SonarQube is an open source quality management software that analyzes and measures the technical quality of project portfolio to a method which essentially means that it helps analyze the quality of our source code. Formerly known as Sonar, it is written in Java but can analyze code for more than 20 different languages such as:
- VB .NET
- Objective – C, etc.
A Few features of SonarQube:
- Overall Health of the project shows your current quality of code
- Uses Water Leak Paradigm to manage code quality
- Enforces Quality Gate which means it tells the developer if the current version is suitable to be pushed to production or not
- Analyzes pull requests
- Highlights hot spots
- Gives a detailed version of issues
- Using the Web API, SonarQube can be automated
- Using Webhooks, SonarQube can be integrated as a promotion step in the delivery pipeline
- Provides great notifications
SonarQube’s GitHub repository can be found at https://github.com/SonarSource/sonarqube
A ready to go file can be downloaded from https://www.sonarqube.org/downloads/
Once you have downloaded the .zip folder from the above link, extract the contents to:
Now if you will open http://localhost:9000 on your browser, you will see something like this:
Now, this Web UI is just to show the results of the analyses that we will be conducting on a project. To analyze, let’s first start by downloading the scanner (choose according to your OS): https://docs.sonarqube.org/display/SCAN/Analyzing+with+SonarQube+Scanner
Once downloaded, unzip the contents of the folder to:
For demo purposes, SonarQube also provides us with demo projects that can be downloaded from https://codeload.github.com/SonarSource/sonar-scanning-examples/zip/master
Now we need to add /[depending on OS]/sonar-scanner/bin/ to our Path:
To check it is working, simply type:
$ sonar-scanner -h
In case you get the error: Java heap space error or java.lang.out.OutOfMemory, increase the memory by:
Avoid the double-quotes, since they get misinterpreted and combine the two parameters into a single one.
Now we need to create a file called sonar-project.properties at the root directory of /[depending on OS]/sonar-scanning-examples:
# must be unique in a given SonarQube instance
# this is the name and version displayed in the SonarQube UI. Was mandatory before SonarQube 6.1.
# Path is relative to the sonar-project.properties file. Replace “\” by “/” on Windows.
# Since SonarQube 4.2, this property is optional if sonar.modules is set.
# If not set, SonarQube starts looking for source code from the directory containing
# the sonar-project.properties file.
# Encoding of the source code. Default is default system encoding
Alternatives to sonar-project.properties
If for some reason sonar-project.properties file cannot be created in the root directory of the project, here’s what else you can do:
The properties can be specified directly through the command line:
$ sonar-scanner -Dsonar.projectKey=myproject -Dsonar.source=srcl
The property project.settings can be used to specify the path to the project configuration file:
$ sonar-scanner -Dproject.settings=../myproject.properties
And now run sonar-scanner command from the root directory of project examples:
We can head over to the web console and see what the results are:
As we can see, a report of My Project has been created, and it shows us the basic overview of the code. To get a more detailed report, we can go inside by clicking on the project name:
To understand better, let’s see what the vulnerabilities that SonarQube has discovered are. As we can see (marked in blue) SonarQube shows us why it marked it as a vulnerability, along with the how long it should take us to fix the problem, the criticality of the vulnerability. Below, it gives us more information (marked in black) what kind of vulnerability it is along with some literature to read on it.
Ethical Hacking Training – Resources (InfoSec)
On the left-hand side, we can see a filter option that we can use to see more reports of the same type:
To know further about the vulnerability, let’s select one of the vulnerabilities. On further examination, SonarQube tells us the file where the vulnerability was detected (underlined in black), and it also shows us the code (marked in blue), along with line numbers, that it has found suspicious/harmful:
We can also log in as an Administrator through the login page:
The default credentials are:
Being an Administrator, we get a lot more options such as:
- Changing bug/vulnerability type
- Closing/Opening an issue
- Assigning a bug to someone
- Saving comments along with each issue
- Adding/Editing/Deleting rules, etc
The Administration option (located above) gives us a lot more control over SonarQube:
This was a basic overview of what SonarQube is capable of. We can also analyze the following with it:
- MSBuild Files
- Maven Files
- Gradle Files
- Ant Files
- Jenkins Files
- VSTS-TFS Files
SonarQube is a great tool that provides tons of additional features such as integrating plugins ( https://docs.sonarqube.org/display/PLUG/Plugin+Library ), scanning multi-module project structure (https://docs.sonarqube.org/display/SCAN/Advanced+SonarQube+Scanner+Usages ), adding custom rules (https://github.com/SonarSource/sonar-custom-rules-examples ), and even making custom plugins ( https://github.com/SonarSource/sonar-custom-plugin-example ). All in all, SonarQube is a powerful and a useful tool that can be used at a production level as well (https://docs.sonarqube.org/display/SONAR/Installing+the+Server). Not only a developer can structure his/her code better, but managers can also start tracking metrics based on results. SonarQube also replaces tools such as FindBugs, CPPCheck, etc thus making people do everything on the same platform and helping save time.