test/ci: add sonarqube scan

Adding sonarqube scan to the pipeline.

.gitlab-ci.yml

@@ -476,6 +476,16 @@ SCHEDULED_CLOUD_CLEANER:
     - schutzbot/deploy.sh
     - schutzbot/scheduled_cloud_cleaner.sh
 
+SonarQube:
+  stage: test
+  extends: .terraform
+  script:
+    - schutzbot/sonarqube.sh
+  variables:
+    RUNNER: aws/centos-stream-8-x86_64
+    INTERNAL_NETWORK: "true"
+    GIT_DEPTH: 0
+
 finish:
   stage: finish
   tags:

schutzbot/sonarqube.sh

@@ -0,0 +1,30 @@
+#!/bin/bash
+
+set -euxo pipefail
+
+SONAR_SCANNER_CLI_VERSION=${SONAR_SCANNER_CLI_VERSION:-4.6.2.2472}
+
+export SONAR_SCANNER_OPTS="-Djavax.net.ssl.trustStore=schutzbot/RH-IT-Root-CA.keystore -Djavax.net.ssl.trustStorePassword=$KEYSTORE_PASS"
+sudo dnf install -y unzip
+curl "https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-$SONAR_SCANNER_CLI_VERSION-linux.zip" -o sonar-scanner-cli.zip
+unzip -q sonar-scanner-cli.zip
+
+SONAR_SCANNER_CMD="$(pwd)/sonar-scanner-$SONAR_SCANNER_CLI_VERSION-linux/bin/sonar-scanner"
+
+$SONAR_SCANNER_CMD -Dsonar.projectKey=osbuild:osbuild-composer \
+                   -Dsonar.sources=. \
+                   -Dsonar.host.url=https://sonarqube.corp.redhat.com \
+                   -Dsonar.login="$SONAR_SCANNER_TOKEN" \
+                   -Dsonar.pullrequest.branch="$CI_COMMIT_BRANCH" \
+                   -Dsonar.pullrequest.key="$CI_COMMIT_SHA" \
+                   -Dsonar.pullrequest.base="main" \
+                   -Dsonar.c.file.suffixes=-
+
+SONARQUBE_URL="https://sonarqube.corp.redhat.com/dashboard?id=osbuild%3Aosbuild-composer&pullRequest=$CI_COMMIT_SHA"
+# Report back to GitHub
+curl \
+    -u "${SCHUTZBOT_LOGIN}" \
+    -X POST \
+    -H "Accept: application/vnd.github.v3+json" \
+    "https://api.github.com/repos/osbuild/osbuild-composer/statuses/${CI_COMMIT_SHA}" \
+    -d '{"state":"success", "description": "SonarQube scan sent for analysis", "context": "SonarQube", "target_url": "'"${SONARQUBE_URL}"'"}'