SQSCANGHA-121 Add vulnerability warning

2025-09-25 14:31:06 +02:00
27 changed files with 97 additions and 192 deletions
--- a/.cirrus/wss-unified-agent.config
+++ b/.cirrus/wss-unified-agent.config
@@ -0,0 +1,4 @@
+docker.projectNameFormat=repositoryNameAndTag
+docker.scanImages=true
+wss.url=https://saas-eu.whitesourcesoftware.com/agent
+productName=GitHubAction/SonarQubeScanAction
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -1 +1 @@
-.github/* @sonarsource/orchestration-processing-squad
+.github/CODEOWNERS @sonarsource/analysis-experience-squad
--- a/.github/workflows/PullRequestClosed.yml
+++ b/.github/workflows/PullRequestClosed.yml
@@ -5,15 +5,16 @@ on:
    types: [closed]

 jobs:
-  PullRequestClosed_job:
-    name: Pull Request Closed
-    runs-on: ubuntu-latest-large
+  PullRequestMerged_job:
+    name: Pull Request Merged
+    runs-on: ubuntu-latest
    permissions:
      id-token: write
      pull-requests: read
    # For external PR, ticket should be moved manually
    if: |
        github.event.pull_request.head.repo.full_name == github.repository
+        && github.event.pull_request.merged
    steps:
      - id: secrets
        uses: SonarSource/vault-action-wrapper@v3
--- a/.github/workflows/PullRequestCreated.yml
+++ b/.github/workflows/PullRequestCreated.yml
@@ -7,7 +7,7 @@ on:
 jobs:
  PullRequestCreated_job:
    name: Pull Request Created
-    runs-on: ubuntu-latest-large
+    runs-on: ubuntu-latest
    permissions:
      id-token: write
    # For external PR, ticket should be created manually
--- a/.github/workflows/RequestReview.yml
+++ b/.github/workflows/RequestReview.yml
@@ -7,7 +7,7 @@ on:
 jobs:
  RequestReview_job:
    name: Request review
-    runs-on: ubuntu-latest-large
+    runs-on: ubuntu-latest
    permissions:
      id-token: write
    # For external PR, ticket should be moved manually
--- a/.github/workflows/SubmitReview.yml
+++ b/.github/workflows/SubmitReview.yml
@@ -7,7 +7,7 @@ on:
 jobs:
  SubmitReview_job:
    name: Submit Review
-    runs-on: ubuntu-latest-large
+    runs-on: ubuntu-latest
    permissions:
      id-token: write
      pull-requests: read
--- a/.github/workflows/qa-deprecated-c-cpp.yml
+++ b/.github/workflows/qa-deprecated-c-cpp.yml
@@ -12,7 +12,7 @@ jobs:
    name: Action outputs
    strategy:
      matrix:
-        os: [ubuntu-latest-large, windows-latest-large, macos-latest, macos-13]
+        os: [ubuntu-latest, windows-latest, macos-latest, macos-13]
        cache: [true, false]
        include:
          - arch: X64
--- a/.github/workflows/qa-install-build-wrapper.yml
+++ b/.github/workflows/qa-install-build-wrapper.yml
@@ -12,7 +12,7 @@ jobs:
    name: Action outputs
    strategy:
      matrix:
-        os: [ubuntu-latest-large, windows-latest-large, macos-latest, macos-13]
+        os: [ubuntu-latest, windows-latest, macos-latest, macos-13]
        cache: [true, false]
        include:
          - arch: X64
--- a/.github/workflows/qa-main.yml
+++ b/.github/workflows/qa-main.yml
@@ -11,15 +11,12 @@ jobs:
  noInputsTest:
    name: >
      No inputs
-    strategy:
-      matrix:
-        os: [ ubuntu-latest-large, macos-latest ]
-    runs-on: ${{ matrix.os }}
+    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
-      - name: Run action without args
+      - name: Run action with args
        uses: ./
        env:
          SONAR_HOST_URL: http://not_actually_used
@@ -32,7 +29,7 @@ jobs:
      'args' input
    strategy:
      matrix:
-        os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
+        os: [ ubuntu-latest, windows-latest, macos-latest ]
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@v4
@@ -41,45 +38,19 @@ jobs:
      - name: Run action with args
        uses: ./
        with:
-          args: -Dsonar.someArg=aValue -Dsonar.anotherArgWithSpaces="Another Value"
+          args: -Dsonar.someArg=aValue -Dsonar.scanner.internal.dumpToFile=./output.properties
        env:
          SONAR_HOST_URL: http://not_actually_used
          SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'
      - name: Assert
        run: |
          ./test/assertFileContains ./output.properties "sonar.someArg=aValue"
-          ./test/assertFileContains ./output.properties "sonar.anotherArgWithSpaces=Another Value"
-  argsInputInjectionTest:
-    name: >
-      'args' input with command injection will fail
