to be continuous bot · to be continuous bot · to be continuous bot · to be continuous bot · Pierre Smeyers · Pierre Smeyers
--- a/.gitlab/merge_request_templates/new_feature.md
+++ b/.gitlab/merge_request_templates/new_feature.md
@@ -8,8 +8,8 @@ Closes #999
 ## Checklist

 * General:
-    * [ ] use [rules](https://docs.gitlab.com/ee/ci/yaml/#rules) instead of [only/except](https://docs.gitlab.com/ee/ci/yaml/#onlyexcept-advanced)
-    * [ ] optimized [cache](https://docs.gitlab.com/ee/ci/caching/) configuration (wherever applicable)
+    * [ ] use [rules](https://docs.gitlab.com/ci/yaml/#rules) instead of [only/except](https://docs.gitlab.com/ci/yaml/#onlyexcept-advanced)
+    * [ ] optimized [cache](https://docs.gitlab.com/ci/caching/) configuration (wherever applicable)
 * Publicly usable:
    * [ ] untagged runners
    * [ ] no proxy configuration but support `http_proxy`/`https_proxy`/`no_proxy`

--- a/CHANGELOG.md
+++ b/CHANGELOG.md
-# [4.3.0](https://git.code.tecnalia.dev/smartdatalab/public/ci-cd-components/sonar/compare/4.2.4...4.3.0) (2025-01-29)
+## [4.3.1](https://git.code.tecnalia.dev/smartdatalab/public/ci-cd-components/sonar/compare/4.3.0...4.3.1) (2025-05-07)
+
+
+### Bug Fixes
+
+* use keystore when either DEFAULT_CA_CERTS or CUSTOM_CA_CERTS are set ([b4373ed](https://git.code.tecnalia.dev/smartdatalab/public/ci-cd-components/sonar/commit/b4373edbbb58bc048c351d824e30b823cb94cc06))
+
+## [4.3.1](https://gitlab.com/to-be-continuous/sonar/compare/4.3.0...4.3.1) (2025-03-20)
+
+
+### Bug Fixes
+
+* use keystore when either DEFAULT_CA_CERTS or CUSTOM_CA_CERTS are set ([b4373ed](https://gitlab.com/to-be-continuous/sonar/commit/b4373edbbb58bc048c351d824e30b823cb94cc06))
+
+# [4.3.0](https://gitlab.com/to-be-continuous/sonar/compare/4.2.4...4.3.0) (2025-01-27)


 ### Features

--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -61,7 +61,7 @@ To contribute:

 1. Create an issue describing the bug or enhancement you want to propose (select the right issue template).
 2. Make sure the issue has been reviewed and agreed.
-3. Create a Merge Request, from your **own** fork (see [forking workflow](https://docs.gitlab.com/ee/user/project/repository/forking_workflow.html) documentation).
+3. Create a Merge Request, from your **own** fork (see [forking workflow](https://docs.gitlab.com/user/project/repository/forking_workflow/) documentation).
   Don't hesitate to mark your MR as `Draft` as long as you think it's not ready to be reviewed.

 ### Git Commit Conventions

--- a/README.md
+++ b/README.md
@@ -7,7 +7,7 @@ security vulnerabilities as early as possible.

 ## Usage

-This template can be used both as a [CI/CD component](https://docs.gitlab.com/ee/ci/components/#use-a-component) or using the legacy [`include:project`](https://docs.gitlab.com/ee/ci/yaml/index.html#includeproject) syntax.
+This template can be used both as a [CI/CD component](https://docs.gitlab.com/ci/components/#use-a-component) or using the legacy [`include:project`](https://docs.gitlab.com/ci/yaml/#includeproject) syntax.

