feat: add sso plugin to plugin image. (#33)

* feat: add sso plugin to plugin image.

Signed-off-by: kychen <[email protected]>

* fix: update Dockerfile and build.gradle dependencies for compatibility

- Updated JRE image version in Dockerfile to use '17.0.16_8-jre-ubi10-minimal'.
- Upgraded sonar-java-symbolic-execution-plugin, sonar-javascript-plugin, and sonar-iac plugins to their latest versions in build.gradle for improved functionality and security.

* fix: update Dockerfile to use ARG for dependency versions

- Replaced hardcoded dependency versions with ARG variables for netty and bouncycastle in Dockerfile.
- This change improves maintainability and allows for easier updates in the future.

---------

Signed-off-by: kychen <[email protected]>

Author: kycheng

.tekton/build-image.yaml

@@ -27,6 +27,9 @@ spec:
         url: "{{ repo_url }}"
         branch: "{{ source_branch }}"
         commit: "{{ revision }}"
+        pull-request-number: "{{ pull_request_number }}"
+        pull-request-source: "{{ source_branch }}"
+        pull-request-target: "{{ target_branch }}"
     - name: clean-cache
       value: "{{ clean-cache }}"
 

.tekton/build-testing-base-image.yaml

@@ -27,6 +27,8 @@ spec:
       value: "{{ source_branch }}"
     - name: git-commit
       value: "{{ revision }}"
+    - name: pull-request-number
+      value: "{{ pull_request_number }}"
 
     - name: image-repository
       value: build-harbor.alauda.cn/devops/sonarqube-ce-test-base

.tekton/integration-test.yaml

@@ -46,6 +46,9 @@ spec:
         url: "{{ repo_url }}"
         branch: "{{ source_branch }}"
         commit: "{{ revision }}"
+        pull-request-number: "{{ pull_request_number }}"
+        pull-request-source: "{{ source_branch }}"
+        pull-request-target: "{{ target_branch }}"
     - name: build-test-image
       value:
         image-repository: build-harbor.alauda.cn/devops/sonarqube-ce-test

.tekton/pipeline/sonar-image-build.yaml

@@ -14,12 +14,26 @@ spec:
       description: "Workspace for cache files"
   params:
     - name: git-revision
-      description: Git revision object with url, branch, commit, and pull-request-number.
+      description: |
+        Git revision object with url, branch, commit, and pull request information.
+        * url: The url of the git repository
+        * branch: The source branch of the git repository
+        * commit: The commit of the git repository
+        * pull-request-number: The pull request number
+        * pull-request-source: The source branch of the pull request
+        * pull-request-target: The target branch of the pull request
       type: object
       properties:
-        url: {}
-        branch: {}
-        commit: {}
+        url: { type: string }
+        branch: { type: string }
+        commit: { type: string }
+        pull-request-number: {} # Pull request number.
+        pull-request-source: {} # Pull request source.
+        pull-request-target: {} # Pull request target branch.
+      default:
+        pull-request-number: ""
+        pull-request-source: ""
+        pull-request-target: ""
     - name: image-scan-gate-enabled
       description: Determine whether to skip the image scan step
       type: string
@@ -40,6 +54,8 @@ spec:
           value: $(params.git-revision.branch)
         - name: depth
           value: 1
+        - name: pr-number
+          value: $(params.git-revision.pull-request-number)
       taskRef:
         resolver: hub
         params:
@@ -327,6 +343,12 @@ spec:
           workspace: source
         - name: basic-auth
           workspace: basic-auth
+      when:
+        - input: $(params.git-revision.pull-request-number)
+          operator: in
+          values:
+            - ""
+            - " "
       params:
         - name: BASE_IMAGE
           value: registry.alauda.cn:60080/devops/nonroot/chainguard/git:latest

.tekton/pr-manage.yaml

@@ -0,0 +1,72 @@
+apiVersion: tekton.dev/v1
+kind: PipelineRun
+metadata:
+  name: pr-manage
+  annotations:
+    pipelinesascode.tekton.dev/pipeline: "https://raw.githubusercontent.com/AlaudaDevops/toolbox/main/pr-cli/pipeline/pr-manage.yaml"
+    pipelinesascode.tekton.dev/on-comment: "^/(help|rebase|lgtm|remove-lgtm|cherry-?pick|assign|merge|ready|unassign|label|unlabel|check|retest|close|batch)($|\\s.*)"
+    pipelinesascode.tekton.dev/max-keep-runs: "5"
+spec:
+  pipelineRef:
+    name: pr-manage
+  params:
+    - name: trigger_comment
+      value: "{{ trigger_comment }}"
+    - name: repo_owner
+      value: "{{ repo_owner }}"
+    - name: repo_name
+      value: "{{ repo_name }}"
+    - name: pull_request_number
+      value: "{{ pull_request_number }}"
+    - name: comment_sender
+      value: "{{ sender }}"
+    - name: git_auth_secret
+      value: "{{ git_auth_secret }}"
+    #
+    # Optional parameters (value is the default):
+    #
+    # The key in git_auth_secret that contains the token (default: git-provider-token)
+    # - name: git_auth_secret_key
+    #   value: "git-provider-token"
+    #
+    # Container image for pr-cli tool (default: registry.alauda.cn:60070/devops/toolbox/pr-cli:latest)
+    # - name: image
+    #   value: "registry.alauda.cn:60070/devops/toolbox/pr-cli:latest"
+    #
+    # The /lgtm threshold needed of approvers for a PR to be approved (default: 1)
+    # - name: lgtm_threshold
+    #   value: "1"
+    #
+    # The permissions the user need to trigger a lgtm (default: admin,write)
+    # - name: lgtm_permissions
+    #   value: "admin,write"
+    #
+    # The review event when lgtm is triggered, can be APPROVE,
+    # REQUEST_CHANGES, or COMMENT if setting to empty string it will be set as
+    # PENDING (default: APPROVE)
+    # - name: lgtm_review_event
+    #   value: "APPROVE"
+    #
+    # The merge method to use. Can be one of: merge, squash, rebase (default: squash)
+    # - name: merge_method
+    #   value: "squash"
+    #
+    # The name used for self-check status (default: pr-manage)
+    # - name: self_check_name
+    #   value: "pr-manage"
+    #
+    # Enable debug mode (skip validation, allow PR creator self-approval) (default: false)
+    # - name: debug
+    #   value: "false"
+    #
+    # Enable verbose logging (debug level logs) (default: false)
+    # - name: verbose
+    #   value: "false"
+    #
+    # The platform to use, can be one of: github, gitlab, gitee (default: github)
+    # - name: platform
+    #   value: "github"
+    #
+    # The robot accounts for managing bot approval reviews.
+    # - name: robot_accounts
+    #   value: "alaudabot,dependabot,renovate"

