diff --git a/CHANGELOG.md b/CHANGELOG.md
index aa8ac590390c3fc92e0f0ebf592fad5ad2e93289..3d7985a9df31434e01c4a44d2ca94c5814b0abdb 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,9 +1,9 @@
-## [4.2.3](https://git.code.tecnalia.dev/smartdatalab/public/ci-cd-components/sonar/compare/4.2.2...4.2.3) (2024-05-20)
+## [4.2.4](https://gitlab.com/to-be-continuous/sonar/compare/4.2.3...4.2.4) (2024-10-20)
### Bug Fixes
-* **workflow:** disable MR pipeline from prod & integ branches ([3973282](https://git.code.tecnalia.dev/smartdatalab/public/ci-cd-components/sonar/commit/397328287bfc50c0ccc93856597e699210dbcbfc))
+* **newer-sonar-image:** permissions for custom certificates ([6bc534d](https://gitlab.com/to-be-continuous/sonar/commit/6bc534d7b4df7bb558dd3ca3e9f922ef5ebf0882))
## [4.2.3](https://gitlab.com/to-be-continuous/sonar/compare/4.2.2...4.2.3) (2024-05-05)
diff --git a/README.md b/README.md
index 6b7cda3234882f00fedeff0af0377485fc7b4f19..873c0878419142dd1f046d8e7589329e0c9a36e2 100644
--- a/README.md
+++ b/README.md
@@ -16,7 +16,7 @@ Add the following to your `.gitlab-ci.yml`:
```yaml
include:
# 1: include the component
- - component: $CI_SERVER_FQDN/to-be-continuous/sonar/gitlab-ci-sonar@4.2.3
+ - component: $CI_SERVER_FQDN/to-be-continuous/sonar/gitlab-ci-sonar@4.2.4
# 2: set/override component inputs
inputs:
host-url: https://sonarqube.acme.host # âš this is only an example
@@ -30,7 +30,7 @@ Add the following to your `.gitlab-ci.yml`:
include:
# 1: include the template
- project: 'to-be-continuous/sonar'
- ref: '4.2.3'
+ ref: '4.2.4'
file: '/templates/gitlab-ci-sonar.yml'
variables:
@@ -46,11 +46,11 @@ It is bound to the `test` stage, and uses the following variables:
| Input / Variable | Description | Default value |
| ------------------------ | ------------------------------- | ----------------------------- |
-| `scanner-image` / `SONAR_SCANNER_IMAGE` | The Docker image used to run [sonar-scanner](https://docs.sonarqube.org/latest/analysis/scan/sonarscanner/) | `registry.hub.docker.com/sonarsource/sonar-scanner-cli:latest` |
+| `scanner-image` / `SONAR_SCANNER_IMAGE` | The Docker image used to run [sonar-scanner](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/scanners/sonarscanner/) | `registry.hub.docker.com/sonarsource/sonar-scanner-cli:latest` |
| `host-url` / `SONAR_HOST_URL` | SonarQube server url | _none_ (disabled) |
| `project-key` / `SONAR_PROJECT_KEY` | SonarQube Project Key (might also be set in the `sonar-project.properties` file) | fallbacks to `$CI_PROJECT_PATH_SLUG` (see below) |
| `project-name` / `SONAR_PROJECT_NAME` | SonarQube Project Name (might also be set in the `sonar-project.properties` file) | fallbacks to `$CI_PROJECT_PATH` (see below) |
-| :lock: `SONAR_TOKEN` | SonarQube authentication [token](https://docs.sonarqube.org/latest/user-guide/user-token/) (depends on your authentication method) | _none_ |
+| :lock: `SONAR_TOKEN` | SonarQube authentication [token](https://docs.sonarsource.com/sonarqube-server/latest/user-guide/managing-tokens/) (depends on your authentication method) | _none_ |
| :lock: `SONAR_LOGIN` | SonarQube login (depends on your authentication method) | _none_ |
| :lock: `SONAR_PASSWORD` | SonarQube password (depends on your authentication method) | _none_ |
| `base-args` / `SONAR_BASE_ARGS` | SonarQube [analysis arguments](https://docs.sonarqube.org/latest/analysis/analysis-parameters/) | `-Dsonar.links.homepage=${CI_PROJECT_URL} -Dsonar.links.ci=${CI_PROJECT_URL}/-/pipelines -Dsonar.links.issue=${CI_PROJECT_URL}/-/issues` |
@@ -59,7 +59,7 @@ It is bound to the `test` stage, and uses the following variables:
### Automatic Branch Analysis & Merge Request Analysis
-This template relies on SonarScanner's [GitLab integration](https://docs.sonarqube.org/latest/analysis/gitlab-integration), that is able to auto-detect whether to launch Branch Analysis or Merge Request Analysis
+This template relies on SonarScanner's [GitLab integration](https://docs.sonarsource.com/sonarqube-server/latest/devops-platform-integration/gitlab-integration/introduction/), that is able to auto-detect whether to launch Branch Analysis or Merge Request Analysis
from GitLab's environment variables.
