SQSCANGHA-135 Update dist

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

.github/workflows/qa-main.yml

@@ -245,9 +245,9 @@ jobs:
       - name: Assert Sonar Scanner CLI was not executed
         run: |
           ./test/assertFileDoesntExist ./output.properties
-  scannerBinariesUrlCommandInjectionTest:
+  scannerBinariesUrlIsEscapedWithWget:
     name: >
-      'scannerBinariesUrl' does not allow command injection via semicolons
+      'scannerBinariesUrl' is escaped with wget so special chars are not injected in the download command
     runs-on: github-ubuntu-latest-s
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -266,14 +266,22 @@ jobs:
       - name: Assert file.txt does not exist
         run: |
           ./test/assertFileDoesntExist "$RUNNER_TEMP/sonarscanner/file.txt"
-  scannerBinariesUrlCommandInjectionWithSpacesTest:
+  scannerBinariesUrlIsEscapedWithCurl:
     name: >
-      'scannerBinariesUrl' does not allow command injection via spaces and quotes
+      'scannerBinariesUrl' is escaped with curl so special chars are not injected in the download command
     runs-on: github-ubuntu-latest-s
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Remove wget
+        run: sudo apt-get remove -y wget
+      - name: Assert wget is not available
+        run: |
+          if command -v wget 2>&1 >/dev/null
+          then
+            exit 1
+          fi
       - name: Run action with scannerBinariesUrl
         id: runTest
         uses: ./
@@ -464,14 +472,22 @@ jobs:
         run: |
           ./test/assertFileContains ./output.properties "sonar.host.url=mirror.sonarcloud.io"
           ./test/assertFileContains ./output.properties "sonar.scanner.sonarcloudUrl=mirror.sonarcloud.io"
-  scannerBinariesUrlRedirectFollowed:
+  curlPerformsRedirect:
     name: >
-      scannerBinariesUrl redirect (3xx) is followed
+      curl performs redirect when scannerBinariesUrl returns 3xx
     runs-on: github-ubuntu-latest-s
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Remove wget
+        run: sudo apt-get remove -y wget
+      - name: Assert wget is not available
+        run: |
+          if command -v wget 2>&1 >/dev/null
+          then
+            exit 1
+          fi
       - name: Generate SSL certificates for nginx
         run: ./generate-ssl.sh
         working-directory: .github/qa-nginx-redirecting
@@ -825,8 +841,8 @@ jobs:
       - projectBaseDirInputTest
       - scannerVersionTest
       - scannerBinariesUrlTest
-      - scannerBinariesUrlCommandInjectionTest
-      - scannerBinariesUrlCommandInjectionWithSpacesTest
+      - scannerBinariesUrlIsEscapedWithWget
+      - scannerBinariesUrlIsEscapedWithCurl
       - dontFailGradleTest
       - dontFailGradleKotlinTest
       - dontFailMavenTest
@@ -834,7 +850,7 @@ jobs:
       - runnerDebugUsedTest
       - runAnalysisWithCacheTest
       - overrideSonarcloudUrlTest
-      - scannerBinariesUrlRedirectFollowed
+      - curlPerformsRedirect
       - useSslCertificate
       - analysisWithSslCertificate
       - updateTruststoreWhenPresent

README.md

@@ -483,11 +483,11 @@ See also [example configurations of C++ projects for SonarQube Server](https://g
 
 When running the action in a self-hosted runner or container, please ensure that the following programs are installed:
 
+* **curl** or **wget**
+* **unzip**
 * **gpg**
 * **dirmngr**
 
-Note: `gpg` and `dirmngr` are only required for GPG signature verification (enabled by default). They can be omitted when setting `skipSignatureVerification: true`.
-
 ### Additional information
 
 The `sonarqube-scan-action/install-build-wrapper` action installs `coreutils` if run on macOS.

dist/index.js

@@ -3862,6 +3862,19 @@ function getScannerDownloadURL({
 const scannerDirName = (version, flavor) =>
   `sonar-scanner-${version}-${flavor}`;
 
+/**
+ * Converts a 4-part version string (e.g. "8.0.1.6346") to a SemVer 2.0 compatible
+ * string (e.g. "8.0.1-build.6346") for use with GitHub's tool-cache library,
+ * which requires SemVer-compliant version strings.
+ */
+function toSemVer(version) {
+  const parts = version.split(".");
+  if (parts.length === 4) {
+    return `${parts[0]}.${parts[1]}.${parts[2]}-build.${parts[3]}`;
+  }
+  return version;
+}
+
 /*
  * sonarqube-scan-action
  * Copyright (C) 2025 SonarSource SA
@@ -4151,9 +4164,10 @@ async function installSonarScanner({
   skipSignatureVerification = false,
 }) {
   const flavor = getPlatformFlavor(os$1.platform(), os$1.arch());
+  const semVerVersion = toSemVer(scannerVersion);
 
   // Check if tool is already cached
-  let toolDir = find(TOOLNAME, scannerVersion, flavor);
+  let toolDir = find(TOOLNAME, semVerVersion, flavor);
 
   if (!toolDir) {
     info(
@@ -4196,7 +4210,7 @@ async function installSonarScanner({
       scannerDirName(scannerVersion, flavor)
     );
 
-    toolDir = await cacheDir(scannerPath, TOOLNAME, scannerVersion, flavor);
+    toolDir = await cacheDir(scannerPath, TOOLNAME, semVerVersion, flavor);
 
     info(`Sonar Scanner CLI cached to: ${toolDir}`);
   } else {

src/main/__tests__/install-sonar-scanner.test.js

@@ -22,6 +22,7 @@ import assert from "node:assert/strict";
 import { describe, it, mock } from "node:test";
 
 const SCANNER_VERSION = "6.2.0.4584";
+const SCANNER_SEMVER_VERSION = "6.2.0-build.4584";
 const BINARIES_URL = "https://my.artifactory.example.com/sonar-scanner-cli";
 const BINARY_DOWNLOAD_URL = `${BINARIES_URL}/sonar-scanner-cli-${SCANNER_VERSION}-linux-x64.zip`;
 
