Merge branch 'master' into vertx-with-junit5

SonarSource · Dec 4, 2022 · 20ea12a · 20ea12a
2 parents aba460b + 6ba23e3
commit 20ea12a
Show file tree

Hide file tree

Showing 1,474 changed files with 7,085 additions and 2,076 deletions.
diff --git a/.cirrus.star b/.cirrus.star
@@ -0,0 +1,4 @@
+load("github.com/SonarSource/cirrus-modules@v1", "cirrus_auth")
+
+def main(ctx):
+  return cirrus_auth()
diff --git a/.cirrus.yml b/.cirrus.yml
@@ -1,55 +1,62 @@
-gcp_credentials: ENCRYPTED[!149d4005ecdba4cdd78bb5ba22756ebb98bf8e3367ee2e9ab08c5a1608c0d3e3b501904b67a1d67c0b63085e469d7dde!]
-
 env:
-  ARTIFACTORY_URL: ENCRYPTED[!2f8fa307d3289faa0aa6791f18b961627ae44f1ef46b136e1a1e63b0b4c86454dbb25520d49b339e2d50a1e1e5f95c88!]
-  ARTIFACTORY_PRIVATE_USERNAME: repox-private-reader-lt-ef42e7
-  ARTIFACTORY_PRIVATE_PASSWORD: ENCRYPTED[!9b954ad23535be51e04d7ad72d8f79b93141341f3b6fe5527140e1ffa9570694f23ddea6fc384b742e7ec956533765d6!]
-  ARTIFACTORY_DEPLOY_USERNAME: repox-qa-deployer-lt-ef42e7
-  ARTIFACTORY_DEPLOY_PASSWORD: ENCRYPTED[!e9d67cbbb9ffaa6a05b863eae9d08292b431481ae920205c7cb42d8811c18a932f2a29f486a46171c9ac6c053bc51e73!]
+  CIRRUS_VAULT_URL: https://vault.sonar.build:8200
+  CIRRUS_VAULT_AUTH_PATH: jwt-cirrusci
+  CIRRUS_VAULT_ROLE: cirrusci-${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}
+
+  ARTIFACTORY_URL: VAULT[development/kv/data/repox data.url]
+  ARTIFACTORY_PRIVATE_USERNAME: vault-${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-private-reader
+  ARTIFACTORY_PRIVATE_PASSWORD: VAULT[development/artifactory/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-private-reader access_token]
+  ARTIFACTORY_DEPLOY_USERNAME: vault-${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-qa-deployer
+  ARTIFACTORY_DEPLOY_PASSWORD: VAULT[development/artifactory/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-qa-deployer access_token]
   #Possible values for ARTIFACTORY_DEPLOY_REPO: sonarsource-private-qa, sonarsource-public-qa
   ARTIFACTORY_DEPLOY_REPO: sonarsource-public-qa
-  ARTIFACTORY_API_KEY: ENCRYPTED[!9b954ad23535be51e04d7ad72d8f79b93141341f3b6fe5527140e1ffa9570694f23ddea6fc384b742e7ec956533765d6!]
+  ARTIFACTORY_ACCESS_TOKEN: VAULT[development/artifactory/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-private-reader access_token]
+  GITHUB_TOKEN: VAULT[development/github/token/licenses-ro token]
   # burgr notification
-  BURGR_URL: ENCRYPTED[!c7e294da94762d7bac144abef6310c5db300c95979daed4454ca977776bfd5edeb557e1237e3aa8ed722336243af2d78!]
-  BURGR_USERNAME: ENCRYPTED[!b29ddc7610116de511e74bec9a93ad9b8a20ac217a0852e94a96d0066e6e822b95e7bc1fe152afb707f16b70605fddd3!]
-  BURGR_PASSWORD: ENCRYPTED[!83e130718e92b8c9de7c5226355f730e55fb46e45869149a9223e724bb99656878ef9684c5f8cfef434aa716e87f4cf2!]
-  GITHUB_TOKEN: ENCRYPTED[!f458126aa9ed2ac526f220c5acb51dd9cc255726b34761a56fc78d4294c11089502a882888cef0ca7dd4085e72e611a5!]
+  BURGR_URL: VAULT[development/kv/data/burgr data.url]
+  BURGR_USERNAME: VAULT[development/kv/data/burgr data.cirrus_username]
+  BURGR_PASSWORD: VAULT[development/kv/data/burgr data.cirrus_password]
   # Use bash (instead of sh on linux or cmd.exe on windows)
   CIRRUS_SHELL: bash
   # Allows to run builds for the 50 last commits in a branch:
   CIRRUS_CLONE_DEPTH: 50
 
