TNS
VOXPOP
What news from AWS re:Invent last week will have the most impact on you?
Amazon Q, an AI chatbot for explaining how AWS works.
0%
Super-fast S3 Express storage.
0%
New Graviton 4 processor instances.
0%
Emily Freeman leaving AWS.
0%
I don't use AWS, so none of this will affect me.
0%
 
Cloud Native Ecosystem Containers Edge Computing Microservices Networking Serverless Storage
Cloud-Based Automated Testing Increases Speed in a Flash
Dec 7th 2023 7:11am, by Jonny Steiner
Real Talk: Why Is Datadog So Expensive?
Dec 7th 2023 6:00am, by Rachel Dines
Top 5 Trends in Cloud Native Software Testing in 2023
Dec 6th 2023 10:45am, by Bruno Lopes
How to Know If You’re Building the Right Internal Tools
Dec 5th 2023 7:16am, by Heather Joslyn
Microsoft’s New .NET Dev Tool Draws Community Support
Nov 30th 2023 8:54am, by Darryl K. Taft
Demystifying Container Security for Developers
Nov 28th 2023 12:21pm, by David Benas
Why Securing Containers Is Like Going to the Dentist
Nov 17th 2023 7:09am, by Neta Krakover
Dell GA's APEX Cloud Platform for Red Hat OpenShift
Nov 2nd 2023 11:00am, by Chris J. Preimesberger
Lynis: Run a Security Audit on Linux for Free
Oct 28th 2023 6:00am, by Jack Wallen
Why Capistrano Got Usurped by Docker and Then Kubernetes
Oct 25th 2023 1:53pm, by David Eastman
Arm Pushes AI into the Smallest IoT Devices with Cortex-M52 Chip
Nov 27th 2023 1:06pm, by Jeffrey Burt
TikTok to Open Source 'Cloud-Neutralizing' Edge Accelerator
Nov 20th 2023 8:30am, by Joab Jackson
Docker at the Edge: How Machine Learning Transformed Fowl Task
Nov 9th 2023 10:28am, by Loraine Lawson
The 2023 State of Kubernetes in Production
Nov 7th 2023 8:10am, by Jennifer Riggins
Edge AI: How to Make the Magic Happen with Kubernetes
Sep 14th 2023 4:00am, by Saad Malik
Why Testing Must Shift Left for Microservices
Dec 6th 2023 8:28am, by Arjun Iyer
Securing Microservices Communication with mTLS in Kubernetes
Nov 28th 2023 3:00am, by Robert Kimani
AppMap Releases Runtime Code Review as a GitHub Action
Nov 21st 2023 3:00am, by Susan Hall
Why Microservices Aren’t Working for You
Nov 20th 2023 6:34am, by Ned Harris
The Struggle for Microservice Integration Testing
Nov 10th 2023 6:30am, by Nočnica Mellifera
Why Is IPv6 Adoption Slow?
Nov 13th 2023 9:20am, by Tucker Preston
Effective Traffic Management with Kubernetes Gateway API Policies
Nov 7th 2023 3:00am, by Robert Kimani
Enhancing Kubernetes Networking with the Gateway API
Nov 3rd 2023 3:30am, by Robert Kimani
Cilium CNCF Graduation Could Mean Better Observability, Security with eBPF
Oct 13th 2023 4:00am, by B. Cameron Gain
Performant and Programmable Telco Networking with eBPF
Aug 11th 2023 10:00am, by Bill Mulligan
State of Serverless Computing and Event Streaming in 2024
Dec 4th 2023 7:17am, by Tun Shwe
Netlify Launches Composable Web Platform for Enterprise Devs
Oct 19th 2023 9:00am, by Richard MacManus
4 Factors of a WebAssembly Native World
Oct 12th 2023 9:00am, by Liam Crilly
Raising the Serverless Bar: Infrastructure APIs Unleash More Value for Enterprises
Oct 10th 2023 10:00am, by Tyson Trautmann
The Security-First Mindset to Unlocking the AWS Opportunity 
Aug 9th 2023 8:14am, by David Melamed
DynamoDB vs. ScyllaDB: A Price Performance Comparison
Dec 7th 2023 8:30am, by Eliran Sinvani
Amazon S3 Express One Zone Introduces Near-Real Time Object Storage
Nov 28th 2023 1:20pm, by Joab Jackson
How Epic Games Revs up Unreal Engine 'Cook Time' for Devs
Nov 28th 2023 7:20am, by Cynthia Dunlop
How to Get Data Warehouse Performance on the Data Lakehouse
Nov 20th 2023 9:00am, by Sida Shen
