Merge pull request #42 from ConnorDY/update-sonar-scanner

Update Sonar-Scanner image and add NodeJS package to support scanning JavaScript projects
boozallen · May 5, 2022 · 3dfd0b5 · 3dfd0b5
2 parents 984791f + 940464f
commit 3dfd0b5
Show file tree

Hide file tree

Showing 4 changed files with 27 additions and 14 deletions.
diff --git a/.gitignore b/.gitignore
@@ -4,3 +4,7 @@ jenkinsfile-runner/resources/target
 jenkinsfile-runner/prebuild/dependencies
 jenkinsfile-runner/prebuild/*.tar.gz
 jenkinsfile-runner/.jfr
+
+# Sonar-Scanner
+sonar-scanner/prebuild/dependencies
+sonar-scanner/prebuild/*.tar.gz
diff --git a/sonar-scanner/Dockerfile b/sonar-scanner/Dockerfile
@@ -3,65 +3,74 @@
 
 ARG BASE_REGISTRY=registry.access.redhat.com
 ARG BASE_IMAGE=ubi8/ubi
-ARG BASE_TAG=8.3
+ARG BASE_TAG=8.5
 FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
+ARG SONAR_SCANNER_VERSION=4.7.0.2747
+ARG NODEJS_VERSION=16
 
 
 ### Required Atomic/OpenShift Labels - https://github.com/projectatomic/ContainerApplicationGenericLabels
 LABEL name="Solutions Delivery Platform: Sonar Scanner" \
       maintainer="[email protected]" \
       vendor="Booz Allen Hamilton" \
-      version="4.5.0.2216" \
-      release="4.5.0.2216" \
+      version="$SONAR_SCANNER_VERSION" \
+      release="$SONAR_SCANNER_VERSION" \
       summary="A sonar-scanner container used by the SonarQube library of the Solutions Delivery Platform" \
       description="A sonar-scanner container used by the SonarQube library of the Solutions Delivery Platform"
 
-### add licenses to this directory
+### Add licenses to this directory
 COPY LICENSE /licenses
 
 ### Using yum as root user
 USER root
+
 ### Install packages
-RUN INSTALL_PKGS="java-1.8.0-openjdk curl grep sed which" && \
-    yum clean all &&\
+RUN INSTALL_PKGS="java-11-openjdk nodejs curl grep sed which" && \
+    yum -y module enable nodejs:$NODEJS_VERSION && \
+    yum clean all && \
     yum --disableplugin=subscription-manager -y update-minimal --setopt=tsflags=nodocs \
         --security && \
     yum --disableplugin=subscription-manager -y install --setopt=tsflags=nodocs ${INSTALL_PKGS}
 
-### define necessary variables like PATH to application
+### Define necessary variables like PATH to application
 ARG SDP_BUILD_DEPENDENCY_VERSION=dcar-2.0
-ARG SONAR_SCANNER_VERSION=4.6.2.2472
 ENV SONAR_SCANNER_FILE=sonar-scanner-${SONAR_SCANNER_VERSION}-linux
 ENV TARBALL=sonar-scanner-dependencies-${SDP_BUILD_DEPENDENCY_VERSION}
 ENV user=sonarscanner
 ENV SONAR_RUNNER_HOME=/usr/share/${SONAR_SCANNER_FILE}
 ENV PATH $PATH:/usr/share/${SONAR_SCANNER_FILE}/bin
 
 ### Install Sonar Scanner
+### NOTE: FOR BUILDING LOCALLY WITHOUT A TARBALL, DETERMINE WHERE FILES WILL BE LOCATED AND POINT THE COPY AND RUN COMMANDS TO THE NEW LOCATION ACCORDINGLY
 RUN mkdir /root/tmp
 RUN curl -sSLo /root/tmp/${TARBALL}.tar.gz https://github.com/boozallen/sdp-images/releases/download/${SDP_BUILD_DEPENDENCY_VERSION}/${TARBALL}.tar.gz
 #COPY prebuild/${TARBALL}.tar.gz /root/tmp/${TARBALL}.tar.gz
 
