Initial commit (#1)

* Initial commit

* bump

* test with commonm version

* change dependency version

* fix version

* Use node version

* use zip artifact

* move back to jar

* update cache

* bump

* enable scanner

* add releasability check

* fix sq issues

* more sq issues

* fix sq issues

* add exclusions

Author: zglicz

.cirrus.yml

@@ -1,37 +1,62 @@
 env:
-  CIRRUS_CLONE_DEPTH: "20"
   CIRRUS_SHELL: bash
+  CIRRUS_VAULT_URL: https://vault.sonar.build:8200
+  CIRRUS_VAULT_AUTH_PATH: jwt-cirrusci
+  CIRRUS_VAULT_ROLE: cirrusci-${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}
+
+  ARTIFACTORY_URL: https://repox.jfrog.io/artifactory
+  ARTIFACTORY_PRIVATE_USERNAME: vault-${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-private-reader
+  ARTIFACTORY_PRIVATE_PASSWORD: VAULT[development/artifactory/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-private-reader access_token]
+  ARTIFACTORY_DEPLOY_USERNAME: vault-${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-qa-deployer
+  ARTIFACTORY_DEPLOY_PASSWORD: VAULT[development/artifactory/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-qa-deployer access_token]
+  ARTIFACTORY_DEPLOY_REPO: sonarsource-public-qa
+  ARTIFACTORY_ACCESS_TOKEN: VAULT[development/artifactory/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-private-reader access_token]
+
+only_sonarsource_qa: &ONLY_SONARSOURCE_QA
+  only_if: $CIRRUS_USER_COLLABORATOR == 'true' && $CIRRUS_TAG == "" && ($CIRRUS_PR != "" || $CIRRUS_BRANCH == "master" || $CIRRUS_BRANCH =~ "branch-.*")
+
+nodejs_runtimes_cache_definition: &RUNTIME_CACHE
+  runtime_cache:
+    folder: runtime/downloads/
+    fingerprint_script: cat runtime/pom.xml | grep -o "<nodeVersion>.*"
 
 eks_container_definition: &CONTAINER_DEFINITION
-  image: ${CIRRUS_AWS_ACCOUNT}.dkr.ecr.eu-central-1.amazonaws.com/base:latest
+  image: ${CIRRUS_AWS_ACCOUNT}.dkr.ecr.eu-central-1.amazonaws.com/base:j17-latest
   cluster_name: ${CIRRUS_CLUSTER_NAME}
   region: eu-central-1
   namespace: default
 
 build_task:
   eks_container:
     <<: *CONTAINER_DEFINITION
-    cpu: 1
-    memory: 1G
+    cpu: 2
+    memory: 2G
   env:
-    # Possible values for ARTIFACTORY_DEPLOY_REPO: sonarsource-private-qa, sonarsource-public-qa
-    ARTIFACTORY_DEPLOY_REPO: FIXME
-    ARTIFACTORY_DEPLOY_USERNAME: VAULT[development/artifactory/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-qa-deployer username]
-    ARTIFACTORY_DEPLOY_PASSWORD: VAULT[development/artifactory/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-qa-deployer access_token]
     DEPLOY_PULL_REQUEST: "true"
+    SONAR_TOKEN: VAULT[development/kv/data/next data.token]
+    SONAR_HOST_URL: https://next.sonarqube.com/sonarqube
+  maven_cache:
+    folder: ${CIRRUS_WORKING_DIR}/.m2/repository
+  <<: *RUNTIME_CACHE
   build_script:
     - source cirrus-env BUILD
-    - regular_build_...
+    - regular_mvn_build_deploy_analyze
+  cleanup_before_cache_script:
+    - cleanup_maven_repository
 
 promote_task:
   depends_on:
     - build
+  <<: *ONLY_SONARSOURCE_QA
   eks_container:
     <<: *CONTAINER_DEFINITION
-    cpu: 1
-    memory: 1G
+    cpu: 2
+    memory: 2G
   env:
     ARTIFACTORY_PROMOTE_ACCESS_TOKEN: VAULT[development/artifactory/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-promoter access_token]
     GITHUB_TOKEN: VAULT[development/github/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-promotion token]
-    ARTIFACTS: FIXME # This was for Burgr links, is it still required?
-  script: cirrus_promote_...
+  maven_cache:
+    folder: $CIRRUS_WORKING_DIR/.m2/repository
+  script: cirrus_promote_maven
+  cleanup_before_cache_script:
+    - cleanup_maven_repository

