├── .cirrus.star ├── .cirrus.yml ├── .cirrus ├── scan.sh └── wss-unified-agent.config ├── .github ├── CODEOWNERS ├── ISSUE_TEMPLATE.md ├── PULL_REQUEST_TEMPLATE.md └── workflows │ ├── PullRequestClosed.yml │ ├── PullRequestCreated.yml │ ├── RequestReview.yml │ ├── SubmitReview.yml │ ├── hadolint-analysis.yml │ └── release.yml ├── .gitignore ├── .gitmodules ├── .tool-versions ├── .trivyignore ├── CONTRIBUTING.md ├── DEVELOPER.md ├── Dockerfile ├── LICENSE ├── README.md ├── RELEASE.md ├── SECURITY.md ├── bin └── entrypoint.sh ├── sonar-project.properties └── test ├── cacerts └── selfsigned.cer ├── qa.bats └── ssl └── truststore.p12 /.cirrus.star: -------------------------------------------------------------------------------- 1 | load("github.com/SonarSource/cirrus-modules@v3", "load_features") 2 | 3 | def main(ctx): 4 | return load_features(ctx) 5 | -------------------------------------------------------------------------------- /.cirrus.yml: -------------------------------------------------------------------------------- 1 | env: 2 | # see https://github.com/SonarSource/re-terraform-aws-vault/blob/master/orders/bubble-cfamily.yaml 3 | CIRRUS_VAULT_URL: https://vault.sonar.build:8200 4 | CIRRUS_VAULT_AUTH_PATH: jwt-cirrusci 5 | CIRRUS_VAULT_ROLE: cirrusci-${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME} 6 | 7 | ARTIFACTORY_DEPLOY_USERNAME: VAULT[development/artifactory/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-docker-release username] 8 | ARTIFACTORY_DEPLOY_PASSWORD: VAULT[development/artifactory/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-docker-release access_token] 9 | 10 | # Mend scan global configuration 11 | MEND_API_KEY: VAULT[development/kv/data/mend data.apikey] 12 | 13 | # Staging image configuration 14 | DOCKER_REPOX_BUILDS_REGISTRY: repox-sonarsource-docker-builds.jfrog.io 15 | DOCKER_IMAGE: "sonarsource/sonar-scanner-cli" 16 | STAGING_IMAGE_TAG: "${DOCKER_REPOX_BUILDS_REGISTRY}/${DOCKER_IMAGE}:${CI_BUILD_NUMBER}" 17 | 18 | ec2_instance: &EC2_TEMPLATE 19 | experimental: true # see https://github.com/cirruslabs/cirrus-ci-docs/issues/1051 20 | image: docker-builder-v* 21 | type: t2.xlarge 22 | region: eu-central-1 23 | 24 | only_sonarsource_qa: &ONLY_SONARSOURCE_QA 25 | only_if: $CIRRUS_CRON == "" && $CIRRUS_USER_COLLABORATOR == 'true' && $CIRRUS_TAG == "" && ($CIRRUS_PR != "" || $CIRRUS_BRANCH == $CIRRUS_DEFAULT_BRANCH || $CIRRUS_BRANCH =~ "branch-.*" || $CIRRUS_BUILD_SOURCE == 'api' ) 26 | 27 | build_task: 28 | <<: *ONLY_SONARSOURCE_QA 29 | ec2_instance: 30 | <<: *EC2_TEMPLATE 31 | login_script: 32 | - docker login "${DOCKER_REPOX_BUILDS_REGISTRY}" -u "${ARTIFACTORY_DEPLOY_USERNAME}" --password-stdin <<<"${ARTIFACTORY_DEPLOY_PASSWORD}" 33 | build_script: 34 | - echo "Build and push the ${STAGING_IMAGE_TAG} image" 35 | - docker build --tag "${STAGING_IMAGE_TAG}" --push . 36 | 37 | # Scan the current image built and pushed to Artifactory 38 | mend_task: 39 | # run only on default and long-term branches 40 | only_if: $CIRRUS_CRON == "" && $CIRRUS_USER_COLLABORATOR == 'true' && $CIRRUS_TAG == "" && ($CIRRUS_BRANCH == $CIRRUS_DEFAULT_BRANCH || $CIRRUS_BRANCH =~ "branch-.*") 41 | ec2_instance: 42 | <<: *EC2_TEMPLATE 43 | login_script: 44 | - docker login "${DOCKER_REPOX_BUILDS_REGISTRY}" -u "${ARTIFACTORY_DEPLOY_USERNAME}" --password-stdin <<<"${ARTIFACTORY_DEPLOY_PASSWORD}" 45 | setup_script: 46 | - apt-get remove -y unattended-upgrades 47 | - apt-get update && apt-get install -y --no-install-recommends openjdk-17-jre 48 | - curl -sSL https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar -o wss-unified-agent.jar 49 | - echo "docker.includes=.*${CIRRUS_BRANCH}.*" >> .cirrus/wss-unified-agent.config 50 | pull_script: 51 | - docker pull "${STAGING_IMAGE_TAG}" 52 | mend_scan_script: 53 | # Retag the image to have a clean project name on Mend 54 | - docker tag "${STAGING_IMAGE_TAG}" "${DOCKER_IMAGE}:${CIRRUS_BRANCH}" 55 | - java -jar wss-unified-agent.jar -c .cirrus/wss-unified-agent.config -apiKey $MEND_API_KEY 56 | depends_on: build 57 | 58 | # Scan the latest image published on Docker Hub 59 | latest_mend_task: 60 | only_if: $CIRRUS_CRON == 'nightly-mend-scan' 61 | ec2_instance: 62 | <<: *EC2_TEMPLATE 63 | setup_script: 64 | - apt-get remove -y unattended-upgrades 65 | - apt-get update && apt-get install -y --no-install-recommends openjdk-17-jre 66 | - curl -sSL https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar -o wss-unified-agent.jar 67 | - echo "docker.includes=.*latest-from-docker-hub.*" >> .cirrus/wss-unified-agent.config 68 | pull_script: 69 | - docker pull "${DOCKER_IMAGE}:latest" 70 | mend_scan_script: 71 | # Retag the image to have a clean project name on Mend 72 | - docker tag "${DOCKER_IMAGE}:latest" "${DOCKER_IMAGE}:latest-from-docker-hub" 73 | - java -jar wss-unified-agent.jar -c .cirrus/wss-unified-agent.config -apiKey $MEND_API_KEY 74 | 75 | test_docker_builder: 76 | <<: *ONLY_SONARSOURCE_QA 77 | submodules_script: 78 | - git submodule init 79 | - git submodule update 80 | login_script: 81 | - docker login "${DOCKER_REPOX_BUILDS_REGISTRY}" -u "${ARTIFACTORY_DEPLOY_USERNAME}" --password-stdin <<<"${ARTIFACTORY_DEPLOY_PASSWORD}" 82 | test_script: 83 | - apt-get update && apt-get install -qy bats curl jq 84 | - echo "Checking out the sonar-scanning-examples repository" 85 | - git clone https://github.com/SonarSource/sonar-scanning-examples.git target_repository 86 | - echo "Test the ${STAGING_IMAGE_TAG} image" 87 | - TEST_IMAGE="${STAGING_IMAGE_TAG}" bats --tap test 88 | depends_on: build 89 | 90 | sonar_scan_task: 91 | <<: *ONLY_SONARSOURCE_QA 92 | eks_container: 93 | region: eu-central-1 94 | cluster_name: ${CIRRUS_CLUSTER_NAME} 95 | namespace: default 96 | image: sonarsource/sonar-scanner-cli:latest 97 | cpu: 4 98 | memory: 4G 99 | env: 100 | SONAR_TOKEN: VAULT[development/kv/data/next data.token] 101 | SONAR_HOST_URL: VAULT[development/kv/data/next data.url] 102 | script: 103 | - source .cirrus/scan.sh 104 | depends_on: build 105 | -------------------------------------------------------------------------------- /.cirrus/scan.