.gitlab-ci.yml

+# variables in the GitLab CI/CD variables:
+  #   GITLAB_TOKEN to support the semantic-release
+  #   DOCKER_AUTH_CONFIG to support the usage of private docker images as job docker image
+  #   TMPL_RELEASE_ENABLED to enable the semantic-release job
+  #   TBC_NAMESPACE: smartdatalab/public/ci-cd-components
+
 include:
-  - component: git.code.tecnalia.com/smartdatalab/public/ci-cd-components/gitlab-ci/extract@master
+  - component: $CI_SERVER_FQDN/$TBC_NAMESPACE/gitlab-ci/extract@master
     inputs:
       extract-script-job-tags: ["docker"]
-  - component: git.code.tecnalia.com/smartdatalab/public/ci-cd-components/gitlab-ci/validation@master
+  - component: $CI_SERVER_FQDN/$TBC_NAMESPACE/gitlab-ci/validation@master
     inputs:
       check-links-job-tags: ["docker"]
       tbc-check-job-tags: ["docker"]
-      tbc-check-image: cicd-docker-dev.artifact.tecnalia.com/tbc-check:master
+      tbc-check-image: cicd-docker-dev.artifact.tecnalia.dev/tbc-check:master
       gitlab-ci-lint-job-tags: ["docker"]
-  - component: git.code.tecnalia.com/smartdatalab/public/ci-cd-components/kicker/validation@master
+  - component: $CI_SERVER_FQDN/$TBC_NAMESPACE/kicker/validation@master
     inputs:
       kicker-validation-job-tags: ["docker"]
-      schema-base-url: "https://git.code.tecnalia.com/api/v4/projects/smartdatalab%2Fpublic%2Fci-cd-components%2Fkicker/repository/files"
-  - component: git.code.tecnalia.com/smartdatalab/public/ci-cd-components/bash/gitlab-ci-bash@master
+      schema-base-url: "https://git.code.tecnalia.dev/api/v4/projects/smartdatalab%2Fpublic%2Fci-cd-components%2Fkicker/repository/files"
+  - component: $CI_SERVER_FQDN/$TBC_NAMESPACE/bash/gitlab-ci-bash@master
     inputs:
       bash-shellcheck-job-tags: ["docker"]
-  - component: git.code.tecnalia.com/smartdatalab/public/ci-cd-components/semantic-release/gitlab-ci-semrel@master
+      shellcheck-files: "*.sh"
+  - component: $CI_SERVER_FQDN/$TBC_NAMESPACE/semantic-release/gitlab-ci-semrel@master
     inputs:
       semantic-release-job-tags: ["docker"]
-
-stages:
-  - build
-  - publish
+  - component: $CI_SERVER_FQDN/$TBC_NAMESPACE/gitleaks/gitlab-ci-gitleaks@master
+    inputs:
+      gitleaks-job-tags: ["docker"]
 
 variables:
   GITLAB_CI_FILES: "templates/gitlab-ci-sonar.yml"
-  BASH_SHELLCHECK_FILES: "*.sh"
+  GIT_STRATEGY: clone
 
 semantic-release:
   rules:

CHANGELOG.md

-## [4.2.3](https://git.code.tecnalia.com/smartdatalab/public/ci-cd-components/sonar/compare/4.2.2...4.2.3) (2024-05-20)
+## [4.2.4](https://git.code.tecnalia.dev/smartdatalab/public/ci-cd-components/sonar/compare/4.2.3...4.2.4) (2025-01-20)
 
 
 ### Bug Fixes
 
-* **workflow:** disable MR pipeline from prod & integ branches ([3973282](https://git.code.tecnalia.com/smartdatalab/public/ci-cd-components/sonar/commit/397328287bfc50c0ccc93856597e699210dbcbfc))
+* **newer-sonar-image:** permissions for custom certificates ([6bc534d](https://git.code.tecnalia.dev/smartdatalab/public/ci-cd-components/sonar/commit/6bc534d7b4df7bb558dd3ca3e9f922ef5ebf0882))
+
+## [4.2.4](https://gitlab.com/to-be-continuous/sonar/compare/4.2.3...4.2.4) (2024-10-20)
+
+
+### Bug Fixes
+
+* **newer-sonar-image:** permissions for custom certificates ([6bc534d](https://gitlab.com/to-be-continuous/sonar/commit/6bc534d7b4df7bb558dd3ca3e9f922ef5ebf0882))
 
 ## [4.2.3](https://gitlab.com/to-be-continuous/sonar/compare/4.2.2...4.2.3) (2024-05-05)
 

README.md

@@ -7,16 +7,16 @@ security vulnerabilities as early as possible.
 