.github/workflows/releasability.yml

@@ -0,0 +1,27 @@
+name: Releasability status
+'on':
+  check_suite:
+    types:
+      - completed
+jobs:
+  update_releasability_status:
+    runs-on: ubuntu-latest
+    name: Releasability status
+    permissions:
+      id-token: write
+      statuses: write
+      contents: read
+    if: >-
+      (contains(fromJSON('["main", "master"]'),
+      github.event.check_suite.head_branch) ||
+      startsWith(github.event.check_suite.head_branch, 'dogfood-') ||
+      startsWith(github.event.check_suite.head_branch, 'branch-')) &&
+      github.event.check_suite.conclusion == 'success' &&
+      github.event.check_suite.app.slug == 'cirrus-ci'
+    steps:
+      -   uses: >-
+            SonarSource/gh-action_releasability/releasability-status@v2
+          with:
+            optional_checks: "Jira"
+          env:
+            GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}'

.github/workflows/release.yml

@@ -1,16 +1,18 @@
 ---
-name: Release
+name: sonar-release
+# This workflow is triggered when publishing a new github release
+# yamllint disable-line rule:truthy
 on:
   release:
     types:
       - published
 
-env:
-  PYTHONUNBUFFERED: 1
-
 jobs:
   release:
     permissions:
       id-token: write
       contents: write
-    uses: SonarSource/gh-action_release/.github/workflows/main.yaml@34d8b20d125bfd58d124e84b007d3a18e61c358a # 5.10.4
+    uses: SonarSource/gh-action_release/.github/workflows/main.yaml@v5
+    with:
+      publishToBinaries: true
+      slackChannel:  squad-web

.gitignore

@@ -0,0 +1,36 @@
+# Maven
+target/
+bin/
+
+# IntelliJ IDEA
+*.iws
+*.iml
+*.ipr
+.idea/
+
+# Eclipse
+.classpath
+.project
+.settings
+
+# Visual Studio
+.vs/
+
+# VS Code
+.vscode/
+
+# ---- Mac OS X
+.DS_Store
+
+# ---- Windows
+# Windows image file caches
+Thumbs.db
+# Folder config file
+Desktop.ini
+
+# ---- Sonar
+.sonar
+.scannerwork
+
+runtime/downloads
+**/.flattened-pom.xml

README.md

@@ -1,3 +1,11 @@
-# nodejs-maven-plugin
+# Maven plugin dedicated to the SonarJS project lifecycle
 
-Maven plugin to provide Node.js runtimes
+## Goals
+
+### `compress`
+
+Compress the passed `filenames` using LZMA2 compression algorithm.
+
+### `download-runtimes`
+
+Download the Node.js runtimes and create their manifests (`version.txt`).

SECURITY.md

@@ -0,0 +1,17 @@
+# Reporting Security Issues
+
+A mature software vulnerability treatment process is a cornerstone of a robust information security management system.
+Contributions from the community play an important role in the evolution and security of our products, and in safeguarding
+the security and privacy of our users.
+
+If you believe you have discovered a security vulnerability in Sonar's products, we encourage you to report it immediately.
+
+To responsibly report a security issue, please email us at [[email protected]](mailto:[email protected]).
+Sonar’s security team will acknowledge your report, guide you through the next steps, or request additional information if necessary.
+Customers with a support contract can also report the vulnerability directly through the support channel.
+
+For security vulnerabilities found in third-party libraries, please also contact the library's owner or maintainer directly.
+
+## Responsible Disclosure Policy
+
+For more information about disclosing a security vulnerability to Sonar, please refer to our community post: [Responsible Vulnerability Disclosure](https://community.sonarsource.com/t/responsible-vulnerability-disclosure/9317/).

