update to version 9.9.2

.drone.yml

@@ -9,9 +9,9 @@ steps:
   image: plugins/docker
   settings:
     repo:
-      from_secret: docker_regst
+      from_secret: docker_repo
     registry:
-      from_secret: docker_vrepo
+      from_secret: docker_regst
     dockerfile: 9-comm/Dockerfile
     context: ./9-comm
     insecure: true
@@ -27,15 +27,15 @@ steps:
   image: plugins/docker
   settings:
     repo:
-      from_secret: docker_regst
+      from_secret: docker_repo
     username:
       from_secret: docker_user
     password:
       from_secret: docker_pass
     registry:
-      from_secret: docker_vrepo
-    cache_from:
       from_secret: docker_regst
+    cache_from:
+      from_secret: docker_repo
     dockerfile: 9-comm/Dockerfile
     context: ./9-comm
     auto_tag: true
@@ -46,3 +46,19 @@ steps:
       event:
       - push
       - tag
+
+
+- name: send build notification
+  image: appleboy/drone-telegram
+  settings:
+    token:
+      from_secret: TELE_TOKEN
+    to:
+      from_secret : TELE_GID
+    message: "{{#success build.status}} ✅  Build #{{build.number}} of `{{repo.name}}` succeeded.\n\n📝 Commit by {{commit.author}} on `{{commit.branch}}`:\n``` {{commit.message}} ```\n\n🌐 {{ build.link }} {{else}} ❌  Build #{{build.number}} of `{{repo.name}}` failed.\n\n📝 Commit by {{commit.author}} on `{{commit.branch}}`:\n``` {{commit.message}} ```\n\n🌐 {{ build.link }} {{/success}}\n\n timecost: {{since build.started}}\n"
+    when:
+      branch:
+      - master
+      event:
+      - push
+      - tag

.github/CODEOWNERS

@@ -0,0 +1 @@
+.github/CODEOWNERS @sonarsource/sonarqube-team

.github/ISSUE_TEMPLATE.md

@@ -0,0 +1,6 @@
+Please ensure your issue adheres to the following guidelines: 
+
+This repository is used for technical issues only. For general Support like questions, please create a new Thread in our [Community Forum](https://community.sonarsource.com/)
+
+- [ ] Please check the problem is not already reported, or a known issue documented in [`develop.md`](develop.md)
+- [ ] Please include enough details to reproduce the problem: the command executed, the host platform, error messages or relevant logs

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,5 @@
+Please be aware that we are not actively looking for feature contributions. We typically accept minor improvements and bug-fixes. 
+Please ensure your pull request adheres to the following guidelines:
+- [ ] explain your motives to contribute this change: what problem you are trying to fix, what improvement you are trying to make
+- [ ] If the PR modifies or adds images, use the `run-tests.sh imagedir` command to verify the image works
+- [ ] If the PR modifies or adds images, try to make sure the images run correctly on Linux

.github/workflows/next-scan.yml

@@ -0,0 +1,33 @@
+on:
+  # Trigger analysis when pushing in master or pull requests, and when creating
+  # a pull request. 
+  push:
+    branches:
+      - master
+  pull_request:
+    types: [opened, synchronize, reopened]
+    
+name: Main Workflow
+jobs:
+  next:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      pull-requests: read
+      contents: read
+    steps:
+    - uses: actions/checkout@v3
+      with:
+        # Disabling shallow clone is recommended for improving relevancy of reporting
+        fetch-depth: 0
+    - id: secrets
+      uses: SonarSource/vault-action-wrapper@2.4.3-1
+      with:
+        secrets: |
+          development/kv/data/next token | sq_next_token;
+    - name: SonarQube Next Scan
+      uses: sonarsource/sonarqube-scan-action@master
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        SONAR_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).sq_next_token }}
+        SONAR_HOST_URL: https://next.sonarqube.com/sonarqube/