-    strategy:
-      matrix:
-        os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
-    runs-on: ${{ matrix.os }}
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-      - name: Run action with args
-        uses: ./
-        continue-on-error: true
-        with:
-          args: -Dsonar.someArg=aValue && echo "Injection"
-        env:
-          SONAR_HOST_URL: http://not_actually_used
-          SONAR_SCANNER_JSON_PARAMS: '{"sonar.scanner.internal.dumpToFile": "./output.properties"}'
-      - name: Fail if action succeeded
-        if: steps.runTest.outcome == 'success'
-        run: exit 1
-      - name: Assert the scanner was not called
-        run: |
-          ./test/assertFileDoesntExist ./output.properties
  projectBaseDirInputTest:
    name: >
      'projectBaseDir' input
    strategy:
      matrix:
-        os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
+        os: [ ubuntu-latest, windows-latest, macos-latest ]
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@v4
@@ -100,7 +71,7 @@ jobs:
  scannerVersionTest:
    name: >
      'scannerVersion' input
-    runs-on: ubuntu-latest-large # assumes default RUNNER_ARCH for linux is X64
+    runs-on: ubuntu-latest # assumes default RUNNER_ARCH for linux is X64
    steps:
      - uses: actions/checkout@v4
        with:
@@ -120,7 +91,7 @@ jobs:
  scannerBinariesUrlTest:
    name: >
      'scannerBinariesUrl' input with invalid URL
-    runs-on: ubuntu-latest-large # assumes default RUNNER_ARCH for linux is X64
+    runs-on: ubuntu-latest # assumes default RUNNER_ARCH for linux is X64
    steps:
      - uses: actions/checkout@v4
        with:
@@ -148,7 +119,7 @@ jobs:
  scannerBinariesUrlIsEscapedWithWget:
    name: >
      'scannerBinariesUrl' is escaped with wget so special chars are not injected in the download command
-    runs-on: ubuntu-latest-large
+    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
@@ -169,7 +140,7 @@ jobs:
  scannerBinariesUrlIsEscapedWithCurl:
    name: >
      'scannerBinariesUrl' is escaped with curl so special chars are not injected in the download command
-    runs-on: ubuntu-latest-large
+    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
@@ -198,7 +169,7 @@ jobs:
  dontFailGradleTest:
    name: >
      Don't fail on Gradle project
-    runs-on: ubuntu-latest-large
+    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
@@ -219,7 +190,7 @@ jobs:
  dontFailGradleKotlinTest:
    name: >
      Don't fail on Kotlin Gradle project
-    runs-on: ubuntu-latest-large
+    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
@@ -240,7 +211,7 @@ jobs:
  dontFailMavenTest:
    name: >
      Don't fail on Maven project
-    runs-on: ubuntu-latest-large
+    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
@@ -259,7 +230,7 @@ jobs:
        run: |
          ./test/assertFileExists ./output.properties
  runAnalysisTest:
-    runs-on: ubuntu-latest-large
+    runs-on: ubuntu-latest
    services:
      sonarqube:
        image: sonarqube:lts-community
@@ -294,7 +265,7 @@ jobs:
      'RUNNER_DEBUG' is used
    strategy:
      matrix:
-        os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
+        os: [ ubuntu-latest, windows-latest, macos-latest ]
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@v4
@@ -312,7 +283,7 @@ jobs:
        run: |
          ./test/assertFileContains ./output.properties "sonar.verbose=true"
  runAnalysisWithCacheTest:
-    runs-on: ubuntu-latest-large
+    runs-on: ubuntu-latest
    services:
      sonarqube:
        image: sonarqube:lts-community
@@ -353,7 +324,7 @@ jobs:
      'SONARCLOUD_URL' is used
    strategy:
      matrix:
-        os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
+        os: [ ubuntu-latest, windows-latest, macos-latest ]
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@v4
@@ -362,7 +333,7 @@ jobs:
      - name: Run action with SONARCLOUD_URL
        uses: ./
        with:
-          args: -Dsonar.scanner.apiBaseUrl=api.mirror.sonarcloud.io -Dsonar.scanner.internal.dumpToFile=./output.properties
+          args: -Dsonar.scanner.internal.dumpToFile=./output.properties
        env:
          SONARCLOUD_URL: mirror.sonarcloud.io
          SONAR_TOKEN: FAKE_TOKEN
@@ -372,7 +343,7 @@ jobs:
          ./test/assertFileContains ./output.properties "sonar.scanner.sonarcloudUrl=mirror.sonarcloud.io" 
