Upgrade to SonarQube 10.7

.github/workflows/docker-image.yml

@@ -10,7 +10,7 @@ on:
 
 env:
   CODE: "PROJ1"
-  RULES: "+csharpsquid:S104;-ts:S1561;+Web:WhiteSpaceAroundCheck"
+  RULES: "+csharpsquid:S104;-typescript:S1301;+Web:UnclosedTagCheck"
 
 jobs:
   build:

.github/workflows/docker-release.yml

@@ -0,0 +1,37 @@
+---
+name: Publish container images to Docker Hub
+
+on: workflow_dispatch  # Only triggered manually, must be done from a semantic version tag
+
+jobs:
+  push_to_registry:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        include:
+          - env:
+              IMAGE_EDITION: community
+              IMAGE_SUFFIX:
+          - env:
+              IMAGE_EDITION: developer
+              IMAGE_SUFFIX: -developer
+    steps:
+      - uses: actions/checkout@v4
+
+      - id: semver
+        name: Ensure that selected tag is a semantic version
+        uses: matt-usurp/validate-semver@v2
+        with:
+          version: ${{ github.ref }}
+
+      - uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Package and push container to Docker Hub
+        if: ${{ github.ref_type == "tag" }}
+        run: |
+          export CONTAINER_TAG="${{ steps.semver.outputs.version }}${{ matrix.env.IMAGE_SUFFIX }}"
+          docker build --build-arg="IMAGE_EDITION=${{ matrix.env.IMAGE_EDITION }}" -t ictu/sonar:${CONTAINER_TAG} .
+          echo "Would run: docker push ictu/sonar:${CONTAINER_TAG}"

.github/workflows/helm-chart.yml

@@ -41,17 +41,26 @@ jobs:
 
       - name: Build and run chart
         run: |
-          docker build --build-arg="IMAGE_EDITION=${{ matrix.env.IMAGE_EDITION }}" -t ci .
+          docker build --build-arg="IMAGE_EDITION=${{ matrix.env.IMAGE_EDITION }}" -t ictu/sonar:ci-latest .
           eval $(minikube -p minikube docker-env)
+          minikube image load ictu/sonar:ci-latest
           kubectl apply -f helm/deploy-ci.yaml
           helm dependency build helm
-          helm upgrade --install --render-subchart-notes ictu-sonarqube helm
+          helm upgrade --set-json='sonarqube.elasticsearch.bootstrapChecks="false"' --set-json='sonarqube.image.tag="ci-latest"' --install --render-subchart-notes ictu-sonarqube helm
+
+      - name: Disable ES disk watermark checks
+        run: |
+          eval $(minikube -p minikube docker-env)
+          kubectl wait pod/ictu-sonarqube-sonarqube-0 --timeout=1m --for=jsonpath='{.status.phase}'=Running
+          kubectl logs -f pod/ictu-sonarqube-sonarqube-0 |& sed "/app\[\]\[o.s.a.SchedulerImpl\] Process\[es\] is up/ q"
+          kubectl exec pod/ictu-sonarqube-sonarqube-0 -- curl -s -XPUT "http://localhost:9001/_cluster/settings" -H "Content-Type: application/json" -d '{"transient":{"cluster.routing.allocation.disk.threshold_enabled":false}}'
+        timeout-minutes: 2
 
       - name: Wait for Sonar instance to start
         # profile for language 'web' is the last; assume everything is working if we got this far
         run: |
           eval $(minikube -p minikube docker-env)
-          kubectl wait --all pods --timeout=4m --for=condition=Ready
+          kubectl wait --all pods --timeout=5m --for=condition=Ready
           kubectl wait --all statefulsets --timeout=30s --for=jsonpath=status.availableReplicas=1
           kubectl logs -f pod/ictu-sonarqube-sonarqube-0 |& sed "/Current profile for language 'web' is 'Sonar way'/ q"
-        timeout-minutes: 5
+        timeout-minutes: 6