.github/workflows/release.yml

@@ -0,0 +1,45 @@
+name: Release SBOM Assets
+
+on:
+  release:
+    types:
+      - created
+
+jobs:
+  release:
+    name: Upload Release Asset
+    strategy:
+      fail-fast: false
+      matrix:
+        tag:
+          - 9-community
+          - 9-developer
+          - 9-enterprise
+          - 9-datacenter-app
+          - 9-datacenter-search
+          - 10-community
+          - 10-developer
+          - 10-enterprise
+          - 10-datacenter-app
+          - 10-datacenter-search
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      id-token: write
+    steps:
+      - id: secrets
+        uses: SonarSource/vault-action-wrapper@2.4.3-1
+        with:
+          secrets: |
+            development/kv/data/sign key | gpg_key;
+            development/kv/data/sign passphrase | gpg_passphrase;
+      - name: Generate CycloneDX SBOM
+        uses: SonarSource/gh-action_sbom@v1
+        with:
+          image: "sonarqube:${{ matrix.tag }}"
+          filename: "sonarqube-${{ matrix.tag }}-bom.json"
+          upload-artifact: true
+          upload-release-assets: true
+        env:
+          GPG_PRIVATE_KEY_PASSPHRASE: ${{ fromJSON(steps.secrets.outputs.vault).gpg_passphrase }}
+          GPG_PRIVATE_KEY_BASE64: ${{ fromJSON(steps.secrets.outputs.vault).gpg_key }}

10-comm/Dockerfile

@@ -0,0 +1,61 @@
+FROM eclipse-temurin:17-jre
+
+LABEL org.opencontainers.image.url=https://github.com/SonarSource/docker-sonarqube
+
+ENV LANG='en_US.UTF-8' \
+    LANGUAGE='en_US:en' \
+    LC_ALL='en_US.UTF-8'
+
+#
+# SonarQube setup
+#
+ARG SONARQUBE_VERSION=10.2.1.78527
+ARG SONARQUBE_ZIP_URL=https://binaries.sonarsource.com/Distribution/sonarqube/sonarqube-${SONARQUBE_VERSION}.zip
+ENV DOCKER_RUNNING="true" \
+    JAVA_HOME='/opt/java/openjdk' \
+    SONARQUBE_HOME=/opt/sonarqube \
+    SONAR_VERSION="${SONARQUBE_VERSION}" \
+    SQ_DATA_DIR="/opt/sonarqube/data" \
+    SQ_EXTENSIONS_DIR="/opt/sonarqube/extensions" \
+    SQ_LOGS_DIR="/opt/sonarqube/logs" \
+    SQ_TEMP_DIR="/opt/sonarqube/temp"
+
+RUN set -eux; \
+    groupadd --system --gid 1000 sonarqube; \
+    useradd --system --uid 1000 --gid sonarqube sonarqube; \
+    apt-get update; \
+    apt-get install -y gnupg unzip curl bash fonts-dejavu; \
+    echo "networkaddress.cache.ttl=5" >> "${JAVA_HOME}/conf/security/java.security"; \
+    sed --in-place --expression="s?securerandom.source=file:/dev/random?securerandom.source=file:/dev/urandom?g" "${JAVA_HOME}/conf/security/java.security"; \
+    # pub   2048R/D26468DE 2015-05-25
+    #       Key fingerprint = F118 2E81 C792 9289 21DB  CAB4 CFCA 4A29 D264 68DE
+    # uid                  sonarsource_deployer (Sonarsource Deployer) <infra@sonarsource.com>
+    # sub   2048R/06855C1D 2015-05-25
+    for server in $(shuf -e hkps://keys.openpgp.org \
+                            hkps://keyserver.ubuntu.com) ; do \
+        gpg --batch --keyserver "${server}" --recv-keys 679F1EE92B19609DE816FDE81DB198F93525EC1A && break || : ; \
+    done; \
+    mkdir --parents /opt; \
+    cd /opt; \
+    curl --fail --location --output sonarqube.zip --silent --show-error "${SONARQUBE_ZIP_URL}"; \
+    curl --fail --location --output sonarqube.zip.asc --silent --show-error "${SONARQUBE_ZIP_URL}.asc"; \
+    gpg --batch --verify sonarqube.zip.asc sonarqube.zip; \
+    unzip -q sonarqube.zip; \
+    mv "sonarqube-${SONARQUBE_VERSION}" sonarqube; \
+    rm sonarqube.zip*; \
+    rm -rf ${SONARQUBE_HOME}/bin/*; \
+    ln -s "${SONARQUBE_HOME}/lib/sonar-application-${SONARQUBE_VERSION}.jar" "${SONARQUBE_HOME}/lib/sonarqube.jar"; \
+    chmod -R 555 ${SONARQUBE_HOME}; \
+    chmod -R ugo+wrX "${SQ_DATA_DIR}" "${SQ_EXTENSIONS_DIR}" "${SQ_LOGS_DIR}" "${SQ_TEMP_DIR}"; \
+    apt-get remove -y gnupg unzip; \
+    rm -rf /var/lib/apt/lists/*;
+
+COPY entrypoint.sh ${SONARQUBE_HOME}/docker/
+
+WORKDIR ${SONARQUBE_HOME}
+EXPOSE 9000
+
+USER sonarqube
+STOPSIGNAL SIGINT
+
+ENTRYPOINT ["/opt/sonarqube/docker/entrypoint.sh"]

