SonarSource/sonarqube-scan-action
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: SonarSource:v5.2.0
Branches Tags
SonarSource:master SonarSource:update-to-sonar-scanner-8.0.1.6346 SonarSource:update-to-sonar-scanner-8.0.0.6341 SonarSource:br-v4.2.1 SonarSource:br-v5.3.1 SonarSource:jh/fix_qa SonarSource:jh/update_version SonarSource:jh/SQSCANGHA-48_update_cirrus
SonarSource:v4 SonarSource:v4.2.2 SonarSource:v4.2 SonarSource:v5 SonarSource:v5.3.2 SonarSource:v5.3 SonarSource:v6.0 SonarSource:v6 SonarSource:v6.0.0 SonarSource:v5.3.1 SonarSource:v5.3.0 SonarSource:v5.2 SonarSource:v5.2.0 SonarSource:v5.1 SonarSource:v5.1.0 SonarSource:v5.0 SonarSource:v5.0.0 SonarSource:v4.2.1 SonarSource:v4.2.0 SonarSource:v4.1.0 SonarSource:v4.1 SonarSource:v4.0 SonarSource:v4.0.0 SonarSource:v3 SonarSource:v3.1 SonarSource:v3.1.0 SonarSource:v3.0 SonarSource:v3.0.0 SonarSource:v2.3 SonarSource:v2.3.0 SonarSource:v2 SonarSource:v2.2 SonarSource:v2.2.0 SonarSource:v2.1 SonarSource:v2.1.0 SonarSource:v2.0 SonarSource:v2.0.2 SonarSource:v2.0.1 SonarSource:v2.0.0 SonarSource:v1 SonarSource:v1.2 SonarSource:v1.2.0 SonarSource:v1.1.0 SonarSource:v1.0.0
...
compare: SonarSource:v5.3.1
Branches Tags
SonarSource:update-to-sonar-scanner-8.0.1.6346 SonarSource:update-to-sonar-scanner-8.0.0.6341 SonarSource:master SonarSource:br-v4.2.1 SonarSource:br-v5.3.1 SonarSource:jh/fix_qa SonarSource:jh/update_version SonarSource:jh/SQSCANGHA-48_update_cirrus
SonarSource:v4 SonarSource:v4.2.2 SonarSource:v4.2 SonarSource:v5 SonarSource:v5.3.2 SonarSource:v5.3 SonarSource:v6.0 SonarSource:v6 SonarSource:v6.0.0 SonarSource:v5.3.1 SonarSource:v5.3.0 SonarSource:v5.2 SonarSource:v5.2.0 SonarSource:v5.1 SonarSource:v5.1.0 SonarSource:v5.0 SonarSource:v5.0.0 SonarSource:v4.2.1 SonarSource:v4.2.0 SonarSource:v4.1.0 SonarSource:v4.1 SonarSource:v4.0 SonarSource:v4.0.0 SonarSource:v3 SonarSource:v3.1 SonarSource:v3.1.0 SonarSource:v3.0 SonarSource:v3.0.0 SonarSource:v2.3 SonarSource:v2.3.0 SonarSource:v2 SonarSource:v2.2 SonarSource:v2.2.0 SonarSource:v2.1 SonarSource:v2.1.0 SonarSource:v2.0 SonarSource:v2.0.2 SonarSource:v2.0.1 SonarSource:v2.0.0 SonarSource:v1 SonarSource:v1.2 SonarSource:v1.2.0 SonarSource:v1.1.0 SonarSource:v1.0.0