 container_definition: &CONTAINER_DEFINITION
-  image: eu.gcr.io/release-engineering-ci-prod/base:j11-latest
-  cluster_name: cirrus-ci
-  zone: europe-west4-b
+  image: ${CIRRUS_AWS_ACCOUNT}.dkr.ecr.eu-central-1.amazonaws.com/base:j11-latest
+  cluster_name: ${CIRRUS_CLUSTER_NAME}
+  region: eu-central-1
   namespace: default
+  nodeSelectorTerms:
+      - matchExpressions:
+        - key: node.kubernetes.io/instance-type
+          operator: In
+          values:
+            - m4.4xlarge
 
 win_vm_definition: &WINDOWS_VM_DEFINITION
-  gce_instance:
-    image_project: release-engineering-ci-prod
-    image_family: lt-base-windows-jdk17
+  ec2_instance:
+    experimental: true # see https://github.com/cirruslabs/cirrus-ci-docs/issues/1051
+    image: base-windows-jdk17-v*
     platform: windows
-    zone: europe-west4-b
-    preemptible: false
+    region: eu-central-1
     disk: 128
-    use_ssd: true
-    type: n2d-standard-16
+    type: c5.4xlarge
+    subnet_id: ${CIRRUS_AWS_SUBNET}
 
 only_sonarsource_qa: &ONLY_SONARSOURCE_QA
   only_if: $CIRRUS_USER_COLLABORATOR == 'true' && $CIRRUS_TAG == "" && ($CIRRUS_PR != "" || $CIRRUS_BRANCH == "master" || $CIRRUS_BRANCH =~ "branch-.*" || $CIRRUS_BRANCH =~ "dogfood-on-.*")
 
 build_task:
-  gke_container:
+  eks_container:
     <<: *CONTAINER_DEFINITION
-    image: eu.gcr.io/release-engineering-ci-prod/base:j17-latest
+    image: ${CIRRUS_AWS_ACCOUNT}.dkr.ecr.eu-central-1.amazonaws.com/base:j17-latest
     cpu: 4
-    memory: 8G
+    memory: 4G
   env:
-    SIGN_KEY: ENCRYPTED[!cc216dfe592f79db8006f2a591f8f98b40aa2b078e92025623594976fd32f6864c1e6b6ba74b50647f608e2418e6c336!]
-    PGP_PASSPHRASE: ENCRYPTED[!314a8fc344f45e462dd5e8dccd741d7562283a825e78ebca27d4ae9db8e65ce618e7f6aece386b2782a5abe5171467bd!]
+    SIGN_KEY: VAULT[development/kv/data/sign data.key]
+    PGP_PASSPHRASE: VAULT[development/kv/data/sign data.passphrase]
     # analysis on next
-    SONAR_TOKEN: ENCRYPTED[!b6fd814826c51e64ee61b0b6f3ae621551f6413383f7170f73580e2e141ac78c4b134b506f6288c74faa0dd564c05a29!]
+    SONAR_TOKEN: VAULT[development/kv/data/next data.token]
     SONAR_HOST_URL: https://next.sonarqube.com/sonarqube
     #allow deployment of pull request artifacts to repox
     DEPLOY_PULL_REQUEST: true
@@ -65,14 +72,14 @@ ws_scan_task:
   depends_on:
     - build
   <<: *ONLY_SONARSOURCE_QA
-  gke_container:
+  eks_container:
     <<: *CONTAINER_DEFINITION
     cpu: 4
-    memory: 8G
+    memory: 4G
   # run only on master and long-term branches
   only_if: $CIRRUS_USER_COLLABORATOR == 'true' && ($CIRRUS_BRANCH == "master" || $CIRRUS_BRANCH =~ "branch-.*")
   env:
-    WS_APIKEY: ENCRYPTED[cda363e6bcac3edd4c259dc05b3570e00152ad50f9ad3ec3cab72d57cda318a0d5472e37c656c3566c2cb8c752d2f5a0]
+    WS_APIKEY: VAULT[development/kv/data/mend data.apikey]
   maven_cache:
     folder: ${CIRRUS_WORKING_DIR}/.m2/repository
   whitesource_script:
@@ -100,10 +107,10 @@ plugin_qa_task:
   depends_on:
     - build
   <<: *ONLY_SONARSOURCE_QA
-  gke_container:
+  eks_container:
     <<: *CONTAINER_DEFINITION
-    cpu: 8
-    memory: 16G
+    cpu: 14
+    memory: 6G
   env:
     matrix:
       - SQ_VERSION: LATEST_RELEASE[8.9]
@@ -126,11 +133,11 @@ sanity_task:
   depends_on:
     - build
   <<: *ONLY_SONARSOURCE_QA
-  gke_container:
+  eks_container:
     <<: *CONTAINER_DEFINITION
-    image: eu.gcr.io/release-engineering-ci-prod/base:j17-latest
+    image: ${CIRRUS_AWS_ACCOUNT}.dkr.ecr.eu-central-1.amazonaws.com/base:j17-latest
     cpu: 4
-    memory: 8G
+    memory: 2G
   maven_cache:
     folder: ${CIRRUS_WORKING_DIR}/.m2/repository
   sanity_script:
@@ -144,11 +151,11 @@ ruling_task:
   depends_on:
     - build
   <<: *ONLY_SONARSOURCE_QA
-  gke_container:
+  eks_container:
     <<: *CONTAINER_DEFINITION
-    image: eu.gcr.io/release-engineering-ci-prod/base:j17-latest
-    cpu: 8
-    memory: 16G
+    image: ${CIRRUS_AWS_ACCOUNT}.dkr.ecr.eu-central-1.amazonaws.com/base:j17-latest
+    cpu: 14
+    memory: 6G
   maven_cache:
     folder: ${CIRRUS_WORKING_DIR}/.m2/repository
   submodules_script:
@@ -185,14 +192,15 @@ promote_task:
     - plugin_qa
     - ws_scan
   <<: *ONLY_SONARSOURCE_QA
-  gke_container:
+  eks_container:
     <<: *CONTAINER_DEFINITION
-    cpu: 1
+    cpu: 2
     memory: 1G
   env:
     #promotion cloud function
-    GCF_ACCESS_TOKEN: ENCRYPTED[!1fb91961a5c01e06e38834e55755231d649dc62eca354593105af9f9d643d701ae4539ab6a8021278b8d9348ae2ce8be!]
-    PROMOTE_URL: ENCRYPTED[!e22ed2e34a8f7a1aea5cff653585429bbd3d5151e7201022140218f9c5d620069ec2388f14f83971e3fd726215bc0f5e!]
+    GCF_ACCESS_TOKEN: VAULT[development/kv/data/promote data.token]
+    PROMOTE_URL: VAULT[development/kv/data/promote data.url]
+    GITHUB_TOKEN: VAULT[development/github/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-promotion token]
     #artifacts that will have downloadable links in burgr
     ARTIFACTS: org.sonarsource.java:sonar-java-plugin:jar
   maven_cache:

