Modal Title
Cloud Native Ecosystem Containers Edge Computing Microservices Networking Serverless Storage
Cloud Native Skill Gaps are Killing Your Gains 
May 22nd 2023 7:15am, by Victoria Wright
A Boring Kubernetes Release
May 19th 2023 12:23pm, by Alex Williams
Why Upgrade to Observability from Application Monitoring?
May 19th 2023 11:49am, by George Hamilton
How Otomi Helped the City of Utrecht Move to Kubernetes
May 15th 2023 10:00am, by Sander Rodenhuis
RabbitMQ Is Boring, and I Love It
May 15th 2023 6:30am, by Josh Long
Red Hat Podman Container Engine Gets a Desktop Interface
May 23rd 2023 7:30am, by Joab Jackson
Scan Container Images for Vulnerabilities with Docker Scout
May 20th 2023 6:00am, by Jack Wallen
Container or VM? How to Choose the Right Option in 2023
May 17th 2023 8:42am, by Andrew Sullivan and Alex Handy
How Otomi Helped the City of Utrecht Move to Kubernetes
May 15th 2023 10:00am, by Sander Rodenhuis
Deploy an On-Premises Bitwarden Server with Docker
May 6th 2023 6:00am, by Jack Wallen
Gothenburg, Sweden Used Open Source IoT to Drastically Cut Water Waste
May 23rd 2023 6:58am, by Alex Handy
Building a Plant Monitoring Tool with IoT
May 8th 2023 9:27am, by Zoe Steinkamp
How to Choose and Model Time Series Databases
Apr 28th 2023 3:00am, by Robert Kimani
How to Optimize Queries for Time Series Data
Apr 27th 2023 12:00pm, by Robert Kimani
Calyptia Core 2.0 Tackles Fleet Management for Observability
Apr 26th 2023 6:49am, by Jelani Harper
RabbitMQ Is Boring, and I Love It
May 15th 2023 6:30am, by Josh Long
How OpenSearch Visualizes Jaeger's Distributed Tracing
May 11th 2023 10:00am, by Derek Ho and Jonah Kowall
Spring Cloud Gateway: The Swiss Army Knife of Cloud Development
May 8th 2023 6:47am, by Juergen Sussner
Return of the Monolith: Amazon Dumps Microservices for Video Monitoring
May 4th 2023 7:23am, by Joab Jackson
Cloud Native Basics: 4 Concepts to Know 
Apr 27th 2023 9:42am, by Khallai Taylor
How to Decide Between a Layer 2 or Layer 3 Network
Apr 25th 2023 10:00am, by Gino Dion
Linkerd Service Mesh Update Addresses More Demanding User Base
Apr 11th 2023 6:17am, by Joab Jackson and Alex Williams
Wireshark Celebrates 25th Anniversary with a New Foundation
Mar 28th 2023 5:00am, by Joab Jackson
This Week in Computing: Malware Gone Wild
Mar 25th 2023 7:10am, by Joab Jackson
JWTs: Connecting the Dots: Why, When and How
Mar 20th 2023 7:10am, by Michal Trojanowski
Microsoft Fabric Defragments Analytics, Enters Public Preview
May 23rd 2023 8:00am, by Andrew Brust
Forrester on WebAssembly for Developers: Frontend to Backend
May 17th 2023 6:00am, by Loraine Lawson
Return of the Monolith: Amazon Dumps Microservices for Video Monitoring
May 4th 2023 7:23am, by Joab Jackson
IBM's Quiet Approach to AI, Wasm and Serverless
May 4th 2023 6:00am, by Loraine Lawson
Cloud Control Planes for All: Implement Internal Platforms with Crossplane
Apr 13th 2023 10:00am, by Bassam Tabbara
Boost DevOps Maturity with a Data Lakehouse
May 17th 2023 10:20am, by Guido Deinhammer
Vercel Offers Postgres, Redis Options for Frontend Developers
May 1st 2023 9:00am, by Loraine Lawson
Why We Need an Inter-Cloud Data Standard
Apr 27th 2023 8:19am, by Aaron Schneider
We Designed Our Chips with First Pass Success — and So Can You
Apr 26th 2023 10:00am, by Parag Madhani
ACID Transactions Change the Game for Cassandra Developers
Apr 26th 2023 8:33am, by Aaron Ploetz
Frontend Development Software Development Typescript WebAssembly Cloud Services Data Machine Learning Security
Microsoft One-ups Google with Copilot Stack for Developers