10-comm/entrypoint.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+set -e
+
+DEFAULT_CMD=('/opt/java/openjdk/bin/java' '-jar' 'lib/sonarqube.jar' '-Dsonar.log.console=true')
+
+# this if will check if the first argument is a flag
+# but only works if all arguments require a hyphenated flag
+# -v; -SL; -f arg; etc will work, but not arg1 arg2
+if [ "$#" -eq 0 ] || [ "${1#-}" != "$1" ]; then
+    set -- "${DEFAULT_CMD[@]}" "$@"
+fi
+
+exec "$@"

9-comm/Dockerfile

@@ -9,7 +9,7 @@ ENV LANG='en_US.UTF-8' \
 #
 # SonarQube setup
 #
-ARG SONARQUBE_VERSION=9.9.1.69595
+ARG SONARQUBE_VERSION=9.9.2.77730
 ARG SONARQUBE_ZIP_URL=https://binaries.sonarsource.com/Distribution/sonarqube/sonarqube-${SONARQUBE_VERSION}.zip
 ENV JAVA_HOME='/opt/java/openjdk' \
     SONARQUBE_HOME=/opt/sonarqube \

CONTRIBUTING.md

@@ -0,0 +1,15 @@
+Issues / Questions
+------------------
+
+If you want to raise an issue or ask a question ("How do I?", "I got this error, why?", ...), please first read the [documentation](https://docs.sonarqube.org) and then head to the [SonarSource forum](https://community.sonarsource.com/). There are chances that a question similar to yours has already been answered. 
+
+Be aware that this forum is a community, so the standard pleasantries ("Hi", "Thanks", ...) are expected. And if you don't get an answer to your thread, you should sit on your hands for at least three days before bumping it. Operators are not standing by. :-)
+
+Contributing
+------------
+
+If you would like to see a new feature, please create a new thread in the forum ["Suggest new features"](https://community.sonarsource.com/c/suggestions/features).
+
+Please be aware that we are not actively looking for feature contributions. We typically accept minor improvements and bug-fixes.
+
+With that in mind, if you would like to submit a code contribution, please create a pull request for this repository. Please explain your motives to contribute this change: what problem you are trying to fix, what improvement you are trying to make.

NOTICE.txt

@@ -3,4 +3,4 @@ Copyright (C) 2015-2019 SonarSource SA
 mailto:info AT sonarsource DOT com
 
 This product includes software developed at
-SonarSource (http://www.sonarsource.com/).
+SonarSource (http://www.sonarsource.com/).

README.md

@@ -4,8 +4,11 @@ This is the Git repo of the official Docker image for [SonarQube](https://regist
 
 The full readme is generated over in [docker-library/docs](https://github.com/docker-library/docs), specifically in [docker-library/docs/sonarqube](https://github.com/docker-library/docs/tree/master/sonarqube).
 
-Have Question or Feedback?
---------------------------
+Sonar's [Clean Code solution](https://www.sonarsource.com/solutions/clean-code/) helps developers deliver high-quality, efficient code standards that benefit the entire team or organization.
+
+
+Have Questions or Feedback?
+---------------------------
 
 For support questions ("How do I?", "I got this error, why?", ...), please first read the [documentation](https://docs.sonarqube.org) and then head to the [SonarSource forum](https://community.sonarsource.com/). There are chances that a question similar to yours has already been answered. 
 
@@ -17,7 +20,7 @@ Contributing
 
 If you would like to see a new feature, please create a new thread in the forum ["Suggest new features"](https://community.sonarsource.com/c/suggestions/features).
 
-Please be aware that we are not actively looking for feature contributions. We typically accept minor improvements and bug-fixes.
+Please be aware that we are not actively looking for feature contributions. We typically accept minor improvements and bug fixes.
 
