[DO NOT SQUASH] Prepare hotfix release 8.0.2

.github/PULL_REQUEST_TEMPLATE.md

@@ -1 +1,6 @@
-Fixes #<!-- PUT ISSUE NUMBER HERE -->
+Part of <!-- 
+  Only for standalone PRs without Jira issue in the PR title: 
+    * Replace this comment with Epic ID to create a new Task in Jira
+    * Replace this comment with Issue ID to create a new Sub-Task in Jira
+    * Ignore or delete this note to create a new Task in Jira without a parent 
+-->

.github/workflows/PullRequestClosed.yml

@@ -0,0 +1,29 @@
+name: Pull Request Closed
+
+on:
+  pull_request:
+    types: [closed]
+
+jobs:
+  PullRequestMerged_job:
+    name: Pull Request Merged
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      pull-requests: read
+    # For external PR, ticket should be moved manually
+    if: |
+        github.event.pull_request.head.repo.full_name == github.repository
+        && github.event.pull_request.merged
+    steps:
+      - id: secrets
+        uses: SonarSource/vault-action-wrapper@v3
+        with:
+          secrets: |
+            development/kv/data/jira user | JIRA_USER;
+            development/kv/data/jira token | JIRA_TOKEN;
+      - uses: sonarsource/gh-action-lt-backlog/PullRequestClosed@v2
+        with:
+          github-token: ${{secrets.GITHUB_TOKEN}}
+          jira-user:  ${{ fromJSON(steps.secrets.outputs.vault).JIRA_USER }}
+          jira-token: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_TOKEN }}

.github/workflows/PullRequestCreated.yml

@@ -0,0 +1,29 @@
+name: Pull Request Created
+
+on:
+  pull_request:
+    types: ["opened"]
+
+jobs:
+  PullRequestCreated_job:
+    name: Pull Request Created
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+    # For external PR, ticket should be created manually
+    if: |
+        github.event.pull_request.head.repo.full_name == github.repository
+    steps:
+      - id: secrets
+        uses: SonarSource/vault-action-wrapper@v3
+        with:
+          secrets: |
+            operations/team/re/kv/data/github/github-jira-integration token | GITHUB_TOKEN;
+            development/kv/data/jira user | JIRA_USER;
+            development/kv/data/jira token | JIRA_TOKEN;
+      - uses: sonarsource/gh-action-lt-backlog/PullRequestCreated@v2
+        with:
+          github-token: ${{ fromJSON(steps.secrets.outputs.vault).GITHUB_TOKEN }}
+          jira-user:    ${{ fromJSON(steps.secrets.outputs.vault).JIRA_USER }}
+          jira-token:   ${{ fromJSON(steps.secrets.outputs.vault).JIRA_TOKEN }}
+          jira-project: SCAN4NET

.github/workflows/RequestReview.yml

@@ -5,14 +5,24 @@ on:
     types: ["review_requested"]
 
 jobs:
-  MoveCardToReview_job:
-    name: Move card to review
+  RequestReview_job:
+    name: Request review
     runs-on: ubuntu-latest
-    # PRs from forks don't have required token authorization
-    if: github.event.pull_request.head.repo.full_name == github.repository
-        && (github.event.review.author_association == 'COLLABORATOR' || github.event.review.author_association == 'MEMBER')
+    permissions:
+      id-token: write
+    # For external PR, ticket should be moved manually
+    if: |
+        github.event.pull_request.head.repo.full_name == github.repository
     steps:
-      - uses: sonarsource/gh-action-lt-backlog/MoveCardToReview@v1
+      - id: secrets
+        uses: SonarSource/vault-action-wrapper@v3
         with:
-          github-token: ${{secrets.GITHUB_TOKEN}}
-          column-id: 6183857     # Kanban "Review in progress" column
+          secrets: |
+            operations/team/re/kv/data/github/github-jira-integration token | GITHUB_TOKEN;
+            development/kv/data/jira user | JIRA_USER;
+            development/kv/data/jira token | JIRA_TOKEN;
+      - uses: sonarsource/gh-action-lt-backlog/RequestReview@v2
+        with:
+          github-token: ${{ fromJSON(steps.secrets.outputs.vault).GITHUB_TOKEN }}
+          jira-user:    ${{ fromJSON(steps.secrets.outputs.vault).JIRA_USER }}
+          jira-token:   ${{ fromJSON(steps.secrets.outputs.vault).JIRA_TOKEN }}

