[Draft DO-NOT-MERGE] Add sonar-scanner-cli as official docker image #15326
Diff for 07b3804:diff --git a/_bashbrew-arches b/_bashbrew-arches
index 8b13789..e85a97f 100644
--- a/_bashbrew-arches
+++ b/_bashbrew-arches
@@ -1 +1,2 @@
-
+amd64
+arm64v8
diff --git a/_bashbrew-cat b/_bashbrew-cat
index bdfae4a..e48adbb 100644
--- a/_bashbrew-cat
+++ b/_bashbrew-cat
@@ -1 +1,7 @@
-Maintainers: New Image! :D (@docker-library-bot)
+Maintainers: Carmine Vassallo <[email protected]> (@carminevassallo), Jeremy Cotineau <[email protected]> (@jCOTINEAU), Davi Koscianski-vidal <[email protected]> (@davividal)
+Architectures: amd64, arm64v8
+GitRepo: https://github.com/SonarSource/sonar-scanner-cli-docker
+GitCommit: dc6c344d32f09e905665d2463e3a0de9c7f8c948
+
+Tags: 5.0.1.3006, 5.0.1, 5.0, 5, latest
+Directory: 5
diff --git a/_bashbrew-list b/_bashbrew-list
index e69de29..f7bca28 100644
--- a/_bashbrew-list
+++ b/_bashbrew-list
@@ -0,0 +1,5 @@
+sonar-scanner-cli:5
+sonar-scanner-cli:5.0
+sonar-scanner-cli:5.0.1
+sonar-scanner-cli:5.0.1.3006
+sonar-scanner-cli:latest
diff --git a/_bashbrew-list-build-order b/_bashbrew-list-build-order
index e69de29..b3b7397 100644
--- a/_bashbrew-list-build-order
+++ b/_bashbrew-list-build-order
@@ -0,0 +1 @@
+sonar-scanner-cli:latest
diff --git a/sonar-scanner-cli_latest/Dockerfile b/sonar-scanner-cli_latest/Dockerfile
new file mode 100755
index 0000000..cf71079
--- /dev/null
+++ b/sonar-scanner-cli_latest/Dockerfile
@@ -0,0 +1,58 @@
+FROM eclipse-temurin:17-jre
+
+LABEL org.opencontainers.image.url=https://github.com/SonarSource/sonar-scanner-cli-docker
+
+ARG SONAR_SCANNER_HOME=/opt/sonar-scanner
+ARG SONAR_SCANNER_VERSION=5.0.1.3006
+ARG NODE_MAJOR=18
+ENV JAVA_HOME=/opt/java/openjdk \
+ HOME=/tmp \
+ XDG_CONFIG_HOME=/tmp \
+ SONAR_SCANNER_HOME=${SONAR_SCANNER_HOME} \
+ SONAR_USER_HOME=${SONAR_SCANNER_HOME}/.sonar \
+ PATH=${SONAR_SCANNER_HOME}/bin:${PATH} \
+ NODE_PATH=/usr/lib/node_modules \
+ SRC_PATH=/usr/src \
+ LANG=en_US.UTF-8 \
+ LC_ALL=en_US.UTF-8
+
+WORKDIR /opt
+
+SHELL ["/bin/bash", "-euxo", "pipefail", "-c"]
+RUN groupadd --system --gid 1000 scanner-cli && \
+ useradd --system --uid 1000 --gid scanner-cli scanner-cli && \
+ apt-get update && \
+ apt-get install -y ca-certificates curl gnupg --no-install-recommends && \
+ mkdir -p /etc/apt/keyrings && \
+ curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg && \
+ echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_${NODE_MAJOR}.x nodistro main" | tee /etc/apt/sources.list.d/nodesource.list && \
+ apt-get update && \
+ apt-get install -y --no-install-recommends git unzip wget bash fonts-dejavu python3 python3-pip shellcheck nodejs build-essential && \
+ wget -U "scannercli" -q -O /opt/sonar-scanner-cli.zip https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-${SONAR_SCANNER_VERSION}.zip && \
+ wget -U "scannercli" -q -O /opt/sonar-scanner-cli.zip.asc https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-${SONAR_SCANNER_VERSION}.zip.asc && \
+ for server in $(shuf -e hkps://keys.openpgp.org \
+ hkps://keyserver.ubuntu.com) ; do \
+ gpg --batch --keyserver "${server}" --recv-keys 679F1EE92B19609DE816FDE81DB198F93525EC1A && break || : ; \
+ done && \
+ gpg --verify /opt/sonar-scanner-cli.zip.asc /opt/sonar-scanner-cli.zip && \
+ unzip sonar-scanner-cli.zip && \
+ rm sonar-scanner-cli.zip sonar-scanner-cli.zip.asc && \
+ mv sonar-scanner-${SONAR_SCANNER_VERSION} ${SONAR_SCANNER_HOME} && \
+ pip install --no-cache-dir --upgrade pip && \
+ pip install --no-cache-dir pylint && \
+ mkdir -p "${SRC_PATH}" "${SONAR_USER_HOME}" "${SONAR_USER_HOME}/cache" && \
+ chmod -R 555 "${SONAR_SCANNER_HOME}" "${SRC_PATH}" && \
+ chmod -R 777 "${SRC_PATH}" "${SONAR_USER_HOME}" && \
+ rm -rf /var/lib/apt/lists/*
+
+COPY --chown=scanner-cli:scanner-cli bin /usr/bin/
+
+USER scanner-cli
+
+VOLUME [ "/tmp/cacerts" ]
+
+WORKDIR ${SRC_PATH}
+
+ENTRYPOINT ["/usr/bin/entrypoint.sh"]
+
+CMD ["sonar-scanner"]
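Review bot: The NodeSource repository key in the RUN chain is piped from curl straight into `gpg --dearmor` with no fingerprint check, while the scanner zip a few lines later is verified against the fingerprint pinned in `--recv-keys`; compare the downloaded NodeSource key against a pinned fingerprint before writing /etc/apt/keyrings/nodesource.gpg so both downloads get the same level of assurance. In the same chain, `pip install --upgrade pip` and `pip install pylint` carry no version pins, so two builds of the same GitCommit can produce different images; pin both. The final `chmod -R 777` on `${SRC_PATH}` and `${SONAR_USER_HOME}` overrides the `chmod -R 555` on the line before it for those paths and leaves them world-writable. Since uid 1000 is created at the top of the chain, a `chown` to scanner-cli with a narrower mode would work, or, if the intent is to support an arbitrary `--user`, a comment should say so.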
diff --git a/sonar-scanner-cli_latest/bin/entrypoint.sh b/sonar-scanner-cli_latest/bin/entrypoint.sh
new file mode 100755
index 0000000..b0ad176
--- /dev/null
+++ b/sonar-scanner-cli_latest/bin/entrypoint.sh
@@ -0,0 +1,42 @@
+#!/bin/bash
+
+set -euo pipefail
+
+declare -a args=()
+
+add_env_var_as_env_prop() {
+ if [ "$1" ]; then
+ args+=("-D$2=$1")
+ fi
+}
+
+# If there are certificates in /tmp/cacers we will import those into the systems truststore
+if [ -d /tmp/cacerts ]; then
+ if [ "$(ls -A /tmp/cacerts)" ]; then
+ for f in /tmp/cacerts/*
+ do
+ keytool -importcert -file "${f}" -alias "$(basename ${f})" -keystore /usr/lib/jvm/default-jvm/jre/lib/security/cacerts -storepass changeit -trustcacerts -noprompt
+ done
+ fi
+fi
+
+# if nothing is passed, assume we want to run sonar-scanner
+if [[ "$#" == 0 ]]; then
+ set -- sonar-scanner
+fi
+
+# if first arg looks like a flag, assume we want to run sonar-scanner with flags
+if [[ "${1#-}" != "${1}" ]] || [[ -z "$(command -v "${1}")" ]]; then
+ set -- sonar-scanner "$@"
+fi
+
+if [[ "$1" = 'sonar-scanner' ]]; then
+ add_env_var_as_env_prop "${SONAR_LOGIN:-}" "sonar.login"
+ add_env_var_as_env_prop "${SONAR_PASSWORD:-}" "sonar.password"
+ add_env_var_as_env_prop "${SONAR_PROJECT_BASE_DIR:-}" "sonar.projectBaseDir"
+ if [ ${#args[@]} -ne 0 ]; then
+ set -- sonar-scanner "${args[@]}" "${@:2}"
+ fi
+fi
+
+exec "$@" |
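Review bot: The `keytool -importcert` call in the /tmp/cacerts loop hard-codes `-keystore /usr/lib/jvm/default-jvm/jre/lib/security/cacerts`, which does not match the `JAVA_HOME=/opt/java/openjdk` set in the Dockerfile in this same patch, and the Dockerfile switches to `USER scanner-cli` before the entrypoint runs, so the import would also need write access to the system truststore. With `set -euo pipefail`, a failed import aborts the container whenever certificates are mounted. Derive the path from `${JAVA_HOME}` and make sure the runtime user can write the keystore, or import into a per-user truststore instead. Separately, `SONAR_PASSWORD` is turned into a `-Dsonar.password=...` argument, which exposes it in the process list inside the container, and `$(basename ${f})` should quote `${f}` so file names with spaces do not break the alias.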
Has something changed since #8100? Rewording/expanding my comment linked from
Hello @yosifkit, please may you excuse me, I was not aware this was already attempted that way at sonar. I definitely understand the reasoning, so just to double check, if we specify it as a subtag of sonarqube, this will be accepted and considered a valid use case? Thanks a lot for your kind answers, I will draft this.
Hello again @yosifkit, brainstormed a bit on that with the team and we have a few other questions. One major change compared to #8100 is that the scanner is used both with SonarQube and SonarCloud (our SaaS solution). Having the scanner as a subpart of the SonarQube image would be confusing to users who are looking to use it against SonarCloud. The situation is a bit tricky as you mentioned
For SonarQube itself it is not entirely true, as the product does need this scanner-cli in order to be used. Do we have other options to look for? We were thinking maybe having a Sonar image instead of SonarQube? With something like
But I guess it would be too tight to the company? Even if those are open source products. Also the refactor might be tricky as it would be considered a new image/docker-hub page etc.? Please let us know what you think about the situation. Huge thanks in advance.
What is the motivation for having this tool as a Docker Official Image (DOI)? Making the sonarsource organization a Docker Verified Publisher might be a better fit.
Hello @whalelines, two main reasons. First was to make sure all our images are distributed the same way, so it is clear and easy to understand where to pick them for our users. In the meantime, being a verified publisher is a discussion we are having internally.
Hello everyone, we would like to add a new official image for the tool called sonar-scanner-cli.
This is the tool used to interact with the SonarQube product (which is already an official image).
Here is the related doc PR
Those PRs will stay in draft while gathering your feedback on the ongoing Dockerfile here
Thanks a lot in advance