diff --git a/.cirrus.star b/.cirrus.star
deleted file mode 100644
index bc1f3998b..000000000
--- a/.cirrus.star
+++ /dev/null
@@ -1,4 +0,0 @@
-load("github.com/SonarSource/cirrus-modules@v3", "load_features")
-
-def main(ctx):
- return load_features(ctx)
diff --git a/.cirrus.yml b/.cirrus.yml
deleted file mode 100644
index b69433182..000000000
--- a/.cirrus.yml
+++ /dev/null
@@ -1,142 +0,0 @@
-env:
- CIRRUS_CLONE_DEPTH: 20
- ARTIFACTORY_URL: VAULT[development/kv/data/repox data.url]
- ARTIFACTORY_PRIVATE_USERNAME: VAULT[development/artifactory/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-private-reader username]
- ARTIFACTORY_PRIVATE_PASSWORD: VAULT[development/artifactory/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-private-reader access_token]
- ARTIFACTORY_DEPLOY_USERNAME: vault-${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-qa-deployer
- ARTIFACTORY_DEPLOY_PASSWORD: VAULT[development/artifactory/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-qa-deployer access_token]
- #Possible values for ARTIFACTORY_DEPLOY_REPO: sonarsource-private-qa, sonarsource-public-qa
- ARTIFACTORY_DEPLOY_REPO: sonarsource-public-qa
- ARTIFACTORY_ACCESS_TOKEN: VAULT[development/artifactory/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-private-reader access_token]
- # Use bash (instead of sh on linux or cmd.exe on windows)
- CIRRUS_SHELL: bash
-
-container_definition: &CONTAINER_DEFINITION
- image: "${CIRRUS_AWS_ACCOUNT}.dkr.ecr.eu-central-1.amazonaws.com/base:j23-latest"
- cluster_name: ${CIRRUS_CLUSTER_NAME}
- region: eu-central-1
- namespace: default
-
-orchestrator_cache_preparation_definition: &ORCHESTRATOR_CACHE_PREPARATION_DEFINITION
- set_orchestrator_home_script: |
- export TODAY=$(date '+%Y-%m-%d')
- echo "TODAY=${TODAY}" >> $CIRRUS_ENV
- echo "ORCHESTRATOR_HOME=${CIRRUS_WORKING_DIR}/orchestrator/${TODAY}" >> $CIRRUS_ENV
- mkdir_orchestrator_home_script: |
- echo "Create dir ${ORCHESTRATOR_HOME} if needed"
- mkdir -p ${ORCHESTRATOR_HOME}
-
-orchestrator_cache_elements_definition: &ORCHESTRATOR_CACHE_ELEMENTS_DEFINITION
- folder: ${ORCHESTRATOR_HOME}
- fingerprint_script: echo ${TODAY}
- reupload_on_changes: "true"
-
-only_sonarsource_qa: &ONLY_SONARSOURCE_QA
- only_if: ${CIRRUS_USER_COLLABORATOR} == 'true' && ${CIRRUS_TAG} == "" && (${CIRRUS_PR} != "" || ${CIRRUS_BRANCH} == "master" || ${CIRRUS_BRANCH} =~ "branch-.*" || ${CIRRUS_BRANCH} =~ "dogfood-on-.*")
-
-build_task:
- eks_container:
- <<: *CONTAINER_DEFINITION
- cpu: 4
- memory: 4G
- env:
- # analysis on next
- SONAR_TOKEN: VAULT[development/kv/data/next data.token]
- SONAR_HOST_URL: https://next.sonarqube.com/sonarqube
- #allow deployment of pull request artifacts to repox
- DEPLOY_PULL_REQUEST: true
- # signing artifacts
- SIGN_KEY: VAULT[development/kv/data/sign data.key]
- PGP_PASSPHRASE: VAULT[development/kv/data/sign data.passphrase]
- maven_cache:
- folder: ${CIRRUS_WORKING_DIR}/.m2/repository
- build_script:
- - source cirrus-env BUILD
- - regular_mvn_build_deploy_analyze
- cleanup_before_cache_script: cleanup_maven_repository
-
-sonar_shadow_scan_and_issue_replication_task:
- depends_on:
- - build
- # Only run when triggered by the cirrus-ci cron job named "nightly"
- only_if: $CIRRUS_CRON == "nightly"
- eks_container:
- <<: *CONTAINER_DEFINITION
- cpu: 4
- memory: 4G
- env:
- SONAR_PROJECT_KEY: "org.sonarsource.java:sonar-java-symbolic-execution"
- SHADOW_ORGANIZATION: "sonarsource"
- # to replicate issue states from next
- SONAR_TOKEN: VAULT[development/kv/data/next data.token]
- SONAR_HOST_URL: https://next.sonarqube.com/sonarqube
- matrix:
- - name: "sonarcloud.io"
- SHADOW_SONAR_TOKEN: VAULT[development/kv/data/sonarcloud data.token]
- SHADOW_SONAR_HOST_URL: "https://sonarcloud.io"
- - name: "sonarqube.us"
- SHADOW_SONAR_TOKEN: VAULT[development/kv/data/sonarqube-us data.token]
- SHADOW_SONAR_HOST_URL: "https://sonarqube.us"
- maven_cache:
- folder: ${CIRRUS_WORKING_DIR}/.m2/repository
- build_and_shadow_scan_script:
- - source cirrus-env BUILD
- - ./shadow-scan-and-issue-replication.sh
- cleanup_before_cache_script: cleanup_maven_repository
-
-ruling_task:
- depends_on:
- - build
- <<: *ONLY_SONARSOURCE_QA
- eks_container:
- <<: *CONTAINER_DEFINITION
- image: ${CIRRUS_AWS_ACCOUNT}.dkr.ecr.eu-central-1.amazonaws.com/base:j17-latest
- cpu: 14
- memory: 8G
- maven_cache:
- folder: ${CIRRUS_WORKING_DIR}/.m2/repository
- <<: *ORCHESTRATOR_CACHE_PREPARATION_DEFINITION
- orchestrator_LATEST_RELEASE_cache:
- <<: *ORCHESTRATOR_CACHE_ELEMENTS_DEFINITION
- submodules_script:
- - git submodule update --init --recursive
- env:
- MAVEN_OPTS: "-Xmx3g"
- GITHUB_TOKEN: VAULT[development/github/token/licenses-ro token]
- matrix:
- # Supported values for JAVA_PLUGIN_VERSION:
- # LATEST_RELEASE, LATEST_MASTER, LATEST_DOGFOOD, POM_PROPERTY or a fixed version like 8.15.0.39249
- - PROFILE: without-sonarqube-project
- JAVA_PLUGIN_VERSION: LATEST_MASTER
- - PROFILE: without-sonarqube-project
- JAVA_PLUGIN_VERSION: POM_PROPERTY
- - PROFILE: only-sonarqube-project
- JAVA_PLUGIN_VERSION: LATEST_MASTER
- ruling_script:
- - source cirrus-env QA
- - source set_maven_build_version $BUILD_NUMBER
- - export SONAR_JAVA_VERSION="$(.github/scripts/resolve-sonar-java-plugin-version.sh "${JAVA_PLUGIN_VERSION}")"
- - echo "Using SONAR_JAVA_VERSION=${SONAR_JAVA_VERSION}"
- - cd its/ruling
- - mvn package --batch-mode "-Pit-ruling,$PROFILE" -Dsonar.java.version="$SONAR_JAVA_VERSION" -Dsonar.runtimeVersion=LATEST_RELEASE -Dmaven.test.redirectTestOutputToFile=false -B -e -V -Dparallel=methods -DuseUnlimitedThreads=true
- cleanup_before_cache_script: cleanup_maven_repository
- on_failure:
- actual_artifacts:
- path: "${CIRRUS_WORKING_DIR}/its/ruling/target/actual/**/*"
-
-promote_task:
- depends_on:
- - build
- - sonar_shadow_scan_and_issue_replication
- - ruling
- <<: *ONLY_SONARSOURCE_QA
- eks_container:
- <<: *CONTAINER_DEFINITION
- cpu: 2
- memory: 1G
- env:
- ARTIFACTORY_PROMOTE_ACCESS_TOKEN: VAULT[development/artifactory/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-promoter access_token]
- maven_cache:
- folder: ${CIRRUS_WORKING_DIR}/.m2/repository
- main_script: cirrus_promote_maven
- cleanup_before_cache_script: cleanup_maven_repository
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index dfdbae8be..9f4db2f63 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -22,14 +22,15 @@ jobs:
id-token: write
contents: write
outputs:
- build-number: ${{ steps.build-maven.outputs.BUILD_NUMBER }}
+ build-number: ${{ steps.build-step.outputs.BUILD_NUMBER }}
+ deployed: ${{ steps.build-step.outputs.deployed }}
steps:
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+ - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- uses: jdx/mise-action@d6e32c1796099e0f1f3ac741c220a8b7eae9e5dd # v3.2.0
with:
version: 2025.7.12
- uses: SonarSource/ci-github-actions/build-maven@v1
- id: build-maven
+ id: build-step
with:
deploy-pull-request: true
artifactory-reader-role: private-reader # Override default public-reader
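Review bot: `SonarSource/ci-github-actions/build-maven@v1` stays on a mutable tag in a job granted `id-token: write` and `contents: write`, while the checkout and mise actions in the same step list are pinned to full commit SHAs. Whatever `v1` points to at run time executes with those permissions and also produces the new `deployed` output that the `qa` and `promote` jobs are now gated on. If the pinning policy is meant to cover first-party actions as well, reference it as `uses: SonarSource/ci-github-actions/build-maven@<full-commit-sha> # v1`; the same applies to `promote@v1` in the last hunk of this file. The job definition starts above this hunk, so its full permission set and triggers are not visible here.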
@@ -37,8 +38,8 @@ jobs:
qa:
needs: [build]
+ if: ${{ needs.build.outputs.deployed }}
runs-on: github-ubuntu-latest-l
- if: github.event_name != 'pull_request' || (github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]')
permissions:
id-token: write
strategy:
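Review bot: The new `if: ${{ needs.build.outputs.deployed }}` on the `qa` job tests a job output, and job outputs are always strings, so any non-empty value, including the literal `false`, evaluates as true. This condition replaces the explicit guard that kept `qa` (which holds `id-token: write`) off fork and dependabot pull requests, so the gate now rests entirely on what the build step emits. Unless the action is known to leave `deployed` empty when nothing was deployed, compare explicitly: `if: ${{ needs.build.outputs.deployed == 'true' }}`. The same condition is added to `promote` in the last hunk of this file and needs the same change.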
@@ -49,6 +50,8 @@ jobs:
- { name: "for SonarQube Project Only", profile: "only-sonarqube-project", java_plugin_version: "LATEST_MASTER" }
- { name: "with Prod SonarJava Plugin", profile: "without-sonarqube-project", java_plugin_version: "POM_PROPERTY" }
name: "QA Tests ${{ matrix.item.name }}"
+ env:
+ BUILD_NUMBER: ${{ needs.build.outputs.build-number }}
steps:
- name: Checkout repository
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
@@ -101,17 +104,15 @@ jobs:
promote:
name: Promote
- needs: [build, qa]
+ if: ${{ needs.build.outputs.deployed }}
+ needs:
+ - build
+ - qa
runs-on: github-ubuntu-latest-s
- if: github.event_name != 'pull_request' || (github.event.pull_request.head.repo.full_name == github.repository && github.actor != 'dependabot[bot]')
permissions:
id-token: write
+ env:
+ BUILD_NUMBER: ${{ needs.build.outputs.build-number }}
steps:
- - name: Checkout repository
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- - uses: jdx/mise-action@d6e32c1796099e0f1f3ac741c220a8b7eae9e5dd # v3.2.0
- with:
- cache_save: false
- version: 2025.7.12
- name: Promote artifacts
uses: SonarSource/ci-github-actions/promote@v1
\ No newline at end of file
diff --git a/README.md b/README.md
index 89153473c..6782514cf 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,4 @@
-Sonar Java symbolic execution plugin [](https://cirrus-ci.com/github/SonarSource/sonar-java) [](https://next.sonarqube.com/sonarqube/dashboard?id=org.sonarsource.java%3Asonar-java-symbolic-execution) [](https://next.sonarqube.com/sonarqube/component_measures/domain/Coverage?id=org.sonarsource.java%3Asonar-java-symbolic-execution)
+Sonar Java symbolic execution plugin [](https://github.com/SonarSource/sonar-java-symbolic-execution/actions/workflows/build.yml) [](https://next.sonarqube.com/sonarqube/dashboard?id=org.sonarsource.java%3Asonar-java-symbolic-execution) [](https://next.sonarqube.com/sonarqube/component_measures/domain/Coverage?id=org.sonarsource.java%3Asonar-java-symbolic-execution)
==========
This SonarSource project is a plugin designed for advanced bug detection in Java projects, helping developers write [Clean Code](https://www.sonarsource.com/solutions/clean-code/).
diff --git a/pom.xml b/pom.xml
index 60b269a9b..6aa59acb4 100644
--- a/pom.xml
+++ b/pom.xml
@@ -64,8 +64,8 @@
https://jira.sonarsource.com/browse/JAVASE
- Cirrus CI
- https://cirrus-ci.com/github/SonarSource/sonar-java-symbolic-execution
+ GitHub Actions
+ https://github.com/SonarSource/sonar-java-symbolic-execution/actions/workflows/build.yml
diff --git a/shadow-scan-and-issue-replication.sh b/shadow-scan-and-issue-replication.sh
deleted file mode 100755
index 7b3bec624..000000000
--- a/shadow-scan-and-issue-replication.sh
+++ /dev/null
@@ -1,130 +0,0 @@
-#!/usr/bin/env bash
-
-set -euo pipefail
-
-# IRIS: Issue Replication for Sonarqube
-IRIS_JAR_URL="${ARTIFACTORY_URL}/sonarsource-private-releases/com/sonarsource/iris/iris/\[RELEASE\]/iris-\[RELEASE\]-jar-with-dependencies.jar"
-IRIS_JAR_PATH="target/libs/iris.jar"
-
-function build_and_analyze_the_project() {
- echo
- echo "===== Build and analyze the project targeting a shadow SonarQube instance"
- local BUILD_CMD
- if [[ -e "gradlew" ]]; then
- BUILD_CMD="./gradlew --info --stacktrace --console plain build sonar"
- else
- source set_maven_build_version "$BUILD_NUMBER"
- BUILD_CMD="mvn -Pcoverage -Dmaven.test.redirectTestOutputToFile=false --batch-mode --errors --show-version verify sonar:sonar"
- fi
- ${BUILD_CMD} \
- -DbuildNumber="${BUILD_NUMBER}" \
- -Dsonar.host.url="${SHADOW_SONAR_HOST_URL}" \
- -Dsonar.token="${SHADOW_SONAR_TOKEN}" \
- -Dsonar.organization="${SHADOW_ORGANIZATION}" \
- -Dsonar.projectKey="${SONAR_PROJECT_KEY}" \
- -Dsonar.analysis.buildNumber="${BUILD_NUMBER}" \
- -Dsonar.analysis.repository="${GITHUB_REPO}" \
- "$@"
-}
-
-function download_iris() {
- echo
- echo "===== Download ${IRIS_JAR_URL}"
- mkdir -p target/libs
- curl --silent --fail-with-body --location --header "Authorization: Bearer ${ARTIFACTORY_PRIVATE_PASSWORD}" \
- --output "${IRIS_JAR_PATH}" "${IRIS_JAR_URL}"
-}
-
-function sonarcloud_compute_engine_status_for_given_project() {
- local PROJECT_KEY="$1"
- local RESPONSE
- RESPONSE="$(
- curl --silent --fail-with-body --location --request GET \
- --header "Authorization: Bearer ${SHADOW_SONAR_TOKEN}" \
- --output - \
- "${SHADOW_SONAR_HOST_URL}/api/ce/component?component=${PROJECT_KEY}"
- )"
- local STATUS
- # we first check if there is one or more 'PENDING' tasks in the queue
- STATUS="$(echo "${RESPONSE}" | jq -r '.queue[].status')"
- if [[ "${STATUS}" == "null" ]]; then
- STATUS=""
- fi
- if [[ -z "${STATUS}" ]]; then
- # otherwise we get the status of the current task
- STATUS="$(echo "${RESPONSE}" | jq -r '.current.status')"
- fi
- echo -n "${STATUS}"
-}
-
-function wait_for_sonarcloud_compute_engine_to_finish() {
- local MAX_WAIT_TIME_SECONDS="300" # Default to 5 minutes
- local SLEEP_INTERVAL_SECONDS="1"
- local ELAPSED_TIME=0
- local LAST_STATUS=""
- local STATUS
-
- echo "Waiting for SonarCloud compute engine to finish for project key: ${SONAR_PROJECT_KEY}"
- while (( ELAPSED_TIME < MAX_WAIT_TIME_SECONDS )); do
- STATUS=$(sonarcloud_compute_engine_status_for_given_project "${SONAR_PROJECT_KEY}")
- if [[ "${STATUS}" != "${LAST_STATUS}" ]]; then
- echo -n " ${STATUS} "
- LAST_STATUS="${STATUS}"
- fi
-
- if [[ "${STATUS}" == "PENDING" || "${STATUS}" == "IN_PROGRESS" ]]; then
- echo -n "."
- elif [[ "${STATUS}" == "FAILED" || "${STATUS}" == "CANCELED" ]]; then
- echo -e "\nERROR: SonarCloud compute engine finished with status: ${STATUS}"
- return 1
- elif [[ "${STATUS}" == "SUCCESS" ]]; then
- echo -e "\nSonarCloud compute engine finished successfully."
- return 0
- else
- echo -e "\nERROR: Unknown status: ${STATUS}"
- return 1
- fi
- sleep "${SLEEP_INTERVAL_SECONDS}"
- ELAPSED_TIME=$((ELAPSED_TIME + SLEEP_INTERVAL_SECONDS))
- done
- echo -e "\nERROR: Timeout reached after ${MAX_WAIT_TIME_SECONDS} seconds."
- return 1
-}
-
-function run_iris() {
- local DRY_RUN="$1"
- java \
- -Diris.source.projectKey="${SONAR_PROJECT_KEY}" \
- -Diris.source.url="${SONAR_HOST_URL}" \
- -Diris.source.token="${SONAR_TOKEN}" \
- -Diris.destination.projectKey="${SONAR_PROJECT_KEY}" \
- -Diris.destination.organization="${SHADOW_ORGANIZATION}" \
- -Diris.destination.url="${SHADOW_SONAR_HOST_URL}" \
- -Diris.destination.token="${SHADOW_SONAR_TOKEN}" \
- -Diris.dryrun="${DRY_RUN}" \
- -jar "${IRIS_JAR_PATH}"
-}
-
-function run_iris_with_and_without_dry_run() {
- echo
- echo "===== Execute IRIS as dry-run"
- if run_iris true; then
- echo "===== Successful IRIS execution as dry-run"
- echo "===== Execute IRIS for real"
- if run_iris false; then
- echo "===== Successful IRIS execution for real"
- return 0
- else
- echo "===== Failed IRIS execution for real"
- return 1
- fi
- else
- echo "===== Failed IRIS execution as dry-run"
- return 1
- fi
-}
-
-build_and_analyze_the_project "$@"
-download_iris
-wait_for_sonarcloud_compute_engine_to_finish
-run_iris_with_and_without_dry_run