
SonarQube: A Hidden Gem

April 28, 2017 by Chiragh Dewan

SonarQube is an open source quality management platform that continuously analyzes and measures the technical quality of a project portfolio, down to the method level; in short, it helps us analyze the quality of our source code. Formerly known as Sonar, it is written in Java but can analyze code in more than 20 different languages, such as:

  • C/C++
  • C#
  • Java
  • JavaScript
  • PHP
  • VB .NET
  • Python
  • Flex
  • Swift
  • Objective-C, etc.

A few features of SonarQube:

  • The overall health view of the project shows the current quality of the code
  • Uses Water Leak Paradigm to manage code quality
  • Enforces Quality Gate which means it tells the developer if the current version is suitable to be pushed to production or not
  • Analyzes pull requests
  • Highlights hot spots
  • Gives a detailed version of issues
  • Using the Web API, SonarQube can be automated
  • Using Webhooks, SonarQube can be integrated as a promotion step in the delivery pipeline
  • Provides great notifications

Installation

SonarQube's GitHub repository can be found at https://github.com/SonarSource/sonarqube


A ready-to-go package can be downloaded from https://www.sonarqube.org/downloads/

Once you have downloaded the .zip archive from the above link, extract its contents to:

On Windows:

C:\sonarqube

On Linux/MacOS:

/etc/

To run:

On Windows:

C:\sonarqube\bin\windows-x86-xx\StartSonar.bat

On Linux/MacOS:

/etc/sonarqube/bin/[OS]/sonar.sh console

Now if you will open http://localhost:9000 on your browser, you will see something like this:

Now, this web UI only shows the results of the analyses that we will run on a project. To analyze, let's first download the scanner (choose according to your OS): https://docs.sonarqube.org/display/SCAN/Analyzing+with+SonarQube+Scanner

Once downloaded, unzip the contents of the folder to:

On Windows:

C:\sonar-scanner

On Linux/MacOS:

/etc/sonar-scanner

For demo purposes, SonarQube also provides us with demo projects that can be downloaded from https://codeload.github.com/SonarSource/sonar-scanning-examples/zip/master

Extract them.

On Windows:

C:\sonar-scanning-examples

On Linux/MacOS:

/etc/sonar-scanning-examples

Now we need to add /[depending on OS]/sonar-scanner/bin/ to our PATH.

To check that it is working, simply type:

$ sonar-scanner -h

Troubleshooting

In case you get the error Java heap space or java.lang.OutOfMemoryError, increase the memory available to the scanner:

On Windows:

set SONAR_SCANNER_OPTS=-Xmx512m

Note:

Avoid the double-quotes, since they get misinterpreted and combine the two parameters into a single one.

On Linux/MacOS:

export SONAR_SCANNER_OPTS="-Xmx512m"

Now we need to create a file called sonar-project.properties at the root directory of /[depending on OS]/sonar-scanning-examples:

# must be unique in a given SonarQube instance
sonar.projectKey=my:project

# this is the name and version displayed in the SonarQube UI. Was mandatory before SonarQube 6.1.
sonar.projectName=My project
sonar.projectVersion=1.0

# Path is relative to the sonar-project.properties file. Replace "\" by "/" on Windows.
# Since SonarQube 4.2, this property is optional if sonar.modules is set.
# If not set, SonarQube starts looking for source code from the directory containing
# the sonar-project.properties file.
sonar.sources=.

# Encoding of the source code. Default is default system encoding
#sonar.sourceEncoding=UTF-8

Alternatives to sonar-project.properties

If for some reason the sonar-project.properties file cannot be created in the root directory of the project, here's what else you can do:

  • The properties can be specified directly through the command line:

    $ sonar-scanner -Dsonar.projectKey=myproject -Dsonar.sources=src

  • The property project.settings can be used to specify the path to the project configuration file:

    $ sonar-scanner -Dproject.settings=../myproject.properties
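As an added example (not from the original article, and not SonarSource's own tooling), the following POSIX shell script implements the first alternative in a reusable way: it turns a sonar-project.properties file kept anywhere into the equivalent -D arguments, after checking that the mandatory sonar.projectKey is set. The function names and the constructed sample file are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original article: drive sonar-scanner from a
# sonar-project.properties file kept outside the project root by turning its
# entries into -D arguments. The sample file below is constructed.

# props_to_args FILE: print one -Dkey=value argument per line, dropping blank
# lines, '#' comments and CRLF endings. Only the first '=' separates the key.
props_to_args() {
    tr -d '\r' <"$1" | sed -e '/^[[:space:]]*$/d' -e '/^[[:space:]]*#/d' \
        -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e 's/[[:space:]]*=[[:space:]]*/=/' -e 's/^/-D/'
}

# require_key FILE KEY: succeed only if KEY is set and not commented out.
# sonar.projectKey is mandatory; checking early avoids a failed scan later.
require_key() {
    _k=$(printf '%s' "$2" | sed 's/[.]/\\./g')
    props_to_args "$1" | grep -q -- "^-D$_k="
}

# with_props FILE CMD [ARG...]: run CMD with the -D arguments appended, one
# argument each, so values containing spaces (e.g. a project name) survive.
with_props() {
    _file=$1; shift
    while IFS= read -r _arg; do set -- "$@" "$_arg"; done <<EOF
$(props_to_args "$_file")
EOF
    "$@"
}

# write_sample_props: create a constructed sample file and print its path.
write_sample_props() {
    _f=$(mktemp) || return 1
    cat >"$_f" <<'EOF'
# must be unique in a given SonarQube instance
sonar.projectKey=my:project
sonar.projectName=My project
sonar.projectVersion=1.0
sonar.sources=.
#sonar.sourceEncoding=UTF-8
EOF
    printf '%s\n' "$_f"
}

# Dry run: validate the sample and print the argv the scanner would receive.
_demo=$(write_sample_props)
require_key "$_demo" sonar.projectKey || { echo "sonar.projectKey missing" >&2; exit 1; }
with_props "$_demo" printf '%s\n' sonar-scanner
rm -f "$_demo"
```

For a real scan, replace the dry-run lines with with_props ../myproject.properties sonar-scanner from the project directory.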

And now run the sonar-scanner command from the root directory of the example project:

We can head over to the web console and see what the results are:

As we can see, a report of My Project has been created, and it shows us the basic overview of the code. To get a more detailed report, we can go inside by clicking on the project name:

To understand this better, let's look at the vulnerabilities SonarQube has discovered. As we can see (marked in blue), SonarQube shows why it flagged the issue as a vulnerability, along with how long it should take to fix and the severity of the vulnerability. Below that (marked in black), it gives more information on what kind of vulnerability it is, along with some literature to read on it.

On the left-hand side, we can see a filter option that we can use to see more reports of the same type:

To learn more about a vulnerability, let's select one of them. On closer examination, SonarQube tells us the file where the vulnerability was detected (underlined in black), and it also shows us the code it found suspicious/harmful (marked in blue), along with line numbers:

We can also log in as an Administrator through the login page:

The default credentials are:

Username: admin

Password: admin

Being an Administrator, we get a lot more options such as:

  • Changing bug/vulnerability type
  • Closing/Opening an issue
  • Assigning a bug to someone
  • Saving comments along with each issue
  • Adding/Editing/Deleting rules, etc.

The Administration option (located above) gives us a lot more control over SonarQube:

This was a basic overview of what SonarQube is capable of. We can also analyze the following with it:


  • MSBuild Files
  • Maven Files
  • Gradle Files
  • Ant Files
  • Jenkins Files
  • VSTS-TFS Files

Conclusion

SonarQube is a great tool that provides tons of additional features such as integrating plugins (https://docs.sonarqube.org/display/PLUG/Plugin+Library), scanning multi-module project structures (https://docs.sonarqube.org/display/SCAN/Advanced+SonarQube+Scanner+Usages), adding custom rules (https://github.com/SonarSource/sonar-custom-rules-examples), and even writing custom plugins (https://github.com/SonarSource/sonar-custom-plugin-example). All in all, SonarQube is a powerful and useful tool that can be used at production level as well (https://docs.sonarqube.org/display/SONAR/Installing+the+Server). Not only can a developer structure his/her code better, but managers can also start tracking metrics based on the results. SonarQube also replaces tools such as FindBugs, CPPCheck, etc., so everyone can do everything on the same platform, which saves time.

Chiragh Dewan

A creative problem-solving full-stack web developer with expertise in Information Security Audit, Web Application Audit, Vulnerability Assessment, Penetration Testing/Ethical Hacking, as well as previous experience in Artificial Intelligence, Machine Learning, and Natural Language Processing. He has also been recognised by various companies such as Facebook, Google, Microsoft, PayPal, Netflix, Blackberry, etc. for reporting various security vulnerabilities. He has also given various talks on Artificial Intelligence and Cyber Security, including at a TEDx event.