  dontFailWhenMissingWgetButCurlAvailable:
    name: Don't fail when missing wget but curl available
-    runs-on: ubuntu-latest-large
+    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
@@ -398,7 +369,7 @@ jobs:
          ./test/assertFileExists ./output.properties
  dontFailWhenMissingCurlButWgetAvailable:
    name: Don't fail when missing curl but wget available
-    runs-on: ubuntu-latest-large
+    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
@@ -425,7 +396,7 @@ jobs:
          ./test/assertFileExists ./output.properties
  failWhenBothWgetAndCurlMissing:
    name: Fail when both wget and curl are missing
-    runs-on: ubuntu-latest-large
+    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
@@ -458,7 +429,7 @@ jobs:
  curlPerformsRedirect:
    name: >
      curl performs redirect when scannerBinariesUrl returns 3xx
-    runs-on: ubuntu-latest-large
+    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
@@ -478,7 +449,6 @@ jobs:
        id: runTest
        uses: ./
        with:
-          scannerVersion: 6.2.1.4610
          scannerBinariesUrl: http://localhost:8080/clientRedirectToSonarBinaries
        env:
          NO_CACHE: true
@@ -492,7 +462,7 @@ jobs:
      'SONAR_ROOT_CERT' is converted to truststore
    strategy:
      matrix:
-        os: [ ubuntu-latest-large, windows-latest-large, macos-latest ]
+        os: [ ubuntu-latest, windows-latest, macos-latest ]
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@v4
@@ -544,7 +514,7 @@ jobs:
  analysisWithSslCertificate:
    name: >
      Analysis takes into account 'SONAR_ROOT_CERT'
-    runs-on: ubuntu-latest-large
+    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
@@ -652,7 +622,7 @@ jobs:
  overridesScannerLocalFolderWhenPresent: # can happen in uncleaned self-hosted runners
    name: >
      'SCANNER_LOCAL_FOLDER' is cleaned with warning when present
-    runs-on: ubuntu-latest-large
+    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
@@ -686,7 +656,7 @@ jobs:
  updateTruststoreWhenPresent: # can happen in uncleaned self-hosted runners
    name: >
      truststore.p12 is updated when present
-    runs-on: ubuntu-latest-large
+    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
@@ -812,26 +782,3 @@ jobs:
          [ -f "$SONAR_SSL_FOLDER/truststore.p12" ] || exit 1
          TRUSTSTORE_P12_MOD_TIME_T3=$(stat -c %Y "$SONAR_SSL_FOLDER/truststore.p12")
          [ "$TRUSTSTORE_P12_MOD_TIME_T2" != "$TRUSTSTORE_P12_MOD_TIME_T3" ] || exit 1
-  scannerVersionValidationTest:
-    name: >
-      'scannerVersion' input validation
-    runs-on: ubuntu-latest-large
-    steps:
-      - uses: actions/checkout@v4
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-      - name: Run action with invalid scannerVersion
-        id: invalid_version
-        uses: ./
-        continue-on-error: true
-        with:
-          scannerVersion: "7.1.0-SNAPSHOT"
-          args: -Dsonar.scanner.internal.dumpToFile=./output.properties
-        env:
-          NO_CACHE: true
-          SONAR_HOST_URL: http://not_actually_used
-      - name: Assert failure of previous step
-        if: steps.invalid_version.outcome == 'success'
-        run: |
-          echo "Action with invalid scannerVersion should have failed but succeeded"
-          exit 1
--- a/.github/workflows/qa-scripts.yml
+++ b/.github/workflows/qa-scripts.yml
@@ -10,7 +10,7 @@ on:
 jobs:
  create-install-dir-test:
    name: create_install_path.sh
-    runs-on: ubuntu-latest-large
+    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
@@ -107,7 +107,7 @@ jobs:
          grep "=== Script failed ===" output
  setup-script-test:
    name: configure_paths.sh
-    runs-on: ubuntu-latest-large
+    runs-on: ubuntu-latest
    env:
      INSTALL_PATH: 'install-directory'
      SONAR_HOST_URL: 'http://sonar-host.com'
@@ -250,7 +250,7 @@ jobs:
          grep "=== Script failed ===" output
  download-script-test:
    name: download.sh
-    runs-on: ubuntu-latest-large
+    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
@@ -319,7 +319,7 @@ jobs:
          grep "=== Script failed ===" output
  fetch-latest-version-test:
    name: fetch_latest_version.sh
-    runs-on: ubuntu-latest-large
+    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
--- a/.github/workflows/update-tags.yml
+++ b/.github/workflows/update-tags.yml
@@ -7,7 +7,7 @@ on:

