SCANDOCKER-10 Add OCI image annotations

.cirrus.yml

@@ -12,7 +12,8 @@
 
   # Staging image configuration
   STAGING_IMAGE_NAME: sonarsource/sonarqube
-  CURRENT_TAG: scanner-5.0.1
+  IMAGE_VERSION: 10.0.0
+  SONAR_SCANNER_VERSION: 5.0.1
 
 vm_instance_template: &VM_TEMPLATE
   experimental: true # see https://github.com/cirruslabs/cirrus-ci-docs/issues/1051
@@ -24,18 +25,39 @@
   cpu: 4
   memory: 16G
 
+only_sonarsource_qa: &ONLY_SONARSOURCE_QA
+  only_if: $CIRRUS_USER_COLLABORATOR == 'true' && $CIRRUS_TAG == "" && ($CIRRUS_PR != "" || $CIRRUS_BRANCH == $CIRRUS_DEFAULT_BRANCH || $CIRRUS_BRANCH =~ "branch-.*" || $CIRRUS_BUILD_SOURCE == 'api' )
+
 build_task:
+  <<: *ONLY_SONARSOURCE_QA
+  env:
+    FULL_VERSION: ${IMAGE_VERSION}.${CI_BUILD_NUMBER}_${SONAR_SCANNER_VERSION}
   ec2_instance:
     <<: *VM_TEMPLATE
   login_script:
     - docker login --username $DOCKER_USERNAME --password $DOCKER_PASSWORD
   build_script:
-    - echo "Build and push the ${STAGING_IMAGE_NAME}:${CURRENT_TAG} image"
-    - docker build --tag "${STAGING_IMAGE_NAME}:${CURRENT_TAG}" --push .
+    - echo "Build and push the ${STAGING_IMAGE_NAME}:scanner-${FULL_VERSION} image"
+    - docker --version
+    - > 
+      docker build
+      --annotation "org.opencontainers.image.title=SonarScanner CLI for SonarQube and SonarCloud"
+      --annotation "org.opencontainers.image.description=SonarScanner is the official scanner used to run code analysis on SonarQube and SonarCloud"
+      --annotation "org.opencontainers.image.vendor=SonarSource"
+      --annotation "org.opencontainers.image.url=https://hub.docker.com/r/sonarsource/sonar-scanner-cli"
+      --annotation "org.opencontainers.image.source=https://github.com/my-organization/my-project/${CIRRUS_REPO_FULL_NAME}"
+      --annotation "org.opencontainers.image.documentation=https://docs.sonarqube.org/latest/analysis/scan/sonarscanner/"
+      --annotation "org.opencontainers.image.revision=${CIRRUS_CHANGE_IN_REPO}"
+      --annotation "org.opencontainers.image.version=${FULL_VERSION}"
+      --tag "${STAGING_IMAGE_NAME}:scanner-${FULL_VERSION}"
+      --push
+      .
 
 private_scan_task:
   # run only on master and long-term branches
   only_if: $CIRRUS_USER_COLLABORATOR == 'true' && ($CIRRUS_BRANCH == "master" || $CIRRUS_BRANCH =~ "branch-.*")
+  env:
+    FULL_VERSION: ${IMAGE_VERSION}.${CI_BUILD_NUMBER}_${SONAR_SCANNER_VERSION}
   ec2_instance:
     <<: *VM_TEMPLATE
   login_script:
@@ -44,10 +66,10 @@
     - apt-get remove -y unattended-upgrades
     - apt-get update && apt-get install -y --no-install-recommends openjdk-17-jre
     - curl -sSL https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar -o wss-unified-agent.jar
-    - echo "docker.includes=.*${CURRENT_TAG}.*" >> .cirrus/wss-unified-agent.config
+    - echo "docker.includes=.*${STAGING_IMAGE_NAME}.*" >> .cirrus/wss-unified-agent.config
   scan_script:
-    - echo "Scan the ${STAGING_IMAGE_NAME}:${CURRENT_TAG} image"
-    - docker pull "${STAGING_IMAGE_NAME}:${CURRENT_TAG}"
+    - echo "Scan the ${STAGING_IMAGE_NAME}:scanner-${FULL_VERSION} image"
+    - docker pull "${STAGING_IMAGE_NAME}:scanner-${FULL_VERSION}"
     - java -jar wss-unified-agent.jar -c .cirrus/wss-unified-agent.config -apiKey $MEND_API_KEY
 depends_on: build
 
