
How to Analyze Code and Find Vulnerabilities with SonarQube

16 Apr 2021 10:09am

SonarQube is a web-based tool that can help developers produce code free from security issues, bugs, vulnerabilities, smells, and general issues. If you’re working on a small project, that might be an easy feat. You could carefully work through your code to find any issues. But when you’re working on a larger project (or numerous smaller projects), you probably don’t have time to comb through every line of code you’ve written.

Back in February, I wrote a piece on installing the SonarQube code analysis platform. This time around, I want to show you how to use that tool, so you can trust the code you’re working with (be it written by you or someone else).

Although you’ve installed a very nice web-based tool, using Sonarqube isn’t nearly as straightforward as you might think. If you dive into the documentation, you might find it to be less than enlightening.

Fear not, I’m going to walk you through the process of scanning the tried and true Hello, World! application (written in Java) with Sonarqube. And because our original installation was on Ubuntu Server 20.04, I’ll be sticking with that platform. If you’re using Sonarqube on a different OS, you’ll need to make the necessary adjustments.

Are you ready?

Let’s do this.

Installing Sonar-scanner

This is where most users would get lost. Before you do anything with Sonarqube, you have to have the sonar-scanner application installed on the machine housing your project. I’m going to make this even easier and install it on the same server hosting Sonarqube. Here’s how you’d do that.

Log into the server hosting Sonarqube and install a few dependencies with the command:

sudo apt-get update && sudo apt-get install unzip wget nodejs -y

Once those dependencies are installed, create a new directory with the command:

mkdir sonarqube

Change into that directory with the command:

cd sonarqube

Download the sonar-scanner archive:

wget https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-4.2.0.1873-linux.zip

Unzip the downloaded file:

unzip sonar-scanner-cli-4.2.0.1873-linux.zip

Finally, move the newly-created folder with the command:

sudo mv sonar-scanner-4.2.0.1873-linux /opt/sonar-scanner

Next, we need to create a sonar-scanner configuration file with the command:

sudo nano /opt/sonar-scanner/conf/sonar-scanner.properties

In that file, paste the following:

Where SERVER is the IP address of the hosting server.

Save and close the file.

Now we’ll create another configuration file, one that will set the necessary $PATH variables. Issue the command:

sudo nano /etc/profile.d/sonar-scanner.sh

In that file, paste the following:

Save and close the file.

Add sonar-scanner to your path with the command:

source /etc/profile.d/sonar-scanner.sh

Verify sonar-scanner is working with the command:

sonar-scanner -v

You should see the version numbers of a few tools. Success! You’re ready to run your first scan.

How to Scan Your Code

Let’s create a Hello, World! application example. Create a new directory with the command:

mkdir java

Change into that folder with the command:

cd java

Create the code file with the command:

nano helloworld.java

In that file, paste the following:

Save and close the file.

Now, go back to the Sonarqube web interface and create a new project (Figure 1).

Figure 1: Click Create new project to begin the process.

In the resulting window (Figure 2), give the new project a name for both the key and the display.

Figure 2: Naming your new project in Sonarqube.

In the next window (Figure 3), you must generate a token for the project. Give the token a name and click Generate.

Figure 3: Generating a token for the new project.

You will then have to give the token yet another name and click Generate. This will display the token for you. Copy and save that token (as you will need it for later scans).

Click Continue to move on to the next step. In this window (Figure 4), select the build technology for the project (we’ll select Other).

Figure 4: Selecting the build technology for your project.

You will then be prompted for the OS you’re using for the scan. In our case, we’ll select Linux. Once you’ve made your selection, you’ll be presented with the command to be run on the machine with the sonar-scanner command (Figure 5). Move back to the terminal window and paste that command into the window.

Figure 5: Sonarqube presents the command you use for the scan.

Run the scan from within your project directory and it will do its thing. After a bit (depending on how large your project is) it will finish and the results of the scan will appear in the Sonarqube web GUI (Figure 6).

Figure 6: The results of our scan show a pretty clean project.
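The two configuration files from the installation section and the scan step above, gathered into one script as an added example (not the article's own listings). It assumes the scanner lives in /opt/sonar-scanner, SonarQube listens on its default port 9000, the project key is the one you typed into the web UI, and the token from Figure 3 is exported as SONAR_TOKEN instead of being pasted into the command line; PREFIX is a hypothetical variable that lets you dry-run into a scratch directory.

```shell
#!/usr/bin/env bash
# Added example, not the article's own listings. Set PREFIX to a scratch
# directory to dry-run; leave it empty to write the real system paths.

# /opt/sonar-scanner/conf/sonar-scanner.properties: the server URL is the
# only setting every scan on this host needs (SERVER in the article).
write_scanner_conf() {
  server="$1"
  mkdir -p "${PREFIX:-}/opt/sonar-scanner/conf"
  printf 'sonar.host.url=http://%s:9000\n' "$server" \
    > "${PREFIX:-}/opt/sonar-scanner/conf/sonar-scanner.properties"
}

# /etc/profile.d/sonar-scanner.sh: put the scanner on PATH for every login.
write_profile_script() {
  mkdir -p "${PREFIX:-}/etc/profile.d"
  printf 'export PATH="$PATH:/opt/sonar-scanner/bin"\n' \
    > "${PREFIX:-}/etc/profile.d/sonar-scanner.sh"
}

# Per-project sonar-project.properties, so the scan is reproducible and the
# command line carries nothing but the token. Java analysis expects compiled
# classes, hence sonar.java.binaries (javac -d build/classes helloworld.java).
write_project_properties() {
  proj_dir="$1"; key="$2"
  cat > "$proj_dir/sonar-project.properties" <<EOF
sonar.projectKey=$key
sonar.projectName=$key
sonar.sources=.
sonar.java.binaries=build/classes
sonar.sourceEncoding=UTF-8
EOF
}

# The command SonarQube shows in Figure 5 embeds the token literally. Taking
# it from the environment keeps it out of shell history and out of any file
# you might commit (it is still visible to local ps while the scan runs).
# Fail closed when either the properties file or the token is missing.
scan_command() {
  proj_dir="$1"
  [ -f "$proj_dir/sonar-project.properties" ] || {
    echo "run write_project_properties first" >&2; return 1; }
  [ -n "${SONAR_TOKEN:-}" ] || { echo "SONAR_TOKEN is not set" >&2; return 1; }
  printf 'cd %s && sonar-scanner -Dsonar.login=%s\n' "$proj_dir" "$SONAR_TOKEN"
}
```

Run the printed command from the project directory; the results appear in the web GUI as in Figure 6.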

Understand, this was a simple Hello, World! example. If your project is larger, it will take considerably longer to scan and your results might not come up as production-ready. So go through the Sonarqube report and address any issues it reports.

This is a great way to make sure your code is as clean and issue-free as possible. Don’t depend on yourself to take on this task alone. With just a few extra steps, you can empower yourself with a platform that can do the job faster and more reliably.
