diff --git a/.gitlab/merge_request_templates/new_feature.md b/.gitlab/merge_request_templates/new_feature.md index 74abae94c94dc0768bb5c51fe51ad253fce113fe..491b7f98ded7e0da03d18c95978eafcb7d86619f 100644 --- a/.gitlab/merge_request_templates/new_feature.md +++ b/.gitlab/merge_request_templates/new_feature.md @@ -8,8 +8,8 @@ Closes #999 ## Checklist * General: - * [ ] use [rules](https://docs.gitlab.com/ee/ci/yaml/#rules) instead of [only/except](https://docs.gitlab.com/ee/ci/yaml/#onlyexcept-advanced) - * [ ] optimized [cache](https://docs.gitlab.com/ee/ci/caching/) configuration (wherever applicable) + * [ ] use [rules](https://docs.gitlab.com/ci/yaml/#rules) instead of [only/except](https://docs.gitlab.com/ci/yaml/#onlyexcept-advanced) + * [ ] optimized [cache](https://docs.gitlab.com/ci/caching/) configuration (wherever applicable) * Publicly usable: * [ ] untagged runners * [ ] no proxy configuration but support `http_proxy`/`https_proxy`/`no_proxy` diff --git a/CHANGELOG.md b/CHANGELOG.md index da003ae5ebd29d25cee85c177f042efbc0c65d37..4aa14b1cd4d02f237328260e04686b8c1d445334 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,11 @@ -# [4.3.0](https://git.code.tecnalia.dev/smartdatalab/public/ci-cd-components/sonar/compare/4.2.4...4.3.0) (2025-01-29) +## [4.3.1](https://gitlab.com/to-be-continuous/sonar/compare/4.3.0...4.3.1) (2025-03-20) + + +### Bug Fixes + +* use keystore when either DEFAULT_CA_CERTS or CUSTOM_CA_CERTS are set ([b4373ed](https://gitlab.com/to-be-continuous/sonar/commit/b4373edbbb58bc048c351d824e30b823cb94cc06)) + +# [4.3.0](https://gitlab.com/to-be-continuous/sonar/compare/4.2.4...4.3.0) (2025-01-27) ### Features diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 2c732f57dbd940c69f124644cd02dd64338b453e..c7993ac14853a911df1c40b1a497f9528a17830e 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md 
@@ -61,7 +61,7 @@ To contribute: 1. Create an issue describing the bug or enhancement you want to propose (select the right issue template). 2. Make sure the issue has been reviewed and agreed. -3. Create a Merge Request, from your **own** fork (see [forking workflow](https://docs.gitlab.com/ee/user/project/repository/forking_workflow.html) documentation). +3. Create a Merge Request, from your **own** fork (see [forking workflow](https://docs.gitlab.com/user/project/repository/forking_workflow/) documentation). Don't hesitate to mark your MR as `Draft` as long as you think it's not ready to be reviewed. ### Git Commit Conventions diff --git a/README.md b/README.md index ac6a623b91d23e1d6c267aad7fdf1187d045f1d7..2183f2c06a7938d7b663d7edd1f71b8cb9699032 100644 --- a/README.md +++ b/README.md @@ -7,7 +7,7 @@ security vulnerabilities as early as possible. ## Usage -This template can be used both as a [CI/CD component](https://docs.gitlab.com/ee/ci/components/#use-a-component) or using the legacy [`include:project`](https://docs.gitlab.com/ee/ci/yaml/index.html#includeproject) syntax. +This template can be used both as a [CI/CD component](https://docs.gitlab.com/ci/components/#use-a-component) or using the legacy [`include:project`](https://docs.gitlab.com/ci/yaml/#includeproject) syntax. ### Use as a CI/CD component @@ -16,7 +16,7 @@ Add the following to your `.gitlab-ci.yml`: ```yaml include: # 1: include the component - - component: $CI_SERVER_FQDN/to-be-continuous/sonar/gitlab-ci-sonar@4.3.0 + - component: $CI_SERVER_FQDN/to-be-continuous/sonar/gitlab-ci-sonar@4.3.1 # 2: set/override component inputs inputs: host-url: https://sonarqube.acme.host # ⚠ this is only an example @@ -30,7 +30,7 @@ Add the following to your `.gitlab-ci.yml`: include: # 1: include the template - project: 'to-be-continuous/sonar' - ref: '4.3.0' + ref: '4.3.1' file: '/templates/gitlab-ci-sonar.yml' variables: 
@@ -46,7 +46,7 @@ It is bound to the `test` stage, and uses the following variables: | Input / Variable | Description | Default value | | ------------------------ | ------------------------------- | ----------------------------- | -| `scanner-image` / `SONAR_SCANNER_IMAGE` | The Docker image used to run [sonar-scanner](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/scanners/sonarscanner/) | `registry.hub.docker.com/sonarsource/sonar-scanner-cli:latest` | +| `scanner-image` / `SONAR_SCANNER_IMAGE` | The Docker image used to run [sonar-scanner](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/scanners/sonarscanner/) | `registry.hub.docker.com/sonarsource/sonar-scanner-cli:latest` <br/>[](https://to-be-continuous.gitlab.io/doc/secu/trivy-SONAR_SCANNER_IMAGE) | | `host-url` / `SONAR_HOST_URL` | SonarQube server url | _none_ (disabled) | | `project-key` / `SONAR_PROJECT_KEY` | SonarQube Project Key (might also be set in the `sonar-project.properties` file) | fallbacks to `$CI_PROJECT_PATH_SLUG` (see below) | | `project-name` / `SONAR_PROJECT_NAME` | SonarQube Project Name (might also be set in the `sonar-project.properties` file) | fallbacks to `$CI_PROJECT_PATH` (see below) | 
@@ -65,7 +65,7 @@ from GitLab's environment variables. :warning: This feature also depends on your SonarQube server version and license. If using Community Edition, you'll have to install the [sonarqube-community-branch-plugin](https://github.com/mc1arke/sonarqube-community-branch-plugin) to enable automatic Branch & Merge Request analysis (only works from SonarQube version 8). -:warning: Merge Request Analysis only works if you're running [Merge Request pipeline](https://docs.gitlab.com/ee/ci/yaml/workflow.html#switch-between-branch-pipelines-and-merge-request-pipelines) strategy (default). +:warning: Merge Request Analysis only works if you're running [Merge Request pipeline](https://docs.gitlab.com/ci/yaml/workflow/#switch-between-branch-pipelines-and-merge-request-pipelines) strategy (default). ### Configuring SonarQube project key, project name and other parameters @@ -96,7 +96,7 @@ In order to be able to communicate with the Vault server, the variant requires t | :lock: `VAULT_ROLE_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID | _none_ | | :lock: `VAULT_SECRET_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID | _none_ | -By default, the variant will authentifacte using a [JWT ID token](https://docs.gitlab.com/ee/ci/secrets/id_token_authentication.html). To use [AppRole](https://www.vaultproject.io/docs/auth/approle) instead the `VAULT_ROLE_ID` and `VAULT_SECRET_ID` should be defined as secret project variables. +By default, the variant will authentifacte using a [JWT ID token](https://docs.gitlab.com/ci/secrets/id_token_authentication/). To use [AppRole](https://www.vaultproject.io/docs/auth/approle) instead the `VAULT_ROLE_ID` and `VAULT_SECRET_ID` should be defined as secret project variables. #### Usage 
@@ -118,9 +118,9 @@ With: ```yaml include: # main template - - component: $CI_SERVER_FQDN/to-be-continuous/sonar/gitlab-ci-sonar@4.3.0 + - component: $CI_SERVER_FQDN/to-be-continuous/sonar/gitlab-ci-sonar@4.3.1 # Vault variant - - component: $CI_SERVER_FQDN/to-be-continuous/sonar/gitlab-ci-sonar-vault@4.3.0 + - component: $CI_SERVER_FQDN/to-be-continuous/sonar/gitlab-ci-sonar-vault@4.3.1 inputs: # audience claim for JWT vault-oidc-aud: "https://vault.acme.host" diff --git a/templates/gitlab-ci-sonar-vault.yml b/templates/gitlab-ci-sonar-vault.yml index 7b496b2b6bd5d111ae58df2c2f3c0539413a59c6..0db57458cbfe0d10d10d1cf050295051fed22abb 100644 --- a/templates/gitlab-ci-sonar-vault.yml +++ b/templates/gitlab-ci-sonar-vault.yml @@ -22,7 +22,7 @@ variables: sonar: services: - name: "$TBC_TRACKING_IMAGE" - command: ["--service", "sonar", "4.3.0"] + command: ["--service", "sonar", "4.3.1"] - name: "$TBC_VAULT_IMAGE" alias: "vault-secrets-provider" variables: diff --git a/templates/gitlab-ci-sonar.yml b/templates/gitlab-ci-sonar.yml index c31c5d4aee89e7ed750783930adc5a4b095ea31c..3e0d494e01841ca439125b7c0b2f184d26dbcbe2 100644 --- a/templates/gitlab-ci-sonar.yml +++ b/templates/gitlab-ci-sonar.yml @@ -395,7 +395,7 @@ sonar: entrypoint: [""] services: - name: "$TBC_TRACKING_IMAGE" - command: ["--service", "sonar", "4.3.0"] + command: ["--service", "sonar", "4.3.1"] variables: # see: https://docs.sonarsource.com/sonarqube-server/latest/devops-platform-integration/gitlab-integration/setting-up-at-project-level/ SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar" # Defines the location of the analysis task cache 
@@ -436,13 +436,11 @@ sonar: export SONAR_TOKEN="$SONAR_AUTH_TOKEN" fi - | - if [[ -z "$CUSTOM_CA_CERTS" ]] + if [[ "$CUSTOM_CA_CERTS" ]] || [[ "$DEFAULT_CA_CERTS" ]] then - log_info '$CUSTOM_CA_CERTS not set: using default keystore' - else - log_info '$CUSTOM_CA_CERTS variable detected: using writable keystore path (/tmp/writable_keystore)' + log_info "Custom CA certificates detected: using custom Java KeyStore" export CUSTOM_KEYSTORE_PATH="/tmp/writable_keystore" - export CUSTOM_KEYSTORE_PASSWORD="changeit" + export CUSTOM_KEYSTORE_PASSWORD=${JAVA_KEYSTORE_PASSWORD:-changeit} fi - >- sonar-scanner ${TRACE+-Dsonar.verbose=true} $java_proxy_args
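Review bot: in the CHANGELOG.md hunk (`@@ -1,4 +1,11`), the existing 4.3.0 entry is rewritten rather than just preceded by the new 4.3.1 entry: its compare URL moves from git.code.tecnalia.dev to gitlab.com and its date changes from 2025-01-29 to 2025-01-27. If the release tooling regenerated the entry against the new remote, the commit message should say so; otherwise the date change looks accidental and the 4.3.0 line should keep its original date while only the URL is updated.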
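Review bot: in the README.md hunk (`@@ -46,7 +46,7`), the link appended to the `SONAR_SCANNER_IMAGE` default value, `<br/>[](https://to-be-continuous.gitlab.io/doc/secu/trivy-SONAR_SCANNER_IMAGE)`, has empty link text, so nothing is rendered and the image-scan report it points at cannot be reached from the table. Give the link visible text or the badge image it presumably wraps, e.g. `[trivy scan](https://to-be-continuous.gitlab.io/doc/secu/trivy-SONAR_SCANNER_IMAGE)`.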
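Review bot: in the README.md hunk (`@@ -96,7 +96,7`), the line is being rewritten anyway, so fix the typo carried over from the removed line: `authentifacte` should read `authenticate`.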
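Review bot: in the templates/gitlab-ci-sonar.yml hunk (`@@ -436,13 +436,11`), the new password expansion is unquoted; write `export CUSTOM_KEYSTORE_PASSWORD="${JAVA_KEYSTORE_PASSWORD:-changeit}"` so a password containing whitespace or glob characters survives intact (bash is lenient with `export` assignments, but quoting costs nothing and removes the dependency on that behaviour). Two smaller points: the new `log_info "Custom CA certificates detected: using custom Java KeyStore"` no longer says which of `CUSTOM_CA_CERTS` or `DEFAULT_CA_CERTS` triggered the branch, which the removed message did, so naming the variable would help when debugging keystore problems; and `JAVA_KEYSTORE_PASSWORD` is a variable the template now consumes but it does not appear in any of the README hunks here, so if it is not already documented it should be added to the variables table so users know how to replace the `changeit` default.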