Fix error message when pom or build.gradle are detected (#48)

(adapt https://github.com/orgs/community/discussions/16925)

Signed-off-by: Dwi Siswanto <me@dw1.io>

CODEOWNERS

@@ -1 +1 @@
-* @kitabisa/security @dwisiswant0
+* @dwisiswant0

Dockerfile

@@ -10,11 +10,6 @@ LABEL repository="https://github.com/kitabisa/sonarqube-action"
 LABEL homepage="https://kitabisa.github.io"
 LABEL maintainer="dwisiswant0"
 
-
-ENV NODE_PATH "/usr/lib/node_modules/"
-
 COPY entrypoint.sh /entrypoint.sh
-
 RUN chmod +x /entrypoint.sh
-
 ENTRYPOINT ["/entrypoint.sh"]

README.md

@@ -2,52 +2,76 @@
 
 Using this GitHub Action, scan your code with SonarQube scanner to detects bugs, vulnerabilities and code smells in more than 20 programming languages!
 
-<img src="https://www.sonarqube.org/assets/logo-31ad3115b1b4b120f3d1efd63e6b13ac9f1f89437f0cf6881cc4d8b5603a52b4.svg" width="320px">
+<img src="https://assets-eu-01.kc-usercontent.com/d1e40bf0-65fc-01ef-5235-9aeaedac229b/12e3974b-220d-4cde-8f17-2ff9fa9d9c27/SonarQube_Logo.svg" width="320px">
 
 SonarQube is an open-source platform developed by SonarSource for continuous inspection of code quality to perform automatic reviews with static analysis of code to detect bugs, code smells, and security vulnerabilities on 20+ programming languages.
 
 ## Requirements
 
-* Have SonarQube on server. [Install now](https://docs.sonarqube.org/latest/setup/install-server/) if it's not already the case!
+* [SonarQube server](https://docs.sonarqube.org/latest/setup/install-server/).
+* That's all!
 
 ## Usage
 
-The workflow, usually declared in `.github/workflows/build.yml`, looks like:
+The workflow, usually declared in `.github/workflows/build.yaml`, looks like:
 
 ```yaml
-on: push
-name: Main Workflow
+on:
+  # Trigger analysis when pushing in master or pull requests, and when creating
+  # a pull request. 
+  push:
+    branches:
+      - master
+  pull_request:
+      types: [opened, synchronize, reopened]
+
+name: SonarQube Scan
 jobs:
-  sonarQubeTrigger:
+  sonarqube:
     name: SonarQube Trigger
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@master
+    - name: Checking out
+      uses: actions/checkout@master
+      with:
+        # Disabling shallow clone is recommended for improving relevancy of reporting
+        fetch-depth: 0
     - name: SonarQube Scan
-      uses: kitabisa/sonarqube-action@v1.1.2
+      uses: kitabisa/sonarqube-action@v1.2.0
       with:
         host: ${{ secrets.SONARQUBE_HOST }}
         login: ${{ secrets.SONARQUBE_TOKEN }}
 ```
 
-You can change the analysis base directory and/ project key _(allowed characters: letters, numbers, -, \_, . and :, with at least one non-digit.)_ by using the optional input like this:
+You can change the analysis base directory and/or project key by using the optional input like this:
 
 ```yaml
 uses: kitabisa/sonarqube-action@master
 with:
-  projectBaseDir: "/path/to/my-custom-project"
+  host: ${{ secrets.SONARQUBE_HOST }}
+  login: ${{ secrets.SONARQUBE_TOKEN }}
+  projectBaseDir: "src/"
   projectKey: "my-custom-project"
-  projectName: "my-custom-project-name"
-  projectVersion: "v0.0.1"
 ```
 
-## Secrets
+### Inputs
 
-- `host` - **_(Required)_** this is the SonarQube server URL.
-- `login` - **_(Required)_** the login or authentication token of a SonarQube user with Execute Analysis permission on the project. See [how to generate SonarQube token](https://docs.sonarqube.org/latest/user-guide/user-token/).
-- `password` - The password that goes with the `login` username. This should be left blank if an `login` are authentication token.
+These are some of the supported input parameters of action.
 