diff --git a/.gitattributes b/.gitattributes
@@ -1,2 +1,7 @@
 java-frontend/src/test/files/highlighter/SonarSymTable.java eol=lf
 java-checks/src/test/files/checks/NonEmptyFile.java eol=cr
+java-frontend/src/test/java/org/sonar/java/model/TreeTokenCompletenessTest.java eol=lf
+java-checks/src/main/java/org/sonar/java/checks/helpers/ExpressionEvaluator.java eol=lf
+java-checks-test-sources/src/main/java/checks/CounterModeIVShouldNotBeReusedCheck.java eol=lf
+java-checks/src/main/java/org/sonar/java/checks/helpers/HardcodedStringExpressionChecker.java eol=lf
+its/ruling/src/test/resources/autoscan/autoscan-diff-by-rules.json eol=lf
diff --git a/.github/workflows/dogfood.yml b/.github/workflows/dogfood.yml
@@ -11,15 +11,24 @@ on:
 #      - 'dogfood/*'
 
 env:
-  SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
-  SLACK_USERNAME: Dogfood build action      
-      
+  SLACK_CHANNEL: team-lang-java-notifs
+  SLACK_USERNAME: Dogfood build action
+
 jobs:
   dogfood_merge:
     runs-on: ubuntu-latest
     name: Update dogfood branch
+    permissions:
+      id-token: write # required for SonarSource/vault-action-wrapper
+      contents: write # required to grant GITHUB_TOKEN writing permission
     steps:
-    - name: git octopus step     
+    - name: get secrets
+      id: secrets
+      uses: SonarSource/vault-action-wrapper@d1c1ab4ca5ad07fd9cdfe1eff038a39673dfca64  # tag=2.4.2-1
+      with:
+        secrets: |
+          development/kv/data/slack webhook | SLACK_WEBHOOK;
+    - name: git octopus step
       env:
         GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
       id: dogfood
@@ -33,16 +42,15 @@ jobs:
     - name: Notify success on Slack
       uses: Ilshidur/action-slack@1.6.2
       env:
+        SLACK_WEBHOOK: ${{ fromJSON(steps.secrets.outputs.vault).SLACK_WEBHOOK }}
         SLACK_OVERRIDE_MESSAGE: 'Dogfood build for `${{ steps.dogfood.outputs.sha1 }}`: *successful*'
       with:
         args: 'Succeed to build dogfood branch'
     - name: Notify failures on Slack
       uses: Ilshidur/action-slack@1.6.2
       if: failure()
       env:
-        SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
-        SLACK_USERNAME: Dogfood build action      
+        SLACK_WEBHOOK: ${{ fromJSON(steps.secrets.outputs.vault).SLACK_WEBHOOK }}
         SLACK_OVERRIDE_MESSAGE: 'Dogfood build for `${{ steps.dogfood.outputs.sha1 }}`: *failed*, see the logs at https://github.com/SonarSource/sonar-java/actions'
       with:
         args: 'Fail to build dogfood branch'
-
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -1,86 +1,19 @@
+---
 name: sonar-release
 # This workflow is triggered when publishing a new github release
-on: 
+# yamllint disable-line rule:truthy
+on:
   release:
     types:
       - published
 