@@ -31,6 +32,7 @@ function mockUtils(t) {
       getPlatformFlavor: mock.fn(() => "linux-x64"),
       getScannerDownloadURL: mock.fn(() => BINARY_DOWNLOAD_URL),
       scannerDirName: mock.fn(() => `sonar-scanner-${SCANNER_VERSION}-linux-x64`),
+      toSemVer: mock.fn(() => SCANNER_SEMVER_VERSION),
     },
   });
 }
@@ -171,6 +173,50 @@ describe("installSonarScanner", () => {
     assert.equal(downloadCalls[0].auth, "Bearer mytoken");
   });
 
+  it("should use semver-compatible version for tool-cache find and cacheDir", async (t) => {
+    const findFn = mock.fn(() => null);
+    const cacheDirFn = mock.fn(async () => "/tmp/cached");
+
+    mockUtils(t);
+
+    t.mock.module("@actions/tool-cache", {
+      namedExports: {
+        find: findFn,
+        downloadTool: mock.fn(async () => "/tmp/downloaded"),
+        extractZip: mock.fn(async () => "/tmp/extracted"),
+        cacheDir: cacheDirFn,
+      },
+    });
+
+    t.mock.module("@actions/core", {
+      namedExports: {
+        info: mock.fn(),
+        warning: mock.fn(),
+        addPath: mock.fn(),
+      },
+    });
+
+    t.mock.module("../gpg-verification.js", {
+      namedExports: {
+        verifySignature: mock.fn(async () => {}),
+      },
+    });
+
+    const { installSonarScanner } = await import(
+      `../install-sonar-scanner.js?test=semver-version`
+    );
+
+    await installSonarScanner({
+      scannerVersion: SCANNER_VERSION,
+      scannerBinariesUrl: BINARIES_URL,
+    });
+
+    assert.equal(findFn.mock.calls[0].arguments[1], SCANNER_SEMVER_VERSION,
+      "tc.find should be called with semver-compatible version");
+    assert.equal(cacheDirFn.mock.calls[0].arguments[2], SCANNER_SEMVER_VERSION,
+      "tc.cacheDir should be called with semver-compatible version");
+  });
+
   it("should use cached tool when available and skip download", async (t) => {
     const downloadToolFn = mock.fn();
 

src/main/__tests__/utils.test.js

@@ -22,6 +22,7 @@ import {
   getPlatformFlavor,
   getScannerDownloadURL,
   scannerDirName,
+  toSemVer,
 } from "../utils.js";
 
 describe("getPlatformFlavor", () => {
@@ -97,3 +98,22 @@ describe("scannerDirName", () => {
     );
   });
 });
+
+describe("toSemVer", () => {
+  it("converts 4-part version to semver pre-release format", () => {
+    assert.equal(toSemVer("8.0.1.6346"), "8.0.1-build.6346");
+  });
+
+  it("leaves 3-part semver version unchanged", () => {
+    assert.equal(toSemVer("8.0.1"), "8.0.1");
+  });
+
+  it("leaves version with pre-release identifier unchanged", () => {
+    assert.equal(toSemVer("7.2.0-SNAPSHOT"), "7.2.0-SNAPSHOT");
+  });
+
+  it("converts different 4-part versions correctly", () => {
+    assert.equal(toSemVer("6.2.0.4584"), "6.2.0-build.4584");
+    assert.equal(toSemVer("8.1.0.6389"), "8.1.0-build.6389");
+  });
+});

src/main/install-sonar-scanner.js

@@ -24,6 +24,7 @@ import {
   getPlatformFlavor,
   getScannerDownloadURL,
   scannerDirName,
+  toSemVer,
 } from "./utils.js";
 import { verifySignature } from "./gpg-verification.js";
 
@@ -39,9 +40,10 @@ export async function installSonarScanner({
   skipSignatureVerification = false,
 }) {
   const flavor = getPlatformFlavor(os.platform(), os.arch());
+  const semVerVersion = toSemVer(scannerVersion);
 
   // Check if tool is already cached
-  let toolDir = tc.find(TOOLNAME, scannerVersion, flavor);
+  let toolDir = tc.find(TOOLNAME, semVerVersion, flavor);
 
   if (!toolDir) {
     core.info(
@@ -84,7 +86,7 @@ export async function installSonarScanner({
       scannerDirName(scannerVersion, flavor)
     );
 
-    toolDir = await tc.cacheDir(scannerPath, TOOLNAME, scannerVersion, flavor);
+    toolDir = await tc.cacheDir(scannerPath, TOOLNAME, semVerVersion, flavor);
 
     core.info(`Sonar Scanner CLI cached to: ${toolDir}`);
   } else {

src/main/utils.js

@@ -51,3 +51,16 @@ export function getScannerDownloadURL({
 
 export const scannerDirName = (version, flavor) =>
   `sonar-scanner-${version}-${flavor}`;
+
+/**
+ * Converts a 4-part version string (e.g. "8.0.1.6346") to a SemVer 2.0 compatible
+ * string (e.g. "8.0.1-build.6346") for use with GitHub's tool-cache library,
+ * which requires SemVer-compliant version strings.
+ */
+export function toSemVer(version) {
+  const parts = version.split(".");
+  if (parts.length === 4) {
+    return `${parts[0]}.${parts[1]}.${parts[2]}-build.${parts[3]}`;
+  }
+  return version;
+}