@@ -68,18 +90,20 @@
     - docker pull "${PUBLIC_IMAGE_NAME}:${TAG}"
     - java -jar wss-unified-agent.jar -c .cirrus/wss-unified-agent.config -apiKey $MEND_API_KEY
 
 test_docker_builder:
+  env:
+    FULL_VERSION: ${IMAGE_VERSION}.${CI_BUILD_NUMBER}_${SONAR_SCANNER_VERSION}
   login_script:
     - docker login --username $DOCKER_USERNAME --password $DOCKER_PASSWORD
   test_script:
     - apt-get update && apt-get install -qy bats
     - echo "Checking out the sonar-scanning-examples repository"
     - git clone https://github.com/SonarSource/sonar-scanning-examples.git target_repository
-    - echo "Test the ${STAGING_IMAGE_NAME}:${CURRENT_TAG} image"
-    - TEST_IMAGE="${STAGING_IMAGE_NAME}:${CURRENT_TAG}" bats --tap test
+    - echo "Test the ${STAGING_IMAGE_NAME}:scanner-${FULL_VERSION} image"
+    - TEST_IMAGE="${STAGING_IMAGE_NAME}:scanner-${FULL_VERSION}" bats --tap test
   depends_on: build
 
 sonar_scan_task:
   eks_container:
     region: eu-central-1
     cluster_name: ${CIRRUS_CLUSTER_NAME}

.github/workflows/release.yml

@@ -27,15 +27,17 @@ jobs:
         id: get_version
         run: |
           full_image_tag=${{ github.event.release.tag_name }}
-          if [[ ! ${full_image_tag} =~ ^[1-9][0-9]+.[0-9]+.[0-9]+_[0-9]+.[0-9]+.[0-9]+ ]]; then
-            echo "The release tag should be in the format of {major}.{minor}.{patch}_{scanner_major}.{scanner_minor}.{scanner_patch} but it was ${full_image_tag}"
+          if [[ ! ${full_image_tag} =~ ^[1-9][0-9]+.[0-9]+.[0-9]+.[0-9]+_[0-9]+.[0-9]+.[0-9]+ ]]; then
+            echo "The release tag should be in the format of {major}.{minor}.{patch}.{buildnumber}_{scanner_major}.{scanner_minor}.{scanner_patch} but it was ${full_image_tag}"
             exit 1
           fi
 