:warning: This feature also depends on your SonarQube server version and license.
@@ -73,8 +73,8 @@ You shall define your SonarQube project key and project name in a `sonar-project
Note that when not explictly set, the template will use `$CI_PROJECT_PATH_SLUG` and `$CI_PROJECT_PATH` as fallback project key and project name.
-The `sonar-project.properties` file is also the recommended way to configure other SonarQube [analysis parameters](https://docs.sonarqube.org/latest/analysis/analysis-parameters/)
-as well as [language specific parameters](https://docs.sonarqube.org/latest/analyzing-source-code/test-coverage/overview/).
+The `sonar-project.properties` file is also the recommended way to configure other SonarQube [analysis parameters](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/analysis-parameters/)
+as well as [language specific parameters](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/test-coverage/test-coverage-parameters/).
Each _to-be-continuous_ build template shall briefly document the supported language-specific SonarQube parameters.
@@ -91,10 +91,12 @@ In order to be able to communicate with the Vault server, the variant requires t
| Input / Variable | Description | Default value |
| ----------------- | -------------------------------------- | ----------------- |
| `TBC_VAULT_IMAGE` | The [Vault Secrets Provider](https://gitlab.com/to-be-continuous/tools/vault-secrets-provider) image to use (can be overridden) | `registry.gitlab.com/to-be-continuous/tools/vault-secrets-provider:latest` |
-| `vault-base-url` / `VAULT_BASE_URL` | The Vault server base API url | _none_ |
+| `vault-base-url` / `VAULT_BASE_URL` | The Vault server base API url | **must be defined** |
| `vault-oidc-aud` / `VAULT_OIDC_AUD` | The `aud` claim for the JWT | `$CI_SERVER_URL` |
-| :lock: `VAULT_ROLE_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID | **must be defined** |
-| :lock: `VAULT_SECRET_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID | **must be defined** |
+| :lock: `VAULT_ROLE_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID | _none_ |
+| :lock: `VAULT_SECRET_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID | _none_ |
+
+By default, the variant will authentifacte using a [JWT ID token](https://docs.gitlab.com/ee/ci/secrets/id_token_authentication.html). To use [AppRole](https://www.vaultproject.io/docs/auth/approle) instead the `VAULT_ROLE_ID` and `VAULT_SECRET_ID` should be defined as secret project variables.
#### Usage
@@ -116,9 +118,9 @@ With:
```yaml
include:
# main template
- - component: $CI_SERVER_FQDN/to-be-continuous/sonar/gitlab-ci-sonar@4.2.3
+ - component: $CI_SERVER_FQDN/to-be-continuous/sonar/gitlab-ci-sonar@4.2.4
# Vault variant
- - component: $CI_SERVER_FQDN/to-be-continuous/sonar/gitlab-ci-sonar-vault@4.2.3
+ - component: $CI_SERVER_FQDN/to-be-continuous/sonar/gitlab-ci-sonar-vault@4.2.4
inputs:
# audience claim for JWT
vault-oidc-aud: "https://vault.acme.host"
@@ -127,5 +129,4 @@ include:
variables:
# Secrets managed by Vault
SONAR_TOKEN: "@url@http://vault-secrets-provider/api/secrets/b7ecb6ebabc231/my-app/sonar?field=token"
- # $VAULT_ROLE_ID and $VAULT_SECRET_ID defined as a secret CI/CD variable
```
diff --git a/bumpversion.sh b/bumpversion.sh
index 329e866dac988c049574a0a9f26ba89979c523a8..708faf434d2459d63b2bdaceada5eb32b0fd39eb 100755
--- a/bumpversion.sh
+++ b/bumpversion.sh
@@ -27,7 +27,7 @@ if [[ "$curVer" ]]; then
log_info "Bump version from \\e[33;1m${curVer}\\e[0m to \\e[33;1m${nextVer}\\e[0m (release type: $relType)..."