 jobs:
  generate:
-    runs-on: ubuntu-latest-large
+    runs-on: ubuntu-latest
    permissions:
      contents: write

@@ -16,7 +16,7 @@ jobs:
        uses: actions/checkout@v4

      - name: Parse semver
-        uses: madhead/semver-utils@36d1e0ed361bd7b4b77665de8093092eaeabe6ba # v4.3.0
+        uses: madhead/semver-utils@v4
        id: version
        with:
          version: ${{ github.ref_name }}
--- a/.github/workflows/version_update.yml
+++ b/.github/workflows/version_update.yml
@@ -5,15 +5,12 @@ on:
    - cron: '15 10 * * *'

 jobs:
-  check-version:
-    name: Check for sonar-scanner version update
-    runs-on: ubuntu-latest-large
-    outputs:
-      should_update: ${{ steps.version-check.outputs.should_update }}
-      latest_version: ${{ steps.latest-version.outputs.latest }}
+  update-version:
+    name: Prepare pull request for sonar-scanner version update
+    runs-on: ubuntu-latest
    steps:
      - run: sudo apt install -y jq
-      - run: sudo snap install yq
+
      - uses: actions/checkout@v4
        with:
          ref: master
@@ -25,50 +22,25 @@ jobs:
        shell: bash
        run: cat sonar-scanner-version >> $GITHUB_OUTPUT

-      - name: "Fetch latest sonar-scanner version"
+      - name: "Fetch lastest sonar-scanner version"
        id: latest-version
        shell: bash
        run: |
          ./scripts/fetch_latest_version.sh > sonar-scanner-version
-          echo "latest=$(cat sonar-scanner-version)" >> $GITHUB_OUTPUT
+          cat sonar-scanner-version >> $GITHUB_OUTPUT

