SonarQube
Continuously inspecting the Code Quality and Security of your codebases
What is SonarQube?
SonarQube is a code quality and security platform that performs in-depth static analysis of source code and generates an analysis report so that teams can judge the reliability, maintainability and security of what they ship. It is a static (SAST-style) analyzer: it inspects source and, for compiled languages, build output, but it does not execute the application. SonarQube was founded in 2007, initially under the name Sonar, with the driving philosophy that “continuous inspection must become as mainstream as continuous integration.”
It runs a large rule set and a metrics engine on every analysis, can import the reports of third-party static analyzers and coverage tools, and lets quality be measured continually over time. Everything from minor styling choices to design errors is inspected and evaluated. This gives users a rich, searchable history of the code base, so they can see where the code is going wrong and determine whether the problem is a styling issue, a code defect, code duplication, a lack of test coverage, or excessively complex code.
Why Do We Need to Use SonarQube?
SonarQube improves productivity by enabling development teams to identify and eliminate redundant and duplicated code. It makes it easier for team members to reduce application size, code complexity, and the time and cost of maintenance, and to make code easier to read and understand.
Dynamic Code Analysis
Dynamic code analysis, in its security form known as dynamic application security testing (DAST), is a method of analyzing software while it is running to find vulnerabilities, performance issues and other problems. A DAST tool uses a dictionary of known attack patterns and malicious inputs to “fuzz” an application and watches how it responds (error messages, crashes, timing, data that should not be visible). Examples of these potentially malicious inputs include:
- SQL fragments and quote characters (to identify SQL injection vulnerabilities)
- Long input strings (to trigger buffer overflow vulnerabilities)
- Negative and very large positive numbers (to detect integer overflow and underflow vulnerabilities)
- Unexpected input data such as empty values, wrong types and control characters (to trigger invalid assumptions made by developers)
Note that SonarQube itself does none of this: it is a static analyzer, so a DAST scanner complements rather than replaces it.
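To make the input classes above concrete, here is an added example (not from the original article, and not a real DAST product) in Python: a miniature fuzz harness that drives a constructed, deliberately naive application (an in-memory SQLite search endpoint and a page lookup) with each class of input and classifies the outcomes the way a scanner would: leaked database errors, unhandled exceptions, and results that expose data a normal query never returns. The payload values, endpoint names and the target application are all assumptions made for the demo.

```python
"""Miniature DAST-style fuzz harness (added example; the target is constructed)."""
import sqlite3

def make_app():
    """Constructed target: a search endpoint that splices user input into SQL,
    and a page lookup that trusts the client to send a small non-negative integer."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, secret INTEGER)")
    conn.executemany("INSERT INTO products (name, secret) VALUES (?, ?)",
                     [("apple", 0), ("banana", 0), ("internal-beta", 1)])

    def search(term):
        # Vulnerable on purpose: string concatenation instead of a bound parameter.
        q = "SELECT name FROM products WHERE name LIKE '%" + term + "%' AND secret = 0"
        return [row[0] for row in conn.execute(q)]

    def get_page(index_str):
        pages = ["page0", "page1", "page2"]
        return pages[int(index_str)]          # assumes a well-formed, in-range index

    return search, get_page

# Dictionary of inputs, grouped by the classes listed in the text (assumed values).
PAYLOADS = {
    "sql": ["'", "' OR '1'='1", "%' OR 1=1 --"],
    "long": ["A" * 10_000],
    "numeric": ["-1", "9" * 20],
    "unexpected": ["", "page1.5", "\x00"],
}

def probe(endpoint, payload):
    """Send one payload to one endpoint and classify the outcome like a DAST tool."""
    try:
        result = endpoint(payload)
    except sqlite3.OperationalError as e:
        return "sql-error-leak", str(e)        # error-based SQL injection signal
    except Exception as e:
        return "unhandled-" + type(e).__name__, str(e)   # crash / 500-style failure
    return "ok", result

def fuzz(app_factory=make_app):
    """Run every payload against every endpoint; return (endpoint, class, payload, verdict)."""
    search, get_page = app_factory()
    findings = []
    for cls, payloads in PAYLOADS.items():
        for p in payloads:
            for name, endpoint in (("search", search), ("get_page", get_page)):
                verdict, detail = probe(endpoint, p)
                # Differential check: a search that "succeeds" but returns a row the
                # endpoint is supposed to hide (secret = 1) is a data-exposure signal.
                if name == "search" and verdict == "ok" and "internal-beta" in detail:
                    verdict = "data-leak"
                if verdict != "ok":
                    findings.append((name, cls, p[:20], verdict))
    return findings

if __name__ == "__main__":
    for f in fuzz():
        print("%-9s %-10s %-22r %s" % f)
```

The single quote produces a database error message (error-based detection), the two boolean payloads return the hidden row (differential detection), and the numeric and malformed inputs crash the page lookup; a real scanner does the same over HTTP, looking for stack traces, status codes and response differences instead of Python exceptions.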
Static Code Analysis
Static Code Analysis (also known as Source Code Analysis) is usually performed as part of a code review (white-box testing) and is carried out in the implementation phase of a Security Development Lifecycle (SDL). The term commonly refers to running static analysis tools that attempt to highlight possible vulnerabilities in ‘static’ (non-running) source code by using techniques such as taint analysis and data flow analysis: tracking where untrusted data enters the program (a source) and whether it can reach a dangerous operation (a sink) without being sanitized on the way. Typical outputs of static analysis are:
- Detection of bugs and vulnerabilities in programs.
- Recommendations on code style and formatting.
- Metrics computation (complexity, duplication, coverage), which gives you back a rating of how well your code is written.
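To show what taint and data flow analysis actually compute, here is an added example (not the original article's code and not SonarQube's analyzer) in Python: a toy taint tracker over Python source using the standard-library ast module. Untrusted data enters at a source (input, request.args.get), flows through assignments, concatenation and f-strings, and is reported when it reaches a sink (os.system, subprocess.call, cursor.execute, eval) without passing through a sanitizer. The source, sink and sanitizer lists and the sample program are assumptions chosen for the demo; a production analyzer also follows flows across functions, branches and files.

```python
"""Toy taint analysis over Python source with the ast module (added example)."""
import ast

# Assumed for the demo: where untrusted data enters, where it must not reach,
# and which calls neutralise it.
SOURCES = {"input", "request.args.get", "os.environ.get"}
SINKS = {"os.system", "subprocess.call", "cursor.execute", "eval"}
SANITIZERS = {"shlex.quote", "int"}

def dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = dotted(node.value)
        return base + "." + node.attr if base else None
    return None

class Tainter(ast.NodeVisitor):
    def __init__(self):
        self.tainted = set()    # variables currently holding untrusted data
        self.findings = []      # (line number, sink name)

    def is_tainted(self, node):
        """Data-flow rule: an expression is tainted if untrusted data can reach it."""
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        if isinstance(node, ast.Call):
            name = dotted(node.func)
            if name in SOURCES:
                return True
            if name in SANITIZERS:
                return False            # sanitizer output is trusted
            return any(self.is_tainted(a) for a in node.args)
        if isinstance(node, ast.BinOp):      # "cmd " + user, "sql %s" % user
            return self.is_tainted(node.left) or self.is_tainted(node.right)
        if isinstance(node, ast.JoinedStr):  # f"cmd {user}"
            return any(self.is_tainted(v.value) for v in node.values
                       if isinstance(v, ast.FormattedValue))
        return False

    def visit_Assign(self, node):
        for target in node.targets:
            if isinstance(target, ast.Name):
                if self.is_tainted(node.value):
                    self.tainted.add(target.id)
                else:
                    self.tainted.discard(target.id)   # clean reassignment kills taint
        self.generic_visit(node)

    def visit_Call(self, node):
        name = dotted(node.func)
        if name in SINKS and any(self.is_tainted(a) for a in node.args):
            self.findings.append((node.lineno, name))
        self.generic_visit(node)

def analyze(source):
    """Return [(line, sink), ...] for every tainted value that reaches a sink."""
    tainter = Tainter()
    tainter.visit(ast.parse(source))
    return tainter.findings

# Constructed sample program; it is only parsed, never executed.
SAMPLE = '''\
import os, shlex, subprocess
user = input("host: ")
os.system("ping -c1 " + user)                     # line 3: tainted -> sink
safe = shlex.quote(user)
os.system("ping -c1 " + safe)                     # line 5: sanitized, no finding
n = int(input("count: "))
subprocess.call(["sleep", str(n)])                # line 7: int() sanitized
cmd = f"ls {user}"
subprocess.call(cmd, shell=True)                  # line 9: tainted via f-string
cursor.execute("SELECT * FROM users WHERE name = '%s'" % user)   # line 10
'''

if __name__ == "__main__":
    for line, sink in analyze(SAMPLE):
        print("line %d: untrusted data reaches %s" % (line, sink))
```

Lines 3, 9 and 10 are reported; lines 5 and 7 are not, because the value passed through a sanitizer before reaching the sink. That distinction between a flow and a sanitized flow is exactly what separates a taint-aware rule from a pattern match on "os.system(".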
SonarQube Benefits
So why not just take existing, proven tools and configure them in the CI server ourselves? SonarQube offers a lot of benefits over that approach:
- CI tools do not have a plugin that makes all of these tools work together easily.
- CI tools do not have plugins that provide the drill-down features SonarQube offers.
- CI plugins do not report an overall compliance value.
- CI plugins do not provide a managerial perspective.
- There is no CI plugin for design or architectural issues.
- CI plugins do not provide a dashboard for overall project quality.
Installation of SonarQube
1. Prerequisites
Before installing SonarQube, ensure that your environment meets the following prerequisites:
- Java: SonarQube requires a supported Java runtime. The 9.x releases run on Java 11 or 17; 10.x and later require Java 17. Check the requirements page for the version you download.
- Install Java by running:
sudo apt install openjdk-11-jdk
or for Java 17
sudo apt install openjdk-17-jdk
Database: SonarQube requires a database to store its data.
- For production use, SonarQube supports PostgreSQL, Oracle and Microsoft SQL Server (MySQL support was removed in SonarQube 7.9). For evaluation, SonarQube can run with an embedded H2 database, but this must not be used in production: it is not supported there and cannot be upgraded between versions.
- Install PostgreSQL:
sudo apt install postgresql postgresql-contrib
2. Download and Install SonarQube
- Download SonarQube from the official SonarQube download page. Choose the version appropriate for your operating system.
- Extract the SonarQube package after downloading:
unzip sonarqube-<version>.zip -d /opt/
- Replace <version> with the version of SonarQube you downloaded. SonarQube's embedded Elasticsearch refuses to run as root, so create a dedicated unprivileged user, give it ownership of the extracted directory, and run the remaining steps as that user.
- Move to the SonarQube directory:
cd /opt/sonarqube-<version>
3. Configure SonarQube
- Navigate to the conf directory inside SonarQube's installation folder:
cd conf
- Open the sonar.properties file to configure the database and other settings:
sudo nano sonar.properties
- Set up the database connection details. For example, for PostgreSQL, add the following settings (use a strong, unique password instead of the placeholder, and keep the file readable only by the SonarQube user, since it holds that password in clear text):
sonar.jdbc.username=sonar
sonar.jdbc.password=sonar_password
sonar.jdbc.url=jdbc:postgresql://localhost/sonarqube
- Ensure you’ve set up a PostgreSQL database for SonarQube:
sudo -u postgres psql
CREATE DATABASE sonarqube;
CREATE USER sonar WITH ENCRYPTED PASSWORD 'sonar_password';
GRANT ALL PRIVILEGES ON DATABASE sonarqube TO sonar;
On PostgreSQL 15 and later the public schema is no longer writable by every role, so also make sonar the owner of the database (or grant it CREATE on the public schema); otherwise SonarQube fails to create its tables on first start.
- You may also want to configure the address and port SonarQube listens on (by default it listens on port 9000 on all interfaces, so it is reached as localhost:9000 from the host itself):
sonar.web.host=0.0.0.0
sonar.web.port=9000
Listening on 0.0.0.0 exposes the server on every network interface over plain HTTP. On anything other than a lab machine, bind it to 127.0.0.1 and put a reverse proxy with TLS in front of it, or at least firewall the port; otherwise analysis tokens and login credentials travel in clear text.
4. Start SonarQube
- Navigate to the bin directory, which contains platform-specific folders, and start the server as the unprivileged SonarQube user (not as root):
cd /opt/sonarqube-<version>/bin/linux-x86-64
./sonar.sh start
On Linux the embedded Elasticsearch also requires the kernel settings vm.max_map_count of at least 524288 and fs.file-max of at least 131072, and the SonarQube user must be allowed at least 131072 open file descriptors; if these limits are too low the server stops during startup and logs the reason.
- Check the logs to ensure SonarQube started correctly:
tail -f /opt/sonarqube-<version>/logs/sonar.log
The per-component logs es.log, web.log and ce.log in the same directory show the errors that sonar.log only summarizes.
- You can also stop or restart SonarQube using:
./sonar.sh stop
./sonar.sh restart
5. Access SonarQube
- Open your web browser and navigate to http://localhost:9000 (or your configured IP/port).
- Log in with the default credentials:
- Username: admin
- Password: admin
- You will be prompted to change the password after the first login. Do this before the server is reachable from any network: the default credentials are public knowledge, and anyone who logs in as admin can read every analyzed project's source and create analysis tokens.
6. Install SonarScanner
SonarScanner is the client-side tool that analyzes your project's code and sends the results to the SonarQube server.
- Download the SonarScanner CLI from the official download page.
- Extract it and configure the path:
unzip sonar-scanner-cli-<version>.zip -d /opt/
- Add the sonar-scanner binary to your path (put the same line in your shell profile to make it permanent):
export PATH=$PATH:/opt/sonar-scanner-<version>/bin
- Verify the installation:
sonar-scanner --version
7. Analyze a Project with SonarScanner
For a basic project, you can analyze it with the following steps:
- Navigate to your project directory.
- Create a sonar-project.properties file in the root of the project with the following basic configuration:
sonar.projectKey=my_project_key
sonar.projectName=My Project
sonar.projectVersion=1.0
sonar.sources=.
sonar.host.url=http://localhost:9000
- Generate a token in SonarQube (My Account > Security) and pass it at run time rather than writing it into sonar-project.properties, which is normally committed to the repository. The property is sonar.token on SonarQube 10.0 and later; sonar.login is the older name and is deprecated (use it only with 9.x servers). Run the scanner in the project directory:
sonar-scanner -Dsonar.token=your_sonarqube_token
8. SonarQube with CI/CD
You can integrate SonarQube with your CI/CD pipeline (e.g., GitHub Actions, Jenkins, Azure Pipelines). The pipeline must check out the repository with its history, build the project where the analyzer needs compiled output (Java, C#, C/C++), and run SonarScanner, which triggers the analysis. The runner needs two things: network access to the SonarQube server, and the analysis token supplied as a CI secret, never written into the workflow file or the repository.
Example GitHub Actions workflow
name: SonarQube
on:
  push:
    branches:
      - main
jobs:
  sonar:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0   # full history, so SonarQube can attribute new issues to the right commit
      - name: SonarQube Scan
        uses: SonarSource/sonarqube-scan-action@v4   # wraps the SonarScanner CLI
        env:
          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
          SONAR_HOST_URL: ${{ secrets.SONAR_HOST_URL }}
        with:
          args: >
            -Dsonar.projectKey=my_project_key
            -Dsonar.sources=.
This workflow runs a SonarQube analysis every time a push is made to the main branch. The official SonarSource action downloads the scanner itself (there is no sonar-scanner package in the Ubuntu repositories) and reads the server URL and token from the SONAR_HOST_URL and SONAR_TOKEN repository secrets. A hosted runner cannot reach a server on your own localhost:9000, so the URL must point to an instance the runner can reach, and the token (created under My Account > Security) must never appear in the workflow file. The action passes the token as sonar.token on SonarQube 10.x and later and as sonar.login on 9.x.
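Triggering the analysis is only half of the integration; the pipeline should also fail when the quality gate fails. The scanner can do this itself with -Dsonar.qualitygate.wait=true, but a separate gate step is useful when you want custom reporting or to gate a later deployment stage. The following is an added example (not part of the original article and not SonarSource code) in Python: it queries the Web API endpoint /api/qualitygates/project_status and exits non-zero when the gate is not OK, listing the failed conditions. It assumes SonarQube 10.x or later, where a token is sent as a Bearer header (9.x uses HTTP Basic with the token as the user name), and that SONAR_HOST_URL, SONAR_TOKEN and SONAR_PROJECT_KEY are set in the CI environment; without them it evaluates a constructed sample payload so it can be run offline.

```python
"""CI quality-gate check against the SonarQube Web API (added example)."""
import json
import os
import sys
import urllib.parse
import urllib.request

def fetch_project_status(host_url, project_key, token):
    """GET /api/qualitygates/project_status for one project (network call).
    Assumes SonarQube 10.x+ Bearer-token authentication."""
    url = (host_url.rstrip("/") + "/api/qualitygates/project_status?"
           + urllib.parse.urlencode({"projectKey": project_key}))
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def evaluate(payload):
    """Turn the API payload into (passed, failed_conditions).
    Each failed condition becomes a readable string such as 'new_coverage: 52.3 LT 80'."""
    status = payload["projectStatus"]
    failed = []
    for cond in status.get("conditions", []):
        if cond.get("status") in ("ERROR", "WARN"):
            failed.append("{}: {} {} {}".format(
                cond["metricKey"], cond.get("actualValue", "?"),
                cond.get("comparator", "?"), cond.get("errorThreshold", "?")))
    return status["status"] == "OK", failed

# Constructed sample payload mirroring the endpoint's shape (no server needed).
SAMPLE_PAYLOAD = {
    "projectStatus": {
        "status": "ERROR",
        "conditions": [
            {"status": "OK", "metricKey": "new_reliability_rating",
             "comparator": "GT", "errorThreshold": "1", "actualValue": "1"},
            {"status": "ERROR", "metricKey": "new_security_rating",
             "comparator": "GT", "errorThreshold": "1", "actualValue": "4"},
            {"status": "ERROR", "metricKey": "new_coverage",
             "comparator": "LT", "errorThreshold": "80", "actualValue": "52.3"},
        ],
    }
}

def main():
    host = os.environ.get("SONAR_HOST_URL")
    token = os.environ.get("SONAR_TOKEN")
    key = os.environ.get("SONAR_PROJECT_KEY")
    if host and token and key:
        payload = fetch_project_status(host, key, token)
    else:
        print("SONAR_* variables not set; evaluating the constructed sample payload")
        payload = SAMPLE_PAYLOAD
    passed, failed = evaluate(payload)
    print("quality gate:", "PASSED" if passed else "FAILED")
    for item in failed:
        print("  -", item)
    return 0 if passed else 1   # non-zero exit status fails the CI job

if __name__ == "__main__":
    sys.exit(main())
```

Run it as a step after the scanner. Analysis reports are processed asynchronously by the compute engine, so call it only once the background task for this analysis has finished (the scanner writes the task id to report-task.txt under .scannerwork, which can be polled at /api/ce/task); otherwise the status you read may belong to the previous analysis.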