SQSCANGHA-92 Validate scanner version (#189 )

Co-authored-by: Julien HENRY <julien.henry@sonarsource.com>
SQSCANGHA-94 Update version update logic (#188 )
2025-05-05 17:48:40 +02:00 · 2025-05-05 17:48:00 +02:00 · 2025-05-05 17:47:42 +02:00 · 2025-04-29 12:17:00 +02:00 · 2025-04-24 11:33:26 +02:00
9 changed files with 103 additions and 23 deletions
--- a/.cirrus/wss-unified-agent.config
+++ b/.cirrus/wss-unified-agent.config
@@ -1,4 +0,0 @@
-docker.projectNameFormat=repositoryNameAndTag
-docker.scanImages=true
-wss.url=https://saas-eu.whitesourcesoftware.com/agent
-productName=GitHubAction/SonarQubeScanAction
--- a/.github/workflows/qa-main.yml
+++ b/.github/workflows/qa-main.yml
@@ -38,13 +38,39 @@ jobs:
      - name: Run action with args
        uses: ./
        with:
-          args: -Dsonar.someArg=aValue -Dsonar.scanner.internal.dumpToFile=./output.properties
+          args: -Dsonar.someArg=aValue -Dsonar.anotherArgWithSpaces="Another Value"
        env:
          SONAR_HOST_URL: http://not_actually_used
          SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'
      - name: Assert
        run: |
          ./test/assertFileContains ./output.properties "sonar.someArg=aValue"
+          ./test/assertFileContains ./output.properties "sonar.anotherArgWithSpaces=Another Value"
+  argsInputInjectionTest:
+    name: >
+      'args' input with command injection will fail
+    strategy:
+      matrix:
+        os: [ ubuntu-latest, windows-latest, macos-latest ]
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Run action with args
+        uses: ./
+        continue-on-error: true
+        with:
+          args: -Dsonar.someArg=aValue && echo "Injection"
+        env:
+          SONAR_HOST_URL: http://not_actually_used
+          SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'
+      - name: Fail if action succeeded
+        if: steps.runTest.outcome == 'success'
+        run: exit 1
+      - name: Assert the scanner was not called
+        run: |
+          ./test/assertFileDoesntExist ./output.properties
  projectBaseDirInputTest:
    name: >
      'projectBaseDir' input
@@ -783,3 +809,26 @@ jobs:
          [ -f "$SONAR_SSL_FOLDER/truststore.p12" ] || exit 1
          TRUSTSTORE_P12_MOD_TIME_T3=$(stat -c %Y "$SONAR_SSL_FOLDER/truststore.p12")
          [ "$TRUSTSTORE_P12_MOD_TIME_T2" != "$TRUSTSTORE_P12_MOD_TIME_T3" ] || exit 1
+  scannerVersionValidationTest:
+    name: >
+      'scannerVersion' input validation
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Run action with invalid scannerVersion
+        id: invalid_version
+        uses: ./
+        continue-on-error: true
+        with:
+          scannerVersion: "7.1.0-SNAPSHOT"
+          args: -Dsonar.scanner.internal.dumpToFile=./output.properties
+        env:
+          NO_CACHE: true
+          SONAR_HOST_URL: http://not_actually_used
+      - name: Assert failure of previous step
+        if: steps.invalid_version.outcome == 'success'
+        run: |
+          echo "Action with invalid scannerVersion should have failed but succeeded"
+          exit 1
--- a/.github/workflows/update-tags.yml
+++ b/.github/workflows/update-tags.yml
@@ -16,7 +16,7 @@ jobs:
        uses: actions/checkout@v4

      - name: Parse semver
-        uses: madhead/semver-utils@v4
+        uses: madhead/semver-utils@36d1e0ed361bd7b4b77665de8093092eaeabe6ba # v4.3.0
        id: version
        with:
          version: ${{ github.ref_name }}
--- a/.github/workflows/version_update.yml
+++ b/.github/workflows/version_update.yml
@@ -5,12 +5,12 @@ on:
    - cron: '15 10 * * *'

 jobs:
-  update-version:
-    name: Prepare pull request for sonar-scanner version update
+  check-version:
+    name: Check for sonar-scanner version update
    runs-on: ubuntu-latest
-    permissions:
-      contents: write
-      pull-requests: write
+    outputs:
+      should_update: ${{ steps.version-check.outputs.should_update }}
+      latest_version: ${{ steps.latest-version.outputs.latest }}
    steps:
      - run: sudo apt install -y jq
      - run: sudo snap install yq
@@ -25,25 +25,43 @@ jobs:
        shell: bash
        run: cat sonar-scanner-version >> $GITHUB_OUTPUT

