Merge branch 'master' into APPSEC-1248/S5144/Add-support-for-aiohttp

.cirrus.star

@@ -1,4 +1,4 @@
-load("github.com/SonarSource/cirrus-modules@v2", "load_features")
+load("github.com/SonarSource/cirrus-modules@v3", "load_features")
 
 def main(ctx):
     return load_features(ctx)

.cirrus.yml

@@ -2,7 +2,7 @@ env:
   GITHUB_TOKEN: VAULT[development/github/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-ro token]
   SONAR_HOST_URL: VAULT[development/kv/data/next data.url]
   SONAR_TOKEN: VAULT[development/kv/data/next data.token]
-  SONAR_SCANNER_VERSION: 4.6.1.2450
+  SONAR_SCANNER_VERSION: 5.0.1.3006
   SONAR_SCANNER_HOME: ${HOME}/.sonar/sonar-scanner-${SONAR_SCANNER_VERSION}-linux
   PATH: ${SONAR_SCANNER_HOME}/bin:$PATH
   # Need to clone full depth to track the changed files: for SQ analysis and for validation tasks
@@ -25,7 +25,7 @@ container_definition: &CONTAINER_DEFINITION
 
 setup_sonar_scanner: &SETUP_SONAR_SCANNER
   setup_sonar_scanner_script:
-    - apt update -y && apt upgrade -y && apt update -y && apt install -y unzip       
+    - apt update -y && apt upgrade -y && apt update -y && apt install -y unzip
     - curl --create-dirs -sSLo $HOME/.sonar/sonar-scanner.zip https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-$SONAR_SCANNER_VERSION-linux.zip
     - unzip -o $HOME/.sonar/sonar-scanner.zip -d $HOME/.sonar/
 
@@ -38,9 +38,7 @@ tooling_tests_task:
   env:
     PYTHONPATH: .
   install_dependencies_script:
-    - cd rspec-tools
-    - pipenv install --dev
-    - pipenv run pip install pytest pytest-cov
+    - ci/install_rspec_tools_dependencies.sh
   tests_script:
     - bash ci/fetch_branches.sh
     - cd rspec-tools
@@ -56,7 +54,7 @@ frontend_tests_task:
     <<: *CONTAINER_DEFINITION
     dockerfile: ci/frontend-tests-dockerfile
     cpu: 1
-    memory: 2G
+    memory: 3G
   node_modules_cache:
     folder: frontend/node_modules
     reupload_on_changes: false # since there is a fingerprint script
@@ -77,15 +75,6 @@ frontend_tests_task:
     - cd frontend
     - sonar-scanner
 
-validate_metadata_task:
-  eks_container:
-    <<: *CONTAINER_DEFINITION
-    dockerfile: ci/Dockerfile
-    cpu: 1
-    memory: 2G
-  metadata_tests_script:
-    - ./ci/validate_metadata.sh
-
 validate_ci_tests_task:
   skip: "!changesInclude('ci_tests/**', 'ci/**')"
   eks_container:
@@ -96,17 +85,22 @@ validate_ci_tests_task:
   ci_tests_script:
     - ./ci_tests/asciidoc_validation/run_tests.sh
 
-validate_asciidoc_task:
+validate_rules_task:
   eks_container:
     <<: *CONTAINER_DEFINITION
     dockerfile: ci/Dockerfile
     cpu: 1
     memory: 2G
-  asciidoc_tests_script:
+  metadata_validation_script:
+    - ./ci/validate_metadata.sh
+  file_extensions_validation_script:
+    - ./ci/validate_file_extensions.sh
+  asciidoc_validation_script:
     - ./ci/validate_asciidoc.sh
 
 validate_links_task:
   timeout_in: 120m
+  execution_lock: RSPEC_validate_links
   eks_container:
     <<: *CONTAINER_DEFINITION
     dockerfile: ci/Dockerfile
@@ -117,31 +111,20 @@ validate_links_task:
     LINK_CACHE_PATH: /root/link-probing-history.cache
   cache_download_script:
     - bash ci/cirrus-cache.sh download ${LINK_CACHE_NAME} ${LINK_CACHE_PATH}
-  tests_script:
     - md5sum /root/link-probing-history.cache/link_probes.history || true
+  tests_script:
     - ./ci/validate_links.sh ${LINK_CACHE_PATH}
-    - md5sum /root/link-probing-history.cache/link_probes.history
   always:
     cache_upload_script:
+      - md5sum /root/link-probing-history.cache/link_probes.history || true
       - bash ci/cirrus-cache.sh upload ${LINK_CACHE_NAME} ${LINK_CACHE_PATH}
 
-validate_file_extensions_task:
-  eks_container:
-    <<: *CONTAINER_DEFINITION
-    dockerfile: ci/Dockerfile
-    cpu: 1
-    memory: 2G
-  file_extension_tests_script:
-    - bash ./ci/validate_file_extensions.sh
-
 all_required_checks_task:
   depends_on:
     - tooling_tests
     - frontend_tests
-    - validate_metadata
-    - validate_asciidoc
+    - validate_rules
     - validate_ci_tests
-    - validate_file_extensions
   eks_container:
     <<: *CONTAINER_DEFINITION
     dockerfile: ci/Dockerfile