May 24th 2023 11:45am, by
How to Start a Software Project: A Guide for Junior Devs
May 20th 2023 7:00am, by
Dev News: Trouble in npm, Vue 3.3 and Cloudflare Updates
May 20th 2023 5:00am, by
Generative AI Thread Runs Through Google’s New Products
May 19th 2023 12:37pm, by
AI Improves Developer Workflow, Says Gradle Dev Evangelist
May 19th 2023 10:00am, by
Microsoft One-ups Google with Copilot Stack for Developers
May 24th 2023 11:45am, by
Detect and Mitigate Common Attack Techniques for Containers
May 24th 2023 10:55am, by
Lineaje Unveils SBOM360 Hub for Software Bills of Materials
May 24th 2023 8:46am, by
AppSec 'Worst Practices' with Tanya Janca 
May 24th 2023 8:08am, by
FAQ: What Is Automated Incident Response?
May 24th 2023 6:04am, by
Dev News: Angular v16, plus Node.js and TypeScript Updates
Apr 22nd 2023 4:00am, by
This Week in Computing: Malware Gone Wild
Mar 25th 2023 7:10am, by
TypeScript 5.0: New Decorators Standard, Smaller npm
Mar 24th 2023 11:25am, by
JavaScript or WebAssembly: Which Is More Energy Efficient and Faster?
Jan 30th 2023 9:51am, by
What TypeScript Brings to Node.js
Dec 26th 2022 3:00am, by
Could WebAssembly Be the Key to Decreasing Kubernetes Use?
May 22nd 2023 6:00am, by
Forrester on WebAssembly for Developers: Frontend to Backend
May 17th 2023 6:00am, by
Dev News: Dart 3 Meets Wasm, Flutter 3.10, and Qwik ‘Streamable JavaScript’
May 13th 2023 9:00am, by
Our WebAssembly Experiment: Extending NGINX Agent
May 11th 2023 8:21am, by
A Workaround to WebAssembly’s Endpoint Compatibility Issues?
May 8th 2023 8:00am, by
Microsoft Fabric Defragments Analytics, Enters Public Preview
May 23rd 2023 8:00am, by
A Boring Kubernetes Release
May 19th 2023 12:23pm, by
Optimizing Mastodon Performance with Sidekiq and Redis Enterprise
May 18th 2023 10:30am, by and
Datadog’s $65M Bill and Why Developers Should Care
May 17th 2023 10:56am, by
Google Goes Gaga for AI Developer Tools
May 12th 2023 8:12am, by
Better Data Logistics Is the Key to Effective Machine Learning
May 24th 2023 10:00am, by
Microsoft Fabric Defragments Analytics, Enters Public Preview
May 23rd 2023 8:00am, by
Gothenburg, Sweden Used Open Source IoT to Drastically Cut Water Waste
May 23rd 2023 6:58am, by
What Is Unstructured Data?
May 22nd 2023 9:35am, by
Observability: Working with Metrics, Logs and Traces
May 22nd 2023 8:23am, by
AI Talk at KubeCon
May 24th 2023 1:36pm, by
Better Data Logistics Is the Key to Effective Machine Learning
May 24th 2023 10:00am, by
FAQ: What Is Automated Incident Response?
May 24th 2023 6:04am, by
The Benefits and Limitations of AI for Service Optimization
May 23rd 2023 10:00am, by
Economists Show AI Bringing Positive Impact to Workplaces
May 21st 2023 6:00am, by
Detect and Mitigate Common Attack Techniques for Containers
May 24th 2023 10:55am, by
Lineaje Unveils SBOM360 Hub for Software Bills of Materials
May 24th 2023 8:46am, by
AppSec 'Worst Practices' with Tanya Janca 
May 24th 2023 8:08am, by
Tracy Ragan: My Favorite Open Source Security Projects
May 22nd 2023 12:52pm, by
Scan Container Images for Vulnerabilities with Docker Scout
May 20th 2023 6:00am, by
Platform Engineering Operations CI/CD Tech Life DevOps Kubernetes Observability Service Mesh
Developer Platforms: Key Findings from a Forrester Snapshot
May 19th 2023 10:52am, by Aeris Stewart
How Otomi Helped the City of Utrecht Move to Kubernetes
May 15th 2023 10:00am, by Sander Rodenhuis
IBM Cloud CTO: Pros Outweigh the Cons with Platform Engineering
May 5th 2023 6:00am, by Loraine Lawson
Infrastructure as Code or Cloud Platforms — You Decide!