 With that in mind, if you would like to submit a code contribution, please create a pull request for this repository. Please explain your motives to contribute this change: what problem you are trying to fix, what improvement you are trying to make.
 

deprecated.md

@@ -0,0 +1,84 @@
+# _DEPRECATED_
+
+Dogfooding and images for local artifacts
+=========================================
+
+Dogfooding
+----------
+
+SonarQube Docker images are dogfooded.
+
+This implies that Docker images are produced for every artifact produced from the dogfood branch of SonarQube (see the [dogfood_docker_build_task](https://github.com/SonarSource/sonar-enterprise/blob/master/.cirrus.yml#L263)).
+
+Docker images of SonarQube are built from publicly available artifacts, which means the Dockerfile can simply download them from the public place they are hosted (`binaries.sonarsource.com`).
+
+However, this is not the case for artifacts built from the dogfood branch, which are private.
+
+At some point of time, Dockerfile add the ability to download from the private hosting. Credentials where provided as `docker build` arguments. This option was **dropped because it was leaking credentials into the Docker image layers**.
+
+Instead, the download is now performed by the [`build-docker-from-private-repo.sh`](8/build-docker-from-private-repo.sh) script which then relies on the Dockerfile ability to bundle any locally provided SQ artifact (see below).
+
+Local artifacts
+---------------
+
+Dockerfile supports creating image from any locally provided SQ artifact.
+
+This artifact should be named `sonarqube-${SONARQUBE_VERSION}.zip` and located in the `zip` directory of the `docker build` context. If such file exists, this artifact will be used to build the image instead of downloading it from `binaries.sonarsource.com`.
+
+Note that:
+
+1. there is no check to enforce version of SQ in the zip file matches the `docker build` argument
+	* this is, by the way, used and exploited in dogfooding where Docker images for 8.0 are used to build images of 8.1 currently under development
+2. this feature must be removed from the official Dockerfile published to Docker Hub (see "Release process" below).
+
+
+ITs
+===
+
+ITs run on Travis, see [.travis.yml](.travis.yml).
+
+Currently, ITs are "simply" building a given image of SonarQube and make sure they can run it and have SonarQube responding on HTTP calls in a reasonable time.
+
+Since 8.0, images offer more features which are unfortunately not tested automatically (eg. `--init` parameter and automatice initialization of mounted directories).
+
+
+Discussion around the "version branch"
+======================================
+
+The "version branch" has been introduced as a mean to comply with two opposing constraints:
+
+1. to not have code in Dockerfile which is useless and only developement/dogfood specific
+2. use the real images for dogfooding
+
+This solution is not great:
+
+* it implies multiple manual operations for each release with a high risk of mistake
+* we are not sure how convenient it will be for next releases
+
+However, given the time constraints at the time, it was a good choice: it worked and was very quick and quite low risk to implement.
+
+Alternative
+-----------
+
+One promising alternative has been discussed.
+
+Based on the observation that:
+
+1. edition Dockerfiles vary by hardly more than a URL from each other
+2. the official image is basically the dev image stripped from some identifed code
+
+The idea would be to have:
+
+1. 6 Dockerfiles commit into the repository: two per editions, one for official image (no dev-specific code) and one for dev/dogfooding
+2. a Dockerfile "template"
+3. a script responsible for generating the 6 Dockerfiles from the "template"
+4. an IT ensuring that the 6 Dockerfiles are up to date with the "template" and the script (to prevent dev from forgetting to commit up-to-date Dockerfiles)
+
+With this idea:
+
+1. trust in dogfooding Docker images representatives of the one which will end up as the official images moves from the developer doing the right changes when cleaning the "version" branch to the script and the template
+  * no more human based last minute changes is an obvious improvement
+  * it's all commited so an error is easy to track
+2. there is no longer a need for a "version" branch
+
+However, it requires some time to develop and even confirm it's just feasible. For these reasons, this option wasn't retained at the time.

develop.md

@@ -0,0 +1,41 @@
+Guidelines and documentation for developers of the SonarQube Docker images.
+
+could not find java in ES_JAVA_HOME
+===================================
+
+`could not find java in ES_JAVA_HOME at /usr/lib/jvm/java-11-openjdk/bin/java` is a known error message when the container runtime is too old to be aware of the `faccessat2` syscall.
+This issue is tracked with [SONAR-15167](https://jira.sonarsource.com/browse/SONAR-15167) including some worarounds if a update of the container runtime is not possible. 
+
+Adding images for a new version of SQ
+=====================================
+
+New major version
+-----------------
+
+Create a new subdirectory with the major version number in the root directory of the repository with a sub directory for each supported edition, eg.: 
+
+```
+mkdir -p 9/community 9/developer 9/enterprise
+```
+
+Each edition directory will contain a single Dockerfile.
+
+New non-major version
+---------------------
+
+As of today, we publish only a single version of SQ for a given major version in the "master" branch.
+
+No new image is therefor created for non-major versions of SQ. Instead, existing images are updated.
+
+Docker images of older intermediate versions are accessible via tags.
+
+
+Release process
+===============
+
+Go [here](release.md)
+
+Deprecated
+==========
+
+More information in [deprecated](deprecated.md) processes/pipelines.