chart/values.yaml

@@ -7,14 +7,14 @@ global:
     sonarqube:
       code: github.com/AlaudaDevops/docker-sonarqube
       repository: devops/sonarqube
-      tag: v2025.1.0-gbfb64f0
+      tag: v2025.1.0-g59d27f1
       support_arm: true
       thirdparty: true
       digest: sha256:bd8aa76c68de359ef5495dafa155fe98b12009a82ad01bb10325226fd3f6b4be
     pluginPackage:
       code: github.com/AlaudaDevops/docker-sonarqube
       repository: devops/sonarqube-plugins
-      tag: v2025.1.0-gbfb64f0
+      tag: v2025.1.0-g59d27f1
       support_arm: true
       thirdparty: true
       digest: sha256:565500e7f0acfb7da4693eaf49b24629dc1fcd7cc6ca4571809c794959d0c0d8

image/community-build/Dockerfile

@@ -32,16 +32,20 @@ RUN set -eux \
   && chmod -R 550 /data/sonarqube \
   && chmod -R 770 /data/sonarqube/data /data/sonarqube/extensions /data/sonarqube/logs /data/sonarqube/temp
 
-# COPY --chown=sonarsource:sonarsource image/community-build/apply-jar-patch.sh /tmp/apply-jar-patch.sh
-# # renovate: datasource=maven depName=json-smart lookupName=net.minidev:json-smart
-# ARG JSON_SMART_VERSION=2.5.2
-# # renovate: datasource=maven depName=netty-handler lookupName=io.netty:netty-handler
-# ARG NETTY_HANDLER_VERSION=4.1.123.Final
-# RUN set -eux \
-#   && curl -o /data/patches/json-smart-${JSON_SMART_VERSION}.jar https://repo1.maven.org/maven2/net/minidev/json-smart/${JSON_SMART_VERSION}/json-smart-${JSON_SMART_VERSION}.jar \
-#   && curl -o /data/patches/netty-handler-${NETTY_HANDLER_VERSION}.jar https://repo1.maven.org/maven2/io/netty/netty-handler/${NETTY_HANDLER_VERSION}/netty-handler-${NETTY_HANDLER_VERSION}.jar \
-#   && chmod +x /tmp/apply-jar-patch.sh \
-#   && /tmp/apply-jar-patch.sh /data/patches /data/sonarqube
+COPY --chown=sonarsource:sonarsource image/community-build/replace-jar.sh /tmp/replace-jar.sh
+
+# renovate: datasource=maven depName=netty-codec lookupName=io.netty:netty-codec
+ARG NETTY_VERSION=4.1.118.Final
+# renovate: datasource=maven depName=bc-fips lookupName=org.bouncycastle:bc-fips
+ARG BC_VERSION=1.0.2.5
+# renovate: datasource=maven depName=bcpkix-jdk18on lookupName=org.bouncycastle:bcpkix-jdk18on
+ARG BCPKIX_VERSION=1.78.1
+RUN chmod +x /tmp/replace-jar.sh && \
+    /tmp/replace-jar.sh io.netty netty-codec 4.1.118.Final ${NETTY_VERSION} /data/sonarqube/elasticsearch && \
+    /tmp/replace-jar.sh io.netty netty-codec-http 4.1.118.Final ${NETTY_VERSION} /data/sonarqube/elasticsearch && \
+    /tmp/replace-jar.sh io.netty netty-codec-http2 4.1.118.Final ${NETTY_VERSION} /data/sonarqube/elasticsearch && \
+    /tmp/replace-jar.sh org.bouncycastle bc-fips 1.0.2.5 ${BC_VERSION} /data/sonarqube/elasticsearch && \
+    /tmp/replace-jar.sh org.bouncycastle bcpkix-jdk18on 1.78.1 ${BCPKIX_VERSION} /data/sonarqube/elasticsearch
 
 FROM docker-mirrors.alauda.cn/library/eclipse-temurin:${JRE_IMAGE_VERSION}
 
@@ -82,6 +86,7 @@ RUN set -eux; \
     curl \
     fonts-dejavu \
     perl-base=5.34.0-3ubuntu1.5; \
+  apt-get --no-install-recommends -y upgrade libc-bin libc6 locales; \
   echo "networkaddress.cache.ttl=5" >> "${JAVA_HOME}/conf/security/java.security"; \
   sed --in-place --expression="s?securerandom.source=file:/dev/random?securerandom.source=file:/dev/urandom?g" "${JAVA_HOME}/conf/security/java.security"; \
   ln -s ${SONARQUBE_HOME}/lib/sonar-application-${SONARQUBE_VERSION}.jar ${SONARQUBE_HOME}/lib/sonarqube.jar; \