 COPY prebuild/BAH-public.key /root/tmp/.
 COPY prebuild/${TARBALL}.sig /root/tmp/.
 COPY prebuild/${TARBALL}.sha256 /root/tmp/.
+
 # Check authenticity of tarball using gpg and unpack tarball
 RUN cd /root/tmp/ && gpg --import BAH-public.key
 RUN cd /root/tmp/ && gpg --verify ${TARBALL}.sig ${TARBALL}.tar.gz
 RUN cd /root/tmp/ && echo "$(cat ${TARBALL}.sha256) ${TARBALL}.tar.gz" | sha256sum --check --status
 RUN cd /root/tmp && tar -xzf ${TARBALL}.tar.gz
+
 # Move Sonar Scanner to a permenant folder and copy the properties file into the necessary location
 RUN cd /root/tmp/dependencies/sonar-scanner/ && mv ${SONAR_SCANNER_FILE} /usr/share/
 COPY sonar-runner.properties /usr/share/${SONAR_SCANNER_FILE}/conf/sonar-scanner.properties
-# ensure Sonar uses the provided Java for must instead of a borked glibc one
+
+# Ensure Sonar uses the provided Java for must instead of a borked glibc one
 RUN sed -i 's/use_embedded_jre=true/use_embedded_jre=false/g' /usr/share/${SONAR_SCANNER_FILE}/bin/sonar-scanner && \
     useradd -ms /bin/bash ${user}                                           && \
     chown -R ${user}:${user} /usr/share/sonar-scanner-${SONAR_SCANNER_VERSION}-linux
 
 # Switch to non-root user
 USER ${user}
+
 # Use a health check to determine status of container once operational
 HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 CMD which sonar-scanner
+
 # Use bash if you want to run the environment from inside the shell, otherwise use the command that actually runs the underlying stuff
 #CMD /bin/bash
 CMD sonar-scanner
diff --git a/sonar-scanner/Makefile b/sonar-scanner/Makefile
@@ -1,7 +1,7 @@
 OWNER    = boozallen
 REPO     = sdp-images
 IMAGE    = sonar-scanner
-VERSION  = 4.6.2.2472
+VERSION  = 4.7.0.2747
 
 REGISTRY = docker.pkg.github.com/$(OWNER)/$(REPO)
 TAG      = $(REGISTRY)/$(IMAGE):$(VERSION)
@@ -28,8 +28,8 @@ push: ## builds and publishes container image
 
 build-dep: ## build container dependencies
 	$(eval dir := $(shell pwd))
-	docker run -u root -it -v $(dir)/prebuild:/root/prebuild:z registry.access.redhat.com/ubi8/ubi:8.3 /root/prebuild/pull-from-ubi.sh
-	docker run -u root -it -v $(dir)/prebuild:/root/prebuild:z registry.access.redhat.com/ubi8/ubi:8.3 /root/prebuild/build-dep.sh
+	docker run -u root -it -v $(dir)/prebuild:/root/prebuild:z registry.access.redhat.com/ubi8/ubi:8.5 /root/prebuild/pull-from-ubi.sh
+	docker run -u root -it -v $(dir)/prebuild:/root/prebuild:z registry.access.redhat.com/ubi8/ubi:8.5 /root/prebuild/build-dep.sh
 
 info:
 	@echo "$(TAG) -> $$(dirname $$(git ls-files --full-name Makefile))"

diff --git a/sonar-scanner/prebuild/pull-from-ubi.sh b/sonar-scanner/prebuild/pull-from-ubi.sh
@@ -2,15 +2,15 @@
 
 set -xe
 
-SONAR_SCANNER_VERSION=4.6.2.2472
+SONAR_SCANNER_VERSION=4.7.0.2747
 
 rm -rf /root/prebuild/dependencies
 mkdir -p /root/prebuild/dependencies/sonar-scanner
 
 file=sonar-scanner-${SONAR_SCANNER_VERSION}-linux.zip
 curl --create-dirs --insecure -sSLo /root/prebuild/dependencies/sonar-scanner/${file} https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-${SONAR_SCANNER_VERSION}-linux.zip
 
-INSTALL_PKGS="java-1.8.0-openjdk-devel curl grep unzip sed which" && \
+INSTALL_PKGS="java-11-openjdk-devel curl grep unzip sed which" && \
     yum clean all && \
     yum --disablerepo unified_platform_ubi8_appstream --disablerepo unified_platform_ubi8_os --disableplugin=subscription-manager -y update-minimal --setopt=tsflags=nodocs \
         --security --sec-severity=Important --sec-severity=Critical && \