10 Commits
v5.2.0 ... v5.3.1

Author SHA1 Message Date
Daan Timmer
1a6d90ebcb SQSCANGHA-102 Pin actions/cache to a full-length commit SHA (#199) 2025-08-28 12:18:32 +02:00
Aleksandra Bozhinoska
016cabf33a SQSCANGHA-101 Add more command injection tests 2025-08-28 10:57:10 +02:00
Aleksandra Bozhinoska
5fc8cfce6b SQSCANGHA-101 Fix sha256 check in QA Deprecated C/C++ action 2025-08-28 10:57:10 +02:00
dependabot[bot]
786af10ed4 NO-JIRA Bump actions/checkout from 4 to 5 
Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 5.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v4...v5)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-08-19 13:34:18 +02:00
Julien HENRY
01850e2590 SQSCANGHA-94 Fix the scanner-update workflow 2025-07-22 11:46:10 +02:00
github-actions[bot]
8c71dc039c SQSCANGHA-98 Update SonarScanner CLI to 7.2.0.5079 (#196) 
Co-authored-by: SonarTech <sonartech@sonarsource.com>
 2025-07-22 10:45:53 +02:00
Elian Doran
ef211f93a6 SQSCANGHA-97 Use /usr/bin/env for shebang (#193) 2025-06-30 10:17:39 +02:00
Samir M
74f62c995b BUILD-8073 Migrate public repositories workflows to large runners 2025-05-26 14:06:24 +02:00
Aleksandra Bozhinoska
c8aa051cc4 SQSCANGHA-83 Avoid unbound variable error on parameter expansion (#192) 2025-05-16 16:57:48 +02:00
csaba-feher-sonarsource
bfe63be746 SQSCANGHA-95 Update CODEOWNERS (#190) 2025-05-07 15:34:05 +02:00
26 changed files with 226 additions and 117 deletions
Expand all files Collapse all files

2
.github/CODEOWNERS vendored
View File

@@ -1 +1 @@
.github/CODEOWNERS @sonarsource/orchestration-processing-squad
.github/* @sonarsource/orchestration-processing-squad

2
.github/workflows/PullRequestClosed.yml vendored
View File

@@ -7,7 +7,7 @@ on:
jobs:
PullRequestClosed_job:
name: Pull Request Closed
runs-on: ubuntu-latest
runs-on: ubuntu-latest-large
permissions:
id-token: write
pull-requests: read

2
.github/workflows/PullRequestCreated.yml vendored
View File

@@ -7,7 +7,7 @@ on:
jobs:
PullRequestCreated_job:
name: Pull Request Created
runs-on: ubuntu-latest
runs-on: ubuntu-latest-large
permissions:
id-token: write
# For external PR, ticket should be created manually

2
.github/workflows/RequestReview.yml vendored
View File

@@ -7,7 +7,7 @@ on:
jobs:
RequestReview_job:
name: Request review
runs-on: ubuntu-latest
runs-on: ubuntu-latest-large
permissions:
id-token: write
# For external PR, ticket should be moved manually

2
.github/workflows/SubmitReview.yml vendored
View File

@@ -7,7 +7,7 @@ on:
jobs:
SubmitReview_job:
name: Submit Review
runs-on: ubuntu-latest
runs-on: ubuntu-latest-large
permissions:
id-token: write
pull-requests: read

4
.github/workflows/qa-deprecated-c-cpp.yml vendored
View File

@@ -12,7 +12,7 @@ jobs:
name: Action outputs
strategy:
matrix:
os: [ubuntu-latest, windows-latest, macos-latest, macos-13]
os: [ubuntu-latest-large, windows-latest-large, macos-latest, macos-13]
cache: [true, false]
include:
- arch: X64
@@ -31,7 +31,7 @@ jobs:
exit 1
fi
- uses: actions/checkout@v4
- uses: actions/checkout@v5
with:
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis

4
.github/workflows/qa-install-build-wrapper.yml vendored
View File

@@ -12,7 +12,7 @@ jobs:
name: Action outputs
strategy:
matrix:
os: [ubuntu-latest, windows-latest, macos-latest, macos-13]
os: [ubuntu-latest-large, windows-latest-large, macos-latest, macos-13]
cache: [true, false]
include:
- arch: X64
@@ -31,7 +31,7 @@ jobs:
exit 1
fi
- uses: actions/checkout@v4
- uses: actions/checkout@v5
with:
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis

