
How to Install the SonarQube Security Analysis Platform

22 Feb 2021 2:29pm, by

SonarQube is a web-based software analysis platform with open source roots that can go a long way to delivering cleaner, issue-free code. SonarQube includes features like bug and vulnerability detection and code tracking. SonarQube can integrate into GitHub, Azure DevOps, Bitbucket, GitLab, and Docker.

Let’s get SonarQube installed. I’ll be demonstrating on the community edition (which includes static code analysis for 15 languages and a number of other features). If you find this tool of value, you might then consider upselling yourself into one of the three other editions (Developer, Enterprise, or Data Center), each of which has an associated cost (find out more on the SonarQube download page).

SonarQube can be installed on Linux, macOS, and Windows. For the purpose of this tutorial, I’ll demonstrate the installation process on Ubuntu Server 20.04.

Prepare the Environment

The first thing we must do is modify the kernel system limits. For this we must set the following:

  • vm.max_map_count must be greater than or equal to 524288
  • fs.file-max must be greater than or equal to 131072
  • The SonarQube user must be able to open at least 131072 file descriptors
  • The SonarQube user must be able to open at least 8192 threads

This is actually easier than it looks. Open the necessary file in the nano editor with the command:

sudo nano /etc/sysctl.conf

Scroll to the bottom of the file and add the vm.max_map_count and fs.file-max settings listed above:

Save and close the file with the [Ctrl]+[x] keyboard combination.

Next, open the limits.conf file with the command:

sudo nano /etc/security/limits.conf

Scroll to the bottom of this file and add the open-file (nofile) and thread (nproc) limits for the SonarQube user listed above:

Save and close the file with the [Ctrl]+[x] keyboard combination.

In order for these changes to take effect, reboot the system with the command:

sudo reboot
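Here is what those two edits amount to, as an added example rather than the article's own listing, derived from the four limits stated above, together with a small check you can run after the reboot to confirm the live values (the sonar user it names is created later in this tutorial):

```shell
#!/bin/sh
# Added example (not from the article): the entries implied by the four
# limits above, plus a check of the live values. The "sonar" user named in
# the limits entries is created later in this tutorial.

# Lines to append to /etc/sysctl.conf (sudo sysctl --system applies them
# without a reboot)
SYSCTL_LINES='vm.max_map_count=524288
fs.file-max=131072'

# Lines to append to /etc/security/limits.conf ("-" sets soft and hard)
LIMITS_LINES='sonar   -   nofile   131072
sonar   -   nproc    8192'

print_sysctl_lines() { printf '%s\n' "$SYSCTL_LINES"; }
print_limits_lines() { printf '%s\n' "$LIMITS_LINES"; }

# meets_minimum ACTUAL REQUIRED: succeeds when ACTUAL >= REQUIRED
# ("unlimited", as ulimit may report, always passes)
meets_minimum() {
  [ "$1" = "unlimited" ] && return 0
  [ "$1" -ge "$2" ]
}

# check_limits: verify the running system; run it as the sonar user so the
# ulimit values are the ones SonarQube will actually get
check_limits() {
  rc=0
  meets_minimum "$(cat /proc/sys/vm/max_map_count)" 524288 || { echo "vm.max_map_count below 524288"; rc=1; }
  meets_minimum "$(cat /proc/sys/fs/file-max)" 131072 || { echo "fs.file-max below 131072"; rc=1; }
  meets_minimum "$(ulimit -n)" 131072 || { echo "open files (nofile) below 131072"; rc=1; }
  meets_minimum "$(ulimit -u)" 8192 || { echo "processes (nproc) below 8192"; rc=1; }
  return $rc
}
```

Append the printed lines with `print_sysctl_lines | sudo tee -a /etc/sysctl.conf` (and likewise for limits.conf), then call `check_limits` after logging back in as the sonar user.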

Install OpenJDK 11

SonarQube depends on Java. For that, we’ll install OpenJDK 11, which can be done with the command:

sudo apt-get install openjdk-11-jdk -y

That was easy. Let’s move on.

Install and Configure the Database

On Linux, SonarQube only works with PostgreSQL, which means we have to take a few extra steps to get it installed. First, download the PostgreSQL GPG key with the command:

wget -q https://www.postgresql.org/media/keys/ACCC4CF8.asc -O - | sudo apt-key add -

Next, add the PostgreSQL apt repository by running the command:

sudo sh -c 'echo "deb http://apt.postgresql.org/pub/repos/apt/ $(lsb_release -cs)-pgdg main" >> /etc/apt/sources.list.d/pgdg.list'

Update apt with the command:

sudo apt-get update

Install PostgreSQL by issuing:

sudo apt install postgresql postgresql-contrib -y

Once the installation completes, start the PostgreSQL service with the command:

sudo systemctl start postgresql

Enable the service to start at boot with the command:

sudo systemctl enable postgresql

Now we must set a password for the postgres system account with the command:

sudo passwd postgres

Type and verify a new password.

Switch to the postgres user with the command:

su - postgres

Let’s create a new database user:

createuser sonar

We can now create our database. To do so, first log into the PostgreSQL console:

psql

Set a password for the sonar user with the command:

ALTER USER sonar WITH ENCRYPTED PASSWORD 'PWORD';

Where PWORD is a strong/unique password.

Create the SonarQube database with the command:

CREATE DATABASE sonarqube OWNER sonar;

Modify the privileges, such that the sonar user can access/use/modify the data with the command:

GRANT ALL PRIVILEGES ON DATABASE sonarqube to sonar;

Exit the database console with the command:

\q

Type exit to leave the postgres user.

Download and Unpack SonarQube

For this tutorial, we’ll be installing SonarQube 8.6.1.40680. You’ll want to check the official SonarQube download page to make sure you’re installing the latest version.

Download SonarQube with the command:

wget https://binaries.sonarsource.com/Distribution/sonarqube/sonarqube-8.6.1.40680.zip

Install zip with the command:

sudo apt-get install zip -y

Unpack the downloaded file with the command:

unzip sonarqube*.zip

Move (and rename) the newly created directory with the command:

sudo mv sonarqube-XXX /opt/sonarqube

Where XXX is the release number of SonarQube.

Create a New User and Group

For our next trick, we’ll create a new group and user. First, create the group with the command:

sudo groupadd sonar

Now we can create the user, set the user’s home directory to /opt/sonarqube, and add them to the new group with the command:

sudo useradd -c "SonarQube - User" -d /opt/sonarqube/ -g sonar sonar

Change the ownership of the sonarqube directory with the command:

sudo chown -R sonar:sonar /opt/sonarqube/

Configure SonarQube

We’re ready to configure SonarQube. Open the configuration file with the command:

sudo nano /opt/sonarqube/conf/sonar.properties

Uncomment (remove the leading # character) and edit the following lines so they read as shown below:

  • sonar.jdbc.username=sonar
  • sonar.jdbc.password=PASSWORD
  • sonar.jdbc.url=jdbc:postgresql://localhost/sonarqube
  • sonar.search.javaOpts=-Xmx512m -Xms512m -XX:MaxDirectMemorySize=256m -XX:+HeapDumpOnOutOfMemoryError

Where PASSWORD is the password you set for the sonar database user.

Finally, make sure to edit the following lines so they look like what you see here:

  • sonar.web.host=SERVER
  • sonar.web.port=9000
  • sonar.web.javaAdditionalOpts=-server
  • sonar.search.javaOpts=-Xmx512m -Xms512m -XX:+HeapDumpOnOutOfMemoryError
  • sonar.log.level=INFO
  • sonar.path.logs=logs

Where SERVER is the IP address or domain name of the hosting server.

If your lines differ from what you see above, make sure to change them.

Save and close the sonar.properties file.

Next, we need to change the user that will run the SonarQube server. Issue the command:

sudo nano /opt/sonarqube/bin/linux-x86-64/sonar.sh

At the bottom of that file, make sure the RUN_AS_USER line is uncommented and set to the sonar user:

Save and close the file.

Create a Startup File

As it stands, the system has no way of knowing how to start SonarQube. To fix that, we must create a systemd startup file. Do that with the command:

sudo nano /etc/systemd/system/sonarqube.service

In this new file, paste the following contents:
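As an added example (not the article's own file), here is a unit that matches the paths and the sonar user and group created in this tutorial. One caveat worth knowing: limits.conf is applied by PAM to login sessions, not to systemd services, so the unit repeats the file-descriptor and thread limits.

```shell
#!/bin/sh
# Added example, not the article's own unit file. It assumes the layout used
# in this tutorial: /opt/sonarqube owned by user/group "sonar".
# /etc/security/limits.conf is enforced by PAM for login sessions only; a
# systemd service takes its limits from the unit, so they are set here too.

SONAR_HOME=/opt/sonarqube   # install path from the tutorial

# sonarqube_unit: print the unit file contents to stdout
sonarqube_unit() {
  cat <<EOF
[Unit]
Description=SonarQube service
After=network.target

[Service]
Type=forking
ExecStart=$SONAR_HOME/bin/linux-x86-64/sonar.sh start
ExecStop=$SONAR_HOME/bin/linux-x86-64/sonar.sh stop
User=sonar
Group=sonar
Restart=always
LimitNOFILE=131072
LimitNPROC=8192

[Install]
WantedBy=multi-user.target
EOF
}

# install_unit: write the unit and make systemd re-read it (needs root)
install_unit() {
  sonarqube_unit | sudo tee /etc/systemd/system/sonarqube.service >/dev/null
  sudo systemctl daemon-reload
}
```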


Save and close the file with the [Ctrl]+[x] keyboard shortcut.

You can now start and enable the SonarQube service with the following two commands:

sudo systemctl start sonarqube

sudo systemctl enable sonarqube

Install and Configure NGINX

We’re not done yet. Remember, SonarQube is a web-based tool, so we need a web server. For this, we’ll use NGINX. To install the NGINX web server, issue the command:

sudo apt-get install nginx -y

Start the NGINX web server with the command:

sudo systemctl start nginx

Enable NGINX to run at system start with the command:

sudo systemctl enable nginx

In order for NGINX to know about SonarQube, we must create a configuration file with the command:

sudo nano /etc/nginx/sites-enabled/sonarqube.conf

In the new configuration file, paste the following:
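As an added example (not the article's own file), here is a server block that proxies to SonarQube. The hostname and backend address are arguments; the backend must match sonar.web.host and sonar.web.port from sonar.properties, and binding SonarQube to 127.0.0.1 keeps port 9000 reachable only through NGINX.

```shell
#!/bin/sh
# Added example (not the article's own file): an NGINX server block that
# reverse-proxies SonarQube. The hostname (sonar.example.test below is a
# placeholder) and the backend address:port are passed in as arguments.

# sonarqube_nginx_conf SERVER_NAME BACKEND -> prints the config to stdout
sonarqube_nginx_conf() {
  name="$1"
  backend="$2"
  cat <<EOF
server {
    listen 80;
    server_name $name;

    access_log /var/log/nginx/sonarqube.access.log;
    error_log  /var/log/nginx/sonarqube.error.log;

    location / {
        proxy_pass http://$backend;
        # pass the original host, client address and scheme so SonarQube's
        # logs and redirects reflect the request as the client sent it
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
    }
}
EOF
}

# install_nginx_conf SERVER_NAME BACKEND: write the file, validate the
# configuration, and only then restart NGINX (needs root)
install_nginx_conf() {
  sonarqube_nginx_conf "$1" "$2" | sudo tee /etc/nginx/sites-enabled/sonarqube.conf >/dev/null
  sudo nginx -t && sudo systemctl restart nginx
}
```

For example: `install_nginx_conf sonar.example.test 127.0.0.1:9000`, with sonar.web.host=127.0.0.1 in sonar.properties.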

Save and close the file with the [Ctrl]+[x] keyboard combination.

Restart NGINX with the command:

sudo systemctl restart nginx

Access SonarQube

Your installation of SonarQube is now ready to be accessed. Open a web browser and point it to http://SERVER:9000 (where SERVER is the IP address or domain name of the hosting server). If you get an error, wait a bit before you refresh, as it takes a while for the SonarQube service to start.

You should eventually see a login screen, where you’ll use the default credentials of admin/admin. Upon successful authentication, you’ll be required to change the default password. Once you’ve taken care of that, you’ll find yourself at the SonarQube main page:

Figure 1: The SonarQube main window is ready for action.

Congratulations! You can now start checking your code for issues and vulnerabilities, without having to do so manually. Be on the lookout for later posts, where I’ll demonstrate how to use SonarQube to inspect your code.

The New Stack is a wholly owned subsidiary of Insight Partners, an investor in the following companies mentioned in this article: Docker, Real.
