CLI-20 CLI update command wip

Author: sophio-japharidze-sonarsource

src/commands/update.ts

@@ -0,0 +1,100 @@
+/*
+ * SonarQube CLI
+ * Copyright (C) 2026 SonarSource Sàrl
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+
+// CLI self-update command
+
+import { VERSION } from '../version.js';
+import {
+  fetchLatestCliVersion,
+  compareVersions,
+  performSelfUpdate,
+} from '../lib/self-update.js';
+import { text, blank, success, warn, info, withSpinner } from '../ui/index.js';
+
+/**
+ * Core version check: compare current version against latest, return update info.
+ */
+async function checkVersion(): Promise<{
+  current: string;
+  latest: string;
+  hasUpdate: boolean;
+}> {
+  const latest = await withSpinner('Checking for updates', fetchLatestCliVersion);
+  const hasUpdate = compareVersions(latest, VERSION) > 0;
+  return { current: VERSION, latest, hasUpdate };
+}
+
+/**
+ * sonar update --check
+ * Check for updates and notify the user, but do not install.
+ */
+export async function updateCheckCommand(): Promise<void> {
+  text(`\nCurrent version: v${VERSION}\n`);
+
+  const { latest, hasUpdate } = await checkVersion();
+
+  if (!hasUpdate) {
+    blank();
+    success(`Already on the latest version (v${VERSION})`);
+    return;
+  }
+
+  blank();
+  warn(`Update available: v${VERSION} → v${latest}`);
+  text(`  Run: sonar update`);
+}
+
+/**
+ * sonar update
+ * Check for updates and install if one is available (binary installs only).
+ * With --force, reinstall even if already on the latest version.
+ */
+export async function updateCommand(options: { check?: boolean; force?: boolean }): Promise<void> {
+  if (options.check) {
+    await updateCheckCommand();
+    return;
+  }
+
+  text(`\nCurrent version: v${VERSION}\n`);
+
+  const { latest, hasUpdate } = await checkVersion();
+
+  if (!hasUpdate && !options.force) {
+    blank();
+    success(`Already on the latest version (v${VERSION})`);
+    return;
+  }
+
+  if (!hasUpdate && options.force) {
+    info(`Forcing reinstall of v${latest}`);
+  } else {
+    info(`Update available: v${VERSION} → v${latest}`);
+  }
+
+  blank();
+  const installedVersion = await withSpinner(
+    `Downloading and installing v${latest}`,
+    () => performSelfUpdate(latest)
+  );
+
+  blank();
+  success(`Updated to v${installedVersion}`);
+  text(`  Path: ${process.execPath}`);
+}

src/index.ts

@@ -40,6 +40,7 @@ import { authLoginCommand, authLogoutCommand, authPurgeCommand, authStatusComman
 import { secretInstallCommand, secretStatusCommand } from './commands/secret.js';
 import { analyzeSecretsCommand } from './commands/analyze.js';
 import { projectsSearchCommand } from './commands/projects.js';
+import { updateCommand } from './commands/update.js';
 
 const program = new Command();
 
@@ -154,6 +155,16 @@ auth
     await authStatusCommand();
   });
 
+// Check for and install CLI updates
+program
+  .command('update')
+  .description('Check for and install CLI updates')
+  .option('--check', 'Check for updates without installing')
+  .option('--force', 'Force update even if already on the latest version')
+  .action(async (options) => {
+    await runCommand(() => updateCommand(options));
+  });
+
 // Analyze code for security issues
 const analyze = program
   .command('analyze')

src/lib/config-constants.ts

@@ -66,6 +66,7 @@ export const BIN_DIR = join(CLI_DIR, 'bin');
 
 export const SONARSOURCE_BINARIES_URL = 'https://binaries.sonarsource.com';
 export const SONAR_SECRETS_DIST_PREFIX = 'CommercialDistribution/sonar-secrets';
+export const SONARQUBE_CLI_DIST_PREFIX = 'Distribution/sonarqube-cli';
 
 // ---------------------------------------------------------------------------
 // SonarCloud