 ## Usage
 
-This template can be used both as a [CI/CD component](https://docs.gitlab.com/ee/ci/components/#use-a-component-in-a-cicd-configuration) or using the legacy [`include:project`](https://docs.gitlab.com/ee/ci/yaml/index.html#includeproject) syntax.
+This template can be used both as a [CI/CD component](https://docs.gitlab.com/ee/ci/components/#use-a-component) or using the legacy [`include:project`](https://docs.gitlab.com/ee/ci/yaml/index.html#includeproject) syntax.
 
 ### Use as a CI/CD component
 
-Add the following to your `gitlab-ci.yml`:
+Add the following to your `.gitlab-ci.yml`:
 
 ```yaml
 include:
   # 1: include the component
-  - component: gitlab.com/to-be-continuous/sonar/gitlab-ci-sonar@4.2.3
+  - component: $CI_SERVER_FQDN/to-be-continuous/sonar/gitlab-ci-sonar@4.2.4
     # 2: set/override component inputs
     inputs:
       host-url: https://sonarqube.acme.host # ⚠ this is only an example
@@ -24,13 +24,13 @@ include:
 
 ### Use as a CI/CD template (legacy)
 
-Add the following to your `gitlab-ci.yml`:
+Add the following to your `.gitlab-ci.yml`:
 
 ```yaml
 include:
   # 1: include the template
   - project: 'to-be-continuous/sonar'
-    ref: '4.2.3'
+    ref: '4.2.4'
     file: '/templates/gitlab-ci-sonar.yml'
 
 variables:
@@ -46,11 +46,11 @@ It is bound to the `test` stage, and uses the following variables:
 
 | Input / Variable | Description                     | Default value |
 | ------------------------ | ------------------------------- | ----------------------------- |
-| `scanner-image` / `SONAR_SCANNER_IMAGE` | The Docker image used to run [sonar-scanner](https://docs.sonarqube.org/latest/analysis/scan/sonarscanner/) | `registry.hub.docker.com/sonarsource/sonar-scanner-cli:latest` |
+| `scanner-image` / `SONAR_SCANNER_IMAGE` | The Docker image used to run [sonar-scanner](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/scanners/sonarscanner/) | `registry.hub.docker.com/sonarsource/sonar-scanner-cli:latest` |
 | `host-url` / `SONAR_HOST_URL` | SonarQube server url            | _none_ (disabled) |
 | `project-key` / `SONAR_PROJECT_KEY` | SonarQube Project Key (might also be set in the `sonar-project.properties` file) | fallbacks to `$CI_PROJECT_PATH_SLUG` (see below) |
 | `project-name` / `SONAR_PROJECT_NAME` | SonarQube Project Name (might also be set in the `sonar-project.properties` file) | fallbacks to `$CI_PROJECT_PATH` (see below) |
-| :lock: `SONAR_TOKEN`     | SonarQube authentication [token](https://docs.sonarqube.org/latest/user-guide/user-token/) (depends on your authentication method) | _none_ |
+| :lock: `SONAR_TOKEN`     | SonarQube authentication [token](https://docs.sonarsource.com/sonarqube-server/latest/user-guide/managing-tokens/) (depends on your authentication method) | _none_ |
 | :lock: `SONAR_LOGIN`     | SonarQube login (depends on your authentication method)                | _none_ |
 | :lock: `SONAR_PASSWORD`  | SonarQube password (depends on your authentication method)             | _none_ |
 | `base-args` / `SONAR_BASE_ARGS` | SonarQube [analysis arguments](https://docs.sonarqube.org/latest/analysis/analysis-parameters/) | `-Dsonar.links.homepage=${CI_PROJECT_URL} -Dsonar.links.ci=${CI_PROJECT_URL}/-/pipelines -Dsonar.links.issue=${CI_PROJECT_URL}/-/issues` |
@@ -59,7 +59,7 @@ It is bound to the `test` stage, and uses the following variables:
 
 ### Automatic Branch Analysis & Merge Request Analysis
 
-This template relies on SonarScanner's [GitLab integration](https://docs.sonarqube.org/latest/analysis/gitlab-integration), that is able to auto-detect whether to launch Branch Analysis or Merge Request Analysis
+This template relies on SonarScanner's [GitLab integration](https://docs.sonarsource.com/sonarqube-server/latest/devops-platform-integration/gitlab-integration/introduction/), that is able to auto-detect whether to launch Branch Analysis or Merge Request Analysis
 from GitLab's environment variables.
 