.github/workflows/SubmitReview.yml

@@ -2,33 +2,29 @@ name: Submit Review
 
 on:
   pull_request_review:
-    types: ["submitted"]
+    types: [submitted]
 
 jobs:
-  MoveCardToProgress_job:
-    name: Move card to progress
+  SubmitReview_job:
+    name: Submit Review
     runs-on: ubuntu-latest
-    # Single quotes must be used here https://docs.github.com/en/free-pro-team@latest/actions/reference/context-and-expression-syntax-for-github-actions#literals
-    # PRs from forks don't have required token authorization
+    permissions:
+      id-token: write
+      pull-requests: read
+    # For external PR, ticket should be moved manually
     if: |
         github.event.pull_request.head.repo.full_name == github.repository
-        && github.event.review.author_association != 'NONE'
-        && github.event.review.state == 'changes_requested'
+        && (github.event.review.state == 'changes_requested'
+            || github.event.review.state == 'approved')
     steps:
-      - uses: sonarsource/gh-action-lt-backlog/MoveCardAfterReview@v1
+      - id: secrets
+        uses: SonarSource/vault-action-wrapper@v3
         with:
-          github-token: ${{secrets.GITHUB_TOKEN}}
-          column-id: 6183856     # Kanban "In progress" column
-
-  ReviewApproved_job:
-    name: Move card to review approved
-    runs-on: ubuntu-latest
-    if: |
-        github.event.pull_request.head.repo.full_name == github.repository
-        && github.event.review.author_association != 'NONE'
-        && github.event.review.state == 'approved'
-    steps:
-      - uses: sonarsource/gh-action-lt-backlog/MoveCardAfterReview@v1
+          secrets: |
+            development/kv/data/jira user | JIRA_USER;
+            development/kv/data/jira token | JIRA_TOKEN;
+      - uses: sonarsource/gh-action-lt-backlog/SubmitReview@v2
         with:
           github-token: ${{secrets.GITHUB_TOKEN}}
-          column-id: 6183858     # Kanban "Review approved" column
+          jira-user: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_USER }}
+          jira-token: ${{ fromJSON(steps.secrets.outputs.vault).JIRA_TOKEN }}

AssemblyInfo.Shared.cs

@@ -22,9 +22,9 @@
 using System.Resources;
 using System.Runtime.InteropServices;
 
-[assembly: AssemblyVersion("8.0.1")]
-[assembly: AssemblyFileVersion("8.0.1.0")]
-[assembly: AssemblyInformationalVersion("Version:8.0.1.0 Branch:not-set Sha1:not-set")]
+[assembly: AssemblyVersion("8.0.2")]
+[assembly: AssemblyFileVersion("8.0.2.0")]
+[assembly: AssemblyInformationalVersion("Version:8.0.2.0 Branch:not-set Sha1:not-set")]
 [assembly: AssemblyConfiguration("")]
 [assembly: AssemblyCompany("SonarSource and Microsoft")]
 [assembly: AssemblyCopyright("Copyright © SonarSource and Microsoft 2015-2023")]

README.md

@@ -30,6 +30,10 @@ and at our user guides
 
 Check out the [contributing](CONTRIBUTING.md) page to see the best places to log issues and start discussions.
 
+## Security Issues
+
+If you believe you have discovered a security vulnerability in Sonar's products, please check [this document](./SECURITY.md)
+
 ## License
 
 Copyright 2016-2024 SonarSource.

