Install SonarQube code inspection tool in CentOS 7


SonarQube® is an automated code review tool that detects bugs, vulnerabilities and code smells in your code. It integrates with an existing workflow (for example Jenkins) to perform continuous code checks on project branches and pull requests.

In this short guide we will install this excellent open source tool so that your team can inspect code before it goes into production. By flagging problems such as outdated components and making recommendations as you work, it helps simplify your application and improve its security.

Prerequisites

  • SonarQube is built on Java, so we will make sure that Java 11 is installed.
  • SonarQube bundles Elasticsearch, which refuses to run as root, so SonarQube must run as a dedicated non-root user.
  • PostgreSQL as the database.

To install this tool in a CentOS 7 box, follow the steps shared below:

Step 1: Update the system, install the required tools and adjust system settings

In this step, make sure that the server is up to date and that the tools needed during the installation are present. We will also adjust system settings: SELinux, vm.max_map_count and fs.file-max. Run the following commands to update the server and install the tools.

sudo yum update
sudo yum install vim wget curl -y

Set SELinux to permissive mode

The commands below switch SELinux to permissive mode (denials are logged but no longer blocked) immediately and across reboots:

sudo setenforce 0
sudo sed -i 's/^SELINUX=enforcing$/SELINUX=permissive/' /etc/selinux/config

Adjust max_map_count and fs.file-max

From the Linux kernel documentation: vm.max_map_count contains the maximum number of memory map areas a process may have. Memory map areas are used as a side effect of calling malloc, directly by mmap, mprotect and madvise, and also when loading shared libraries. SonarQube's embedded Elasticsearch needs a higher limit than the default.

To adjust the settings to SonarQube's requirements, open the “/etc/sysctl.conf” file and add the lines shown below:

$ sudo vim /etc/sysctl.conf
vm.max_map_count=262144
fs.file-max=65536
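The values in sysctl.conf only take effect after a reboot or after sysctl -p reloads the file, and pasting the two lines a second time leaves duplicate entries. The helper below is an added example and not part of the original guide: it writes each key exactly once (replacing an existing line or appending), reloads the kernel values and compares the live settings against SonarQube's minimums. The SONAR_SYSCTL_APPLY variable that guards the final block is an assumption of this example.

```bash
#!/bin/sh
# Added example (not part of the original guide): idempotently set the sysctl
# values SonarQube needs and check the running kernel against them.
set -eu

SONAR_MAX_MAP_COUNT=262144
SONAR_FILE_MAX=65536

# escape_re KEY -> KEY with dots escaped so it matches literally in an ERE
escape_re() {
    printf '%s' "$1" | sed 's/\./\\./g'
}

# ensure_sysctl_line FILE KEY VALUE
# Replace an existing "KEY=VALUE" (or "KEY = VALUE") line in FILE, or append
# one if absent, so re-running the step never produces duplicate entries.
ensure_sysctl_line() {
    file=$1; key=$2; value=$3
    esc=$(escape_re "$key")
    [ -f "$file" ] || : > "$file"
    if grep -Eq "^[[:space:]]*${esc}[[:space:]]*=" "$file"; then
        sed -i -E "s|^[[:space:]]*${esc}[[:space:]]*=.*|${key}=${value}|" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# count_key FILE KEY -> number of lines that set KEY (should be exactly 1)
count_key() {
    esc=$(escape_re "$2")
    grep -Ec "^[[:space:]]*${esc}[[:space:]]*=" "$1" || true
}

# value_ok CURRENT REQUIRED -> 0 if CURRENT >= REQUIRED
value_ok() {
    [ "$1" -ge "$2" ]
}

# check_running reads the live kernel values via sysctl; prints one line per
# setting and returns 1 if any is below SonarQube's minimum.
check_running() {
    rc=0
    for pair in "vm.max_map_count:$SONAR_MAX_MAP_COUNT" "fs.file-max:$SONAR_FILE_MAX"; do
        key=${pair%%:*}; want=${pair##*:}
        have=$(sysctl -n "$key" 2>/dev/null || echo 0)
        if value_ok "$have" "$want"; then
            printf 'OK   %s=%s (>= %s)\n' "$key" "$have" "$want"
        else
            printf 'LOW  %s=%s (need %s)\n' "$key" "$have" "$want"; rc=1
        fi
    done
    return $rc
}

# Guarded entry point (assumed variable name): SONAR_SYSCTL_APPLY=1 sudo sh thisfile.sh
if [ "${SONAR_SYSCTL_APPLY:-0}" = 1 ]; then
    ensure_sysctl_line /etc/sysctl.conf vm.max_map_count "$SONAR_MAX_MAP_COUNT"
    ensure_sysctl_line /etc/sysctl.conf fs.file-max "$SONAR_FILE_MAX"
    sysctl -p            # load the file into the running kernel without a reboot
    check_running
fi
```

Run it as root with SONAR_SYSCTL_APPLY=1; without the variable it only defines the functions, which makes it safe to source from other scripts or to use check_running alone as a pre-flight test before starting SonarQube.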

Create a sonar user

It is recommended to create a separate user to run SonarQube. Let’s create one as follows:

sudo useradd sonar

Then set a password for the user

sudo passwd sonar

Step 2: Install Java 11 on CentOS 7

As mentioned in the introduction, SonarQube is written in Java and requires a Java runtime (Java 11 for this setup). To install Java 11 on CentOS 7, follow the guide in the following post:

Install Java 11 on CentOS 7

Step 3: Install and configure PostgreSQL

In this guide we will install PostgreSQL 11 on the same server that will host SonarQube; you can host it on another server if needed. To install PostgreSQL 11 on CentOS 7, follow the steps below.

Add PostgreSQL Yum repository

Add the PostgreSQL Yum repository to your CentOS 7 system by running the command below.

sudo yum install -y https://download.postgresql.org/pub/repos/yum/reporpms/EL-7-x86_64/pgdg-redhat-repo-latest.noarch.rpm

Install PostgreSQL server and client software packages

After adding the PostgreSQL Yum repository, install the PostgreSQL server/client package:

sudo yum -y install postgresql11-server postgresql11

Initialize the database and enable automatic startup

Now that the database software package has been installed, initialize the database by running the following command

sudo /usr/pgsql-11/bin/postgresql-11-setup initdb

Then start the service and enable it at boot

sudo systemctl start postgresql-11
sudo systemctl enable postgresql-11

After installing the PostgreSQL server, configure client authentication. Open the pg_hba.conf file, change “peer” to “trust” on the first local line and change “ident” to “md5” on the host lines. Keep in mind what “trust” means: any OS user on the server can connect as any database role, including postgres, without a password, so it is only acceptable when every local account on this server is trusted.

$ sudo vim /var/lib/pgsql/11/data/pg_hba.conf

##Change this

local   all             all                                     peer
# IPv4 local connections:
host    all             all             127.0.0.1/32            ident
# IPv6 local connections:
host    all             all             ::1/128                 ident
# Allow replication connections from localhost, by a user with the
# replication privilege.
local   replication     all                                     peer
host    replication     all             127.0.0.1/32            ident
host    replication     all             ::1/128                 ident

##To this:

local   all             all                                     trust
# IPv4 local connections:
host    all             all             127.0.0.1/32            md5
# IPv6 local connections:
host    all             all             ::1/128                 md5
# Allow replication connections from localhost, by a user with the
# replication privilege.
local   replication     all                                     peer
host    replication     all             127.0.0.1/32            md5
host    replication     all             ::1/128                 md5

Enable remote access to PostgreSQL

If the application runs on a remote host, you will need to allow it to reach the database as follows:

Edit the file /var/lib/pgsql/11/data/postgresql.conf and set listen_addresses to the server's IP address or to “*” (all interfaces).

$ sudo vim /var/lib/pgsql/11/data/postgresql.conf
listen_addresses = '10.38.87.160'

Then add the following to the “pg_hba.conf” file

$ sudo vim /var/lib/pgsql/11/data/pg_hba.conf

# Accept from anywhere
host    all             all             0.0.0.0/0            md5

# Or accept from trusted subnet
host    all             all             10.38.87.0/24        md5

Restart the PostgreSQL service

sudo systemctl restart postgresql-11
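The pg_hba.conf edits above deserve a second look before the server goes live: “trust” on the local line accepts any local OS user as any database role with no credentials at all, and a 0.0.0.0/0 rule lets every host on the network attempt password logins; the narrower subnet rule is the better choice. The script below is an added example and not part of the original guide. It reads a pg_hba.conf path, prints a WARN line for each such rule and returns the number found, so it can run as a configuration check from a deploy pipeline or a cron job.

```bash
#!/bin/sh
# Added example (not part of the original guide): audit a pg_hba.conf for
# rules that weaken authentication. Assumes addresses are written in CIDR
# form (as in the guide), not with a separate netmask column.
set -eu

# audit_pg_hba FILE
# Prints one WARN line per risky rule and returns the number of warnings.
# Flags: method "trust" (no credentials for matching connections),
# method "password" (clear-text password on the wire), and a 0.0.0.0/0 or
# ::/0 address (any source host may try to authenticate).
audit_pg_hba() {
    file=$1
    warnings=0
    # Fields are: type database user [address] method [options].
    # local rules have no address column.
    while read -r type db user rest || [ -n "$type" ]; do
        case "$type" in ''|'#'*) continue ;; esac
        if [ "$type" = local ]; then
            addr="-"; method=${rest%% *}
        else
            addr=${rest%% *}
            method=$(printf '%s' "$rest" | awk '{print $2}')
        fi
        reason=""
        case "$method" in
            trust)    reason="method 'trust': any matching client is accepted without credentials" ;;
            password) reason="method 'password': clear-text password on the wire" ;;
        esac
        case "$addr" in
            0.0.0.0/0|::/0) reason="${reason:+$reason; }address $addr: open to every source host" ;;
        esac
        if [ -n "$reason" ]; then
            printf 'WARN %s %s %s %s %s -> %s\n' "$type" "$db" "$user" "$addr" "$method" "$reason"
            warnings=$((warnings + 1))
        fi
    done < "$file"
    return "$warnings"
}

# Guarded entry point (assumed variable name): PG_HBA_AUDIT=1 sh thisfile.sh
if [ "${PG_HBA_AUDIT:-0}" = 1 ]; then
    audit_pg_hba /var/lib/pgsql/11/data/pg_hba.conf
fi
```

Because the exit status is the number of findings, a pipeline can fail the deployment on any non-zero result, and the WARN lines name the exact rule to tighten (for instance, replacing the local “trust” with “peer” or “md5” once the sonar role has a password).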

Set up PostgreSQL administrator user

We need to set a password for the postgres administrator user as follows:

$ sudo su - postgres
-bash-4.2$ psql
postgres=# alter user postgres with password 'StrongPassword';
ALTER ROLE
postgres=#

Create SonarQube user and database

Next, create a user and a database for SonarQube. Still inside the psql session, run the statements below.

postgres=# CREATE USER sonar;
postgres=# CREATE DATABASE sonar_db OWNER sonar;
postgres=# GRANT ALL PRIVILEGES ON DATABASE sonar_db TO sonar;

Set password for sonar user

postgres=# ALTER USER sonar WITH ENCRYPTED password 'StrongPassword';

Step 4: Extract and install SonarQube

Now for the part we have been waiting for. We will download the long-term support version of SonarQube and install it on our server. Follow the steps below.

Get SonarQube LTS version

Visit the SonarQube download page to see the available editions. We will download the long-term support (LTS) version:

cd /opt/
sudo wget https://binaries.sonarsource.com/Distribution/sonarqube/sonarqube-7.9.5.zip

Then unzip the file

sudo unzip sonarqube-7.9.5.zip

After that, rename the folder to sonarqube

sudo mv sonarqube-7.9.5 sonarqube
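The archive above is unpacked without checking that it is the one SonarSource published. The script below is an added example, not part of the original guide: it fetches the archive together with a checksum file and deletes the zip if its SHA-256 does not match. It assumes the checksum is published next to the archive under the same name with a .sha256 suffix, as a hex digest in the first field, and the SONAR_FETCH variable guarding the final block is an assumption of this example. Run with SONAR_FETCH=1 it replaces the cd/wget step, after which unzip proceeds as above.

```bash
#!/bin/sh
# Added example (not part of the original guide): download the SonarQube
# archive and refuse to keep it unless its SHA-256 matches the published one.
# Assumption: the digest is published at "<archive URL>.sha256".
set -eu

# sha256_matches FILE EXPECTED_HEX -> 0 if the file's digest equals EXPECTED_HEX
sha256_matches() {
    actual=$(sha256sum "$1" | awk '{print $1}')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# parse_digest CHECKSUM_TEXT -> the first field of the first line, lowercased,
# or nothing if it is not a 64-hex-character digest
parse_digest() {
    printf '%s\n' "$1" | awk 'NR==1 && length($1)==64 && $1 ~ /^[0-9A-Fa-f]+$/ {print tolower($1)}'
}

# fetch_and_verify URL DEST_DIR
# Downloads URL and URL.sha256 into DEST_DIR; returns 1 and removes the
# archive if no usable digest was published or the digest does not match.
fetch_and_verify() {
    url=$1; dir=$2
    name=$(basename "$url")
    curl -fsSL -o "$dir/$name" "$url"
    sum=$(curl -fsSL "$url.sha256")
    want=$(parse_digest "$sum")
    if [ -z "$want" ]; then
        echo "no usable digest in $url.sha256" >&2
        rm -f "$dir/$name"; return 1
    fi
    if sha256_matches "$dir/$name" "$want"; then
        echo "verified $name"
    else
        echo "CHECKSUM MISMATCH for $name, archive removed" >&2
        rm -f "$dir/$name"; return 1
    fi
}

# Guarded entry point (assumed variable name): SONAR_FETCH=1 sudo sh thisfile.sh
if [ "${SONAR_FETCH:-0}" = 1 ]; then
    fetch_and_verify https://binaries.sonarsource.com/Distribution/sonarqube/sonarqube-7.9.5.zip /opt
fi
```

A checksum fetched over the same channel as the archive only protects against corrupt or truncated downloads; for a stronger guarantee, pin the digest in your own deployment repository once you have verified it and pass that value to sha256_matches instead of fetching it.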

Step 5: Configure SonarQube

After extracting the files to the /opt/ directory, you can configure the application.

Open the “/opt/sonarqube/conf/sonar.properties” file and add the database details shown below; where a line already exists commented out, uncomment it and set the value.

$ sudo vim /opt/sonarqube/conf/sonar.properties

##Database details
sonar.jdbc.username=sonar
sonar.jdbc.password=StrongPassword
sonar.jdbc.url=jdbc:postgresql://localhost/sonar_db

##How you will access SonarQube Web UI
sonar.web.host=10.38.87.160
sonar.web.port=9000

##Java options
sonar.web.javaOpts=-server -Xms512m -Xmx512m -XX:+HeapDumpOnOutOfMemoryError
sonar.search.javaOpts=-server -Xms512m -Xmx512m -XX:+HeapDumpOnOutOfMemoryError

##Also add the following Elasticsearch storage paths
sonar.path.data=/var/sonarqube/data
sonar.path.temp=/var/sonarqube/temp

Give ownership of the SonarQube files to the sonar user we created in step 1. The Elasticsearch paths configured above (/var/sonarqube/data and /var/sonarqube/temp) must also exist and be writable by the sonar user, and since sonar.properties holds the database password in clear text it should be readable only by that user.

sudo chown -R sonar:sonar /opt/sonarqube

If Java is not in the default location, you must tell the SonarQube wrapper where to find it. Set the location in the “/opt/sonarqube/conf/wrapper.conf” file: look for the “wrapper.java.command” line and put the path to your java binary after it.

$ sudo vim /opt/sonarqube/conf/wrapper.conf
wrapper.java.command=/usr/local/jdk-11.0.2/bin/java

Add a SonarQube systemd service file

Finally, we will make SonarQube manageable through systemd so that it can be started and stopped like the other services on the server.

$ sudo vim /etc/systemd/system/sonarqube.service
[Unit]
Description=SonarQube service
After=syslog.target network.target

[Service]
Type=forking
ExecStart=/opt/sonarqube/bin/linux-x86-64/sonar.sh start
ExecStop=/opt/sonarqube/bin/linux-x86-64/sonar.sh stop
LimitNOFILE=65536
LimitNPROC=4096
User=sonar
Group=sonar
Restart=on-failure

[Install]
WantedBy=multi-user.target

After adding the unit file, reload systemd so that it picks up the new unit.

sudo systemctl daemon-reload

Then start and enable the service

sudo systemctl start sonarqube.service
sudo systemctl enable sonarqube.service

Check its status to see if it has successfully started and is running.

sudo systemctl status sonarqube.service

Step 6: Change firewall rules to allow SonarQube access

At this point the sonarqube service should be running. If you cannot reach the web interface, look at the log files in “/opt/sonarqube/logs”, where you will find:

  • Elasticsearch log (es.log)
  • Sonar log (sonar.log)
  • Web log (web.log)
  • Access log (access.log)
  • And others
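An “active” result from systemctl status only means sonar.sh forked successfully; the Elasticsearch, web and compute-engine processes come up afterwards, and their failures show up in the logs rather than in systemd. The script below is an added example, not part of the original guide: it classifies sonar.log by whether it records “SonarQube is up” or an ERROR line, and polls SonarQube's status endpoint /api/system/status until it reports UP. The host, timeout and SONAR_WAIT variable in the guarded block at the end are assumptions of this example.

```bash
#!/bin/sh
# Added example (not part of the original guide): tell "service started"
# apart from "SonarQube is actually ready" using sonar.log and the
# /api/system/status endpoint.
set -eu

# status_from_json JSON -> the value of the "status" field (UP, STARTING, DOWN, ...)
status_from_json() {
    printf '%s' "$1" | sed -n 's/.*"status"[[:space:]]*:[[:space:]]*"\([A-Za-z_]*\)".*/\1/p'
}

# log_verdict LOGFILE -> "up" if sonar.log recorded a successful start,
# "error" if any ERROR line appears, otherwise "starting"
log_verdict() {
    if grep -q 'SonarQube is up' "$1"; then
        echo up
    elif grep -q ' ERROR ' "$1"; then
        echo error
    else
        echo starting
    fi
}

# wait_for_sonar BASE_URL TIMEOUT_SECONDS -> polls every 5 s until status is UP,
# returns 1 when the timeout expires
wait_for_sonar() {
    base=$1; limit=$2; waited=0; st=""
    while [ "$waited" -lt "$limit" ]; do
        body=$(curl -fsS "$base/api/system/status" 2>/dev/null || true)
        st=$(status_from_json "$body")
        if [ "$st" = UP ]; then
            echo "SonarQube is UP at $base"
            return 0
        fi
        sleep 5; waited=$((waited + 5))
    done
    echo "SonarQube not UP after ${limit}s (last status: ${st:-none})" >&2
    return 1
}

# Guarded entry point (assumed variable name, host and timeout):
#   SONAR_WAIT=1 sh thisfile.sh
if [ "${SONAR_WAIT:-0}" = 1 ]; then
    echo "sonar.log verdict: $(log_verdict /opt/sonarqube/logs/sonar.log)"
    wait_for_sonar "http://10.38.87.160:9000" 300
fi
```

Used after systemctl start in a deployment script, wait_for_sonar turns a silent start-up failure into a non-zero exit, and log_verdict tells you whether to look at es.log (Elasticsearch, typically the vm.max_map_count or file-descriptor limits) or web.log (database credentials and JDBC URL) first.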

SonarQube's web interface is configured to listen on port 9000, so this port must be allowed through the firewall. Run the following:

sudo firewall-cmd --permanent --add-port=9000/tcp && sudo firewall-cmd --reload

Step 7: Access the web user interface

The moment we have been waiting for has arrived. We are now ready to access the SonarQube interface and begin evaluating the security of our code. Open your favorite browser and point it to http://server-ip-or-fqdn:9000 (SonarQube itself serves plain HTTP on this port; put it behind a TLS-terminating reverse proxy if you need HTTPS). You should see a page similar to the one below.

(Screenshot: SonarQube first page)

Step 8: Login

To log in, click the “Log in” button (shown in the picture above); you will be taken to a page like the one below. Use the user name “admin” with the password “admin”. These are the well-known defaults, so change the password right after the first login.

(Screenshot: SonarQube login page)

You should then be taken to the main dashboard, shown below.

(Screenshot: SonarQube dashboard after login)

Conclusion

We now have an automated code inspection tool that you can use to scan your applications before approving them for production. It is simple, comprehensive, and can meet your organization's security needs. Give it a try.

Otherwise, we thank you for coming and for your continued support.
