapper
       run: |
-        # here goes your compilation wrapped with build-wrapper; See https://docs.sonarsource.com/sonarqube/latest/ analyzing-source-code/languages/c-family/#using-build-wrapper for more information
+        # Here goes your compilation wrapped with Build Wrapper
+        # For more information, see https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/languages/c-family/prerequisites/#using-buildwrapper
         # build-preparation steps
         # build-wrapper-linux-x86-64 --out-dir ${{ env.BUILD_WRAPPER_OUT_DIR }} build-command
     - name: SonarQube Scan
       uses: SonarSource/sonarqube-scan-action@<action version>
       env:
         SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-        SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
+        SONAR_HOST_URL: ${{ vars.SONAR_HOST_URL }}
         SONAR_ROOT_CERT: ${{ secrets.SONAR_ROOT_CERT }}
       with:
-        # Consult https://docs.sonarsource.com/sonarqube/latest/analyzing-source-code/scanners/sonarscanner/ for more information and options
+        # Consult https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/scanners/sonarscanner/ for more information and options
         args: >
           --define sonar.cfamily.compile-commands="${{ env.BUILD_WRAPPER_OUT_DIR }}/compile_commands.json" 
 ```
@@ -204,7 +207,8 @@ jobs:
       uses: SonarSource/sonarqube-scan-action/install-build-wrapper@<action version>
     - name: Run Build Wrapper
       run: |
-        # here goes your compilation wrapped with build-wrapper; See https://docs.sonarsource.com/sonarqube/latest/ analyzing-source-code/languages/c-family/#using-build-wrapper for more information
+        # Here goes your compilation wrapped with Build Wrapper
+        # For more information, see https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/languages/c-family/prerequisites/#using-build-wrapper
         # build-preparation steps
         # build-wrapper-linux-x86-64 --out-dir ${{ env.BUILD_WRAPPER_OUT_DIR }} build-command
     - name: SonarQube Scan
@@ -213,7 +217,7 @@ jobs:
         SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
         SONAR_ROOT_CERT: ${{ secrets.SONAR_ROOT_CERT }}
       with:
-        # Consult https://docs.sonarsource.com/sonarqube/latest/analyzing-source-code/scanners/sonarscanner/ for more information and options
+        # Consult https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/scanners/sonarscanner/ for more information and options
         args: >
           --define sonar.cfamily.compile-commands="${{ env.BUILD_WRAPPER_OUT_DIR }}/compile_commands.json" 
 ```

action.yml

@@ -1,7 +1,8 @@
-name: Official SonarQube (Server, Cloud) Scan
+name: Official SonarQube Scan
+# Warning: changing name would change URL in the marketplace
 description: >
-  Scan your code with SonarQube Server and Cloud to detect 
-  issues in 30+ languages. (Formerly SonarQube and SonarCloud)
+  Scan your code with SonarQube Server and Cloud to detect issues in 30+ languages. (Formerly SonarQube and SonarCloud)
+
 branding:
   icon: check
   color: green
@@ -15,7 +16,8 @@ inputs:
   scannerVersion:
     description: Version of the Sonar Scanner CLI to use
     required: false
-    default: 6.2.1.4610 # to be kept in sync with sonar-scanner-version
+    # to be kept in sync with sonar-scanner-version
+    default: 7.2.0.5079
   scannerBinariesUrl:
     description: URL to download the Sonar Scanner CLI binaries from
     required: false
@@ -28,9 +30,13 @@ runs:
       shell: bash
       env:
         INPUT_PROJECTBASEDIR: ${{ inputs.projectBaseDir }}
+        INPUT_SCANNERVERSION: ${{ inputs.scannerVersion }}
+    - name: Vulnerability warning
+      shell: bash
+      run: echo "::warning title=Vulnerability warning::This version of the SonarQube Scanner GitHub Action is no longer supported and contains a security vulnerability. Please update your workflow to use sonarsource/sonarqube-scan-action@v6 for the latest security patches and features. For more information visit https://community.sonarsource.com/gha-v6-update"
     - name: Load Sonar Scanner CLI from cache
       id: sonar-scanner-cli
-      uses: actions/cache@v4
+      uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 #v4.2.4
       env:
         # The default value is 60mins. Reaching timeout is treated the same as a cache miss.
         SEGMENT_DOWNLOAD_TIMEOUT_MINS: 1
@@ -48,8 +54,9 @@ runs:
       run: echo "${RUNNER_TEMP}/sonar-scanner-cli-${{ inputs.scannerVersion }}-${{ runner.os }}-${{ runner.arch }}/bin" >> $GITHUB_PATH
       shell: bash
     - name: Run SonarScanner
-      run: ${GITHUB_ACTION_PATH}/scripts/run-sonar-scanner-cli.sh ${{ inputs.args }}
+      run: ${GITHUB_ACTION_PATH}/scripts/run-sonar-scanner.sh
       shell: bash
       env:
+        INPUT_ARGS: ${{ inputs.args }}
         INPUT_PROJECTBASEDIR: ${{ inputs.projectBaseDir }}
         SONAR_SCANNER_JRE: ${{ runner.temp }}/sonar-scanner-cli-${{ inputs.scannerVersion }}-${{ runner.os }}-${{ runner.arch }}/jre