194
.github/workflows/qa-main.yml vendored
View File

@@ -11,12 +11,15 @@ jobs:
noInputsTest:
name: >
No inputs
runs-on: ubuntu-latest
strategy:
matrix:
os: [ ubuntu-latest-large, macos-latest ]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action with args
- name: Run action without args
uses: ./
env:
SONAR_HOST_URL: http://not_actually_used
@@ -29,39 +32,41 @@ jobs:
'args' input
strategy:
matrix:
os: [ ubuntu-latest, windows-latest, macos-latest ]
os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action with args
uses: ./
with:
args: -Dsonar.someArg=aValue -Dsonar.anotherArgWithSpaces="Another Value"
args: -Dsonar.someArg=aValue -Dsonar.anotherArgWithSpaces="Another Value" -Dsonar.argWithSingleQuotes='Another Value'
env:
SONAR_HOST_URL: http://not_actually_used
SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'
- name: Assert
run: |
./test/assertFileContains ./output.properties "sonar.someArg=aValue"
./test/assertFileContains ./output.properties "sonar.anotherArgWithSpaces=Another Value"
./test/assertFileContains ./output.properties 'sonar.anotherArgWithSpaces="Another Value"'
./test/assertFileContains ./output.properties "sonar.argWithSingleQuotes='Another Value'"
argsInputInjectionTest:
name: >
'args' input with command injection will fail
strategy:
matrix:
os: [ ubuntu-latest, windows-latest, macos-latest ]
os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
args: [ -Dsonar.someArg=aValue && echo "Injection", -Dsonar.someArg="value\"; whoami; echo \"" ]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action with args
uses: ./
continue-on-error: true
with:
args: -Dsonar.someArg=aValue && echo "Injection"
args: ${{ matrix.args }}
env:
SONAR_HOST_URL: http://not_actually_used
SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'
@@ -71,15 +76,100 @@ jobs:
- name: Assert the scanner was not called
run: |
./test/assertFileDoesntExist ./output.properties
backtickCommandInjectionTest:
name: >
'args' input with backticks injection does not execute command
strategy:
matrix:
os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action with args
uses: ./
continue-on-error: true
with:
args: >
-Dsonar.arg1="refs/heads/branch: [workflows] Bump `actions/*`" -Dsonar.arg2="test `echo Command Injection`" -Dsonar.arg3="`id`" -Dsonar.arg4="test'; `echo injection`; echo '" -Dsonar.arg5=" `whoami` " -Dsonar.arg6="test\`echo injection\`test"
env:
SONAR_HOST_URL: http://not_actually_used
SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'
- name: Assert command in arg is not executed
run: |
./test/assertFileContains ./output.properties 'sonar.arg1="refs/heads/branch\\: \[workflows\] Bump `actions/\*`"'
./test/assertFileContains ./output.properties 'sonar.arg2="test `echo Command Injection`"'
./test/assertFileContains ./output.properties 'sonar.arg3="`id`"'
./test/assertFileContains ./output.properties "sonar.arg4=\"test'; \`echo injection\`; echo '\""
./test/assertFileContains ./output.properties 'sonar.arg5=" `whoami` "'
./test/assertFileContains ./output.properties 'sonar.arg6="test\\\\`echo injection\\\\`test"'
dollarSymbolCommandInjectionTest:
name: >
'args' input with dollar command injection does not execute command
strategy:
matrix:
os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action with args
uses: ./
continue-on-error: true
with:
args: -Dsonar.arg1="$(whoami)" -Dsonar.arg2="$GITHUB_TOKEN" -Dsonar.arg3="$(echo outer $(echo inner))" -Dsonar.arg4="value\$(whoami)end" -Dsonar.arg5="$(printf 'A%.0s' {1..10000})" -Dsonar.arg6='value"; $(whoami); echo "'
env:
SONAR_HOST_URL: http://not_actually_used
SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'
- name: Assert command in arg is not executed
run: |
./test/assertFileContains ./output.properties 'sonar.arg1="$(whoami)"'
./test/assertFileContains ./output.properties 'sonar.arg2="$GITHUB_TOKEN"'
./test/assertFileContains ./output.properties 'sonar.arg3="$(echo outer $(echo inner))"'
./test/assertFileContains ./output.properties 'sonar.arg4="value\\\\$(whoami)end"'
./test/assertFileContains ./output.properties 'sonar.arg5="$(printf '\''A%.0s'\'' {1..10000})"'
./test/assertFileContains ./output.properties 'sonar.arg6='\''value"; $(whoami); echo "'\'''
otherCommandInjectionVariantsTest:
name: >
'args' input with other command injection variants does not execute command
strategy:
matrix:
os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action with args
uses: ./
continue-on-error: true
with:
args: -Dsonar.arg1="test | base64" -Dsonar.arg2="value; whoami" -Dsonar.arg3="value && echo test" -Dsonar.arg4="value > /tmp/output.txt" -Dsonar.arg5="< /etc/passwd" -Dsonar.arg6="" -Dsonar.arg7="../../../*" -Dsonar.arg8="*.key" -Dsonar.arg9="test\u0027\u0060whoami\u0060"
env:
SONAR_HOST_URL: http://not_actually_used
SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'
- name: Assert command in arg is not executed
run: |
./test/assertFileContains ./output.properties 'sonar.arg1="test | base64"'
./test/assertFileContains ./output.properties 'sonar.arg2="value; whoami"'
./test/assertFileContains ./output.properties 'sonar.arg3="value && echo test"'
./test/assertFileContains ./output.properties 'sonar.arg4="value > /tmp/output.txt"'
./test/assertFileContains ./output.properties 'sonar.arg5="< /etc/passwd"'
./test/assertFileContains ./output.properties 'sonar.arg6=""'
./test/assertFileContains ./output.properties 'sonar.arg7="../../../\*"'
./test/assertFileContains ./output.properties 'sonar.arg8="\*.key"'
./test/assertFileContains ./output.properties 'sonar.arg9="test\\\\u0027\\\\u0060whoami\\\\u0060"'
projectBaseDirInputTest:
name: >
'projectBaseDir' input
strategy:
matrix:
os: [ ubuntu-latest, windows-latest, macos-latest ]