.devcontainer/devcontainer.json

@@ -0,0 +1,16 @@
+{
+    "build": {
+        "dockerfile": "../ci/Dockerfile"
+    },
+    // https://code.visualstudio.com/docs/devcontainers/create-dev-container#_rebuild
+    "postCreateCommand": ".devcontainer/finalize-container.sh",
+    "waitFor": "postCreateCommand",
+    "customizations": {
+        "vscode": {
+            "extensions": [
+                "ms-python.python",
+                "asciidoctor.asciidoctor-vscode"
+            ]
+        }
+    }
+}

.devcontainer/finalize-container.sh

@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+TOP_DIR=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &> /dev/null && pwd)/..
+
+$TOP_DIR/ci/install_rspec_tools_dependencies.sh

.github/CODEOWNERS

@@ -1 +1 @@
-.github/CODEOWNERS @SonarSource/languages-team-cfamily
+.github/CODEOWNERS @sonarsource/quality-cfamily-squad

.github/pull_request_template.md

@@ -1,3 +1,12 @@
+<!--
+Jira Automation:
+
+* Mention existing issue in the PR title to move it around automatically.
+* Mention existing issue in the PR description and a sub-task will be created for you to track this rspec PR separately.
+
+No issue is created by default.
+-->
+
 ## Review
 
 A dedicated reviewer checked the rule description successfully for:

.github/workflows/PullRequestClosed.yml

@@ -0,0 +1,29 @@
+name: Pull Request Closed
+
+on:
+  pull_request:
+    types: [closed]
+
+jobs:
+  PullRequestMerged_job:
+    name: Pull Request Merged
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      pull-requests: read
+    # For external PR, ticket should be moved manually
+    if: |
+        github.event.pull_request.head.repo.full_name == github.repository
+        && github.event.pull_request.merged
+    steps:
+      - id: secrets
+        uses: SonarSource/vault-action-wrapper@v3
+        with:
+          secrets: |
+            development/kv/data/jira user | JIRA_USER;
+            development/kv/data/jira token | JIRA_TOKEN;
+      - uses: sonarsource/gh-action-lt-backlog/PullRequestClosed@v2
+        with:
+          github-token: ${{secrets.GITHUB_TOKEN}}
+          jira-user:  ${{ fromJSON(steps.secrets.outputs.vault).JIRA_USER }}
+          jira-token: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_TOKEN }}

.github/workflows/PullRequestCreated.yml

@@ -0,0 +1,28 @@
+name: Pull Request Created
+
+on:
+  pull_request:
+    types: ["opened"]
+
+jobs:
+  PullRequestCreated_job:
+    name: Pull Request Created
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+    # For external PR, ticket should be created manually
+    if: |
+        github.event.pull_request.head.repo.full_name == github.repository
+    steps:
+      - id: secrets
+        uses: SonarSource/vault-action-wrapper@v3
+        with:
+          secrets: |
+            development/github/token/{REPO_OWNER_NAME_DASH}-jira token | GITHUB_TOKEN;
+            development/kv/data/jira user | JIRA_USER;
+            development/kv/data/jira token | JIRA_TOKEN;
+      - uses: sonarsource/gh-action-lt-backlog/PullRequestCreated@v2
+        with:
+          github-token: ${{ fromJSON(steps.secrets.outputs.vault).GITHUB_TOKEN }}
+          jira-user:    ${{ fromJSON(steps.secrets.outputs.vault).JIRA_USER }}
+          jira-token:   ${{ fromJSON(steps.secrets.outputs.vault).JIRA_TOKEN }}

.github/workflows/RequestReview.yml

@@ -0,0 +1,28 @@
+name: Request review
+
+on:
+  pull_request:
+    types: ["review_requested"]
+
+jobs:
+  RequestReview_job:
+    name: Request review
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+    # For external PR, ticket should be moved manually
+    if: |
+        github.event.pull_request.head.repo.full_name == github.repository
+    steps:
+      - id: secrets
+        uses: SonarSource/vault-action-wrapper@v3
+        with:
+          secrets: |
+            development/github/token/{REPO_OWNER_NAME_DASH}-jira token | GITHUB_TOKEN;
+            development/kv/data/jira user | JIRA_USER;
+            development/kv/data/jira token | JIRA_TOKEN;
+      - uses: sonarsource/gh-action-lt-backlog/RequestReview@v2
+        with:
+          github-token: ${{ fromJSON(steps.secrets.outputs.vault).GITHUB_TOKEN }}
+          jira-user:    ${{ fromJSON(steps.secrets.outputs.vault).JIRA_USER }}
+          jira-token:   ${{ fromJSON(steps.secrets.outputs.vault).JIRA_TOKEN }}