-      - name: "Determine if update is needed"
-        id: version-check
-        shell: bash
-        run: |
-          if [[ "${{ steps.tagged-version.outputs.sonar-scanner-version }}" != "${{ steps.latest-version.outputs.latest }}" ]]; then
-            echo "should_update=true" >> $GITHUB_OUTPUT
-          else
-            echo "should_update=false" >> $GITHUB_OUTPUT
-          fi
-
-  update-version:
-    name: Prepare pull request for sonar-scanner version update
-    needs: check-version
-    runs-on: ubuntu-latest-large
-    permissions:
-      contents: write
-      pull-requests: write
-    if: needs.check-version.outputs.should_update == 'true'
-    steps:
-      - name: "Update default version"
-        shell: bash
-        env:
-          NEW_VERSION: ${{ needs.check-version.outputs.latest-version }}
-        run: |
-           yq -i '.inputs.scannerVersion.default = strenv(NEW_VERSION)' action.yml
      - name: "Create Pull Request for version update"
+        if: steps.tagged-version.outputs.sonar-scanner-version != steps.latest-version.outputs.sonar-scanner-version
        shell: bash
        env:
-          UPDATE_BRANCH: update-to-sonar-scanner-${{ needs.check-version.outputs.latest-version }}
-          TITLE: "Update SonarScanner CLI to ${{ needs.check-version.outputs.latest-version }}"
+          UPDATE_BRANCH: update-to-sonar-scanner-${{ steps.latest-version.outputs.sonar-scanner-version }}
+          TITLE: "Update sonar-scanner-version to ${{ steps.latest-version.outputs.sonar-scanner-version }}"
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          git config --global user.name "SonarTech"
          git config --global user.email "sonartech@sonarsource.com"
          git checkout -b ${UPDATE_BRANCH}
          git add sonar-scanner-version
-          git add action.yml
          git commit -m "${TITLE}"
          git push --force-with-lease origin ${UPDATE_BRANCH}
          gh pr list
--- a/README.md
+++ b/README.md
@@ -2,10 +2,8 @@

 This SonarSource project, available as a GitHub Action, scans your projects with SonarQube [Server](https://www.sonarsource.com/products/sonarqube/) or [Cloud](https://www.sonarsource.com/products/sonarcloud/).

-<picture>
-  <source media="(prefers-color-scheme: dark)" srcset="./images/SQ_Logo_Server_Cloud_Dark_Backgrounds.png">
-  <img alt="SonarQube Logo" src="./images/SQ_Logo_Server_Cloud_Light_Backgrounds.png">
-</picture>
+![Logo](./images/SQ_Logo_Server_Cloud_Dark_Backgrounds.png#gh-dark-mode-only)
+![Logo](./images/SQ_Logo_Server_Cloud_Light_Backgrounds.png#gh-light-mode-only)

 SonarQube [Server](https://www.sonarsource.com/products/sonarqube/) and [Cloud](https://www.sonarsource.com/products/sonarcloud/) (formerly SonarQube and SonarCloud) is a widely used static analysis solution for continuous code quality and security inspection.