May 2nd 2023 9:34am, by Venkat Thiruvengadam
KubeCon Panel: How Platform Engineering Benefits Developers
Apr 28th 2023 8:51am, by Loraine Lawson
AI Talk at KubeCon
May 24th 2023 1:36pm, by Alex Williams
Better Data Logistics Is the Key to Effective Machine Learning
May 24th 2023 10:00am, by Michael Tanenbaum
Red Hat Ansible Gets Event-Triggered Automation, AI Assist on Playbooks
May 24th 2023 6:22am, by Joab Jackson
FAQ: What Is Automated Incident Response?
May 24th 2023 6:04am, by Ariel Russo
The Benefits and Limitations of AI for Service Optimization
May 23rd 2023 10:00am, by Prabjoth Saimbhi
Is DevOps Tool Complexity Slowing Down Developer Velocity?
May 17th 2023 6:29am, by Heather Joslyn and Lawrence E Hecht
AI Has Become Integral to the Software Delivery Lifecycle
May 12th 2023 11:01am, by Richard MacManus
4 Core Principles of GitOps
May 11th 2023 2:17pm, by Alex Williams
5 Version-Control Tools Game Developers Should Know About
May 9th 2023 10:00am, by Sharone Zitzman
Mitigate Risk Beyond the Supply Chain with Runtime Monitoring
May 8th 2023 10:00am, by Mike Long
AppSec 'Worst Practices' with Tanya Janca 
May 24th 2023 8:08am, by Taylor Armerding
Overcoming the Kubernetes Skills Gap with ChatGPT Assistance
May 23rd 2023 11:00am, by Dev Nag
Cloud Native Skill Gaps are Killing Your Gains 
May 22nd 2023 7:15am, by Victoria Wright
Economists Show AI Bringing Positive Impact to Workplaces
May 21st 2023 6:00am, by David Cassel
Tech Works: Why Burnout and Layoffs Hit Some People Harder
May 19th 2023 9:00am, by Jennifer Riggins
How to Start a Software Project: A Guide for Junior Devs
May 20th 2023 7:00am, by David Eastman
AI Improves Developer Workflow, Says Gradle Dev Evangelist
May 19th 2023 10:00am, by Richard MacManus
Guardrails Can Be the Common Language to Bring Dev and Ops Together
May 18th 2023 7:04am, by Cortney Nickerson
Boost DevOps Maturity with a Data Lakehouse
May 17th 2023 10:20am, by Guido Deinhammer
Is DevOps Tool Complexity Slowing Down Developer Velocity?
May 17th 2023 6:29am, by Heather Joslyn and Lawrence E Hecht
Overcoming the Kubernetes Skills Gap with ChatGPT Assistance
May 23rd 2023 11:00am, by Dev Nag
Could WebAssembly Be the Key to Decreasing Kubernetes Use?
May 22nd 2023 6:00am, by Loraine Lawson
A Boring Kubernetes Release
May 19th 2023 12:23pm, by Alex Williams
Guardrails Can Be the Common Language to Bring Dev and Ops Together
May 18th 2023 7:04am, by Cortney Nickerson
HashiCorp Vault Operator Manages Kubernetes Secrets
May 18th 2023 6:00am, by Heather Joslyn
Red Hat Ansible Gets Event-Triggered Automation, AI Assist on Playbooks
May 24th 2023 6:22am, by Joab Jackson
Observability: Working with Metrics, Logs and Traces
May 22nd 2023 8:23am, by Jessica Wachtel
Why Upgrade to Observability from Application Monitoring?
May 19th 2023 11:49am, by George Hamilton
Datadog’s $65M Bill and Why Developers Should Care
May 17th 2023 10:56am, by Loraine Lawson
How OpenSearch Visualizes Jaeger's Distributed Tracing
May 11th 2023 10:00am, by Derek Ho and Jonah Kowall
Linkerd Service Mesh Update Addresses More Demanding User Base
Apr 11th 2023 6:17am, by Joab Jackson and Alex Williams
How to Create Zero Trust Architecture for Service Mesh
Mar 27th 2023 7:00am, by Joe Fay
Ambient Mesh: Sidestepping the Sidecar
Mar 1st 2023 8:44am, by Jeff Goldman
Service Mesh Demand for Kubernetes Shifts to Security
Oct 27th 2022 11:04am, by B. Cameron Gain
AmeriSave Moved Its Microservices to the Cloud with Traefik's Dynamic Reverse Proxy
Sep 8th 2022 2:02pm, by Ann R. Thryft
CI/CD / Containers / Security