 ### Use as a CI/CD component

@@ -16,7 +16,7 @@ Add the following to your `.gitlab-ci.yml`:
 ```yaml
 include:
  # 1: include the component
-  - component: $CI_SERVER_FQDN/to-be-continuous/sonar/gitlab-ci-sonar@4.3.0
+  - component: $CI_SERVER_FQDN/to-be-continuous/sonar/gitlab-ci-sonar@4.3.1
    # 2: set/override component inputs
    inputs:
      host-url: https://sonarqube.acme.host # ⚠ this is only an example
@@ -30,7 +30,7 @@ Add the following to your `.gitlab-ci.yml`:
 include:
  # 1: include the template
  - project: 'to-be-continuous/sonar'
-    ref: '4.3.0'
+    ref: '4.3.1'
    file: '/templates/gitlab-ci-sonar.yml'

 variables:
@@ -46,7 +46,7 @@ It is bound to the `test` stage, and uses the following variables:

 | Input / Variable | Description                     | Default value |
 | ------------------------ | ------------------------------- | ----------------------------- |
-| `scanner-image` / `SONAR_SCANNER_IMAGE` | The Docker image used to run [sonar-scanner](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/scanners/sonarscanner/) | `registry.hub.docker.com/sonarsource/sonar-scanner-cli:latest` |
+| `scanner-image` / `SONAR_SCANNER_IMAGE` | The Docker image used to run [sonar-scanner](https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/scanners/sonarscanner/) | `registry.hub.docker.com/sonarsource/sonar-scanner-cli:latest` <br/>[![Trivy Badge](https://to-be-continuous.gitlab.io/doc/secu/trivy-badge-SONAR_SCANNER_IMAGE.svg)](https://to-be-continuous.gitlab.io/doc/secu/trivy-SONAR_SCANNER_IMAGE) |
 | `host-url` / `SONAR_HOST_URL` | SonarQube server url            | _none_ (disabled) |
 | `project-key` / `SONAR_PROJECT_KEY` | SonarQube Project Key (might also be set in the `sonar-project.properties` file) | fallbacks to `$CI_PROJECT_PATH_SLUG` (see below) |
 | `project-name` / `SONAR_PROJECT_NAME` | SonarQube Project Name (might also be set in the `sonar-project.properties` file) | fallbacks to `$CI_PROJECT_PATH` (see below) |
@@ -65,7 +65,7 @@ from GitLab's environment variables.
 :warning: This feature also depends on your SonarQube server version and license.
 If using Community Edition, you'll have to install the [sonarqube-community-branch-plugin](https://github.com/mc1arke/sonarqube-community-branch-plugin) to enable automatic Branch & Merge Request analysis (only works from SonarQube version 8).

-:warning: Merge Request Analysis only works if you're running [Merge Request pipeline](https://docs.gitlab.com/ee/ci/yaml/workflow.html#switch-between-branch-pipelines-and-merge-request-pipelines) strategy (default).
+:warning: Merge Request Analysis only works if you're running [Merge Request pipeline](https://docs.gitlab.com/ci/yaml/workflow/#switch-between-branch-pipelines-and-merge-request-pipelines) strategy (default).

 ### Configuring SonarQube project key, project name and other parameters

@@ -96,7 +96,7 @@ In order to be able to communicate with the Vault server, the variant requires t
 | :lock: `VAULT_ROLE_ID`   | The [AppRole](https://www.vaultproject.io/docs/auth/approle) RoleID | _none_ |
 | :lock: `VAULT_SECRET_ID` | The [AppRole](https://www.vaultproject.io/docs/auth/approle) SecretID | _none_ |

-By default, the variant will authentifacte using a [JWT ID token](https://docs.gitlab.com/ee/ci/secrets/id_token_authentication.html). To use [AppRole](https://www.vaultproject.io/docs/auth/approle) instead the `VAULT_ROLE_ID` and `VAULT_SECRET_ID` should be defined as secret project variables.
+By default, the variant will authentifacte using a [JWT ID token](https://docs.gitlab.com/ci/secrets/id_token_authentication/). To use [AppRole](https://www.vaultproject.io/docs/auth/approle) instead the `VAULT_ROLE_ID` and `VAULT_SECRET_ID` should be defined as secret project variables.

 #### Usage

@@ -118,9 +118,9 @@ With:
 ```yaml
 include:
  # main template
-  - component: $CI_SERVER_FQDN/to-be-continuous/sonar/gitlab-ci-sonar@4.3.0
+  - component: $CI_SERVER_FQDN/to-be-continuous/sonar/gitlab-ci-sonar@4.3.1
  # Vault variant
-  - component: $CI_SERVER_FQDN/to-be-continuous/sonar/gitlab-ci-sonar-vault@4.3.0
+  - component: $CI_SERVER_FQDN/to-be-continuous/sonar/gitlab-ci-sonar-vault@4.3.1
    inputs:
       # audience claim for JWT
      vault-oidc-aud: "https://vault.acme.host"

--- a/templates/gitlab-ci-sonar-vault.yml
+++ b/templates/gitlab-ci-sonar-vault.yml
@@ -22,7 +22,7 @@ variables:
 sonar:
  services:
    - name: "$TBC_TRACKING_IMAGE"
-      command: ["--service", "sonar", "4.3.0"]
+      command: ["--service", "sonar", "4.3.1"]
    - name: "$TBC_VAULT_IMAGE"
      alias: "vault-secrets-provider"
  variables:

--- a/templates/gitlab-ci-sonar.yml
+++ b/templates/gitlab-ci-sonar.yml
@@ -395,7 +395,7 @@ sonar:
    entrypoint: [""]
  services:
    - name: "$TBC_TRACKING_IMAGE"
-      command: ["--service", "sonar", "4.3.0"]
+      command: ["--service", "sonar", "4.3.1"]
  variables:
    # see: https://docs.sonarsource.com/sonarqube-server/latest/devops-platform-integration/gitlab-integration/setting-up-at-project-level/
    SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar" # Defines the location of the analysis task cache
@@ -436,13 +436,11 @@ sonar:
        export SONAR_TOKEN="$SONAR_AUTH_TOKEN"
      fi
    - |
-      if [[ -z "$CUSTOM_CA_CERTS" ]]
+      if [[ "$CUSTOM_CA_CERTS" ]] || [[ "$DEFAULT_CA_CERTS" ]]
      then
-        log_info '$CUSTOM_CA_CERTS not set: using default keystore'
-      else
-        log_info '$CUSTOM_CA_CERTS variable detected: using writable keystore path (/tmp/writable_keystore)'
+        log_info "Custom CA certificates detected: using custom Java KeyStore"
        export CUSTOM_KEYSTORE_PATH="/tmp/writable_keystore"
-        export CUSTOM_KEYSTORE_PASSWORD="changeit"
+        export CUSTOM_KEYSTORE_PASSWORD=${JAVA_KEYSTORE_PASSWORD:-changeit}
      fi
    - >-
      sonar-scanner ${TRACE+-Dsonar.verbose=true} $java_proxy_args