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | set -euo pipefail 3 | 4 | export GIT_SHA1=${CIRRUS_CHANGE_IN_REPO} 5 | export GITHUB_BASE_BRANCH=${CIRRUS_BASE_BRANCH:-} 6 | export GITHUB_BRANCH=${CIRRUS_BRANCH} 7 | export GITHUB_REPO=${CIRRUS_REPO_FULL_NAME} 8 | export PULL_REQUEST=${CIRRUS_PR:-} 9 | 10 | if [[ "${PULL_REQUEST}" ]] || [[ "${GITHUB_BRANCH}" == "master" ]]; then 11 | 12 | scanner_params=() 13 | 14 | if [[ "${GITHUB_BASE_BRANCH}" ]]; then 15 | git fetch origin "${GITHUB_BASE_BRANCH}" 16 | fi 17 | 18 | if [[ "${GITHUB_BRANCH}" == "master" ]]; then 19 | scanner_params+=("-Dsonar.qualitygate.wait=true") 20 | fi 21 | 22 | if [[ "${PULL_REQUEST}" ]]; then 23 | scanner_params+=("-Dsonar.analysis.prNumber=${PULL_REQUEST}") 24 | fi 25 | 26 | scanner_params+=( 27 | "-Dsonar.host.url=${SONAR_HOST_URL}" 28 | "-Dsonar.token=${SONAR_TOKEN}" 29 | "-Dsonar.analysis.pipeline=${CIRRUS_BUILD_ID}" 30 | "-Dsonar.analysis.repository=${GITHUB_REPO}" 31 | "-Dsonar.analysis.sha1=${GIT_SHA1}") 32 | sonar-scanner "${scanner_params[@]}" 33 | 34 | fi -------------------------------------------------------------------------------- /.cirrus/wss-unified-agent.config: -------------------------------------------------------------------------------- 1 | excludes=**/opt/sonar-scanner/**/* 2 | docker.scanImages=true 3 | wss.url=https://saas-eu.whitesourcesoftware.com/agent 4 | productName=Scanner/CliDocker 5 | docker.projectNameFormat=repositoryNameAndTag 6 | -------------------------------------------------------------------------------- /.github/CODEOWNERS: -------------------------------------------------------------------------------- 1 | .github/CODEOWNERS @sonarsource/orchestration-processing-squad 2 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE.md: -------------------------------------------------------------------------------- 1 | Please ensure your issue adheres to the following guidelines: 2 | - [ ] Please check the problem is not already reported 3 | - [ ] Please include enough details to reproduce the problem: the command executed, the host platform, error messages or relevant logs 4 | -------------------------------------------------------------------------------- /.github/PULL_REQUEST_TEMPLATE.md: -------------------------------------------------------------------------------- 1 | 7 | 8 | Please be aware that we are not actively looking for feature contributions. The truth is that it's extremely difficult for someone outside SonarSource to comply with our roadmap and expectations. Therefore, we typically only accept minor cosmetic changes and typo fixes. If you would like to see a new feature, please create a new thread in the forum ["Suggest new features"](https://community.sonarsource.com/c/suggestions/features). 9 | 10 | With that in mind, if you would like to submit a code contribution, make sure that you adhere to the following guidelines and all tests are passing: 11 | 12 | - [ ] Please explain your motives to contribute this change: what problem you are trying to fix, what improvement you are trying to make 13 | - [ ] Use the following formatting style: [SonarSource/sonar-developer-toolset](https://github.com/SonarSource/sonar-developer-toolset#code-style) 14 | - [ ] If there is a [JIRA](http://jira.sonarsource.com/browse/SQSCANNER) ticket available, please make your commits and pull request start with the ticket ID (SQSCANNER-XXXX) 15 | 16 | We will try to give you feedback on your contribution as quickly as possible. 17 | 18 | Thank You! 19 | The SonarSource Team 20 | -------------------------------------------------------------------------------- /.github/workflows/PullRequestClosed.yml: -------------------------------------------------------------------------------- 1 | name: Pull Request Closed 2 | 3 | on: 4 | pull_request: 5 | types: [closed] 6 | 7 | jobs: 8 | PullRequestClosed_job: 9 | name: Pull Request Closed 10 | runs-on: ubuntu-latest-large 11 | permissions: 12 | id-token: write 13 | pull-requests: read 14 | # For external PR, ticket should be moved manually 15 | if: | 16 | github.event.pull_request.head.repo.full_name == github.repository 17 | steps: 18 | - id: secrets 19 | uses: SonarSource/vault-action-wrapper@v3 20 | with: 21 | secrets: | 22 | development/kv/data/jira user | JIRA_USER; 23 | development/kv/data/jira token | JIRA_TOKEN; 24 | - uses: sonarsource/gh-action-lt-backlog/PullRequestClosed@v2 25 | with: 26 | github-token: ${{secrets.GITHUB_TOKEN}} 27 | jira-user: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_USER }} 28 | jira-token: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_TOKEN }} 29 | -------------------------------------------------------------------------------- /.github/workflows/PullRequestCreated.yml: -------------------------------------------------------------------------------- 1 | name: Pull Request Created 2 | 3 | on: 4 | pull_request: 5 | types: ["opened"] 6 | 7 | jobs: 8 | PullRequestCreated_job: 9 | name: Pull Request Created 10 | runs-on: ubuntu-latest-large 11 | permissions: 12 | id-token: write 13 | # For external PR, ticket should be created manually 14 | if: | 15 | github.event.pull_request.head.repo.full_name == github.repository 16 | steps: 17 | - id: secrets 18 | uses: SonarSource/vault-action-wrapper@v3 19 | with: 20 | secrets: | 21 | development/github/token/{REPO_OWNER_NAME_DASH}-jira token | GITHUB_TOKEN; 22 | development/kv/data/jira user | JIRA_USER; 23 | development/kv/data/jira token | JIRA_TOKEN; 24 | - uses: sonarsource/gh-action-lt-backlog/PullRequestCreated@v2 25 | with: 26 | github-token: ${{ fromJSON(steps.secrets.outputs.vault).GITHUB_TOKEN }} 27 | jira-user: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_USER }} 28 | jira-token: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_TOKEN }} 29 | jira-project: SCANDOCKER 30 | -------------------------------------------------------------------------------- /.github/workflows/RequestReview.yml: -------------------------------------------------------------------------------- 1 | name: Request review 2 | 3 | on: 4 | pull_request: 5 | types: ["review_requested"] 6 | 7 | jobs: 8 | RequestReview_job: 9 | name: Request review 10 | runs-on: ubuntu-latest-large 11 | permissions: 12 | id-token: write 13 | # For external PR, ticket should be moved manually 14 | if: | 15 | github.event.pull_request.head.repo.full_name == github.repository 16 | steps: 17 | - id: secrets 18 | uses: SonarSource/vault-action-wrapper@v3 19 | with: 20 | secrets: | 21 | development/github/token/{REPO_OWNER_NAME_DASH}-jira token | GITHUB_TOKEN; 22 | development/kv/data/jira user | JIRA_USER; 23 | development/kv/data/jira token | JIRA_TOKEN; 24 | - uses: sonarsource/gh-action-lt-backlog/RequestReview@v2 25 | with: 26 | github-token: ${{ fromJSON(steps.secrets.outputs.vault).GITHUB_TOKEN }} 27 | jira-user: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_USER }} 28 | jira-token: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_TOKEN }} 29 | -------------------------------------------------------------------------------- /.github/workflows/SubmitReview.yml: -------------------------------------------------------------------------------- 1 | name: Submit Review 2 | 3 | on: 4 | pull_request_review: 5 | types: [submitted] 6 | 7 | jobs: 8 | SubmitReview_job: 9 | name: Submit Review 10 | runs-on: ubuntu-latest-large 11 | permissions: 12 | id-token: write 13 | pull-requests: read 14 | # For external PR, ticket should be moved manually 15 | if: | 16 | github.event.pull_request.head.repo.full_name == github.repository 