SECURITY.md

@@ -0,0 +1,13 @@
+# Reporting Security Issues
+
+A mature software vulnerability treatment process is a cornerstone of a robust information security management system. Contributions from the community play an important role in the evolution and security of our products, and in safeguarding the security and privacy of our users.
+
+If you believe you have discovered a security vulnerability in Sonar's products, we encourage you to report it immediately.
+
+To responsibly report a security issue, please email us at [[email protected]](mailto:[email protected]). Sonar’s security team will acknowledge your report, guide you through the next steps, or request additional information if necessary. Customers with a support contract can also report the vulnerability directly through the support channel.
+
+For security vulnerabilities found in third-party libraries, please also contact the library's owner or maintainer directly.
+
+## Responsible Disclosure Policy
+
+For more information about disclosing a security vulnerability to Sonar, please refer to our community post: [Responsible Vulnerability Disclosure](https://community.sonarsource.com/t/9317).

Tests/LogArgs/Program.cs

@@ -20,13 +20,12 @@
 
 using System.IO;
 
-namespace LogArgs
+namespace LogArgs;
+
+public static class Program
 {
-    public static class Program
+    public static void Main(string[] args)
     {
-        public static void Main(string[] args)
-        {
-            File.WriteAllLines("LogArgs.log", args);
-        }
+        File.WriteAllLines("LogArgs.log", args);
     }
 }

Tests/SonarScanner.MSBuild.Common.Test/AggregatePropertiesProviderTests.cs

@@ -23,77 +23,76 @@
 using Microsoft.VisualStudio.TestTools.UnitTesting;
 using TestUtilities;
 
-namespace SonarScanner.MSBuild.Common.Test
-{
-    [TestClass]
-    public class AggregatePropertiesProviderTests
-    {
-        public TestContext TestContext { get; set; }
+namespace SonarScanner.MSBuild.Common.Test;
 
-        #region Tests
+[TestClass]
+public class AggregatePropertiesProviderTests
+{
+    public TestContext TestContext { get; set; }
 
-        [TestMethod]
-        public void AggProperties_NullOrEmptyList()
-        {
-            // 1. Null -> error
-            Action act = () => new AggregatePropertiesProvider(null);
-            act.Should().ThrowExactly<ArgumentNullException>();
+    #region Tests
 
-            // 2. Empty list of providers -> valid but returns nothing
-            var provider = new AggregatePropertiesProvider(new IAnalysisPropertyProvider[] { });
+    [TestMethod]
+    public void AggProperties_NullOrEmptyList()
+    {
+        // 1. Null -> error
+        Action act = () => new AggregatePropertiesProvider(null);
+        act.Should().ThrowExactly<ArgumentNullException>();
 
-            provider.GetAllProperties().Should().BeEmpty();
-            var success = provider.TryGetProperty("any key", out var actualProperty);
+        // 2. Empty list of providers -> valid but returns nothing
+        var provider = new AggregatePropertiesProvider(new IAnalysisPropertyProvider[] { });
 
-            success.Should().BeFalse("Not expecting a property to be returned");
-            actualProperty.Should().BeNull("Returned property should be null");
-        }
+        provider.GetAllProperties().Should().BeEmpty();
+        var success = provider.TryGetProperty("any key", out var actualProperty);
 
-        [TestMethod]
-        public void AggProperties_Aggregation()
-        {
-            // Checks the aggregation works as expected
+        success.Should().BeFalse("Not expecting a property to be returned");
+        actualProperty.Should().BeNull("Returned property should be null");
+    }
 
-            // 0. Setup
-            var provider1 = new ListPropertiesProvider();
-            provider1.AddProperty("shared.key.A", "value A from one");
-            provider1.AddProperty("shared.key.B", "value B from one");
-            provider1.AddProperty("p1.unique.key.1", "p1 unique value 1");
+    [TestMethod]
+    public void AggProperties_Aggregation()
+    {
+        // Checks the aggregation works as expected
 