MongoDB vs. ScyllaDB: A Comparison of Database Architectures
Nov 13th 2023 1:06pm, by Daniel Seybold
AI Frontend Development Software Development TypeScript WebAssembly Cloud Services Data Security
AWS Goes Deep on AI, Chip Power... and Cost Savings
Dec 7th 2023 9:20am, by
JetBrains Launches New AI Assistant Powered by Multiple LLMs
Dec 7th 2023 7:27am, by
AI Will Create Demand and Empower Developers, Not Replace Them
Dec 6th 2023 8:54am, by
2024 Forecast: What Can Developers Expect in the New Year?
Dec 6th 2023 7:38am, by
Decoding Amazon’s Generative AI Strategy
Dec 6th 2023 5:00am, by
JetBrains Launches New AI Assistant Powered by Multiple LLMs
Dec 7th 2023 7:27am, by
Vercel Adds New Features Designed to Support Monorepos
Dec 6th 2023 1:01pm, by
The Pros and Cons of Using React Today
Dec 4th 2023 8:48am, by
Dev News: Astro 4.0 Beta, Rust / Kotlin AWS SDKs, Deno Cron
Dec 2nd 2023 7:00am, by
Tackling AI's Black Box: Howso Challenges PyTorch and JAX
Nov 30th 2023 3:00am, by
Vercel Adds New Features Designed to Support Monorepos
Dec 6th 2023 1:01pm, by
AI Will Create Demand and Empower Developers, Not Replace Them
Dec 6th 2023 8:54am, by
Why Testing Must Shift Left for Microservices
Dec 6th 2023 8:28am, by
2024 Forecast: What Can Developers Expect in the New Year?
Dec 6th 2023 7:38am, by
Think Like a Developer to Help Dev Teams Ship Faster
Dec 6th 2023 5:57am, by
How to Get Advantages of TypeScript in JavaScript
Oct 27th 2023 10:51am, by
Dev News: Udemy's New Docker Program, Plus TypeScript Beta
Oct 7th 2023 5:01am, by
The Angular Renaissance: Why Frontend Devs Should Revisit It
Sep 26th 2023 8:15am, by
Dev News: A 'Nue' Frontend Dev Tool; Panda and Bun Updates
Sep 16th 2023 4:00am, by
Dev News: Svelte 5 vs. VanillaJS and Google’s Project IDX
Aug 12th 2023 8:00am, by
JetBrains Developer Survey Tracks Rapid Adoption of AI
Dec 5th 2023 8:30am, by
Why WebAssembly Is a Good Fit for Extensible Control Planes
Nov 29th 2023 1:36pm, by
Dev News: Vite Rust-ifies, Roc Language, JS Framework SDKs
Nov 24th 2023 7:30am, by
WebAssembly's Status in Computing
Nov 14th 2023 11:14am, by
Who's Leading WebAssembly Adoption? So Far, Vendors
Nov 6th 2023 6:00am, by
AWS Goes Deep on AI, Chip Power... and Cost Savings
Dec 7th 2023 9:20am, by
Decoding Amazon’s Generative AI Strategy
Dec 6th 2023 5:00am, by
State of Serverless Computing and Event Streaming in 2024
Dec 4th 2023 7:17am, by
4 Guidelines to Tame Your Hybrid Cloud Migration
Nov 30th 2023 8:00am, by
Amazon Q, a GenAI to Understand AWS (and Your Business Docs)
Nov 29th 2023 8:47am, by
Piiano Flows Scans for Sensitive Data Leaks in Git Code
Dec 7th 2023 10:30am, by
DynamoDB vs. ScyllaDB: A Price Performance Comparison
Dec 7th 2023 8:30am, by
What Is Operational Resilience?
Dec 5th 2023 9:57am, by
How DoorDash Migrated from Aurora Postgres to CockroachDB
Dec 5th 2023 3:00am, by
Baserow: A No Code, Open Source Alternative to Airtable
Dec 2nd 2023 6:00am, by
Piiano Flows Scans for Sensitive Data Leaks in Git Code
Dec 7th 2023 10:30am, by
2024 Forecast: What Can Developers Expect in the New Year?
Dec 6th 2023 7:38am, by
Stytch Takes the Hassle out of Passkey Authentication
Dec 5th 2023 5:00am, by
Akin to SBOM, Trivy Adds KBOM Vulnerability Scanning to K8s
Dec 4th 2023 12:16pm, by
Mitigate OWASP Security Top Threats with an API Gateway
Nov 29th 2023 10:40am, by
Platform Engineering Operations CI/CD Tech Life DevOps Kubernetes Observability Service Mesh
The Hype Train Is Over. Platform Engineering Is Here to Stay
Dec 4th 2023 10:07am, by Carrie Tang
Demo: Self-Service Kubernetes with Rafay’s Backstage Plugins
