Add sonar-scanner image layered on client + jdk #102
Introduce a new onec-sonar-scanner image built directly on the client layer. It installs the SonarScanner CLI distribution with a bundled JRE, so the jdk/client-vnc layers are not required.
- sonar-scanner/Dockerfile: download and install SonarScanner CLI
- Makefile: add sonar-scanner target
- Layers.md and README.md: document the new layer
https://claude.ai/code/session_0172sYatuatmTxzCafudjtXn
Rework the SonarScanner image to layer on top of client + jdk instead of relying on a bundled JRE, using the JDK provided by the jdk layer.
- sonar-scanner/Dockerfile: use system Java from the jdk layer
- build-sonar-scanner.sh / .bat: build the full client -> jdk -> sonar-scanner chain
- .github/workflows/build.yml: add build-sonar-scanner.sh to the CI matrix
- Makefile: base sonar-scanner target on onec-client-jdk
- Layers.md / README.md: document the new layer stack and build scripts
https://claude.ai/code/session_0172sYatuatmTxzCafudjtXn
Java is provided by the jdk layer, so disable downloading a JRE from the server via SONAR_SCANNER_SKIP_JRE_PROVISIONING. https://claude.ai/code/session_0172sYatuatmTxzCafudjtXn
📝 Walkthrough
This PR introduces SonarScanner Docker image support by adding a new Dockerfile, build automation scripts for both Bash and Batch environments, CI/CD integration, and documentation. The implementation includes fixes to existing base image Dockerfiles to support the layered build strategy.
…DK 21 SonarScanner CLI 8.x requires Java 21+, so build the jdk layer with OpenJDK 21 (SONAR_JDK_VERSION, default 21) in the build scripts. https://claude.ai/code/session_0172sYatuatmTxzCafudjtXn
Pull request overview
Adds a new onec-sonar-scanner image intended to run SonarScanner CLI on top of the existing 1C client plus JDK layer.
Changes:
- Added a `sonar-scanner/Dockerfile` that installs SonarScanner CLI and runs as `usr1cv8`.
- Added Linux/Windows build scripts and CI matrix entry for the new image chain.
- Updated README, Layers documentation, and Makefile with SonarScanner build instructions/target.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| sonar-scanner/Dockerfile | Defines the new SonarScanner image layer. |
| build-sonar-scanner.sh | Builds and pushes the Linux image chain for SonarScanner. |
| build-sonar-scanner.bat | Adds the Windows build flow for the same image chain. |
| .github/workflows/build.yml | Adds the new build script to CI. |
| README.md | Documents the new SonarScanner image and build command. |
| Layers.md | Documents the new client → jdk → sonar-scanner layer stack. |
| Makefile | Adds a sonar-scanner build target. |
Actionable comments posted: 2
Inline comments:
In `@build-sonar-scanner.bat`:
- Around line 71-72: The batch file ends with the label ":end" and uses "goto
end" flow but currently has LF-only line endings; change the file's line endings
to CRLF so the Windows batch parser handles the "goto end"/":end" label
correctly (either convert the file to CRLF in your editor or run a tool to
convert line endings) and, to prevent regressions, add or update your repository
attributes to force CRLF for *.bat (e.g., add a .gitattributes entry for "*.bat
text eol=crlf").
- Line 7: The batch if comparisons use unquoted variable expansions which break
when variables are unset; update the comparisons that reference
DOCKER_SYSTEM_PRUNE and NO_CACHE in build-sonar-scanner.bat so the operands are
quoted (e.g., compare "%DOCKER_SYSTEM_PRUNE%" to "true" and "%NO_CACHE%" to
"true"), ensuring both sides are quoted to avoid producing malformed if ==...
expressions when the variables are empty.
The onec-client-jdk image is not a standalone repo image; it only exists as an intermediate built inside build-sonar-scanner.sh. Multi-layer stacks are not represented in the Makefile (they use build-*.sh scripts), so drop the broken target and make the README example self-contained by building the jdk layer first. https://claude.ai/code/session_0172sYatuatmTxzCafudjtXn
- jdk/Dockerfile: switch to USER root before apt-get so the layer works when based on the client image (which ends as USER usr1cv8). No-op for existing root-based consumers.
- build-sonar-scanner.bat: quote DOCKER_SYSTEM_PRUNE/NO_CACHE comparisons to avoid malformed if-statements when unset.
https://claude.ai/code/session_0172sYatuatmTxzCafudjtXn
The oscript image failed to build on newer base images (e.g. the eclipse-temurin:17 base used by the oscript agent scripts) because it used the deprecated 'apt-key adv' with an hkp:// keyserver. Switch to the modern signed-by keyring approach over https, mirroring the pattern already used in client/Dockerfile.
Add '*.bat eol=crlf' to .gitattributes so Windows batch scripts always check out with CRLF, avoiding GOTO/label parsing issues. Renormalized existing .bat files accordingly.
The oscript builds run on Ubuntu-based images (eclipse-temurin:17, ubuntu:20.04, onec-client-vnc), but the Dockerfile used the Debian-buster Mono repo. On newer Ubuntu the buster packages are no longer installable (mono-libraries unsatisfiable / version-split between 6.12.0.200 and .201), breaking the build. Per the official Mono docs, Ubuntu 20.04+ must use the ubuntu stable-focal suite (consistent 6.12.0.206 package set).
Actionable comments posted: 2
🧹 Nitpick comments (5)
sonar-scanner/Dockerfile (2)
6-6: ⚡ Quick win: Use the canonical registry-prefix pattern in `FROM`.
This uses `${DOCKER_REGISTRY_URL}${DOCKER_REGISTRY_URL:+/}` while the rest of the repo (e.g. `jdk/Dockerfile`, `oscript/Dockerfile`) uses the standard form. Although functionally equivalent, aligning keeps the registry handling consistent across the image chain.
♻️ Align with the standard pattern
```diff
-FROM ${DOCKER_REGISTRY_URL}${DOCKER_REGISTRY_URL:+/}${BASE_IMAGE}:${BASE_TAG}
+FROM ${DOCKER_REGISTRY_URL:+"$DOCKER_REGISTRY_URL/"}${BASE_IMAGE}:${BASE_TAG}
```
As per coding guidelines: "Use registry URL pattern in base image: FROM ${DOCKER_REGISTRY_URL:+"$DOCKER_REGISTRY_URL/"}base-image:tag".
19-32: ⚖️ Poor tradeoff: Consider a multi-stage download for the SonarScanner CLI.
The CLI is fetched and unzipped in the final image, requiring a transient `unzip` install (later purged) plus apt cache cleanup. A builder stage that downloads/extracts and a final stage that `COPY`s `/opt/sonar-scanner` would avoid touching apt in the runtime layer entirely. Optional given the cleanup already keeps the layer small.
As per coding guidelines: "Use multi-stage builds in Dockerfiles when downloading or building dependencies".
build-sonar-scanner.sh (3)
56-56: 💤 Low value: Quote `$SONAR_JDK_VERSION` (SC2086).
Harmless today (value is `25`), but quoting prevents word-splitting/globbing if the value is ever overridden with whitespace.
♻️ Quote the expansion
```diff
- --build-arg OPENJDK_VERSION=$SONAR_JDK_VERSION \
+ --build-arg OPENJDK_VERSION="$SONAR_JDK_VERSION" \
```
42-42: ⚡ Quick win: Also tag images with `latest`.
The built images are tagged only with `$ONEC_VERSION`. Per project convention, publish a `latest` tag alongside the version (e.g. add a second `-t …onec-client:latest`) so downstream `BASE_TAG=latest` references and consumers resolve correctly.
As per coding guidelines: "Tag Docker images with both specific version and 'latest' tags".
Also applies to: 57-57, 71-71
35-44: ⚡ Quick win: Validate required env vars before building.
`ONEC_USERNAME`, `ONEC_PASSWORD`, and `ONEC_VERSION` are consumed unvalidated. An empty `ONEC_VERSION` produces an invalid tag `onec-client:` and fails the build with a cryptic Docker error rather than a clear message.
🛡️ Add an early guard
```diff
 last_arg='.'
 if [ "${NO_CACHE}" = 'true' ] ; then
 last_arg='--no-cache .'
 fi
+
+for var in ONEC_USERNAME ONEC_PASSWORD ONEC_VERSION; do
+ if [ -z "${!var}" ]; then
+ echo "Required environment variable $var is not set" >&2
+ exit 1
+ fi
+done
```
As per coding guidelines: "Validate required environment variables in build scripts".
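Review bot: the suggested guard relies on `${!var}`, which is bash-only indirect expansion; if build-sonar-scanner.sh is ever run as `sh` (dash) it aborts with "bad substitution" before any ONEC_* check runs. The PR's own `bash -n` check implies a bash shebang, so it works there, but a portable `eval "val=\${$var:-}"` avoids the dependency; also consider collecting every missing name before `exit 1` so one run reports all of them instead of only the first.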
Inline comments:
In `@jdk/Dockerfile`:
- Around line 9-11: The jdk/Dockerfile switches to USER root to install the JDK
but never switches back, leaving the built onec-client-jdk image running as
root; update jdk/Dockerfile to switch back to the non-root user (USER usr1cv8)
after installation steps so the final image onec-client-jdk used by
build-sonar-scanner.sh and published as onec-client-jdk:${ONEC_VERSION} is
non-root; locate the USER root line in jdk/Dockerfile and add a USER usr1cv8 at
the end (after JDK installation/cleanup) to restore the original runtime user.
In `@oscript/Dockerfile`:
- Around line 18-22: The Dockerfile hardcodes the Mono repo as "stable-focal"
while the image is parametrized by ARGs BASE_IMAGE and BASE_TAG; update
oscript/Dockerfile to derive a MONO_SUITE (or MONO_REPO) from
BASE_IMAGE/BASE_TAG instead of hardcoding "stable-focal": add logic (shell
case/if using ARG and RUN) that maps ubuntu BASE_TAGs to the correct
"stable-<ubuntu-codename>" (e.g., 20.04 -> focal, 22.04 -> jammy) and uses a
Debian-compatible Mono repo or appropriate suite (e.g., bookworm) when
BASE_IMAGE=debian, then use that MONO_SUITE in the echo line and key import;
also ensure build scripts build-oscript-swarm-agent.sh and
build-oscript-k8s-agent.sh pass or inherit BASE_IMAGE/BASE_TAG consistently so
the chosen suite matches the actual base image.
---
Nitpick comments:
In `@build-sonar-scanner.sh`:
- Line 56: The shell expansion of $SONAR_JDK_VERSION in the Docker build
argument (--build-arg OPENJDK_VERSION=$SONAR_JDK_VERSION) is unquoted and can
trigger word-splitting/globbing (SC2086); change the usage to quote the variable
(--build-arg OPENJDK_VERSION="$SONAR_JDK_VERSION") in build-sonar-scanner.sh so
the value is passed as a single token even if it contains whitespace or special
characters.
- Line 42: Add a second Docker tag for the `latest` alias wherever images are
built: when invoking `docker build` that currently uses -t
${DOCKER_REGISTRY_URL:+"$DOCKER_REGISTRY_URL/"}onec-client:$ONEC_VERSION (and
the other similar -t usages at the other build sites mentioned), add an
additional -t argument using the same registry prefix but with
`onec-client:latest` (i.e. use the same DOCKER_REGISTRY_URL expansion and
replace $ONEC_VERSION with latest) so each image is pushed/tagged with both the
version and `latest`.
- Around line 35-44: Add an early guard in the build script to validate
ONEC_USERNAME, ONEC_PASSWORD and ONEC_VERSION are non-empty before running the
docker build; check the variables (ONEC_USERNAME, ONEC_PASSWORD, ONEC_VERSION)
and if any are missing print a clear error message naming the missing var(s) and
exit 1 so the build fails fast with a helpful message rather than producing an
invalid image tag like onec-client:. Keep DOCKER_REGISTRY_URL optional as
currently used for prefixing the tag.
In `@sonar-scanner/Dockerfile`:
- Line 6: The FROM line uses a nonstandard registry prefix pattern; replace the
current pattern in the Dockerfile's FROM statement with the canonical
registry-prefix form so it matches other Dockerfiles (use the
${DOCKER_REGISTRY_URL:+"$DOCKER_REGISTRY_URL/"} pattern) while keeping
BASE_IMAGE and BASE_TAG unchanged; update the FROM invocation (the base image
reference in the Dockerfile) accordingly so registry handling is consistent
across images.
- Around line 19-32: Replace the single-stage RUN download/unzip block with a
multi-stage build: create a builder stage (e.g., FROM debian AS builder) that
installs unzip, uses SONAR_SCANNER_VERSION to wget and unzip to
/opt/sonar-scanner-${SONAR_SCANNER_VERSION}, then in the final stage remove apt
install steps and instead COPY --from=builder
/opt/sonar-scanner-${SONAR_SCANNER_VERSION} ${SONAR_SCANNER_HOME}; drop the
transient unzip install and apt-get cleanup from the final stage so the runtime
layer never touches apt caches while still preserving SONAR_SCANNER_VERSION and
SONAR_SCANNER_HOME semantics.
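An added example (not the project's own build-sonar-scanner.sh) that implements the three build-script nitpicks above as shell helpers: the required-variable guard, the canonical registry prefix, and version-plus-latest tagging, composed into a dry run of the jdk and sonar-scanner stages. The `registry.example` registry and the `8.3.24.1467` version are constructed demo values; the `./jdk` and `./sonar-scanner` context directories are assumed.

```shell
#!/bin/sh
# Added example, not the repository's build-sonar-scanner.sh: helpers that
# implement the review points above for the client -> jdk -> sonar-scanner
# chain: an early guard for the required ONEC_* variables, the canonical
# DOCKER_REGISTRY_URL prefix, and tagging each image with both its version and
# latest. Commands are composed as text and printed (dry run), so nothing here
# talks to Docker. Written in POSIX sh so it also works when invoked as sh.

# Fail fast with one message naming every missing variable. eval gives the
# indirect lookup portably; bash's ${!var} would do the same under bash only.
require_env() {
  missing=''
  for var in "$@"; do
    eval "val=\${$var:-}"
    [ -n "$val" ] || missing="$missing $var"
  done
  if [ -n "$missing" ]; then
    echo "Required environment variable(s) not set:$missing" >&2
    return 1
  fi
}

# Canonical prefix: empty registry -> bare name, else "registry/name". Same
# result as the Dockerfile form ${DOCKER_REGISTRY_URL:+"$DOCKER_REGISTRY_URL/"}.
image_ref() {  # image_ref <name> <tag>
  printf '%s%s:%s' "${DOCKER_REGISTRY_URL:+$DOCKER_REGISTRY_URL/}" "$1" "$2"
}

# Both tags for one image, in the -t form docker build expects.
tag_args() {  # tag_args <name> <version>
  printf '%s %s %s %s' -t "$(image_ref "$1" "$2")" -t "$(image_ref "$1" latest)"
}

# Compose the build command for one stage of the chain (dry run).
build_cmd() {  # build_cmd <name> <base_image> <context_dir> [ARG=value ...]
  name=$1; base=$2; ctx=$3; shift 3
  cmd="docker build $(tag_args "$name" "$ONEC_VERSION")"
  cmd="$cmd --build-arg DOCKER_REGISTRY_URL=${DOCKER_REGISTRY_URL:-}"
  cmd="$cmd --build-arg BASE_IMAGE=$base --build-arg BASE_TAG=$ONEC_VERSION"
  for a in "$@"; do cmd="$cmd --build-arg $a"; done
  [ "${NO_CACHE:-}" = 'true' ] && cmd="$cmd --no-cache"
  printf '%s %s\n' "$cmd" "$ctx"
}

# The jdk and sonar-scanner stages as build-sonar-scanner.sh builds them
# (OPENJDK_VERSION defaults to 21, as in the commit above). Guard runs first.
main() {
  require_env ONEC_USERNAME ONEC_PASSWORD ONEC_VERSION || return 1
  build_cmd onec-client-jdk onec-client ./jdk "OPENJDK_VERSION=${SONAR_JDK_VERSION:-21}"
  build_cmd onec-sonar-scanner onec-client-jdk ./sonar-scanner
}

# Constructed demo values; only runs when the script is invoked with "demo".
if [ "${1:-}" = 'demo' ]; then
  DOCKER_REGISTRY_URL=registry.example ONEC_USERNAME=demo ONEC_PASSWORD=demo \
  ONEC_VERSION=8.3.24.1467 main
fi
```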
…v guard
- sonar-scanner/Dockerfile: multi-stage build (download in a builder stage, runtime layer no longer touches apt); align FROM with the canonical registry-prefix pattern; keep final image non-root.
- oscript/Dockerfile: pick the Mono repo suite from the actual base distro via /etc/os-release (Debian -> stable-buster, Ubuntu -> stable-focal) instead of hardcoding, so debian and ubuntu bases both resolve.
- build-sonar-scanner.sh: validate required ONEC_* env vars up front.
The oscript-agent images build oscript (Mono) directly on eclipse-temurin:17, which now resolves to a newer Ubuntu where Mono's packages (published only up to Ubuntu focal) are not installable, so the build fails at the mono install. Pin the base to the focal-based JDK 17 image so the OS matches Mono's focal repo. Other build paths already use focal-based Ubuntu and are unaffected.
What was done
New `onec-sonar-scanner` image with SonarScanner CLI on top of the `client` + `jdk` layers (no VNC).
Image
- `sonar-scanner/Dockerfile`: built on top of `client + jdk` via the standard `ARG BASE_IMAGE/BASE_TAG/DOCKER_REGISTRY_URL`. Downloads SonarScanner CLI into `/opt/sonar-scanner` and adds it to `PATH`. Java comes from the `jdk` layer. `ARG SONAR_SCANNER_VERSION` (default `5.0.1.3006`). `unzip` is removed after extraction, the apt cache is cleaned. Runs as `usr1cv8`, `WORKDIR /usr/src`, `CMD ["sonar-scanner"]`. `SONAR_SCANNER_SKIP_JRE_PROVISIONING=true`: Java is provided by the `jdk` layer, so there is no need to download a JRE from the server.
Build scripts
- `build-sonar-scanner.sh` / `build-sonar-scanner.bat`: build the whole layer chain `oscript-downloader → onec-client → onec-client-jdk → onec-sonar-scanner` following the pattern of the other scripts (login/prune/push, `NO_CACHE` support).
CI
- `.github/workflows/build.yml`: `build-sonar-scanner.sh` added to the build matrix list.
Documentation
- `Layers.md`: section with the `client → jdk → sonar-scanner` stack and links to the scripts.
- `README.md`: SonarScanner section plus an "Отдельные образы" ("Separate images") item under "Как сбилдить образы" ("How to build the images").
- `Makefile`: `sonar-scanner` target based on `onec-client-jdk`.
Checks
- `build.yml` is valid, `bash -n` on the script is clean, `.bat` indentation matches `build-crs.bat`.
https://claude.ai/code/session_0172sYatuatmTxzCafudjtXn
Generated by Claude Code