@@ -104,21 +102,20 @@ jobs:
    - name: Install Build Wrapper
      uses: SonarSource/sonarqube-scan-action/install-build-wrapper@<action version>
      env:
-        SONAR_HOST_URL: ${{ vars.SONAR_HOST_URL }}
+        SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
    - name: Run Build Wrapper
      run: |
-        # Here goes your compilation wrapped with Build Wrapper
-        # For more information, see https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/languages/c-family/prerequisites/#using-buildwrapper
+        # here goes your compilation wrapped with build-wrapper; See https://docs.sonarsource.com/sonarqube/latest/ analyzing-source-code/languages/c-family/#using-build-wrapper for more information
        # build-preparation steps
        # build-wrapper-linux-x86-64 --out-dir ${{ env.BUILD_WRAPPER_OUT_DIR }} build-command
    - name: SonarQube Scan
      uses: SonarSource/sonarqube-scan-action@<action version>
      env:
        SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-        SONAR_HOST_URL: ${{ vars.SONAR_HOST_URL }}
+        SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
        SONAR_ROOT_CERT: ${{ secrets.SONAR_ROOT_CERT }}
      with:
-        # Consult https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/scanners/sonarscanner/ for more information and options
+        # Consult https://docs.sonarsource.com/sonarqube/latest/analyzing-source-code/scanners/sonarscanner/ for more information and options
        args: >
          --define sonar.cfamily.compile-commands="${{ env.BUILD_WRAPPER_OUT_DIR }}/compile_commands.json" 
 ```
@@ -207,8 +204,7 @@ jobs:
      uses: SonarSource/sonarqube-scan-action/install-build-wrapper@<action version>
    - name: Run Build Wrapper
      run: |
-        # Here goes your compilation wrapped with Build Wrapper
-        # For more information, see https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/languages/c-family/prerequisites/#using-build-wrapper
+        # here goes your compilation wrapped with build-wrapper; See https://docs.sonarsource.com/sonarqube/latest/ analyzing-source-code/languages/c-family/#using-build-wrapper for more information
        # build-preparation steps
        # build-wrapper-linux-x86-64 --out-dir ${{ env.BUILD_WRAPPER_OUT_DIR }} build-command
    - name: SonarQube Scan
@@ -217,7 +213,7 @@ jobs:
        SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
        SONAR_ROOT_CERT: ${{ secrets.SONAR_ROOT_CERT }}
      with:
-        # Consult https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/scanners/sonarscanner/ for more information and options
+        # Consult https://docs.sonarsource.com/sonarqube/latest/analyzing-source-code/scanners/sonarscanner/ for more information and options
        args: >
          --define sonar.cfamily.compile-commands="${{ env.BUILD_WRAPPER_OUT_DIR }}/compile_commands.json" 
 ```
--- a/action.yml
+++ b/action.yml
@@ -1,8 +1,8 @@
 name: Official SonarQube Scan
 # Warning: changing name would change URL in the marketplace
 description: >
-  Scan your code with SonarQube Server and Cloud to detect issues in 30+ languages. (Formerly SonarQube and SonarCloud)
-
+  Scan your code with SonarQube Server and Cloud to detect 
+  issues in 30+ languages. (Formerly SonarQube and SonarCloud)
 branding:
  icon: check
  color: green
@@ -16,8 +16,7 @@ inputs:
  scannerVersion:
    description: Version of the Sonar Scanner CLI to use
    required: false
-    # to be kept in sync with sonar-scanner-version
-    default: 7.2.0.5079
+    default: 6.2.1.4610 # to be kept in sync with sonar-scanner-version
  scannerBinariesUrl:
    description: URL to download the Sonar Scanner CLI binaries from
    required: false
@@ -30,7 +29,9 @@ runs:
      shell: bash
      env:
        INPUT_PROJECTBASEDIR: ${{ inputs.projectBaseDir }}
-        INPUT_SCANNERVERSION: ${{ inputs.scannerVersion }}
+    - name: Vulnerability warning
+      shell: bash
+      run: echo "::warning title=Vulnerability warning::This version of the SonarQube Scanner GitHub Action is no longer supported and contains a security vulnerability. Please update your workflow to use sonarsource/sonarqube-scan-action@v6 for the latest security patches and features. For more information visit https://community.sonarsource.com/gha-v6-update"
    - name: Load Sonar Scanner CLI from cache
      id: sonar-scanner-cli
      uses: actions/cache@v4
@@ -51,10 +52,7 @@ runs:
      run: echo "${RUNNER_TEMP}/sonar-scanner-cli-${{ inputs.scannerVersion }}-${{ runner.os }}-${{ runner.arch }}/bin" >> $GITHUB_PATH
      shell: bash
    - name: Run SonarScanner
-      run: |
-        args=(${{ inputs.args }})
-        cmd=(${GITHUB_ACTION_PATH}/scripts/run-sonar-scanner-cli.sh "${args[@]}")
-        "${cmd[@]}"
+      run: ${GITHUB_ACTION_PATH}/scripts/run-sonar-scanner-cli.sh ${{ inputs.args }}
      shell: bash
      env:
        INPUT_PROJECTBASEDIR: ${{ inputs.projectBaseDir }}
--- a/scripts/cert.sh
+++ b/scripts/cert.sh
@@ -1,4 +1,4 @@
-#!/usr/bin/env bash
+#!/bin/bash