-            var provider2 = new ListPropertiesProvider();
-            provider2.AddProperty("shared.key.A", "value A from two");
-            provider2.AddProperty("shared.key.B", "value B from two");
-            provider2.AddProperty("p2.unique.key.1", "p2 unique value 1");
+        // 0. Setup
+        var provider1 = new ListPropertiesProvider();
+        provider1.AddProperty("shared.key.A", "value A from one");
+        provider1.AddProperty("shared.key.B", "value B from one");
+        provider1.AddProperty("p1.unique.key.1", "p1 unique value 1");
 
-            var provider3 = new ListPropertiesProvider();
-            provider3.AddProperty("shared.key.A", "value A from three"); // this provider only has one of the shared values
-            provider3.AddProperty("p3.unique.key.1", "p3 unique value 1");
+        var provider2 = new ListPropertiesProvider();
+        provider2.AddProperty("shared.key.A", "value A from two");
+        provider2.AddProperty("shared.key.B", "value B from two");
+        provider2.AddProperty("p2.unique.key.1", "p2 unique value 1");
 
-            // 1. Ordering
-            var aggProvider = new AggregatePropertiesProvider(provider1, provider2, provider3);
+        var provider3 = new ListPropertiesProvider();
+        provider3.AddProperty("shared.key.A", "value A from three"); // this provider only has one of the shared values
+        provider3.AddProperty("p3.unique.key.1", "p3 unique value 1");
 
-            aggProvider.AssertExpectedPropertyCount(5);
+        // 1. Ordering
+        var aggProvider = new AggregatePropertiesProvider(provider1, provider2, provider3);
 
-            aggProvider.AssertExpectedPropertyValue("shared.key.A", "value A from one");
-            aggProvider.AssertExpectedPropertyValue("shared.key.B", "value B from one");
+        aggProvider.AssertExpectedPropertyCount(5);
 
-            aggProvider.AssertExpectedPropertyValue("p1.unique.key.1", "p1 unique value 1");
-            aggProvider.AssertExpectedPropertyValue("p2.unique.key.1", "p2 unique value 1");
-            aggProvider.AssertExpectedPropertyValue("p3.unique.key.1", "p3 unique value 1");
+        aggProvider.AssertExpectedPropertyValue("shared.key.A", "value A from one");
+        aggProvider.AssertExpectedPropertyValue("shared.key.B", "value B from one");
 
-            // 2. Reverse the order and try again
-            aggProvider = new AggregatePropertiesProvider(provider3, provider2, provider1);
+        aggProvider.AssertExpectedPropertyValue("p1.unique.key.1", "p1 unique value 1");
+        aggProvider.AssertExpectedPropertyValue("p2.unique.key.1", "p2 unique value 1");
+        aggProvider.AssertExpectedPropertyValue("p3.unique.key.1", "p3 unique value 1");
 
-            aggProvider.AssertExpectedPropertyCount(5);
+        // 2. Reverse the order and try again
+        aggProvider = new AggregatePropertiesProvider(provider3, provider2, provider1);
 
-            aggProvider.AssertExpectedPropertyValue("shared.key.A", "value A from three");
-            aggProvider.AssertExpectedPropertyValue("shared.key.B", "value B from two");
+        aggProvider.AssertExpectedPropertyCount(5);
 
-            aggProvider.AssertExpectedPropertyValue("p1.unique.key.1", "p1 unique value 1");
-            aggProvider.AssertExpectedPropertyValue("p2.unique.key.1", "p2 unique value 1");
-            aggProvider.AssertExpectedPropertyValue("p3.unique.key.1", "p3 unique value 1");
-        }
+        aggProvider.AssertExpectedPropertyValue("shared.key.A", "value A from three");
+        aggProvider.AssertExpectedPropertyValue("shared.key.B", "value B from two");
 
-        #endregion Tests
+        aggProvider.AssertExpectedPropertyValue("p1.unique.key.1", "p1 unique value 1");
+        aggProvider.AssertExpectedPropertyValue("p2.unique.key.1", "p2 unique value 1");
+        aggProvider.AssertExpectedPropertyValue("p3.unique.key.1", "p3 unique value 1");
     }
+
+    #endregion Tests
 }