How to Install the SonarQube Security Analysis Platform

SonarQube is a web-based software analysis platform with open source roots that can go a long way to delivering cleaner, issue-free code. SonarQube includes features like bug and vulnerability detection and code tracking. SonarQube can integrate into GitHub, Azure DevOps, Bitbucket, GitLab, and Docker.
Let’s get SonarQube installed. I’ll be demonstrating on the community edition (which includes static code analysis for 15 languages and a number of other features). If you find this tool of value, you might then consider upselling yourself into one of the three other editions (Developer, Enterprise, or Data Center), each of which has an associated cost (find out more on the SonarQube download page).
SonarQube can be installed on Linux, macOS, and Windows. For the purpose of this tutorial, I’ll demonstrate the installation process on Ubuntu Server 20.04.
Prepare the Environment
The first thing we must do is modify the kernel system limits. For this we must set the following:
- vm.max_map_count must be greater than or equal to 524288
- fs.file-max must be greater than or equal to 131072
- The SonarQube user must be able to open at least 131072 file descriptors
- The SonarQube user must be able to open at least 8192 threads
This is actually easier than it looks. Open the necessary file in the nano editor with the command:
sudo nano /etc/sysctl.conf
Scroll to the bottom of the file and paste the following (these values meet the minimums listed above; the per-user file and process limits belong in limits.conf in the next step, since ulimit is a shell command, not a sysctl key):
vm.max_map_count=524288
fs.file-max=131072
Save and close the file with the [Ctrl]+[x] keyboard combination.
Next, open the limits.conf file with the command:
sudo nano /etc/security/limits.conf
Scroll to the bottom of this file and paste the following (sonar is the account that will run SonarQube, created later in this tutorial, and the values meet the minimums listed above):
sonar - nofile 131072
sonar - nproc 8192
Save and close the file with the [Ctrl]+[x] keyboard combination.
In order for these changes to take effect, reboot the system with the command:
sudo reboot
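After the reboot, the limits should be verified rather than assumed. The following script is an added example, not part of the original tutorial: it compares the live kernel and per-user values against the minimums listed above. Run it as the account that will start SonarQube once that user exists (for example su - sonar -c 'sh check_limits.sh --check'); the file name and the --check flag are this example's own conventions.

```shell
#!/bin/sh
# Added example (not from the original tutorial): verify after the reboot that
# the limits listed above are in effect. Run as the account that will start
# SonarQube, e.g.  su - sonar -c 'sh check_limits.sh --check'

# check_min NAME ACTUAL MINIMUM -> 0 if ACTUAL is a number >= MINIMUM, else 1
check_min() {
    name=$1; actual=$2; minimum=$3
    if [ "$actual" -ge "$minimum" ] 2>/dev/null; then
        echo "ok    $name=$actual (minimum $minimum)"
        return 0
    fi
    echo "FAIL  $name=${actual:-unset} (minimum $minimum)" >&2
    return 1
}

# check_sonarqube_limits -> exit status is the number of failed checks
check_sonarqube_limits() {
    failures=0
    # Kernel-wide settings from /etc/sysctl.conf
    check_min vm.max_map_count "$(sysctl -n vm.max_map_count 2>/dev/null)" 524288 || failures=$((failures + 1))
    check_min fs.file-max "$(sysctl -n fs.file-max 2>/dev/null)" 131072 || failures=$((failures + 1))
    # Per-user limits from /etc/security/limits.conf, as seen by this shell
    check_min "open files (ulimit -n)" "$(ulimit -n)" 131072 || failures=$((failures + 1))
    check_min "processes (ulimit -u)" "$(ulimit -u)" 8192 || failures=$((failures + 1))
    return "$failures"
}

# Run the live check only when invoked with --check, so the functions can be sourced.
if [ "${1:-}" = "--check" ]; then
    check_sonarqube_limits
    exit $?
fi
```

The systemd unit created later sets LimitNOFILE and LimitNPROC for the service itself, so for the running service inspect /proc/PID/limits of the SonarQube process rather than a login shell.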
Install OpenJDK 11
SonarQube depends on Java. For that, we’ll install OpenJDK 11, which can be done with the command:
sudo apt-get install openjdk-11-jdk -y
That was easy. Let’s move on.
Install and Configure the Database
On Linux, SonarQube only works with PostgreSQL, which means we have to take a few extra steps to get it installed. First, download the PostgreSQL GPG key with the command:
wget -q https://www.postgresql.org/media/keys/ACCC4CF8.asc -O - | sudo apt-key add -
Next, add the PostgreSQL apt repository by running the command:
sudo sh -c 'echo "deb http://apt.postgresql.org/pub/repos/apt/ $(lsb_release -cs)-pgdg main" >> /etc/apt/sources.list.d/pgdg.list'
Update apt with the command:
sudo apt-get update
Install PostgreSQL by issuing:
sudo apt install postgresql postgresql-contrib -y
Once the installation completes, start the PostgreSQL service with the command:
sudo systemctl start postgresql
Enable the service to start at boot with the command:
sudo systemctl enable postgresql
Now we must set a password for the postgres system account (so we can switch to it in a moment) with the command:
sudo passwd postgres
Type and verify a new password.
Switch to the postgres user with the command:
su - postgres
Let’s create a new database user:
createuser sonar
We can now create our database. To do so, first log into the PostgreSQL console:
psql
Set a password for the sonar user with the command:
ALTER USER sonar WITH ENCRYPTED PASSWORD 'PWORD';
Where PWORD is a strong/unique password.
Create the SonarQube database with the command:
CREATE DATABASE sonarqube OWNER sonar;
Modify the privileges, such that the sonar user can access/use/modify the data with the command:
GRANT ALL PRIVILEGES ON DATABASE sonarqube to sonar;
Exit the database console with the command:
\q
Type exit to leave the postgres user.
Download and Unpack SonarQube
For this tutorial, we’ll be installing SonarQube 8.6.1.40680. You’ll want to check the official SonarQube download page to make sure you’re installing the latest version.
Download SonarQube with the command:
wget https://binaries.sonarsource.com/Distribution/sonarqube/sonarqube-8.6.1.40680.zip
Install zip with the command:
sudo apt-get install zip -y
Unpack the downloaded file with the command:
unzip sonarqube*.zip
Move (and rename) the newly created directory with the command:
sudo mv sonarqube-XXX /opt/sonarqube
Where XXX is the release number of SonarQube.
Create a New User and Group
For our next trick, we’ll create a new group and user. First, create the group with the command:
sudo groupadd sonar
Now we can create the user, set the user’s home directory to /opt/sonarqube, and add them to the new group with the command:
sudo useradd -c "SonarQube - User" -d /opt/sonarqube/ -g sonar sonar
Change the ownership of the sonarqube directory with the command:
sudo chown -R sonar:sonar /opt/sonarqube/
Configure SonarQube
We’re ready to configure SonarQube. Open the configuration file with the command:
sudo nano /opt/sonarqube/conf/sonar.properties
Uncomment (remove the leading # character) and edit the following lines so they read:
sonar.jdbc.username=sonar
sonar.jdbc.password=PASSWORD
sonar.jdbc.url=jdbc:postgresql://localhost/sonarqube
sonar.search.javaOpts=-Xmx512m -Xms512m -XX:MaxDirectMemorySize=256m -XX:+HeapDumpOnOutOfMemoryError
Where PASSWORD is the password you set for the sonar database user (PWORD above).
Finally, make sure the following lines are present and look like this (sonar.search.javaOpts was already set above, so do not add a second copy of that key):
sonar.web.host=SERVER
sonar.web.port=9000
sonar.web.javaAdditionalOpts=-server
sonar.log.level=INFO
sonar.path.logs=logs
Where SERVER is the IP address or domain of the hosting server. This is the address SonarQube binds its web server to, so it must match the address you later tell NGINX to proxy to. If your lines differ from what you see above, change them.
Save and close the sonar.properties file.
Next, we need to change the user that will run the SonarQube server. Issue the command:
sudo nano /opt/sonarqube/bin/linux-x86-64/sonar.sh
Find the RUN_AS_USER line in that file (uncomment it if necessary) and make sure it reads:
RUN_AS_USER=sonar
Save and close the file.
Create a Startup File
As it stands, the system has no way of knowing how to start SonarQube. To fix that, we must create a systemd startup file. Do that with the command:
sudo nano /etc/systemd/system/sonarqube.service
In this new file, paste the following contents (LimitNOFILE and LimitNPROC match the minimums from the first section):
[Unit]
Description=SonarQube service
After=syslog.target network.target

[Service]
Type=forking
ExecStart=/opt/sonarqube/bin/linux-x86-64/sonar.sh start
ExecStop=/opt/sonarqube/bin/linux-x86-64/sonar.sh stop
User=sonar
Group=sonar
Restart=always
LimitNOFILE=131072
LimitNPROC=8192

[Install]
WantedBy=multi-user.target
Save and close the file with the [Ctrl]+[x] keyboard shortcut.
You can now start and enable the SonarQube service with the following two commands:
sudo systemctl start sonarqube
sudo systemctl enable sonarqube
Install and Configure NGINX
We’re not done yet. SonarQube is a web-based tool, so we’ll put a web server in front of it as a reverse proxy. For this, we’ll use NGINX. To install the NGINX web server, issue the command:
sudo apt-get install nginx -y
Start the NGINX web server with the command:
sudo systemctl start nginx
Enable NGINX to run at system start with the command:
sudo systemctl enable nginx
In order for NGINX to know about SonarQube, we must create a configuration file with the command:
sudo nano /etc/nginx/sites-enabled/sonarqube.conf
In the new configuration file, paste the following:
server {
    listen 80;
    server_name sonarqube.da.com;
    access_log /var/log/nginx/sonar.access.log;
    error_log /var/log/nginx/sonar.error.log;
    proxy_buffers 16 64k;
    proxy_buffer_size 128k;

    location / {
        proxy_pass http://127.0.0.1:9000;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto http;
    }
}
Replace sonarqube.da.com with the hostname your server answers to. The proxy_pass address must be one SonarQube actually listens on: with sonar.web.host set to the server’s address as in the previous section, use http://SERVER:9000 here (127.0.0.1 only works when sonar.web.host is 127.0.0.1 or 0.0.0.0).
Save and close the file with the [Ctrl]+[x] keyboard combination.
Restart NGINX with the command:
sudo systemctl restart nginx
Access SonarQube
Your installation of SonarQube is now ready to be accessed. Open a web browser and point it to http://SERVER:9000 (where SERVER is the IP address or domain of the hosting server) or, through the NGINX proxy, to http://sonarqube.da.com (the server_name you configured). Note that port 9000 remains reachable directly unless you restrict it with a firewall, so if you want all traffic to go through NGINX, block it. If you get an error, wait a bit before you refresh, as it takes a while for the SonarQube service to start.
You should eventually see a login screen, where you’ll use the default credentials of admin/admin. Upon successful authentication, you’ll be required to change the default password. Once you’ve taken care of that, you’ll find yourself at the SonarQube main page:
Figure 1: The SonarQube main window is ready for action.
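Rather than refreshing the browser by hand, the startup wait and the password change can be checked from the shell. This script is an added example, not part of the original tutorial: it polls SonarQube’s api/system/status endpoint until it reports UP, then confirms that the default admin/admin credentials are rejected by api/authentication/validate. SONAR_URL, the --check flag and the 10-second poll interval are this example’s own assumptions.

```shell
#!/bin/sh
# Added example (not from the original tutorial): poll SonarQube until it reports
# UP, then confirm the default admin/admin credentials no longer work. Assumes
# SONAR_URL is the base URL, e.g. http://SERVER:9000 or the NGINX front end.
SONAR_URL="${SONAR_URL:-http://127.0.0.1:9000}"

# json_field JSON KEY -> prints the string value of KEY in a flat JSON object
json_field() {
    printf '%s' "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

# default_creds_rejected JSON -> 0 when api/authentication/validate answered
# {"valid":false}, i.e. admin/admin was refused
default_creds_rejected() {
    case "$1" in
        *'"valid":false'*) return 0 ;;
        *) return 1 ;;
    esac
}

# wait_for_sonarqube [ATTEMPTS] -> polls api/system/status every 10 s until UP
wait_for_sonarqube() {
    attempts=${1:-30}
    while [ "$attempts" -gt 0 ]; do
        status=$(json_field "$(curl -s "$SONAR_URL/api/system/status")" status)
        echo "SonarQube status: ${status:-unreachable}"
        [ "$status" = "UP" ] && return 0
        attempts=$((attempts - 1))
        sleep 10
    done
    return 1
}

# check_default_credentials -> 0 if admin/admin is rejected, 1 if still accepted
check_default_credentials() {
    reply=$(curl -s -u admin:admin "$SONAR_URL/api/authentication/validate")
    if default_creds_rejected "$reply"; then
        echo "ok    default admin/admin credentials are rejected"
        return 0
    fi
    echo "FAIL  admin/admin still accepted (reply: ${reply:-none}); change it now" >&2
    return 1
}

# Run only when invoked with --check, so the functions can also be sourced.
if [ "${1:-}" = "--check" ]; then
    wait_for_sonarqube && check_default_credentials
    exit $?
fi
```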
Congratulations! You can now start checking your code for issues and vulnerabilities, without having to do so manually. Be on the lookout for later posts, where I’ll demonstrate how to use SonarQube to inspect your code.
GitLab is a sponsor of The New Stack.