Dec 4th 2023 6:44am, by Richard Gall
Cloud Migration and Platform Engineering at Large Organizations
Dec 4th 2023 3:00am, by Jennifer Riggins
Measuring the Impact of Your Platform Engineering Strategy
Nov 30th 2023 9:30am, by David Williams
How to Mature Your DevOps Automation Practices
Nov 30th 2023 6:32am, by Saif Gunja
DynamoDB vs. ScyllaDB: A Price Performance Comparison
Dec 7th 2023 8:30am, by Eliran Sinvani
What Is Operational Resilience?
Dec 5th 2023 9:57am, by Robert Kimani
JetBrains Developer Survey Tracks Rapid Adoption of AI
Dec 5th 2023 8:30am, by Lawrence E Hecht
How to Know If You’re Building the Right Internal Tools
Dec 5th 2023 7:16am, by Heather Joslyn
How Meta Patches Linux at Hyperscale
Dec 1st 2023 3:00am, by Steven J. Vaughan-Nichols
How to Observe Your CI/CD Pipelines with OpenTelemetry
Nov 28th 2023 7:40am, by Adriana Villela and Reese Lee
How to Use Databases Inside GitHub Actions
Nov 9th 2023 9:40am, by Gerald Venzl
Securing CI/CD Pipelines: A Comprehensive Approach Is Vital
Oct 25th 2023 6:06am, by Noah Simon
Continuous Release: Move Faster without Breaking Things
Oct 19th 2023 10:55am, by Karishma Irani
No Workflow Is an Island
Oct 13th 2023 7:09am, by Mark Fussell
Hundreds of Employees Face Layoffs in Wake of Broadcom-VMware Merger
Dec 5th 2023 10:58am, by Chris J. Preimesberger
As a Manager, You’re the Referee, Not the Coach
Dec 5th 2023 7:43am, by Kevin Clark
How to Know If You’re Building the Right Internal Tools
Dec 5th 2023 7:16am, by Heather Joslyn
2023's Gift Ideas for the Programmer in Your Life
Dec 3rd 2023 6:00am, by David Cassel
Tech Works: How to Build a Life-Long Career in Engineering
Dec 1st 2023 5:00am, by Jennifer Riggins
AI Will Create Demand and Empower Developers, Not Replace Them
Dec 6th 2023 8:54am, by Tony Graham
The Hype Train Is Over. Platform Engineering Is Here to Stay
Dec 4th 2023 10:07am, by Carrie Tang
Breaking Down the Wall in DevOps
Dec 1st 2023 5:30am, by Laura Santamaria
Top 5 Best Practices for Naming OpenTelemetry Attributes
Dec 1st 2023 4:00am, by Carl Brahms
Thinking in Systems: A Sociotechnical Approach to DevOps
Nov 30th 2023 8:22am, by Tao Hansen
How AWS Supports Open Source Work in the Kubernetes Universe
Dec 7th 2023 2:26pm, by Heather Joslyn
Reimagining Multicluster Kubernetes with k0s/k0smotron
Dec 6th 2023 10:00am, by Jussi Nummelin
Akin to SBOM, Trivy Adds KBOM Vulnerability Scanning to K8s
Dec 4th 2023 12:16pm, by Itay Shakury
HPC Kubernetes: AI Training on 3,500 GPUs
Dec 4th 2023 10:20am, by Joab Jackson
Demo: Self-Service Kubernetes with Rafay’s Backstage Plugins
Dec 4th 2023 6:44am, by Richard Gall
Real Talk: Why Is Datadog So Expensive?
Dec 7th 2023 6:00am, by Rachel Dines
How to Know If You’re Building the Right Internal Tools
Dec 5th 2023 7:16am, by Heather Joslyn
Top 5 Best Practices for Naming OpenTelemetry Attributes
Dec 1st 2023 4:00am, by Carl Brahms
Hey Programming Language Developer — Get over Yourself
Nov 30th 2023 12:30pm, by Alex Williams
OpenTelemetry for Go Is Almost a Go
Nov 29th 2023 7:22am, by B. Cameron Gain
Using JWTs to Authenticate Services Unravels API Gateways
Nov 8th 2023 6:53am, by Christian Posta and Peter Jausovec
Enhancing Kubernetes Networking with the Gateway API
Nov 3rd 2023 3:30am, by Robert Kimani
Linkerd Enterprise Creators: Keep the Sidecar Mesh
Oct 31st 2023 7:05am, by B. Cameron Gain
Scaling Environments with OpenTelemetry and Service Mesh
Oct 17th 2023 11:13am, by Anirudh Ramanathan
Kubernetes 1.28 Accommodates the Service Mesh, Sudden Outages
Aug 18th 2023 10:08am, by Joab Jackson
CI/CD / Containers / Security

