SQSCANGHA-84 Remove outdated wget/curl references

The action was refactored to use Node.js (@actions/tool-cache) for downloads, which doesn't rely on wget or curl. Update the README and QA workflow to reflect this. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-05 17:10:31 +03:00 · 2026-06-04 17:25:27 +02:00
9 changed files with 16 additions and 129 deletions
@@ -245,9 +245,9 @@ jobs:
      - name: Assert Sonar Scanner CLI was not executed
        run: |
          ./test/assertFileDoesntExist ./output.properties
-  scannerBinariesUrlIsEscapedWithWget:
+  scannerBinariesUrlCommandInjectionTest:
    name: >
-      'scannerBinariesUrl' is escaped with wget so special chars are not injected in the download command
+      'scannerBinariesUrl' does not allow command injection via semicolons
    runs-on: github-ubuntu-latest-s
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -266,22 +266,14 @@ jobs:
      - name: Assert file.txt does not exist
        run: |
          ./test/assertFileDoesntExist "$RUNNER_TEMP/sonarscanner/file.txt"
-  scannerBinariesUrlIsEscapedWithCurl:
+  scannerBinariesUrlCommandInjectionWithSpacesTest:
    name: >
-      'scannerBinariesUrl' is escaped with curl so special chars are not injected in the download command
+      'scannerBinariesUrl' does not allow command injection via spaces and quotes
    runs-on: github-ubuntu-latest-s
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Remove wget
        run: sudo apt-get remove -y wget
      - name: Assert wget is not available
        run: |
          if command -v wget 2>&1 >/dev/null
          then
            exit 1
          fi
      - name: Run action with scannerBinariesUrl
        id: runTest
        uses: ./
@@ -472,22 +464,14 @@ jobs:
        run: |
          ./test/assertFileContains ./output.properties "sonar.host.url=mirror.sonarcloud.io"
          ./test/assertFileContains ./output.properties "sonar.scanner.sonarcloudUrl=mirror.sonarcloud.io"
-  curlPerformsRedirect:
+  scannerBinariesUrlRedirectFollowed:
    name: >
-      curl performs redirect when scannerBinariesUrl returns 3xx
+      scannerBinariesUrl redirect (3xx) is followed
    runs-on: github-ubuntu-latest-s
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Remove wget
        run: sudo apt-get remove -y wget
      - name: Assert wget is not available
        run: |
          if command -v wget 2>&1 >/dev/null
          then
            exit 1
          fi
      - name: Generate SSL certificates for nginx
        run: ./generate-ssl.sh
        working-directory: .github/qa-nginx-redirecting
@@ -841,8 +825,8 @@ jobs:
      - projectBaseDirInputTest
      - scannerVersionTest
      - scannerBinariesUrlTest
-      - scannerBinariesUrlIsEscapedWithWget
+      - scannerBinariesUrlCommandInjectionTest
-      - scannerBinariesUrlIsEscapedWithCurl
+      - scannerBinariesUrlCommandInjectionWithSpacesTest
      - dontFailGradleTest
      - dontFailGradleKotlinTest
      - dontFailMavenTest
@@ -850,7 +834,7 @@ jobs:
      - runnerDebugUsedTest
      - runAnalysisWithCacheTest
      - overrideSonarcloudUrlTest
-      - curlPerformsRedirect
+      - scannerBinariesUrlRedirectFollowed
      - useSslCertificate
      - analysisWithSslCertificate
      - updateTruststoreWhenPresent
@@ -483,11 +483,11 @@ See also [example configurations of C++ projects for SonarQube Server](https://g
 When running the action in a self-hosted runner or container, please ensure that the following programs are installed:
 * **curl** or **wget**
 * **unzip**
 * **gpg**
 * **dirmngr**
 Note: `gpg` and `dirmngr` are only required for GPG signature verification (enabled by default). They can be omitted when setting `skipSignatureVerification: true`.
 ### Additional information
 The `sonarqube-scan-action/install-build-wrapper` action installs `coreutils` if run on macOS.
@@ -3862,19 +3862,6 @@ function getScannerDownloadURL({
 const scannerDirName = (version, flavor) =>
  `sonar-scanner-${version}-${flavor}`;
 /**
 * Converts a 4-part version string (e.g. "8.0.1.6346") to a SemVer 2.0 compatible
 * string (e.g. "8.0.1-build.6346") for use with GitHub's tool-cache library,
 * which requires SemVer-compliant version strings.