os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
- run: mkdir -p ./baseDir
@@ -97,9 +187,9 @@ jobs:
scannerVersionTest:
name: >
'scannerVersion' input
runs-on: ubuntu-latest # assumes default RUNNER_ARCH for linux is X64
runs-on: ubuntu-latest-large # assumes default RUNNER_ARCH for linux is X64
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action with scannerVersion
@@ -117,9 +207,9 @@ jobs:
scannerBinariesUrlTest:
name: >
'scannerBinariesUrl' input with invalid URL
runs-on: ubuntu-latest # assumes default RUNNER_ARCH for linux is X64
runs-on: ubuntu-latest-large # assumes default RUNNER_ARCH for linux is X64
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action with scannerBinariesUrl
@@ -145,9 +235,9 @@ jobs:
scannerBinariesUrlIsEscapedWithWget:
name: >
'scannerBinariesUrl' is escaped with wget so special chars are not injected in the download command
runs-on: ubuntu-latest
runs-on: ubuntu-latest-large
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action with scannerBinariesUrl
@@ -166,9 +256,9 @@ jobs:
scannerBinariesUrlIsEscapedWithCurl:
name: >
'scannerBinariesUrl' is escaped with curl so special chars are not injected in the download command
runs-on: ubuntu-latest
runs-on: ubuntu-latest-large
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Remove wget
@@ -195,9 +285,9 @@ jobs:
dontFailGradleTest:
name: >
Don't fail on Gradle project
runs-on: ubuntu-latest
runs-on: ubuntu-latest-large
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action on Gradle project
@@ -216,9 +306,9 @@ jobs:
dontFailGradleKotlinTest:
name: >
Don't fail on Kotlin Gradle project
runs-on: ubuntu-latest
runs-on: ubuntu-latest-large
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action on Kotlin Gradle project
@@ -237,9 +327,9 @@ jobs:
dontFailMavenTest:
name: >
Don't fail on Maven project
runs-on: ubuntu-latest
runs-on: ubuntu-latest-large
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action on Maven project
@@ -256,7 +346,7 @@ jobs:
run: |
./test/assertFileExists ./output.properties
runAnalysisTest:
runs-on: ubuntu-latest
runs-on: ubuntu-latest-large
services:
sonarqube:
image: sonarqube:lts-community
@@ -272,7 +362,7 @@ jobs:
--health-timeout 5s
--health-retries 10
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action on sample project
@@ -291,10 +381,10 @@ jobs:
'RUNNER_DEBUG' is used
strategy:
matrix:
os: [ ubuntu-latest, windows-latest, macos-latest ]
os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action with debug mode
@@ -309,7 +399,7 @@ jobs:
run: |
./test/assertFileContains ./output.properties "sonar.verbose=true"
runAnalysisWithCacheTest:
runs-on: ubuntu-latest
runs-on: ubuntu-latest-large
services:
sonarqube:
image: sonarqube:lts-community
@@ -325,7 +415,7 @@ jobs:
--health-timeout 5s
--health-retries 10
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: SonarQube Cache
@@ -350,10 +440,10 @@ jobs:
'SONARCLOUD_URL' is used
strategy:
matrix:
os: [ ubuntu-latest, windows-latest, macos-latest ]
os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action with SONARCLOUD_URL
@@ -369,9 +459,9 @@ jobs:
./test/assertFileContains ./output.properties "sonar.scanner.sonarcloudUrl=mirror.sonarcloud.io"
dontFailWhenMissingWgetButCurlAvailable:
name: Don't fail when missing wget but curl available
runs-on: ubuntu-latest
runs-on: ubuntu-latest-large
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Remove wget
@@ -395,9 +485,9 @@ jobs:
./test/assertFileExists ./output.properties
dontFailWhenMissingCurlButWgetAvailable:
name: Don't fail when missing curl but wget available
runs-on: ubuntu-latest
runs-on: ubuntu-latest-large
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Remove curl
@@ -422,9 +512,9 @@ jobs:
./test/assertFileExists ./output.properties
failWhenBothWgetAndCurlMissing:
name: Fail when both wget and curl are missing
runs-on: ubuntu-latest
runs-on: ubuntu-latest-large
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Remove wget and curl
@@ -455,9 +545,9 @@ jobs:
curlPerformsRedirect:
name: >
curl performs redirect when scannerBinariesUrl returns 3xx
runs-on: ubuntu-latest
runs-on: ubuntu-latest-large
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Remove wget
@@ -489,10 +579,10 @@ jobs:
'SONAR_ROOT_CERT' is converted to truststore
strategy:
matrix:
os: [ ubuntu-latest, windows-latest, macos-latest ]
os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
runs-on: ${{ matrix.os }}
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action with SSL certificate
@@ -541,9 +631,9 @@ jobs:
analysisWithSslCertificate:
name: >
Analysis takes into account 'SONAR_ROOT_CERT'
runs-on: ubuntu-latest
runs-on: ubuntu-latest-large
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Generate server certificate
@@ -649,9 +739,9 @@ jobs:
overridesScannerLocalFolderWhenPresent: # can happen in uncleaned self-hosted runners
name: >
'SCANNER_LOCAL_FOLDER' is cleaned with warning when present
runs-on: ubuntu-latest
runs-on: ubuntu-latest-large
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Create a dummy SCANNER_LOCAL_FOLDER with dummy content in it
@@ -683,9 +773,9 @@ jobs:
updateTruststoreWhenPresent: # can happen in uncleaned self-hosted runners
name: >
truststore.p12 is updated when present
runs-on: ubuntu-latest
runs-on: ubuntu-latest-large
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Create SONAR_SSL_FOLDER with a file in it (not-truststore.p12)
@@ -812,9 +902,9 @@ jobs:
scannerVersionValidationTest:
name: >
'scannerVersion' input validation
runs-on: ubuntu-latest
runs-on: ubuntu-latest-large
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
with:
token: ${{ secrets.GITHUB_TOKEN }}
- name: Run action with invalid scannerVersion