 if [[ -n "${SONAR_ROOT_CERT}" ]]; then
  echo "Adding custom root certificate to java certificate store"
--- a/scripts/configure_paths.sh
+++ b/scripts/configure_paths.sh
@@ -1,4 +1,4 @@
-#!/usr/bin/env bash
+#!/bin/bash

 if [[ ${ARCH} != "X64" && ! (${ARCH} == "ARM64" && (${OS} == "macOS" || ${OS} == "Linux")) ]]; then
  echo "::error::Architecture '${ARCH}' is unsupported by build-wrapper"
--- a/scripts/create_install_path.sh
+++ b/scripts/create_install_path.sh
@@ -1,4 +1,4 @@
-#!/usr/bin/env bash
+#!/bin/bash

 source "$(dirname -- "$0")/utils.sh"

--- a/scripts/download.sh
+++ b/scripts/download.sh
@@ -1,4 +1,4 @@
-#!/usr/bin/env bash
+#!/bin/bash

 source "$(dirname -- "$0")/utils.sh"

--- a/scripts/fetch_latest_version.sh
+++ b/scripts/fetch_latest_version.sh
@@ -1,4 +1,4 @@
-#!/usr/bin/env bash
+#!/bin/bash

 source "$(dirname -- "$0")/utils.sh"

--- a/scripts/install-sonar-scanner-cli.sh
+++ b/scripts/install-sonar-scanner-cli.sh
@@ -1,4 +1,4 @@
-#!/usr/bin/env bash
+#!/bin/bash

 set -eou pipefail

--- a/scripts/run-sonar-scanner-cli.sh
+++ b/scripts/run-sonar-scanner-cli.sh
@@ -1,4 +1,4 @@
-#!/usr/bin/env bash
+#!/bin/bash

 set -eo pipefail

@@ -77,5 +77,5 @@ scanner_args+=("$@")

 set -ux

-$SCANNER_BIN ${scanner_args[@]+"${scanner_args[@]}"}
+$SCANNER_BIN "${scanner_args[@]}"

--- a/scripts/sanity-checks.sh
+++ b/scripts/sanity-checks.sh
@@ -1,12 +1,7 @@
-#!/usr/bin/env bash
+#!/bin/bash

 set -eo pipefail

-if [[ ! "${INPUT_SCANNERVERSION}" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
-  echo "::error title=SonarScanner::Invalid scannerVersion format. Expected format: x.y.z.w (e.g., 7.1.0.4889)"
-  exit 1
-fi
-
 if [[ -z "${SONAR_TOKEN}" ]]; then
  echo "::warning title=SonarScanner::Running this GitHub Action without SONAR_TOKEN is not recommended"
 fi
--- a/scripts/utils.sh
+++ b/scripts/utils.sh
@@ -1,4 +1,4 @@
-#!/usr/bin/env bash
+#!/bin/bash

