feat(plugin): externalize Maven proxy + JRE source + version pin to config.env #2
Merged
…y licenses

Builds on the marketplace restructure (#1). Changes:

1. Externalize launcher knobs into plugin/skills/sonar-predictor/config.env
   - SONAR_MAVEN_REPO_URL            Maven proxy where the analyzer bundle is fetched
   - SONAR_BUNDLE_VERSION            Bundle version pin (default: 0.1.1)
   - SONAR_MIN_JAVA_VERSION          Minimum Java major required (default: 17)
   - SONAR_JRE_URL_TEMPLATE          JRE source for auto-download; tokens {os} {arch} {version} are substituted (default: Adoptium API)
   - SONAR_JRE_VERSION               JRE version to fetch (default: 17)
   - SONAR_DISABLE_JRE_AUTODOWNLOAD  Set to 1 to refuse the JRE auto-download
   Plain KEY=VALUE format parsed by both bash and Windows launchers. Env vars of the same name take precedence over the file (one-off override without editing). Forking workflow: clone, edit config.env, push, install.
2. Bash launcher gains a 'no Java anywhere -> download a JRE' step that runs after the bundle is cached. Searches $JAVA_HOME, PATH, and the same common install dirs the bundle's own launcher probes; if nothing meets the minimum, substitutes {os}/{arch}/{version} into SONAR_JRE_URL_TEMPLATE, downloads, extracts to ~/.cache/sonar-predictor/jre/<VERSION>/, and exports JAVA_HOME for the bundle launcher to pick up. Windows launcher reads the same config.env but still requires Java 17+ on the system (or in JAVA_HOME). Auto-install on Windows is deferred.
3. Refresh README.md and dist/README.md for the marketplace install path:
   - Quick-start is now the two-command marketplace install (Claude + Copilot)
   - Add a 'Corporate / air-gapped setup' section documenting config.env and SONAR_PREDICTOR_HOME for fully pre-staged installs
   - Expand the License section into 'License & third-party components' with the SonarSource analyzer license situation called out honestly
4. Add NOTICE listing third-party components and their licenses:
   - sonarlint-analysis-engine — LGPL v3
   - SonarSource language analyzers — SONAR Source-Available License v1.0 (SSALv1) since SonarSource's 2024 relicense
   - Apache 2.0 build / runtime dependencies (picocli, jackson, maven plugins)
   - Adoptium Temurin JRE — GPL-2.0 WITH Classpath-exception-2.0
   NOTICE also documents the future direction: have the bootstrap fetch each analyzer JAR individually from Maven Central instead of bundling them into the dist artifact. That eliminates any SSALv1 redistribution question (SonarSource's own Maven Central distribution becomes the sole channel). The plugin's config.env already isolates the Maven URL, so the transition is transparent to corporate proxies.

Smoke-tested end to end:
- default config: bundle from Maven Central, system Java used.
- SONAR_MAVEN_REPO_URL=bogus env override correctly steered the download (failed at DNS as expected) — env-var precedence confirmed.
- SONAR_MIN_JAVA_VERSION=99 forced the JRE auto-install path; Adoptium Temurin 17.0.19 downloaded and ran.
- SONAR_DISABLE_JRE_AUTODOWNLOAD=1 blocked the install with the right error.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
a518332 to b419b83
…d returns a pointer
A new `./bin/sonar agent-scan [scope]` wrapper in the plugin's bootstrap
that bakes the out-of-context discipline into the tool, replacing the
"agent must remember to redirect to a temp file + jq" pattern.
    ./bin/sonar agent-scan                      -> git changeset (default)
    ./bin/sonar agent-scan check src/Main.java  -> specific files
    ./bin/sonar agent-scan analyze src/         -> whole directory
On invocation:
1. Ensures .sonar-predictor/ exists at the project root.
2. If inside a git repo, appends .sonar-predictor/ to .gitignore on first
use (with a comment header). Idempotent — re-runs do nothing.
3. Runs `sonar --format json <scope>`, redirecting stdout+stderr to
.sonar-predictor/scan.json.
4. Prints a compact summary on stdout: total issue count, severity
breakdown, and the file path. Example:
       sonar-predictor: 47 issues written to .sonar-predictor/scan.json
         severity: BLOCKER=3 CRITICAL=12 MAJOR=22 MINOR=8 INFO=2
         query: jq '...' .sonar-predictor/scan.json
5. Propagates the underlying CLI's exit code (0 clean, 1 issues, 2 error).
The summary uses jq when available; if not, falls back to a plain pointer.
Both agent variants (sonar-scanner-claude, sonar-scanner-copilot) now invoke
`agent-scan` instead of the manual redirect+jq dance. Their prompts retain
the jq drill-down recipe for when the orchestrator asks for specifics — the
file is right there, the recipe stays cheap.
SKILL.md declares the agent-scan contract as the canonical agent invocation
pattern. The repo's own .gitignore gains a .sonar-predictor/ entry so
dogfooding scans against this repo never get committed.
Windows .bat gets parity for the subcommand: writes the file, gitignores the
path, prints a pointer. No jq-based summary on Windows (jq isn't typically
on PATH); just the pointer.
Smoke-tested: agent-scan in this git repo wrote a 0-issue scan.json (116
bytes), exit 0, stdout summary correct, .gitignore unchanged because the
line was already present (the idempotent guard works).
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
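The agent-scan contract described in the commit above, written out as an added shell example (this is not the plugin's own bootstrap code): it creates the output directory, adds the .gitignore entry once with a comment header, runs the CLI with stdout and stderr redirected into scan.json, prints a severity summary, and returns the CLI's own exit code. Two things are assumptions of this example rather than facts from the PR: the CLI is named by SONAR_CMD, and scan.json has the shape {"issues":[{"severity":"MAJOR",...}]}. It goes slightly beyond the commit by giving the no-jq path a grep-based count instead of only a pointer.

```shell
#!/usr/bin/env bash
# Added example, not the plugin's bootstrap. Assumed: SONAR_CMD names the CLI,
# and the report looks like {"issues":[{"severity":"MAJOR",...}]}.

SONAR_CMD=${SONAR_CMD:-sonar}
OUT_DIR=.sonar-predictor

# ensure_gitignore ROOT: append the entry once, with a comment header. The
# exact line is matched first (-x -F), so re-runs are no-ops.
ensure_gitignore() {
  local gi="$1/.gitignore"
  [ -e "$1/.git" ] || return 0
  [ -f "$gi" ] && grep -qxF "$OUT_DIR/" "$gi" && return 0
  printf '\n# sonar-predictor agent-scan output\n%s/\n' "$OUT_DIR" >> "$gi"
}

# count_severity FILE SEVERITY: number of issues at that level. jq when
# available, a grep over the JSON text otherwise; '?' if the file is not a
# report at all (e.g. the CLI crashed and wrote its stack trace there).
count_severity() {
  if command -v jq >/dev/null 2>&1; then
    jq --arg s "$2" '[.issues[] | select(.severity == $s)] | length' "$1" 2>/dev/null || echo '?'
  else
    grep -o "\"severity\": *\"$2\"" "$1" | wc -l | tr -d ' '
  fi
}

# severity_summary FILE: "BLOCKER=n CRITICAL=n MAJOR=n MINOR=n INFO=n"
severity_summary() {
  local out="" sev
  for sev in BLOCKER CRITICAL MAJOR MINOR INFO; do
    out="$out${out:+ }$sev=$(count_severity "$1" "$sev")"
  done
  printf '%s\n' "$out"
}

total_issues() {
  if command -v jq >/dev/null 2>&1; then
    jq '.issues | length' "$1" 2>/dev/null || echo '?'
  else
    grep -o '"severity"' "$1" | wc -l | tr -d ' '
  fi
}

# agent_scan [scope...]: run the CLI, park the report outside the agent's
# context, print a compact summary, and return the CLI's exit code unchanged
# (0 clean, 1 issues, 2 error).
agent_scan() {
  local root out rc
  root=$(git rev-parse --show-toplevel 2>/dev/null) || root=$(pwd)
  mkdir -p "$root/$OUT_DIR"
  ensure_gitignore "$root"
  out="$root/$OUT_DIR/scan.json"
  if "$SONAR_CMD" --format json "$@" > "$out" 2>&1; then rc=0; else rc=$?; fi
  echo "sonar-predictor: $(total_issues "$out") issues written to $out (exit $rc)"
  echo "  severity: $(severity_summary "$out")"
  echo "  query: jq '.issues[] | select(.severity == \"BLOCKER\")' $out"
  return "$rc"
}

# Usage: ./agent-scan.sh --run [check FILE... | analyze DIR]
if [ "${1:-}" = --run ]; then shift; agent_scan "$@"; fi
```

Redirecting stderr into the same file is what keeps a crashing scanner from flooding the agent's context; the '?' in the summary is the signal to open scan.json and read the error instead of trusting the counts.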
Builds on #1. The launcher's hardcoded Maven URL and bundle version are extracted into a sibling
config.env; the bash launcher also gains a 'no Java anywhere → download a JRE' step using the configured JRE URL template.

What lives in plugin/skills/sonar-predictor/config.env

    SONAR_MAVEN_REPO_URL            https://repo1.maven.org/maven2
    SONAR_BUNDLE_VERSION            0.1.1
    SONAR_MIN_JAVA_VERSION          17
    SONAR_JRE_URL_TEMPLATE          {os}/{arch}/{version}
    SONAR_JRE_VERSION               17
    SONAR_DISABLE_JRE_AUTODOWNLOAD  1 to refuse the JRE auto-download (corp-policy escape hatch).

Plain KEY=VALUE per line; # for comments. Both launchers parse it identically. Env vars of the same name win over the file (one-off override without editing).

Java auto-install (bash launcher)

After the bundle is cached: searches $JAVA_HOME, PATH, and the same common install dirs the bundle's own launcher probes. If nothing meets the minimum, substitutes {os}/{arch}/{version} into the URL template, downloads, extracts to ~/.cache/sonar-predictor/jre/<VERSION>/, and exports JAVA_HOME. Windows launcher reads the same config but still requires Java 17+ on the system (or in JAVA_HOME).

Forking workflow

Smoke-tested locally

- SONAR_MAVEN_REPO_URL=bogus correctly steered the download (failed at DNS as expected).
- SONAR_MIN_JAVA_VERSION=99 forced the path; Adoptium Temurin 17.0.19 downloaded and ran.
- SONAR_DISABLE_JRE_AUTODOWNLOAD=1 blocked the install with the right error.

🤖 Generated with Claude Code
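The config.env loading, env-over-file precedence, Java minimum check and {os}/{arch}/{version} substitution described in the PR body and in the first commit, as an added shell example (not the project's launcher). The knob names and defaults are the PR's; assumptions of this example are the placeholder template URL (the real default is the Adoptium API), the os/arch spellings used for the tokens, and two extra knobs, SONAR_JRE_DRY_RUN and SONAR_JRE_SHA256, which the PR does not have. The point a reviewer would want on the page is that config.env is repo-controlled, so a fork decides where the JRE comes from; the loader therefore only accepts SONAR_* keys (no PATH or LD_PRELOAD through the config file) and the fetch path pins a digest before unpacking.

```shell
#!/usr/bin/env bash
# Added example, not the project's launcher. Assumed: the placeholder template
# URL, the os/arch token spellings, SONAR_JRE_DRY_RUN and SONAR_JRE_SHA256.

apply_defaults() {                       # defaults as documented in the PR
  local tmpl='https://jre.example.invalid/{os}/{arch}/{version}'   # placeholder
  : "${SONAR_MAVEN_REPO_URL:=https://repo1.maven.org/maven2}"
  : "${SONAR_BUNDLE_VERSION:=0.1.1}"
  : "${SONAR_MIN_JAVA_VERSION:=17}"
  : "${SONAR_JRE_VERSION:=17}"
  : "${SONAR_JRE_URL_TEMPLATE:=$tmpl}"
  export SONAR_MAVEN_REPO_URL SONAR_BUNDLE_VERSION SONAR_MIN_JAVA_VERSION \
         SONAR_JRE_VERSION SONAR_JRE_URL_TEMPLATE
}

# load_config FILE: KEY=VALUE per line, '#' comments, blanks ignored. A key
# already present in the environment is never overwritten (one-off override).
# Call it before apply_defaults so file values are not masked by defaults.
load_config() {
  local file="$1" line key value is_set
  [ -r "$file" ] || return 0
  while IFS= read -r line || [ -n "$line" ]; do
    line=$(printf '%s' "$line" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
    case "$line" in ''|'#'*) continue ;; esac
    case "$line" in *=*) ;; *) printf 'config.env: ignoring malformed line: %s\n' "$line" >&2; continue ;; esac
    key=$(printf '%s' "${line%%=*}" | sed 's/[[:space:]]*$//')
    value=$(printf '%s' "${line#*=}" | sed 's/^[[:space:]]*//')
    # Only SONAR_* identifiers pass, so a tampered file cannot reach PATH,
    # LD_PRELOAD or anything else through the eval below.
    if ! printf '%s' "$key" | grep -Eq '^SONAR_[A-Z0-9_]+$'; then
      printf 'config.env: ignoring unexpected key: %s\n' "$key" >&2; continue
    fi
    eval "is_set=\${$key+set}"
    [ -n "$is_set" ] && continue
    eval "$key=\$value"; export "$key"
  done < "$file"
}

# java_major_from_banner TEXT: 'version "17.0.9"' -> 17, legacy "1.8.0_392" -> 8.
java_major_from_banner() {
  local v
  v=$(printf '%s\n' "$1" | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1)
  [ -n "$v" ] || return 1
  case "$v" in 1.*) v=${v#1.} ;; esac
  printf '%s\n' "${v%%[!0-9]*}"
}

detect_java_major() {                    # JAVA_HOME first, then PATH; empty if none
  local bin="${JAVA_HOME:+$JAVA_HOME/bin/java}"
  [ -x "$bin" ] || bin=$(command -v java 2>/dev/null) || return 0
  java_major_from_banner "$("$bin" -version 2>&1)"
}

host_os()   { case "$(uname -s)" in Linux) echo linux ;; Darwin) echo mac ;; *) echo unsupported ;; esac; }
host_arch() { case "$(uname -m)" in x86_64|amd64) echo x64 ;; aarch64|arm64) echo aarch64 ;; *) echo unsupported ;; esac; }

# jre_url TEMPLATE OS ARCH VERSION: substitute the three tokens.
jre_url() {
  printf '%s\n' "$1" | sed -e "s|{os}|$2|g" -e "s|{arch}|$3|g" -e "s|{version}|$4|g"
}

# ensure_jre [MAJOR]: 0 if Java meets the minimum or a JRE was resolved,
# 2 if refused by SONAR_DISABLE_JRE_AUTODOWNLOAD=1, 3 unsupported host,
# 4 download/extract failure, 5 digest mismatch.
ensure_jre() {
  local have="${1-$(detect_java_major)}" os arch url dest
  if [ -n "$have" ] && [ "$have" -ge "$SONAR_MIN_JAVA_VERSION" ]; then
    echo "using installed Java $have (minimum $SONAR_MIN_JAVA_VERSION)"; return 0
  fi
  if [ "${SONAR_DISABLE_JRE_AUTODOWNLOAD:-0}" = 1 ]; then
    echo "error: no Java >= $SONAR_MIN_JAVA_VERSION found and JRE auto-download is disabled; install a JDK or set JAVA_HOME" >&2
    return 2
  fi
  os=$(host_os); arch=$(host_arch)
  [ "$os" != unsupported ] && [ "$arch" != unsupported ] || return 3
  url=$(jre_url "$SONAR_JRE_URL_TEMPLATE" "$os" "$arch" "$SONAR_JRE_VERSION")
  dest="${XDG_CACHE_HOME:-$HOME/.cache}/sonar-predictor/jre/$SONAR_JRE_VERSION"
  JRE_DOWNLOAD_URL=$url; JRE_DEST=$dest            # exposed for inspection
  if [ "${SONAR_JRE_DRY_RUN:-1}" = 1 ]; then       # default: resolve only, no network
    echo "would download $url into $dest"; return 0
  fi
  mkdir -p "$dest" && curl -fsSL "$url" -o "$dest/jre.tar.gz" || return 4
  # config.env decides where the JRE comes from; pin a digest before unpacking.
  if [ -n "${SONAR_JRE_SHA256:-}" ]; then
    echo "$SONAR_JRE_SHA256  $dest/jre.tar.gz" | sha256sum -c --quiet || return 5
  fi
  tar -xzf "$dest/jre.tar.gz" -C "$dest" || return 4
  # Adoptium archives unpack into one top-level directory; that is JAVA_HOME.
  JAVA_HOME=$(find "$dest" -mindepth 1 -maxdepth 1 -type d | head -n 1); export JAVA_HOME
}

# Usage: ./launcher.sh --demo [path/to/config.env]
if [ "${1:-}" = --demo ]; then load_config "${2:-config.env}"; apply_defaults; ensure_jre; fi
```

SONAR_JRE_DRY_RUN defaults to 1 here so the example never touches the network unless asked; the real launcher would download unconditionally once the checks pass.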