16
.github/workflows/qa-scripts.yml vendored
View File

@@ -10,9 +10,9 @@ on:
jobs:
create-install-dir-test:
name: create_install_path.sh
runs-on: ubuntu-latest
runs-on: ubuntu-latest-large
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
with:
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
@@ -107,7 +107,7 @@ jobs:
grep "=== Script failed ===" output
setup-script-test:
name: configure_paths.sh
runs-on: ubuntu-latest
runs-on: ubuntu-latest-large
env:
INSTALL_PATH: 'install-directory'
SONAR_HOST_URL: 'http://sonar-host.com'
@@ -123,7 +123,7 @@ jobs:
SONAR_SCANNER_URL_MACOSX_AARCH64: 'https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-vX.Y.Z.MMMM-macosx-aarch64.zip'
SONAR_SCANNER_SHA_MACOSX_AARCH64: 'DOWNLOAD-SHA-MACOSX-AARCH64'
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
with:
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
@@ -250,9 +250,9 @@ jobs:
grep "=== Script failed ===" output
download-script-test:
name: download.sh
runs-on: ubuntu-latest
runs-on: ubuntu-latest-large
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
with:
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
@@ -319,9 +319,9 @@ jobs:
grep "=== Script failed ===" output
fetch-latest-version-test:
name: fetch_latest_version.sh
runs-on: ubuntu-latest
runs-on: ubuntu-latest-large
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@v5
with:
fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
- name: Test script