example-compose-files/sq-with-postgres/docker-compose.yml

@@ -33,4 +33,4 @@ volumes:
   sonarqube_extensions:
   sonarqube_logs:
   postgresql:
-  postgresql_data:
+  postgresql_data:

release.md

@@ -10,9 +10,10 @@ Overview
 Release of a new version of the official SonarQube Docker images is made of several operations:
 
 1. bump the version of SonarQube in Dockerfiles
-2. Update the docker hub SonarQube's documentation (if applicable)
-3. Update Docker Hub's SonarQube images
-4. add a GIT tag for the new version 
+2. bump the version of `CURRENT_LTS_VERSION` and `CURRENT_VERSION` accordingly in `.cirrus.yml` (please note that the nightly build will fail before the public image becomes available)
+3. Update the docker hub SonarQube's documentation (if applicable)
+4. Update Docker Hub's SonarQube images
+5. add a GIT tag for the new version 
 
 
 Bump the version of SonarQube in Dockerfiles
@@ -23,9 +24,9 @@ The version of SonarQube is hardcoded in each Dockerfile of this repository and
 Update the docker hub SonarQube's documentation (if applicable)
 -------------------------------
 
-If needed, prepare PR of Docker Hub documentation from SonarSource's fork of [https://github.com/docker-library/docs](https://github.com/docker-library/docs) named [sonarqube-docker-docs](https://github.com/SonarSource/sonarqube-docker-docs)
+If needed, prepare PR of Docker Hub documentation [https://github.com/docker-library/docs](https://github.com/docker-library/docs)
 
-> Note: updating the fork should not be necessary as we only care about the `sonarqube` directory and are the only people updating it
+> Note: Please use your own fork like seen in [this closed PR](https://github.com/docker-library/docs/pull/1660)
 
 To create a good PR:
 
@@ -42,9 +43,11 @@ For more and up to date documentation, see https://github.com/docker-library/doc
 Update Docker Hub's SonarQube images
 -----------------------
 
-Update the SonarSource [fork](https://github.com/SonarSource/official-images) of the [official-images](https://github.com/docker-library/official-images) to ensure that the `sonarqube` library is the latest version.
+In order to update the Docker Hub images, a Pull Request must be created on the [official-images](https://github.com/docker-library/official-images) repository.
 
-Create a feature branch on the company fork:
+To do so you should use your own personal fork
+
+Create a feature branch on the fork:
 * `GitCommit` must be updated to this repository master branch's HEAD.
 * `Tags` and `Directory` must be added/updated appropriatly for each edition
 * see https://github.com/docker-library/official-images/pull/8837/files as an example
@@ -52,7 +55,7 @@ Create a feature branch on the company fork:
 Until SonarQube is released and the public artifacts are available, keep your PR a draft PR to make it clear it is not ready to be merged yet.
 * Create the PR [here](https://github.com/docker-library/official-images/compare)
     * If the documentation was updated in the step before, reference that PR in this PR.
-* Click on *compare across fork* to be able to use the SonarSource fork as head repository.
+* Click on *compare across fork* to be able to use the fork as head repository.
 
 
 For more and up to date documentation, see https://github.com/docker-library/official-images.

run-tests.sh

@@ -116,7 +116,7 @@ sanity_check_image() {
         cd $test_compose_path
         export PORT=$port
         export IMAGE=$1
-        docker-compose up -d sonarqube
+        docker compose up -d sonarqube
         if wait_for_sonarqube_dce "$image"; then
             info "$image-app: OK !"
             result=ok
@@ -126,7 +126,7 @@ sanity_check_image() {
         fi
 
         info "$image-app: stopping container stack"
-        docker-compose stop
+        docker compose stop
 
         [[ $result == ok ]]
     fi

sonar-project.properties

@@ -0,0 +1,3 @@
+sonar.projectKey=SonarSource_docker-sonarqube_AYcnOvlJTpBOcQuGEdI5
+sonar.sources=9/,10/
+sonar.organization=sonarsource