17 | && (github.event.review.state == 'changes_requested' 18 | || github.event.review.state == 'approved') 19 | steps: 20 | - id: secrets 21 | uses: SonarSource/vault-action-wrapper@v3 22 | with: 23 | secrets: | 24 | development/kv/data/jira user | JIRA_USER; 25 | development/kv/data/jira token | JIRA_TOKEN; 26 | - uses: sonarsource/gh-action-lt-backlog/SubmitReview@v2 27 | with: 28 | github-token: ${{secrets.GITHUB_TOKEN}} 29 | jira-user: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_USER }} 30 | jira-token: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_TOKEN }} 31 | -------------------------------------------------------------------------------- /.github/workflows/hadolint-analysis.yml: -------------------------------------------------------------------------------- 1 | name: "linter" 2 | 3 | on: 4 | pull_request: 5 | branches: 6 | - master 7 | paths: 8 | - '**/Dockerfile' 9 | 10 | jobs: 11 | v5: 12 | name: Dockerfile-Linting 13 | runs-on: ubuntu-latest-large 14 | permissions: 15 | contents: read 16 | steps: 17 | - uses: actions/checkout@v2 18 | - name: Pull HaDoLint image 19 | run: docker pull hadolint/hadolint 20 | - name: Lint Dockerfile 21 | run: docker run --rm --interactive hadolint/hadolint hadolint --ignore DL3018 --ignore DL4001 --ignore DL3013 --ignore SC2015 --ignore DL3008 --ignore DL3041 --ignore DL3020 - < ./Dockerfile 22 | -------------------------------------------------------------------------------- /.github/workflows/release.yml: -------------------------------------------------------------------------------- 1 | name: Release 2 | 3 | on: 4 | release: 5 | types: 6 | - published 7 | 8 | jobs: 9 | release: 10 | runs-on: ubuntu-latest-large 11 | name: Start release process 12 | permissions: 13 | contents: write 14 | id-token: write 15 | steps: 16 | - id: secrets 17 | uses: SonarSource/vault-action-wrapper@v3 18 | with: 19 | secrets: | 20 | development/kv/data/sign key | gpg_key; 21 | development/kv/data/sign passphrase | gpg_passphrase; 22 | development/kv/data/docker/sonardockerrw access_token_rwd | docker_access_token; 23 | development/kv/data/docker/sonardockerrw username | docker_username; 24 | development/artifactory/token/{REPO_OWNER_NAME_DASH}-docker-release username | repox_username; 25 | development/artifactory/token/{REPO_OWNER_NAME_DASH}-docker-release access_token | repox_access_token; 26 | development/kv/data/slack webhook | slack_webhook; 27 | - name: Get the version 28 | id: get_version 29 | run: | 30 | full_image_tag=${{ github.event.release.tag_name }} 31 | if [[ ! ${full_image_tag} =~ ^[1-9][0-9]+.[0-9]+.[0-9]+.[0-9]+_[0-9]+.[0-9]+.[0-9]+ ]]; then 32 | echo "The release tag should be in the format of {major}.{minor}.{patch}.{buildnumber}_{scanner_major}.{scanner_minor}.{scanner_patch} but it was ${full_image_tag}" 33 | exit 1 34 | fi 35 | 36 | IFS=. read docker_major docker_minor docker_patch build_and_scanner <<<"${full_image_tag}" 37 | IFS=_ read buildnumber scanner_version <<<"${build_and_scanner}" 38 | echo "major_version=${docker_major}" >> $GITHUB_OUTPUT 39 | echo "major_minor=${docker_major}.${docker_minor}" >> $GITHUB_OUTPUT 40 | echo "full_image_tag=${full_image_tag}" >> $GITHUB_OUTPUT 41 | echo "buildnumber=${buildnumber}" >> $GITHUB_OUTPUT 42 | shell: bash 43 | - uses: actions/checkout@v2 44 | with: 45 | ref: ${{ github.event.release.tag_name }} 46 | - uses: actions/checkout@v2 47 | with: 48 | repository: SonarSource/sonar-scanning-examples 49 | path: target_repository 50 | - name: Pull staged image 51 | run: | 52 | docker login repox-sonarsource-docker-builds.jfrog.io --username ${{ fromJSON(steps.secrets.outputs.vault).repox_username }} --password-stdin <<< "${{ fromJSON(steps.secrets.outputs.vault).repox_access_token }}" 53 | docker pull "repox-sonarsource-docker-builds.jfrog.io/sonarsource/sonar-scanner-cli:${{ steps.get_version.outputs.buildnumber }}" 54 | - name: Generate CycloneDX SBOM 55 | uses: SonarSource/gh-action_sbom@v3 56 | with: 57 | image: "repox-sonarsource-docker-builds.jfrog.io/sonarsource/sonar-scanner-cli:${{ steps.get_version.outputs.buildnumber }}" 58 | filename: "sonar-scanner-cli-docker-${{ steps.get_version.outputs.full_image_tag }}-bom.json" 59 | upload-artifact: true 60 | upload-release-assets: true 61 | env: 62 | GPG_PRIVATE_KEY_PASSPHRASE: ${{ fromJSON(steps.secrets.outputs.vault).gpg_passphrase }} 63 | GPG_PRIVATE_KEY_BASE64: ${{ fromJSON(steps.secrets.outputs.vault).gpg_key }} 64 | - name: Promote the staged build 65 | env: 66 | ARTIFACTORY_URL: https://repox.jfrog.io/repox 67 | run: | 68 | source_repo_key=sonarsource-docker-builds 69 | target_repo_key=sonarsource-docker-releases 70 | docker_image=sonarsource/sonar-scanner-cli 71 | buildnumber=${{ steps.get_version.outputs.buildnumber }} 72 | full_image_tag=${{ github.event.release.tag_name }} 73 | DATA_JSON="{ \"targetRepo\": \"${target_repo_key}\", \"dockerRepository\": \"${docker_image}\", \"tag\": \"${buildnumber}\", \"targetTag\": \"${full_image_tag}\", \"copy\": true }" 74 | HTTP_CODE=$(curl -s -o /dev/null -w %{http_code} -H "Content-Type: application/json" -H "Authorization: Bearer ${{ fromJSON(steps.secrets.outputs.vault).repox_access_token }}" -X POST "$ARTIFACTORY_URL/api/docker/$source_repo_key/v2/promote" --data "$DATA_JSON") 75 | if [ "$HTTP_CODE" != "200" ]; then 76 | echo "Cannot promote ${docker_image}#${full_image_tag}: ($HTTP_CODE)" 77 | exit 1 78 | else 79 | echo "${docker_image}#${full_image_tag} promoted to ${target_repo_key}" 80 | fi 81 | - name: Push image to Docker Hub 82 | run: | 83 | buildnumber=${{ steps.get_version.outputs.buildnumber }} 84 | 85 | docker tag "repox-sonarsource-docker-builds.jfrog.io/sonarsource/sonar-scanner-cli:${buildnumber}" "sonarsource/sonar-scanner-cli:latest" 86 | docker tag "repox-sonarsource-docker-builds.jfrog.io/sonarsource/sonar-scanner-cli:${buildnumber}" "sonarsource/sonar-scanner-cli:${{ steps.get_version.outputs.major_version }}" 87 | docker tag "repox-sonarsource-docker-builds.jfrog.io/sonarsource/sonar-scanner-cli:${buildnumber}" "sonarsource/sonar-scanner-cli:${{ steps.get_version.outputs.major_minor }}" 88 | docker tag "repox-sonarsource-docker-builds.jfrog.io/sonarsource/sonar-scanner-cli:${buildnumber}" "sonarsource/sonar-scanner-cli:${{ steps.get_version.outputs.full_image_tag }}" 89 | 90 | docker login --username ${{ fromJSON(steps.secrets.outputs.vault).docker_username }} --password-stdin <<< "${{ fromJSON(steps.secrets.outputs.vault).docker_access_token }}" 91 | 92 | docker push sonarsource/sonar-scanner-cli:latest 93 | docker push sonarsource/sonar-scanner-cli:${{ steps.get_version.outputs.major_version }} 94 | docker push sonarsource/sonar-scanner-cli:${{ steps.get_version.outputs.major_minor }} 95 | docker push sonarsource/sonar-scanner-cli:${{ steps.get_version.outputs.full_image_tag }} 96 | - name: Notify success on Slack 97 | uses: slackapi/slack-github-action@v2.0.0 98 | with: 99 | webhook: ${{ fromJSON(steps.secrets.outputs.vault).slack_webhook }} 100 | webhook-type: incoming-webhook 101 | payload: | 102 | { 103 | "channel": "squad-analysis-processing", 104 | "attachments": [ 105 | { 106 | "color": "#00ff00", 107 | "text": "Release `${{ github.event.release.tag_name }}` successful for `${{ github.repository }}` by `${{ github.actor }}`.