Update sonar evidence example

.github/workflows/sonar-evidence-example.yml

@@ -6,8 +6,8 @@ on:
     branches:
       - CCS-2-Additional_evidence_examples
   pull_request:
-      branches:
-        - CCS-2-Additional_evidence_examples
+    branches:
+      - CCS-2-Additional_evidence_examples
 permissions:
   id-token: write
   contents: read
@@ -25,56 +25,30 @@ jobs:
           echo "Job name: $GITHUB_JOB"
 
       - name: Install jfrog cli
-        id:   setup-cli
+        id: setup-cli
         uses: jfrog/setup-jfrog-cli@v4
         env:
           JF_URL: ${{ vars.ARTIFACTORY_URL }}
         with:
-         oidc-provider-name: jfrog-github-oidc
+          oidc-provider-name: jfrog-github-oidc
+          version: latest
 
       - uses: actions/checkout@v4
 
-      - name: Install SonarQube Scanner
-        run: |          
-          curl -sL  -sSLo sonar-scanner.zip  https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-6.2.1.4610.zip
-          unzip sonar-scanner.zip
-          export PATH=$PATH:$PWD/sonar-scanner-6.2.1.4610/bin
-          pwd
-          ls -l $PWD/sonar-scanner-6.2.1.4610/bin/
-          echo "$PWD/sonar-scanner-6.2.1.4610/bin"
-      - name: Set up JDK 17
-        uses: actions/setup-java@v4
-        with:
-          java-version: '21' # Specify the desired Java version here
-          distribution: 'temurin' # You can also use 'temurin', 'zulu', etc.
-
-      - name: Run SonarScanner
-        id: run-sonar-scanner
+      - name: Sonar scan
+        uses: SonarSource/sonarqube-scan-action@v5
+        continue-on-error: true  # Don't fail build on SonarCloud quality gate issues
         env:
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-        run: |
-          $PWD/sonar-scanner-6.2.1.4610/bin/sonar-scanner \
-            -Dsonar.projectKey=test-evidence \
-            -Dsonar.organization=my-evidence-test-org \
-            -Dsonar.host.url=https://sonarcloud.io \
-            -Dsonar.java.jdkHome=$JAVA_HOME \
-            -Dsonar.verbose=true \
-            -Dsonar.token=$SONAR_TOKEN
-          # create evidence from sonar-scan analysis
-          set +e
-          # --FailOnAnalysisFailure causes a failure on gateway-failed sonar analysis 
-          ./examples/sonar-scan/bin/sonar-scan-extractor-linux-amd64  --reportTaskFile=$PWD/.scannerwork/report-task.txt > predicate.json
-          EXIT_CODE=$?
-          set -e          
-          # write the exit code to the github output so that it can be used in the evidence creation step
-          echo "------predicate.json------"
-          cat predicate.json
-          echo "------sonar-scan.log------"
-          cat sonar-scan.log
-          echo "------EXIT------"
-          echo "create-sonar-evidence=$EXIT_CODE" 
-          echo "create-sonar-evidence=$EXIT_CODE" >> $GITHUB_OUTPUT 
-
+        with:
+          args: >
+            -Dsonar.projectKey=my-evidence-test-org1_evidence-example
+            -Dsonar.organization=my-evidence-test-org1
+            -Dsonar.projectBaseDir=examples/sonar-scan
+            -Dsonar.sources=.
+            -Dsonar.inclusions=**/*.go
+            -Dsonar.java.jdkHome=$JAVA_HOME
+            -Dsonar.verbose=true
 
       - name: Log in to Artifactory Docker Registry
         uses: docker/login-action@v3
@@ -109,14 +83,14 @@ jobs:
           jf rt build-publish         
 
       - name: Create evidence
-        if: ${{ steps.run-sonar-scanner.outputs.create-sonar-evidence == 0 }}
-        run: |            
+        env:
+          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+          SONAR_REPORT_TASK_FILE: ${{ github.workspace }}/examples/sonar-scan/.scannerwork/report-task.txt
+        run: |
           # Attach evidence onto build using JFrog CLI                
           jf evd create \
+            --integration sonar \
             --build-name $GITHUB_WORKFLOW \
             --build-number "${{ github.run_number }}" \
-            --predicate ./predicate.json \
-            --predicate-type https://jfrog.com/evidence/sonar-scan/v1 \
-            --provider-id "sonar" \
-            --key "${{ secrets.JIRA_TEST_PKEY }}" \
-            --key-alias ${{ vars.JIRA_TEST_KEY }}
+            --key "${{ secrets.EVIDENCE_SIGNING_KEY }}" \
+            --key-alias "${{ vars.EVIDENCE_PUBLIC_KEY_ALIAS }}" 