src/lib/self-update.ts

@@ -0,0 +1,222 @@
+/*
+ * SonarQube CLI
+ * Copyright (C) 2026 SonarSource Sàrl
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 3 of the License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this program; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
+ */
+
+// Self-update logic for the sonarqube-cli binary
+
+import { existsSync } from 'node:fs';
+import { copyFile, chmod, rename, unlink, mkdtemp, writeFile, rm } from 'node:fs/promises';
+import { join } from 'node:path';
+import { tmpdir } from 'node:os';
+import { spawnProcess } from './process.js';
+import { VERSION } from '../version.js';
+import { SONARSOURCE_BINARIES_URL, SONARQUBE_CLI_DIST_PREFIX } from './config-constants.js';
+import { detectPlatform } from './platform-detector.js';
+import logger from './logger.js';
+
+const REQUEST_TIMEOUT_MS = 30000;
+const DOWNLOAD_TIMEOUT_MS = 120000;
+
+/**
+ * Fetch the latest available CLI version from binaries.sonarsource.com
+ */
+export async function fetchLatestCliVersion(): Promise<string> {
+  const url = `${SONARSOURCE_BINARIES_URL}/${SONARQUBE_CLI_DIST_PREFIX}/latest-version.txt`;
+
+  const response = await fetch(url, {
+    headers: { 'User-Agent': `sonarqube-cli/${VERSION}` },
+    signal: AbortSignal.timeout(REQUEST_TIMEOUT_MS),
+  });
+
+  if (!response.ok) {
+    throw new Error(`Failed to fetch latest version: ${response.status} ${response.statusText}`);
+  }
+
+  const version = (await response.text()).trim();
+  if (!version) {
+    throw new Error('Could not determine latest version from release server');
+  }
+
+  return version;
+}
+
+/**
+ * Compare two dot-separated version strings numerically.
+ * Returns negative if a < b, positive if a > b, 0 if equal.
+ */
+export function compareVersions(a: string, b: string): number {
+  return a.localeCompare(b, undefined, { numeric: true });
+}
+
+/**
+ * Build the download URL for a given CLI version on the current platform.
+ * Naming convention: sonarqube-cli-<version>-<os>-<arch>.exe
+ */
+function buildCliDownloadUrl(version: string): string {
+  const platform = detectPlatform();
+  const filename = `sonarqube-cli-${version}-${platform.os}-${platform.arch}.exe`;
+  return `${SONARSOURCE_BINARIES_URL}/${SONARQUBE_CLI_DIST_PREFIX}/${filename}`;
+}
+
+/**
+ * Download the CLI binary to a temporary file and return its path.
+ */
+async function downloadToTemp(url: string): Promise<{ tmpDir: string; tmpFile: string }> {
+  const tmpDir = await mkdtemp(join(tmpdir(), 'sonar-update-'));
+  const tmpFile = join(tmpDir, 'sonar.download');
+
+  logger.debug(`Downloading CLI from: ${url}`);
+
+  const response = await fetch(url, {
+    headers: { 'User-Agent': `sonarqube-cli/${VERSION}` },
+    signal: AbortSignal.timeout(DOWNLOAD_TIMEOUT_MS),
+  });
+
+  if (!response.ok) {
+    throw new Error(`Download failed: ${response.status} ${response.statusText}`);
+  }
+
+  const buffer = await response.arrayBuffer();
+  await writeFile(tmpFile, Buffer.from(buffer));
+
+  return { tmpDir, tmpFile };
+}
+
+/**
+ * Verify a binary responds correctly to --version, returning the version string.
+ */
+async function verifyBinary(binaryPath: string): Promise<string> {
+  const result = await spawnProcess(binaryPath, ['--version'], {
+    stdout: 'pipe',
+    stderr: 'pipe',
+  });
+
+  if (result.exitCode !== 0) {
+    throw new Error('Downloaded binary failed version check');
+  }
+
+  const combined = result.stdout + ' ' + result.stderr;
+  // eslint-disable-next-line sonarjs/regex-complexity -- bounded quantifiers prevent backtracking
+  const match = /(\d{1,20}(?:\.\d{1,20}){1,3})/.exec(combined);
+  if (!match) {
+    throw new Error('Could not parse version from downloaded binary output');
+  }
+
+  return match[1];
+}
+
+/**
+ * Remove macOS quarantine attribute from the file (no-op if not quarantined).
+ */
+async function removeQuarantine(filePath: string): Promise<void> {
+  try {
+    await spawnProcess('xattr', ['-d', 'com.apple.quarantine', filePath], {
+      stdout: 'pipe',
+      stderr: 'pipe',
+    });
+  } catch {
+    // Binary is not quarantined — this is expected and fine
+  }
+}
+
+/**
+ * Perform an in-place binary self-update with rollback on failure.
+ *
+ * Strategy:
+ *  1. Download new binary to system tmpdir
+ *  2. Copy to <binaryPath>.new (same FS → avoids cross-device rename)
+ *  3. Rename current binary to <binaryPath>.backup  (atomic)
+ *  4. Rename .new to current path                  (atomic)
+ *  5. Verify the new binary works
+ *  6. On success: remove backup
+ *  7. On failure: restore backup, throw
+ */
+export async function performSelfUpdate(version: string): Promise<string> {
+  const currentBinaryPath = process.execPath;
+  const newBinaryPath = `${currentBinaryPath}.new`;
+  const backupPath = `${currentBinaryPath}.backup`;
+  const downloadUrl = buildCliDownloadUrl(version);
+  const platform = detectPlatform();
+
+  let tmpDir: string | null = null;
+
+  try {
+    // --- Download ---
+    const { tmpDir: td, tmpFile } = await downloadToTemp(downloadUrl);
+    tmpDir = td;
+
+    // Set permissions before moving
+    if (platform.os !== 'windows') {
+      await chmod(tmpFile, 0o755);
+    }
+
+    if (platform.os === 'macos') {
+      await removeQuarantine(tmpFile);
+    }
+
+    // --- Copy to binary directory (handles cross-filesystem download) ---
+    await copyFile(tmpFile, newBinaryPath);
+    if (platform.os !== 'windows') {
+      await chmod(newBinaryPath, 0o755);
+    }
+
+    // --- Atomic swap ---
+    if (existsSync(currentBinaryPath)) {
+      await rename(currentBinaryPath, backupPath);
+    }
+    await rename(newBinaryPath, currentBinaryPath);
+
+    // --- Verify ---
+    try {
+      const installedVersion = await verifyBinary(currentBinaryPath);
+
+      // Success: remove backup
+      if (existsSync(backupPath)) {
+        await unlink(backupPath);
+      }
+
+      return installedVersion;
+    } catch (verifyErr) {
+      // Rollback: restore backup
+      logger.warn(`Verification failed, rolling back: ${(verifyErr as Error).message}`);
+      if (existsSync(backupPath)) {
+        await rename(backupPath, currentBinaryPath);
+      }
+      throw verifyErr;
+    }
+  } finally {
+    // Best-effort cleanup of temp directory
+    if (tmpDir) {
+      try {
+        await rm(tmpDir, { recursive: true, force: true });
+      } catch {
+        // Ignore cleanup errors
+      }
+    }
+
+    // Best-effort cleanup of .new file if it somehow survived
+    if (existsSync(newBinaryPath)) {
+      try {
+        await unlink(newBinaryPath);
+      } catch {
+        // Ignore cleanup errors
+      }
+    }
+  }
+}