\n <${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|Link to workflow run>" 108 | } 109 | ] 110 | } 111 | - name: Notify failures on Slack 112 | uses: slackapi/slack-github-action@v2.0.0 113 | if: failure() 114 | with: 115 | webhook: ${{ fromJSON(steps.secrets.outputs.vault).slack_webhook }} 116 | webhook-type: incoming-webhook 117 | payload: | 118 | { 119 | "channel": "squad-analysis-processing", 120 | "attachments": [ 121 | { 122 | "color": "#ff0000", 123 | "text": "Release `${{ github.event.release.tag_name }}` failed for `${{ github.repository }}` by `${{ github.actor }}`.\n <${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|Link to workflow run>" 124 | } 125 | ] 126 | } 127 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # ---- IntelliJ IDEA 2 | *.iws 3 | *.iml 4 | *.ipr 5 | .idea/ 6 | out/ 7 | 8 | # ---- VS Code 9 | .vscode/ 10 | *.code-workspace 11 | 12 | # ---- Eclipse 13 | .classpath 14 | .project 15 | .settings 16 | .externalToolBuilders 17 | 18 | # ---- Mac OS X 19 | .DS_Store 20 | # Thumbnails 21 | ._* 22 | # Files that might appear on external disk 23 | .Spotlight-V100 24 | .Trashes 25 | 26 | # ---- Windows 27 | # Windows image file caches 28 | Thumbs.db 29 | # Folder config file 30 | Desktop.ini 31 | 32 | # ---- Linux 33 | .directory 34 | 35 | # ---- Local Test 36 | target_repository -------------------------------------------------------------------------------- /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule "test/test_helper/bats-support"] 2 | path = test/test_helper/bats-support 3 | url = https://github.com/ztombol/bats-support 4 | [submodule "test/test_helper/bats-assert"] 5 | path = test/test_helper/bats-assert 6 | url = https://github.com/ztombol/bats-assert 7 | -------------------------------------------------------------------------------- /.tool-versions: -------------------------------------------------------------------------------- 1 | bats 1.2.0 2 | -------------------------------------------------------------------------------- /.trivyignore: -------------------------------------------------------------------------------- 1 | CVE-2020-28928 2 | CVE-2020-8231 3 | CVE-2020-1971 4 | CVE-2020-8285 5 | CVE-2020-8286 -------------------------------------------------------------------------------- /CONTRIBUTING.md: -------------------------------------------------------------------------------- 1 | Contributing 2 | ============ 3 | 4 | If you would like to see a new feature, please create a new thread in the forum ["Suggest new features"](https://community.sonarsource.com/c/suggestions/features). 5 | 6 | Please be aware that we are not actively looking for feature contributions. The truth is that it's extremely difficult for someone outside SonarSource to comply with our roadmap and expectations. Therefore, we typically only accept minor cosmetic changes and typo fixes. 7 | 8 | ## Submitting a pull request 9 | 10 | With that in mind, if you would like to submit a code contribution, please create a pull request for this repository. Please explain your motives to contribute this change: what problem you are trying to fix, what improvement you are trying to make. 11 | 12 | Make sure that you follow our [code style](https://github.com/SonarSource/sonar-developer-toolset#code-style) and all tests are passing (Cirrus CI build is executed for each pull request). 13 | 14 | ## Next steps 15 | 16 | One of the members of our team will carefully review your pull request. You might be asked at this point for clarifications or your pull request might be rejected if we decide that it doesn't fit our roadmap and vision for the product. 17 | If your contribution looks promising then either we will decide: 18 | 19 | - it is good to go and merge your pull request to the master branch 20 | 21 | or 22 | 23 | - that we need to think over your change and modify it to adhere to our roadmap and internal standards. We will close your pull request at this point, but we might come back to your changes later in the future when we decide it is the right time to work on it. 24 | 25 | Thank You! 26 | The SonarSource Team 27 | -------------------------------------------------------------------------------- /DEVELOPER.md: -------------------------------------------------------------------------------- 1 | # How to build the Docker image 2 | 3 | ```bash 4 | docker build --tag scanner-cli-local . 5 | ``` 6 | 7 | ## How to run the Docker image 8 | 9 | ### On Linux with a local SonarQube 10 | 11 | With a SonarQube (SQ) running on default configuration (`http://localhost:9000`), the following will analyze the project in the directory `/path/to/project`: 12 | 13 | ```bash 14 | docker run -it -v "/path/to/project:/usr/src" --network="host" -e SONAR_HOST_URL=http://localhost:9000 scanner-cli-local 15 | ``` 16 | 17 | To analyze the project in the current directory: 18 | 19 | ```bash 20 | docker run -it -v "$PWD:/usr/src" --network="host" -e SONAR_HOST_URL=http://localhost:9000 scanner-cli-local 21 | ``` 22 | 23 | ### On Linux with SonarQube running in Docker 24 | 25 | Create a network and boot SonarQube: 26 | 27 | ```bash 28 | docker network create "scanner-sq-network" 29 | docker run --network="scanner-sq-network" --name="sq" -d sonarqube 30 | ``` 31 | 32 | And run the scanner: 33 | 34 | ```bash 35 | # make sure SQ is up and running 36 | docker run -e SONAR_HOST_URL=http://sq:9000 --network="scanner-sq-network" -it -v "/path/to/project:/usr/src" scanner-cli-local 37 | ``` 38 | 39 | ### On Mac with local SonarQube 40 | 41 | On Mac, `host.docker.internal` should be used instead of `localhost`. 