This commit provides support for the newly created Bitbucket Cloud code insights
API endpoints. The implementation has been done under the consideration that in
newer versions no dedicated ALM support for Bitbucket Cloud exists, thus this
implementation is minimally invasive.
One thing to note here:
* For local testing the link on `CloudCreateReportRequest` has to be set manually to a non-localhost URL since
Bitbucket's API doesn't support it.
This change migrates from using Travis CI for performing check builds to using GitHub Actions for both check and release builds.
To allow this, three jobs have been introduced:
* Snapshot - performs the Gradle builds and publishes the snapshot JAR as an artifact against the check execution;
* Release - executes the release plugin in Gradle whenever a new tag is detected in Git, and creates a new draft release entry on the release page with the release artifact attached;
* Sonarqube - executes SonarQube against any commit, submitting analysis details to SonarCloud with the relevant branch, tag, or Pull Request details to allow SonarCloud to decorate any findings. Note that this requires the `SONAR_TOKEN`, `SONAR_ORG_KEY`, and `SONAR_PROJECT_KEY` secrets to have been set against the repository in GitHub.
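The three-job layout described in the commit message above, written out as an added illustration rather than the project's actual workflow file. The workflow name, the `master` branch name, the use of `gh release create` for the draft release, the Gradle task names and the action versions are assumptions; the three `SONAR_*` repository secrets are the ones the commit message names.

```yaml
# Illustrative GitHub Actions workflow (assumed layout, not the project's own file).
name: build

on:
  push:
    branches: [master]      # assumed default branch
    tags: ['v*']            # assumed tag pattern that triggers the release job
  pull_request:

jobs:
  snapshot:
    # Check build: compile, test and keep the snapshot JAR as a build artifact.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '8'
      - run: ./gradlew build
      - uses: actions/upload-artifact@v4
        with:
          name: snapshot-jar
          path: build/libs/*.jar

  release:
    # Only runs for tag pushes; creates a draft release with the built JAR attached.
    if: startsWith(github.ref, 'refs/tags/')
    needs: snapshot
    runs-on: ubuntu-latest
    permissions:
      contents: write       # least privilege: only the release job may write releases
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '8'
      - run: ./gradlew build
      - run: gh release create "$GITHUB_REF_NAME" --draft build/libs/*.jar
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  sonarqube:
    # Analysis of every commit; branch/PR details come from the GitHub event,
    # credentials come only from repository secrets, never from the workflow file.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0    # full history so SonarCloud can attribute blame and detect new code
      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '11'
      - run: >
          ./gradlew sonarqube
          -Dsonar.host.url=https://sonarcloud.io
          -Dsonar.login=${{ secrets.SONAR_TOKEN }}
          -Dsonar.organization=${{ secrets.SONAR_ORG_KEY }}
          -Dsonar.projectKey=${{ secrets.SONAR_PROJECT_KEY }}
```

Two points worth keeping when adapting this: the `permissions` block restricts the write-capable token to the single job that publishes a release, and the Sonar credentials are referenced only through `secrets`, so forks and untrusted pull requests (where GitHub withholds secrets) cannot exfiltrate or use them.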
Some ALMs (such as GitHub) proxy images in Pull Request decoration and therefore need direct access to the images. If the SonarQube server isn't internet facing, the ALM will not be able to retrieve the images, and they therefore won't be visible on the Pull Request. This change restores the property for allowing SonarQube administrators to define the URL for retrieving images, with the images defaulting to loading from the SonarQube server if the property is not set/overridden.
Uses GitLab's REST API to create conversations/threads on a merge request containing annotations for each issue discovered by SonarQube, and provides a message on the merge request containing the scan summary.
Use Bitbucket REST interfaces to apply comments to Pull Requests. Where possible, any existing comments are removed prior to adding comments to prevent any duplication, and properties have been added to control whether commenting and clean-up of comments is enabled.
Uses the GitHub REST APIs to perform application authentication, and the GraphQL APIs to create a 'Check Run' providing the overall summary of the scan, and individual annotations of issues within each file. No attempt is made to remove old runs/annotations given GitHub seems to manage this when a new run is generated by the same application. The configuration of SonarQube to allow this decoration aims to match that provided in the documentation for SonarQube 8.0.
Replaces references to the removed `ScannerUtils` class with Java's `URLEncoder`, and adds implementations of new methods introduced into SonarQube 8.0's interfaces. Since SonarQube 8.0 also changed `ScannerWsClient` from a class to an interface, the `ScannerWsClient` is now invoked through reflection in `ScannerWsClientWrapper` to prevent a `java.lang.IncompatibleClassChangeError` being thrown during invocation.
On top of this, SonarQube Compute Engine now contains a Java Security Manager that blocks access to retrieving `ClassLoader`s, and so prevents the work-around used to access the branch API classes required for this plugin to execute. Moving the loading of the impacted classes into a `CoreExtension` and bypassing the class-loading manipulation for these classes overcomes this problem. This will require users of this plugin to install the plugin to both the plugins directory and the core platform's `lib/common` directory (or symlink the files) given plugin classes are only searched for from the plugins directory, and extensions are only loaded from the `common` directory.
As the plugin is currently released using Java 8, OpenJDK 8 is being used until the point that only SonarQube 8 is supported. OpenJDK 11 is being used as a second JVM to ensure correct function against the main-stream build of SonarQube.
SonarQube 7.8 contains changes to the APIs required for managing branches, with new methods having been introduced, and the existing `getMergeBranchUuid` method signature in `org.sonar.ce.task.projectanalysis.Branch` modified in a non-backwards-compatible way. Due to the incompatible changes, the supported SonarQube API version has been bumped from 7.4 to 7.8 and any methods that only existed to support older SonarQube versions have been removed. The 7.8 release of SonarQube does not currently have a sonar-plugin-api dependency released with it, so the SonarQube 7.7 dependency for the plugin-api component is being used in its place.