From d9d50ad81188c640cd62c8315ada055b0e2cce53 Mon Sep 17 00:00:00 2001 From: Tibor Blenessy Date: Mon, 27 Apr 2026 11:36:39 +0200 Subject: [PATCH 1/9] Add gradle/verification-metadata.xml for dependency verification Records SHA-256 checksums for all resolved dependencies, providing supply-chain guarantees. Also satisfies SonarQube rule S8569 which requires either gradle.lockfile or gradle/verification-metadata.xml next to each build.gradle.kts. --- gradle/verification-metadata.xml | 1971 ++++++++++++++++++++++++++++++ 1 file changed, 1971 insertions(+) create mode 100644 gradle/verification-metadata.xml diff --git a/gradle/verification-metadata.xml b/gradle/verification-metadata.xml new file mode 100644 index 00000000..5036bfdb --- /dev/null +++ b/gradle/verification-metadata.xml 
@@ -0,0 +1,1971 @@ + + + + true + false + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + 
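Review bot: Signature verification looks to be switched off in the configuration block at the top of the new gradle/verification-metadata.xml — the two bare booleans that survive this rendering, `true` then `false`, match Gradle's `<verify-metadata>true</verify-metadata>` followed by `<verify-signature>false</verify-signature>`, although the element names themselves are not legible here. With checksums only, the file pins whatever the generating build happened to download (trust on first use), so the guarantee is "these artifacts cannot change under us", not "these artifacts are authentic", and the commit message's "supply-chain guarantees" reads stronger than that. If checksum pinning is the intended scope, say so in the message; if authenticity is wanted, set `<verify-signature>true</verify-signature>`, add `<trusted-keys>` for the publishers, and regenerate with `--write-verification-metadata sha256,pgp`.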
From 88605f87218ddbba4cd92544a0780d739f3b1149 Mon Sep 17 00:00:00 2001 From: Tibor Blenessy Date: Mon, 27 Apr 2026 11:55:23 +0200 Subject: [PATCH 2/9] Route all dependency resolution through repox Add pluginManagement in settings.gradle.kts and update buildSrc and e2e to resolve through repox first, following the same pattern as sonar-skunk. This ensures verification-metadata.xml checksums match on CI where all artifacts are fetched through repox. --- buildSrc/build.gradle.kts | 4 +- e2e/build.gradle.kts | 4 +- gradle/verification-metadata.xml | 64 ++++++++++++++++++-------------- settings.gradle.kts | 8 ++++ 4 files changed, 50 insertions(+), 30 deletions(-) diff --git a/buildSrc/build.gradle.kts b/buildSrc/build.gradle.kts index 995b6489..9820dfce 100644 --- a/buildSrc/build.gradle.kts +++ b/buildSrc/build.gradle.kts @@ -7,7 +7,9 @@ dependencyLocking { } repositories { - mavenCentral() + maven { + url = uri("https://repox.jfrog.io/repox/sonarsource") + } gradlePluginPortal() } diff --git a/e2e/build.gradle.kts b/e2e/build.gradle.kts index 4d1bee2c..f07c899e 100644 --- a/e2e/build.gradle.kts +++ b/e2e/build.gradle.kts @@ -28,7 +28,9 @@ dependencies { } repositories { - mavenCentral() + maven { + url = uri("https://repox.jfrog.io/repox/sonarsource") + } mavenLocal() } diff --git a/gradle/verification-metadata.xml b/gradle/verification-metadata.xml index 5036bfdb..c1f41fe9 100644 --- a/gradle/verification-metadata.xml +++ b/gradle/verification-metadata.xml @@ -107,17 +107,17 @@ - + - + - + @@ -135,14 +135,19 @@ + + + + + - + - + @@ -152,17 +157,17 @@ - + - + - + @@ -172,7 +177,7 @@ - + @@ -380,7 +385,7 @@ - + @@ -595,32 +600,32 @@ - + - + - + - + - + - + @@ -640,7 +645,7 @@ - + @@ -795,7 +800,7 @@ - + @@ -984,7 +989,7 @@ - + @@ -1483,9 +1488,6 @@ - - - @@ -1501,6 +1503,9 @@ + + + @@ -1514,14 +1519,14 @@ - - - + + + @@ -1540,6 +1545,9 @@ + + + @@ -1912,13 +1920,13 @@ - + - - + + diff --git a/settings.gradle.kts b/settings.gradle.kts index f6232551..ebeee941 100644 
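Review bot: `mavenLocal()` is kept as the second repository in the e2e/build.gradle.kts hunk, so an artifact sitting in `~/.m2/repository` still wins over what repox serves for any coordinate it happens to contain, which is the one path on a developer machine that can diverge from the checksums this series records "on CI". Worth confirming whether Gradle enforces verification-metadata.xml on artifacts that come from `mavenLocal()`; if it does not, that repository is the unverified hole in the new setup. If it is only there to pick up a locally installed build of this plugin, restrict it to that group so it cannot shadow third-party coordinates: `mavenLocal { content { includeGroup("<this plugin's Maven group>") } }`. The buildSrc hunk on the same line (context `dependencyLocking {`) makes the same repox swap and keeps `gradlePluginPortal()` second, which is fine as long as the metadata also covers the plugin-portal artifacts.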
--- a/settings.gradle.kts +++ b/settings.gradle.kts @@ -5,6 +5,14 @@ * For more detailed information on multi-project builds, please refer to https://docs.gradle.org/8.12.1/userguide/multi_project_builds.html in the Gradle documentation. */ +pluginManagement { + repositories { + maven { + url = uri("https://repox.jfrog.io/repox/sonarsource") + } + } +} + plugins { // Apply the foojay-resolver plugin to allow automatic download of JDKs id("org.gradle.toolchains.foojay-resolver-convention") version "1.0.0" From 8454a9ec6ea180690da7313c3111c3e060e3013a Mon Sep 17 00:00:00 2001 From: Tibor Blenessy Date: Mon, 27 Apr 2026 12:18:26 +0200 Subject: [PATCH 3/9] Regenerate verification metadata with --refresh-dependencies --- gradle/verification-metadata.xml | 100 +++++++++++++++++++++++++++++++ 1 file changed, 100 insertions(+) diff --git a/gradle/verification-metadata.xml b/gradle/verification-metadata.xml index c1f41fe9..2308dcb7 100644 --- a/gradle/verification-metadata.xml +++ b/gradle/verification-metadata.xml @@ -135,6 +135,11 @@ + + + + + @@ -150,6 +155,11 @@ + + + + + @@ -170,6 +180,11 @@ + + + + + @@ -556,6 +571,16 @@ + + + + + + + + + + @@ -780,6 +805,14 @@ + + + + + + + + @@ -819,6 +852,11 @@ + + + + + @@ -827,6 +865,11 @@ + + + + + @@ -979,6 +1022,11 @@ + + + + + @@ -1431,6 +1479,11 @@ + + + + + @@ -1488,16 +1541,25 @@ + + + + + + + + + @@ -1510,6 +1572,14 @@ + + + + + + + + @@ -1519,6 +1589,9 @@ + + + @@ -1532,15 +1605,29 @@ + + + + + + + + + + + + + + @@ -1621,6 +1708,11 @@ + + + + + @@ -1935,6 +2027,14 @@ + + + + + + + + From 8d722d72af06d50170a89a1ce18343b5ab3c435f Mon Sep 17 00:00:00 2001 From: Tibor Blenessy Date: Mon, 27 Apr 2026 12:51:46 +0200 Subject: [PATCH 4/9] Add gradlePluginPortal fallback in pluginManagement for foojay plugin --- gradle/verification-metadata.xml | 13 +++++++++++++ settings.gradle.kts | 1 + 2 files changed, 14 insertions(+) 
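Review bot: The new `pluginManagement` block only governs where plugins come from; dependency repositories stay declared per build script (buildSrc and e2e in this series, the root build.gradle.kts is not in view), each repeating the same repox URL, and nothing stops a later script from adding a repository the verification metadata was never generated against. A `dependencyResolutionManagement` block in settings.gradle.kts can hold the repox declaration once and, with `FAIL_ON_PROJECT_REPOS`, turns any per-project `repositories {}` into a build failure, which makes "everything resolves through repox" enforced rather than conventional. buildSrc is a separate build and would keep its own declaration; whether e2e is a subproject or an included build is not visible here, so its treatment needs checking.
```kotlin
pluginManagement {
    // … unchanged: repox repository declaration …
}

dependencyResolutionManagement {
    repositoriesMode = RepositoriesMode.FAIL_ON_PROJECT_REPOS
    repositories {
        maven {
            url = uri("https://repox.jfrog.io/repox/sonarsource")
        }
    }
}
```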
diff --git a/gradle/verification-metadata.xml b/gradle/verification-metadata.xml index 2308dcb7..a7b58e4f 100644 --- a/gradle/verification-metadata.xml +++ b/gradle/verification-metadata.xml @@ -424,6 +424,19 @@ + + + + + + + + + + + + + diff --git a/settings.gradle.kts b/settings.gradle.kts index ebeee941..5d9fd914 100644 --- a/settings.gradle.kts +++ b/settings.gradle.kts @@ -10,6 +10,7 @@ pluginManagement { maven { url = uri("https://repox.jfrog.io/repox/sonarsource") } + gradlePluginPortal() } } From 3771626691d37237e44606c9de0b753c2d7eca95 Mon Sep 17 00:00:00 2001 From: Tibor Blenessy Date: Mon, 27 Apr 2026 12:53:34 +0200 Subject: [PATCH 5/9] Remove foojay-resolver plugin, Java is managed through mise --- settings.gradle.kts | 6 ------ 1 file changed, 6 deletions(-) diff --git a/settings.gradle.kts b/settings.gradle.kts index 5d9fd914..318f524b 100644 --- a/settings.gradle.kts +++ b/settings.gradle.kts @@ -10,15 +10,9 @@ pluginManagement { maven { url = uri("https://repox.jfrog.io/repox/sonarsource") } - gradlePluginPortal() } } -plugins { - // Apply the foojay-resolver plugin to allow automatic download of JDKs - id("org.gradle.toolchains.foojay-resolver-convention") version "1.0.0" -} - rootProject.name = "sonar-rust-plugin" include("sonar-rust-plugin") From 38b0790680e4f06360863cf1e1187dfd94a565fb Mon Sep 17 00:00:00 2001 From: Tibor Blenessy Date: Mon, 27 Apr 2026 13:17:28 +0200 Subject: [PATCH 6/9] Add credentials to pluginManagement repox repository --- settings.gradle.kts | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/settings.gradle.kts b/settings.gradle.kts index 318f524b..263b92c0 100644 --- a/settings.gradle.kts +++ b/settings.gradle.kts 
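Review bot: Removing the foojay plugin from settings.gradle.kts leaves behind the checksum entries the previous commit added for it — the diffstat of PATCH 5/9 touches only settings.gradle.kts, while PATCH 4/9 added 13 lines to gradle/verification-metadata.xml at `@@ -424,6 +424,19 @@` (the entries are not legible in this rendering, but that message ties them to the foojay fallback). Stale trusted checksums are not an integrity hole, but they silently widen what the build will accept and they are the kind of entry that gets copied forward on every regeneration. Regenerate the metadata after this removal (or delete the block by hand) and confirm the `org.gradle.toolchains.foojay-resolver` entries are gone; if the Gradle version in use supports `--write-verification-metadata sha256 --dry-run`, that shows the difference before committing.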
@@ -6,9 +6,19 @@ */ pluginManagement { + val artifactoryUsername: String? = System.getenv("ARTIFACTORY_PRIVATE_USERNAME") + ?: providers.gradleProperty("artifactoryUsername").orNull + val artifactoryPassword: String? = System.getenv("ARTIFACTORY_PRIVATE_PASSWORD") + ?: providers.gradleProperty("artifactoryPassword").orNull repositories { maven { url = uri("https://repox.jfrog.io/repox/sonarsource") + if (artifactoryUsername != null && artifactoryPassword != null) { + credentials { + username = artifactoryUsername + password = artifactoryPassword + } + } } } } From 082a99e0c8734f83cc844eef5510a0a6db97724f Mon Sep 17 00:00:00 2001 From: Tibor Blenessy Date: Mon, 27 Apr 2026 13:41:08 +0200 Subject: [PATCH 7/9] Add credentials to repox repositories in buildSrc and e2e --- buildSrc/build.gradle.kts | 8 ++++++++ e2e/build.gradle.kts | 8 ++++++++ 2 files changed, 16 insertions(+) diff --git a/buildSrc/build.gradle.kts b/buildSrc/build.gradle.kts index 9820dfce..c8b575b0 100644 --- a/buildSrc/build.gradle.kts +++ b/buildSrc/build.gradle.kts @@ -7,8 +7,16 @@ dependencyLocking { } repositories { + val artifactoryUsername = System.getenv("ARTIFACTORY_PRIVATE_USERNAME") ?: project.findProperty("artifactoryUsername") + val artifactoryPassword = System.getenv("ARTIFACTORY_PRIVATE_PASSWORD") ?: project.findProperty("artifactoryPassword") maven { url = uri("https://repox.jfrog.io/repox/sonarsource") + if (artifactoryUsername is String && artifactoryPassword is String) { + credentials { + username = artifactoryUsername + password = artifactoryPassword + } + } } gradlePluginPortal() } diff --git a/e2e/build.gradle.kts b/e2e/build.gradle.kts index f07c899e..0d346942 100644 --- a/e2e/build.gradle.kts +++ b/e2e/build.gradle.kts 
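Review bot: The `?:` fallback on the new `artifactoryUsername`/`artifactoryPassword` lines only fires when the environment variable is unset; a variable that is exported but empty (which is what a GitHub Actions `env:` entry produces when it references a secret the job cannot see) yields `""`, which is non-null, so the `if (artifactoryUsername != null && artifactoryPassword != null)` guard passes and Gradle sends empty Basic credentials to repox instead of either the gradle.properties values or an anonymous request. Trim the empty case in the same expression: `val artifactoryUsername = (System.getenv("ARTIFACTORY_PRIVATE_USERNAME") ?: providers.gradleProperty("artifactoryUsername").orNull)?.takeIf { it.isNotBlank() }` and likewise for the password. The buildSrc copy further down this line (PATCH 7/9) implements the same lookup differently — `project.findProperty` plus an `is String` check — so there are now three hand-maintained variants of the credential logic that will drift; at minimum make them textually identical and treat the two env-var names as the shared contract. I cannot see whether developer machines are expected to carry these values in gradle.properties, but if so, a comment reminding that the file must stay out of version control belongs next to the lookup.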
@@ -28,8 +28,16 @@ dependencies { } repositories { + val artifactoryUsername = System.getenv("ARTIFACTORY_PRIVATE_USERNAME") ?: project.findProperty("artifactoryUsername") + val artifactoryPassword = System.getenv("ARTIFACTORY_PRIVATE_PASSWORD") ?: project.findProperty("artifactoryPassword") maven { url = uri("https://repox.jfrog.io/repox/sonarsource") + if (artifactoryUsername is String && artifactoryPassword is String) { + credentials { + username = artifactoryUsername + password = artifactoryPassword + } + } } mavenLocal() } From e26f2f759ad173b2fa92cb546eb83bb9f95c36a8 Mon Sep 17 00:00:00 2001 From: Tibor Blenessy Date: Mon, 27 Apr 2026 14:06:36 +0200 Subject: [PATCH 8/9] Add gradlePluginPortal fallback in pluginManagement The cross_platform_analyzers CI job has no Artifactory credentials, so plugins can only be resolved via Gradle Plugin Portal when repox returns 401. --- settings.gradle.kts | 1 + 1 file changed, 1 insertion(+) diff --git a/settings.gradle.kts b/settings.gradle.kts index 263b92c0..1a419303 100644 --- a/settings.gradle.kts +++ b/settings.gradle.kts @@ -20,6 +20,7 @@ pluginManagement { } } } + gradlePluginPortal() } } From 7d0d9126ce7add9404c6886bb2917ff695e8d890 Mon Sep 17 00:00:00 2001 From: Tibor Blenessy Date: Mon, 27 Apr 2026 14:16:27 +0200 Subject: [PATCH 9/9] Configure Gradle with repox credentials in cross_platform_analyzers job --- .github/workflows/build.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 999254a6..68a96c93 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -110,6 +110,7 @@ jobs: rustup target add x86_64-unknown-linux-musl rustup target add x86_64-unknown-linux-gnu rustup target add aarch64-unknown-linux-musl + - uses: SonarSource/ci-github-actions/config-gradle@v1 - name: Build Rust analyzers run: | ./gradlew :analyzer:compileRustLinuxMusl :analyzer:compileRustLinuxArm :analyzer:compileRustWin --info --stacktrace
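Review bot: The re-added `gradlePluginPortal()` fallback only helps if Gradle actually moves on after repox answers 401, and that is not Gradle's usual behaviour for a non-404 response: a `Could not GET … Received status code 401 from server: Unauthorized` error normally fails the resolution outright rather than counting as "not found in this repository". The commit message states the 401 case as observed, so presumably it works against repox as configured; a `cross_platform_analyzers` run with the credentials deliberately absent would confirm it before the job depends on it. If it does not fall through, the more robust shape is to declare repox only when credentials are present and keep `gradlePluginPortal()` unconditional, e.g. `if (artifactoryUsername != null && artifactoryPassword != null) { maven { url = uri("https://repox.jfrog.io/repox/sonarsource"); credentials { username = artifactoryUsername; password = artifactoryPassword } } }`, so an unauthenticated build never contacts repox at all. The pinned checksums in gradle/verification-metadata.xml make the portal fallback safe for plugins already recorded there; anything resolved only from the portal and not yet recorded will fail verification until the metadata is regenerated, which is the behaviour you want.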
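Review bot: `SonarSource/ci-github-actions/config-gradle@v1` is pinned to a movable tag, and this is the step that hands Artifactory credentials to Gradle in `cross_platform_analyzers`, so whoever can move `v1` in that repository can change what happens to those credentials in this workflow. Pin it to the full commit SHA and keep the tag as a comment, `- uses: SonarSource/ci-github-actions/config-gradle@<40-hex-commit-sha> # v1`, and let Dependabot or Renovate bump the SHA; the `rustup target add` lines above it are unchanged context. Also worth confirming what this step does when the job runs for a pull request from a fork, where the secrets it presumably reads are empty (the action's source is not visible here): the previous commit's plugin-portal fallback is then the only path, and an exported-but-empty credential variable is not the same as an unset one for the `?:` checks in settings.gradle.kts.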