SQSCANGHA-88 Deprecate the SONARCLOUD_URL env variable support

Emit a warning when SONARCLOUD_URL is set, directing users to either
pass nothing, use SONAR_REGION=us for the US region, or pass
-Dsonar.scanner.sonarcloudUrl and -Dsonar.scanner.apiBaseUrl via args
for advanced needs. Backward compatibility is preserved.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

.github/workflows/qa-main.yml

@@ -245,9 +245,9 @@ jobs:
       - name: Assert Sonar Scanner CLI was not executed
         run: |
           ./test/assertFileDoesntExist ./output.properties
-  scannerBinariesUrlCommandInjectionTest:
+  scannerBinariesUrlIsEscapedWithWget:
     name: >
-      'scannerBinariesUrl' does not allow command injection via semicolons
+      'scannerBinariesUrl' is escaped with wget so special chars are not injected in the download command
     runs-on: github-ubuntu-latest-s
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -266,14 +266,22 @@ jobs:
       - name: Assert file.txt does not exist
         run: |
           ./test/assertFileDoesntExist "$RUNNER_TEMP/sonarscanner/file.txt"
-  scannerBinariesUrlCommandInjectionWithSpacesTest:
+  scannerBinariesUrlIsEscapedWithCurl:
     name: >
-      'scannerBinariesUrl' does not allow command injection via spaces and quotes
+      'scannerBinariesUrl' is escaped with curl so special chars are not injected in the download command
     runs-on: github-ubuntu-latest-s
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Remove wget
+        run: sudo apt-get remove -y wget
+      - name: Assert wget is not available
+        run: |
+          if command -v wget 2>&1 >/dev/null
+          then
+            exit 1
+          fi
       - name: Run action with scannerBinariesUrl
         id: runTest
         uses: ./
@@ -443,7 +451,7 @@ jobs:
           ./test/assertFileExists ./test/example-project/.scannerwork/report-task.txt
   overrideSonarcloudUrlTest:
     name: >
-      'SONARCLOUD_URL' is used
+      Deprecated 'SONARCLOUD_URL' still works and emits a deprecation warning
     strategy:
       fail-fast: false
       matrix:
@@ -453,7 +461,7 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
-      - name: Run action with SONARCLOUD_URL
+      - name: Run action with deprecated SONARCLOUD_URL
         uses: ./
         with:
           args: -Dsonar.scanner.apiBaseUrl=api.mirror.sonarcloud.io -Dsonar.scanner.internal.dumpToFile=./output.properties
@@ -464,14 +472,22 @@ jobs:
         run: |
           ./test/assertFileContains ./output.properties "sonar.host.url=mirror.sonarcloud.io"
           ./test/assertFileContains ./output.properties "sonar.scanner.sonarcloudUrl=mirror.sonarcloud.io"
-  scannerBinariesUrlRedirectFollowed:
+  curlPerformsRedirect:
     name: >
-      scannerBinariesUrl redirect (3xx) is followed
+      curl performs redirect when scannerBinariesUrl returns 3xx
     runs-on: github-ubuntu-latest-s
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Remove wget
+        run: sudo apt-get remove -y wget
+      - name: Assert wget is not available
+        run: |
+          if command -v wget 2>&1 >/dev/null
+          then
+            exit 1
+          fi
       - name: Generate SSL certificates for nginx
         run: ./generate-ssl.sh
         working-directory: .github/qa-nginx-redirecting
@@ -825,8 +841,8 @@ jobs:
       - projectBaseDirInputTest
       - scannerVersionTest
       - scannerBinariesUrlTest
-      - scannerBinariesUrlCommandInjectionTest
-      - scannerBinariesUrlCommandInjectionWithSpacesTest
+      - scannerBinariesUrlIsEscapedWithWget
+      - scannerBinariesUrlIsEscapedWithCurl
       - dontFailGradleTest
       - dontFailGradleKotlinTest
       - dontFailMavenTest
@@ -834,7 +850,7 @@ jobs:
       - runnerDebugUsedTest
       - runAnalysisWithCacheTest
       - overrideSonarcloudUrlTest
-      - scannerBinariesUrlRedirectFollowed
+      - curlPerformsRedirect
       - useSslCertificate
       - analysisWithSslCertificate
       - updateTruststoreWhenPresent

README.md

@@ -483,11 +483,11 @@ See also [example configurations of C++ projects for SonarQube Server](https://g
 
 When running the action in a self-hosted runner or container, please ensure that the following programs are installed:
 
+* **curl** or **wget**
+* **unzip**
 * **gpg**
 * **dirmngr**
 
-Note: `gpg` and `dirmngr` are only required for GPG signature verification (enabled by default). They can be omitted when setting `skipSignatureVerification: true`.
-
 ### Additional information
 
 The `sonarqube-scan-action/install-build-wrapper` action installs `coreutils` if run on macOS.