examples/sonar-scan/README.md

@@ -1,61 +1,75 @@
-# Create Sonar Scan Evidence predicate from the build CI and attach it to the build info
-Sonar is a code scanning tool that helps to identify bugs, vulnerabilities, and code smells in your code. 
-It is important to track the code quality and security of the code changes done and released. 
-To allow automation of proper code quality and security checks, we create an evidence of the Sonar scan results
-during the build with confirmation that the code quality and security checks passed before the code was committed.
-using the `FailOnAnalysisFailure` argument the customer can decide if to create the sonar scan evidence if the scan did not pass 
-sonar quality gates, or fail the predicate creation with exist status 1.
-If the Analysis status is not 'OK', but `FailOnAnalysisFailure` was not set, then the predicate is created with analysis.status = 'ERROR' which 
-should be checked using a policy.
-
-## Environment variables
-- `SONAR_TOKEN` - The sonar server token.
-- `SONAR_TYPE` - Should be Either SAAS or SELFHOSTED, defaulting to SAAS.
-- `SONAR_HOST_URL` - The sonar server host name, for example https://mysonar.mycorp.com, for example sonar.myconpany.org. required for SELFHOSTED type, if not provided for SAAS type sonarcloud.io is used as default.
-- `SONAR_PROXY_URL` - The proxy server URL, in the format of http://your-proxy-server:port. or https://username:password@your-proxy-server:port
-
-## Arguments
-`--reportTaskFile=<path>` - The path to the sonar report task file.
-`--FailOnAnalysisFailure` - Fail with exit code 1 if the sonar analysis failed in sonar quality gate.
-`--WaitTime=<seconds>` - between sonar analysis results checks>
-`--MaxRetries=<number>` - The maximum number of retries to check the sonar analysis results.
-`--UseProxy` - Use a proxy server URL, requires PROXY_URL environment variable to be set.
-
-## The example is based on the following steps:
-1. set sonar token as an environment variable
-2. call sonar scan
-for example:
-``
-$PWD/sonar-scanner-6.2.1.4610/bin/sonar-scanner \
-            -Dsonar.projectKey=my-sonar-project-key \
-            -Dsonar.organization=my-sonar-org \
-            -Dsonar.host.url=https://sonarcloud.io \
-            -Dsonar.java.jdkHome=$JAVA_HOME \
-            -Dsonar.verbose=true \
-            -Dsonar.token=$SONAR_TOKEN
-``
-3. call the jira-transition-checker utility (use the binary for your build platform) with these arguments: "transition name" JIRA-ID [,JIRA-ID]
-for example:
- ``./examples/sonar-scan/bin/sonar-scan-extractor-linux-amd64  --reportTaskFile=$PWD/.scannerwork/report-task.txt --FailOnAnalysisFailure > predicate.json
-``               
-4. call the evidence create cli with the predicate.json file
-for example:
-``
-jf evd create \
-            --build-name $GITHUB_WORKFLOW \
-            --build-number "${{ github.run_number }}" \
-            --predicate ./predicate.json \
-            --predicate-type https://jfrog.com/evidence/sonar-scan/v1 \
-            --provider-id "sonar" \
-            --key "${{ secrets.JIRA_TEST_PKEY }}" \
-            --key-alias ${{ vars.JIRA_TEST_KEY }}
-``
-
-## Additional considerations
-```plaintext
-It is advised to decide if to create an evidence with sonar analysis failure scan or refrain from creating the evidence.
-to create the evidence with an analysis gateway failure content, do **not** add the `--FailOnAnalysisFailure` argument.
-
-to refrain from creating the evidence with an analysis gateway failure content, add the `--FailOnAnalysisFailure` argument.
-then check the exit code of the script and decide if to create the evidence or not.
-```
+## Sonar evidence creation
+
+This example shows how to create and attach Sonar analysis evidence using the JFrog CLI.
+
+### Prerequisites
+- SONAR_TOKEN: SonarCloud/SonarQube token.
+- A completed Sonar scan that produced a `report-task.txt` file.
+
+### Default report-task.txt discovery
+When you run:
+```bash
+jf evd create --integration sonar
+```
+the tool auto-detects the Sonar task file using these paths (in order):
+- target/sonar/report-task.txt (Maven)
+- build/sonar/report-task.txt (Gradle)
+- .scannerwork/report-task.txt (CLI scanner)
+- .sonarqube/out/.sonar/report-task.txt (MSBuild)
+
+If the file is not found, configure its location via YAML or env var (see below).
+
+### Minimal workflow step (example)
+```yaml
+- name: Create evidence
+  env:
+    SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+  run: |
+    jf evd create \
+      --build-name $GITHUB_WORKFLOW \
+      --build-number "${{ github.run_number }}" \
+      --key "${{ secrets.SIGNING_KEY }}" \
+      --key-alias ${{ vars.SIGNING_KEY_ALIAS }} \
+      --integration sonar
+```
+
+### Configuration
+You can configure the integration via YAML or environment variables. YAML keys have 1:1 env equivalents.
+
+1) YAML: .jfrog/evidence/evidence.yml
+```yaml
+sonar:
+  url: https://sonarcloud.io
+  reportTaskFile: .scannerwork/report-task.txt
+  pollingMaxRetries: 30
+  pollingRetryIntervalMs: 5000
+```
+
+2) Environment variables
+- SONAR_URL
+- SONAR_REPORT_TASK_FILE
+- SONAR_POLLING_MAX_RETRIES
+- SONAR_POLLING_RETRY_INTERVAL_MS
+
+### Parameters reference
+Evidence creation:
+
+- --integration sonar
+  - Selects the Sonar integration.
+
+Sonar resolution (via YAML/env):
+
+- sonar.url / SONAR_URL
+  - Sonar base URL. By default url is parsed from report-task.txt. If not found there, defaults to https://sonarcloud.io.
+
+- sonar.reportTaskFile / SONAR_REPORT_TASK_FILE
+  - Path to report-task.txt. If omitted, auto-detection (see order above) is used.
+
+- sonar.pollingMaxRetries / SONAR_POLLING_MAX_RETRIES
+  - Maximum polling attempts to wait for analysis results.
+
+- sonar.pollingRetryIntervalMs / SONAR_POLLING_RETRY_INTERVAL_MS
+  - Milliseconds to wait between polling attempts.
+
+### Behavior
+Evidence is created for both successful and failed Sonar analyses (including failed quality gates).