How to Analyze Code and Find Vulnerabilities with SonarQube – InApps Technology 2022
SonarQube is a web-based static analysis platform that flags bugs, security vulnerabilities, security hotspots and code smells in your source code. On a small project you might get away with combing through every line yourself. On a larger project (or a number of smaller ones) you probably don't have the time, and a scanner catches the routine mistakes far more consistently than a tired reviewer. It is not a substitute for code review or testing, but it is a cheap first pass.
Back in February, I wrote a piece on installing the SonarQube code analysis platform. This time around, I want to show you how to use that tool, so you can trust the code you’re working with (be it written by you or someone else).
Although you've installed a very nice web-based tool, using SonarQube isn't nearly as straightforward as you might think, and if you dive into the documentation you might find it less than enlightening on the first steps.
Fear not: I'm going to walk you through scanning the tried and true Hello, World! application (written in Java) with SonarQube. Because our original installation was on Ubuntu Server 20.04, I'll stick with that platform. If you're running SonarQube on a different OS, you'll need to make the necessary adjustments.
Are you ready?
Let’s do this.
Installing Sonar-scanner
This is where most users get lost. Before you can do anything with SonarQube, you need the sonar-scanner client installed on the machine that holds your project: the scanner runs the analyzers locally and uploads the report, while the server only stores and displays the results. To keep things simple, I'll install it on the same server that hosts SonarQube. Here's how.
Log into the server hosting SonarQube and install a few dependencies (unzip to extract the archive, wget to download it, and Node.js, which the JavaScript/TypeScript analyzers need) with the command:
sudo apt-get update && sudo apt-get install unzip wget nodejs -y
Once those dependencies are installed, create a new directory with the command:
mkdir sonarqube
Change into that directory with the command:
cd sonarqube
Download the sonar-scanner archive (4.2.0.1873 was current when this was written; newer builds are listed at https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/, and if you pick one, adjust the file names in the commands that follow):
wget https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-4.2.0.1873-linux.zip
Unzip the downloaded file:
unzip sonar-scanner-cli-4.2.0.1873-linux.zip
Finally, move the newly-created folder with the command:
sudo mv sonar-scanner-4.2.0.1873-linux /opt/sonar-scanner
Next, create the sonar-scanner configuration file with the command:
sudo nano /opt/sonar-scanner/conf/sonar-scanner.properties
In that file, paste the following:
sonar.host.url=http://SERVER:9000
sonar.sourceEncoding=UTF-8
Where SERVER is the IP address or hostname of the SonarQube server. Keep in mind that the scanner sends your project token to this URL with every scan, so if the server is reachable from anything other than this machine, put it behind TLS and use https:// here; plain http:// is only acceptable for a scanner talking to a server on the same host or an isolated network.
Save and close the file.
Now we'll create a second file, a profile script that adds the scanner's bin directory to the PATH. Issue the command:
sudo nano /etc/profile.d/sonar-scanner.sh
In that file, paste the following:
#!/bin/bash
export PATH="$PATH:/opt/sonar-scanner/bin"
Save and close the file.
Add sonar-scanner to your PATH for the current session with the command:
source /etc/profile.d/sonar-scanner.sh
Verify sonar-scanner is working with the command:
sonar-scanner -v
You should see the SonarScanner, Java and OS versions printed. Success! You're ready to run your first scan.
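The installation steps above, collapsed into one script. This is an added example, not the article's or SonarSource's own installer: it pins the scanner version, verifies the download against the .sha256 file that SonarSource publishes next to each archive (an assumption; check the directory listing for the build you pick, and if only a .asc signature is published, verify that with gpg instead), and writes the two configuration files. SONAR_HOST_URL, INSTALL_DIR, SCANNER_VERSION and the install argument are names chosen for this example.

```bash
#!/usr/bin/env bash
# Added example: install SonarScanner CLI on Ubuntu with a checksum check.
# Not the article's own script. Assumes binaries.sonarsource.com publishes a
# .sha256 file next to each zip (verify this for the build you choose).
set -eu

SCANNER_VERSION="${SCANNER_VERSION:-4.2.0.1873}"
BASE_URL="https://binaries.sonarsource.com/Distribution/sonar-scanner-cli"
INSTALL_DIR="${INSTALL_DIR:-/opt/sonar-scanner}"

# sha256_of FILE: print the hex SHA-256 digest of FILE (GNU or BSD userland).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1"
  else
    shasum -a 256 "$1"
  fi | awk '{print $1}'
}

# verify_sha256 FILE EXPECTED_HEX: succeed only if FILE's digest matches.
verify_sha256() {
  [ "$(sha256_of "$1")" = "$2" ]
}

# render_scanner_properties HOST_URL: print the body of sonar-scanner.properties.
render_scanner_properties() {
  printf 'sonar.host.url=%s\nsonar.sourceEncoding=UTF-8\n' "$1"
}

# install_sonar_scanner: download, verify, unpack and configure the scanner.
install_sonar_scanner() {
  local zip="sonar-scanner-cli-${SCANNER_VERSION}-linux.zip" tmp expected
  if [ -e "$INSTALL_DIR" ]; then
    echo "$INSTALL_DIR already exists; remove it first" >&2
    return 1
  fi
  tmp="$(mktemp -d)"
  cd "$tmp"
  wget -q "${BASE_URL}/${zip}" "${BASE_URL}/${zip}.sha256"
  # The .sha256 file holds the digest (first field); refuse a mismatch.
  expected="$(awk '{print $1}' "${zip}.sha256")"
  if ! verify_sha256 "$zip" "$expected"; then
    echo "checksum mismatch for $zip; not installing" >&2
    return 1
  fi
  unzip -q "$zip"
  sudo mv "sonar-scanner-${SCANNER_VERSION}-linux" "$INSTALL_DIR"
  render_scanner_properties "$SONAR_HOST_URL" \
    | sudo tee "$INSTALL_DIR/conf/sonar-scanner.properties" >/dev/null
  printf '#!/bin/bash\nexport PATH="$PATH:%s/bin"\n' "$INSTALL_DIR" \
    | sudo tee /etc/profile.d/sonar-scanner.sh >/dev/null
  echo "installed SonarScanner ${SCANNER_VERSION} to $INSTALL_DIR"
}

# Only perform the install when explicitly asked: ./install-sonar-scanner.sh install
if [ "${1:-}" = "install" ]; then
  : "${SONAR_HOST_URL:?set SONAR_HOST_URL, e.g. https://sonar.example.internal:9000}"
  install_sonar_scanner
fi
```

Run it as `SONAR_HOST_URL=https://sonar.example.internal:9000 bash install-sonar-scanner.sh install`, then `source /etc/profile.d/sonar-scanner.sh` as in the manual steps. The digest check is the supply-chain step the manual walk-through skips: HTTPS tells you the bytes came from binaries.sonarsource.com, the published digest tells you they are complete and match what SonarSource meant to ship rather than a truncated or corrupted download. It does not protect against a compromised distribution host that rewrites both files; the detached .asc signature, checked against SonarSource's public key, is the stronger control when you need that.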
How to Scan Your Code
Let’s create a Hello, World! application example. Create a new directory with the command:
mkdir java
Change into that folder with the command:
cd java
Create the code file with the command:
nano helloworld.java
In that file, paste the following:
// Your Hello, World! java application
class HelloWorld {
    public static void main(String[] args) {
        System.out.println("Hello, World!");
    }
}
Save and close the file.
Now, go back to the SonarQube web interface and create a new project (Figure 1).
In the resulting window (Figure 2), give the new project a name for both the key and the display.
In the next window (Figure 3), you must generate a token for the project. Give the token a name and click Generate (the version I used asked for the name a second time before displaying the token). Copy and save that token somewhere safe: it is a credential that lets anyone holding it upload analyses to your project, and you will need it for later scans. Treat it like a password; don't commit it to the repository or paste it into shared chat.
Click Continue to move on to the next step. In this window (Figure 4), select the build technology for the project (we'll select Other).
You will then be prompted for the OS you're using for the scan. In our case, we'll select Linux. Once you've made your selection, SonarQube shows the exact sonar-scanner command to run, with your project key and token already filled in (Figure 5). Move back to the terminal window and paste that command.
Run the scan from within your project directory (the java folder) and the scanner walks the sources, runs the analyzers locally and uploads the report. After a bit (depending on how large your project is) it will finish and the results appear in the SonarQube web GUI (Figure 6). If the scan instead stops with an error asking for compiled classes (sonar.java.binaries), compile first with javac and pass -Dsonar.java.binaries=<output directory> to the scanner: the Java analyzer uses the bytecode to resolve types, and recent releases refuse to analyze .java files without it.
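The command SonarQube shows you in Figure 5 carries the project token as -Dsonar.login=... on the command line, which leaves it in your shell history. The wrapper below is an added example (not the article's or SonarQube's own code) that reads the token from a file only you can read, refuses to send it in the clear to a non-loopback http:// host, and compiles the Java sources so sonar.java.binaries can be supplied. The project key, host name, token path, the ./classes directory and the scan argument are assumptions chosen for the example; sonar.projectKey, sonar.sources, sonar.host.url, sonar.login and sonar.java.binaries are real scanner properties.

```bash
#!/usr/bin/env bash
# Added example (not from the article): run a SonarQube scan with the token
# read from a mode-0600 file instead of typed into the command line.
set -eu

# check_host_url URL: succeed for https://, or for plain http:// only when the
# target is the loopback interface; anything else would send the token in clear.
check_host_url() {
  case "$1" in
    https://*) return 0 ;;
    http://localhost|http://localhost:*|http://localhost/*) return 0 ;;
    http://127.0.0.1|http://127.0.0.1:*|http://127.0.0.1/*) return 0 ;;
    *) return 1 ;;
  esac
}

# read_token FILE: print the token stored in FILE, refusing files that other
# users can read (mode must be 600 or 400).
read_token() {
  local file="$1" perms
  perms="$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")"
  case "$perms" in
    600|400) ;;
    *) echo "refusing to use $file with mode $perms (want 600)" >&2; return 1 ;;
  esac
  tr -d '[:space:]' < "$file"
}

# run_scan PROJECT_KEY HOST_URL TOKEN_FILE [SOURCES]: compile, then scan.
run_scan() {
  local key="$1" host="$2" token_file="$3" src="${4:-.}" token
  if ! check_host_url "$host"; then
    echo "refusing to send the token over plain HTTP to $host" >&2
    return 1
  fi
  token="$(read_token "$token_file")" || return 1
  # Assumption: the Java analyzer wants compiled classes; build them into
  # ./classes and point sonar.java.binaries at that directory.
  mkdir -p classes
  javac -d classes "$src"/*.java
  sonar-scanner \
    -Dsonar.projectKey="$key" \
    -Dsonar.sources="$src" \
    -Dsonar.java.binaries=classes \
    -Dsonar.host.url="$host" \
    -Dsonar.login="$token"
}

# Only scan when explicitly asked:
#   ./scan.sh scan hello-world https://sonar.example.internal:9000 ~/.sonar/token
if [ "${1:-}" = "scan" ]; then
  run_scan "$2" "$3" "$4" "${5:-.}"
fi
```

Create the token file with `umask 077; printf '%s' 'YOUR_TOKEN' > ~/.sonar/token` and run the wrapper from the project directory. The token still appears in the process list for the duration of the scan because it is passed as a -D argument; newer SonarScanner releases read it from the SONAR_TOKEN environment variable instead, so check the release notes for the version you installed and prefer that once it is available to you.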
Understand, this was a simple Hello, World! example. If your project is larger, it will take considerably longer to scan, and the report will almost certainly list bugs, vulnerabilities, security hotspots and smells that need attention before the code is production-ready. Go through the SonarQube report and address what it finds.
This is a great way to make sure your code is as clean and issue-free as possible. Don't rely on yourself alone for this task. With just a few extra steps, you have a platform that does the job faster and more consistently, on every commit if you wire it into your build.
Source: InApps.net