 :warning: This feature also depends on your SonarQube server version and license.
@@ -73,8 +73,8 @@ You shall define your SonarQube project key and project name in a `sonar-project
 
 Note that when not explictly set, the template will use `$CI_PROJECT_PATH_SLUG` and `$CI_PROJECT_PATH` as fallback project key and project name.
 
-The `sonar-project.properties` file is also the recommended way to configure other SonarQube [analysis parameters](https://docs.sonarqube.org/latest/analysis/analysis-parameters/)
-as well as [language specific parameters](https://docs.sonarqube.org/latest/analyzing-source-code/test-coverage/overview/).
+The `sonar-project.properties` file is also the recommended way to configure other SonarQube [analysis parameters](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/analysis-parameters/)
+as well as [language specific parameters](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/test-coverage/test-coverage-parameters/).
 
 Each _to-be-continuous_ build template shall briefly document the supported language-specific SonarQube parameters.
 
@@ -91,10 +91,12 @@ In order to be able to communicate with the Vault server, the variant requires t
 | Input / Variable | Description                            | Default value     |
 | ----------------- | -------------------------------------- | ----------------- |
 | `TBC_VAULT_IMAGE` | The [Vault Secrets Provider](https://gitlab.com/to-be-continuous/tools/vault-secrets-provider) image to use (can be overridden) | `registry.gitlab.com/to-be-continuous/tools/vault-secrets-provider:latest` |
-| `vault-base-url` / `VAULT_BASE_URL` | The Vault server base API url          | _none_ |
+| `vault-base-url` / `VAULT_BASE_URL` | The Vault server base API url          | **must be defined** |
 | `vault-oidc-aud` / `VAULT_OIDC_AUD` | The `aud` claim for the JWT | `$CI_SERVER_URL` |
-| :lock: `VAULT_ROLE_ID`   | The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID | **must be defined** |
-| :lock: `VAULT_SECRET_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID | **must be defined** |
+| :lock: `VAULT_ROLE_ID`   | The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID | _none_ |
+| :lock: `VAULT_SECRET_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID | _none_ |
+
+By default, the variant will authentifacte using a [JWT ID token](https://docs.gitlab.com/ee/ci/secrets/id_token_authentication.html). To use [AppRole](https://www.vaultproject.io/docs/auth/approle) instead the `VAULT_ROLE_ID` and `VAULT_SECRET_ID` should be defined as secret project variables.
 
 #### Usage
 
@@ -116,9 +118,9 @@ With:
 ```yaml
 include:
   # main template
-  - component: gitlab.com/to-be-continuous/sonar/gitlab-ci-sonar@4.2.3
+  - component: $CI_SERVER_FQDN/to-be-continuous/sonar/gitlab-ci-sonar@4.2.4
   # Vault variant
-  - component: gitlab.com/to-be-continuous/sonar/gitlab-ci-sonar-vault@4.2.3
+  - component: $CI_SERVER_FQDN/to-be-continuous/sonar/gitlab-ci-sonar-vault@4.2.4
     inputs:
        # audience claim for JWT
       vault-oidc-aud: "https://vault.acme.host"
@@ -127,5 +129,4 @@ include:
 variables:
   # Secrets managed by Vault
   SONAR_TOKEN: "@url@http://vault-secrets-provider/api/secrets/b7ecb6ebabc231/my-app/sonar?field=token"
-  # $VAULT_ROLE_ID and $VAULT_SECRET_ID defined as a secret CI/CD variable
 ```

bumpversion.sh

@@ -27,7 +27,7 @@ if [[ "$curVer" ]]; then
   log_info "Bump version from \\e[33;1m${curVer}\\e[0m to \\e[33;1m${nextVer}\\e[0m (release type: $relType)..."
 