 jobs:
   release:
-    runs-on: ubuntu-latest
-    name: Release
-    steps:
-      - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v1
-        with:
-          aws-access-key-id: ${{ secrets.BINARIES_AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.BINARIES_AWS_SECRET_ACCESS_KEY }}
-          aws-region: ${{ secrets.BINARIES_AWS_REGION }}
-      - name: Release
-        id: release
-        env:
-          ARTIFACTORY_API_KEY: ${{ secrets.ARTIFACTORY_API_KEY }}
-          BINARIES_AWS_DEPLOY: ${{ secrets.BINARIES_AWS_DEPLOY }} # Required for pushing the binaries
-          BURGRX_USER: ${{ secrets.BURGRX_USER }}
-          BURGRX_PASSWORD: ${{ secrets.BURGRX_PASSWORD }}
-          CIRRUS_TOKEN: ${{ secrets.CIRRUS_TOKEN }}
-          PATH_PREFIX: ${{ secrets.BINARIES_PATH_PREFIX }}
-          GITHUB_TOKEN: ${{ secrets.RELEASE_GITHUB_TOKEN }}
-          RELEASE_SSH_USER: ${{ secrets.RELEASE_SSH_USER }}
-          RELEASE_SSH_KEY: ${{ secrets.RELEASE_SSH_KEY }}
-          SLACK_API_TOKEN: ${{secrets.SLACK_API_TOKEN }}
-        uses: SonarSource/gh-action_release/main@v4
-        with:
-          publish_to_binaries: true # Used only if the binaries is delivered to costumers
-          slack_channel: team-lang-java-notifs
-      - name: Release action results
-        if: always()
-        run: |
-          echo "${{ steps.release.outputs.releasability }}"
-          echo "${{ steps.release.outputs.promote }}"
-          echo "${{ steps.release.outputs.publish_to_binaries }}"
-          echo "${{ steps.release.outputs.release }}"
-
-  maven-central-sync: # Only required for OSS projects
-    runs-on: ubuntu-latest
-    name: Maven Central Sync
-    needs:
-      - release
-    steps:
-      - name: Setup JFrog CLI
-        uses: jfrog/setup-jfrog-cli@v1
-      - name: JFrog config
-        run: jfrog rt config repox --url https://repox.jfrog.io/artifactory/ --apikey $ARTIFACTORY_API_KEY --basic-auth-only
-        env:
-          ARTIFACTORY_API_KEY: ${{ secrets.ARTIFACTORY_API_KEY }}
-      - name: Get the version
-        id: get_version
-        run: |
-          IFS=. read major minor patch build <<< "${{ github.event.release.tag_name }}"
-          echo ::set-output name=build::"${build}"
-      - name: Create local repository directory
-        id: local_repo
-        run: echo ::set-output name=dir::"$(mktemp -d repo.XXXXXXXX)"
-      - name: Download Artifacts
-        uses: SonarSource/gh-action_release/download-build@v4
-        with:
-          build-number: ${{ steps.get_version.outputs.build }}
-          local-repo-dir: ${{ steps.local_repo.outputs.dir }}
-      - name: Maven Central Sync
-        id: maven-central-sync
-        continue-on-error: true
-        uses: SonarSource/gh-action_release/maven-central-sync@v4
-        with:
-          local-repo-dir: ${{ steps.local_repo.outputs.dir }}
-        env:
-          OSSRH_USERNAME: ${{ secrets.OSSRH_USERNAME }}
-          OSSRH_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
-      - name: Notify on failure
-        if: ${{ failure() || steps.maven-central-sync.outcome == 'failure' }}
-        uses: 8398a7/action-slack@v3
-        with:
-          text: 'Maven sync failed'
-          status: failure
-          fields: repo,author,eventName
-        env:
-          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_BUILD_WEBHOOK }}
+    permissions:
+      id-token: write
+      contents: write
+    uses: SonarSource/gh-action_release/.github/workflows/main.yaml@v5
+    with:
+      publishToBinaries: true
+      mavenCentralSync: true
+      slackChannel: team-lang-java-notifs