# replace in README
- sed -e "s/ref: *'$curVer'/ref: '$nextVer'/" -e "s/ref: *\"$curVer\â€/ref: \â€$nextVer\â€/" -e "s/component: *\(.*\)@$curVer/component: \1@$nextVer/" README.md > README.md.next
+ sed -e "s/ref: *'$curVer'/ref: '$nextVer'/" -e "s/ref: *\"$curVer\"/ref: \"$nextVer\"/" -e "s/component: *\(.*\)@$curVer/component: \1@$nextVer/" README.md > README.md.next
mv -f README.md.next README.md
# replace in template and variants
diff --git a/kicker.json b/kicker.json
index aedb2d177e7b019ad722d84cc43a768e3086406b..c897b3e558b2915611608bf25967b746a5b62c75 100644
--- a/kicker.json
+++ b/kicker.json
@@ -8,7 +8,7 @@
"variables": [
{
"name": "SONAR_SCANNER_IMAGE",
- "description": "The Docker image used to run [sonar-scanner](https://docs.sonarqube.org/latest/analysis/scan/sonarscanner/)",
+ "description": "The Docker image used to run [sonar-scanner](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/scanners/sonarscanner/)",
"default": "registry.hub.docker.com/sonarsource/sonar-scanner-cli:latest"
},
{
@@ -44,13 +44,13 @@
},
{
"name": "SONAR_BASE_ARGS",
- "description": "SonarQube [analysis arguments](https://docs.sonarqube.org/latest/analysis/analysis-parameters/)",
+ "description": "SonarQube [analysis arguments](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/analysis-parameters/)",
"default": "-Dsonar.links.homepage=${CI_PROJECT_URL} -Dsonar.links.ci=${CI_PROJECT_URL}/-/pipelines -Dsonar.links.issue=${CI_PROJECT_URL}/-/issues",
"advanced": true
},
{
"name": "SONAR_QUALITY_GATE_ENABLED",
- "description": "Enables SonarQube [Quality Gate](https://docs.sonarqube.org/latest/user-guide/quality-gates/) verification.\n\n_Uses `sonar.qualitygate.wait` parameter ([see doc](https://docs.sonarqube.org/latest/analysis/ci-integration-overview/#header-1))._",
+ "description": "Enables SonarQube [Quality Gate](https://docs.sonarsource.com/sonarqube-server/latest/instance-administration/analysis-functions/quality-gates/) verification.\n\n_Uses `sonar.qualitygate.wait` parameter ([see doc](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/ci-integration/overview/#quality-gate-fails))._",
"type": "boolean"
},
{
diff --git a/templates/gitlab-ci-sonar-vault.yml b/templates/gitlab-ci-sonar-vault.yml
index 49c9e142b8a5ea4c39eb9197446d5288f812fa3c..3f7754b5eb11e4d1a833aa317dce9c1ae83cd62b 100644
--- a/templates/gitlab-ci-sonar-vault.yml
+++ b/templates/gitlab-ci-sonar-vault.yml
@@ -22,7 +22,7 @@ variables:
sonar:
services:
- name: "$TBC_TRACKING_IMAGE"
- command: ["--service", "sonar", "4.2.3"]
+ command: ["--service", "sonar", "4.2.4"]
- name: "$TBC_VAULT_IMAGE"
alias: "vault-secrets-provider"
variables:
diff --git a/templates/gitlab-ci-sonar.yml b/templates/gitlab-ci-sonar.yml
index d2b64a915ee583a0394f5d6c6f4a31981b73f1ad..756cba00dab9ce8671083546320f9df211bdc389 100644
--- a/templates/gitlab-ci-sonar.yml
+++ b/templates/gitlab-ci-sonar.yml
@@ -17,7 +17,7 @@
spec:
inputs:
scanner-image:
- description: The Docker image used to run [sonar-scanner](https://docs.sonarqube.org/latest/analysis/scan/sonarscanner/)
+ description: The Docker image used to run [sonar-scanner](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/scanners/sonarscanner/)
default: registry.hub.docker.com/sonarsource/sonar-scanner-cli:latest
host-url:
description: SonarQube server url
@@ -29,16 +29,16 @@ spec:
description: SonarQube Project Name (might also be set in the `sonar-project.properties` file)
default: ''
base-args:
- description: SonarQube [analysis arguments](https://docs.sonarqube.org/latest/analysis/analysis-parameters/)
+ description: SonarQube [analysis arguments](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/analysis-parameters/)
default: >-
-Dsonar.links.homepage=${CI_PROJECT_URL}
-Dsonar.links.ci=${CI_PROJECT_URL}/-/pipelines
-Dsonar.links.issue=${CI_PROJECT_URL}/-/issues
quality-gate-enabled:
description: |-
- Enables SonarQube [Quality Gate](https://docs.sonarqube.org/latest/user-guide/quality-gates/) verification.
+ Enables SonarQube [Quality Gate](https://docs.sonarsource.com/sonarqube-server/latest/instance-administration/analysis-functions/quality-gates/) verification.
