
Latest revision as of 10:06, 15 May 2019

This page describes how to set up SonarQube:

  • Application installation
  • Post-install settings


  • 2016-12-25 : update for Ubuntu 16.10
  • 2019-03-26 : update for SonarQube 7.x on CentOS 7.x ; with PostgreSQL server

You can find all these instructions and more on the Official how-to

Requirement: PostgreSQL DB server

You need a DB server to use SonarQube. The embedded H2 engine is meant for evaluation only: it is (very) slow and an H2 instance cannot be upgraded to a newer SonarQube version. The SonarQube team recommends PostgreSQL.

Setup PostgreSQL

# Add repository
sudo wget https://download.postgresql.org/pub/repos/yum/11/redhat/rhel-7-x86_64/pgdg-centos11-11-2.noarch.rpm -P /tmp
sudo yum install /tmp/pgdg-centos11-11-2.noarch.rpm epel-release
sudo yum update

# Setup server
sudo yum install postgresql11-server postgresql11-contrib postgresql11

# Init Postgres database
#   > default user: postgres
sudo /usr/pgsql-11/bin/postgresql-11-setup initdb

Enable remote access

Only needed if SonarQube runs on a different host than PostgreSQL. If both run on the same machine, keep the default (listen_addresses = 'localhost'), skip this step and the firewall step: a database that only listens on the loopback interface has no network exposure to protect.

Adjust the configuration to enable remote access:

sudo cp /var/lib/pgsql/11/data/postgresql.conf /var/lib/pgsql/11/data/postgresql.conf.backup
sudo vim /var/lib/pgsql/11/data/postgresql.conf

# '*' listens on every interface; the address of the interface facing the SonarQube host is tighter
listen_addresses = '*'


sudo cp /var/lib/pgsql/11/data/pg_hba.conf /var/lib/pgsql/11/data/pg_hba.conf.backup
sudo vim /var/lib/pgsql/11/data/pg_hba.conf
# IPv4 remote connections (narrow 0.0.0.0/0 to the SonarQube host or its subnet, e.g. 192.168.1.0/24):
host    all             all             0.0.0.0/0               md5
# IPv6 remote connections (same remark for ::/0):
host    all             all             ::/0                    md5

md5 is password authentication, so a rule with 0.0.0.0/0 lets every host the firewall admits try passwords against every database; restrict the ADDRESS column to the SonarQube host, and the DATABASE/USER columns to the SonarQube database and role once they exist. On PostgreSQL 10+ scram-sha-256 is the stronger method, but password_encryption = scram-sha-256 must be set in postgresql.conf before the passwords are created.
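An added check for the rules above (example code written for this page, not part of the original page or of PostgreSQL): it walks a pg_hba.conf and flags catch-all addresses and password-less or clear-text methods. The two files it inspects are constructed samples, the "weak" one being the page's own catch-all rule set; the database, role name and subnet in the "hardened" one are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original page: audit a pg_hba.conf for rules
# that are wider than a single SonarQube server needs. Both files below are
# constructed samples; "sonarqube" and 192.168.1.0/24 are assumed names.

# audit_pg_hba FILE: print one line per finding, always return 0.
# Flags an ADDRESS with a /0 mask (0.0.0.0/0, ::/0: every host the firewall lets
# through may try passwords) and the METHOD 'trust' (no password at all) or
# 'password' (clear-text password on the wire).
audit_pg_hba() {
    hba_file="$1"
    while read -r ctype db user addr method rest; do
        case "$ctype" in
            ''|'#'*) continue ;;            # blank line or comment
        esac
        if [ "$ctype" = "local" ]; then     # unix-socket rows have no ADDRESS column
            method="$addr"
            addr="(unix socket)"
        fi
        case "$addr" in
            */0) echo "OPEN-ADDRESS: $ctype $db $user $addr $method" ;;
        esac
        case "$method" in
            trust|password) echo "WEAK-AUTH: $ctype $db $user $addr $method" ;;
        esac
    done < "$hba_file"
    return 0
}

# count_pg_hba_findings FILE: number of findings as a plain integer on stdout.
count_pg_hba_findings() {
    audit_pg_hba "$1" | wc -l | tr -d ' '
}

SAMPLE_DIR=$(mktemp -d)

# Constructed sample 1: the page's rule set, plus the 'trust' line for local
# sockets that some tutorials add.
WEAK_HBA="$SAMPLE_DIR/pg_hba.weak.conf"
cat > "$WEAK_HBA" <<'EOF'
# TYPE  DATABASE        USER            ADDRESS                 METHOD
local   all             all                                     trust
# IPv4 local connections:
host    all             all             0.0.0.0/0               md5
# IPv6 local connections:
host    all             all             ::/0                    md5
EOF

# Constructed sample 2: only the 'sonarqube' role may open the 'sonarqube'
# database, only from loopback and the SonarQube host's subnet.
HARDENED_HBA="$SAMPLE_DIR/pg_hba.hardened.conf"
cat > "$HARDENED_HBA" <<'EOF'
# TYPE  DATABASE        USER            ADDRESS                 METHOD
local   all             postgres                                peer
host    sonarqube       sonarqube       127.0.0.1/32            md5
host    sonarqube       sonarqube       192.168.1.0/24          md5
EOF

echo "== $WEAK_HBA =="
audit_pg_hba "$WEAK_HBA"
echo "== $HARDENED_HBA =="
audit_pg_hba "$HARDENED_HBA"
echo "weak: $(count_pg_hba_findings "$WEAK_HBA") finding(s), hardened: $(count_pg_hba_findings "$HARDENED_HBA")"
```

Run it against the live file with `sudo audit_pg_hba /var/lib/pgsql/11/data/pg_hba.conf` after sourcing the script; an empty report means every rule names a specific network and a password-based method.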

Start PostgreSQL

# Start Postgres server
sudo systemctl enable postgresql-11.service
sudo systemctl start postgresql-11.service

# The 'postgres' LINUX account needs no password: act as it with "sudo -u postgres".
# Do not give it a guessable one such as "postgres"; it would become a login for the whole box.

# Set the 'postgres' SQL DB ADMIN user password (choose a strong, unique one)
# psql must be started from a directory the postgres user can read, otherwise it prints
# "could not change directory"; /tmp is enough, no world-writable home folder is needed
cd /tmp
sudo -u postgres psql -d template1 -c "ALTER USER postgres WITH PASSWORD 'newPassword';"
cd -
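The page stops at the superuser password, which would leave SonarQube connecting as postgres. An added example (not from the original page or from SonarSource) that creates a dedicated, non-superuser role and a UTF-8 database for it instead; the names sonarqube/sonarqube are assumptions, and the password is generated rather than typed. Only the SQL generation runs by default; create_sonar_db applies it on the server.

```shell
#!/bin/sh
# Added example, not from the original page: give SonarQube its own PostgreSQL
# role and database instead of letting it connect as the 'postgres' superuser.
# Role/database name "sonarqube" is an assumption; use whatever you will put in
# sonar.properties.

# sonar_db_sql ROLE DB PASSWORD: print the SQL that creates a login role without
# superuser/createdb/createrole rights and a UTF-8 database it owns.
# Single quotes in the password are doubled so they cannot end the string literal.
sonar_db_sql() {
    role="$1"; db="$2"
    pw=$(printf '%s' "$3" | sed "s/'/''/g")
    cat <<EOF
CREATE ROLE "$role" WITH LOGIN PASSWORD '$pw' NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT;
CREATE DATABASE "$db" WITH OWNER "$role" ENCODING 'UTF8' TEMPLATE template0;
EOF
}

# random_password: 24 alphanumeric characters from /dev/urandom (about 143 bits).
random_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 24
}

# create_sonar_db ROLE DB PASSWORD: feed the SQL to psql as the postgres superuser
# over stdin (no temp file holding the password), from /tmp so psql does not
# complain about an unreadable current directory. -v ON_ERROR_STOP=1 makes psql
# exit non-zero on the first failing statement. Not run by default.
create_sonar_db() {
    sonar_db_sql "$1" "$2" "$3" | (cd /tmp && sudo -u postgres psql -v ON_ERROR_STOP=1 -d template1)
}

# verify_not_superuser ROLE: prints "f" when the role is not a superuser. Not run by default.
verify_not_superuser() {
    (cd /tmp && sudo -u postgres psql -Atc "SELECT rolsuper FROM pg_roles WHERE rolname = '$1'")
}

# Demo: print the SQL with a throwaway password. On the server:
#   SONAR_DB_PASSWORD=$(random_password); create_sonar_db sonarqube sonarqube "$SONAR_DB_PASSWORD"
#   verify_not_superuser sonarqube      # expect: f
sonar_db_sql sonarqube sonarqube "$(random_password)"
```

Keep the generated password for the sonar.jdbc.password setting in sonar.properties, and add a pg_hba.conf rule for this role and database only (see the previous section) rather than for "all".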

CentOS firewall

Only needed when the database is reached over the network. PostgreSQL listens on TCP 5432 by default (not 5234). On Debian with iptables just open TCP 5432, from the SonarQube host only.

POSTGRES_DEFAULT_PORT=5432

# Remove previous FW rules, if any (errors about rules that do not exist can be ignored)
sudo firewall-cmd --permanent --remove-port=$POSTGRES_DEFAULT_PORT/tcp
sudo firewall-cmd --permanent --remove-service=postgres --zone=trusted
sudo firewall-cmd --permanent --remove-service=postgres

# Add new FW rules
sudo firewall-cmd --permanent --new-service=postgres
sudo firewall-cmd --permanent --service=postgres --set-short="PostgreSQL database server"
sudo firewall-cmd --permanent --service=postgres --set-description="PostgreSQL database server"
sudo firewall-cmd --permanent --service=postgres --add-port=$POSTGRES_DEFAULT_PORT/tcp
# Open the service in the zone of the interface facing SonarQube, limited to its network
# (the 'trusted' zone already accepts everything, so adding a service there restricts nothing).
# 192.168.1.0/24 is an example: use the SonarQube host address or subnet.
sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" service name="postgres" accept'

# Reload FW rules
sudo firewall-cmd --reload
sudo firewall-cmd --list-all

Helpful source: Linode tutorial

Setup SONARQUBE application

Requirement: create user / group

SonarQube cannot run as "root" (its embedded Elasticsearch refuses to start as root). It must run as a dedicated, unprivileged user:

# --user-group creates the matching 'sonar' group, so no separate groupadd is needed;
# --system and a nologin shell keep the account from being used for interactive logins
sudo useradd --system --user-group --home-dir /opt/sonarqube --shell /sbin/nologin sonar

Get SonarQube

As a sudoer user, download the latest version (or the LTS) from http://www.sonarqube.org/downloads/

cd /opt

# SonarQube
# 2019-05: current version is 7.7
sudo yum install unzip
sudo wget https://binaries.sonarsource.com/Distribution/sonarqube/sonarqube-7.7.zip
sudo unzip sonarqube-7.7.zip
sudo ln -s /opt/sonarqube-7.7 /opt/sonarqube

# Adjust rights (the install directory recursively, the symlink itself with -h)
sudo chown -R sonar:sonar /opt/sonarqube-7.7
sudo chown -h sonar:sonar /opt/sonarqube

(i) It's always good to use a symlink. It makes upgrades and rollbacks easier: point /opt/sonarqube at the new directory, or back at the old one.

Configuration (sonar.properties)

Edit the SonarQube configuration file

vim /opt/sonarqube/conf/sonar.properties


Disable the embedded H2 database and enable PostgreSQL (the DATABASE block, lines 20 to 40):

# postgreSQL

Port number and root context

Adjust the port number and the context (the file uses key=value, not key: value):

#sonar.web.port=9000
sonar.web.context=/sonarqube

!!! It is VERY important that you uncomment and set sonar.web.context !!! Without it the Apache2 proxy rule cannot match the application URL.
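The same edits as a script, added here as an example (not from the original page or from SonarSource): it writes the PostgreSQL connection settings and the proxy context into sonar.properties without hand-editing, and checks that the embedded H2 database is no longer selected. It assumes PostgreSQL on the same host with a role and a database both named sonarqube, and the /sonarqube context used on this page; sonar.jdbc.url, sonar.jdbc.username, sonar.jdbc.password, sonar.web.context, sonar.web.host and sonar.web.port are the standard keys of conf/sonar.properties. Point SONAR_PROPS at the real file to use it; by default it works on a constructed excerpt.

```shell
#!/bin/sh
# Added example, not from the original page: set the PostgreSQL connection and
# the reverse-proxy settings in sonar.properties and check that H2 is no longer
# in use. Assumptions: role and database "sonarqube" on the local PostgreSQL,
# Apache proxying /sonarqube. SONAR_PROPS defaults to a constructed excerpt of
# the stock file so the script runs without a SonarQube install.

# set_prop FILE KEY VALUE: drop every existing definition of KEY (active or
# commented out) and append KEY=VALUE. Order does not matter in this file, and
# the value never goes through a regex, so passwords containing '&', '|' or '/'
# are written verbatim. Re-running yields the same file.
set_prop() {
    props="$1"; key="$2"; value="$3"
    tmp="$props.tmp.$$"
    grep -v "^#*[[:space:]]*$key=" "$props" > "$tmp" || true   # grep -v exits 1 when nothing is left
    printf '%s=%s\n' "$key" "$value" >> "$tmp"
    mv "$tmp" "$props"
}

# get_prop FILE KEY: value of the active (uncommented) KEY, empty if unset.
get_prop() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# db_engine FILE: "postgresql" when sonar.jdbc.url points at PostgreSQL, else
# "h2" (no url at all means the embedded database, supported for evaluation only).
db_engine() {
    case "$(get_prop "$1" sonar.jdbc.url)" in
        jdbc:postgresql:*) echo postgresql ;;
        *) echo h2 ;;
    esac
}

# configure_sonar FILE DB_PASSWORD: the settings this page needs.
configure_sonar() {
    set_prop "$1" sonar.jdbc.username sonarqube
    set_prop "$1" sonar.jdbc.password "$2"
    set_prop "$1" sonar.jdbc.url      "jdbc:postgresql://localhost/sonarqube"
    set_prop "$1" sonar.web.context   /sonarqube
    # Behind Apache, listen on loopback only: port 9000 is then unreachable from
    # the network and the IP filter in the proxy cannot be bypassed.
    set_prop "$1" sonar.web.host      127.0.0.1
    set_prop "$1" sonar.web.port      9000
}

SONAR_PROPS="${SONAR_PROPS:-$(mktemp /tmp/sonar.properties.XXXXXX)}"
if [ ! -s "$SONAR_PROPS" ]; then
    # Constructed excerpt in the style of the stock conf/sonar.properties
    cat > "$SONAR_PROPS" <<'EOF'
# DATABASE
#sonar.jdbc.username=
#sonar.jdbc.password=
#----- Embedded Database (default)
#sonar.embeddedDatabase.port=9092
#----- PostgreSQL 9.3 or greater
#sonar.jdbc.url=jdbc:postgresql://localhost/sonarqube
# WEB SERVER
#sonar.web.host=0.0.0.0
#sonar.web.context=
#sonar.web.port=9000
EOF
fi

echo "before: db engine = $(db_engine "$SONAR_PROPS")"
configure_sonar "$SONAR_PROPS" "REPLACE-WITH-THE-ROLE-PASSWORD"
echo "after:  db engine = $(db_engine "$SONAR_PROPS"), context = $(get_prop "$SONAR_PROPS" sonar.web.context)"
```

Because sonar.properties now holds a database password, keep it readable by the sonar user only (chmod 640 /opt/sonarqube/conf/sonar.properties).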

Sonar symlink

In this example the control script is /opt/sonarqube/bin/linux-x86-64/sonar.sh and the logs are in /opt/sonarqube/logs. Symlinks put both in the usual places:

sudo ln -s /opt/sonarqube/bin/linux-x86-64/sonar.sh /usr/bin/sonarqube
# SysV-style service: skip this one if you create the systemd unit described under "Startup script" (keep one or the other)
sudo ln -s /opt/sonarqube/bin/linux-x86-64/sonar.sh /etc/init.d/sonarqube

sudo mkdir -p /var/log/sonar
sudo ln -s /opt/sonarqube/logs/sonar.log /var/log/sonar/sonar.log
sudo ln -s /opt/sonarqube/logs/access.log /var/log/sonar/access.log

Configuration (wrapper.conf)

Since 5.x there is a second configuration file, for the Java service wrapper. Edit it:

vim /opt/sonarqube/conf/wrapper.conf

Adjust the JVM path, if required, in the first setting (wrapper.java.command). It should point to the java binary of a JDK that your SonarQube version supports.


Start SonarQube

Before the first start, raise the limits that the embedded Elasticsearch checks at boot (it refuses to start otherwise): vm.max_map_count at least 262144 and fs.file-max at least 65536 in sysctl, and for the sonar user at least 65536 open files and 4096 threads (see the Requirements page of the official documentation).

As the "sonar" user you can start SonarQube (the account has no login shell, so use sudo -u rather than su):

sudo -u sonar sonarqube restart

... wait a few minutes on the 1st start (5 to 7 mn)!! Logs are in /opt/sonarqube/logs (sonar.log, web.log, ce.log, es.log).

Check that Sonar is up:

netstat -pl --numeric | grep 9000      # on CentOS 7: package net-tools, or use "ss -lntp | grep 9000"

You should have a java process listening on port 9000:

tcp        0      0 0.0.0.0:9000            0.0.0.0:*               LISTEN      xxxxx/java

Bug fix

If port 9000 is already taken (PHP-FPM is a common culprit: its upstream default configuration listens on port 9000), either change sonar.web.port in sonar.properties or move PHP-FPM to another port or to a unix socket. If you do not need PHP-FPM at all, remove it (Ubuntu):

sudo apt-get remove php7.0-fpm

Access SonarQube

Directly at http://<server>:9000/sonarqube, or through the Apache2 proxy described below once it is in place.

Startup script

(i) See official documentation at:

As a sudoer user, create a new startup script in /etc/systemd/system

vim /etc/systemd/system/sonarqube.service

Put the following content (the unit runs the wrapper as the sonar user and carries the file and process limits SonarQube needs):

[Unit]
Description=SonarQube service
After=syslog.target network.target

[Service]
Type=forking
ExecStart=/opt/sonarqube/bin/linux-x86-64/sonar.sh start
ExecStop=/opt/sonarqube/bin/linux-x86-64/sonar.sh stop
User=sonar
Group=sonar
Restart=always
LimitNOFILE=65536
LimitNPROC=4096

[Install]
WantedBy=multi-user.target


Register service (if you edit the unit later, run "sudo systemctl daemon-reload" before restarting it):

sudo systemctl enable sonarqube.service

Run service:

sudo systemctl restart sonarqube.service

Apache2 proxy

Instead of opening port 9000, it's better to reach Sonar through an Apache2 proxy. For the proxy rule to work, the proxied location (/sonarqube in this example) must be the same as sonar.web.context in $sonar/conf/sonar.properties. The proxy modules must be enabled (on Debian/Ubuntu: a2enmod proxy proxy_http). The IP filter below only helps if port 9000 itself is not reachable from the network: bind SonarQube to loopback (sonar.web.host=127.0.0.1 in sonar.properties) or block 9000 in the firewall, otherwise clients simply connect to :9000 and skip the proxy.

Apache2 configuration

Edit configuration file: module or virtual host

vim /etc/apache2/mods-enabled/proxy.conf
vim /etc/apache2/sites-enabled/mySite.conf

Set the following (Apache 2.4 syntax; AllowOverride and Satisfy do not apply inside <Location>):

# Proxy to the SonarQube web server, with IP filter
ProxyPreserveHost On
<Location /sonarqube>
	ProxyPass http://localhost:9000/sonarqube
	ProxyPassReverse http://localhost:9000/sonarqube

	# Several Require lines at one level are OR'ed (implicit <RequireAny>):
	# clients on the server itself and on the 192.168.1.0/24 network are allowed, everyone else is denied
	Require local
	Require ip 192.168.1

	#Require all denied
	#Require all granted
</Location>
Test Sonar

Open the instance through the proxy (http://<server>/sonarqube) and log in. The default user and password are "admin" and "admin".

Sonar application configuration

Change the default "admin" / "admin" password at the first login (avatar in the top-right corner > "My Account" > "Security"): until then anyone who can reach the URL administers the instance.

Create user accounts

  • Go to "Administration" menu > "Security" > "Users"
  • Create new User(s)
  • Go to "Administration" menu > "Security" > "Groups"
  • Click on the "sonar-administrators" group
  • Add user(s)
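The same first-login housekeeping through the SonarQube Web API, added here as an example (not from the original page or from SonarSource) so it can run right after the service comes up: wait for the instance, change the default admin password, create a user and add it to sonar-administrators. It uses the documented endpoints api/system/status, api/users/change_password, api/users/create and api/user_groups/add_user; the base URL, the user "alice" and the environment variable names are assumptions, and nothing is sent unless SONAR_BOOTSTRAP=1.

```shell
#!/bin/sh
# Added example, not from the original page: script the first-login steps
# against the SonarQube Web API. SONAR_URL, the user "alice" and the
# NEW_ADMIN_PW / ALICE_PW variables are assumptions for the example.

SONAR_URL="${SONAR_URL:-http://localhost:9000/sonarqube}"

# api_url BASE PATH: join base URL and API path without a double slash.
api_url() {
    printf '%s/%s' "${1%/}" "${2#/}"
}

# sonar_status_of JSON: extract "status" from an api/system/status reply
# (STARTING, UP, DB_MIGRATION_NEEDED, ...). Empty when the field is absent.
sonar_status_of() {
    printf '%s' "$1" | sed -n 's/.*"status"[[:space:]]*:[[:space:]]*"\([A-Z_]*\)".*/\1/p'
}

# wait_for_sonar BASE [TRIES]: poll every 10 s until the status is UP
# (the first start takes several minutes). Returns 1 when it gives up.
wait_for_sonar() {
    base="$1"; tries="${2:-60}"
    while [ "$tries" -gt 0 ]; do
        status=$(sonar_status_of "$(curl -s "$(api_url "$base" api/system/status)")")
        [ "$status" = UP ] && return 0
        echo "SonarQube status: ${status:-unreachable}, waiting..."
        tries=$((tries - 1)); sleep 10
    done
    return 1
}

# change_password BASE LOGIN OLD NEW: a user changes their own password by
# authenticating with the old one (previousPassword is mandatory for that).
# Credentials are passed on the curl command line, so run this on the server,
# not from a shared host where the process list is visible to others.
change_password() {
    curl -fsS -o /dev/null -u "$2:$3" -X POST "$(api_url "$1" api/users/change_password)" \
        --data-urlencode "login=$2" --data-urlencode "previousPassword=$3" --data-urlencode "password=$4"
}

# create_admin BASE ADMIN_PW LOGIN NAME PW: create a user and put it in the
# built-in sonar-administrators group (the page's "Create user accounts" steps).
create_admin() {
    curl -fsS -o /dev/null -u "admin:$2" -X POST "$(api_url "$1" api/users/create)" \
        --data-urlencode "login=$3" --data-urlencode "name=$4" --data-urlencode "password=$5"
    curl -fsS -o /dev/null -u "admin:$2" -X POST "$(api_url "$1" api/user_groups/add_user)" \
        --data-urlencode "login=$3" --data-urlencode "name=sonar-administrators"
}

if [ "${SONAR_BOOTSTRAP:-0}" = 1 ]; then
    NEW_ADMIN_PW="${NEW_ADMIN_PW:?set NEW_ADMIN_PW}"   # taken from the environment, never hard-coded
    wait_for_sonar "$SONAR_URL" || { echo "SonarQube did not come up"; exit 1; }
    change_password "$SONAR_URL" admin admin "$NEW_ADMIN_PW"      # the defaults are admin/admin
    create_admin "$SONAR_URL" "$NEW_ADMIN_PW" alice "Alice" "${ALICE_PW:?set ALICE_PW}"
    echo "admin password changed, user alice created and added to sonar-administrators"
fi
```

Usage on the server, after systemctl start: `SONAR_BOOTSTRAP=1 NEW_ADMIN_PW=... ALICE_PW=... sh sonar-bootstrap.sh`. A second run fails at change_password with HTTP 401 because admin/admin no longer works, which is the intended outcome.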

Global configuration

Go to "Administration" menu > "configuration" > "General"

DNS name

  • Set the server base URL to the public URL of the instance, DNS name plus context, e.g. http://<dns-name>/sonarqube when behind the Apache2 proxy (property: sonar.core.serverBaseURL). It is used in notification e-mail links and in redirects after login.

Keep analysis longer

  • Set "keep only one analysis a week after" : 12 (default is 4, property: sonar.dbcleaner.weeksBeforeKeepingOnlyOneSnapshotByWeek)

Email alerts

Configure the email notifications:

  • Email From (email.fromName)
  • SMTP secure connection (email.smtp_secure_connection.secured)
  • SMTP host (email.smtp_host.secured)
  • SMTP password (email.smtp_password.secured)
  • SMTP port (email.smtp_port.secured)
  • SMTP username (email.smtp_username.secured)

Add plugins

  • Go to "Administration" menu > "Marketplace"
  • Search and install:
    • Checkstyle
    • Code smells
    • Findbugs
    • PMD

/!\ You must restart the SonarQube instance (not the whole server) after installing plugins.

You can add more plugins from the SonarQube marketplace (http://www.sonarplugins.com/). A plugin jar runs inside the SonarQube JVM with all its privileges, so download it over HTTPS from the project's own release page only, and compare it with the checksum the release publishes when there is one. Download and install:

Download OWASP dependency check for SonarQube 7.6+

  • official website: https://github.com/SonarSecurityCommunity/dependency-check-sonar-plugin
  • Last version of the extension: https://github.com/SonarSecurityCommunity/dependency-check-sonar-plugin/releases
  • Download (2019-05): wget https://github.com/SonarSecurityCommunity/dependency-check-sonar-plugin/releases/download/1.1.4/sonar-dependency-check-plugin-1.1.4.jar
  • Copy the plugin (jar file) to $SONAR_INSTALL_DIR/extensions/plugins, owned by sonar:sonar like the rest of the installation
  • Restart SonarQube

Quality profile

  • Go to "Quality profiles" menu
  • Under "JAVA"
  • Set as default the JAVA ruleset you'd like to use

Upgrade Sonar

Sometimes, when there are a lot of changes, a new Sonar version requires database schema changes. Back up the database first (pg_dump), then point the /opt/sonarqube symlink at the new version and start it: the migration is launched from the /setup page of the new instance.