scripts/cert.sh

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 
 if [[ -n "${SONAR_ROOT_CERT}" ]]; then
   echo "Adding custom root certificate to java certificate store"

scripts/configure_paths.sh

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 
 if [[ ${ARCH} != "X64" && ! (${ARCH} == "ARM64" && (${OS} == "macOS" || ${OS} == "Linux")) ]]; then
   echo "::error::Architecture '${ARCH}' is unsupported by build-wrapper"

scripts/create_install_path.sh

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 
 source "$(dirname -- "$0")/utils.sh"
 

scripts/download.sh

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 
 source "$(dirname -- "$0")/utils.sh"
 
@@ -28,7 +28,7 @@ parse_arguments() {
 }
 
 verify_download_correctness() {
-  echo "${EXPECTED_SHA} ${TMP_ZIP_PATH}" | sha256sum -c
+  echo "${EXPECTED_SHA} ${TMP_ZIP_PATH}" | sha256sum -c -
   check_status "Checking sha256 failed"
 }
 

scripts/fetch_latest_version.sh

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 
 source "$(dirname -- "$0")/utils.sh"
 

scripts/install-sonar-scanner-cli.sh

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 
 set -eou pipefail
 

scripts/run-sonar-scanner-cli.sh

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 
 set -eo pipefail
 
@@ -73,9 +73,19 @@ if [[ -n "${SONAR_ROOT_CERT}" ]]; then
   scanner_args+=("-Dsonar.scanner.truststorePassword=$SONAR_SSL_TRUSTSTORE_PASSWORD")
 fi
 
-scanner_args+=("$@")
+# split input args correctly (passed through INPUT_ARGS env var to avoid execution of injected command)
+args=()
+if [[ -n "${INPUT_ARGS}" ]]; then
+#  the regex recognizes args with values in single or double quotes (without character escaping), and args without quotes as well
+#  more specifically, the following patterns: -Darg="value", -Darg='value', -Darg=value, "-Darg=value" and '-Darg=value'
+  IFS=$'\n'; args=($(echo ${INPUT_ARGS} | egrep -o '[^" '\'']+="[^"]*"|[^" '\'']+='\''[^'\'']*'\''|[^" '\'']+|"[^"]+"|'\''[^'\'']+'\'''))
+fi
+
+for arg in "${args[@]}"; do
+  scanner_args+=("$arg")
+done
 
 set -ux
 
-$SCANNER_BIN "${scanner_args[@]}"
+$SCANNER_BIN ${scanner_args[@]+"${scanner_args[@]}"}
 

scripts/run-sonar-scanner.sh

@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# run the sonar scanner cli
+cmd=(${GITHUB_ACTION_PATH}/scripts/run-sonar-scanner-cli.sh "${INPUT_ARGS}")
+"${cmd[@]}"

scripts/sanity-checks.sh

@@ -1,7 +1,12 @@
-#!/bin/bash
+#!/usr/bin/env bash
 
 set -eo pipefail
 
+if [[ ! "${INPUT_SCANNERVERSION}" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+  echo "::error title=SonarScanner::Invalid scannerVersion format. Expected format: x.y.z.w (e.g., 7.1.0.4889)"
+  exit 1
+fi
+
 if [[ -z "${SONAR_TOKEN}" ]]; then
   echo "::warning title=SonarScanner::Running this GitHub Action without SONAR_TOKEN is not recommended"
 fi

scripts/utils.sh

@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/bin/env bash
 
 check_status() {
   exit_status=$?