How to Install the SonarQube Security Analysis Platform

How to install Solarq
Feb 22nd, 2021 2:29pm by
Featued image for: How to Install the SonarQube Security Analysis Platform

SonarQube is a web-based software analysis platform with open source roots that can go a long way to delivering cleaner, issue-free code. SonarQube includes features like bug and vulnerability detection and code tracking. SonarQube can integrate into GitHub, Azure DevOps, Bitbucket, GitLab, and Docker.

Let’s get SonarQube installed. I’ll be demonstrating on the community edition (which includes static code analysis for 15 languages and a number of other features). If you find this tool of value, you might then consider upselling yourself into one of the three other editions (Developer, Enterprise, or Data Center), each of which has an associated cost (find out more on the SonarQube download page).

SonarQube can be installed on Linux, macOS, and Windows. For the purpose of this tutorial, I’ll demonstrate the installation process on Ubuntu Server 20.04.

Prepare the Environment

The first thing we must do is modify the kernel system limits. For this we must set the following:

  • vm.max_map_count must be greater than or equal to 524288
  • fs.file-max must be greater than or equal to 131072
  • The SonarQube user must be able to open at least 131072 file descriptors
  • The SonarQube user must be able to open at least 8192 threads

This is actually easier than it looks. Open the necessary file in the nano editor with the command:

sudo nano /etc/sysctl.conf

Scroll to the bottom of the file and paste the following:


Save and close the file with the [Ctrl]+[x] keyboard combination.

Next, open the limits.conf file with the command:

sudo nano /etc/security/limits.conf

Scroll to the bottom of this file and paste the following:


Save and close the file with the [Ctrl]+[x] keyboard combination.

In order for these changes to take effect, reboot the system with the command:

sudo reboot

Install OpenJDK 11

SonarQube depends on Java. For that, we’ll install OpenJDK 11, which can be done with the command:

sudo apt-get install openjdk-11-jdk -y

That was easy. Let’s move on.

Install and Configure the Database

On Linux, SonarQube only works with PostgreSQL, which means we have to take a few extra steps to get it installed. First, download the PostgreSQL GPG key with the command:

wget -q https://www.postgresql.org/media/keys/ACCC4CF8.asc -O - | sudo apt-key add -

Next, add the PostgreSQL apt repository by running the command:

sudo sh -c 'echo "deb http://apt.postgresql.org/pub/repos/apt/ lsb_release -cs-pgdg main" >> /etc/apt/sources.list.d/pgdg.list'

Update apt with the command:

sudo apt-get update

Install PostgreSQL with by issuing:

sudo apt install postgresql postgresql-contrib -y

Once the installation completes, start the PostgreSQL service with the command:

sudo systemctl start postgresql

Enable the service to start at boot with the command:

sudo systemctl enable  postgresql

Now we must set a password for the PostgreSQL user with the command:

sudo passwd postgres

Type and verify a new password.

Switch to the postgres user with the command:

su - postgres

Let’s create a new database user:

createuser sonar

We can now create our database. To do so, first log into the PostgreSQL console:

psql

Set a password for the sonar user with the command:

ALTER USER sonar WITH ENCRYPTED PASSWORD 'PWORD';

Where PWORD is a strong/unique password.

Create the SonarQube database with the command:

CREATE DATABASE sonarqube OWNER sonar;

Modify the privileges, such that the sonar user can access/use/modify the data with the command:

GRANT ALL PRIVILEGES ON DATABASE sonarqube to sonar;

Exit the database console with the command:

\q

Type exit to leave the postres user.

Download and Unpack SonarQube

For this tutorial, we’ll be installing SonarQube 8.6.1.40680. You’ll want to check the official SonarQube download page to make sure you’re installing the latest version.

Download SonarQube with the command:

wget https://binaries.sonarsource.com/Distribution/sonarqube/sonarqube-8.6.1.40680.zip

Install zip with the command:

sudo apt-get install zip -y

Unpack the downloaded file with the command:

unzip sonarqube*.zip

Move (and rename) the newly created file with the command:

sudo mv sonarqube-XXX /opt/sonarqube

Where XXX is the release number of SonarQube.