- _Uses `sonar.qualitygate.wait` parameter ([see doc](https://docs.sonarqube.org/latest/analysis/ci-integration-overview/#header-1))._
+ _Uses `sonar.qualitygate.wait` parameter ([see doc](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/ci-integration/overview/#quality-gate-fails))._
type: boolean
default: false
sonar-job-tags:
@@ -101,8 +101,8 @@ variables:
SONAR_PROJECT_NAME: $[[ inputs.project-name ]]
SONAR_QUALITY_GATE_ENABLED: $[[ inputs.quality-gate-enabled ]]
# Sonar base analysis default args
- # see: https://docs.sonarqube.org/latest/analysis/analysis-parameters/
- # default uses branch analysis: https://docs.sonarqube.org/latest/branches/overview/
+ # see: https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/analysis-parameters/
+ # default uses branch analysis: https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/branch-analysis/introduction/
SONAR_BASE_ARGS: $[[ inputs.base-args ]]
# default production ref name (pattern)
@@ -152,15 +152,17 @@ stages:
then
return
fi
+ # creat a writable folder for the keystore and certs
+ mkdir -p /tmp/certs
# import in system
- if echo "$certs" >> /etc/ssl/certs/ca-certificates.crt
+ if echo "$certs" >> /tmp/certs/ca-certificates.crt
then
- log_info "CA certificates imported in \\e[33;1m/etc/ssl/certs/ca-certificates.crt\\e[0m"
+ log_info "CA certificates imported in \\e[33;1m/tmp/certs/ca-certificates.crt\\e[0m"
fi
- if echo "$certs" >> /etc/ssl/cert.pem
+ if echo "$certs" >> /tmp/certs/cert.pem
then
- log_info "CA certificates imported in \\e[33;1m/etc/ssl/cert.pem\\e[0m"
+ log_info "CA certificates imported in \\e[33;1m/tmp/certs/cert.pem\\e[0m"
fi
# import in Java keystore (if keytool command found)
@@ -172,6 +174,10 @@ stages:
keystore=${JAVA_KEYSTORE_PATH:-$(ls -1 $javahome/jre/lib/security/cacerts 2>/dev/null || ls -1 $javahome/lib/security/cacerts 2>/dev/null || echo "")}
if [[ -f "$keystore" ]]
then
+ # copy keystore into writable folder
+ cp -L -r --no-preserve=mode "$keystore" /tmp/writable_keystore
+ # set writable keystore as keystore
+ keystore="/tmp/writable_keystore"
storepass=${JAVA_KEYSTORE_PASSWORD:-changeit}
nb_certs=$(echo "$certs" | grep -c 'END CERTIFICATE')
log_info "importing $nb_certs certificates in Java keystore \\e[33;1m$keystore\\e[0m..."
@@ -392,9 +398,9 @@ sonar:
entrypoint: [""]
services:
- name: "$TBC_TRACKING_IMAGE"
- command: ["--service", "sonar", "4.2.3"]
+ command: ["--service", "sonar", "4.2.4"]
variables:
- # see: https://docs.sonarqube.org/latest/analysis/gitlab-integration/#header-4
+ # see: https://docs.sonarsource.com/sonarqube-server/latest/devops-platform-integration/gitlab-integration/setting-up-at-project-level/
SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar" # Defines the location of the analysis task cache
GIT_DEPTH: 0 # Tells git to fetch all the branches of the project, required by the analysis task
cache:
@@ -432,8 +438,19 @@ sonar:
log_warn '$SONAR_AUTH_TOKEN variable detected: use $SONAR_TOKEN instead (see doc)'
export SONAR_TOKEN="$SONAR_AUTH_TOKEN"
fi
+ - |
+ if [[ -z "$CUSTOM_CA_CERTS" ]]
+ then
+ log_info '$CUSTOM_CA_CERTS not set: using default keystore'
+ else
+ log_info '$CUSTOM_CA_CERTS variable detected: using writable keystore path (/tmp/writable_keystore)'
+ export CUSTOM_KEYSTORE_PATH="/tmp/writable_keystore"
+ export CUSTOM_KEYSTORE_PASSWORD="changeit"
+ fi
- >-
- sonar-scanner ${TRACE+-Dsonar.verbose=true} $java_proxy_args
+ sonar-scanner ${TRACE+-Dsonar.verbose=true} $java_proxy_args
+ ${CUSTOM_KEYSTORE_PATH:+-Dsonar.scanner.truststorePath=$CUSTOM_KEYSTORE_PATH}
+ ${CUSTOM_KEYSTORE_PASSWORD:+-Dsonar.scanner.truststorePassword=$CUSTOM_KEYSTORE_PASSWORD}
${SONAR_LOGIN:+-Dsonar.login=$SONAR_LOGIN}
${SONAR_PASSWORD:+-Dsonar.password=$SONAR_PASSWORD}
${SONAR_PROJECT_KEY:+-Dsonar.projectKey=$SONAR_PROJECT_KEY}