Docker sonar-scanner-cli:10 misses cURL

The latest version (10) of the Docker image sonar-scanner-cli is missing the cURL binary. The earlier version (5) has it.

root@sample-host:~ docker exec -it sonar-cli-5 bash
7ae33b19d2e7:/usr/src ls -l /usr/bin/curl
-rwxr-xr-x    1 root     root        260104 Jul 26  2023 /usr/bin/curl
7ae33b19d2e7:/usr/src
exit
root@sample-host:~ docker exec -it sonar-cli-10 bash
7ba9ae27268d:/usr/src$ ls -l /usr/bin/curl
ls: /usr/bin/curl: No such file or directory

Hey there.

We indeed removed it on purpose since it wasn’t serving any purpose for the core functionality of the docker image.

Is it too much to ask to install it on top of the docker image?

Hi, thanks for reply!
I use cURL in a GitLab CI/CD job to utilize secure files. I must get the download-secure-files tool to download the files in the job. So the example code looks like this:

before_script:
    - curl --silent "https://gitlab.com/gitlab-org/incubation-engineering/mobile-devops/download-secure-files/-/raw/main/installer" | bash

In my use case I need to use custom Java Trust Store

export SONAR_SCANNER_OPTS="-Djavax.net.ssl.trustStore=$CI_PROJECT_DIR/.secure_files/cacerts"

which is loaded from secure file.

Installation of new packages via apk is now more complicated, since the entrypoint in a container started from the newest image (10) runs commands as a regular user (not root). Also, building a custom image only to get cURL is in my opinion pointless.


I’ll pass on the feedback to the right place. Thanks for your patience, and keep using the older version if you need (not that you need my permission :laughing:)

Hi @Tomasz,

thanks for the feedback; we consider every input from our community. To better understand the issue:
Would ‘wget’, which is already available on the image, work for you for that specific use case?

We would like to support you with a usable image as much as possible, but we also need to limit unused packages and possible sources of security vulnerabilities.

Thanks
Csaba

Hi,
in my specific use case “curl” will be needed because of the download-secure-files requirement:

This installer will:

  1. Detect the target platform, and download the appropriate distribution
  2. Copy the distribution to the bin directory as download-secure-files
  3. Make download-secure-files executable
  4. Run download-secure-files
    Please note:
    This will only work on Linux and macOS systems
    curl is required

Hi Tomasz,

I know that is not the most convenient solution so far. Is there a reason not to use a separate stage to download the secure files and reuse them in the Sonar step?
I understand that it may be extra work on your side; however, we would like to concentrate on using our image for the scan functionalities.
We will reconsider the packages on the images from time to time, but so far, we would like to keep them in their current form.

Thanks
Csaba
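The two-stage layout Csaba suggests above, combined with the trust-store setup from Tomasz's earlier post, as an added example of a GitLab CI pipeline. This is not code from the thread or from SonarSource: the job names, the `alpine:3` image used for the download step, the `entrypoint: [""]` override, the one-hour artifact expiry, and the `SONAR_HOST_URL`/`SONAR_TOKEN` CI/CD variables are all assumptions. The secure files are fetched in a job whose image has (or can install) curl, handed over as an artifact, and consumed by the scan job running the curl-less `sonar-scanner-cli:10` image.

```yaml
# Added example (not from the thread): two-stage pipeline so the
# sonar-scanner-cli image never needs curl itself.
stages:
  - prepare
  - scan

fetch-secure-files:
  stage: prepare
  image: alpine:3                 # assumption: any image where root can add packages
  before_script:
    - apk add --no-cache curl bash # the installer needs curl and is piped into bash
  script:
    # Same installer command as in the original job, moved out of the Sonar image.
    - curl --silent "https://gitlab.com/gitlab-org/incubation-engineering/mobile-devops/download-secure-files/-/raw/main/installer" | bash
    # Only the trust store is needed downstream; keep the artifact to that file.
    - test -f .secure_files/cacerts
  artifacts:
    paths:
      - .secure_files/cacerts
    expire_in: 1 hour             # assumption: short retention for the artifact

sonar-scan:
  stage: scan
  image:
    name: sonarsource/sonar-scanner-cli:10   # the version discussed in the thread
    entrypoint: [""]                         # assumption: let GitLab run `script` directly
  needs:
    - job: fetch-secure-files
      artifacts: true                        # pulls .secure_files/cacerts into this job
  script:
    # Fail early if the trust store did not arrive, instead of a late TLS error.
    - test -f "$CI_PROJECT_DIR/.secure_files/cacerts" || { echo "trust store missing"; exit 1; }
    # Same JVM option as in the original post, now pointing at the artifact.
    - export SONAR_SCANNER_OPTS="-Djavax.net.ssl.trustStore=$CI_PROJECT_DIR/.secure_files/cacerts"
    # SONAR_HOST_URL and SONAR_TOKEN are assumed to be masked CI/CD variables.
    - sonar-scanner
```

Two points worth keeping in mind with this layout. The `prepare` job runs as root inside a throwaway image, so installing curl there does not require touching the scanner image or its non-root entrypoint. And because job artifacts are downloadable by anyone with access to the project's pipelines, restricting the artifact path to the trust store (rather than the whole `.secure_files/` directory) and giving it a short `expire_in` keeps any other secure files out of the artifact store.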

Hi,
I understand and acknowledge your point. I will handle it by implementing the workaround you suggested or come up with another solution of my own.
Thank you for your assistance!


Hi @stept,

I wanted to inform you that we have changed the base image for SonarSource/sonar-scanner-cli in the latest 11 version. It should have curl installed.

The curl here comes from the base image, which will be patched and controlled by AWS. We do not necessarily intend to have a curl on the image, but we will have it until the base image provides it, which seems stable for a while.
The latest tag has not yet been updated, so you need to be specific with the version numbers to have the latest changes.

Thanks
Csaba


Hi,
thank you for the update and the information!