4
.github/workflows/update-tags.yml vendored
View File

@@ -7,13 +7,13 @@ on:
jobs:
generate:
runs-on: ubuntu-latest
runs-on: ubuntu-latest-large
permissions:
contents: write
steps:
- name: Checkout
uses: actions/checkout@v4
uses: actions/checkout@v5
- name: Parse semver
uses: madhead/semver-utils@36d1e0ed361bd7b4b77665de8093092eaeabe6ba # v4.3.0

29
.github/workflows/version_update.yml vendored
View File

@@ -7,17 +7,15 @@ on:
jobs:
check-version:
name: Check for sonar-scanner version update
runs-on: ubuntu-latest
runs-on: ubuntu-latest-large
outputs:
should_update: ${{ steps.version-check.outputs.should_update }}
latest_version: ${{ steps.latest-version.outputs.latest }}
new-version: ${{ steps.latest-version.outputs.sonar-scanner-version }}
steps:
- run: sudo apt install -y jq
- run: sudo snap install yq
- uses: actions/checkout@v4
- uses: actions/checkout@v5
with:
ref: master
persist-credentials: true
fetch-depth: 0
- name: "Fetch currently used sonar-scanner version"
@@ -30,13 +28,13 @@ jobs:
shell: bash
run: |
./scripts/fetch_latest_version.sh > sonar-scanner-version
echo "latest=$(cat sonar-scanner-version)" >> $GITHUB_OUTPUT
cat sonar-scanner-version >> $GITHUB_OUTPUT
- name: "Determine if update is needed"
id: version-check
shell: bash
run: |
if [[ "${{ steps.tagged-version.outputs.sonar-scanner-version }}" != "${{ steps.latest-version.outputs.latest }}" ]]; then
if [[ "${{ steps.tagged-version.outputs.sonar-scanner-version }}" != "${{ steps.latest-version.outputs.sonar-scanner-version }}" ]]; then
echo "should_update=true" >> $GITHUB_OUTPUT
else
echo "should_update=false" >> $GITHUB_OUTPUT
@@ -45,23 +43,30 @@ jobs:
update-version:
name: Prepare pull request for sonar-scanner version update
needs: check-version
runs-on: ubuntu-latest
runs-on: ubuntu-latest-large
permissions:
contents: write
pull-requests: write
if: needs.check-version.outputs.should_update == 'true'
steps:
- uses: actions/checkout@v5
with:
ref: master
persist-credentials: true
fetch-depth: 0
- run: sudo snap install yq
- name: "Update default version"
shell: bash
env:
NEW_VERSION: ${{ needs.check-version.outputs.latest-version }}
NEW_VERSION: ${{ needs.check-version.outputs.new-version }}
run: |
yq -i '.inputs.scannerVersion.default = strenv(NEW_VERSION)' action.yml
./scripts/fetch_latest_version.sh > sonar-scanner-version
- name: "Create Pull Request for version update"
shell: bash
env:
UPDATE_BRANCH: update-to-sonar-scanner-${{ needs.check-version.outputs.latest-version }}
TITLE: "Update SonarScanner CLI to ${{ needs.check-version.outputs.latest-version }}"
UPDATE_BRANCH: update-to-sonar-scanner-${{ needs.check-version.outputs.new-version }}
TITLE: "Update SonarScanner CLI to ${{ needs.check-version.outputs.new-version }}"
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
git config --global user.name "SonarTech"
@@ -74,5 +79,5 @@ jobs:
gh pr list
if [[ $(gh pr list -H "${UPDATE_BRANCH}" | grep "${UPDATE_BRANCH}" | wc -l) -eq 0 ]]; then
gh pr create -B master -H ${UPDATE_BRANCH} --title "${TITLE}" --body "Automatic updated of sonar-scanner version value. Needs to be tagged for release."
gh pr create -B master -H ${UPDATE_BRANCH} --title "${TITLE}" --body "Automatic update of the sonar-scanner version value. Be sure to trigger the QA workflow by closing and reopening this PR (see https://github.com/orgs/community/discussions/65321)."
fi