.github/workflows/helm-release.yml

@@ -1,5 +1,5 @@
 ---
-name: Release Helm chart
+name: Release Helm chart to Docker Hub
 
 on: workflow_dispatch  # Only triggered manually
 
@@ -9,8 +9,7 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
-      - name: Login to Docker Hub
-        uses: docker/login-action@v3
+      - uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}

CHANGELOG.md

@@ -2,10 +2,15 @@
 
 ## [Unreleased]
 
+## [10.7.0](https://github.com/ICTU/sonar/releases/tag/10.7.0) - 2024-11-14
+
 ### Added
 
 - Kubernetes Helm chart (#74).
 - Changelog with backdated changes (#72).
+- Update to [SonarQube version 10.7.0](https://www.sonarsource.com/products/sonarqube/whats-new/sonarqube-10-7/) (#80).
+- Update plugin `checkstyle/sonar-checkstyle` to [version 10.19.0](https://github.com/checkstyle/sonar-checkstyle/releases/tag/10.19.0) (#80).
+- Update plugin `spotbugs/sonar-findbugs` to [version 4.3.0](https://github.com/spotbugs/sonar-findbugs/releases/tag/4.3.0) (#80).
 
 ## [10.5.1](https://github.com/ICTU/sonar/releases/tag/10.5.1) - 2024-05-23
 

Dockerfile

@@ -1,5 +1,5 @@
 ARG IMAGE_NAME=sonarqube
-ARG IMAGE_VERSION=10.5.1
+ARG IMAGE_VERSION=10.7.0
 ARG IMAGE_EDITION=community
 
 FROM $IMAGE_NAME:$IMAGE_VERSION-$IMAGE_EDITION

MAINTENANCE.md

@@ -3,19 +3,17 @@
 
 ## Version upgrade workflow
 
-1. Update `Dockerfile`s with the new version of SonarQube
-1. Update external plugins in the [config.json](https://github.com/ICTU/sonar/blob/master/src/config.json)
-1. Create profiles based on the internal plugin versions in the [config.json](https://github.com/ICTU/sonar/blob/master/src/config.json)
+1. Update version spec in `Dockerfile`, `helm/Chart.yaml` and `helm/values.yaml` with the new version of SonarQube
+1. Update external plugins in the [config.json](https://github.com/ICTU/sonar/blob/master/src/config.json) with latest versions listed in their respective repository `/releases/` url
+1. Update profile versions based on the internal plugin versions in the [config.json](https://github.com/ICTU/sonar/blob/master/src/config.json)
     1. Obtain the base version numbers from the vanilla SonarQube image directory `/opt/sonarqube/lib/extensions`, excluding build number
     1. Update the configuration rules version number `rules_version` if the rules have been changed
-1. Create new version tags on GitHub
-    1. `MAJOR.MINOR.PATCH`
-    1. `MAJOR.MINOR.PATCH-developer`
-1. Build and push new images to docker hub with [CircleCI](https://app.circleci.com/pipelines/github/ICTU/sonar)
-1. Update helm `Chart.yaml` with the new chart versions, corresponding with the new `appVersion`
-1. Update the helm `values.yaml` with the new `ictu/sonar` image tag
-1. Push the new chart as OCI artifact to docker hub `ictu/ictu-sonarqube`, with the GitHub action
-
+1. Check for any runtime errors and warnings in the container logs
+1. Create new version tag on GitHub, following semantic versioning as: `MAJOR.MINOR.PATCH`
+1. Build and push new container images to Docker Hub `ictu/sonar`, with the [docker release GitHub action](https://github.com/ICTU/sonar/actions/workflows/docker-release.yml)
+1. Push the updated helm chart as OCI artifact to Docker Hub `ictu/ictu-sonarqube`, with the [helm release GitHub action](https://github.com/ICTU/sonar/actions/workflows/helm-release.yml)
+1. Update the `CHANGELOG.md` with new version information and move `[Unreleased]` items to new version section
+1. Update the Docker Hub overview pages if `README.md` content has changed
 