How to Install the SonarQube Security Analysis Platform

How to install Solarq
Feb 22nd, 2021 2:29pm by
Featued image for: How to Install the SonarQube Security Analysis Platform

SonarQube is a web-based software analysis platform with open source roots that can go a long way to delivering cleaner, issue-free code. SonarQube includes features like bug and vulnerability detection and code tracking. SonarQube can integrate into GitHub, Azure DevOps, Bitbucket, GitLab, and Docker.

Let’s get SonarQube installed. I’ll be demonstrating on the community edition (which includes static code analysis for 15 languages and a number of other features). If you find this tool of value, you might then consider upselling yourself into one of the three other editions (Developer, Enterprise, or Data Center), each of which has an associated cost (find out more on the SonarQube download page).

SonarQube can be installed on Linux, macOS, and Windows. For the purpose of this tutorial, I’ll demonstrate the installation process on Ubuntu Server 20.04.

Prepare the Environment

The first thing we must do is modify the kernel system limits. For this we must set the following:

  • vm.max_map_count must be greater than or equal to 524288
  • fs.file-max must be greater than or equal to 131072
  • The SonarQube user must be able to open at least 131072 file descriptors
  • The SonarQube user must be able to open at least 8192 threads

This is actually easier than it looks. Open the necessary file in the nano editor with the command:

sudo nano /etc/sysctl.conf

Scroll to the bottom of the file and paste the following:


Save and close the file with the [Ctrl]+[x] keyboard combination.

Next, open the limits.conf file with the command:

sudo nano /etc/security/limits.conf

Scroll to the bottom of this file and paste the following:


Save and close the file with the [Ctrl]+[x] keyboard combination.

In order for these changes to take effect, reboot the system with the command:

sudo reboot

Install OpenJDK 11

SonarQube depends on Java. For that, we’ll install OpenJDK 11, which can be done with the command:

sudo apt-get install openjdk-11-jdk -y

That was easy. Let’s move on.

Install and Configure the Database

On Linux, SonarQube only works with PostgreSQL, which means we have to take a few extra steps to get it installed. First, download the PostgreSQL GPG key with the command:

wget -q https://www.postgresql.org/media/keys/ACCC4CF8.asc -O - | sudo apt-key add -

Next, add the PostgreSQL apt repository by running the command:

sudo sh -c 'echo "deb http://apt.postgresql.org/pub/repos/apt/ lsb_release -cs-pgdg main" >> /etc/apt/sources.list.d/pgdg.list'

Update apt with the command:

sudo apt-get update

Install PostgreSQL with by issuing:

sudo apt install postgresql postgresql-contrib -y

Once the installation completes, start the PostgreSQL service with the command:

sudo systemctl start postgresql

Enable the service to start at boot with the command:

sudo systemctl enable  postgresql

Now we must set a password for the PostgreSQL user with the command:

sudo passwd postgres

Type and verify a new password.

Switch to the postgres user with the command:

su - postgres

Let’s create a new database user:

createuser sonar

We can now create our database. To do so, first log into the PostgreSQL console:

psql

Set a password for the sonar user with the command:

ALTER USER sonar WITH ENCRYPTED PASSWORD 'PWORD';

Where PWORD is a strong/unique password.

Create the SonarQube database with the command:

CREATE DATABASE sonarqube OWNER sonar;

Modify the privileges, such that the sonar user can access/use/modify the data with the command:

GRANT ALL PRIVILEGES ON DATABASE sonarqube to sonar;

Exit the database console with the command:

\q

Type exit to leave the postres user.

Download and Unpack SonarQube

For this tutorial, we’ll be installing SonarQube 8.6.1.40680. You’ll want to check the official SonarQube download page to make sure you’re installing the latest version.