10
action.yml
View File

@@ -17,7 +17,7 @@ inputs:
description: Version of the Sonar Scanner CLI to use
required: false
# to be kept in sync with sonar-scanner-version
default: 7.1.0.4889
default: 7.2.0.5079
scannerBinariesUrl:
description: URL to download the Sonar Scanner CLI binaries from
required: false
@@ -33,7 +33,7 @@ runs:
INPUT_SCANNERVERSION: ${{ inputs.scannerVersion }}
- name: Load Sonar Scanner CLI from cache
id: sonar-scanner-cli
uses: actions/cache@v4
uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 #v4.2.4
env:
# The default value is 60mins. Reaching timeout is treated the same as a cache miss.
SEGMENT_DOWNLOAD_TIMEOUT_MINS: 1
@@ -51,11 +51,9 @@ runs:
run: echo "${RUNNER_TEMP}/sonar-scanner-cli-${{ inputs.scannerVersion }}-${{ runner.os }}-${{ runner.arch }}/bin" >> $GITHUB_PATH
shell: bash
- name: Run SonarScanner
run: |
args=(${{ inputs.args }})
cmd=(${GITHUB_ACTION_PATH}/scripts/run-sonar-scanner-cli.sh "${args[@]}")
"${cmd[@]}"
run: ${GITHUB_ACTION_PATH}/scripts/run-sonar-scanner.sh
shell: bash
env:
INPUT_ARGS: ${{ inputs.args }}
INPUT_PROJECTBASEDIR: ${{ inputs.projectBaseDir }}
SONAR_SCANNER_JRE: ${{ runner.temp }}/sonar-scanner-cli-${{ inputs.scannerVersion }}-${{ runner.os }}-${{ runner.arch }}/jre

2
scripts/cert.sh
View File

@@ -1,4 +1,4 @@
#!/bin/bash
#!/usr/bin/env bash
if [[ -n "${SONAR_ROOT_CERT}" ]]; then
echo "Adding custom root certificate to java certificate store"

2
scripts/configure_paths.sh
View File

@@ -1,4 +1,4 @@
#!/bin/bash
#!/usr/bin/env bash
if [[ ${ARCH} != "X64" && ! (${ARCH} == "ARM64" && (${OS} == "macOS" || ${OS} == "Linux")) ]]; then
echo "::error::Architecture '${ARCH}' is unsupported by build-wrapper"

2
scripts/create_install_path.sh
View File

@@ -1,4 +1,4 @@
#!/bin/bash
#!/usr/bin/env bash
source "$(dirname -- "$0")/utils.sh"

4
scripts/download.sh
View File

@@ -1,4 +1,4 @@
#!/bin/bash
#!/usr/bin/env bash
source "$(dirname -- "$0")/utils.sh"
@@ -28,7 +28,7 @@ parse_arguments() {
}
verify_download_correctness() {
echo "${EXPECTED_SHA} ${TMP_ZIP_PATH}" | sha256sum -c
echo "${EXPECTED_SHA} ${TMP_ZIP_PATH}" | sha256sum -c -
check_status "Checking sha256 failed"
}

2
scripts/fetch_latest_version.sh
View File

@@ -1,4 +1,4 @@
#!/bin/bash
#!/usr/bin/env bash
source "$(dirname -- "$0")/utils.sh"

2
scripts/install-sonar-scanner-cli.sh
View File

@@ -1,4 +1,4 @@
#!/bin/bash
#!/usr/bin/env bash
set -eou pipefail

16
scripts/run-sonar-scanner-cli.sh
View File

@@ -1,4 +1,4 @@
#!/bin/bash
#!/usr/bin/env bash
set -eo pipefail
@@ -73,9 +73,19 @@ if [[ -n "${SONAR_ROOT_CERT}" ]]; then
scanner_args+=("-Dsonar.scanner.truststorePassword=$SONAR_SSL_TRUSTSTORE_PASSWORD")
fi
scanner_args+=("$@")
# split input args correctly (passed through INPUT_ARGS env var to avoid execution of injected command)
args=()
if [[ -n "${INPUT_ARGS}" ]]; then
# the regex recognizes args with values in single or double quotes (without character escaping), and args without quotes as well
# more specifically, the following patterns: -Darg="value", -Darg='value', -Darg=value, "-Darg=value" and '-Darg=value'
IFS=$'\n'; args=($(echo ${INPUT_ARGS} | egrep -o '[^" '\'']+="[^"]*"|[^" '\'']+='\''[^'\'']*'\''|[^" '\'']+|"[^"]+"|'\''[^'\'']+'\'''))
fi
for arg in "${args[@]}"; do
scanner_args+=("$arg")
done
set -ux
$SCANNER_BIN "${scanner_args[@]}"
$SCANNER_BIN ${scanner_args[@]+"${scanner_args[@]}"}