-          IFS=. read docker_major docker_minor rest <<<"${full_image_tag}"
+          IFS=. read docker_major docker_minor docker_patch build_and_scanner <<<"${full_image_tag}"
+          IFS=_ read buildnumber scanner_version <<<"${build_and_scanner}"
           echo "major_version=${docker_major}" >> $GITHUB_OUTPUT
           echo "major_minor=${docker_major}.${docker_minor}" >> $GITHUB_OUTPUT
-          echo "major_minor_patch=${full_image_tag}" >> $GITHUB_OUTPUT
+          echo "full_image_tag=${full_image_tag}" >> $GITHUB_OUTPUT
+          echo "buildnumber=${buildnumber}" >> $GITHUB_OUTPUT
         shell: bash
       - uses: actions/checkout@v2
         with:
@@ -46,28 +48,27 @@ jobs:
           path: target_repository
       - name: Build image
         run: |
-          docker build . \
-            --tag "sonarsource/sonar-scanner-cli:${{ steps.get_version.outputs.major_version }}" \
-            --tag "repox-sonarsource-docker-releases.jfrog.io/sonarsource/sonar-scanner-cli:${{ steps.get_version.outputs.major_version }}" \
-            --tag "sonarsource/sonar-scanner-cli:${{ steps.get_version.outputs.major_minor }}" \
-            --tag "repox-sonarsource-docker-releases.jfrog.io/sonarsource/sonar-scanner-cli:${{ steps.get_version.outputs.major_minor }}" \
-            --tag "sonarsource/sonar-scanner-cli:${{ steps.get_version.outputs.major_minor_patch }}" \
-            --tag "repox-sonarsource-docker-releases.jfrog.io/sonarsource/sonar-scanner-cli:${{ steps.get_version.outputs.major_minor_patch }}" \
-            --tag "sonarsource/sonar-scanner-cli:latest" \
-            --tag "repox-sonarsource-docker-releases.jfrog.io/sonarsource/sonar-scanner-cli:latest" \
+          docker login --username ${{ fromJSON(steps.secrets.outputs.vault).docker_username }} --password-stdin <<< "${{ fromJSON(steps.secrets.outputs.vault).docker_access_token }}"
+          docker pull "sonarsource/sonarqube:scanner-${{ steps.get_version.outputs.full_image_tag }}"
+          docker tag "sonarsource/sonarqube:scanner-${{ steps.get_version.outputs.full_image_tag }}" "sonarsource/sonar-scanner-cli:${{ steps.get_version.outputs.major_version }}"
+          docker tag "sonarsource/sonarqube:scanner-${{ steps.get_version.outputs.full_image_tag }}" "repox-sonarsource-docker-releases.jfrog.io/sonarsource/sonar-scanner-cli:${{ steps.get_version.outputs.major_version }}"
+          docker tag "sonarsource/sonarqube:scanner-${{ steps.get_version.outputs.full_image_tag }}" "sonarsource/sonar-scanner-cli:${{ steps.get_version.outputs.major_minor }}"
+          docker tag "sonarsource/sonarqube:scanner-${{ steps.get_version.outputs.full_image_tag }}" "repox-sonarsource-docker-releases.jfrog.io/sonarsource/sonar-scanner-cli:${{ steps.get_version.outputs.major_minor }}"
+          docker tag "sonarsource/sonarqube:scanner-${{ steps.get_version.outputs.full_image_tag }}" "sonarsource/sonar-scanner-cli:${{ steps.get_version.outputs.full_image_tag }}"
+          docker tag "sonarsource/sonarqube:scanner-${{ steps.get_version.outputs.full_image_tag }}" "repox-sonarsource-docker-releases.jfrog.io/sonarsource/sonar-scanner-cli:${{ steps.get_version.outputs.full_image_tag }}"
       - name: Setup BATS
         uses: mig4/setup-bats@v1
         with:
           bats-version: 1.2.1
       - name: Test image
         run: |
           echo "Running tests on image"
-          TEST_IMAGE="sonarsource/sonar-scanner-cli:${{ steps.get_version.outputs.major_minor }}" bats --tap test
+          TEST_IMAGE="sonarsource/sonar-scanner-cli:${{ steps.get_version.outputs.full_image_tag }}" bats --tap test
       - name: Generate CycloneDX SBOM
         uses: SonarSource/gh-action_sbom@v1
         with:
-          image: "sonarsource/sonar-scanner-cli:${{ steps.get_version.outputs.major_minor }}"
-          filename: "sonar-scanner-cli-${{ matrix.tag }}-bom.json"
+          image: "sonarsource/sonar-scanner-cli:${{ steps.get_version.outputs.full_image_tag }}"
+          filename: "sonar-scanner-cli-docker-${{ steps.get_version.outputs.full_image_tag }}-bom.json"
           upload-artifact: true
           upload-release-assets: true
         env:
@@ -78,13 +79,11 @@ jobs:
           docker login --username ${{ fromJSON(steps.secrets.outputs.vault).docker_username }} --password-stdin <<< "${{ fromJSON(steps.secrets.outputs.vault).docker_access_token }}"
           docker push sonarsource/sonar-scanner-cli:${{ steps.get_version.outputs.major_version }}
           docker push sonarsource/sonar-scanner-cli:${{ steps.get_version.outputs.major_minor }}
-          docker push sonarsource/sonar-scanner-cli:${{ steps.get_version.outputs.major_minor_patch }}
-          docker push sonarsource/sonar-scanner-cli:latest
+          docker push sonarsource/sonar-scanner-cli:${{ steps.get_version.outputs.full_image_tag }}
           docker login repox-sonarsource-docker-releases.jfrog.io --username vault-SonarSource-sonar-scanner-cli-docker-docker-release --password-stdin <<< "${{ fromJSON(steps.secrets.outputs.vault).repox_access_token }}"
           docker push repox-sonarsource-docker-releases.jfrog.io/sonarsource/sonar-scanner-cli:${{ steps.get_version.outputs.major_version }}
           docker push repox-sonarsource-docker-releases.jfrog.io/sonarsource/sonar-scanner-cli:${{ steps.get_version.outputs.major_minor }}
-          docker push repox-sonarsource-docker-releases.jfrog.io/sonarsource/sonar-scanner-cli:${{ steps.get_version.outputs.major_minor_patch }}
-          docker push repox-sonarsource-docker-releases.jfrog.io/sonarsource/sonar-scanner-cli:latest
+          docker push repox-sonarsource-docker-releases.jfrog.io/sonarsource/sonar-scanner-cli:${{ steps.get_version.outputs.full_image_tag }}
       - name: Notify success on Slack
         uses: Ilshidur/[email protected]
         env:

Dockerfile

@@ -1,7 +1,5 @@
 FROM alpine:3.19
 
-LABEL org.opencontainers.image.url=https://github.com/SonarSource/sonar-scanner-cli-docker
-
 ARG SONAR_SCANNER_HOME=/opt/sonar-scanner
 ARG SONAR_SCANNER_VERSION=5.0.1.3006
 ENV JAVA_HOME=/usr/lib/jvm/java-17-openjdk \