-You can set all variable in the "Secrets" settings page of your repository.
+| **Parameter**        | **Description**                                   | **Required?** | **Default** | **Note**                                                                                      |
+|----------------------|---------------------------------------------------|---------------|-------------|-----------------------------------------------------------------------------------------------|
+| **`host`**           | SonarQube server URL                              | 🟢            |             |                                                                                               |
+| **`login`**          | Login or authentication token of a SonarQube user | 🟢            |             | `Execute Analysis` permission required.                                                       |
+| **`password`**       | The password that goes with the `login` username  | 🔴            |             | This should be left blank if an `login` are authentication token.                             |
+| **`projectBaseDir`** | Set custom project base directory analysis        | 🔴            | `.`         |                                                                                               |
+| **`projectKey`**     | The project's unique key                          | 🔴            |             | Allowed characters are: letters, numbers, `-`, `_`, `.` and `:`, with at least one non-digit. |
+| **`projectName`**    | Name of the project                               | 🔴            |             | It will be displayed on the SonarQube web interface.                                          |
+| **`projectVersion`** | The project version                               | 🔴            |             |                                                                                               |
+| **`encoding`**       | Encoding of the source code                       | 🔴            | `UTF-8`     |                                                                                               |
+
+
+> [!NOTE]
+> If you opt to configure the project metadata and other related settings in a **`sonar-project.properties`** file (must be placed within the base directory, `projectBaseDir`) instead of using input parameters, this action is compatible with that approach!
 
 ## License
 

action.yaml

@@ -1,15 +1,18 @@
 name: "SonarQube Scan"
 description: "Scan your code with SonarQube Scanner to detect bugs, vulnerabilities and code smells in more than 25 programming languages."
 author: "Dwi Siswanto"
+
 branding:
   icon: "check"
   color: "green"
+
 runs:
   using: "docker"
   image: "Dockerfile"
+
 inputs:
   host:
-    description: "SonarQube server URL"
+    description: "SonarQube server URL."
     required: true
   projectKey:
     description: "The project's unique key. Allowed characters are: letters, numbers, -, _, . and :, with at least one non-digit."
@@ -24,12 +27,16 @@ inputs:
     required: false
     default: ""
   projectBaseDir:
-    description: "Set the sonar.projectBaseDir analysis property"
+    description: "Set the sonar.projectBaseDir analysis property."
     required: false
     default: "."
   login:
-    description: "Login or authentication token of a SonarQube user"
+    description: "Login or authentication token of a SonarQube user."
     required: true
   password:
     description: "Password that goes with the sonar.login username. This should be left blank if an authentication token is being used."
-    required: false
+    required: false
+  encoding:
+    description: "Encoding of the source code."
+    required: false
+    default: "UTF-8"

entrypoint.sh

@@ -2,36 +2,44 @@
 
 set -e
 
-if [[ "${GITHUB_EVENT_NAME}" == "pull_request" ]]; then
-	EVENT_ACTION=$(jq -r ".action" "${GITHUB_EVENT_PATH}")
-	if [[ "${EVENT_ACTION}" != "opened" ]]; then
-		echo "No need to run analysis. It is already triggered by the push event."
-		exit
-	fi
-fi
-
 REPOSITORY_NAME=$(basename "${GITHUB_REPOSITORY}")
 
-[[ ! -z ${INPUT_PASSWORD} ]] && SONAR_PASSWORD="${INPUT_PASSWORD}" || SONAR_PASSWORD=""
+if [[ ! -z "${INPUT_PASSWORD}" ]]; then
+  echo "::warning ::Running this GitHub Action without authentication token is NOT recommended!"
+  SONAR_PASSWORD="${INPUT_PASSWORD}"
+else
+  SONAR_PASSWORD=""
+fi
 