maven-plugin/pom.xml

@@ -0,0 +1,52 @@
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <parent>
+        <groupId>org.sonarsource.nodejs</groupId>
+        <artifactId>nodejs-maven</artifactId>
+        <version>${revision}</version>
+    </parent>
+
+    <artifactId>nodejs-maven-plugin</artifactId>
+    <packaging>maven-plugin</packaging>
+    <name>NodeJS Maven Plugin</name>
+    <description>Maven plugin to provide NodeJS runtimes</description>
+    <inceptionYear>2025</inceptionYear>
+    <version>${revision}</version>
+
+    <properties>
+        <maven-plugin-tools.version>3.15.1</maven-plugin-tools.version>
+        <gitRepositoryName>nodejs-maven-plugin</gitRepositoryName>
+        <jdk.min.version>17</jdk.min.version>
+        <maven.compiler.source>17</maven.compiler.source>
+        <maven.compiler.target>17</maven.compiler.target>
+        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+    </properties>
+
+
+    <dependencies>
+        <dependency>
+            <groupId>org.apache.maven</groupId>
+            <artifactId>maven-plugin-api</artifactId>
+            <version>3.9.9</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.maven.plugin-tools</groupId>
+            <artifactId>maven-plugin-annotations</artifactId>
+            <version>${maven-plugin-tools.version}</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.codehaus.plexus</groupId>
+            <artifactId>plexus-archiver</artifactId>
+            <version>4.10.0</version>
+        </dependency>
+        <dependency>
+            <groupId>org.tukaani</groupId>
+            <artifactId>xz</artifactId>
+            <version>1.10</version>
+        </dependency>
+    </dependencies>
+</project>

maven-plugin/src/main/java/ChecksumException.java

@@ -0,0 +1,21 @@
+/*
+ * NodeJS Maven Plugin
+ * Copyright (C) 2025-2025 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the Sonar Source-Available License Version 1, as published by SonarSource SA.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the Sonar Source-Available License for more details.
+ *
+ * You should have received a copy of the Sonar Source-Available License
+ * along with this program; if not, see https://sonarsource.com/license/ssal/
+ */
+public class ChecksumException extends Exception {
+	public ChecksumException(String message) {
+		super(message);
+	}
+}

maven-plugin/src/main/java/CompressMojo.java

@@ -0,0 +1,90 @@
+/*
+ * NodeJS Maven Plugin
+ * Copyright (C) 2025-2025 SonarSource SA
+ * mailto:info AT sonarsource DOT com
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the Sonar Source-Available License Version 1, as published by SonarSource SA.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+ * See the Sonar Source-Available License for more details.
+ *
+ * You should have received a copy of the Sonar Source-Available License
+ * along with this program; if not, see https://sonarsource.com/license/ssal/
+ */
+import java.io.FileNotFoundException;
+import java.io.IOException;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.util.Arrays;
+import java.util.List;
+import org.apache.maven.plugin.AbstractMojo;
+import org.apache.maven.plugins.annotations.Mojo;
+import org.apache.maven.plugins.annotations.Parameter;
+import org.tukaani.xz.LZMA2Options;
+import org.tukaani.xz.XZOutputStream;
+
+@Mojo(name = "compress")
+public class CompressMojo extends AbstractMojo {
+
+  @Parameter(required = true)
+  private String baseDirectory;
+
+  @Parameter(required = true)
+  private List<String> filenames;
+
+  @Parameter(required = true)
+  private String targetDirectory;
+
+  @Parameter(defaultValue = "9")
+  private int compressionLevel;
+
+  @Override
+  public void execute() {
+    try {
+      this.compress(
+          this.filenames.stream()
+            .map(filename -> Path.of(this.baseDirectory, filename).toAbsolutePath())
+            .toList()
+        );
+    } catch (IOException e) {
+      throw new IllegalStateException(
+        "Error while compressing " + Arrays.toString(filenames.toArray()),
+        e
+      );
+    }
+  }
+
+  protected void compress(List<Path> filenames) throws IOException {
+    for (var file : filenames) {
+      var outputFile = Path.of(
+        this.targetDirectory,
+        Path.of(this.baseDirectory).toAbsolutePath().relativize(file) + ".xz"
+      );
+
+      this.getLog().info("Compressing " + file + " to " + outputFile);
+
+      if (!Files.exists(file)) {
+        throw new FileNotFoundException(String.format("File %s does not exist.", file));
+      }
+
+      if (Files.exists(outputFile)) {
+        this.getLog()
+          .info(String.format("Skipping compression, file %s already exists.", outputFile));
+        continue;
+      }
+
+      outputFile.toFile().getParentFile().mkdirs();
+
+      try (
+        var is = Files.newInputStream(file);
+        var outfile = Files.newOutputStream(outputFile);
+        var outxz = new XZOutputStream(outfile, new LZMA2Options(this.compressionLevel))
+      ) {
+        is.transferTo(outxz);
+      }
+    }
+  }
+}