sonar-scanner-version

@@ -1,11 +1,11 @@
-sonar-scanner-version=6.2.1.4610
-sonar-scanner-url-windows-x64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-6.2.1.4610-windows-x64.zip
-sonar-scanner-sha-windows-x64=b7de8d75c43093e0353e6a3147c3720cafac1c38da96bc61123657197086a1c9
-sonar-scanner-url-linux-x64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-6.2.1.4610-linux-x64.zip
-sonar-scanner-sha-linux-x64=0b8a3049f0bd5de7abc1582c78c233960d3d4ed7cc983a1d1635e8552f8bb439
-sonar-scanner-url-linux-aarch64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-6.2.1.4610-linux-aarch64.zip
-sonar-scanner-sha-linux-aarch64=f67819e7a52ed4c28b541baa5bca0621446314de148f889d7d2d7ff239808f0c
-sonar-scanner-url-macosx-x64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-6.2.1.4610-macosx-x64.zip
-sonar-scanner-sha-macosx-x64=471348fcb912584f093cebf28114322455979d2cceb1654e0a7990da50add94f
-sonar-scanner-url-macosx-aarch64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-6.2.1.4610-macosx-aarch64.zip
-sonar-scanner-sha-macosx-aarch64=583b1ed386b6f61ddfbb39c0ae169355e96a8e1852b0210a5a5ca4f7487347c1
+sonar-scanner-version=7.2.0.5079
+sonar-scanner-url-windows-x64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-7.2.0.5079-windows-x64.zip
+sonar-scanner-sha-windows-x64=71936f352206b63cb05ffbcd68e366e52d22916148cf4a2418789bc776f733ea
+sonar-scanner-url-linux-x64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-7.2.0.5079-linux-x64.zip
+sonar-scanner-sha-linux-x64=da9f4e64a3d555f08ce38b5469ebd91fe2b311af473f7001a5ee5c1fd58b004b
+sonar-scanner-url-linux-aarch64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-7.2.0.5079-linux-aarch64.zip
+sonar-scanner-sha-linux-aarch64=803ca725d463e95eeb7537515706367bb8e52bf05ac32174daf9773bdb36d1e2
+sonar-scanner-url-macosx-x64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-7.2.0.5079-macosx-x64.zip
+sonar-scanner-sha-macosx-x64=7b9e92248ca740fff41503bfe5459c460bac43c501d80043cc4fbebb72dfc5fa
+sonar-scanner-url-macosx-aarch64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-7.2.0.5079-macosx-aarch64.zip
+sonar-scanner-sha-macosx-aarch64=c8adb3fbfe5485c17de193a217be765b66cbc10d6540057655afa3c3b5be6f61

test/assertFileContains

@@ -1,10 +1,14 @@
-#!/bin/bash
+#!/usr/bin/env bash
+
+set -eou pipefail
 
 error() { echo -e "\\e[31m✗ $*\\e[0m"; }
 
-assertFileExists $1
+scriptDir=$(dirname -- "$(readlink -f -- "${BASH_SOURCE[0]}")")
 
-if ! grep -q $2 $1; then
+$scriptDir/assertFileExists "$1"
+
+if ! grep -q "$2" "$1"; then
   error "'$2' not found in '$1'"
   exit 1
 fi

test/assertFileDoesntExist

@@ -1,8 +1,10 @@
-#!/bin/bash
+#!/usr/bin/env bash
+
+set -eou pipefail
 
 error() { echo -e "\\e[31m✗ $*\\e[0m"; }
 
-if [ -f $1 ]; then
+if [ -f "$1" ]; then
   error "File '$1' found"
   exit 1
 fi

test/assertFileExists

@@ -1,8 +1,10 @@
-#!/bin/bash
+#!/usr/bin/env bash
+
+set -eou pipefail
 
 error() { echo -e "\\e[31m✗ $*\\e[0m"; }
 
-if [ ! -f $1 ]; then
+if [ ! -f "$1" ]; then
   error "File '$1' not found"
   exit 1
 fi