-if [[ ! -f "${GITHUB_WORKSPACE}/sonar-project.properties" ]]; then
-  [[ -z ${INPUT_PROJECTKEY} ]] && SONAR_PROJECTKEY="${REPOSITORY_NAME}" || SONAR_PROJECTKEY="${INPUT_PROJECTKEY}"
-  [[ -z ${INPUT_PROJECTNAME} ]] && SONAR_PROJECTNAME="${REPOSITORY_NAME}" || SONAR_PROJECTNAME="${INPUT_PROJECTNAME}"
-  [[ -z ${INPUT_PROJECTVERSION} ]] && SONAR_PROJECTVERSION="" || SONAR_PROJECTVERSION="${INPUT_PROJECTVERSION}"
+if [[ -f "${INPUT_PROJECTBASEDIR%/}/pom.xml" ]]; then
+  echo "::error file=${INPUT_PROJECTBASEDIR%/}/pom.xml::Maven project detected. You should run the goal 'org.sonarsource.scanner.maven:sonar' during build rather than using this GitHub Action."
+  exit 1
+fi
+
+if [[ -f "${INPUT_PROJECTBASEDIR%/}/build.gradle" ]]; then
+  echo "::error file=${INPUT_PROJECTBASEDIR%/}/build.gradle::Gradle project detected. You should use the SonarQube plugin for Gradle during build rather than using this GitHub Action."
+  exit 1
+fi
+
+unset JAVA_HOME
+
+if [[ ! -f "${INPUT_PROJECTBASEDIR%/}/sonar-project.properties" ]]; then
+  [[ -z "${INPUT_PROJECTKEY}" ]] && SONAR_PROJECTKEY="${REPOSITORY_NAME}" || SONAR_PROJECTKEY="${INPUT_PROJECTKEY}"
+  [[ -z "${INPUT_PROJECTNAME}" ]] && SONAR_PROJECTNAME="${REPOSITORY_NAME}" || SONAR_PROJECTNAME="${INPUT_PROJECTNAME}"
+  [[ -z "${INPUT_PROJECTVERSION}" ]] && SONAR_PROJECTVERSION="" || SONAR_PROJECTVERSION="${INPUT_PROJECTVERSION}"
   sonar-scanner \
-    -Dsonar.host.url=${INPUT_HOST} \
-    -Dsonar.projectKey=${SONAR_PROJECTKEY} \
-    -Dsonar.projectName=${SONAR_PROJECTNAME} \
-    -Dsonar.projectVersion=${SONAR_PROJECTVERSION} \
-    -Dsonar.projectBaseDir=${INPUT_PROJECTBASEDIR} \
-    -Dsonar.login=${INPUT_LOGIN} \
-    -Dsonar.password=${SONAR_PASSWORD} \
-    -Dsonar.sources=. \
-    -Dsonar.sourceEncoding=UTF-8
+    -Dsonar.host.url="${INPUT_HOST}" \
+    -Dsonar.projectKey="${SONAR_PROJECTKEY}" \
+    -Dsonar.projectName="${SONAR_PROJECTNAME}" \
+    -Dsonar.projectVersion="${SONAR_PROJECTVERSION}" \
+    -Dsonar.projectBaseDir="${INPUT_PROJECTBASEDIR}" \
+    -Dsonar.login="${INPUT_LOGIN}" \
+    -Dsonar.password="${SONAR_PASSWORD}" \
+    -Dsonar.sources="${INPUT_PROJECTBASEDIR}" \
+    -Dsonar.sourceEncoding="${INPUT_ENCODING}"
 else
   sonar-scanner \
-    -Dsonar.host.url=${INPUT_HOST} \
-    -Dsonar.projectBaseDir=${INPUT_PROJECTBASEDIR} \
-    -Dsonar.login=${INPUT_LOGIN} \
-    -Dsonar.password=${SONAR_PASSWORD}
+    -Dsonar.host.url="${INPUT_HOST}" \
+    -Dsonar.login="${INPUT_LOGIN}" \
+    -Dsonar.password="${SONAR_PASSWORD}"
 fi