From 5c2103650b1946d42316536ab34bc43ee55da442 Mon Sep 17 00:00:00 2001
From: Tomasz Tylenda
Date: Wed, 25 Mar 2026 14:34:45 +0100
Subject: [PATCH 1/6] Upload ruling artifacts
---
.github/actions/upload-actual/action.yml | 48 ++++++++++++++++++++++++
.github/workflows/build.yml | 16 ++++++++
2 files changed, 64 insertions(+)
create mode 100644 .github/actions/upload-actual/action.yml
diff --git a/.github/actions/upload-actual/action.yml b/.github/actions/upload-actual/action.yml
new file mode 100644
index 00000000000..86b8e8a20b4
--- /dev/null
+++ b/.github/actions/upload-actual/action.yml
@@ -0,0 +1,48 @@
+name: Upload Actual Results
+description: Upload test artifacts and diffs when an integration test fails
+
+inputs:
+ name:
+ description: Name used for the uploaded artifacts. We upload actual_name and diff_name.
+ required: true
+ it-dir:
+ description: Path to integration tests.
+ required: true
+ expected-dir:
+ description: Relative path to expected test results.
+ required: true
+ actual-dir:
+ description: Relative path to actual test results.
+ required: true
+
+env:
+ RETENTION_DAYS: 7
+
+runs:
+ using: composite
+ steps:
+ - name: Upload Actual Results
+ uses: actions/upload-artifact@v4
+ with:
+ name: actual_${{ inputs.name }}
+ path: ${{ inputs.it-dir }}/${{ inputs.actual-dir }}
+ retention-days: ${{ env.RETENTION_DAYS }}
+
+ - name: Generate Diff Report
+ shell: bash
+ env:
+ IT_DIR: ${{ inputs.it-dir }}
+ EXPECTED_DIR: ${{ inputs.expected-dir }}
+ ACTUAL_DIR: ${{ inputs.actual-dir }}
+ run: |
+ cd "${IT_DIR}"
+ mkdir -p target
+ diff --unified --recursive --strip-trailing-cr "${EXPECTED_DIR}" "${ACTUAL_DIR}" > "target/test.diff" || true
+ npx diff2html-cli --input file --style side --file "target/diff_${{ inputs.name }}.html" -- "target/test.diff"
+
+ - name: Upload Diff Report
+ uses: actions/upload-artifact@v4
+ with:
+ name: diff_${{ inputs.name }}
+ path: ${{ inputs.it-dir }}/target/diff_${{ inputs.name }}.html
+ retention-days: ${{ env.RETENTION_DAYS }}
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 0fe065958d0..45a95634552 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
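Review bot: The top-level `env:` block that sets `RETENTION_DAYS: 7` in the new action.yml is, as far as I can tell, not a key that action metadata supports, so `${{ env.RETENTION_DAYS }}` in both upload steps would resolve against the calling job's environment and be empty unless the caller happens to define it. In that case the uploaded test outputs and diff reports are kept for the repository's default retention period rather than the intended 7 days. Declaring the value as an input with a default removes the dependency on the caller: add a `retention-days:` entry with `default: '7'` under `inputs:` and use `retention-days: ${{ inputs.retention-days }}` in the two `actions/upload-artifact` steps.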
@@ -98,6 +98,14 @@ jobs: run: | cd its/ruling mvn package --batch-mode "-Pit-ruling,${{ matrix.item.profile }}" -Dsonar.runtimeVersion=LATEST_RELEASE -Dmaven.test.redirectTestOutputToFile=false -B -e -V -Dparallel=methods -DuseUnlimitedThreads=true + - name: Upload Actual Results On Failure + if: failure() + uses: ./.github/actions/upload-actual + with: + name: ${{ matrix.item.runner }}_${{ matrix.item.profile }} + it-dir: its/ruling + expected-dir: src/test/resources + actual-dir: target/actual plugin-qa: strategy: @@ -323,6 +331,14 @@ jobs: -Dmaven.test.redirectTestOutputToFile=false -Dparallel=methods -DuseUnlimitedThreads=true + - name: Upload Actual Results On Failure + if: failure() + uses: ./.github/actions/upload-actual + with: + name: autoscan + it-dir: its/autoscan + expected-dir: src/test/resources/autoscan/diffs + actual-dir: target/actual/autoscan-diffs qa-os-win: name: Build and Unit Test on Windows From 4d5222022ebdeaa7c34a3246904123a6fe19137d Mon Sep 17 00:00:00 2001 From: Tomasz Tylenda Date: Wed, 25 Mar 2026 14:09:08 +0100 Subject: [PATCH 2/6] Break some ruling goldens --- .../src/test/resources/commons-beanutils/java-S1192.json | 5 ----- 1 file changed, 5 deletions(-) diff --git a/its/ruling/src/test/resources/commons-beanutils/java-S1192.json b/its/ruling/src/test/resources/commons-beanutils/java-S1192.json index 33de8a56b2e..ef98fd2fbff 100644 --- a/its/ruling/src/test/resources/commons-beanutils/java-S1192.json +++ b/its/ruling/src/test/resources/commons-beanutils/java-S1192.json @@ -2,14 +2,9 @@ "commons-beanutils:commons-beanutils:src/main/java/org/apache/commons/beanutils2/BeanUtilsBean.java": [ 945 ], -"commons-beanutils:commons-beanutils:src/main/java/org/apache/commons/beanutils2/ConvertUtilsBean.java": [ -220 -], "commons-beanutils:commons-beanutils:src/main/java/org/apache/commons/beanutils2/PropertyUtilsBean.java": [ 292, 292, -1625, -1627, 1630 ] } From f48908ef0fc233170320e0953fcc67ac82fca9cf Mon Sep 17 00:00:00 2001 
From: Tomasz Tylenda Date: Thu, 26 Mar 2026 09:27:41 +0100 Subject: [PATCH 3/6] Break autoscan goldens --- .../src/test/resources/autoscan/diffs/diff_S1604.json | 4 ++-- .../src/test/resources/autoscan/diffs/diff_S1849.json | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/its/autoscan/src/test/resources/autoscan/diffs/diff_S1604.json b/its/autoscan/src/test/resources/autoscan/diffs/diff_S1604.json index 80391c36f4a..d7014b21d17 100644 --- a/its/autoscan/src/test/resources/autoscan/diffs/diff_S1604.json +++ b/its/autoscan/src/test/resources/autoscan/diffs/diff_S1604.json @@ -1,6 +1,6 @@ { "ruleKey": "S1604", "hasTruePositives": true, - "falseNegatives": 2, + "falseNegatives": 666, "falsePositives": 0 -} \ No newline at end of file +} diff --git a/its/autoscan/src/test/resources/autoscan/diffs/diff_S1849.json b/its/autoscan/src/test/resources/autoscan/diffs/diff_S1849.json index 9248b185742..baeebc14f67 100644 --- a/its/autoscan/src/test/resources/autoscan/diffs/diff_S1849.json +++ b/its/autoscan/src/test/resources/autoscan/diffs/diff_S1849.json @@ -2,5 +2,5 @@ "ruleKey": "S1849", "hasTruePositives": true, "falseNegatives": 0, - "falsePositives": 0 -} \ No newline at end of file + "falsePositives": 66 +} From 75026ba46547cd3a02773a97f71965bf0827962f Mon Sep 17 00:00:00 2001 From: Tomasz Tylenda Date: Thu, 26 Mar 2026 11:05:29 +0100 Subject: [PATCH 4/6] Revert "Break some ruling goldens" This reverts commit 4d5222022ebdeaa7c34a3246904123a6fe19137d. --- .../src/test/resources/commons-beanutils/java-S1192.json | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/its/ruling/src/test/resources/commons-beanutils/java-S1192.json b/its/ruling/src/test/resources/commons-beanutils/java-S1192.json index ef98fd2fbff..33de8a56b2e 100644 --- a/its/ruling/src/test/resources/commons-beanutils/java-S1192.json +++ b/its/ruling/src/test/resources/commons-beanutils/java-S1192.json 
@@ -2,9 +2,14 @@ "commons-beanutils:commons-beanutils:src/main/java/org/apache/commons/beanutils2/BeanUtilsBean.java": [ 945 ], +"commons-beanutils:commons-beanutils:src/main/java/org/apache/commons/beanutils2/ConvertUtilsBean.java": [ +220 +], "commons-beanutils:commons-beanutils:src/main/java/org/apache/commons/beanutils2/PropertyUtilsBean.java": [ 292, 292, +1625, +1627, 1630 ] } From 56cb566426ca197525fe28dc0b1fc0a14b48dce1 Mon Sep 17 00:00:00 2001 From: Tomasz Tylenda Date: Thu, 26 Mar 2026 11:05:40 +0100 Subject: [PATCH 5/6] Revert "Break autoscan goldens" This reverts commit f48908ef0fc233170320e0953fcc67ac82fca9cf. --- .../src/test/resources/autoscan/diffs/diff_S1604.json | 4 ++-- .../src/test/resources/autoscan/diffs/diff_S1849.json | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/its/autoscan/src/test/resources/autoscan/diffs/diff_S1604.json b/its/autoscan/src/test/resources/autoscan/diffs/diff_S1604.json index d7014b21d17..80391c36f4a 100644 --- a/its/autoscan/src/test/resources/autoscan/diffs/diff_S1604.json +++ b/its/autoscan/src/test/resources/autoscan/diffs/diff_S1604.json @@ -1,6 +1,6 @@ { "ruleKey": "S1604", "hasTruePositives": true, - "falseNegatives": 666, + "falseNegatives": 2, "falsePositives": 0 -} +} \ No newline at end of file diff --git a/its/autoscan/src/test/resources/autoscan/diffs/diff_S1849.json b/its/autoscan/src/test/resources/autoscan/diffs/diff_S1849.json index baeebc14f67..9248b185742 100644 --- a/its/autoscan/src/test/resources/autoscan/diffs/diff_S1849.json +++ b/its/autoscan/src/test/resources/autoscan/diffs/diff_S1849.json @@ -2,5 +2,5 @@ "ruleKey": "S1849", "hasTruePositives": true, "falseNegatives": 0, - "falsePositives": 66 -} + "falsePositives": 0 +} \ No newline at end of file From 1aa08f90de37942ce09cd9159c3bb591df1b5427 Mon Sep 17 00:00:00 2001 
From: Tomasz Tylenda Date: Thu, 26 Mar 2026 11:20:13 +0100 Subject: [PATCH 6/6] Prevent injection --- .github/actions/upload-actual/action.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/actions/upload-actual/action.yml b/.github/actions/upload-actual/action.yml index 86b8e8a20b4..e7e5c4c6218 100644 --- a/.github/actions/upload-actual/action.yml +++ b/.github/actions/upload-actual/action.yml @@ -34,11 +34,12 @@ runs: IT_DIR: ${{ inputs.it-dir }} EXPECTED_DIR: ${{ inputs.expected-dir }} ACTUAL_DIR: ${{ inputs.actual-dir }} + NAME: ${{ inputs.name }} run: | cd "${IT_DIR}" mkdir -p target diff --unified --recursive --strip-trailing-cr "${EXPECTED_DIR}" "${ACTUAL_DIR}" > "target/test.diff" || true - npx diff2html-cli --input file --style side --file "target/diff_${{ inputs.name }}.html" -- "target/test.diff" + npx diff2html-cli --input file --style side --file "target/diff_${NAME}.html" -- "target/test.diff" - name: Upload Diff Report uses: actions/upload-artifact@v4
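Review bot: The rewritten `npx diff2html-cli ...` line still names the package without a version, so each failing run downloads and executes whatever the npm registry currently serves under that name on the CI runner; the unpinned call was introduced in PATCH 1/6 and is carried over here. Pin an exact, reviewed version, e.g. `npx --yes diff2html-cli@<PINNED_VERSION> --input file --style side --file "target/diff_${NAME}.html" -- "target/test.diff"`, or install it from a lockfile before this step. Moving `inputs.name` into `NAME` keeps the value out of the script text, and a short comment such as `# inputs are passed via env so they are never parsed as shell` above `run:` would keep later edits from reintroducing `${{ }}` there. The step's surrounding lines run past both ends of the hunk.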