42 | 43 | To analyze the project located in `/path/to/project`, execute: 44 | 45 | ```bash 46 | docker run -e SONAR_HOST_URL=http://host.docker.internal:9000 -it -v "/path/to/project:/usr/src" scanner-cli-local 47 | ``` 48 | 49 | To analyze the project in the current directory, execute: 50 | 51 | ```bash 52 | docker run -e SONAR_HOST_URL=http://host.docker.internal:9000 -it -v "$(pwd):/usr/src" scanner-cli-local 53 | ``` 54 | 55 | ### On Mac with SonarQube running in Docker 56 | 57 | Create a network and boot SonarQube: 58 | 59 | ```bash 60 | docker network create "scanner-sq-network" 61 | docker run --network="scanner-sq-network" --name="sq" -d sonarqube 62 | ``` 63 | 64 | And run the scanner: 65 | 66 | ```bash 67 | # make sure SQ is up and running 68 | docker run -e SONAR_HOST_URL=http://sq:9000 --network="scanner-sq-network" -it -v "/path/to/project:/usr/src" scanner-cli-local 69 | ``` 70 | ## Automatic tests 71 | 72 | The QA process is handled on `.cirrus.yml`, which is responsible for the following: 73 | 74 | - linting the Dockerfile to make sure it complies with best practices 75 | - build the image 76 | - test the image by running a scan on a sample project 77 | - run scans to find potential vulnerabilities 78 | -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- 1 | FROM alpine:3.19 AS builder 2 | 3 | LABEL org.opencontainers.image.url=https://github.com/SonarSource/sonar-scanner-cli-docker 4 | 5 | ARG SONAR_SCANNER_HOME=/opt/sonar-scanner 6 | ARG SONAR_SCANNER_VERSION=7.1.0.4889 7 | ENV HOME=/tmp \ 8 | XDG_CONFIG_HOME=/tmp \ 9 | SONAR_SCANNER_HOME=${SONAR_SCANNER_HOME} \ 10 | SCANNER_BINARIES=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli 11 | ENV SCANNER_ZIP_URL="${SCANNER_BINARIES}/sonar-scanner-cli-${SONAR_SCANNER_VERSION}.zip" 12 | 13 | WORKDIR /opt 14 | 15 | ADD ${SCANNER_ZIP_URL} /opt/sonar-scanner-cli.zip 16 | ADD ${SCANNER_ZIP_URL}.asc /opt/sonar-scanner-cli.zip.asc 17 | 18 | RUN set -eux; \ 19 | apk add --no-cache --virtual build-dependencies gnupg unzip wget; \ 20 | for server in $(shuf -e hkps://keys.openpgp.org \ 21 | hkps://keyserver.ubuntu.com) ; do \ 22 | gpg --batch --keyserver "${server}" --recv-keys 679F1EE92B19609DE816FDE81DB198F93525EC1A && break || : ; \ 23 | done; \ 24 | gpg --verify /opt/sonar-scanner-cli.zip.asc /opt/sonar-scanner-cli.zip; \ 25 | unzip sonar-scanner-cli.zip; \ 26 | rm sonar-scanner-cli.zip sonar-scanner-cli.zip.asc; \ 27 | mv sonar-scanner-${SONAR_SCANNER_VERSION} ${SONAR_SCANNER_HOME}; \ 28 | apk del --purge build-dependencies; 29 | 30 | 31 | FROM amazoncorretto:17-al2023 AS scanner-cli-base 32 | 33 | ARG SONAR_SCANNER_HOME=/opt/sonar-scanner 34 | ENV HOME=/tmp \ 35 | XDG_CONFIG_HOME=/tmp \ 36 | SONAR_SCANNER_HOME=${SONAR_SCANNER_HOME} \ 37 | SONAR_USER_HOME=${SONAR_SCANNER_HOME}/.sonar \ 38 | PATH=${SONAR_SCANNER_HOME}/bin:${PATH} \ 39 | SRC_PATH=/usr/src \ 40 | SCANNER_WORKDIR_PATH=/tmp/.scannerwork \ 41 | LANG=C.UTF-8 \ 42 | LC_ALL=C.UTF-8 43 | 44 | # Copy Scanner installation from builder image 45 | COPY --from=builder /opt/sonar-scanner /opt/sonar-scanner 46 | 47 | RUN \ 48 | dnf install -y git \ 49 | && dnf install -y tar \ 50 | && dnf install -y nodejs \ 51 | && dnf clean all \ 52 | && set -eux \ 53 | && groupadd --system --gid 1000 scanner-cli \ 54 | && useradd --system --uid 1000 --gid scanner-cli scanner-cli \ 55 | && chown -R scanner-cli:scanner-cli "${SONAR_SCANNER_HOME}" "${SRC_PATH}" \ 56 | && mkdir -p "${SRC_PATH}" "${SONAR_USER_HOME}" "${SONAR_USER_HOME}/cache" "${SCANNER_WORKDIR_PATH}" \ 57 | && chown -R scanner-cli:scanner-cli "${SONAR_SCANNER_HOME}" "${SRC_PATH}" "${SCANNER_WORKDIR_PATH}" \ 58 | && chmod -R 555 "${SONAR_SCANNER_HOME}" \ 59 | && chmod -R 754 "${SRC_PATH}" "${SONAR_USER_HOME}" "${SCANNER_WORKDIR_PATH}" \ 60 | # Security updates 61 | && dnf upgrade -y --releasever=latest --security 62 | 63 | COPY --chown=scanner-cli:scanner-cli bin /usr/bin/ 64 | 65 | USER scanner-cli 66 | 67 | WORKDIR ${SRC_PATH} 68 | 69 | ENTRYPOINT ["/usr/bin/entrypoint.sh"] 70 | 71 | CMD ["sonar-scanner"] 72 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | GNU LESSER GENERAL PUBLIC LICENSE 2 | Version 3, 29 June 2007 3 | 4 | Copyright (C) 2007 Free Software Foundation, Inc. 5 | Everyone is permitted to copy and distribute verbatim copies 6 | of this license document, but changing it is not allowed. 7 | 8 | 9 | This version of the GNU Lesser General Public License incorporates 10 | the terms and conditions of version 3 of the GNU General Public 11 | License, supplemented by the additional permissions listed below. 12 | 13 | 0. Additional Definitions. 14 | 15 | As used herein, "this License" refers to version 3 of the GNU Lesser 16 | General Public License, and the "GNU GPL" refers to version 3 of the GNU 17 | General Public License. 18 | 19 | "The Library" refers to a covered work governed by this License, 20 | other than an Application or a Combined Work as defined below. 21 | 22 | An "Application" is any work that makes use of an interface provided 23 | by the Library, but which is not otherwise based on the Library. 24 | Defining a subclass of a class defined by the Library is deemed a mode 25 | of using an interface provided by the Library. 26 | 27 | A "Combined Work" is a work produced by combining or linking an 28 | Application with the Library. The particular version of the Library 29 | with which the Combined Work was made is also called the "Linked 30 | Version". 31 | 32 | The "Minimal Corresponding Source" for a Combined Work means the 33 | Corresponding Source for the Combined Work, excluding any source code 34 | for portions of the Combined Work that, considered in isolation, are 35 | based on the Application, and not on the Linked Version. 36 | 37 | The "Corresponding Application Code" for a Combined Work means the 38 | object code and/or source code for the Application, including any data 39 | and utility programs needed for reproducing the Combined Work from the 40 | Application, but excluding the System Libraries of the Combined Work. 41 | 42 | 1. Exception to Section 3 of the GNU GPL. 43 | 44 | You may convey a covered work under sections 3 and 4 of this License 45 | without being bound by section 3 of the GNU GPL. 46 | 47 | 2. Conveying Modified Versions. 48 | 49 | If you modify a copy of the Library, and, in your modifications, a 50 | facility refers to a function or data to be supplied by an Application 51 | that uses the facility (other than as an argument passed when the 52 | facility is invoked), then you may convey a copy of the modified 53 | version: 54 | 55 | a) under this License, provided that you make a good faith effort to 56 | ensure that, in the event an Application does not supply the 57 | function or data, the facility still operates, and performs 58 | whatever part of its purpose remains meaningful, or 59 | 60 | b) under the GNU GPL, with none of the additional permissions of 61 | this License applicable to that copy. 62 | 63 | 3. Object Code Incorporating Material from Library Header Files. 64 | 65 | The object code form of an Application may incorporate material from 66 | a header file that is part of the Library. You may convey such object 67 | code under terms of your choice, provided that, if the incorporated 68 | material is not limited to numerical parameters, data structure 69 | layouts and accessors, or small macros, inline functions and templates 70 | (ten or fewer lines in length), you do both of the following: 71 | 72 | a) Give prominent notice with each copy of the object code that the 73 | Library is used in it and that the Library and its use are 74 | covered by this License. 