Deploying SonarQube on CentOS with Docker

Deploying the open-source code audit and analysis platform SonarQube on CentOS in a Docker environment

Strengths of SonarQube:

  1. A platform for scanning and analysing code quality and code security
  2. Strengthens the development workflow through continuous quality and security checks
  3. Analyses code along several dimensions: size, security issues, coding conventions, duplication, complexity, new code, test coverage, and more
  4. Supports 29 programming languages
  5. Integrates with code editors (IDEs) and CI/CD platforms

SonarQube applies static application security testing (SAST) to find security problems in source code so that the development team can fix them at the source. The built-in Vulnerabilities module detects security vulnerabilities, each with a detailed description and highlighting of the risky code so developers can fix it according to the guidance. The built-in Security Hotspots module flags security-sensitive code that needs manual review: a reviewer decides whether it is a vulnerability that must be fixed or can be marked safe, which lets security compliance be tracked over the whole lifecycle.

Deploying Docker on CentOS

See the separate post, Deploying Docker on CentOS.

Deploying SonarQube

Operating system: CentOS Linux release 7.9.2009 (Core)
Docker: Docker version 20.10.12, build e91ed57
SonarQube: 9.5
Virtual CPUs: 4   Memory: 8 GB   Disk: 50 GB

Search for the SonarQube container image

sudo docker search sonarqube

Pull the SonarQube container image

sudo docker pull sonarqube

As of June 2022 the official documentation recommends the latest Community Edition, 9.5; the matching pull command is sudo docker pull sonarqube:9.5-community. Pulling plain "sonarqube" resolves to the floating latest tag, so a later pull on another host may return a different version; pin the tag when the deployment needs to be reproducible.

Create and start the SonarQube container. --name names the container sonarqube; -p maps container port 9000 to host port 9000 (SonarQube's embedded web server listens on 9000, not 80); the three -v flags mount named volumes for data, extensions and logs so they survive re-creating the container (they set no environment variables). No JDBC properties are passed, so SonarQube falls back to its embedded H2 database. The official documentation does not support MySQL/MariaDB; the supported databases are PostgreSQL, Oracle and SQL Server, with H2 provided for evaluation only: it cannot be upgraded between versions and its contents should be treated as disposable. Because this instance is used only to test code security, the default H2 is kept to avoid installing a database. One host prerequisite: the embedded Elasticsearch needs vm.max_map_count of at least 262144 on the Docker host (sysctl -w vm.max_map_count=262144), otherwise the container exits shortly after starting.

sudo docker run -it -d -p 9000:9000 --name sonarqube -v sonarqube_data:/opt/sonarqube/data -v sonarqube_extensions:/opt/sonarqube/extensions -v sonarqube_logs:/opt/sonarqube/logs sonarqube

By default SonarQube is reached over plain HTTP at the host's IP address on host port 9000. The default username and password are both admin, and the first login forces a password change. Because the UI session and, later, the scanner's analysis token travel in clear text, put a TLS reverse proxy in front of port 9000 or restrict it with the host firewall on anything other than a lab host.

http://localhost:9000
username:admin
password:admin
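The deployment above, as an added example that is not part of the original post: it checks the vm.max_map_count prerequisite that the Elasticsearch inside SonarQube needs, starts the container from a pinned tag, and then polls the public /api/system/status endpoint until it reports UP instead of guessing when the UI is ready. The pinned image tag, host port and the 5-minute wait are assumptions; the sample JSON in the usage is constructed to look like the endpoint's real response.

```shell
#!/bin/sh
# Added example, not from the original post or the SonarQube project.
# Assumptions: Docker is installed, the host is Linux, port 9000 is free,
# and the script is run as root (sysctl -w and docker need it).

SONAR_IMAGE="sonarqube:9.5-community"   # pinned tag instead of the floating "sonarqube"
SONAR_PORT="${SONAR_PORT:-9000}"
MIN_MAP_COUNT=262144                    # documented minimum for Elasticsearch

# Return 0 when a vm.max_map_count value is high enough for Elasticsearch.
map_count_ok() {
    [ "$1" -ge "$MIN_MAP_COUNT" ]
}

# Raise vm.max_map_count if it is too low and make the change persistent.
ensure_max_map_count() {
    current=$(sysctl -n vm.max_map_count)
    if map_count_ok "$current"; then
        return 0
    fi
    echo "vm.max_map_count=$current is below $MIN_MAP_COUNT; raising it" >&2
    sysctl -w vm.max_map_count="$MIN_MAP_COUNT"
    echo "vm.max_map_count=$MIN_MAP_COUNT" > /etc/sysctl.d/99-sonarqube.conf
}

# Extract the "status" field from /api/system/status JSON (UP, STARTING, DOWN, ...).
# The document is flat, so a sed capture is enough and avoids a jq dependency.
parse_system_status() {
    printf '%s' "$1" | sed -n 's/.*"status" *: *"\([A-Z_]*\)".*/\1/p'
}

# Print (do not run) the docker command so it can be reviewed before use.
docker_run_cmd() {
    printf 'docker run -d --name sonarqube -p %s:9000 -v %s -v %s -v %s %s\n' \
        "$SONAR_PORT" \
        "sonarqube_data:/opt/sonarqube/data" \
        "sonarqube_extensions:/opt/sonarqube/extensions" \
        "sonarqube_logs:/opt/sonarqube/logs" \
        "$SONAR_IMAGE"
}

# Poll the status endpoint every 5 s for up to 5 minutes.
wait_for_up() {
    url="http://127.0.0.1:$SONAR_PORT/api/system/status"
    i=0
    while [ "$i" -lt 60 ]; do
        body=$(curl -fsS "$url" 2>/dev/null || true)
        if [ "$(parse_system_status "$body")" = "UP" ]; then
            echo "SonarQube is UP on port $SONAR_PORT"
            return 0
        fi
        i=$((i + 1))
        sleep 5
    done
    echo "SonarQube did not reach UP in time; inspect 'docker logs sonarqube'" >&2
    return 1
}

deploy() {
    ensure_max_map_count
    eval "$(docker_run_cmd)"
    wait_for_up
}

# Only act when invoked as:  sh deploy_sonarqube.sh deploy
if [ "${1:-}" = "deploy" ]; then
    deploy
fi
```

If the container keeps restarting, "docker logs sonarqube" almost always shows the Elasticsearch bootstrap check complaining about max_map_count; that is the check ensure_max_map_count performs before the container is started.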

[Image 1]

[Image 2]
SonarQube offers several ways to set up analysis; any of them can be chosen from Create Project. Here Manually is selected, then a project name and key are entered; nextcloud is used as the test project.

[Image 3] Select Locally

[Image 4] Select Generate, then Continue

[Image 5]

Because Nextcloud is written in PHP and runs on Linux, select PHP and Linux, then click Copy to copy the Execute command. The page also asks you to Download and unzip the Scanner for Linux; following that link shows the current sonar-scanner version and downloads sonar-scanner-cli-x.x.x.xxxx-linux.zip.

[Image 6]

The scan is started by running sonar-scanner from the directory of the project to be analysed; nextcloud is used as the test project here.

Because Nextcloud itself is deployed with Docker, the steps below download the sonar-scanner directory on the host, copy it into the Nextcloud container, and set the environment variables there so that the sonar-scanner command can be run from the project directory.

# on the Docker host: download and unpack the scanner into /usr/local
cd /usr/local/
wget https://github.com/SonarSource/sonar-scanner-cli/releases/download/4.7.0.2747/sonar-scanner-cli-4.7.0.2747-linux.zip
yum -y install unzip
unzip sonar-scanner-cli-4.7.0.2747-linux.zip
mv sonar-scanner-4.7.0.2747-linux sonar-scanner
# copy it into the running Nextcloud container and open a shell there
sudo docker cp /usr/local/sonar-scanner nextcloud:/usr/local/
sudo docker exec -it nextcloud /bin/bash
# inside the container: append the scanner to PATH for login shells
cat /etc/profile
sed -i '$aexport SONAR_SCANNER_HOME=/usr/local/sonar-scanner' /etc/profile
sed -i '$aexport PATH=$SONAR_SCANNER_HOME/bin:$PATH' /etc/profile
source /etc/profile
cd /var/www/html/
sonar-scanner -v

Check that sonar-scanner is set up: if version information is printed, the environment variables are correct.

root@91995fc00ffa:/var/www/html# sonar-scanner -v
INFO: Scanner configuration file: /usr/local/sonar-scanner/conf/sonar-scanner.properties
INFO: Project root configuration file: NONE
INFO: SonarScanner 4.7.0.2747
INFO: Java 11.0.14.1 Eclipse Adoptium (64-bit)
INFO: Linux 3.10.0-1160.el7.x86_64 amd64
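The scanner installation above, as an added example that is not part of the original post: it downloads the release zip, refuses to unpack it unless its SHA-256 matches an expected digest, and puts the scanner on PATH through a file in /etc/profile.d instead of editing /etc/profile in place. The expected digest is a placeholder the operator replaces with the value published for the release (an assumption about where the digest comes from); the install directory and version match the post.

```shell
#!/bin/sh
# Added example, not from the original post or the SonarScanner project.
# Assumptions: curl, unzip and sha256sum are installed; EXPECTED_SHA256 is set
# by the operator to the digest published for this release (the default below
# is a placeholder, not a real digest, so the install refuses to proceed).

SCANNER_VERSION="4.7.0.2747"
SCANNER_ZIP="sonar-scanner-cli-${SCANNER_VERSION}-linux.zip"
SCANNER_URL="https://github.com/SonarSource/sonar-scanner-cli/releases/download/${SCANNER_VERSION}/${SCANNER_ZIP}"
INSTALL_DIR="/usr/local/sonar-scanner"
EXPECTED_SHA256="${EXPECTED_SHA256:-REPLACE_WITH_PUBLISHED_DIGEST}"

# Compare a file's SHA-256 with the expected value; returns 1 on mismatch.
verify_sha256() {
    file="$1"
    expected="$2"
    actual=$(sha256sum "$file" | awk '{print $1}')
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $file: got $actual, expected $expected" >&2
        return 1
    fi
}

# Render the profile.d snippet that puts sonar-scanner on PATH for login shells.
render_profile_snippet() {
    printf 'export SONAR_SCANNER_HOME=%s\nexport PATH=$SONAR_SCANNER_HOME/bin:$PATH\n' "$1"
}

# Name of the directory the release zip expands to.
unpacked_dir() {
    printf 'sonar-scanner-%s-linux\n' "$1"
}

install_scanner() {
    workdir=$(mktemp -d)
    curl -fsSL -o "$workdir/$SCANNER_ZIP" "$SCANNER_URL"
    # stop here if the download is not the artefact we expected
    verify_sha256 "$workdir/$SCANNER_ZIP" "$EXPECTED_SHA256" || { rm -rf "$workdir"; return 1; }
    unzip -q "$workdir/$SCANNER_ZIP" -d "$workdir"
    rm -rf "$INSTALL_DIR"
    mv "$workdir/$(unpacked_dir "$SCANNER_VERSION")" "$INSTALL_DIR"
    rm -rf "$workdir"
    render_profile_snippet "$INSTALL_DIR" > /etc/profile.d/sonar-scanner.sh
    "$INSTALL_DIR/bin/sonar-scanner" -v
}

# Only act when invoked as:  EXPECTED_SHA256=<digest> sh install_scanner.sh install
if [ "${1:-}" = "install" ]; then
    install_scanner
fi
```

To use the scanner inside the Nextcloud container as the post does, run the script on the host and then docker cp "$INSTALL_DIR" into the container; the profile.d file has to be written inside the container in that case, since /etc/profile.d on the host is not visible there.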

Run the command echoed by the SonarQube console; further properties can be added as needed, for example -Dsonar.sourceEncoding=UTF-8 \. Two things to watch in that command. The sqp_ value passed to sonar.login is a project analysis token, i.e. a credential: typed literally it ends up in shell history, so pass it from an environment variable and revoke it under My Account > Security once it is no longer needed. And because the command runs inside the nextcloud container, 127.0.0.1 there is the container's own loopback; it only reaches the SonarQube container if both share the host network, otherwise use the host's IP address or a Docker network both containers are attached to.

sonar-scanner \
  -Dsonar.projectKey=nextcloud \
  -Dsonar.sources=. \
  -Dsonar.host.url=http://127.0.0.1:9000 \
  -Dsonar.sourceEncoding=UTF-8 \
  -Dsonar.login=sqp_7d39b0f9bfa62c02da180c66da37dff2ecd4b607
INFO: ------------------------------------------------------------------------
INFO: EXECUTION FAILURE
INFO: ------------------------------------------------------------------------
ERROR: Error during SonarScanner execution
java.lang.OutOfMemoryError: Java heap space

The project is too large for the scanner's default Java heap. The direct fix is to raise the heap of the scanner JVM through the SONAR_SCANNER_OPTS environment variable (for example -Xmx2g) and to keep vendored third-party code out of the analysis with sonar.exclusions; scanning a subdirectory or giving the VM more memory also works, but the former analyses only part of the project.

A successful run ends with EXECUTION SUCCESS:

root@f40c147d0390:/var/www/html/resources# sonar-scanner \
  -Dsonar.projectKey=nextcloud \
  -Dsonar.sources=. \
  -Dsonar.host.url=http://127.0.0.1:9000 \
  -Dsonar.sourceEncoding=UTF-8 \
  -Dsonar.login=sqp_7d39b0f9bfa62c02da180c66da37dff2ecd4b607
INFO: Scanner configuration file: /usr/local/sonar-scanner/conf/sonar-scanner.properties
INFO: Project root configuration file: NONE
INFO: SonarScanner 4.7.0.2747
INFO: Java 11.0.14.1 Eclipse Adoptium (64-bit)
INFO: Linux 3.10.0-1160.el7.x86_64 amd64
INFO: User cache: /root/.sonar/cache
INFO: Scanner configuration file: /usr/local/sonar-scanner/conf/sonar-scanner.properties
INFO: Project root configuration file: NONE
INFO: Analyzing on SonarQube server 9.5.0.56709
INFO: Default locale: "en_US", source code encoding: "UTF-8"
INFO: Load global settings
INFO: Load global settings (done) | time=246ms
INFO: Server id: 147B411E-AYGuXtde2Rgit7Znb4Ur
INFO: User cache: /root/.sonar/cache
INFO: Load/download plugins
INFO: Load plugins index
INFO: Load plugins index (done) | time=222ms
INFO: Load/download plugins (done) | time=307ms
INFO: Process project properties
INFO: Process project properties (done) | time=55ms
INFO: Execute project builders
INFO: Execute project builders (done) | time=2ms
INFO: Project key: nextcloud
INFO: Base dir: /var/www/html
INFO: Working dir: /var/www/html/.scannerwork
INFO: Load project settings for component key: 'nextcloud'
INFO: Load project settings for component key: 'nextcloud' (done) | time=243ms
WARN: SCM provider autodetection failed. Please use "sonar.scm.provider" to define SCM of your project, or disable the SCM Sensor in the project settings.
INFO: Load quality profiles
INFO: Load quality profiles (done) | time=425ms
INFO: Load active rules
INFO: Load active rules (done) | time=5493ms
INFO: Load analysis cache
INFO: Load analysis cache (404) | time=26ms
INFO: Load project repositories
INFO: Load project repositories (done) | time=46ms
INFO: Indexing files...
INFO: Project configuration:
INFO: 821 files indexed...
........................................................................
........................................................................
........................................................................
INFO: ------------------------------------------------------------------------
INFO: EXECUTION SUCCESS
INFO: ------------------------------------------------------------------------
INFO: Total time: 00:14.572s
INFO: Final Memory: 14M/50M
INFO: ------------------------------------------------------------------------
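The scan step above, as an added example that is not part of the original post: it keeps the token out of the command line and shell history by reading SONAR_TOKEN from the environment, raises the scanner heap (the out-of-memory failure shown earlier) and excludes vendored code, then follows the server-side task through .scannerwork/report-task.txt until the quality gate verdict is known, so the result can fail a CI job instead of only appearing in the UI. SONAR_TOKEN, SONAR_HOST_URL, the 2 GB heap and the exclusion patterns (Nextcloud keeps bundled libraries under 3rdparty) are assumptions; the JSON and report-task.txt samples in the test are constructed to match the shape of the real responses.

```shell
#!/bin/sh
# Added example, not from the original post or the SonarQube project.
# Assumptions: SONAR_TOKEN holds a project analysis token (sqp_...),
# SONAR_HOST_URL is the SonarQube address as seen from where the scanner runs,
# and sonar-scanner is on PATH. Run from the project root.

SONAR_HOST_URL="${SONAR_HOST_URL:-http://127.0.0.1:9000}"
PROJECT_KEY="${PROJECT_KEY:-nextcloud}"

# Project-level properties: no secret here, so the file can be committed.
write_project_properties() {
    cat <<EOF
sonar.projectKey=$1
sonar.sources=.
sonar.sourceEncoding=UTF-8
# bundled third-party code inflates the analysis and is not ours to fix
sonar.exclusions=**/vendor/**,**/node_modules/**,**/3rdparty/**,**/*.min.js
EOF
}

# Read one key from report-task.txt (key=value lines written by the scanner).
report_value() {
    sed -n "s/^$2=//p" "$1"
}

# Task status from /api/ce/task JSON: PENDING, IN_PROGRESS, SUCCESS, FAILED, CANCELED.
parse_task_status() {
    printf '%s' "$1" | sed -n 's/.*"status" *: *"\([A-Z_]*\)".*/\1/p'
}

# analysisId from the same JSON; needed to look up the quality gate.
parse_analysis_id() {
    printf '%s' "$1" | sed -n 's/.*"analysisId" *: *"\([^"]*\)".*/\1/p'
}

# Overall verdict from /api/qualitygates/project_status JSON: OK, ERROR or NONE.
# Anchored on projectStatus because each condition also carries a "status".
parse_gate_status() {
    printf '%s' "$1" | sed -n 's/.*"projectStatus" *: *{ *"status" *: *"\([A-Z]*\)".*/\1/p'
}

# Poll the compute-engine task, then fetch the quality gate for that analysis.
wait_for_gate() {
    task_url=$(report_value "$1" ceTaskUrl)
    i=0
    body=""
    while [ "$i" -lt 60 ]; do
        body=$(curl -fsS -u "$SONAR_TOKEN:" "$task_url")
        case "$(parse_task_status "$body")" in
            SUCCESS) break ;;
            FAILED|CANCELED) echo "server-side analysis failed: $body" >&2; return 1 ;;
        esac
        i=$((i + 1))
        sleep 5
    done
    analysis_id=$(parse_analysis_id "$body")
    gate=$(curl -fsS -u "$SONAR_TOKEN:" \
        "$SONAR_HOST_URL/api/qualitygates/project_status?analysisId=$analysis_id")
    result=$(parse_gate_status "$gate")
    echo "quality gate: $result"
    [ "$result" = "OK" ]
}

run_scan() {
    [ -n "${SONAR_TOKEN:-}" ] || { echo "SONAR_TOKEN is not set" >&2; return 1; }
    [ -f sonar-project.properties ] || write_project_properties "$PROJECT_KEY" > sonar-project.properties
    # larger scanner heap instead of scanning a subdirectory; token comes from the environment
    SONAR_SCANNER_OPTS="-Xmx2g" sonar-scanner \
        -Dsonar.host.url="$SONAR_HOST_URL" \
        -Dsonar.login="$SONAR_TOKEN"
    wait_for_gate .scannerwork/report-task.txt
}

# Only act when invoked as:  SONAR_TOKEN=sqp_... sh scan.sh scan
if [ "${1:-}" = "scan" ]; then
    run_scan
fi
```

The token is still visible to other local users through the process list for the duration of the scan; on a shared host, a dedicated CI user and a short-lived token limit that exposure.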

Opening the nextcloud project in SonarQube shows the Bugs, Vulnerabilities, Security Hotspots and other results.

[Image 7]

References:
SonarScanner download and configuration (official documentation): https://docs.sonarqube.org/latest/analysis/scan/sonarscanner/
Installing sonar-scanner-cli on CentOS: http://t.zoukankan.com/eoalfj-p-14352232.html
Scanning GitHub pull requests with SonarQube: https://www.likecs.com/show-305508553.html