Create a New User and Group

For our next trick, we’ll create a new group and user. First, create the group with the command:

sudo groupadd sonar

Now we can create the user, set the user’s home directory to /opt/sonarqube, and add them to the new group with the command:

sudo useradd -c "SonarQube - User" -d /opt/sonarqube/ -g sonar sonar

Change the ownership of the sonarqube directory with the command:

sudo chown -R sonar:sonar /opt/sonarqube/

Configure SonarQube

We’re ready to configure SonarQube. Open the configuration file with the command:

sudo nano /opt/sonarqube/conf/sonar.properties

Remove the # character and modify the following lines so they reflect the changes below:

  • sonar.jdbc.username=sonar
  • sonar.jdbc.password=PASSWORD
  • sonar.jdbc.url=jdbc:postgresql://localhost/sonarqube
  • sonar.search.javaOpts=-Xmx512m -Xms512m -XX:MaxDirectMemorySize=256m -XX:+HeapDumpOnOutOfMemoryError

Where PASSWORD is the PostgreSQL user password.

Finally, make sure to edit the following lines so they look like what you see here:

  • sonar.web.host=SERVER
  • sonar.web.port=9000
  • sonar.web.javaAdditionalOpts=-server
  • sonar.search.javaOpts=-Xmx512m -Xms512m -XX:+HeapDumpOnOutOfMemoryError
  • sonar.log.level=INFO
  • sonar.path.logs=logs

Where SERVER is the IP address or Domain of the hosting server.

If your lines differ from what you see above, make sure to change them.

Save and close the sonar.properties file.

Next, we need to change the user that will run the SonarQube server. Issue the command:

sudo nano /opt/sonarqube/bin/linux-x86-64/sonar.sh

At the bottom of that file, make sure the RUN_AS_USER line looks like:


Save and close the file.

Create a Startup File

As it stands, the system has no way of knowing how to start SonarQube. To fix that, we must create a systemd startup file. Do that with the command:

sudo nano /etc/systemd/system/sonarqube.service

In this new file, paste the following contents:



 


Save and close the file with the [Ctrl]+[x] keyboard shortcut.

You can now start and enable the SonarQube service with the following two commands:

sudo systemctl start sonarqube

sudo systemctl enable sonarqube

Install and Configure NGINX

We’re not done yet. Remember, SonarQube is a web-based tool, so we need a web server. For this, we’ll use NGINX. To install the NGINX web server, issue the command:

sudo apt-get install nginx -y

Start the NGINX web server with the command:

sudo systemctl start nginx

Enable NGINX to run at system start with the command:

sudo systemctl enable nginx

In order for NGINX to know about SonarQube, we must create a configuration file with the command:

sudo nano /etc/nginx/sites-enabled/sonarqube.conf

In the new configuration file, paste the following:


Save and close the file with the [Ctrl]+[x] keyboard combination.

Restart NGINX with the command:

sudo systemctl restart nginx

Access SonarQube

Your installation of SonarQube is now ready to be accessed. Open a web browser and point it to http://SERVER:9000 (Where SERVER is the IP address or Domain of the hosting server). If you get an error, wait a bit before you refresh, as it takes a while for the SonarQube service to start.

You should eventually see a login screen, where you’ll use the default credentials of admin/admin. Upon successful authentication, you’ll be required to change the default password. Once you’ve taken care of that, you’ll find yourself at the SonarQube main page:

Figure 1:The SonarQube main window is ready for action.

Congratulations! You can now start checking your code for issues and vulnerabilities, without having to do so manually. Be on the lookout for later posts, where I’ll demonstrate how to use SonarQube to inspect your code.

Group Created with Sketch.
SHARE THIS STORY
RELATED STORIES
Tech Backgrounder: Slim.AI Makes Container Hardening Easier There Is No Resilience without Chaos Simplify CI/CD with a General-Purpose Software Catalog Is DevOps Tool Complexity Slowing Down Developer Velocity? A Better Way to Shift Security Left
TNS owner Insight Partners is an investor in: Enable, Unit, The New Stack, Docker, Real.
RELATED STORIES
Usenix: Continuous Integration Is Just SRE Alerting 'Shifted Left' Is DevOps Tool Complexity Slowing Down Developer Velocity? How 2 Founders Sold Their Startup to Aqua Security in a Year There Is No Resilience without Chaos 5 Version-Control Tools Game Developers Should Know About
THE NEW STACK UPDATE A newsletter digest of the week’s most important stories & analyses.