SonarQube® is an automated code review tool that detects errors, vulnerabilities and code smells in the code. It can be integrated with your existing workflow (e.g. Jenkins) to perform continuous code checks in your project branches and pull requests.
In this short guide, we will install this excellent open source tool so that your team can inspect code before it goes into production. By detecting outdated software components in use and making recommendations in real time, it helps you simplify your application and improve its security.
- SonarQube is built on Java, so we will make sure that Java 11 is installed.
- The Elasticsearch instance bundled with SonarQube refuses to start as root, so SonarQube must run as a separate, unprivileged user.
To install this tool in a CentOS 7 box, follow the steps shared below:
Step 1: Update and install the required tools and complete the system settings
In this step, make sure the server is up to date and that all the tools required during the installation have been installed. We will also adjust system settings: SELinux, vm.max_map_count and fs.file-max. Run the following commands to update the server and install the tools.
sudo yum update
sudo yum install vim wget curl -y
Set SELinux to permissive mode
This can be done by running the following command:
sudo setenforce 0
sudo sed -i 's/^SELINUX=enforcing$/SELINUX=permissive/' /etc/selinux/config
Adjust max_map_count and fs.file-max
From the Linux kernel documentation: vm.max_map_count contains the maximum number of memory map areas a process may have. Memory map areas are used as a side effect of calling malloc, directly by mmap, mprotect and madvise, and also when loading shared libraries.
To adjust the settings to meet the requirements of SonarQube, open the “/etc/sysctl.conf” file and add the settings as shown below:
$ sudo vim /etc/sysctl.conf
vm.max_map_count=262144
fs.file-max=65536
Create a sonar user
It is recommended to create a separate user to run SonarQube. Let’s create one as follows:
sudo useradd sonar
Then set a password for the user
sudo passwd sonar
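As an added preflight check, not part of the original guide, the following POSIX shell script verifies the Step 1 requirements before you go further: the live kernel values under /proc/sys meet the thresholds the guide writes to /etc/sysctl.conf, the setting is actually persisted in that file (editing it does not change the running kernel until you run sudo sysctl -p or reboot), and the sonar user exists. The function names and the exact messages are mine; the thresholds are the guide's.

```shell
#!/bin/sh
# Preflight check for the Step 1 requirements (added example, not from the original guide).
# Thresholds are the values the guide writes to /etc/sysctl.conf.
REQ_MAX_MAP_COUNT=262144
REQ_FILE_MAX=65536

# check_limit NAME CURRENT REQUIRED -> prints a verdict; returns 0 if CURRENT >= REQUIRED.
check_limit() {
    name=$1
    current=${2:-0}
    required=$3
    if [ "$current" -ge "$required" ] 2>/dev/null; then
        echo "OK   $name=$current (required >= $required)"
        return 0
    fi
    echo "FAIL $name=$current (required >= $required)"
    return 1
}

# read_sysctl NAME -> prints the live kernel value (vm.max_map_count -> /proc/sys/vm/max_map_count).
read_sysctl() {
    cat "/proc/sys/$(printf '%s' "$1" | tr . /)" 2>/dev/null
}

# persisted_in_sysctl_conf NAME VALUE [FILE] -> 0 if FILE pins NAME to at least VALUE,
# so the setting survives a reboot (a correct live value alone does not prove that).
persisted_in_sysctl_conf() {
    name=$1
    value=$2
    file=${3:-/etc/sysctl.conf}
    configured=$(grep -E "^[[:space:]]*$name[[:space:]]*=" "$file" 2>/dev/null \
        | tail -n 1 | cut -d= -f2 | tr -d '[:space:]')
    [ -n "$configured" ] && [ "$configured" -ge "$value" ] 2>/dev/null
}

# preflight [SYSCTL_CONF] -> runs every check; returns 0 only if all of them pass.
preflight() {
    conf=${1:-/etc/sysctl.conf}
    status=0
    check_limit vm.max_map_count "$(read_sysctl vm.max_map_count)" "$REQ_MAX_MAP_COUNT" || status=1
    check_limit fs.file-max "$(read_sysctl fs.file-max)" "$REQ_FILE_MAX" || status=1
    if persisted_in_sysctl_conf vm.max_map_count "$REQ_MAX_MAP_COUNT" "$conf"; then
        echo "OK   vm.max_map_count is persisted in $conf"
    else
        echo "FAIL vm.max_map_count is not persisted in $conf (edit it, then run: sudo sysctl -p)"
        status=1
    fi
    # The bundled Elasticsearch refuses to start as root, so a dedicated user is required.
    if id sonar >/dev/null 2>&1; then
        echo "OK   user 'sonar' exists"
    else
        echo "FAIL user 'sonar' does not exist (sudo useradd sonar)"
        status=1
    fi
    if [ "$(id -u)" -eq 0 ]; then
        echo "NOTE you are root: start SonarQube through its systemd unit as user sonar, not from this shell"
    fi
    return $status
}

# Run the checks; a non-zero status means something still has to be fixed before installing SonarQube.
preflight || echo "preflight: one or more requirements are not met"
```

Run it as root on the CentOS box after editing /etc/sysctl.conf; every FAIL line names the command that fixes it.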
Step 2: Install Java 11 on CentOS 7
As mentioned in the introduction, SonarQube is written in Java and requires a Java runtime (Java 11 in this setup). To install Java 11 on CentOS 7, follow the guide in the following post:
Install Java 11 on CentOS 7
Step 3: Install and configure PostgreSQL
In this example guide, we will install the PostgreSQL 11 server on the same machine where SonarQube will reside; you can host it on another server if needed. To install PostgreSQL 11 on a CentOS 7 server, follow the steps below.
Add PostgreSQL Yum repository
Add the PostgreSQL Yum repository to your CentOS 7 system by running the command below.
sudo yum install -y https://download.postgresql.org/pub/repos/yum/reporpms/EL-7-x86_64/pgdg-redhat-repo-latest.noarch.rpm
Install PostgreSQL server and client software packages
After adding the PostgreSQL Yum repository, install the PostgreSQL server/client package:
sudo yum -y install postgresql11-server postgresql11
After installation, initialize the database and enable automatic startup
Now that the database software package has been installed, initialize the database by running the following command
sudo /usr/pgsql-11/bin/postgresql-11-setup initdb
Then start and enable the service to start at boot
sudo systemctl start postgresql-11
sudo systemctl enable postgresql-11
After installing the PostgreSQL server, configure it as follows. Open the pg_hba.conf file and change the authentication method for local (Unix socket) connections from “peer” to “trust” and for host connections from “ident” to “md5”.
$ sudo vim /var/lib/pgsql/11/data/pg_hba.conf
## Change this:
local   all             all                                     peer
# IPv4 local connections:
host    all             all             127.0.0.1/32            ident
# IPv6 local connections:
host    all             all             ::1/128                 ident
# Allow replication connections from localhost, by a user with the
# replication privilege.
local   replication     all                                     peer
host    replication     all             127.0.0.1/32            ident
host    replication     all             ::1/128                 ident

## To this:
local   all             all                                     trust
# IPv4 local connections:
host    all             all             127.0.0.1/32            md5
# IPv6 local connections:
host    all             all             ::1/128                 md5
# Allow replication connections from localhost, by a user with the
# replication privilege.
local   replication     all                                     peer
host    replication     all             127.0.0.1/32            md5
host    replication     all             ::1/128                 md5
Enable remote access to PostgreSQL
If your application is located at a remote location, then you will need to allow it to access the database as follows:
Edit the file /var/lib/pgsql/11/data/postgresql.conf and set listen_addresses to the server's IP address, or to “*” to listen on all interfaces.
$ sudo vim /var/lib/pgsql/11/data/postgresql.conf
listen_addresses = '10.38.87.160'
Then add one of the following rules to the “pg_hba.conf” file:
$ sudo vim /var/lib/pgsql/11/data/pg_hba.conf
# Accept from anywhere
host    all             all             0.0.0.0/0               md5
# Or accept from a trusted subnet
host    all             all             10.38.87.0/24           md5
Restart the PostgreSQL service
sudo systemctl restart postgresql-11
Set up PostgreSQL administrator user
We will need to change the password of the postgres admin user as follows:
$ sudo su - postgres
-bash-4.2$ psql
postgres=# alter user postgres with password 'StrongPassword';
ALTER ROLE
postgres=#
Create SonarQube user and database
Next, we will create a database user for SonarQube. While still in the psql session, run the following SQL statements (note that these are SQL statements, not the createuser/createdb shell utilities, which cannot be run from inside psql):
postgres=# CREATE USER sonar;
postgres=# CREATE DATABASE sonar_db OWNER sonar;
postgres=# GRANT ALL PRIVILEGES ON DATABASE sonar_db TO sonar;
Set password for sonar user
postgres=# ALTER USER sonar WITH ENCRYPTED password 'StrongPassword';
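Two of the pg_hba.conf changes above deserve a check before you move on: `trust` on the `local` line means any OS account on the box can open a Unix-socket connection as any database role, including postgres, with no credential, and the “accept from anywhere” variant makes the md5 rule reachable from every source address. SonarQube itself connects over TCP to localhost (the JDBC URL used in Step 5), which the `host ... 127.0.0.1/32 ... md5` and `::1/128` rules already cover. As an added check that is not part of the original guide, here is a small POSIX shell auditor that reads a pg_hba.conf in the CIDR address form and reports those two patterns; the sample file embedded below is constructed from the guide's edited rules, and the function name is mine.

```shell
#!/bin/sh
# Audit a pg_hba.conf for weak authentication rules (added example, not from the original guide).
# Flags: METHOD=trust on any rule, and host rules whose ADDRESS is 0.0.0.0/0 or ::/0.
# Only the CIDR address form (e.g. 10.38.87.0/24) is parsed; the separate-netmask form is ignored.

# audit_pg_hba FILE -> prints one line per weak rule; returns the number of findings (0 = clean).
audit_pg_hba() {
    file=$1
    findings=0
    scratch="${TMPDIR:-/tmp}/pg_hba_audit.$$"
    # Drop comments and blank lines; remaining columns are TYPE DATABASE USER [ADDRESS] METHOD [OPTIONS]
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$file" > "$scratch"
    while read -r type db user rest; do
        case "$type" in
            local)
                method=$(printf '%s' "$rest" | awk '{print $1}')
                address="(unix-socket)"
                ;;
            host|hostssl|hostnossl)
                address=$(printf '%s' "$rest" | awk '{print $1}')
                method=$(printf '%s' "$rest" | awk '{print $2}')
                ;;
            *)
                continue
                ;;
        esac
        if [ "$method" = "trust" ]; then
            echo "WEAK  $type $db $user $address trust: no credential is checked at all"
            findings=$((findings + 1))
        fi
        case "$address" in
            0.0.0.0/0|::/0)
                echo "WEAK  $type $db $user $address $method: reachable from any source address"
                findings=$((findings + 1))
                ;;
        esac
    done < "$scratch"
    rm -f "$scratch"
    return $findings
}

# Constructed sample: the guide's edited rules plus its "accept from anywhere" line.
SAMPLE="${TMPDIR:-/tmp}/pg_hba_sample.$$"
cat > "$SAMPLE" <<'EOF'
# TYPE  DATABASE        USER            ADDRESS                 METHOD
local   all             all                                     trust
host    all             all             127.0.0.1/32            md5
host    all             all             ::1/128                 md5
local   replication     all                                     peer
host    replication     all             127.0.0.1/32            md5
host    replication     all             ::1/128                 md5
# Accept from anywhere
host    all             all             0.0.0.0/0               md5
EOF
audit_pg_hba "$SAMPLE"
echo "findings: $?"
rm -f "$SAMPLE"
```

On the sample it reports two findings. To run it against the live file: `sudo sh audit_pg_hba.sh` with `audit_pg_hba /var/lib/pgsql/11/data/pg_hba.conf` in place of the sample; a clean file returns 0, which makes the function usable as a gate in a configuration-management run.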
Step 4: Extract and install SonarQube
Now for the part we have been waiting for. We will download the long-term support version of SonarQube and install it on our server. Follow the steps below.
Get SonarQube LTS version
You can visit the SonarQube download page to see their various editions. We will download the Long-Term Support (LTS) version.
cd /opt/
sudo wget https://binaries.sonarsource.com/Distribution/sonarqube/sonarqube-7.9.5.zip
Then unzip the file
sudo unzip sonarqube-7.9.5.zip
After that, rename the folder to sonarqube
sudo mv sonarqube-7.9.5 sonarqube
Step 5: Configure SonarQube
After extracting the files to the /opt/ directory, you can configure the application.
Open the “/opt/sonarqube/conf/sonar.properties” file and add the database details as shown below. Where a line already exists in the file, find it and uncomment it instead.
$ sudo vim /opt/sonarqube/conf/sonar.properties
## Database details
sonar.jdbc.username=sonar
sonar.jdbc.password=StrongPassword
sonar.jdbc.url=jdbc:postgresql://localhost/sonar_db
## How you will access the SonarQube web UI
sonar.web.host=10.38.87.160
sonar.web.port=9000
## Java options
sonar.web.javaOpts=-server -Xms512m -Xmx512m -XX:+HeapDumpOnOutOfMemoryError
sonar.search.javaOpts=-server -Xms512m -Xmx512m -XX:+HeapDumpOnOutOfMemoryError
## Also add the following Elasticsearch storage paths
sonar.path.data=/var/sonarqube/data
sonar.path.temp=/var/sonarqube/temp
Grant ownership of the SonarQube files to the sonar user we created in Step 1.
sudo chown -R sonar:sonar /opt/sonarqube
If Java is not in the default location, you must tell the SonarQube wrapper where to find it. Set the Java location in the “/opt/sonarqube/conf/wrapper.conf” file: look for the “wrapper.java.command” line and set it to the path of your java binary.
$ sudo vim /opt/sonarqube/conf/wrapper.conf
wrapper.java.command=/usr/local/jdk-11.0.2/bin/java
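sonar.properties now holds the database password in clear text, and after unzip the file is typically readable by every local account (check with ls -l), which the chown above does not change. As an added check, not part of the original guide, this POSIX shell script verifies that the file is readable by its owner only, that sonar.jdbc.password is set and is not the placeholder value copied from this guide, and that sonar.jdbc.url points at PostgreSQL. The function names and the constructed sample file are mine.

```shell
#!/bin/sh
# Secret-hygiene check for /opt/sonarqube/conf/sonar.properties (added example, not from the guide).

# owner_only FILE -> 0 if group and others have no permission bits (mode 600 or stricter).
# Parsing `ls -ld` keeps this portable across GNU and BSD variants of stat.
owner_only() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    [ "$mode" = "------" ]
}

# property_value FILE KEY -> prints the value of KEY; the last uncommented assignment wins.
property_value() {
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" 2>/dev/null \
        | tail -n 1 | sed 's/^[^=]*=//' | tr -d '[:space:]'
}

# check_sonar_properties FILE [PLACEHOLDER] -> prints findings; returns the number of findings.
check_sonar_properties() {
    file=$1
    placeholder=${2:-StrongPassword}   # the literal password used throughout this guide
    findings=0
    if owner_only "$file"; then
        echo "OK   $file is readable by its owner only"
    else
        echo "FAIL $file is readable by group/others (chmod 600 $file)"
        findings=$((findings + 1))
    fi
    password=$(property_value "$file" sonar.jdbc.password)
    if [ -z "$password" ]; then
        echo "FAIL sonar.jdbc.password is not set"
        findings=$((findings + 1))
    elif [ "$password" = "$placeholder" ]; then
        echo "FAIL sonar.jdbc.password is the guide's placeholder value; set a unique password"
        findings=$((findings + 1))
    else
        echo "OK   sonar.jdbc.password is set"
    fi
    case "$(property_value "$file" sonar.jdbc.url)" in
        jdbc:postgresql://*)
            echo "OK   sonar.jdbc.url points at PostgreSQL"
            ;;
        *)
            echo "FAIL sonar.jdbc.url is not a PostgreSQL JDBC URL"
            findings=$((findings + 1))
            ;;
    esac
    return $findings
}

# Constructed sample with the values this guide uses, in the world-readable mode typical after unzip.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
sonar.jdbc.username=sonar
sonar.jdbc.password=StrongPassword
sonar.jdbc.url=jdbc:postgresql://localhost/sonar_db
EOF
chmod 644 "$SAMPLE"
check_sonar_properties "$SAMPLE" || echo "findings: $?"
rm -f "$SAMPLE"
```

The sample yields two findings (file mode and placeholder password). Against the real file, run `check_sonar_properties /opt/sonarqube/conf/sonar.properties` as root; the fix for the mode finding is `sudo chmod 600 /opt/sonarqube/conf/sonar.properties`, which still lets the sonar user read it.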
Add SonarQube SystemD service file
Finally, we will make sure the SonarQube application can be managed through systemd so that it can be started and stopped like the other services on the server.
$ sudo vim /etc/systemd/system/sonarqube.service
[Unit]
Description=SonarQube service
After=syslog.target network.target

[Service]
Type=forking
ExecStart=/opt/sonarqube/bin/linux-x86-64/sonar.sh start
ExecStop=/opt/sonarqube/bin/linux-x86-64/sonar.sh stop
LimitNOFILE=65536
LimitNPROC=4096
User=sonar
Group=sonar
Restart=on-failure

[Install]
WantedBy=multi-user.target
After adding or editing a systemd unit file, we must reload systemd so that it reads the new unit.
sudo systemctl daemon-reload
Then start and enable the service
sudo systemctl start sonarqube.service
sudo systemctl enable sonarqube.service
Check its status to see if it has successfully started and is running.
sudo systemctl status sonarqube.service
Step 6: Change firewall rules to allow SonarQube access
At this point, the sonarqube service should be running. If you cannot access the web interface, check the log files in “/opt/sonarqube/logs”; in that directory you will find:
- elasticsearch log (es.log)
- Sonar log (sonar.log)
- Web log (web.log)
- Access log (access.log)
- And others
We configured the SonarQube web server to listen on port 9000, so this port must be allowed through the firewall. Run the following commands:
sudo firewall-cmd --permanent --add-port=9000/tcp && sudo firewall-cmd --reload
Step 7: Access the web user interface
The moment we have been waiting for has arrived. We are now ready to access the SonarQube interface and begin evaluating the security of our code. To access it, open your favorite browser and point it to http://server-ip-or-fqdn:9000. You should see a page similar to the one below.
Step 8: Login
To log in, click the “Log in” button (shown in the picture above) and you will be taken to a page like the one below. Use “admin” as the user name and “admin” as the password (the default credentials of a fresh installation).
You should then be directed to the main dashboard, as shown in the image below.
Now, we have our automated code inspection tool, which you can use to scan various applications before approving them for production. It is simple, comprehensive, and can meet your organization’s security needs. Give it a try.
That is all for this guide. Thank you for visiting and for your continued support. Other guides you might like include:
Cybersecurity trends, threats and protection methods in 2021
10 application security trends that should be considered when securing applications
How to improve the safety of website visitors