.github/workflows/SubmitReview.yml

@@ -0,0 +1,30 @@
+name: Submit Review
+
+on:
+  pull_request_review:
+    types: [submitted]
+
+jobs:
+  SubmitReview_job:
+    name: Submit Review
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      pull-requests: read
+    # For external PR, ticket should be moved manually
+    if: |
+        github.event.pull_request.head.repo.full_name == github.repository
+        && (github.event.review.state == 'changes_requested'
+            || github.event.review.state == 'approved')
+    steps:
+      - id: secrets
+        uses: SonarSource/vault-action-wrapper@v3
+        with:
+          secrets: |
+            development/kv/data/jira user | JIRA_USER;
+            development/kv/data/jira token | JIRA_TOKEN;
+      - uses: sonarsource/gh-action-lt-backlog/SubmitReview@v2
+        with:
+          github-token: ${{secrets.GITHUB_TOKEN}}
+          jira-user: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_USER }}
+          jira-token: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_TOKEN }}

.github/workflows/add_language.yml

@@ -15,6 +15,9 @@ on:
 jobs:
   add_language_to_rule:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
     env:
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 

.github/workflows/create_new_rspec.yml

@@ -12,6 +12,9 @@ on:
 jobs:
   create_new_rule:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
     env:
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 

.github/workflows/ensure_label.yml

@@ -0,0 +1,20 @@
+name: PR should have a language label
+on:
+  pull_request:
+    types: [opened, labeled, unlabeled, synchronize]
+
+jobs:
+  label:
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
+    steps:
+      - uses: mheap/github-action-required-labels@v5
+        with:
+          mode: minimum
+          count: 1
+          add_comment: true
+          use_regex: true
+          labels: ".*"
+          message: "Please add a label with the relevant language(s) to be able to merge this PR"

.github/workflows/update_coverage.yml

@@ -1,21 +1,35 @@
 name: Update rule coverage
 on:
   schedule:
-    - cron: '17 0 * * *'
+    - cron: '17 2 * * *'
+  workflow_dispatch: # When manually triggered from a non-default branch, the results will not be pushed
 
 jobs:
   update_coverage:
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write # required by SonarSource/vault-action-wrapper
+      contents: write
+      checks: read # required by fountainhead/action-wait-for-check
+      actions: write # required by andymckay/cancel-action
     env:
       TMP_BRANCH: temporary/coverage_update
 
     steps:
+    - name: 'get secrets'
+      id: secrets
+      uses: SonarSource/vault-action-wrapper@v3
+      with:
+        secrets: |
+          development/github/token/SonarSource-rspec-coverage token | coverage_github_token;
+          development/kv/data/slack token | slack_token;
+
     - uses: actions/checkout@v4
       with:
         persist-credentials: true
-        ref: master
+        fetch-depth: 0
         path: 'rspec'
-        token: ${{ secrets.COVERAGE_GITHUB_TOKEN }}
+        token: ${{ fromJSON(steps.secrets.outputs.vault).coverage_github_token }}
 
     - uses: actions/setup-python@v4
       with:
@@ -31,7 +45,7 @@ jobs:
 
     - name: 'Regenerate coverage information'
       env:
-        GITHUB_TOKEN: ${{ secrets.COVERAGE_GITHUB_TOKEN }}
+        GITHUB_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).coverage_github_token }}
       id: gen-coverage
       working-directory: 'rspec/rspec-tools'
       run: |
@@ -73,7 +87,8 @@ jobs:
     - name: 'Push the updated coverage to master'
       if: |
         steps.gen-coverage.outputs.new_coverage == 'true' &&
-        steps.wait-for-build.outputs.conclusion == 'success'
+        steps.wait-for-build.outputs.conclusion == 'success' &&
+        (github.event_name != 'workflow_dispatch' || github.ref == format('refs/heads/{0}', github.event.repository.default_branch))
       working-directory: 'rspec'
       run: |
         git checkout master
@@ -84,7 +99,7 @@ jobs:
       if: always() && steps.create-temp-branch.conclusion == 'success'
       uses: dawidd6/action-delete-branch@v3
       with:
-        github_token: ${{ secrets.GITHUB_TOKEN}}
+        github_token: ${{ secrets.GITHUB_TOKEN }}
         branches: ${{ env.TMP_BRANCH}}
 
     - name: 'Fail if the change breaks CI'
@@ -96,9 +111,9 @@ jobs:
     - name: 'Notify on slack about the failure'
       if: ${{ failure() }}
       env:
-        SLACK_API_TOKEN: ${{ secrets.SLACK_API_TOKEN }}
+        SLACK_API_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).slack_token }}
       working-directory: 'rspec/rspec-tools'
       run: |
         pipenv run rspec-tools notify-failure-on-slack \
           --message "ERROR: failed to update rule coverage. See https://github.com/SonarSource/rspec/actions/runs/$GITHUB_RUN_ID" \
-          --channel team-lang-rspec-v2
+          --channel team-analysis-rspec