Download SonarQube with the command:

wget https://binaries.sonarsource.com/Distribution/sonarqube/sonarqube-8.6.1.40680.zip

Install zip with the command:

sudo apt-get install zip -y

Unpack the downloaded file with the command:

unzip sonarqube*.zip

Move (and rename) the newly created file with the command:

sudo mv sonarqube-XXX /opt/sonarqube

Where XXX is the release number of SonarQube.

Create a New User and Group

For our next trick, we’ll create a new group and user. First, create the group with the command:

sudo groupadd sonar

Now we can create the user, set the user’s home directory to /opt/sonarqube, and add them to the new group with the command:

sudo useradd -c "SonarQube - User" -d /opt/sonarqube/ -g sonar sonar

Change the ownership of the sonarqube directory with the command:

sudo chown -R sonar:sonar /opt/sonarqube/

Configure SonarQube

We’re ready to configure SonarQube. Open the configuration file with the command:

sudo nano /opt/sonarqube/conf/sonar.properties

Remove the # character and modify the following lines so they reflect the changes below:

  • sonar.jdbc.username=sonar
  • sonar.jdbc.password=PASSWORD
  • sonar.jdbc.url=jdbc:postgresql://localhost/sonarqube
  • sonar.search.javaOpts=-Xmx512m -Xms512m -XX:MaxDirectMemorySize=256m -XX:+HeapDumpOnOutOfMemoryError

Where PASSWORD is the PostgreSQL user password.

Finally, make sure to edit the following lines so they look like what you see here:

  • sonar.web.host=SERVER
  • sonar.web.port=9000
  • sonar.web.javaAdditionalOpts=-server
  • sonar.search.javaOpts=-Xmx512m -Xms512m -XX:+HeapDumpOnOutOfMemoryError
  • sonar.log.level=INFO
  • sonar.path.logs=logs

Where SERVER is the IP address or Domain of the hosting server.

If your lines differ from what you see above, make sure to change them.

Save and close the sonar.properties file.

Next, we need to change the user that will run the SonarQube server. Issue the command:

sudo nano /opt/sonarqube/bin/linux-x86-64/sonar.sh

At the bottom of that file, make sure the RUN_AS_USER line looks like:


Save and close the file.

Create a Startup File

As it stands, the system has no way of knowing how to start SonarQube. To fix that, we must create a systemd startup file. Do that with the command:

sudo nano /etc/systemd/system/sonarqube.service

In this new file, paste the following contents:



 


Save and close the file with the [Ctrl]+[x] keyboard shortcut.

You can now start and enable the SonarQube service with the following two commands:

sudo systemctl start sonarqube

sudo systemctl enable sonarqube

Install and Configure NGINX

We’re not done yet. Remember, SonarQube is a web-based tool, so we need a web server. For this, we’ll use NGINX. To install the NGINX web server, issue the command:

sudo apt-get install nginx -y

Start the NGINX web server with the command:

sudo systemctl start nginx

Enable NGINX to run at system start with the command:

sudo systemctl enable nginx

In order for NGINX to know about SonarQube, we must create a configuration file with the command:

sudo nano /etc/nginx/sites-enabled/sonarqube.conf

In the new configuration file, paste the following:


Save and close the file with the [Ctrl]+[x] keyboard combination.

Restart NGINX with the command:

sudo systemctl restart nginx

Access SonarQube

Your installation of SonarQube is now ready to be accessed. Open a web browser and point it to http://SERVER:9000 (Where SERVER is the IP address or Domain of the hosting server). If you get an error, wait a bit before you refresh, as it takes a while for the SonarQube service to start.

You should eventually see a login screen, where you’ll use the default credentials of admin/admin. Upon successful authentication, you’ll be required to change the default password. Once you’ve taken care of that, you’ll find yourself at the SonarQube main page:

Figure 1:The SonarQube main window is ready for action.

Congratulations! You can now start checking your code for issues and vulnerabilities, without having to do so manually. Be on the lookout for later posts, where I’ll demonstrate how to use SonarQube to inspect your code.

TRENDING STORIES
Group Created with Sketch.
Jack Wallen is what happens when a Gen Xer mind-melds with present-day snark. Jack is a seeker of truth and a writer of words with a quantum mechanical pencil and a disjointed beat of sound and soul. Although he resides...
Read more from Jack Wallen
SHARE THIS STORY
TRENDING STORIES
TNS owner Insight Partners is an investor in: Enable, Unit, The New Stack, Docker, Real.
TRENDING STORIES
THE NEW STACK UPDATE A newsletter digest of the week’s most important stories & analyses.