 ## Adding plugins
 

README.md

@@ -20,12 +20,12 @@ Add a list of semicolon separated rule ids to be enabled or disabled to the envi
 Example to explicitly enable (+) a C# rule and disable (-) a TypeScript rule:
 
     PROJECT_CODE=PROJ1
-    PROJECT_RULES=+csharpsquid:S104;-ts:S1561
+    PROJECT_RULES=+csharpsquid:S104;-typescript:S1301
 
 It is also possible to adjust individual rule parameter values:
 
     PROJECT_CODE=PROJ1
-    PROJECT_RULES=+csharpsquid:S110|max=6;-ts:S1561
+    PROJECT_RULES=+csharpsquid:S110|max=6;-typescript:S1301
 
 
 ## Running with PostgreSQL via a Docker-composition

docker/docker-compose.ci.yml

@@ -9,7 +9,7 @@ services:
       SONAR_JDBC_PASSWORD: "sonar_pass"
       SONARQUBE_PASSWORD: "admin123"
       PROJECT_CODE: "PROJ1"
-      PROJECT_RULES: "+csharpsquid:S104;-ts:S1561;+Web:WhiteSpaceAroundCheck"
+      PROJECT_RULES: "+csharpsquid:S104;-typescript:S1301;+Web:UnclosedTagCheck"
 
   db:
     environment:

helm/Chart.yaml

@@ -1,8 +1,8 @@
 ---
 apiVersion: v2
 name: ictu-sonarqube
-version: 10.5.1
-appVersion: "10.5.1"
+version: 10.7.0
+appVersion: "10.7.0"
 description: A SonarQube helm chart with plugins, profiles and config used at ICTU
 type: application
 home: https://github.com/ICTU/sonar
@@ -11,5 +11,5 @@ dependencies:
     version: 15.5.38  # this corresponds with appVersion 16.4.0, upstream sonarqube helm chart uses version 10.15.0
     repository: https://charts.bitnami.com/bitnami  # https://github.com/bitnami/charts/blob/main/bitnami/postgresql/Chart.yaml
   - name: sonarqube
-    version: 10.5.1
+    version: 10.6.0
     repository: https://SonarSource.github.io/helm-chart-sonarqube  # https://github.com/SonarSource/helm-chart-sonarqube/blob/master/charts/sonarqube/Chart.yaml

helm/values.yaml

@@ -31,7 +31,7 @@ postgresql:
 sonarqube:
   image:
     repository: ictu/sonar
-    tag: "10.5.1"
+    tag: "10.7.0"
     pullPolicy: IfNotPresent
   jdbcOverwrite:
     enable: true

