diff --git a/.cirrus.star b/.cirrus.star
deleted file mode 100644
index bc1f3998b..000000000
--- a/.cirrus.star
+++ /dev/null
@@ -1,4 +0,0 @@
-load("github.com/SonarSource/cirrus-modules@v3", "load_features")
-
-def main(ctx):
- return load_features(ctx)
diff --git a/.cirrus.yml b/.cirrus.yml
deleted file mode 100644
index f87aab3b0..000000000
--- a/.cirrus.yml
+++ /dev/null
@@ -1,136 +0,0 @@
-env:
- CIRRUS_CLONE_DEPTH: 20
- ARTIFACTORY_URL: VAULT[development/kv/data/repox data.url]
- ARTIFACTORY_PRIVATE_USERNAME: VAULT[development/artifactory/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-private-reader username]
- ARTIFACTORY_PRIVATE_PASSWORD: VAULT[development/artifactory/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-private-reader access_token]
- ARTIFACTORY_DEPLOY_USERNAME: vault-${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-qa-deployer
- ARTIFACTORY_DEPLOY_PASSWORD: VAULT[development/artifactory/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-qa-deployer access_token]
- #Possible values for ARTIFACTORY_DEPLOY_REPO: sonarsource-private-qa, sonarsource-public-qa
- ARTIFACTORY_DEPLOY_REPO: sonarsource-public-qa
- ARTIFACTORY_ACCESS_TOKEN: VAULT[development/artifactory/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-private-reader access_token]
- # Use bash (instead of sh on linux or cmd.exe on windows)
- CIRRUS_SHELL: bash
-
-container_definition: &CONTAINER_DEFINITION
- image: "${CIRRUS_AWS_ACCOUNT}.dkr.ecr.eu-central-1.amazonaws.com/base:j23-latest"
- cluster_name: ${CIRRUS_CLUSTER_NAME}
- region: eu-central-1
- namespace: default
-
-orchestrator_cache_preparation_definition: &ORCHESTRATOR_CACHE_PREPARATION_DEFINITION
- set_orchestrator_home_script: |
- export TODAY=$(date '+%Y-%m-%d')
- echo "TODAY=${TODAY}" >> $CIRRUS_ENV
- echo "ORCHESTRATOR_HOME=${CIRRUS_WORKING_DIR}/orchestrator/${TODAY}" >> $CIRRUS_ENV
- mkdir_orchestrator_home_script: |
- echo "Create dir ${ORCHESTRATOR_HOME} if needed"
- mkdir -p ${ORCHESTRATOR_HOME}
-
-orchestrator_cache_elements_definition: &ORCHESTRATOR_CACHE_ELEMENTS_DEFINITION
- folder: ${ORCHESTRATOR_HOME}
- fingerprint_script: echo ${TODAY}
- reupload_on_changes: "true"
-
-only_sonarsource_qa: &ONLY_SONARSOURCE_QA
- only_if: ${CIRRUS_USER_COLLABORATOR} == 'true' && ${CIRRUS_TAG} == "" && (${CIRRUS_PR} != "" || ${CIRRUS_BRANCH} == "master" || ${CIRRUS_BRANCH} =~ "branch-.*" || ${CIRRUS_BRANCH} =~ "dogfood-on-.*")
-
-build_task:
- eks_container:
- <<: *CONTAINER_DEFINITION
- cpu: 4
- memory: 4G
- env:
- # analysis on next
- SONAR_TOKEN: VAULT[development/kv/data/next data.token]
- SONAR_HOST_URL: https://next.sonarqube.com/sonarqube
- #allow deployment of pull request artifacts to repox
- DEPLOY_PULL_REQUEST: true
- # signing artifacts
- SIGN_KEY: VAULT[development/kv/data/sign data.key]
- PGP_PASSPHRASE: VAULT[development/kv/data/sign data.passphrase]
- maven_cache:
- folder: ${CIRRUS_WORKING_DIR}/.m2/repository
- build_script:
- - source cirrus-env BUILD
- - regular_mvn_build_deploy_analyze
- cleanup_before_cache_script: cleanup_maven_repository
-
-ws_scan_task:
- <<: *ONLY_SONARSOURCE_QA
- eks_container:
- <<: *CONTAINER_DEFINITION
- image: ${CIRRUS_AWS_ACCOUNT}.dkr.ecr.eu-central-1.amazonaws.com/base:j17-latest
- cpu: 4
- memory: 4G
- # run only on master and long-term branches
- only_if: $CIRRUS_USER_COLLABORATOR == 'true' && ($CIRRUS_BRANCH == "master" || $CIRRUS_BRANCH =~ "branch-.*" || $CIRRUS_BRANCH =~ "mend-.*")
- env:
- WS_APIKEY: VAULT[development/kv/data/mend data.apikey]
- maven_cache:
- folder: ${CIRRUS_WORKING_DIR}/.m2/repository
- whitesource_script:
- - source cirrus-env QA
- - source set_maven_build_version $BUILD_NUMBER
- - mvn clean install --batch-mode -Dmaven.test.skip=true -pl '!java-symbolic-execution/java-symbolic-execution-checks-test-sources'
- - source ws_scan.sh
- allow_failures: "true"
- always:
- ws_artifacts:
- path: "whitesource/**/*"
-
-ruling_task:
- depends_on:
- - build
- <<: *ONLY_SONARSOURCE_QA
- eks_container:
- <<: *CONTAINER_DEFINITION
- image: ${CIRRUS_AWS_ACCOUNT}.dkr.ecr.eu-central-1.amazonaws.com/base:j17-latest
- cpu: 14
- memory: 8G
- maven_cache:
- folder: ${CIRRUS_WORKING_DIR}/.m2/repository
- <<: *ORCHESTRATOR_CACHE_PREPARATION_DEFINITION
- orchestrator_LATEST_RELEASE_cache:
- <<: *ORCHESTRATOR_CACHE_ELEMENTS_DEFINITION
- submodules_script:
- - git submodule update --init --recursive
- env:
- MAVEN_OPTS: "-Xmx3g"
- GITHUB_TOKEN: VAULT[development/github/token/licenses-ro token]
- matrix:
- # Supported values for JAVA_PLUGIN_VERSION:
- # LATEST_RELEASE, LATEST_MASTER, LATEST_DOGFOOD, POM_PROPERTY or a fixed version like 8.15.0.39249
- - PROFILE: without-sonarqube-project
- JAVA_PLUGIN_VERSION: LATEST_MASTER
- - PROFILE: without-sonarqube-project
- JAVA_PLUGIN_VERSION: POM_PROPERTY
- - PROFILE: only-sonarqube-project
- JAVA_PLUGIN_VERSION: LATEST_MASTER
- ruling_script:
- - source cirrus-env QA
- - source set_maven_build_version $BUILD_NUMBER
- - export SONAR_JAVA_VERSION="$(.cirrus/resolve-sonar-java-plugin-version.sh "${JAVA_PLUGIN_VERSION}")"
- - echo "Using SONAR_JAVA_VERSION=${SONAR_JAVA_VERSION}"
- - cd its/ruling
- - mvn package --batch-mode "-Pit-ruling,$PROFILE" -Dsonar.java.version="$SONAR_JAVA_VERSION" -Dsonar.runtimeVersion=LATEST_RELEASE -Dmaven.test.redirectTestOutputToFile=false -B -e -V -Dparallel=methods -DuseUnlimitedThreads=true
- cleanup_before_cache_script: cleanup_maven_repository
- on_failure:
- actual_artifacts:
- path: "${CIRRUS_WORKING_DIR}/its/ruling/target/actual/**/*"
-
-promote_task:
- depends_on:
- - build
- - ws_scan
- - ruling
- <<: *ONLY_SONARSOURCE_QA
- eks_container:
- <<: *CONTAINER_DEFINITION
- cpu: 2
- memory: 1G
- env:
- ARTIFACTORY_PROMOTE_ACCESS_TOKEN: VAULT[development/artifactory/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-promoter access_token]
- maven_cache:
- folder: ${CIRRUS_WORKING_DIR}/.m2/repository
- main_script: cirrus_promote_maven
- cleanup_before_cache_script: cleanup_maven_repository
diff --git a/.cirrus/resolve-sonar-java-plugin-version.sh b/.github/scripts/resolve-sonar-java-plugin-version.sh
similarity index 100%
rename from .cirrus/resolve-sonar-java-plugin-version.sh
rename to .github/scripts/resolve-sonar-java-plugin-version.sh
diff --git a/.github/workflows/PrepareNextIteration.yml b/.github/workflows/PrepareNextIteration.yml
index d647ac0ba..8758735f5 100644
--- a/.github/workflows/PrepareNextIteration.yml
+++ b/.github/workflows/PrepareNextIteration.yml
@@ -10,7 +10,7 @@ on:
jobs:
Next-Iteration-Job:
name: Next Iteration Job
- runs-on: ubuntu-latest-large
+ runs-on: github-ubuntu-latest-s
permissions:
pull-requests: write
contents: write
diff --git a/.github/workflows/PullRequestClosed.yml b/.github/workflows/PullRequestClosed.yml
index 8885ef062..a02004726 100644
--- a/.github/workflows/PullRequestClosed.yml
+++ b/.github/workflows/PullRequestClosed.yml
@@ -7,7 +7,7 @@ on:
jobs:
PullRequestMerged_job:
name: Pull Request Merged
- runs-on: ubuntu-latest-large
+ runs-on: github-ubuntu-latest-s
permissions:
id-token: write
pull-requests: read
diff --git a/.github/workflows/PullRequestCreated.yml b/.github/workflows/PullRequestCreated.yml
index acf0da5c4..a8d3850bf 100644
--- a/.github/workflows/PullRequestCreated.yml
+++ b/.github/workflows/PullRequestCreated.yml
@@ -7,7 +7,7 @@ on:
jobs:
PullRequestCreated_job:
name: Pull Request Created
- runs-on: ubuntu-latest-large
+ runs-on: github-ubuntu-latest-s
permissions:
id-token: write
# For external PR, ticket should be created manually
diff --git a/.github/workflows/RequestReview.yml b/.github/workflows/RequestReview.yml
index 5e74c2b6f..eb1425d40 100644
--- a/.github/workflows/RequestReview.yml
+++ b/.github/workflows/RequestReview.yml
@@ -7,7 +7,7 @@ on:
jobs:
RequestReview_job:
name: Request review
- runs-on: ubuntu-latest-large
+ runs-on: github-ubuntu-latest-s
permissions:
id-token: write
# For external PR, ticket should be moved manually
diff --git a/.github/workflows/SubmitReview.yml b/.github/workflows/SubmitReview.yml
index 763ca30be..d5b18a7ed 100644
--- a/.github/workflows/SubmitReview.yml
+++ b/.github/workflows/SubmitReview.yml
@@ -7,7 +7,7 @@ on:
jobs:
SubmitReview_job:
name: Submit Review
- runs-on: ubuntu-latest-large
+ runs-on: github-ubuntu-latest-s
permissions:
id-token: write
pull-requests: read
diff --git a/.github/workflows/ToggleLockBranch.yml b/.github/workflows/ToggleLockBranch.yml
index 205dfefd7..6da9ebb9a 100644
--- a/.github/workflows/ToggleLockBranch.yml
+++ b/.github/workflows/ToggleLockBranch.yml
@@ -6,7 +6,7 @@ on:
jobs:
ToggleLockBranch_job:
name: Toggle lock branch
- runs-on: ubuntu-latest-large
+ runs-on: github-ubuntu-latest-s
permissions:
id-token: write
steps:
diff --git a/.github/workflows/UpdateRuleMetadata.yml b/.github/workflows/UpdateRuleMetadata.yml
index 2ce1a8abe..1a517091c 100644
--- a/.github/workflows/UpdateRuleMetadata.yml
+++ b/.github/workflows/UpdateRuleMetadata.yml
@@ -8,7 +8,7 @@ env:
jobs:
UpdateRuleMetadata_job:
name: Update Rule Metadata
- runs-on: ubuntu-latest-large
+ runs-on: github-ubuntu-latest-s
permissions:
pull-requests: write
contents: write
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
new file mode 100644
index 000000000..9f4db2f63
--- /dev/null
+++ b/.github/workflows/build.yml
@@ -0,0 +1,118 @@
+name: Build
+on:
+ push:
+ branches:
+ - master
+ - branch-*
+ - dogfood-*
+ pull_request:
+ workflow_dispatch:
+ schedule:
+ - cron: "30 1 * * *" # Run daily at 1:30 AM UTC
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ build:
+ name: Build
+ runs-on: github-ubuntu-latest-s
+ permissions:
+ id-token: write
+ contents: write
+ outputs:
+ build-number: ${{ steps.build-step.outputs.BUILD_NUMBER }}
+ deployed: ${{ steps.build-step.outputs.deployed }}
+ steps:
+ - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ - uses: jdx/mise-action@d6e32c1796099e0f1f3ac741c220a8b7eae9e5dd # v3.2.0
+ with:
+ version: 2025.7.12
+ - uses: SonarSource/ci-github-actions/build-maven@v1
+ id: build-step
+ with:
+ deploy-pull-request: true
+ artifactory-reader-role: private-reader # Override default public-reader
+ artifactory-deployer-role: qa-deployer # Override default public-deployer
+
+ qa:
+ needs: [build]
+ if: ${{ needs.build.outputs.deployed }}
+ runs-on: github-ubuntu-latest-l
+ permissions:
+ id-token: write
+ strategy:
+ fail-fast: false
+ matrix:
+ item:
+ - { name: "with Lastest SonarJava Plugin", profile: "without-sonarqube-project", java_plugin_version: "LATEST_MASTER" }
+ - { name: "for SonarQube Project Only", profile: "only-sonarqube-project", java_plugin_version: "LATEST_MASTER" }
+ - { name: "with Prod SonarJava Plugin", profile: "without-sonarqube-project", java_plugin_version: "POM_PROPERTY" }
+ name: "QA Tests ${{ matrix.item.name }}"
+ env:
+ BUILD_NUMBER: ${{ needs.build.outputs.build-number }}
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ with:
+ submodules: recursive
+ - uses: jdx/mise-action@d6e32c1796099e0f1f3ac741c220a8b7eae9e5dd # v3.2.0
+ with:
+ working-directory: its/ruling
+ version: 2025.7.12
+ - name: Get GitHub Token for QA Licenses
+ id: secrets
+ uses: SonarSource/vault-action-wrapper@v3
+ with:
+ secrets: |
+ development/github/token/licenses-ro token | GITHUB_TOKEN;
+ - name: Configure Maven
+ id: configure-maven
+ uses: SonarSource/ci-github-actions/config-maven@v1
+ with:
+ artifactory-reader-role: private-reader # Override default public-reader
+ - name: Get Sonar Java plugin version
+ id: resolve-sonar-java-plugin-version
+ run: |
+ VERSION=$(.github/scripts/resolve-sonar-java-plugin-version.sh "${{ matrix.item.java_plugin_version }}")
+ echo "version=${VERSION}" >> $GITHUB_OUTPUT
+ - name: Run QA Tests
+ working-directory: its/ruling
+ env:
+ GITHUB_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).GITHUB_TOKEN }}
+ BUILD_NUMBER: ${{ needs.build.outputs.build-number }}
+ MAVEN_OPTS: "-Xmx3g"
+ SONAR_JAVA_VERSION: ${{ steps.resolve-sonar-java-plugin-version.outputs.version }}
+ run: |
+ mvn package --batch-mode \
+ "-Pit-ruling,${{ matrix.item.profile }}" \
+ "-Dsonar.java.version=${SONAR_JAVA_VERSION}" \
+ "-Dorchestrator.artifactory.accessToken=${ARTIFACTORY_ACCESS_TOKEN}" \
+ "-Dsonar.runtimeVersion=LATEST_RELEASE" \
+ "-Dmaven.test.redirectTestOutputToFile=false" \
+ "-DbuildNumber=${BUILD_NUMBER}" \
+ -B -e -V \
+ "-Dparallel=methods" \
+ "-DuseUnlimitedThreads=true"
+ - name: Upload ruling artifacts on failure
+ if: failure()
+ uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.5.0
+ with:
+ name: ruling-actual-${{ matrix.item.profile }}-${{ matrix.item.java_plugin_version }}
+ path: its/ruling/target/actual/**/*
+
+ promote:
+ name: Promote
+ if: ${{ needs.build.outputs.deployed }}
+ needs:
+ - build
+ - qa
+ runs-on: github-ubuntu-latest-s
+ permissions:
+ id-token: write
+ env:
+ BUILD_NUMBER: ${{ needs.build.outputs.build-number }}
+ steps:
+ - name: Promote artifacts
+ uses: SonarSource/ci-github-actions/promote@v1
\ No newline at end of file
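Review bot: The `if: ${{ needs.build.outputs.deployed }}` guards on the `qa` and `promote` jobs test a job output, which is always a string, so any non-empty value, including the text `false`, is truthy and both jobs would still run. What `build-maven` writes to `deployed` is not visible in this diff; if it can emit `false`, compare explicitly with `if: ${{ needs.build.outputs.deployed == 'true' }}` in both places. Separately, `SonarSource/ci-github-actions/build-maven@v1`, `config-maven@v1`, `promote@v1` and `SonarSource/vault-action-wrapper@v3` are referenced by mutable tag in jobs that hold `id-token: write` (plus `contents: write` for `build`), while `actions/checkout`, `jdx/mise-action` and `actions/upload-artifact` are pinned to commit SHAs. Pinning the org actions the same way would keep these privileged jobs reproducible, and the same applies to `pr_cleanup@v1` in pr-cleanup.yml and `gh-action_releasability@v3` in releasability.yaml. The removed `.cirrus.yml` also listed `ws_scan` among the `promote_task` dependencies and no dependency-scan job appears in this workflow, so it is worth confirming that scan now runs elsewhere.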
diff --git a/.github/workflows/dogfood.yml b/.github/workflows/dogfood.yml
index 5892a06ad..cd281ec27 100644
--- a/.github/workflows/dogfood.yml
+++ b/.github/workflows/dogfood.yml
@@ -12,7 +12,7 @@ on:
jobs:
dogfood_merge:
- runs-on: ubuntu-latest-large
+ runs-on: github-ubuntu-latest-s
name: Update dogfood branch
permissions:
id-token: write # required for SonarSource/vault-action-wrapper
diff --git a/.github/workflows/mark-prs-stale.yml b/.github/workflows/mark-prs-stale.yml
index ad3dff744..12c46e408 100644
--- a/.github/workflows/mark-prs-stale.yml
+++ b/.github/workflows/mark-prs-stale.yml
@@ -6,7 +6,7 @@ on:
jobs:
stale:
- runs-on: ubuntu-latest-large
+ runs-on: github-ubuntu-latest-s
permissions:
issues: write
pull-requests: write
diff --git a/.github/workflows/pr-cleanup.yml b/.github/workflows/pr-cleanup.yml
new file mode 100644
index 000000000..65c756fc6
--- /dev/null
+++ b/.github/workflows/pr-cleanup.yml
@@ -0,0 +1,13 @@
+name: Cleanup PR Resources
+on:
+ pull_request:
+ types:
+ - closed
+
+jobs:
+ cleanup:
+ runs-on: github-ubuntu-latest-s
+ permissions:
+ actions: write
+ steps:
+ - uses: SonarSource/ci-github-actions/pr_cleanup@v1
diff --git a/.github/workflows/releasability.yaml b/.github/workflows/releasability.yaml
index c85f29216..203d81802 100644
--- a/.github/workflows/releasability.yaml
+++ b/.github/workflows/releasability.yaml
@@ -11,7 +11,7 @@ on:
jobs:
releasability-job:
name: Releasability check
- runs-on: ubuntu-latest-large
+ runs-on: github-ubuntu-latest-s
permissions:
id-token: write # required by SonarSource/vault-action-wrapper
contents: read # required by checkout
@@ -44,7 +44,7 @@ jobs:
echo "LATEST_VERSION=${{ github.event.inputs.version }}" >> "$GITHUB_OUTPUT"
fi
- - uses: SonarSource/gh-action_releasability@v2
+ - uses: SonarSource/gh-action_releasability@v3
id: releasability
with:
branch: ${{ github.ref_name }}
diff --git a/.github/workflows/slack_notify.yml b/.github/workflows/slack_notify.yml
index 138d0c3c0..505cf90b5 100644
--- a/.github/workflows/slack_notify.yml
+++ b/.github/workflows/slack_notify.yml
@@ -14,7 +14,7 @@ jobs:
slack-notifications:
if: >-
contains(fromJSON('["main", "master"]'), github.event.check_suite.head_branch) || startsWith(github.event.check_suite.head_branch, 'dogfood-') || startsWith(github.event.check_suite.head_branch, 'branch-')
- runs-on: ubuntu-latest-large
+ runs-on: github-ubuntu-latest-s
steps:
- name: Send Slack Notification
env:
diff --git a/README.md b/README.md
index 89153473c..6782514cf 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,4 @@
-Sonar Java symbolic execution plugin [](https://cirrus-ci.com/github/SonarSource/sonar-java) [](https://next.sonarqube.com/sonarqube/dashboard?id=org.sonarsource.java%3Asonar-java-symbolic-execution) [](https://next.sonarqube.com/sonarqube/component_measures/domain/Coverage?id=org.sonarsource.java%3Asonar-java-symbolic-execution)
+Sonar Java symbolic execution plugin [](https://github.com/SonarSource/sonar-java-symbolic-execution/actions/workflows/build.yml) [](https://next.sonarqube.com/sonarqube/dashboard?id=org.sonarsource.java%3Asonar-java-symbolic-execution) [](https://next.sonarqube.com/sonarqube/component_measures/domain/Coverage?id=org.sonarsource.java%3Asonar-java-symbolic-execution)
==========
This SonarSource project is a plugin designed for advanced bug detection in Java projects, helping developers write [Clean Code](https://www.sonarsource.com/solutions/clean-code/).
diff --git a/its/ruling/mise.toml b/its/ruling/mise.toml
new file mode 100644
index 000000000..5a685377c
--- /dev/null
+++ b/its/ruling/mise.toml
@@ -0,0 +1,2 @@
+[tools]
+java = "17.0"
\ No newline at end of file
diff --git a/mise.toml b/mise.toml
new file mode 100644
index 000000000..9a5dc67a1
--- /dev/null
+++ b/mise.toml
@@ -0,0 +1,3 @@
+[tools]
+java = "23"
+maven = "3.9"
diff --git a/pom.xml b/pom.xml
index 6446bedfc..44f1f5003 100644
--- a/pom.xml
+++ b/pom.xml
@@ -5,7 +5,7 @@
org.sonarsource.parent
parent
- 85.0.0.3035
+ 86.0.0.3040
org.sonarsource.java
@@ -64,8 +64,8 @@
https://jira.sonarsource.com/browse/JAVASE
- Cirrus CI
- https://cirrus-ci.com/github/SonarSource/sonar-java-symbolic-execution
+ GitHub Actions
+ https://github.com/SonarSource/sonar-java-symbolic-execution/actions/workflows/build.yml
diff --git a/wss-unified-agent.config b/wss-unified-agent.config
deleted file mode 100644
index 44a81c262..000000000
--- a/wss-unified-agent.config
+++ /dev/null
@@ -1,15 +0,0 @@
-excludes=**/*sources.jar **/*javadoc.jar **/its/sources/**
-fileSystemScan=False
-resolveAllDependencies=False
-
-maven.aggregateModules=True
-maven.downloadMissingDependencies=False
-maven.m2RepositoryPath=.m2/repository
-maven.resolveDependencies=True
-maven.runPreStep=False
-
-wss.url=https://saas-eu.whitesourcesoftware.com/agent
-
-forceUpdate=true
-checkPolicies=true
-forceUpdate.failBuildOnPolicyViolation=true