6
scripts/run-sonar-scanner.sh Executable file
View File

@@ -0,0 +1,6 @@
#!/usr/bin/env bash
set -euo pipefail
# run the sonar scanner cli
cmd=(${GITHUB_ACTION_PATH}/scripts/run-sonar-scanner-cli.sh "${INPUT_ARGS}")
"${cmd[@]}"

2
scripts/sanity-checks.sh
View File

@@ -1,4 +1,4 @@
#!/bin/bash
#!/usr/bin/env bash
set -eo pipefail

2
scripts/utils.sh
View File

@@ -1,4 +1,4 @@
#!/bin/bash
#!/usr/bin/env bash
check_status() {
exit_status=$?

22
sonar-scanner-version
View File

@@ -1,11 +1,11 @@
sonar-scanner-version=7.1.0.4889
sonar-scanner-url-windows-x64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-7.1.0.4889-windows-x64.zip
sonar-scanner-sha-windows-x64=64c5154d3d924eb2e03386f10eecb3ec4132298e2c1bf0b60a0d0195cd51a555
sonar-scanner-url-linux-x64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-7.1.0.4889-linux-x64.zip
sonar-scanner-sha-linux-x64=b4d2a001d65b489f9effe1ea8a78495db1b152f124d7f7b058aad8651c7e1484
sonar-scanner-url-linux-aarch64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-7.1.0.4889-linux-aarch64.zip
sonar-scanner-sha-linux-aarch64=7948ccde77843829b87d41815ead669486f681cd38b0b0893006083a9b6f6b5c
sonar-scanner-url-macosx-x64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-7.1.0.4889-macosx-x64.zip
sonar-scanner-sha-macosx-x64=08ad1e75994d91a17016ce55248d0827b62a757b263917234ea2d89bee8f136d
sonar-scanner-url-macosx-aarch64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-7.1.0.4889-macosx-aarch64.zip
sonar-scanner-sha-macosx-aarch64=9ad8c5da9e9665c065328b86adb3f33ef43801347ecb3ff1ec27d598ac37b449
sonar-scanner-version=7.2.0.5079
sonar-scanner-url-windows-x64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-7.2.0.5079-windows-x64.zip
sonar-scanner-sha-windows-x64=71936f352206b63cb05ffbcd68e366e52d22916148cf4a2418789bc776f733ea
sonar-scanner-url-linux-x64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-7.2.0.5079-linux-x64.zip
sonar-scanner-sha-linux-x64=da9f4e64a3d555f08ce38b5469ebd91fe2b311af473f7001a5ee5c1fd58b004b
sonar-scanner-url-linux-aarch64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-7.2.0.5079-linux-aarch64.zip
sonar-scanner-sha-linux-aarch64=803ca725d463e95eeb7537515706367bb8e52bf05ac32174daf9773bdb36d1e2
sonar-scanner-url-macosx-x64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-7.2.0.5079-macosx-x64.zip
sonar-scanner-sha-macosx-x64=7b9e92248ca740fff41503bfe5459c460bac43c501d80043cc4fbebb72dfc5fa
sonar-scanner-url-macosx-aarch64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-7.2.0.5079-macosx-aarch64.zip
sonar-scanner-sha-macosx-aarch64=c8adb3fbfe5485c17de193a217be765b66cbc10d6540057655afa3c3b5be6f61

2
test/assertFileContains
View File

@@ -1,4 +1,4 @@
#!/bin/bash
#!/usr/bin/env bash
set -eou pipefail

2
test/assertFileDoesntExist
View File

@@ -1,4 +1,4 @@
#!/bin/bash
#!/usr/bin/env bash
set -eou pipefail

2
test/assertFileExists
View File

@@ -1,4 +1,4 @@
#!/bin/bash
#!/usr/bin/env bash
set -eou pipefail