75 | 76 | b) Accompany the object code with a copy of the GNU GPL and this license 77 | document. 78 | 79 | 4. Combined Works. 80 | 81 | You may convey a Combined Work under terms of your choice that, 82 | taken together, effectively do not restrict modification of the 83 | portions of the Library contained in the Combined Work and reverse 84 | engineering for debugging such modifications, if you also do each of 85 | the following: 86 | 87 | a) Give prominent notice with each copy of the Combined Work that 88 | the Library is used in it and that the Library and its use are 89 | covered by this License. 90 | 91 | b) Accompany the Combined Work with a copy of the GNU GPL and this license 92 | document. 93 | 94 | c) For a Combined Work that displays copyright notices during 95 | execution, include the copyright notice for the Library among 96 | these notices, as well as a reference directing the user to the 97 | copies of the GNU GPL and this license document. 98 | 99 | d) Do one of the following: 100 | 101 | 0) Convey the Minimal Corresponding Source under the terms of this 102 | License, and the Corresponding Application Code in a form 103 | suitable for, and under terms that permit, the user to 104 | recombine or relink the Application with a modified version of 105 | the Linked Version to produce a modified Combined Work, in the 106 | manner specified by section 6 of the GNU GPL for conveying 107 | Corresponding Source. 108 | 109 | 1) Use a suitable shared library mechanism for linking with the 110 | Library. A suitable mechanism is one that (a) uses at run time 111 | a copy of the Library already present on the user's computer 112 | system, and (b) will operate properly with a modified version 113 | of the Library that is interface-compatible with the Linked 114 | Version. 115 | 116 | e) Provide Installation Information, but only if you would otherwise 117 | be required to provide such information under section 6 of the 118 | GNU GPL, and only to the extent that such information is 119 | necessary to install and execute a modified version of the 120 | Combined Work produced by recombining or relinking the 121 | Application with a modified version of the Linked Version. (If 122 | you use option 4d0, the Installation Information must accompany 123 | the Minimal Corresponding Source and Corresponding Application 124 | Code. If you use option 4d1, you must provide the Installation 125 | Information in the manner specified by section 6 of the GNU GPL 126 | for conveying Corresponding Source.) 127 | 128 | 5. Combined Libraries. 129 | 130 | You may place library facilities that are a work based on the 131 | Library side by side in a single library together with other library 132 | facilities that are not Applications and are not covered by this 133 | License, and convey such a combined library under terms of your 134 | choice, if you do both of the following: 135 | 136 | a) Accompany the combined library with a copy of the same work based 137 | on the Library, uncombined with any other library facilities, 138 | conveyed under the terms of this License. 139 | 140 | b) Give prominent notice with the combined library that part of it 141 | is a work based on the Library, and explaining where to find the 142 | accompanying uncombined form of the same work. 143 | 144 | 6. Revised Versions of the GNU Lesser General Public License. 145 | 146 | The Free Software Foundation may publish revised and/or new versions 147 | of the GNU Lesser General Public License from time to time. Such new 148 | versions will be similar in spirit to the present version, but may 149 | differ in detail to address new problems or concerns. 150 | 151 | Each version is given a distinguishing version number. If the 152 | Library as you received it specifies that a certain numbered version 153 | of the GNU Lesser General Public License "or any later version" 154 | applies to it, you have the option of following the terms and 155 | conditions either of that published version or of any later version 156 | published by the Free Software Foundation. If the Library as you 157 | received it does not specify a version number of the GNU Lesser 158 | General Public License, you may choose any version of the GNU Lesser 159 | General Public License ever published by the Free Software Foundation. 160 | 161 | If the Library as you received it specifies that a proxy can decide 162 | whether future versions of the GNU Lesser General Public License shall 163 | apply, that proxy's public statement of acceptance of any version is 164 | permanent authorization for you to choose that version for the 165 | Library. 166 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # SonarScanner CLI [![Build Status](https://api.cirrus-ci.com/github/SonarSource/sonar-scanner-cli-docker.svg)](https://cirrus-ci.com/github/SonarSource/sonar-scanner-cli-docker) 2 | 3 | This is the Git repository that contains the source for [SonarScanner CLI](https://github.com/SonarSource/sonar-scanner-cli) Docker images. 4 | Images are available on [Docker Hub](https://hub.docker.com/r/sonarsource/sonar-scanner-cli). 5 | 6 | Sonar's [Clean Code solutions](https://www.sonarsource.com/solutions/clean-code/?utm_medium=referral&utm_source=github&utm_campaign=clean-code&utm_content=sonar-scanner-cli-docker) help developers deliver high-quality, efficient code standards that benefit the entire team or organization. 7 | 8 | NB: These Docker images are not compatible with C# and Objective-C projects. For C&C++, the docker images are only compatible with [AutoConfig mode](https://docs.sonarsource.com/sonarqube/latest/analyzing-source-code/languages/c-family/analysis-modes/). 9 | 10 | ## Usage and configuration 11 | 12 | For information on how to use and configure the image, head over to the Docker section of [SonarScanner CLI docs](https://docs.sonarqube.org/latest/analysis/scan/sonarscanner/). 13 | 14 | ## Questions or Feedback 15 | 16 | For support questions ("How do I?", "I got this error, why?", ...), please first read the [documentation](https://docs.sonarqube.org) and then head to the [SonarSource forum](https://community.sonarsource.com/). There are chances that a question similar to yours has already been answered. 17 | 18 | Be aware that this forum is a community, so the standard pleasantries ("Hi", "Thanks", ...) are expected. And if you don't get an answer to your thread, you should sit on your hands for at least three days before bumping it. Operators are not standing by. :-) 19 | 20 | ## Contributing 21 | 22 | If you would like to see a new feature or report a bug, please create a new thread in our [forum](https://community.sonarsource.com/tags/c/sq/10/none/docker). 23 | 24 | Please be aware that we are not actively looking for feature contributions. We typically accept minor improvements and bug fixes. 