src/config.json

@@ -1,11 +1,10 @@
 {
-  "rules_version": 20231222,
   "plugins": [
-    "https://github.com/checkstyle/sonar-checkstyle/releases/download/10.16.0/checkstyle-sonar-plugin-10.16.0.jar",
+    "https://github.com/checkstyle/sonar-checkstyle/releases/download/10.19.0/checkstyle-sonar-plugin-10.19.0.jar",
     "https://github.com/dependency-check/dependency-check-sonar-plugin/releases/download/5.0.0/sonar-dependency-check-plugin-5.0.0.jar",
     "https://github.com/sbaudoin/sonar-ansible/releases/download/v2.5.1/sonar-ansible-plugin-2.5.1.jar",
     "https://github.com/sbaudoin/sonar-yaml/releases/download/v1.9.1/sonar-yaml-plugin-1.9.1.jar",
-    "https://github.com/spotbugs/sonar-findbugs/releases/download/4.2.9/sonar-findbugs-plugin-4.2.9.jar",
+    "https://github.com/spotbugs/sonar-findbugs/releases/download/4.3.0/sonar-findbugs-plugin-4.3.0.jar",
     "https://github.com/vaulttec/sonar-auth-oidc/releases/download/v2.1.1/sonar-auth-oidc-plugin-2.1.1.jar"
   ],
   "profiles": {
@@ -16,41 +15,42 @@
     },
     "cs": {
       "plugin_name": "csharp-plugin",
-      "version": "cs-profile-v9.23.2"
+      "version": "cs-profile-v9.32.0"
     },
     "java": {
       "plugin_name": "java-plugin",
-      "version": "java-profile-v7.33.0"
+      "version": "java-profile-v8.2.0"
     },
     "js": {
       "plugin_name": "javascript-plugin",
-      "version": "js-profile-v10.13.2"
+      "version": "js-profile-v10.16.0"
     },
     "kotlin": {
       "plugin_name": "kotlin-plugin",
       "version": "kotlin-profile-v2.20.0"
     },
     "py": {
       "plugin_name": "python-plugin",
-      "version": "py-profile-v4.17.0"
+      "version": "py-profile-v4.22.0"
     },
     "swift": {
       "plugin_name": "swift-plugin",
       "version": "swift-profile-v4.12.0"
     },
     "ts": {
       "plugin_name": "javascript-plugin",
-      "version": "js-profile-v10.13.2"
+      "version": "js-profile-v10.16.0"
     },
     "vbnet": {
       "plugin_name": "vbnet-plugin",
-      "version": "vbnet-profile-v9.23.2"
+      "version": "vbnet-profile-v9.32.0"
     },
     "web": {
       "plugin_name": "html-plugin",
-      "version": "web-profile-v3.15.0"
+      "version": "web-profile-v3.16.0"
     }
   },
+  "rules_version": 20231222,
   "rules": {
     "cs": [
       "+types=SECURITY_HOTSPOT,VULNERABILITY",

src/start-with-profile.sh

@@ -21,12 +21,13 @@ function waitForDatabase {
         echo "Only PostgreSQL databases are supported"
         return
     fi
-    echo "Waiting for database connection on ${host}:${port}"
+    local pg_connect_params
+    pg_connect_params="-h ${host} -p ${port} ${SONAR_JDBC_USERNAME:+-U "$SONAR_JDBC_USERNAME"} -d $(basename "${SONAR_JDBC_URL%%\?*}")"
+    echo "Waiting for database connection with pg connect params '${pg_connect_params}'"
     local count=0
     local sleep=5
     local timeout=${DB_START_TIMEOUT:-60}
-    until pg_isready -h "${host}" -p "${port}" ${SONAR_JDBC_USERNAME:+-U "$SONAR_JDBC_USERNAME"}
-    do
+    until pg_isready ${pg_connect_params} ; do
         if [[ count -gt timeout ]]; then
             echo "ERROR: Failed to start database within ${timeout} seconds"
             exit 1
@@ -37,6 +38,13 @@ function waitForDatabase {
         count=$((count+sleep))
     done
     echo "Database listening on ${host}:${port}"
+
+    # Reset all plugin hashes to trigger a full reindex of ElasticSearch data, so coding_rules are indexed correctly
+    # Underlying bug should be fixed in 10.8 release, see also:
+    #     - https://community.sonarsource.com/t/rules-not-registered-and-index-correctly-after-upgrade-to-10-7/128030
+    #     - https://sonarsource.atlassian.net/browse/SONAR-23466
+    echo "Forcing ElasticSearch full reindex of rules, due to bug in version 10.7.0"
+    PGPASSWORD=${SONAR_JDBC_PASSWORD} psql ${pg_connect_params} -c "UPDATE PLUGINS SET FILE_HASH = ''"
 }
 
 # Wait until SonarQube is operational

tests/test_functional.py

@@ -42,7 +42,7 @@ def test_sonar_way_profile_remains(self):
     @skipUnless(PROJECT_RULES, "PROJECT_RULES was not passed")
     def test_project_override_profile(self):
         """Check that overridden rule activation is applied."""
-        overridden_key = "Web:WhiteSpaceAroundCheck"
+        overridden_key = "Web:UnclosedTagCheck"
         self.assertTrue(any([rule_line == f"+{overridden_key}" for rule_line in PROJECT_RULES.split(";")]))
 
         version_profile = f"ictu-{self.config_json['profiles']['web']['version']}-{self.config_json['rules_version']}"