diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index d0f6083..3f43f0d 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -1,2 +1 @@ -# https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners .github/CODEOWNERS @sonarsource/analysis-experience-squad diff --git a/.github/workflows/qa.yml b/.github/workflows/qa.yml new file mode 100644 index 0000000..3c3bde8 --- /dev/null +++ b/.github/workflows/qa.yml 
@@ -0,0 +1,84 @@
+name: Tests
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+ types: [opened, synchronize, reopened]
+
+jobs:
+ output-test:
+ name: Test action outputs
+ strategy:
+ matrix:
+ os: [ubuntu-latest, windows-latest, macos-latest, macos-13]
+ cache: [true, false]
+ include:
+ - arch: X64
+ - os: macos-latest
+ arch: ARM64
+ runs-on: ${{ matrix.os }}
+ steps:
+ # Specifying a specific architecture of the runner is not possible for Github hosted runners
+ # We can only check if the runner architecture matches the expected one
+ - name: check_runner_arch
+ shell: bash
+ run: |
+ echo "Runner architecture: ${{ runner.arch }}"
+ if [[ "${{ runner.arch }}" != "${{ matrix.arch }}" ]]; then
+ echo "##[error]Runner architecture does not match the expected one"
+ exit 1
+ fi
+
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis
+
+ - name: Run SonarCloud C/C++ action
+ id: run-action
+ uses: ./
+ with:
+ cache-binaries: ${{ matrix.cache }}
+
+ - name: SONAR_HOST_URL is set
+ shell: bash
+ run: |
+ [[ $SONAR_HOST_URL == "https://sonarcloud.io" ]]
+
+ - name: sonar-scanner is installed and in PATH
+ run: |
+ sonar-scanner --help | grep "usage: sonar-scanner "
+
+ - name: sonar-scanner-binary output is correct
+ shell: bash
+ env:
+ BINARY: ${{ steps.run-action.outputs.sonar-scanner-binary }}
+ run: |
+ "$BINARY" --help | grep "usage: sonar-scanner "
+
+ # build-wrapper does not have --help or equivalent option.
+ # Pass to few arguments and ignore error code
+ - name: build-wrapper is installed and in PATH on Windows
+ if: runner.os == 'Windows'
+ shell: bash
+ run: |
+ (build-wrapper-win-x86-64.exe || true) | grep "build-wrapper, version "
+
+ - name: build-wrapper is installed and in PATH on Linux
+ if: runner.os == 'Linux'
+ shell: bash
+ run: |
+ (build-wrapper-linux-x86-64 || true) | grep "build-wrapper, version "
+
+ - name: build-wrapper is installed and in PATH on macOS
+ if: runner.os == 'macOs'
+ shell: bash
+ run: |
+ (build-wrapper-macosx-x86 || true) | grep "build-wrapper, version "
+
+ - name: build-wrapper-binary output is correct
+ shell: bash
+ env:
+ BINARY: ${{ steps.run-action.outputs.build-wrapper-binary }}
+ run: |
+ ("$BINARY" || true) | grep "build-wrapper, version "
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
deleted file mode 100644
index 7ec25c8..0000000
--- a/.github/workflows/tests.yml
+++ /dev/null
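Review bot: No `permissions:` block is declared anywhere in this workflow, so both the `pull_request` and `push` runs receive the repository's default GITHUB_TOKEN grant although the only thing the visible steps need is a checkout; add a top-level `permissions:` with `contents: read` so a PR branch that modifies the action under test (it runs from the PR's own checkout via `uses: ./`) cannot turn the token into a write. `actions/checkout@v4` is a floating tag, while update-tags.yml in this same commit pins `madhead/semver-utils` to a full commit SHA with the version in a trailing comment; pin checkout the same way so the test workflow's dependencies are immutable. In `check_runner_arch`, `${{ runner.arch }}` and `${{ matrix.arch }}` are expanded straight into the bash script; neither context is attacker-controlled here, but routing them through `env:` (e.g. `EXPECTED_ARCH: ${{ matrix.arch }}` and `[[ "$RUNNER_ARCH" != "$EXPECTED_ARCH" ]]`) is the habit that keeps `run:` blocks free of expression injection.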
@@ -1,432 +0,0 @@ -name: Tests -on: - push: - branches: - - main - pull_request: - types: [opened, synchronize, reopened] - -jobs: - create-install-dir-test: - name: create_install_path.sh script test - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis - - - name: Existing - shell: bash - env: - INSTALL_PATH: '.sonar' - run: | - echo "- Create dir" - mkdir -p "${INSTALL_PATH}" - - echo "- Test script behavior" - ./scripts/create_install_path.sh > output - grep -v "::error::" output - - - name: Non-existing nested in current dir - shell: bash - env: - INSTALL_PATH: '.sonar' - run: | - ./scripts/create_install_path.sh > output - grep -v "::error::" output - test -d "${INSTALL_PATH}" - - - name: Nonexisting nested in home - shell: bash - env: - INSTALL_PATH: '~/third_party/.sonar' - run: | - ./scripts/create_install_path.sh > output - grep -v "::error::" output - test -d "${INSTALL_PATH}" - - - name: Empty install dir specified - shell: bash - env: - INSTALL_PATH: '' - run: | - (./scripts/create_install_path.sh || echo "=== Script failed ===") > output - grep "::error::Empty installation path specified" output - grep "=== Script failed ===" output - - - name: No permission to create directory - shell: bash - env: - INSTALL_PATH: '/non_creatable' - run: | - (./scripts/create_install_path.sh || echo "=== Script failed ===") > output - grep "::error::Failed to create non-existing installation path '/non_creatable'" output - grep "=== Script failed ===" output - - - name: Existing but not directory - shell: bash - env: - INSTALL_PATH: 'not_directory' - run: | - echo "- Create normal file" - echo "content" > "${INSTALL_PATH}" - - echo "- Test script behavior" - (./scripts/create_install_path.sh || echo "=== Script failed ===") > output - grep "::error::Installation path 'not_directory' is not a directory" output - grep "=== Script failed ===" output - - - - name: 
Existing but not readable - shell: bash - env: - INSTALL_PATH: 'not_readable' - run: | - echo "- Create dir and make it not readable" - mkdir -p "${INSTALL_PATH}" - chmod -r "${INSTALL_PATH}" - - echo "- Test script behavior" - (./scripts/create_install_path.sh || echo "=== Script failed ===") > output - grep "::error::Installation path 'not_readable' is not readable" output - grep "=== Script failed ===" output - - - name: Existing but not writeable - shell: bash - env: - INSTALL_PATH: 'not_writeable' - run: | - echo "- Create dir and make it not writeable" - mkdir -p "${INSTALL_PATH}" - chmod -w "${INSTALL_PATH}" - - echo "- Test script behavior" - (./scripts/create_install_path.sh || echo "=== Script failed ===") > output - grep "::error::Installation path 'not_writeable' is not writeable" output - grep "=== Script failed ===" output - - setup-script-test: - name: configure_paths.sh script test - runs-on: ubuntu-latest - env: - INSTALL_PATH: 'install-directory' - SONAR_HOST_URL: 'http://sonar-host.com' - SONAR_SCANNER_VERSION: 'vX.Y.Z.MMMM' - SONAR_SCANNER_URL_WINDOWS_X64: 'https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-vX.Y.Z.MMMM-windows-x64.zip' - SONAR_SCANNER_SHA_WINDOWS_X64: 'DOWNLOAD-SHA-WINDOWS-X64' - SONAR_SCANNER_URL_LINUX_X64: 'https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-vX.Y.Z.MMMM-linux-x64.zip' - SONAR_SCANNER_SHA_LINUX_X64: 'DOWNLOAD-SHA-LINUX-X64' - SONAR_SCANNER_URL_LINUX_AARCH64: 'https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-vX.Y.Z.MMMM-linux-aarch64.zip' - SONAR_SCANNER_SHA_LINUX_AARCH64: 'DOWNLOAD-SHA-LINUX-AARCH64' - SONAR_SCANNER_URL_MACOSX_X64: 'https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-vX.Y.Z.MMMM-macosx-x64.zip' - SONAR_SCANNER_SHA_MACOSX_X64: 'DOWNLOAD-SHA-MACOSX-X64' - SONAR_SCANNER_URL_MACOSX_AARCH64: 
'https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-vX.Y.Z.MMMM-macosx-aarch64.zip' - SONAR_SCANNER_SHA_MACOSX_AARCH64: 'DOWNLOAD-SHA-MACOSX-AARCH64' - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis - - - name: Windows - shell: bash - env: - OS: 'Windows' - ARCH: 'X64' - run: | - ./scripts/configure_paths.sh > output - grep -v "::error::" output - - echo "- Check sonar-scanner:" - grep "sonar-scanner-url=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-vX.Y.Z.MMMM-windows-x64.zip" output - grep "sonar-scanner-sha=DOWNLOAD-SHA-WINDOWS-X64" output - grep "sonar-scanner-dir=install-directory/sonar-scanner-vX.Y.Z.MMMM-windows-x64" output - grep "sonar-scanner-bin=install-directory/sonar-scanner-vX.Y.Z.MMMM-windows-x64/bin/sonar-scanner.bat" output - - echo "- Check build-wrapper:" - grep "build-wrapper-url=http://sonar-host.com/static/cpp/build-wrapper-win-x86.zip" output - grep "build-wrapper-dir=install-directory/build-wrapper-win-x86" output - grep "build-wrapper-bin=install-directory/build-wrapper-win-x86/build-wrapper-win-x86-64.exe" output - - - name: Linux_X64 - shell: bash - env: - OS: 'Linux' - ARCH: 'X64' - run: | - ./scripts/configure_paths.sh > output - grep -v "::error::" output - - echo "- Check sonar-scanner:" - grep "sonar-scanner-url=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-vX.Y.Z.MMMM-linux-x64.zip" output - grep "sonar-scanner-sha=DOWNLOAD-SHA-LINUX-X64" output - grep "sonar-scanner-dir=install-directory/sonar-scanner-vX.Y.Z.MMMM-linux-x64" output - grep "sonar-scanner-bin=install-directory/sonar-scanner-vX.Y.Z.MMMM-linux-x64/bin/sonar-scanner" output - - echo "- Check build-wrapper:" - grep "build-wrapper-url=http://sonar-host.com/static/cpp/build-wrapper-linux-x86.zip" output - grep "build-wrapper-dir=install-directory/build-wrapper-linux-x86" output - grep 
"build-wrapper-bin=install-directory/build-wrapper-linux-x86/build-wrapper-linux-x86-64" output - - - name: Linux_ARM64 - shell: bash - env: - OS: 'Linux' - ARCH: 'ARM64' - run: | - ./scripts/configure_paths.sh > output - grep -v "::error::" output - - echo "- Check sonar-scanner:" - grep "sonar-scanner-url=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-vX.Y.Z.MMMM-linux-aarch64.zip" output - grep "sonar-scanner-sha=DOWNLOAD-SHA-LINUX-AARCH64" output - grep "sonar-scanner-dir=install-directory/sonar-scanner-vX.Y.Z.MMMM-linux-aarch64" output - grep "sonar-scanner-bin=install-directory/sonar-scanner-vX.Y.Z.MMMM-linux-aarch64/bin/sonar-scanner" output - - echo "- Check build-wrapper:" - grep "build-wrapper-url=http://sonar-host.com/static/cpp/build-wrapper-linux-aarch64.zip" output - grep "build-wrapper-dir=install-directory/build-wrapper-linux-aarch64" output - grep "build-wrapper-bin=install-directory/build-wrapper-linux-aarch64/build-wrapper-linux-aarch64" output - - - name: macOSX_X64 - shell: bash - env: - OS: 'macOS' - ARCH: 'X64' - run: | - ./scripts/configure_paths.sh > output - grep -v "::error::" output - - echo "- Check sonar-scanner:" - grep "sonar-scanner-url=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-vX.Y.Z.MMMM-macosx-x64.zip" output - grep "sonar-scanner-sha=DOWNLOAD-SHA-MACOSX-X64" output - grep "sonar-scanner-dir=install-directory/sonar-scanner-vX.Y.Z.MMMM-macosx-x64" output - grep "sonar-scanner-bin=install-directory/sonar-scanner-vX.Y.Z.MMMM-macosx-x64/bin/sonar-scanner" output - - echo "- Check build-wrapper:" - grep "build-wrapper-url=http://sonar-host.com/static/cpp/build-wrapper-macosx-x86.zip" output - grep "build-wrapper-dir=install-directory/build-wrapper-macosx-x86" output - grep "build-wrapper-bin=install-directory/build-wrapper-macosx-x86/build-wrapper-macosx-x86" output - - - name: macOSX_ARM64 - shell: bash - env: - OS: 'macOS' - ARCH: 'ARM64' - run: | - 
./scripts/configure_paths.sh > output - grep -v "::error::" output - - echo "- Check sonar-scanner:" - grep "sonar-scanner-url=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-vX.Y.Z.MMMM-macosx-aarch64.zip" output - grep "sonar-scanner-sha=DOWNLOAD-SHA-MACOSX-AARCH64" output - grep "sonar-scanner-dir=install-directory/sonar-scanner-vX.Y.Z.MMMM-macosx-aarch64" output - grep "sonar-scanner-bin=install-directory/sonar-scanner-vX.Y.Z.MMMM-macosx-aarch64/bin/sonar-scanner" output - - echo "- Check build-wrapper:" - grep "build-wrapper-url=http://sonar-host.com/static/cpp/build-wrapper-macosx-x86.zip" output - grep "build-wrapper-dir=install-directory/build-wrapper-macosx-x86" output - grep "build-wrapper-bin=install-directory/build-wrapper-macosx-x86/build-wrapper-macosx-x86" output - - - name: Unssuported OS - shell: bash - env: - OS: 'unsupportedOS' - ARCH: 'X64' - run: | - (./scripts/configure_paths.sh || echo "=== Script failed ===") > output - - echo "- Check errors:" - grep "::error::Unsupported runner OS 'unsupportedOS'" output - grep "=== Script failed ===" output - - - name: Unssuported architecture - shell: bash - env: - OS: 'Linux' - ARCH: 'X86' - run: | - (./scripts/configure_paths.sh || echo "=== Script failed ===") > output - - echo "- Check errors:" - grep "::error::Architecture 'X86' is unsupported by build-wrapper" output - grep "=== Script failed ===" output - - - download-script-test: - name: download.sh script test - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis - - - name: Download test without validation - shell: bash - env: - INSTALL_PATH: 'install-directory-no-sha-validation' - DOWNLOAD_URL: 'https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-4.6.2.2472-linux.zip' - EXPECTED_SHA: 'incorrect-sha-not-validated' - TMP_ZIP_PATH: ${{ runner.temp }}/sonar-scanner.zip - run: | - 
./scripts/download.sh > output - test -f "$TMP_ZIP_PATH" - grep -v "::error::" output - - name: Download test with validation - shell: bash - env: - INSTALL_PATH: 'install-directory-sha-validation' - DOWNLOAD_URL: 'https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-4.6.2.2472-linux.zip' - EXPECTED_SHA: '9411331814c1d002bd65d37758b872918b7602e7cf3ca5b83a3e19a729b2be05' - TMP_ZIP_PATH: ${{ runner.temp }}/sonar-scanner.zip - run: | - ./scripts/download.sh -v > output - test -f "$TMP_ZIP_PATH" - grep -v "::error::" output - - name: Incorrect install dir - shell: bash - env: - INSTALL_PATH: '' - run: | - (./scripts/download.sh || echo "=== Script failed ===") > output - grep "::error::Failed to create" output - grep "=== Script failed ===" output - - name: Incorrect download url - shell: bash - env: - INSTALL_PATH: 'install-directory-incorrect-url' - DOWNLOAD_URL: 'incorrect-url' - run: | - (./scripts/download.sh || echo "=== Script failed ===") > output - grep "::error::Failed to download 'incorrect-url'" output - grep "=== Script failed ===" output - - name: Incorrect SHA256 - shell: bash - env: - INSTALL_PATH: 'install-directory-incorrect-sha' - DOWNLOAD_URL: 'https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-4.6.2.2472-linux.zip' - EXPECTED_SHA: 'incorrect-sha256' - TMP_ZIP_PATH: ${{ runner.temp }}/sonar-scanner.zip - run: | - (./scripts/download.sh -v || echo "=== Script failed ===") > output - grep "::error::Checking sha256 failed" output - grep "=== Script failed ===" output - - name: Mismatching SHA256 - shell: bash - env: - INSTALL_PATH: 'install-directory-mismtaching-sha' - DOWNLOAD_URL: 'https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-4.6.2.2472-linux.zip' - EXPECTED_SHA: '3e121d85a4adb1f30b917d5f3eb897966b59e02c3d6d313a78dcd964193dc963' - TMP_ZIP_PATH: ${{ runner.temp }}/sonar-scanner.zip - run: | - (./scripts/download.sh -v || echo "=== Script failed ===") > 
output - grep "::error::Checking sha256 failed" output - grep "=== Script failed ===" output - - fetch-latest-version-test: - name: fetch_latest_version.sh script test - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - with: - fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis - - name: Test script - shell: bash - run: | - ./scripts/fetch_latest_version.sh > output - - echo "- Check sonar-scanner version:" - grep "sonar-scanner-version=" output - SONAR_SCANNER_VERSION=$(cat output | cut -d= -f 2) - test ! -z "${SONAR_SCANNER_VERSION}" - - echo "- Check windows sonar-scanner URLs:" - grep "sonar-scanner-url-windows-x64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-${SONAR_SCANNER_VERSION}-windows-x64.zip" output - grep -e "^sonar-scanner-sha-windows-x64=[0-9A-Fa-f]\+$" output - - echo "- Check linux sonar-scanner URLs:" - grep "sonar-scanner-url-linux-x64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-${SONAR_SCANNER_VERSION}-linux-x64.zip" output - grep -e "^sonar-scanner-sha-linux-x64=[0-9A-Fa-f]\+$" output - grep "sonar-scanner-url-linux-aarch64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-${SONAR_SCANNER_VERSION}-linux-aarch64.zip" output - grep -e "^sonar-scanner-sha-linux-aarch64=[0-9A-Fa-f]\+$" output - - echo "- Check macosx sonar-scanner URLs:" - grep "sonar-scanner-url-macosx-x64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-${SONAR_SCANNER_VERSION}-macosx-x64.zip" output - grep -e "^sonar-scanner-sha-macosx-x64=[0-9A-Fa-f]\+$" output - grep "sonar-scanner-url-macosx-aarch64=https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-${SONAR_SCANNER_VERSION}-macosx-aarch64.zip" output - grep -e "^sonar-scanner-sha-macosx-aarch64=[0-9A-Fa-f]\+$" output - - output-test: - name: Test action outputs - strategy: - matrix: - os: [ubuntu-latest, 
windows-latest, macos-latest, macos-13] - cache: [true, false] - include: - - arch: X64 - - os: macos-latest - arch: ARM64 - runs-on: ${{ matrix.os }} - steps: - # Specifying a specific architecture of the runner is not possible for Github hosted runners - # We can only check if the runner architecture matches the expected one - - name: check_runner_arch - shell: bash - run: | - echo "Runner architecture: ${{ runner.arch }}" - if [[ "${{ runner.arch }}" != "${{ matrix.arch }}" ]]; then - echo "##[error]Runner architecture does not match the expected one" - exit 1 - fi - - - uses: actions/checkout@v4 - with: - fetch-depth: 0 # Shallow clones should be disabled for a better relevancy of analysis - - - name: Run SonarCloud C/C++ action - id: run-action - uses: ./ - with: - cache-binaries: ${{ matrix.cache }} - - - name: SONAR_HOST_URL is set - shell: bash - run: | - [[ $SONAR_HOST_URL == "https://sonarcloud.io" ]] - - - name: sonar-scanner is installed and in PATH - run: | - sonar-scanner --help | grep "usage: sonar-scanner " - - - name: sonar-scanner-binary output is correct - shell: bash - env: - BINARY: ${{ steps.run-action.outputs.sonar-scanner-binary }} - run: | - "$BINARY" --help | grep "usage: sonar-scanner " - - # build-wrapper does not have --help or equivalent option. 
- # Pass to few arguments and ignore error code
- - name: build-wrapper is installed and in PATH on Windows
- if: runner.os == 'Windows'
- shell: bash
- run: |
- (build-wrapper-win-x86-64.exe || true) | grep "build-wrapper, version "
-
- - name: build-wrapper is installed and in PATH on Linux
- if: runner.os == 'Linux'
- shell: bash
- run: |
- (build-wrapper-linux-x86-64 || true) | grep "build-wrapper, version "
-
- - name: build-wrapper is installed and in PATH on macOS
- if: runner.os == 'macOs'
- shell: bash
- run: |
- (build-wrapper-macosx-x86 || true) | grep "build-wrapper, version "
-
- - name: build-wrapper-binary output is correct
- shell: bash
- env:
- BINARY: ${{ steps.run-action.outputs.build-wrapper-binary }}
- run: |
- ("$BINARY" || true) | grep "build-wrapper, version "
diff --git a/.github/workflows/update-tags.yml b/.github/workflows/update-tags.yml
new file mode 100644
index 0000000..a07d193
--- /dev/null
+++ b/.github/workflows/update-tags.yml
@@ -0,0 +1,32 @@
+name: Update Tags
+
+on:
+ push:
+ tags:
+ - v*.*.*
+
+jobs:
+ generate:
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Parse semver
+ uses: madhead/semver-utils@40bbdc6e50b258c09f35f574e83c51f60d2ce3a2 # v4.0.0
+ id: version
+ with:
+ version: ${{ github.ref_name }}
+
+ - name: Update tags
+ run: |
+ TAGS='v${{ steps.version.outputs.major }} v${{ steps.version.outputs.major }}.${{ steps.version.outputs.minor }}'
+
+ for t in $TAGS; do
+ git tag -f "$t"
+ git push origin ":$t" 2>/dev/null || true
+ git push origin "$t"
+ done
diff --git a/README.md b/README.md
index 4aa3019..d087419 100644
--- a/README.md
+++ b/README.md
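Review bot: The `Update tags` step deletes the floating tag with `git push origin ":$t"` and only afterwards pushes the new one, so a failure of the second push (or a consumer resolving `@v4` in between) leaves the major or minor tag missing; a single forced update, `git push --force origin "refs/tags/$t"`, replaces it in one operation and drops the `2>/dev/null || true` that currently hides delete errors. The `v*.*.*` trigger also matches pre-release tags such as `v4.1.0-rc1`, which would move `v4` and `v4.1` onto a pre-release; guard the step with something like `if: steps.version.outputs.prerelease == ''` (assuming the semver action exposes a prerelease output — confirm) or narrow the trigger. Because `contents: write` plus this workflow means anyone who can push a matching tag retargets the `vN` tag that every downstream `uses: …@vN` resolves, tag protection rules or required signed tags on `v*` in the repository settings are worth enabling; that lives outside this file. The step also expands `${{ steps.version.outputs.major }}` and `.minor` directly into the shell script; they are parsed version components, but passing them via `env:` keeps the `run:` block free of expression interpolation.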
@@ -1,48 +1,51 @@ -# Analyze your code for free with SonarCloud +# Scan your C, C++, and Objective-C code with SonarQube Cloud [![QA](https://github.com/SonarSource/sonarcloud-github-c-cpp/actions/workflows/qa.yml/badge.svg)](https://github.com/SonarSource/sonarcloud-github-c-cpp/actions/workflows/qa.yml) -This SonarSource project, available as a GitHub Action, helps you configure and scan your C, C++, and Objective-C projects with SonarCloud, to produce -[Clean Code](https://www.sonarsource.com/solutions/clean-code/?utm_medium=referral&utm_source=github&utm_campaign=clean-code&utm_content=sonarqube-scan-action). +This SonarSource project, available as a GitHub Action, scans your C, C++, and Objective-C projects with SonarQube [Cloud](https://www.sonarsource.com/products/sonarcloud/). - +![Logo](./images/SQ_Logo_Cloud_Dark_Backgrounds.png#gh-dark-mode-only) +![Logo](./images/SQ_Logo_Cloud_Light_Backgrounds.png#gh-light-mode-only) -[SonarCloud](https://www.sonarsource.com/products/sonarcloud/) is a widely used static analysis solution for continuous code quality and security inspection. -It helps developers identify and fix issues in their code that could lead to bugs, vulnerabilities, or decreased development velocity. -SonarCloud supports the most popular programming languages, including Java, JavaScript, TypeScript, C#, Python, C, C++, and [many more](https://www.sonarsource.com/knowledge/languages/). +SonarQube [Cloud](https://www.sonarsource.com/products/sonarcloud/) (formerly SonarCloud) is a widely used static analysis solution for continuous code quality and security inspection. +It helps developers detect coding issues in 30+ languages, frameworks, and IaC platforms, including Java, JavaScript, TypeScript, C#, Python, C, C++, and [many more](https://www.sonarsource.com/knowledge/languages/). + +The solution also provides fix recommendations leveraging AI with Sonar's AI CodeFix capability. ## Requirements -* Create your account on SonarCloud. 
Sign up for free now if it's not already the case! [SonarCloud Sign Up](https://www.sonarsource.com/products/sonarcloud/signup/?utm_medium=referral&utm_source=githubscan-ccpp&utm_campaign=sc-product&utm_content=signup-sonarcloud-listing-x-x&utm_term=ww-psp-x) -* The repository to analyze is set up on SonarCloud. [Set it up](https://sonarcloud.io/projects/create) in just one click. +* Create your account on SonarQube Cloud. [Sign up for free](https://www.sonarsource.com/products/sonarcloud/signup/?utm_medium=referral&utm_source=github&utm_campaign=sc-signup&utm_content=signup-sonarcloud-listing-x-x&utm_term=ww-psp-x) now if it's not already the case! +* The repository to analyze is set up on SonarQube Cloud. [Set it up](https://sonarcloud.io/projects/create) in just one click. ## Usage - Project metadata, including the location to the sources to be analyzed, must be declared in the file `sonar-project.properties` in the base directory: ```properties -sonar.organization= -sonar.projectKey= +sonar.organization= +sonar.projectKey= # relative paths to source directories. More details and properties are described -# in https://sonarcloud.io/documentation/project-administration/narrowing-the-focus/ +# at https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/analysis-scope/ sonar.sources=. ``` -The workflow, usually declared in `.github/workflows/build.yml`, looks like: +The workflow, usually declared under `.github/workflows`, looks like: ```yaml on: - # Trigger analysis when pushing in master or pull requests, and when creating - # a pull request. + # Trigger analysis when pushing to your main branches, and when creating a pull request. push: branches: + - main - master + - develop + - 'releases/**' pull_request: types: [opened, synchronize, reopened] + name: Main Workflow jobs: - sonarcloud: + sonarqube: runs-on: ubuntu-latest env: BUILD_WRAPPER_OUT_DIR: build_wrapper_output_directory # Directory where build-wrapper output will be placed 
@@ -52,10 +55,10 @@ jobs: # Disabling shallow clone is recommended for improving relevancy of reporting fetch-depth: 0 - name: Install sonar-scanner and build-wrapper - uses: sonarsource/sonarcloud-github-c-cpp@v3 + uses: sonarsource/sonarcloud-github-c-cpp@ # Ex: v4.0.0, See the latest version at https://github.com/marketplace/actions/sonarcloud-scan-for-c-and-c - name: Run build-wrapper run: | - # here goes your compilation wrapped with build-wrapper; See https://docs.sonarcloud.io/advanced-setup/languages/c-c-objective-c/#analysis-steps-using-build-wrapper for more information + # here goes your compilation wrapped with build-wrapper; See https://docs.sonarsource.com/sonarqube-cloud/advanced-setup/languages/c-family/overview/#analysis-steps-using-build-wrapper for more information # build-preparation steps # build-wrapper-linux-x86-64 --out-dir ${{ env.BUILD_WRAPPER_OUT_DIR }} build-command - name: Run sonar-scanner 
@@ -65,39 +68,54 @@ jobs: run: sonar-scanner --define sonar.cfamily.compile-commands="${{ env.BUILD_WRAPPER_OUT_DIR }}/compile_commands.json" #Consult https://docs.sonarcloud.io/advanced-setup/ci-based-analysis/sonarscanner-cli/ for more information and options ``` +## Action parameters + You can change the `build-wrapper` and `sonar-scanner` installation path by using the optional input `installation-path` like this: ```yaml -uses: sonarsource/sonarcloud-github-c-cpp@v3 +uses: sonarsource/sonarcloud-github-c-cpp@ with: installation-path: my/custom/directory/path ``` + Also, the absolute paths to the installed build-wrapper and sonar-scanner binaries are returned as outputs from the action. Moreover, by default the action will cache sonar-scanner installation. However, you can disable caching by using the optional input: `cache-binaries` like this: ```yaml -uses: sonarsource/sonarcloud-github-c-cpp@v3 +uses: sonarsource/sonarcloud-github-c-cpp@ with: cache-binaries: false ``` See also [example configurations](https://github.com/sonarsource-cfamily-examples?q=gh-actions-sc&type=all&language=&sort=) -### Secrets +### Environment variables -Following secrets are required for successful invocation of sonar-scanner: -- `SONAR_TOKEN` – **Required** this is the token used to authenticate access to SonarCloud. You can generate a token on your [Security page in SonarCloud](https://sonarcloud.io/account/security/). You can set the `SONAR_TOKEN` environment variable in the "Secrets" settings page of your repository. +- `SONAR_TOKEN` – **Required** this is the token used to authenticate access to SonarQube. You can read more about security tokens in the [documentation](https://docs.sonarsource.com/sonarqube-cloud/managing-your-account/managing-tokens/). You can set the `SONAR_TOKEN` environment variable in the "Secrets" settings page of your repository, or you can add them at the level of your GitHub organization (recommended). 
- *`GITHUB_TOKEN` – Provided by Github (see [Authenticating with the GITHUB_TOKEN](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/authenticating-with-the-github_token)).* +- `SONAR_ROOT_CERT` – Holds an additional certificate (in PEM format) that is used to validate the certificate of a secured proxy to SonarQube Cloud. You can set the `SONAR_ROOT_CERT` environment variable in the "Secrets" settings page of your repository, or you can add them at the level of your GitHub organization (recommended). -## Example of pull request analysis +Here is an example of how you can pass a certificate (in PEM format) to the Scanner truststore: - +```yaml +- uses: sonarsource/sonarcloud-github-c-cpp@ + env: + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + SONAR_ROOT_CERT: ${{ secrets.SONAR_ROOT_CERT }} +``` + +If your source code file names contain special characters that are not covered by the locale range of `en_US.UTF-8`, you can configure your desired locale like this: -Want to see more examples of SonarCloud in action? You can [explore current Open Source projects in SonarCloud](https://sonarcloud.io/explore/projects?sort=-analysis_date?utm_medium=referral&utm_source=githubscan-ccpp&utm_campaign=sc-product&utm_content=signup-sonarcloud-listing-x-x&utm_term=ww-psp-x) that are using the Clean as You Code methodology. +```yaml +- uses: sonarsource/sonarcloud-github-c-cpp@ + env: + SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + LC_ALL: "ru_RU.UTF-8" +``` ## Do not use this GitHub action if you are in the following situations -* You want to analyze code written in a language other than C or C++. Use [SonarCloud GitHub Action](https://github.com/SonarSource/sonarcloud-github-action/) instead +* You want to analyze code written in a language other than C or C++. 
Use the [SonarQube GitHub Action for SonarQube Server and Cloud](https://github.com/SonarSource/sonarqube-scan-action/) instead * You want to run the action on a 32-bits system - build wrappers support only 64-bits OS ## Additional information @@ -106,7 +124,7 @@ This action installs `coreutils` if run on macOS ## Have question or feedback? -To provide feedback (requesting a feature or reporting a bug) please post on the [SonarSource Community Forum](https://community.sonarsource.com/) with the tag `sonarcloud`. +To provide feedback (requesting a feature or reporting a bug) please post on the [SonarSource Community Forum](https://community.sonarsource.com/tags/c/help/sc/9/github-actions). ## License diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..3989705 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,13 @@ +# Reporting Security Issues + +A mature software vulnerability treatment process is a cornerstone of a robust information security management system. Contributions from the community play an important role in the evolution and security of our products, and in safeguarding the security and privacy of our users. + +If you believe you have discovered a security vulnerability in Sonar's products, we encourage you to report it immediately. + +To responsibly report a security issue, please email us at [security@sonarsource.com](mailto:security@sonarsource.com). Sonar’s security team will acknowledge your report, guide you through the next steps, or request additional information if necessary. Customers with a support contract can also report the vulnerability directly through the support channel. + +For security vulnerabilities found in third-party libraries, please also contact the library's owner or maintainer directly. + +## Responsible Disclosure Policy + +For more information about disclosing a security vulnerability to Sonar, please refer to our community post: [Responsible Vulnerability Disclosure](https://community.sonarsource.com/t/responsible-vulnerability-disclosure/9317). \ No newline at end of file diff --git a/action.yml b/action.yml index 1b94f02..13207ed 100644 --- a/action.yml +++ b/action.yml @@ -1,11 +1,13 @@ -name: 'SonarCloud Scan for C and C++' -description: 'Scan your C and C++ code with SonarCloud to detect bugs, vulnerabilities and code smells.' +name: 'SonarQube Cloud Scan for C and C++' +description: > + Scan your C and C++ code with SonarQube Cloud. (Formerly SonarCloud) branding: icon: check color: green + inputs: installation-path: - description: 'Directory where the sonnar-scanner and build wrapper will be installed. Created if does not exists.' + description: 'Directory where the Sonar Scanner CLI and build wrapper will be installed. Created if does not exists.' required: false default: '.sonar' cache-binaries: 
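Review bot: The `steps:` rewrite in this file's second hunk (it begins right after this hunk and its end lies beyond this page) replaces the action's own download-and-verify steps with `uses: antonioaversa/sonarqube-github-c-cpp@master`, so the whole action now executes code from a personal fork resolved through a mutable branch, leaving every consumer of `sonarsource/sonarcloud-github-c-cpp@vN` one force-push on that fork away from running arbitrary code with their `SONAR_TOKEN`. Delegate to the SonarSource-owned repository of that action and pin it to a full commit SHA with the version in a trailing comment, the way update-tags.yml in this commit already pins `madhead/semver-utils`. The removed steps checked the sonar-scanner archive against an expected SHA-256 (`download.sh -v`); whether the delegated action still does so cannot be confirmed from this diff and should be verified before release. In this hunk itself, the new `description` says "C and C++" while the README in the same commit advertises C, C++, and Objective-C, and the input text `Created if does not exists.` reads better as `Created if it does not exist.`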
@@ -24,102 +26,25 @@ outputs: runs: using: "composite" steps: - # install packaged required for greadlink and sha256sum command on macOS - - name: Install required packages for macOS - if: runner.os == 'macOS' - shell: bash - run: brew install coreutils - - - name: Verify and create installation path - shell: bash - env: - INSTALL_PATH: ${{ inputs.installation-path }} - run: ${GITHUB_ACTION_PATH}/scripts/create_install_path.sh - - - name: Set version of sonar-scanner - id: sonar-scanner-version - shell: bash - run: cat ${GITHUB_ACTION_PATH}/sonar-scanner-version >> $GITHUB_OUTPUT - - - name: Configure paths - id: configure_paths - shell: bash - env: - OS: ${{ runner.os }} - ARCH: ${{ runner.arch }} - INSTALL_PATH: ${{ inputs.installation-path }} - SONAR_HOST_URL: 'https://sonarcloud.io' - SONAR_SCANNER_VERSION: ${{ steps.sonar-scanner-version.outputs.sonar-scanner-version }} - SONAR_SCANNER_URL_WINDOWS_X64: ${{ steps.sonar-scanner-version.outputs.sonar-scanner-url-windows-x64 }} - SONAR_SCANNER_SHA_WINDOWS_X64: ${{ steps.sonar-scanner-version.outputs.sonar-scanner-sha-windows-x64 }} - SONAR_SCANNER_URL_LINUX_X64: ${{ steps.sonar-scanner-version.outputs.sonar-scanner-url-linux-x64 }} - SONAR_SCANNER_SHA_LINUX_X64: ${{ steps.sonar-scanner-version.outputs.sonar-scanner-sha-linux-x64 }} - SONAR_SCANNER_URL_LINUX_AARCH64: ${{ steps.sonar-scanner-version.outputs.sonar-scanner-url-linux-aarch64 }} - SONAR_SCANNER_SHA_LINUX_AARCH64: ${{ steps.sonar-scanner-version.outputs.sonar-scanner-sha-linux-aarch64 }} - SONAR_SCANNER_URL_MACOSX_X64: ${{ steps.sonar-scanner-version.outputs.sonar-scanner-url-macosx-x64 }} - SONAR_SCANNER_SHA_MACOSX_X64: ${{ steps.sonar-scanner-version.outputs.sonar-scanner-sha-macosx-x64 }} - SONAR_SCANNER_URL_MACOSX_AARCH64: ${{ steps.sonar-scanner-version.outputs.sonar-scanner-url-macosx-aarch64 }} - SONAR_SCANNER_SHA_MACOSX_AARCH64: ${{ steps.sonar-scanner-version.outputs.sonar-scanner-sha-macosx-aarch64 }} - run: 
${GITHUB_ACTION_PATH}/scripts/configure_paths.sh >> $GITHUB_OUTPUT - - - name: Cache sonar-scanner installation - id: cache-sonar-tools - if: inputs.cache-binaries == 'true' - uses: actions/cache@v4 + - name: SonarQube Cloud Scan + id: scan + uses: antonioaversa/sonarqube-github-c-cpp@master env: - # The default value is 60mins. Reaching timeout is treated the same as a cache miss. - SEGMENT_DOWNLOAD_TIMEOUT_MINS: 1 + SONAR_HOST_URL: "https://sonarcloud.io" with: - key: sonar-scanner-${{ runner.os }}-${{ runner.arch }}-${{ steps.sonar-scanner-version.outputs.sonar-scanner-version }} - path: ${{ steps.configure_paths.outputs.sonar-scanner-dir }} - - - name: Download and install sonar-scanner - if: steps.cache-sonar-tools.outputs.cache-hit != 'true' - shell: bash - env: - DOWNLOAD_URL: ${{ steps.configure_paths.outputs.sonar-scanner-url }} - EXPECTED_SHA: ${{ steps.configure_paths.outputs.sonar-scanner-sha }} - INSTALL_PATH: ${{ inputs.installation-path }} - TMP_ZIP_PATH: ${{ runner.temp }}/sonar-scanner.zip - run: ${GITHUB_ACTION_PATH}/scripts/download.sh -v - - - name: Download and install build-wrapper - shell: bash - env: - DOWNLOAD_URL: ${{ steps.configure_paths.outputs.build-wrapper-url }} - INSTALL_PATH: ${{ inputs.installation-path }} - TMP_ZIP_PATH: ${{ runner.temp }}/build-wrapper.zip - run: ${GITHUB_ACTION_PATH}/scripts/download.sh - + installation-path: ${{ inputs.installation-path }} + cache-binaries: ${{ inputs.cache-binaries }} - name: Setup action outputs id: setup-outputs shell: bash env: - SONAR_HOST_URL: 'https://sonarcloud.io' - SONAR_SCANNER_DIR: ${{ steps.configure_paths.outputs.sonar-scanner-dir }} - SONAR_SCANNER_BIN: ${{ steps.configure_paths.outputs.sonar-scanner-bin }} - BUILD_WRAPPER_DIR: ${{ steps.configure_paths.outputs.build-wrapper-dir }} - BUILD_WRAPPER_BIN: ${{ steps.configure_paths.outputs.build-wrapper-bin }} + SONAR_SCANNER_BINARY: ${{ steps.scan.outputs.sonar-scanner-binary }} + BUILD_WRAPPER_BINARY: ${{ 
steps.scan.outputs.build-wrapper-binary }} run: | - source ${GITHUB_ACTION_PATH}/scripts/utils.sh - echo "::group::Action outputs" - echo "SONAR_HOST_URL=${SONAR_HOST_URL}" >> $GITHUB_ENV - echo "'SONAR_HOST_URL' enviroment variable set to '${SONAR_HOST_URL}'" - - SONAR_SCANNER_BIN_DIR=$(realpath "${SONAR_SCANNER_DIR}/bin") - echo "${SONAR_SCANNER_BIN_DIR}" >> $GITHUB_PATH - echo "'${SONAR_SCANNER_BIN_DIR}' added to the path" - - SONAR_SCANNER_BIN=$(realpath "${SONAR_SCANNER_BIN}") - echo "sonar-scanner-binary=${SONAR_SCANNER_BIN}" >> $GITHUB_OUTPUT - echo "'sonar-scanner-binary' output set to '${SONAR_SCANNER_BIN}'" - - BUILD_WRAPPER_BIN_DIR=$(realpath "${BUILD_WRAPPER_DIR}") - echo "${BUILD_WRAPPER_BIN_DIR}" >> $GITHUB_PATH - echo "'${BUILD_WRAPPER_BIN_DIR}' added to the path" + echo "sonar-scanner-binary=${SONAR_SCANNER_BINARY}" >> $GITHUB_OUTPUT + echo "'sonar-scanner-binary' output set to '${SONAR_SCANNER_BINARY}'" - BUILD_WRAPPER_BIN=$(realpath "${BUILD_WRAPPER_BIN}") - echo "build-wrapper-binary=${BUILD_WRAPPER_BIN}" >> $GITHUB_OUTPUT - echo "'build-wrapper-binary' output set to '${BUILD_WRAPPER_BIN}'" + echo "build-wrapper-binary=${BUILD_WRAPPER_BINARY}" >> $GITHUB_OUTPUT + echo "'build-wrapper-binary' output set to '${BUILD_WRAPPER_BINARY}'" echo "::endgroup::" diff --git a/images/SQ_Logo_Cloud_Dark_Backgrounds.png b/images/SQ_Logo_Cloud_Dark_Backgrounds.png new file mode 100644 index 0000000..9e9a1f4 Binary files /dev/null and b/images/SQ_Logo_Cloud_Dark_Backgrounds.png differ diff --git a/images/SQ_Logo_Cloud_Light_Backgrounds.png b/images/SQ_Logo_Cloud_Light_Backgrounds.png new file mode 100644 index 0000000..4a7f25e Binary files /dev/null and b/images/SQ_Logo_Cloud_Light_Backgrounds.png differ diff --git a/images/SonarCloud-72px.png b/images/SonarCloud-72px.png deleted file mode 100644 index 98ce8c1..0000000 Binary files a/images/SonarCloud-72px.png and /dev/null differ 
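Review bot: The new `SonarQube Cloud Scan` step delegates the whole install to `uses: antonioaversa/sonarqube-github-c-cpp@master`, a repository outside the SonarSource organisation referenced by a mutable branch, so anyone who can push to that branch can run arbitrary code in every consumer's job (with its `SONAR_TOKEN` and repository contents) without any change landing in this action. The removed lines show the download used to be done here with a pinned `sonar-scanner-version` file and `download.sh -v` checking `EXPECTED_SHA`; after this hunk nothing in this repository verifies what gets installed, and whether the nested action does is not visible from here. Pin the reference to a full commit SHA and, ideally, a SonarSource-owned repository, e.g. `uses: SonarSource/sonarqube-github-c-cpp@<40-hex-commit-sha>  # vX.Y`, and add a one-line comment above it noting that checksum verification of the scanner and build-wrapper now happens in that action so the next maintainer knows where to look.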
diff --git a/images/SonarCloud-analysis-in-Checks.png b/images/SonarCloud-analysis-in-Checks.png deleted file mode 100644 index 2f025a4..0000000 Binary files a/images/SonarCloud-analysis-in-Checks.png and /dev/null differ diff --git a/scripts/configure_paths.sh b/scripts/configure_paths.sh deleted file mode 100755 index f24045d..0000000 --- a/scripts/configure_paths.sh +++ /dev/null 
@@ -1,71 +0,0 @@ -#!/bin/bash - -if [[ ${ARCH} != "X64" && ! (${ARCH} == "ARM64" && (${OS} == "macOS" || ${OS} == "Linux")) ]]; then - echo "::error::Architecture '${ARCH}' is unsupported by build-wrapper" - exit 1 -fi - -case ${OS} in - Windows) - SONAR_SCANNER_SUFFIX="windows-x64" - BUILD_WRAPPER_SUFFIX="win-x86" - SONAR_SCANNER_NAME="sonar-scanner.bat" - BUILD_WRAPPER_NAME="build-wrapper-win-x86-64.exe" - SONAR_SCANNER_URL="${SONAR_SCANNER_URL_WINDOWS_X64}" - SONAR_SCANNER_SHA="${SONAR_SCANNER_SHA_WINDOWS_X64}" - ;; - Linux) - case ${ARCH} in - X64) - SONAR_SCANNER_SUFFIX="linux-x64" - BUILD_WRAPPER_SUFFIX="linux-x86" - BUILD_WRAPPER_NAME="build-wrapper-linux-x86-64" - SONAR_SCANNER_URL="${SONAR_SCANNER_URL_LINUX_X64}" - SONAR_SCANNER_SHA="${SONAR_SCANNER_SHA_LINUX_X64}" - ;; - ARM64) - SONAR_SCANNER_SUFFIX="linux-aarch64" - BUILD_WRAPPER_SUFFIX="linux-aarch64" - BUILD_WRAPPER_NAME="build-wrapper-linux-aarch64" - SONAR_SCANNER_URL="${SONAR_SCANNER_URL_LINUX_AARCH64}" - SONAR_SCANNER_SHA="${SONAR_SCANNER_SHA_LINUX_AARCH64}" - ;; - esac - SONAR_SCANNER_NAME="sonar-scanner" - ;; - macOS) - case ${ARCH} in - X64) - SONAR_SCANNER_SUFFIX="macosx-x64" - SONAR_SCANNER_URL="${SONAR_SCANNER_URL_MACOSX_X64}" - SONAR_SCANNER_SHA="${SONAR_SCANNER_SHA_MACOSX_X64}" - ;; - ARM64) - SONAR_SCANNER_SUFFIX="macosx-aarch64" - SONAR_SCANNER_URL="${SONAR_SCANNER_URL_MACOSX_AARCH64}" - SONAR_SCANNER_SHA="${SONAR_SCANNER_SHA_MACOSX_AARCH64}" - ;; - esac - BUILD_WRAPPER_SUFFIX="macosx-x86" - SONAR_SCANNER_NAME="sonar-scanner" - BUILD_WRAPPER_NAME="build-wrapper-macosx-x86" - ;; - *) - echo "::error::Unsupported runner OS '${OS}'" - exit 1 - ;; -esac - - -echo "sonar-scanner-url=${SONAR_SCANNER_URL}" -echo "sonar-scanner-sha=${SONAR_SCANNER_SHA}" - -SONAR_SCANNER_DIR="${INSTALL_PATH}/sonar-scanner-${SONAR_SCANNER_VERSION}-${SONAR_SCANNER_SUFFIX}" -echo "sonar-scanner-dir=${SONAR_SCANNER_DIR}" -echo "sonar-scanner-bin=${SONAR_SCANNER_DIR}/bin/${SONAR_SCANNER_NAME}" - 
-BUILD_WRAPPER_DIR="${INSTALL_PATH}/build-wrapper-${BUILD_WRAPPER_SUFFIX}" -echo "build-wrapper-url=${SONAR_HOST_URL}/static/cpp/build-wrapper-${BUILD_WRAPPER_SUFFIX}.zip" -echo "build-wrapper-dir=${BUILD_WRAPPER_DIR}" -echo "build-wrapper-bin=${BUILD_WRAPPER_DIR}/${BUILD_WRAPPER_NAME}" - diff --git a/scripts/create_install_path.sh b/scripts/create_install_path.sh deleted file mode 100755 index 7e35571..0000000 --- a/scripts/create_install_path.sh +++ /dev/null @@ -1,26 +0,0 @@ -#!/bin/bash - -source "$(dirname -- "$0")/utils.sh" - -echo "Installation path is '${INSTALL_PATH}'" - -test ! -z "${INSTALL_PATH}" -check_status "Empty installation path specified" - -if [[ ! -e "${INSTALL_PATH}" ]]; then - mkdir -p "${INSTALL_PATH}" - check_status "Failed to create non-existing installation path '${INSTALL_PATH}'" -fi - -ABSOLUTE_INSTALL_PATH=$(realpath "${INSTALL_PATH}") -echo "Absolute installation path is '${ABSOLUTE_INSTALL_PATH}'" - -test -d "${INSTALL_PATH}" -check_status "Installation path '${INSTALL_PATH}' is not a directory (absolute path is '${ABSOLUTE_INSTALL_PATH}')" - -test -r "${INSTALL_PATH}" -check_status "Installation path '${INSTALL_PATH}' is not readable (absolute path is '${ABSOLUTE_INSTALL_PATH}')" - -test -w "${INSTALL_PATH}" -check_status "Installation path '${INSTALL_PATH}' is not writeable (absolute path is '${ABSOLUTE_INSTALL_PATH}')" - diff --git a/scripts/download.sh b/scripts/download.sh deleted file mode 100755 index 9e1aefa..0000000 --- a/scripts/download.sh +++ /dev/null @@ -1,58 +0,0 @@ -#!/bin/bash - -source "$(dirname -- "$0")/utils.sh" - -VERIFY_CORRECTNESS=false - -help() { - cat <