25 | 26 | With that in mind, if you would like to submit a code contribution, please create a pull request for this repository. Please explain your motives to contribute this change: what problem you are trying to fix, what improvement you are trying to make. 27 | 28 | ## License 29 | 30 | Copyright 2015-2025 SonarSource. 31 | 32 | Licensed under the [GNU Lesser General Public License, Version 3.0](http://www.gnu.org/licenses/lgpl.txt) 33 | 34 | -------------------------------------------------------------------------------- /RELEASE.md: -------------------------------------------------------------------------------- 1 | # Releasing 2 | 3 | Docker image release cycle and sonar-scanner-cli product 4 | --- 5 | We consider the **docker image** as a separate component from the sonar-scanner-cli ZIP distribution, having its own release scheme. It has not always been the case. 6 | Before the 10.x release, the two components had the same release cycle. This created bad user experience when we had to release a breaking change of the docker image under the same tag. 7 | 8 | 9 | ## Tips 10 | 11 | Bump the version of packaged sonar-scanner-cli in Dockerfiles 12 | ----------------------------- 13 | 14 | The version of sonar-scanner-cli is hardcoded in the Dockerfile of this repository and must be updated in master branch. 15 | 16 | Update the docker hub sonar-scanner-cli's documentation (if applicable) 17 | ------------------------------- 18 | 19 | If needed, prepare PR of Docker Hub documentation [https://github.com/docker-library/docs](https://github.com/docker-library/docs) 20 | 21 | > Note: Please use your own fork like seen in [this closed PR](https://github.com/docker-library/docs/pull/1660) 22 | 23 | To create a good PR: 24 | 25 | 1. The markdown format must follow a certain standard, otherwise automated tests will fail. You can test with the `markdownfmt.sh` tool included in the repository, for example `./markdownfmt.sh -d sonar-scanner-cli/content.md` will output the diff that would have to be done to make the tests pass. You can use the `patch` command to apply the changes, for example: `./markdownfmt.sh -d sonar-scanner-cli/content.md | patch sonar-scanner-cli/content.md` 26 | 2. Verify the Pull Request passes the automated tests (visible in the status of the PR) 27 | 28 | To control the generated content of the Docker Hub page, look around in the files in `.template-helpers` of the [`docs` repository][docs]. For example, the "Where to get help" section is customized by a copy of `.template-helpers/get-help.md` in `sonar-scanner-cli/get-help.md`. 29 | 30 | Until sonar-scanner-cli is released and the public artifacts are available, keep your PR a draft PR to make it clear it is not ready to be merged yet. 31 | 32 | For more and up to date documentation, see https://github.com/docker-library/docs. 33 | 34 | 35 | Update Docker Hub's sonar-scanner-cli images 36 | ----------------------- 37 | 38 | In order to update the Docker Hub images, a Pull Request must be created on the [official-images](https://github.com/docker-library/official-images) repository. 39 | 40 | To do so you should use your own personal fork 41 | 42 | Create a feature branch on the fork: 43 | * `GitCommit` must be updated to this repository master branch's HEAD. 44 | * `Tags` and `Directory` must be added/updated appropriately for each edition 45 | * see https://github.com/docker-library/official-images/pull/8837/files as an example 46 | 47 | Until sonar-scanner-cli is released and the public artifacts are available, keep your PR a draft PR to make it clear it is not ready to be merged yet. 48 | * Create the PR [here](https://github.com/docker-library/official-images/compare) 49 | * If the documentation was updated in the step before, reference that PR in this PR. 50 | * Click on *compare across fork* to be able to use the fork as head repository. 51 | 52 | 53 | For more and up to date documentation, see https://github.com/docker-library/official-images. 54 | 55 | 56 | Add a GIT tag for the new version 57 | ---------------- 58 | 59 | The commit referenced in the DockerHub Pull Request must be tagged with the sonar-scanner-cli version. 60 | -------------------------------------------------------------------------------- /SECURITY.md: -------------------------------------------------------------------------------- 1 | # Reporting Security Issues 2 | 3 | A mature software vulnerability treatment process is a cornerstone of a robust information security management system. Contributions from the community play an important role in the evolution and security of our products, and in safeguarding the security and privacy of our users. 4 | 5 | If you believe you have discovered a security vulnerability in Sonar's products, we encourage you to report it immediately. 6 | 7 | To responsibly report a security issue, please email us at [security@sonarsource.com](mailto:security@sonarsource.com). Sonar’s security team will acknowledge your report, guide you through the next steps, or request additional information if necessary. Customers with a support contract can also report the vulnerability directly through the support channel. 8 | 9 | For security vulnerabilities found in third-party libraries, please also contact the library's owner or maintainer directly. 10 | 11 | ## Responsible Disclosure Policy 12 | 13 | For more information about disclosing a security vulnerability to Sonar, please refer to our community post: [Responsible Vulnerability Disclosure](https://community.sonarsource.com/t/responsible-vulnerability-disclosure/9317). -------------------------------------------------------------------------------- /bin/entrypoint.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | set -euo pipefail 4 | 5 | declare -a args=() 6 | 7 | add_env_var_as_env_prop() { 8 | if [[ -n "$1" ]]; then 9 | args+=("-D$2=$1") 10 | fi 11 | } 12 | 13 | # If there are certificates in /tmp/cacerts we will import them into the scanner truststore for backward compatibility 14 | if [[ -d /tmp/cacerts ]]; then 15 | # shellcheck disable=SC2312 16 | if [[ -n "$(ls -A /tmp/cacerts 2>/dev/null)" ]]; then 17 | mkdir -p $SONAR_USER_HOME/ssl 18 | echo "WARNING: Importing certificates from /tmp/cacerts is deprecated. You should put your certificates into $SONAR_USER_HOME/ssl/truststore.p12" 19 | # we can't use the default "sonar" password as keytool requires a password with at least 6 characters 20 | args+=("-Dsonar.scanner.truststorePassword=changeit") 21 | # for older SQ versions < 10.6 22 | export SONAR_SCANNER_OPTS="${SONAR_SCANNER_OPTS:-} -Djavax.net.ssl.trustStore=$SONAR_USER_HOME/ssl/truststore.p12 -Djavax.net.ssl.trustStorePassword=changeit" 23 | for f in /tmp/cacerts/* 24 | do 25 | echo "Importing certificate: ${f}" 26 | keytool -importcert -storetype PKCS12 -file "${f}" -alias "$(basename "${f}")" -keystore $SONAR_USER_HOME/ssl/truststore.p12 -storepass changeit -trustcacerts -noprompt 27 | done 28 | fi 29 | fi 30 | 31 | # if nothing is passed, assume we want to run sonar-scanner 32 | if [[ "$#" == 0 ]]; then 33 | set -- sonar-scanner 34 | fi 35 | 36 | # if first arg looks like a flag, assume we want to run sonar-scanner with flags 37 | if [[ "${1#-}" != "${1}" ]] || ! command -v "${1}" > /dev/null; then 38 | set -- sonar-scanner "$@" 39 | fi 40 | 41 | if [[ "$1" = 'sonar-scanner' ]]; then 42 | add_env_var_as_env_prop "${SONAR_TOKEN:-}" "sonar.token" 43 | add_env_var_as_env_prop "${SONAR_PROJECT_BASE_DIR:-}" "sonar.projectBaseDir" 44 | add_env_var_as_env_prop "${SCANNER_WORKDIR_PATH:-}" "sonar.working.directory" 45 | if [[ ${#args[@]} -ne 0 ]]; then 46 | set -- sonar-scanner "${args[@]}" "${@:2}" 47 | fi 48 | fi 49 | 50 | exec "$@" 51 | -------------------------------------------------------------------------------- /sonar-project.properties: -------------------------------------------------------------------------------- 1 | sonar.projectKey=SonarSource_sonar-scanner-cli-docker_AYc24KKjsMmHG0qPXLZ9 2 | sonar.sources=. 3 | -------------------------------------------------------------------------------- /test/cacerts/selfsigned.cer: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SonarSource/sonar-scanner-cli-docker/f660b622598416163c267755e0c51f6a6edeac41/test/cacerts/selfsigned.cer -------------------------------------------------------------------------------- /test/qa.bats: -------------------------------------------------------------------------------- 1 | load 'test_helper/bats-support/load' 2 | load 'test_helper/bats-assert/load' 3 | 4 | setup_file() { 5 | export DIR 6 | # shellcheck disable=SC2154 # BATS_TEST_FILENAME is set by bats 7 | DIR="$( cd "$( dirname "${BATS_TEST_FILENAME}" )" >/dev/null 2>&1 && pwd )" 8 | 9 | echo "# Create Docker Network for Integration Tests" >&3 10 | docker network create it-sonarqube 11 | 12 | echo "# Start SonarQube Enterprise for Integration Tests" >&3 13 | docker run -p 9000:9000 --network=it-sonarqube --name=it-sonarqube -d sonarqube:enterprise 14 | 15 | echo "# Wait for SonarQube to be up and running" >&3 16 | # shellcheck disable=2312 # The return value is irrelevant 17 | until curl http://localhost:9000/api/system/status | grep '"status":"UP"' ; do 18 | sleep 5 19 | done 20 | 21 | export ANALYSIS_TOKEN="$( curl -s -X POST --user admin:admin "http://localhost:9000/api/user_tokens/generate?type=GLOBAL_ANALYSIS_TOKEN&name=qa" | jq -r '.token' )" 22 | } 23 | 24 | teardown_file() { 25 | docker rm -f it-sonarqube 26 | docker network rm it-sonarqube 27 | } 28 | 29 | @test "scan test project" { 30 | # shellcheck disable=SC2154 # DIR is set by setup 31 | local REPO_DIR="${DIR}/../target_repository" 32 | 33 | local PROJECT_SCAN_DIR="${REPO_DIR}/sonar-scanner" 34 | scanner_props_location="${PROJECT_SCAN_DIR}/sonar-project.properties" 35 | 36 | cat < "${scanner_props_location}" 37 | sonar.projectKey=it-sonarqube-test 38 | sonar.token=${ANALYSIS_TOKEN} 39 | EOF 40 | 41 | # shellcheck disable=SC2154 # TEST_IMAGE is provided as an environment variable 42 | run docker run --network=it-sonarqube --rm \ 43 | -v "${PROJECT_SCAN_DIR}:/usr/src" \ 44 | --env SONAR_HOST_URL="http://it-sonarqube:9000" \ 45 | "${TEST_IMAGE}" 46 | 47 | assert_output --partial 'INFO EXECUTION SUCCESS' 48 | } 49 | 50 | @test "scan test project with cache mapped to host folder" { 51 | local tmpDir="" 52 | tmpDir="$(mktemp -d)" 53 | SONAR_SCANNER_CACHE="${tmpDir}/.sonar" 54 | mkdir -p "${SONAR_SCANNER_CACHE}" 55 | # let the scanner-cli user write to the cache folder 56 | chmod o+w "${SONAR_SCANNER_CACHE}" 57 | 58 | # shellcheck disable=SC2154 # DIR is set by setup_suite 59 | local REPO_DIR="${DIR}/../target_repository" 60 | 61 | local PROJECT_SCAN_DIR="${REPO_DIR}/sonar-scanner" 62 | scanner_props_location="${PROJECT_SCAN_DIR}/sonar-project.properties" 63 | 64 | cat < "${scanner_props_location}" 65 | sonar.projectKey=it-sonarqube-test 66 | sonar.token=${ANALYSIS_TOKEN} 67 | EOF 68 | 69 | # shellcheck disable=SC2154 # TEST_IMAGE is provided as an environment variable 70 | run docker run --network=it-sonarqube --rm \ 71 | -v "${PROJECT_SCAN_DIR}:/usr/src" \ 72 | -v "${SONAR_SCANNER_CACHE}:/usr/.sonar" \ 73 | --env SONAR_HOST_URL="http://it-sonarqube:9000" \ 74 | --env SONAR_USER_HOME="/usr/.sonar" \ 75 | "${TEST_IMAGE}" 76 | 77 | assert_output --partial 'INFO EXECUTION SUCCESS' 78 | 79 | rm -rf "${tmpDir}" 80 | } 81 | 82 | @test "ensure we have nodejs installed" { 83 | run docker run --rm --entrypoint=node "${TEST_IMAGE}" --version 84 | assert_output --regexp '[0-9]+\.[0-9]+\.[0-9]+' 85 | } 86 | 87 | @test "ensure we can add certificates the new way" { 88 | # shellcheck disable=SC2154 # DIR is set by setup_suite 89 | local REPO_DIR="${DIR}/../target_repository" 90 | 91 | local PROJECT_SCAN_DIR="${REPO_DIR}/sonar-scanner" 92 | scanner_props_location="${PROJECT_SCAN_DIR}/sonar-project.properties" 93 | 94 | cat < "${scanner_props_location}" 95 | sonar.projectKey=it-sonarqube-test 96 | sonar.token=${ANALYSIS_TOKEN} 97 | EOF 98 | 99 | # shellcheck disable=SC2154 # TEST_IMAGE is provided as an environment variable 100 | run docker run --network=it-sonarqube --rm \ 101 | -v "${PROJECT_SCAN_DIR}:/usr/src" \ 102 | -v ${DIR}/ssl:/opt/sonar-scanner/.sonar/ssl \ 103 | --env SONAR_HOST_URL="http://it-sonarqube:9000" \ 104 | "${TEST_IMAGE}" 105 | 106 | assert_output --partial 'INFO EXECUTION SUCCESS' 107 | } 108 | 109 | @test "ensure we can add certificates the old way" { 110 | # shellcheck disable=SC2154 # DIR is set by setup_suite 111 | local REPO_DIR="${DIR}/../target_repository" 112 | 113 | local PROJECT_SCAN_DIR="${REPO_DIR}/sonar-scanner" 114 | scanner_props_location="${PROJECT_SCAN_DIR}/sonar-project.properties" 115 | 116 | cat < "${scanner_props_location}" 117 | sonar.projectKey=it-sonarqube-test 118 | sonar.token=${ANALYSIS_TOKEN} 119 | EOF 120 | 121 | # shellcheck disable=SC2154 # TEST_IMAGE is provided as an environment variable 122 | run docker run --network=it-sonarqube --rm \ 123 | -v "${PROJECT_SCAN_DIR}:/usr/src" \ 124 | -v ${DIR}/cacerts:/tmp/cacerts \ 125 | --env SONAR_HOST_URL="http://it-sonarqube:9000" \ 126 | "${TEST_IMAGE}" 127 | 128 | assert_output --partial 'Importing certificates from /tmp/cacerts is deprecated' 129 | assert_output --partial 'INFO EXECUTION SUCCESS' 130 | } 131 | -------------------------------------------------------------------------------- /test/ssl/truststore.p12: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SonarSource/sonar-scanner-cli-docker/f660b622598416163c267755e0c51f6a6edeac41/test/ssl/truststore.p12 --------------------------------------------------------------------------------