   # replace in README
-  sed -e "s/ref: *'$curVer'/ref: '$nextVer'/" -e "s/ref: *\"$curVer\”/ref: \”$nextVer\”/" -e "s/component: *\(.*\)@$curVer/component: \1@$nextVer/" README.md > README.md.next
+  sed -e "s/ref: *'$curVer'/ref: '$nextVer'/" -e "s/ref: *\"$curVer\"/ref: \"$nextVer\"/" -e "s/component: *\(.*\)@$curVer/component: \1@$nextVer/" README.md > README.md.next
   mv -f README.md.next README.md
 
   # replace in template and variants

kicker.json

@@ -8,7 +8,7 @@
   "variables": [
     {
       "name": "SONAR_SCANNER_IMAGE",
-      "description": "The Docker image used to run [sonar-scanner](https://docs.sonarqube.org/latest/analysis/scan/sonarscanner/)",
+      "description": "The Docker image used to run [sonar-scanner](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/scanners/sonarscanner/)",
       "default": "registry.hub.docker.com/sonarsource/sonar-scanner-cli:latest"
     },
     {
@@ -44,13 +44,13 @@
     },
     {
       "name": "SONAR_BASE_ARGS",
-      "description": "SonarQube [analysis arguments](https://docs.sonarqube.org/latest/analysis/analysis-parameters/)",
+      "description": "SonarQube [analysis arguments](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/analysis-parameters/)",
       "default": "-Dsonar.links.homepage=${CI_PROJECT_URL} -Dsonar.links.ci=${CI_PROJECT_URL}/-/pipelines -Dsonar.links.issue=${CI_PROJECT_URL}/-/issues",
       "advanced": true
     },
     {
       "name": "SONAR_QUALITY_GATE_ENABLED",
-      "description": "Enables SonarQube [Quality Gate](https://docs.sonarqube.org/latest/user-guide/quality-gates/) verification.\n\n_Uses `sonar.qualitygate.wait` parameter ([see doc](https://docs.sonarqube.org/latest/analysis/ci-integration-overview/#header-1))._",
+      "description": "Enables SonarQube [Quality Gate](https://docs.sonarsource.com/sonarqube-server/latest/instance-administration/analysis-functions/quality-gates/) verification.\n\n_Uses `sonar.qualitygate.wait` parameter ([see doc](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/ci-integration/overview/#quality-gate-fails))._",
       "type": "boolean"
     },
     {

templates/gitlab-ci-sonar-vault.yml

@@ -22,7 +22,7 @@ variables:
 sonar:
   services:
     - name: "$TBC_TRACKING_IMAGE"
-      command: ["--service", "sonar", "4.2.3"]
+      command: ["--service", "sonar", "4.2.4"]
     - name: "$TBC_VAULT_IMAGE"
       alias: "vault-secrets-provider"
   variables:

templates/gitlab-ci-sonar.yml

@@ -17,7 +17,7 @@
 spec:
   inputs:
     scanner-image:
-      description: The Docker image used to run [sonar-scanner](https://docs.sonarqube.org/latest/analysis/scan/sonarscanner/)
+      description: The Docker image used to run [sonar-scanner](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/scanners/sonarscanner/)
       default: registry.hub.docker.com/sonarsource/sonar-scanner-cli:latest
     host-url:
       description: SonarQube server url
@@ -29,16 +29,16 @@ spec:
       description: SonarQube Project Name (might also be set in the `sonar-project.properties` file)
       default: ''
     base-args:
-      description: SonarQube [analysis arguments](https://docs.sonarqube.org/latest/analysis/analysis-parameters/)
+      description: SonarQube [analysis arguments](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/analysis-parameters/)
       default: >-
         -Dsonar.links.homepage=${CI_PROJECT_URL}
         -Dsonar.links.ci=${CI_PROJECT_URL}/-/pipelines
         -Dsonar.links.issue=${CI_PROJECT_URL}/-/issues
     quality-gate-enabled:
       description: |-
-        Enables SonarQube [Quality Gate](https://docs.sonarqube.org/latest/user-guide/quality-gates/) verification.
+        Enables SonarQube [Quality Gate](https://docs.sonarsource.com/sonarqube-server/latest/instance-administration/analysis-functions/quality-gates/) verification.
 
-        _Uses `sonar.qualitygate.wait` parameter ([see doc](https://docs.sonarqube.org/latest/analysis/ci-integration-overview/#header-1))._
+        _Uses `sonar.qualitygate.wait` parameter ([see doc](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/ci-integration/overview/#quality-gate-fails))._
       type: boolean
       default: false
     sonar-job-tags:
@@ -101,8 +101,8 @@ variables:
   SONAR_PROJECT_NAME: $[[ inputs.project-name ]]
   SONAR_QUALITY_GATE_ENABLED: $[[ inputs.quality-gate-enabled ]]
   # Sonar base analysis default args
-  # see: https://docs.sonarqube.org/latest/analysis/analysis-parameters/
-  # default uses branch analysis: https://docs.sonarqube.org/latest/branches/overview/
+  # see: https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/analysis-parameters/
+  # default uses branch analysis: https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/branch-analysis/introduction/
   SONAR_BASE_ARGS: $[[ inputs.base-args ]]
 