 check_status() {
  exit_status=$?
--- a/22
+++ b/22
@@ -1,11 +1,11 @@
-sonar-scanner-version=7.2.0.5079
-sonar-scanner-url-windows-x64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-7.2.0.5079-windows-x64.zip
-sonar-scanner-sha-windows-x64=71936f352206b63cb05ffbcd68e366e52d22916148cf4a2418789bc776f733ea
-sonar-scanner-url-linux-x64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-7.2.0.5079-linux-x64.zip
-sonar-scanner-sha-linux-x64=da9f4e64a3d555f08ce38b5469ebd91fe2b311af473f7001a5ee5c1fd58b004b
-sonar-scanner-url-linux-aarch64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-7.2.0.5079-linux-aarch64.zip
-sonar-scanner-sha-linux-aarch64=803ca725d463e95eeb7537515706367bb8e52bf05ac32174daf9773bdb36d1e2
-sonar-scanner-url-macosx-x64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-7.2.0.5079-macosx-x64.zip
-sonar-scanner-sha-macosx-x64=7b9e92248ca740fff41503bfe5459c460bac43c501d80043cc4fbebb72dfc5fa
-sonar-scanner-url-macosx-aarch64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-7.2.0.5079-macosx-aarch64.zip
-sonar-scanner-sha-macosx-aarch64=c8adb3fbfe5485c17de193a217be765b66cbc10d6540057655afa3c3b5be6f61
+sonar-scanner-version=6.2.1.4610
+sonar-scanner-url-windows-x64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-6.2.1.4610-windows-x64.zip
+sonar-scanner-sha-windows-x64=b7de8d75c43093e0353e6a3147c3720cafac1c38da96bc61123657197086a1c9
+sonar-scanner-url-linux-x64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-6.2.1.4610-linux-x64.zip
+sonar-scanner-sha-linux-x64=0b8a3049f0bd5de7abc1582c78c233960d3d4ed7cc983a1d1635e8552f8bb439
+sonar-scanner-url-linux-aarch64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-6.2.1.4610-linux-aarch64.zip
+sonar-scanner-sha-linux-aarch64=f67819e7a52ed4c28b541baa5bca0621446314de148f889d7d2d7ff239808f0c
+sonar-scanner-url-macosx-x64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-6.2.1.4610-macosx-x64.zip
+sonar-scanner-sha-macosx-x64=471348fcb912584f093cebf28114322455979d2cceb1654e0a7990da50add94f
+sonar-scanner-url-macosx-aarch64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-6.2.1.4610-macosx-aarch64.zip
+sonar-scanner-sha-macosx-aarch64=583b1ed386b6f61ddfbb39c0ae169355e96a8e1852b0210a5a5ca4f7487347c1
--- a/test/assertFileContains
+++ b/test/assertFileContains
@@ -1,14 +1,10 @@
-#!/usr/bin/env bash
-
-set -eou pipefail
+#!/bin/bash

 error() { echo -e "\\e[31m✗ $*\\e[0m"; }

-scriptDir=$(dirname -- "$(readlink -f -- "${BASH_SOURCE[0]}")")
+assertFileExists $1

-$scriptDir/assertFileExists "$1"
-
-if ! grep -q "$2" "$1"; then
+if ! grep -q $2 $1; then
  error "'$2' not found in '$1'"
  exit 1
 fi
--- a/test/assertFileDoesntExist
+++ b/test/assertFileDoesntExist
@@ -1,10 +1,8 @@
-#!/usr/bin/env bash
-
-set -eou pipefail
+#!/bin/bash

 error() { echo -e "\\e[31m✗ $*\\e[0m"; }

-if [ -f "$1" ]; then
+if [ -f $1 ]; then
  error "File '$1' found"
  exit 1
 fi
--- a/test/assertFileExists
+++ b/test/assertFileExists
@@ -1,10 +1,8 @@
-#!/usr/bin/env bash
-
-set -eou pipefail
+#!/bin/bash

 error() { echo -e "\\e[31m✗ $*\\e[0m"; }

-if [ ! -f "$1" ]; then
+if [ ! -f $1 ]; then
  error "File '$1' not found"
  exit 1
 fi