dist/index.js

@@ -4543,7 +4543,15 @@ async function run() {
     const { args, projectBaseDir, scannerVersion, scannerBinariesUrl, scannerBinariesAuthHeader, skipSignatureVerification } =
       getInputs();
     const runnerEnv = getEnvVariables();
-    const { sonarToken } = runnerEnv;
+    const { sonarToken, sonarcloudUrl } = runnerEnv;
+
+    if (sonarcloudUrl) {
+      warning(
+        "The SONARCLOUD_URL environment variable is deprecated and will be removed in a future version. " +
+          "Regular users should not set it; use SONAR_REGION=us for the US region. " +
+          "For advanced needs, pass -Dsonar.scanner.sonarcloudUrl and -Dsonar.scanner.apiBaseUrl via the args input."
+      );
+    }
 
     runSanityChecks({ projectBaseDir, scannerVersion, sonarToken });
 

src/main/__tests__/index.test.js

@@ -48,6 +48,85 @@ function mockDependencies(t, { getInputFn, setSecretFn }) {
   });
 }
 
+describe("SONARCLOUD_URL deprecation", () => {
+  it("should warn when SONARCLOUD_URL is set", async (t) => {
+    const warningFn = mock.fn();
+    const getInputFn = mock.fn(() => "");
+
+    t.mock.module("@actions/core", {
+      namedExports: {
+        getInput: getInputFn,
+        getBooleanInput: mock.fn(() => false),
+        setSecret: mock.fn(),
+        setFailed: mock.fn(),
+        info: mock.fn(),
+        warning: warningFn,
+      },
+    });
+    t.mock.module("../install-sonar-scanner.js", {
+      namedExports: { installSonarScanner: mock.fn(async () => "/scanner") },
+    });
+    t.mock.module("../run-sonar-scanner.js", {
+      namedExports: { runSonarScanner: mock.fn(async () => {}) },
+    });
+    t.mock.module("../sanity-checks.js", {
+      namedExports: {
+        validateScannerVersion: mock.fn(),
+        checkSonarToken: mock.fn(),
+        checkMavenProject: mock.fn(),
+        checkGradleProject: mock.fn(),
+      },
+    });
+
+    process.env.SONARCLOUD_URL = "mirror.sonarcloud.io";
+    t.after(() => delete process.env.SONARCLOUD_URL);
+
+    await import("../index.js?test=deprecation-warning");
+
+    assert.equal(warningFn.mock.calls.length, 1);
+    assert.match(
+      warningFn.mock.calls[0].arguments[0],
+      /SONARCLOUD_URL.*deprecated/
+    );
+  });
+
+  it("should not warn when SONARCLOUD_URL is not set", async (t) => {
+    const warningFn = mock.fn();
+    const getInputFn = mock.fn(() => "");
+
+    t.mock.module("@actions/core", {
+      namedExports: {
+        getInput: getInputFn,
+        getBooleanInput: mock.fn(() => false),
+        setSecret: mock.fn(),
+        setFailed: mock.fn(),
+        info: mock.fn(),
+        warning: warningFn,
+      },
+    });
+    t.mock.module("../install-sonar-scanner.js", {
+      namedExports: { installSonarScanner: mock.fn(async () => "/scanner") },
+    });
+    t.mock.module("../run-sonar-scanner.js", {
+      namedExports: { runSonarScanner: mock.fn(async () => {}) },
+    });
+    t.mock.module("../sanity-checks.js", {
+      namedExports: {
+        validateScannerVersion: mock.fn(),
+        checkSonarToken: mock.fn(),
+        checkMavenProject: mock.fn(),
+        checkGradleProject: mock.fn(),
+      },
+    });
+
+    delete process.env.SONARCLOUD_URL;
+
+    await import("../index.js?test=no-deprecation-warning");
+
+    assert.equal(warningFn.mock.calls.length, 0);
+  });
+});
+
 describe("getInputs", () => {
   it("should mask scannerBinariesAuthHeader using setSecret when provided", async (t) => {
     const setSecretFn = mock.fn();

src/main/index.js

@@ -79,7 +79,15 @@ async function run() {
     const { args, projectBaseDir, scannerVersion, scannerBinariesUrl, scannerBinariesAuthHeader, skipSignatureVerification } =
       getInputs();
     const runnerEnv = getEnvVariables();
-    const { sonarToken } = runnerEnv;
+    const { sonarToken, sonarcloudUrl } = runnerEnv;
+
+    if (sonarcloudUrl) {
+      core.warning(
+        "The SONARCLOUD_URL environment variable is deprecated and will be removed in a future version. " +
+          "Regular users should not set it; use SONAR_REGION=us for the US region. " +
+          "For advanced needs, pass -Dsonar.scanner.sonarcloudUrl and -Dsonar.scanner.apiBaseUrl via the args input."
+      );
+    }
 
     runSanityChecks({ projectBaseDir, scannerVersion, sonarToken });