 */
 function toSemVer(version) {
  const parts = version.split(".");
  if (parts.length === 4) {
    return `${parts[0]}.${parts[1]}.${parts[2]}-build.${parts[3]}`;
  }
  return version;
 }
 /*
 * sonarqube-scan-action
 * Copyright (C) 2025 SonarSource SA
@@ -4164,10 +4151,9 @@ async function installSonarScanner({
  skipSignatureVerification = false,
 }) {
  const flavor = getPlatformFlavor(os$1.platform(), os$1.arch());
  const semVerVersion = toSemVer(scannerVersion);
  // Check if tool is already cached
-  let toolDir = find(TOOLNAME, semVerVersion, flavor);
+  let toolDir = find(TOOLNAME, scannerVersion, flavor);
  if (!toolDir) {
    info(
@@ -4210,7 +4196,7 @@ async function installSonarScanner({
      scannerDirName(scannerVersion, flavor)
    );
-    toolDir = await cacheDir(scannerPath, TOOLNAME, semVerVersion, flavor);
+    toolDir = await cacheDir(scannerPath, TOOLNAME, scannerVersion, flavor);
    info(`Sonar Scanner CLI cached to: ${toolDir}`);
  } else {
@@ -1,2 +0,0 @@
 [tools]
 node = "24"
@@ -22,7 +22,6 @@ import assert from "node:assert/strict";
 import { describe, it, mock } from "node:test";
 const SCANNER_VERSION = "6.2.0.4584";
 const SCANNER_SEMVER_VERSION = "6.2.0-build.4584";
 const BINARIES_URL = "https://my.artifactory.example.com/sonar-scanner-cli";
 const BINARY_DOWNLOAD_URL = `${BINARIES_URL}/sonar-scanner-cli-${SCANNER_VERSION}-linux-x64.zip`;
@@ -32,7 +31,6 @@ function mockUtils(t) {
      getPlatformFlavor: mock.fn(() => "linux-x64"),
      getScannerDownloadURL: mock.fn(() => BINARY_DOWNLOAD_URL),
      scannerDirName: mock.fn(() => `sonar-scanner-${SCANNER_VERSION}-linux-x64`),
      toSemVer: mock.fn(() => SCANNER_SEMVER_VERSION),
    },
  });
 }
@@ -173,50 +171,6 @@ describe("installSonarScanner", () => {
    assert.equal(downloadCalls[0].auth, "Bearer mytoken");
  });
  it("should use semver-compatible version for tool-cache find and cacheDir", async (t) => {
    const findFn = mock.fn(() => null);
    const cacheDirFn = mock.fn(async () => "/tmp/cached");
    mockUtils(t);
    t.mock.module("@actions/tool-cache", {
      namedExports: {
        find: findFn,
        downloadTool: mock.fn(async () => "/tmp/downloaded"),
        extractZip: mock.fn(async () => "/tmp/extracted"),
        cacheDir: cacheDirFn,
      },
    });
    t.mock.module("@actions/core", {
      namedExports: {
        info: mock.fn(),
        warning: mock.fn(),
        addPath: mock.fn(),
      },
    });
    t.mock.module("../gpg-verification.js", {
      namedExports: {
        verifySignature: mock.fn(async () => {}),
      },
    });
    const { installSonarScanner } = await import(
      `../install-sonar-scanner.js?test=semver-version`
    );
    await installSonarScanner({
      scannerVersion: SCANNER_VERSION,
      scannerBinariesUrl: BINARIES_URL,
    });
    assert.equal(findFn.mock.calls[0].arguments[1], SCANNER_SEMVER_VERSION,
      "tc.find should be called with semver-compatible version");
    assert.equal(cacheDirFn.mock.calls[0].arguments[2], SCANNER_SEMVER_VERSION,
      "tc.cacheDir should be called with semver-compatible version");
  });
  it("should use cached tool when available and skip download", async (t) => {
    const downloadToolFn = mock.fn();
@@ -22,7 +22,6 @@ import {
  getPlatformFlavor,
  getScannerDownloadURL,
  scannerDirName,
  toSemVer,
 } from "../utils.js";
 describe("getPlatformFlavor", () => {
@@ -98,22 +97,3 @@ describe("scannerDirName", () => {
    );
  });
 });
 describe("toSemVer", () => {
  it("converts 4-part version to semver pre-release format", () => {
    assert.equal(toSemVer("8.0.1.6346"), "8.0.1-build.6346");
  });
  it("leaves 3-part semver version unchanged", () => {
    assert.equal(toSemVer("8.0.1"), "8.0.1");
  });
  it("leaves version with pre-release identifier unchanged", () => {
    assert.equal(toSemVer("7.2.0-SNAPSHOT"), "7.2.0-SNAPSHOT");
  });
  it("converts different 4-part versions correctly", () => {
    assert.equal(toSemVer("6.2.0.4584"), "6.2.0-build.4584");
    assert.equal(toSemVer("8.1.0.6389"), "8.1.0-build.6389");
  });
 });
@@ -24,7 +24,6 @@ import {
  getPlatformFlavor,
  getScannerDownloadURL,
  scannerDirName,
  toSemVer,
 } from "./utils.js";
 import { verifySignature } from "./gpg-verification.js";
@@ -40,10 +39,9 @@ export async function installSonarScanner({
  skipSignatureVerification = false,
 }) {
  const flavor = getPlatformFlavor(os.platform(), os.arch());
  const semVerVersion = toSemVer(scannerVersion);
  // Check if tool is already cached
-  let toolDir = tc.find(TOOLNAME, semVerVersion, flavor);
+  let toolDir = tc.find(TOOLNAME, scannerVersion, flavor);
  if (!toolDir) {
    core.info(
@@ -86,7 +84,7 @@ export async function installSonarScanner({
      scannerDirName(scannerVersion, flavor)
    );
-    toolDir = await tc.cacheDir(scannerPath, TOOLNAME, semVerVersion, flavor);
+    toolDir = await tc.cacheDir(scannerPath, TOOLNAME, scannerVersion, flavor);
    core.info(`Sonar Scanner CLI cached to: ${toolDir}`);
  } else {
@@ -51,16 +51,3 @@ export function getScannerDownloadURL({
 export const scannerDirName = (version, flavor) =>
  `sonar-scanner-${version}-${flavor}`;
 /**
 * Converts a 4-part version string (e.g. "8.0.1.6346") to a SemVer 2.0 compatible
 * string (e.g. "8.0.1-build.6346") for use with GitHub's tool-cache library,
 * which requires SemVer-compliant version strings.
 */
 export function toSemVer(version) {
  const parts = version.split(".");
  if (parts.length === 4) {
    return `${parts[0]}.${parts[1]}.${parts[2]}-build.${parts[3]}`;
  }
  return version;
 }