   # default production ref name (pattern)
@@ -152,15 +152,17 @@ stages:
     then
       return
     fi
+    # creat a writable folder for the keystore and certs
+    mkdir -p /tmp/certs
 
     # import in system
-    if echo "$certs" >> /etc/ssl/certs/ca-certificates.crt
+    if echo "$certs" >> /tmp/certs/ca-certificates.crt
     then
-      log_info "CA certificates imported in \\e[33;1m/etc/ssl/certs/ca-certificates.crt\\e[0m"
+      log_info "CA certificates imported in \\e[33;1m/tmp/certs/ca-certificates.crt\\e[0m"
     fi
-    if echo "$certs" >> /etc/ssl/cert.pem
+    if echo "$certs" >> /tmp/certs/cert.pem
     then
-      log_info "CA certificates imported in \\e[33;1m/etc/ssl/cert.pem\\e[0m"
+      log_info "CA certificates imported in \\e[33;1m/tmp/certs/cert.pem\\e[0m"
     fi
 
     # import in Java keystore (if keytool command found)
@@ -172,6 +174,10 @@ stages:
       keystore=${JAVA_KEYSTORE_PATH:-$(ls -1 $javahome/jre/lib/security/cacerts 2>/dev/null || ls -1 $javahome/lib/security/cacerts 2>/dev/null || echo "")}
       if [[ -f "$keystore" ]]
       then
+        # copy keystore into writable folder
+        cp -L -r --no-preserve=mode "$keystore" /tmp/writable_keystore
+        # set writable keystore as keystore
+        keystore="/tmp/writable_keystore"
         storepass=${JAVA_KEYSTORE_PASSWORD:-changeit}
         nb_certs=$(echo "$certs" | grep -c 'END CERTIFICATE')
         log_info "importing $nb_certs certificates in Java keystore \\e[33;1m$keystore\\e[0m..."
@@ -392,9 +398,9 @@ sonar:
     entrypoint: [""]
   services:
     - name: "$TBC_TRACKING_IMAGE"
-      command: ["--service", "sonar", "4.2.3"]
+      command: ["--service", "sonar", "4.2.4"]
   variables:
-    # see: https://docs.sonarqube.org/latest/analysis/gitlab-integration/#header-4
+    # see: https://docs.sonarsource.com/sonarqube-server/latest/devops-platform-integration/gitlab-integration/setting-up-at-project-level/
     SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar" # Defines the location of the analysis task cache
     GIT_DEPTH: 0 # Tells git to fetch all the branches of the project, required by the analysis task
   cache:
@@ -432,8 +438,19 @@ sonar:
         log_warn '$SONAR_AUTH_TOKEN variable detected: use $SONAR_TOKEN instead (see doc)'
         export SONAR_TOKEN="$SONAR_AUTH_TOKEN"
       fi
+    - |
+      if [[ -z "$CUSTOM_CA_CERTS" ]]
+      then
+        log_info '$CUSTOM_CA_CERTS not set: using default keystore'
+      else
+        log_info '$CUSTOM_CA_CERTS variable detected: using writable keystore path (/tmp/writable_keystore)'
+        export CUSTOM_KEYSTORE_PATH="/tmp/writable_keystore"
+        export CUSTOM_KEYSTORE_PASSWORD="changeit"
+      fi
     - >-
-      sonar-scanner ${TRACE+-Dsonar.verbose=true} $java_proxy_args 
+      sonar-scanner ${TRACE+-Dsonar.verbose=true} $java_proxy_args
+      ${CUSTOM_KEYSTORE_PATH:+-Dsonar.scanner.truststorePath=$CUSTOM_KEYSTORE_PATH}
+      ${CUSTOM_KEYSTORE_PASSWORD:+-Dsonar.scanner.truststorePassword=$CUSTOM_KEYSTORE_PASSWORD}
       ${SONAR_LOGIN:+-Dsonar.login=$SONAR_LOGIN} 
       ${SONAR_PASSWORD:+-Dsonar.password=$SONAR_PASSWORD} 
       ${SONAR_PROJECT_KEY:+-Dsonar.projectKey=$SONAR_PROJECT_KEY}