SONARJAVA-5742 Add sonar.sca.exclusions, fix integration tests

Author: leonardo-pilastri-sonarsource

.cirrus.yml

@@ -149,15 +149,8 @@ plugin_qa_task:
     cpu: 14
     memory: 6G
   <<: *ORCHESTRATOR_CACHE_PREPARATION_DEFINITION
-  matrix:
-    - env:
-        SQ_VERSION: LATEST_RELEASE[2025.1]
-      orchestrator_LATEST_RELEASE_cache:
-        <<: *ORCHESTRATOR_CACHE_ELEMENTS_DEFINITION
-    - env:
-        SQ_VERSION: DEV[2025.1]
-      orchestrator_DEV_cache:
-        <<: *ORCHESTRATOR_CACHE_ELEMENTS_DEFINITION
+  orchestrator_LATEST_RELEASE_cache:
+    <<: *ORCHESTRATOR_CACHE_ELEMENTS_DEFINITION
 
   maven_cache:
     folder: ${CIRRUS_WORKING_DIR}/.m2/repository
@@ -168,7 +161,7 @@ plugin_qa_task:
     - source cirrus-env QA
     - source set_maven_build_version $BUILD_NUMBER
     - cd its/plugin
-    - mvn package --batch-mode -Pit-plugin -Dsonar.runtimeVersion=${SQ_VERSION} -Dmaven.test.redirectTestOutputToFile=false -B -e -V -Dparallel=classes -DuseUnlimitedThreads=true
+    - mvn package --batch-mode -Pit-plugin -Dsonar.runtimeVersion=LATEST_RELEASE[2025.1] -Dmaven.test.redirectTestOutputToFile=false -B -e -V -Dparallel=classes -DuseUnlimitedThreads=true
   cleanup_before_cache_script: cleanup_maven_repository
 
 sanity_task:

.cirrus/Dockerfile.jdk17AndLatest

@@ -11,18 +11,18 @@ ENV DEBIAN_FRONTEND=noninteractive
 # Use a similar method to install Java 23 copied from https://github.com/adoptium/containers/blob/main/22/jdk/ubuntu/jammy/Dockerfile
 
 ENV JAVA_LATEST_HOME /opt/java/openjdk23
-ENV JAVA_LATEST_VERSION jdk-23.0.1+11
+ENV JAVA_LATEST_VERSION jdk-23.0.2+7
 
 RUN set -eux; \
     ARCH="$(dpkg --print-architecture)"; \
     case "${ARCH}" in \
        amd64) \
-         ESUM='2400267e4e9c0f6ae880a4d763af6caf18c673714bdee5debf8388b0b5d52886'; \
-         BINARY_URL='https://github.com/adoptium/temurin23-binaries/releases/download/jdk-23.0.1%2B11/OpenJDK23U-jdk_x64_linux_hotspot_23.0.1_11.tar.gz'; \
+         ESUM='870ac8c05c6fe563e7a3878a47d0234b83c050e83651d2c47e8b822ec74512dd'; \
+         BINARY_URL='https://github.com/adoptium/temurin23-binaries/releases/download/jdk-23.0.2%2B7/OpenJDK23U-jdk_x64_linux_hotspot_23.0.2_7.tar.gz'; \
          ;; \
        arm64) \
-         ESUM='0b498a5b673cb50fe9cfd0a13bd39c7259b4fad4d930d614e1563aeb8bca7f0e'; \
-         BINARY_URL='https://github.com/adoptium/temurin23-binaries/releases/download/jdk-23.0.1%2B11/OpenJDK23U-jre_aarch64_linux_hotspot_23.0.1_11.tar.gz'; \
+         ESUM='b2a8a287ebd2d2a1d5d32eb6b79768cf2b5e02f1b4d6d4791297feb8636b9e2f'; \
+         BINARY_URL='https://github.com/adoptium/temurin23-binaries/releases/download/jdk-23.0.2%2B7/OpenJDK23U-jre_aarch64_linux_hotspot_23.0.2_7.tar.gz'; \
          ;; \
        *) \
          echo "Unsupported arch: ${ARCH}"; \

its/autoscan/src/test/java/org/sonar/java/it/AutoScanTest.java

@@ -195,8 +195,8 @@ public void javaCheckTestSources() throws Exception {
     SoftAssertions softly = new SoftAssertions();
     softly.assertThat(newDiffs).containsExactlyInAnyOrderElementsOf(knownDiffs.values());
     softly.assertThat(newTotal).isEqualTo(knownTotal);
-    softly.assertThat(rulesCausingFPs).hasSize(9);
-    softly.assertThat(rulesNotReporting).hasSize(11);
+    softly.assertThat(rulesCausingFPs).hasSize(11);
+    softly.assertThat(rulesNotReporting).hasSize(10);
 
     /**
      * 4. Check total number of differences (FPs + FNs)

pom.xml

@@ -106,6 +106,8 @@
 
     <!-- Overrides parent pom to use a more recent version of jacoco -->
     <version.jacoco.plugin>0.8.11</version.jacoco.plugin>
+    <!-- To avoid having security vulnerabilities reported on sample files and projects -->
+    <sonar.sca.exclusions>**/test/files/**, **/test/resources/**, its/plugin/projects/**, java-checks-test-sources/**, its/sources/**</sonar.sca.exclusions>
   </properties>
 
   <distributionManagement>