-      - name: "Fetch lastest sonar-scanner version"
+      - name: "Fetch latest sonar-scanner version"
        id: latest-version
        shell: bash
        run: |
          ./scripts/fetch_latest_version.sh > sonar-scanner-version
-          cat sonar-scanner-version >> $GITHUB_OUTPUT
+          echo "latest=$(cat sonar-scanner-version)" >> $GITHUB_OUTPUT
+
+      - name: "Determine if update is needed"
+        id: version-check
+        shell: bash
+        run: |
+          if [[ "${{ steps.tagged-version.outputs.sonar-scanner-version }}" != "${{ steps.latest-version.outputs.latest }}" ]]; then
+            echo "should_update=true" >> $GITHUB_OUTPUT
+          else
+            echo "should_update=false" >> $GITHUB_OUTPUT
+          fi
+
+  update-version:
+    name: Prepare pull request for sonar-scanner version update
+    needs: check-version
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+    if: needs.check-version.outputs.should_update == 'true'
+    steps:
      - name: "Update default version"
-        if: steps.tagged-version.outputs.sonar-scanner-version != steps.latest-version.outputs.sonar-scanner-version
        shell: bash
        env:
-          NEW_VERSION: ${{ steps.latest-version.outputs.sonar-scanner-version }}
+          NEW_VERSION: ${{ needs.check-version.outputs.latest-version }}
        run: |
           yq -i '.inputs.scannerVersion.default = strenv(NEW_VERSION)' action.yml
      - name: "Create Pull Request for version update"
-        if: steps.tagged-version.outputs.sonar-scanner-version != steps.latest-version.outputs.sonar-scanner-version
        shell: bash
        env:
-          UPDATE_BRANCH: update-to-sonar-scanner-${{ steps.latest-version.outputs.sonar-scanner-version }}
-          TITLE: "Update SonarScanner CLI to ${{ steps.latest-version.outputs.sonar-scanner-version }}"
+          UPDATE_BRANCH: update-to-sonar-scanner-${{ needs.check-version.outputs.latest-version }}
+          TITLE: "Update SonarScanner CLI to ${{ needs.check-version.outputs.latest-version }}"
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          git config --global user.name "SonarTech"
--- a/action.yml
+++ b/action.yml
@@ -30,6 +30,7 @@ runs:
      shell: bash
      env:
        INPUT_PROJECTBASEDIR: ${{ inputs.projectBaseDir }}
+        INPUT_SCANNERVERSION: ${{ inputs.scannerVersion }}
    - name: Load Sonar Scanner CLI from cache
      id: sonar-scanner-cli
      uses: actions/cache@v4
@@ -50,7 +51,10 @@ runs:
      run: echo "${RUNNER_TEMP}/sonar-scanner-cli-${{ inputs.scannerVersion }}-${{ runner.os }}-${{ runner.arch }}/bin" >> $GITHUB_PATH
      shell: bash
    - name: Run SonarScanner
-      run: ${GITHUB_ACTION_PATH}/scripts/run-sonar-scanner-cli.sh ${{ inputs.args }}
+      run: |
+        args=(${{ inputs.args }})
+        cmd=(${GITHUB_ACTION_PATH}/scripts/run-sonar-scanner-cli.sh "${args[@]}")
+        "${cmd[@]}"
      shell: bash
      env:
        INPUT_PROJECTBASEDIR: ${{ inputs.projectBaseDir }}
--- a/scripts/sanity-checks.sh
+++ b/scripts/sanity-checks.sh
@@ -2,6 +2,11 @@

 set -eo pipefail

+if [[ ! "${INPUT_SCANNERVERSION}" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+  echo "::error title=SonarScanner::Invalid scannerVersion format. Expected format: x.y.z.w (e.g., 7.1.0.4889)"
+  exit 1
+fi
+
 if [[ -z "${SONAR_TOKEN}" ]]; then
  echo "::warning title=SonarScanner::Running this GitHub Action without SONAR_TOKEN is not recommended"
 fi
--- a/test/assertFileContains
+++ b/test/assertFileContains
@@ -1,10 +1,14 @@
 #!/bin/bash

+set -eou pipefail
+
 error() { echo -e "\\e[31m✗ $*\\e[0m"; }

-assertFileExists $1
+scriptDir=$(dirname -- "$(readlink -f -- "${BASH_SOURCE[0]}")")

-if ! grep -q $2 $1; then
+$scriptDir/assertFileExists "$1"
+
+if ! grep -q "$2" "$1"; then
  error "'$2' not found in '$1'"
  exit 1
 fi
--- a/test/assertFileDoesntExist
+++ b/test/assertFileDoesntExist
@@ -1,8 +1,10 @@
 #!/bin/bash

+set -eou pipefail
+
 error() { echo -e "\\e[31m✗ $*\\e[0m"; }

-if [ -f $1 ]; then
+if [ -f "$1" ]; then
  error "File '$1' found"
  exit 1
 fi
--- a/test/assertFileExists
+++ b/test/assertFileExists
@@ -1,8 +1,10 @@
 #!/bin/bash

+set -eou pipefail
+
 error() { echo -e "\\e[31m✗ $*\\e[0m"; }

-if [ ! -f $1 ]; then
+if [ ! -f "$1" ]; then
  error "File '$1' not found"
  exit 1
 fi
Author	SHA1	Message	Date
csaba-feher-sonarsource	2500896589	SQSCANGHA-92 Validate scanner version (#189 ) Co-authored-by: Julien HENRY <julien.henry@sonarsource.com>	2025-05-05 17:48:40 +02:00
csaba-feher-sonarsource	73bc64cb64	SQSCANGHA-94 Update version update logic (#188 )	2025-05-05 17:48:00 +02:00
csaba-feher-sonarsource	7d51dd28ef	SQSCANGHA-93 Fix madhead/semver-utils' version (#187 ) Co-authored-by: Julien HENRY <julien.henry@sonarsource.com>	2025-05-05 17:47:42 +02:00
Julien HENRY	be0a85295f	SQSCANGHA-89 Fix possible command injection It is unlikely to be a real concern, since an attacker having the possibility to edit a pipeline can easily execute any command, but at least our step won't be involved	2025-04-29 12:17:00 +02:00
Pierre	12d7d00f02	SQSCANGHA-90 remove mend dead conf (#184 )	2025-04-24 11:33:26 +02:00