Sonarqube Setup on Ubuntu (Node)
Sonarqube is an automatic code review tool to detect bugs, vulnerabilities, and code smells in your code. It can integrate with your existing workflow to enable continuous code inspection across your project branches and pull requests.
Essential requirements:
-> JDK 11 or 17, depending on the Sonarqube release (Java 8 is no longer supported; check the Requirements page of the version you download)
Let's jump into Sonarqube:
Sonarqube consists of three components
- Sonarqube web server (step-1)
- Database (step-2)
- Sonarqube scanner (step-3)
Step-1 — Sonarqube web server
- Sonarqube web server is responsible for serving the application on port 9000 by default.
- We need to download the zip file of this first. Download the appropriate edition of sonarqube by following this link: https://www.sonarqube.org/downloads/
- After downloading, extract the zip and change into the following path inside it: sonarqube/bin/linux-x86-64/
- Now run the following command to start the sonarqube application in the background (use "console" instead of "start" to keep it in the foreground and watch the logs):
./sonar.sh start
- Any other argument, for example --help, makes the script print the supported commands (console, start, stop, restart, status, ...):
./sonar.sh --help
Notes:
-> Run sonarqube as a dedicated non-root user; the embedded Elasticsearch refuses to start as root.
-> That user must own the extracted directory (chown -R the whole tree to it) and needs read/write access there, and nowhere else.
-> The kernel limits also need raising before the first start: vm.max_map_count must be at least 524288 and fs.file-max at least 131072 (sudo sysctl -w ...), otherwise Elasticsearch fails during startup.
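The checks from the notes above, as an added pre-flight script for step-1 (example code, not part of the tutorial or of SonarQube). It refuses to launch as root, verifies the two kernel limits and the ownership of the install tree, and only then hands over to sonar.sh. The install path $SONAR_HOME with its default /opt/sonarqube is an assumption made for the example:

```shell
#!/bin/sh
# Added pre-flight script for step-1; example code, not part of the tutorial
# or of SonarQube. It checks the conditions under which "sonar.sh start"
# fails: running as root, and kernel limits below what the embedded
# Elasticsearch needs (vm.max_map_count >= 524288, fs.file-max >= 131072).
# Assumption: the extracted tree is at $SONAR_HOME (hypothetical default /opt/sonarqube).

# Return 0 when a current value meets the required minimum.
limit_ok() {
  [ "$1" -ge "$2" ]
}

# Read a sysctl from /proc so the script does not depend on the sysctl binary;
# prints 0 when the key does not exist (e.g. on non-Linux hosts).
read_sysctl() {
  cat "/proc/sys/$(printf '%s' "$1" | tr . /)" 2>/dev/null || echo 0
}

# Return 0 for any uid other than root.
is_unprivileged_uid() {
  [ "$1" -ne 0 ]
}

# Return 0 when the path is owned by the user running this script.
owned_by_me() {
  [ "$(ls -ld "$1" | awk '{print $3}')" = "$(id -un)" ]
}

# Run every check, report all failures at once, return non-zero on any failure.
preflight() {
  home=${SONAR_HOME:-/opt/sonarqube}
  rc=0
  is_unprivileged_uid "$(id -u)" \
    || { echo "refusing to run Sonarqube as root" >&2; rc=1; }
  limit_ok "$(read_sysctl vm.max_map_count)" 524288 \
    || { echo "vm.max_map_count too low; fix: sudo sysctl -w vm.max_map_count=524288" >&2; rc=1; }
  limit_ok "$(read_sysctl fs.file-max)" 131072 \
    || { echo "fs.file-max too low; fix: sudo sysctl -w fs.file-max=131072" >&2; rc=1; }
  [ -x "$home/bin/linux-x86-64/sonar.sh" ] \
    || { echo "no executable sonar.sh under $home/bin/linux-x86-64" >&2; rc=1; }
  owned_by_me "$home" \
    || { echo "$home is not owned by $(id -un); fix: sudo chown -R $(id -un) $home" >&2; rc=1; }
  return $rc
}

# Launch only when invoked as "preflight.sh start" and every check passed.
if [ "${1:-}" = "start" ] && preflight; then
  exec "${SONAR_HOME:-/opt/sonarqube}/bin/linux-x86-64/sonar.sh" start
fi
```

Run it as the sonarqube user with `SONAR_HOME=/path/to/sonarqube ./preflight.sh start`; without the argument it only defines the functions, so it can be sourced from other scripts.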
Step-2 — Database setup
- Sonarqube supports 3 databases at present.
- Oracle
- PostgreSQL
- Microsoft SQL Server
In this tutorial I will show you how to integrate with PostgreSQL.
- First install the PostgreSQL by following the below link
https://www.digitalocean.com/community/tutorials/how-to-install-and-use-postgresql-on-ubuntu-20-04
Once PostgreSQL is installed, open a psql shell as the postgres superuser (sudo -u postgres psql) and run the commands below:
CREATE USER sonar WITH ENCRYPTED PASSWORD 'PASSWORD';   -- replace PASSWORD with a long random value
CREATE DATABASE sonardb WITH ENCODING 'UTF8';
ALTER DATABASE sonardb OWNER TO sonar;
ALTER USER sonar SET search_path TO public;   -- optional
Note: the role name does not have to match the Ubuntu user that runs the web server; it only has to match sonar.jdbc.username below, because Sonarqube connects over TCP with this password. Keep the password out of README files and version control.
Now, we need to tell the sonarqube web server about the database we just created.
Open the sonar.properties file located at sonarqube/conf (inside the directory extracted in step-1) and set the following properties:
sonar.jdbc.username=sonar
sonar.jdbc.password=PASSWORD
sonar.jdbc.url=jdbc:postgresql://localhost:5432/sonardb
Because this file now holds a database password, make it readable only by the sonarqube user (chmod 600 conf/sonar.properties).
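Step-2 as one script, added here as an example (not code from the tutorial or from SonarQube): it generates a random password instead of the PASSWORD placeholder, prints the SQL with the password quoted safely, and appends the JDBC settings to sonar.properties with owner-only permissions. The role name sonar, the database sonardb, localhost:5432 and the install path $SONAR_HOME (default /opt/sonarqube) are the example's assumptions:

```shell
#!/bin/sh
# Added helper for step-2; example code, not from the tutorial or from SonarQube.
# It replaces the 'PASSWORD' placeholder with a random secret, emits the SQL
# for the role and database, and appends the JDBC settings to sonar.properties
# so that only the owner can read the file.
# Assumptions: role "sonar", database "sonardb", PostgreSQL on localhost:5432,
# Sonarqube extracted at $SONAR_HOME (hypothetical default /opt/sonarqube).

# 32 hex characters from the kernel RNG.
gen_password() {
  head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Print the SQL from step-2 with the given names. Single quotes in the
# password are doubled so the value cannot terminate the string literal.
db_setup_sql() {
  user=$1; db=$2
  pw=$(printf '%s' "$3" | sed "s/'/''/g")
  cat <<EOF
CREATE USER ${user} WITH ENCRYPTED PASSWORD '${pw}';
CREATE DATABASE ${db} WITH ENCODING 'UTF8' OWNER ${user};
ALTER USER ${user} SET search_path TO public;
EOF
}

# Append the JDBC settings to a sonar.properties file and restrict it to the
# owner. Later definitions win in a Java properties file, so the commented
# defaults shipped with Sonarqube can stay in place.
write_jdbc_config() {
  conf=$1; user=$2; db=$3; pw=$4
  (
    umask 077
    {
      printf 'sonar.jdbc.username=%s\n' "$user"
      printf 'sonar.jdbc.password=%s\n' "$pw"
      printf 'sonar.jdbc.url=jdbc:postgresql://localhost:5432/%s\n' "$db"
    } >> "$conf"
  )
  chmod 600 "$conf"
}

# Return 0 when group and others have no permission bits on the file
# (columns 5-10 of "ls -l" are the group/other bits).
config_is_private() {
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Usage: db-setup.sh run   (feeds the SQL to psql as the postgres superuser)
if [ "${1:-}" = "run" ]; then
  pw=$(gen_password)
  db_setup_sql sonar sonardb "$pw" | sudo -u postgres psql -v ON_ERROR_STOP=1
  write_jdbc_config "${SONAR_HOME:-/opt/sonarqube}/conf/sonar.properties" sonar sonardb "$pw"
fi
```

The password never appears on a command line or in shell history: it travels from the script into psql over stdin and into the properties file through a redirect. Run `config_is_private conf/sonar.properties` afterwards (or any time) to confirm the file has not been opened up again.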
That's it, database configuration is done. Let's see how to scan a project with Sonarqube to find vulnerabilities and code smells.
Step-3 — Sonarqube scanner
- This will help to scan our code and generate the report.
- For node projects we can install the sonarqube scanner by using the following command.
$ npm install -g sonarqube-scanner
- For any other project, check the scanners section in official documentation.
- Once the package is installed globally with the command above, the sonar-scanner executable it provides can be run from any directory.
- Open your project repository now, create a file named sonar-project.properties and provide the necessary configuration (Java properties syntax: one key=value per line, comments on their own lines starting with #):
# required metadata
# projectKey is the unique key of this project on the server: letters, digits, '-', '_', '.', ':'
sonar.projectKey=my-project
sonar.projectVersion=1.0
sonar.sourceEncoding=UTF-8
# path to source directories
sonar.sources=.
# sonar.tests=test/integration/api/
# excludes (Sonarqube patterns use ** globs relative to the project root, not ./ paths)
sonar.exclusions=node_modules/**,coverage/**
# optional: import an existing ESLint JSON report
# sonar.eslint.reportPaths=eslint-report.json
- sonar.language=js is deprecated (analysis is multi-language by default, the scanner picks languages from file extensions), so it is left out.
- Do not put sonar.login or sonar.password into this file: it is committed with the repository. Generate a user token in the Sonarqube UI (My Account > Security) and pass it on the command line (-Dsonar.login=<token>; releases from 10.0 on use sonar.token) or, with recent scanner versions, through the SONAR_TOKEN environment variable. The default admin/admin account must have its password changed at first login.
Now, we can start scanning the project from its root directory (where sonar-project.properties lives) with the following command:
$ sonar-scanner -Dsonar.host.url=http://localhost:9000 -Dsonar.login=$SONAR_TOKEN
Once the scan is completed, we can check the report at http://localhost:9000/
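A wrapper around step-3, added as an example (not code from the tutorial or from the sonarqube-scanner package): it takes the token from the environment, refuses to run if sonar.login, sonar.password or sonar.token has been written into sonar-project.properties, and only then invokes sonar-scanner. SONAR_TOKEN, SONAR_HOST_URL and the default http://localhost:9000 are the example's assumptions:

```shell
#!/bin/sh
# Added wrapper for step-3; example code, not from the tutorial or from the
# sonarqube-scanner package. It runs the scanner with a user token taken from
# the environment and refuses to run if credentials were written into
# sonar-project.properties, the file that gets committed with the repository.
# Assumptions: SONAR_TOKEN holds a token generated in the Sonarqube UI
# (My Account > Security); SONAR_HOST_URL defaults to http://localhost:9000.

# Return 0 when the properties file carries no active sonar.login,
# sonar.password or sonar.token line; commented-out lines are ignored.
props_free_of_credentials() {
  leaks=$(grep -E '^[[:space:]]*sonar\.(login|password|token)[[:space:]]*=' "$1" \
          | cut -d= -f1 | tr -d ' \t' | tr '\n' ' ')
  if [ -n "$leaks" ]; then
    echo "credentials committed in $1: $leaks" >&2
    return 1
  fi
  return 0
}

# Exit codes: 0 scan started, 1 credentials in the properties file,
# 2 no token in the environment.
run_scan() {
  props=${1:-sonar-project.properties}
  host=${SONAR_HOST_URL:-http://localhost:9000}
  [ -n "${SONAR_TOKEN:-}" ] || { echo "SONAR_TOKEN is not set" >&2; return 2; }
  props_free_of_credentials "$props" || return 1
  # The token is passed as a scanner property. It is visible to local users in
  # the process list for the duration of the scan; recent scanner versions read
  # SONAR_TOKEN from the environment instead, which avoids that exposure.
  sonar-scanner \
    -Dsonar.host.url="$host" \
    -Dsonar.login="$SONAR_TOKEN"
}

# Usage: SONAR_TOKEN=... scan.sh run   (from the project root)
if [ "${1:-}" = "run" ]; then
  run_scan sonar-project.properties
fi
```

The same props_free_of_credentials check works as a pre-commit hook: run it against sonar-project.properties and reject the commit on a non-zero exit, so an admin/admin line can never reach the repository in the first place.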