In this brief guide we use SonarQube to scan PHP, JavaScript and other languages apart from Java through the SonarScanner CLI client. SonarScanner runs next to the source code (here, on the Jenkins build agent), analyses it and uploads the results to the SonarQube server, which can live on a different host. We will wire the scanner into a Jenkins pipeline so that every build is scanned as part of CI/CD.
Pre-requisites
In order for this guide to be complete, we assume that you have SonarQube and Jenkins installed, and successful integration has been done. In case you have not done so, the guides below will help you:
- How To Integrate SonarQube with Jenkins
- Install SonarQube on Rocky Linux 8 / CentOS 8
- How To Install Jenkins on Rocky Linux 8
- How To Use Multi-Branch Pipeline in Jenkins
We will follow a couple of steps to achieve this. Once you are ready, the following are the steps.
Step 1: Install Sonar Scanner
Since we need Sonar Scanner as our main application for this, we will have to install it and let Jenkins Server know where to find it. We preferred installing it the manual way instead of using Jenkins automatic installer. It is a choice you have to make. Anyhow, let us proceed and get sonar scanner installed.
Download the SonarScanner binary from the official website. The -linux archive bundles its own JRE, so the scanner host does not need a separate Java installation.
wget https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-4.8.0.2856-linux.zip
unzip sonar-scanner-cli-*-linux.zip
mv sonar-scanner-*-linux/ sonar-scanner
sudo cp -rv sonar-scanner /opt/sonarqube/
Then add sonar-scanner binaries to $PATH
$ sudo vim /etc/profile.d/scanner.sh
export PATH=$PATH:/opt/sonarqube/sonar-scanner/bin/
After adding the file, source it to apply changes to the system variables.
source /etc/profile.d/scanner.sh
Then confirm if everything went well by running “which” command.
$ which sonar-scanner
/opt/sonarqube/sonar-scanner/bin/sonar-scanner
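The manual download above trusts whatever the network hands back. As an added example that is not part of the original guide, the script below performs the same installation but verifies the archive against the .sha256 digest SonarSource publishes next to each release (assumed to sit at the same URL with a .sha256 suffix; check the download page for your version), and it can be re-run to upgrade. The /opt/sonarqube location, sudo access and the /etc/profile.d/scanner.sh PATH entry are the same as in the steps above.

```shell
#!/bin/sh
# Added example, not from the original guide: install SonarScanner CLI with an
# integrity check on the download. Assumptions: SonarSource publishes
# <zip>.sha256 beside each zip, /opt/sonarqube exists, and sudo is available.
set -eu

SCANNER_VERSION="${SCANNER_VERSION:-4.8.0.2856}"
SCANNER_BASE_URL="https://binaries.sonarsource.com/Distribution/sonar-scanner-cli"
INSTALL_DIR="${INSTALL_DIR:-/opt/sonarqube/sonar-scanner}"

# verify_sha256 FILE EXPECTED_HEX -> 0 if the file's SHA-256 matches, 1 otherwise
verify_sha256() {
  vs_file="$1"; vs_expected="$2"
  vs_actual="$(sha256sum "$vs_file" | awk '{print $1}')"
  if [ "$vs_actual" = "$vs_expected" ]; then
    return 0
  fi
  echo "checksum mismatch for $vs_file: expected $vs_expected got $vs_actual" >&2
  return 1
}

# expected_from_sha256_file FILE -> the hex digest stored in a .sha256 file,
# accepting both the bare "<hex>" layout and the "<hex>  <name>" layout
expected_from_sha256_file() {
  awk 'NR==1 {print $1}' "$1"
}

# Download, verify, unpack and move the scanner into INSTALL_DIR
install_sonar_scanner() {
  zip="sonar-scanner-cli-${SCANNER_VERSION}-linux.zip"
  workdir="$(mktemp -d)"
  trap 'rm -rf "$workdir"' EXIT
  (
    cd "$workdir"
    wget -q "${SCANNER_BASE_URL}/${zip}" "${SCANNER_BASE_URL}/${zip}.sha256"
    # Abort before unpacking anything if the digest does not match
    verify_sha256 "$zip" "$(expected_from_sha256_file "${zip}.sha256")"
    unzip -q "$zip"
    sudo mkdir -p "$(dirname "$INSTALL_DIR")"
    sudo rm -rf "$INSTALL_DIR"
    sudo mv "sonar-scanner-${SCANNER_VERSION}-linux" "$INSTALL_DIR"
  )
  # Make the scanner available to every login shell, as in Step 1
  echo "export PATH=\$PATH:${INSTALL_DIR}/bin" | sudo tee /etc/profile.d/scanner.sh >/dev/null
}

# Only install when invoked as "install", so the functions can be sourced on their own
if [ "${1:-}" = "install" ]; then
  install_sonar_scanner
  "${INSTALL_DIR}/bin/sonar-scanner" --version
fi
```

Run it as `sh install-scanner.sh install`; set SCANNER_VERSION to pick a different release. The verification step only guards against a corrupted or tampered download in transit, not against a compromised publisher; for that you would also check the .asc signature SonarSource provides.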
Step 2: Let Jenkins know where to find sonar scanner
In this step, we tell Jenkins that sonar scanner is installed and point it at the scanner's home directory. To do this, log in to your Jenkins server with a user that has admin privileges, then click “Manage Jenkins” > “Global Tool Configuration”.
Scroll down to the “SonarQube Scanner” section and click “Add SonarQube Scanner“. You will be presented with a small form. Give it a name you prefer, uncheck “Install automatically“ and set SONAR_RUNNER_HOME to the scanner's installation root, “/opt/sonarqube/sonar-scanner“ (not its bin/ subdirectory: Jenkins appends bin/sonar-scanner itself when a pipeline resolves the tool). Screenshot is shared below.
Step 3: Update your Jenkinsfile
Once sonar scanner is installed and its home directory is added to Jenkins server, it is time to add the scanning step to your Jenkinsfile so that code is scanned and report delivered before it is deployed.
For Scripted Jenkinsfile
// Label 'master' is called 'built-in' on current Jenkins; running builds on the
// controller is discouraged, so prefer a dedicated agent label here.
node('master') {
    def projectName = 'testProject'
    stage("Sonar Scan") {
        // PATH+SCANNER prepends to the agent's PATH instead of replacing it;
        // projectName is exported so the shell can read it without Groovy interpolation
        withEnv(["PATH+SCANNER=/opt/sonarqube/sonar-scanner/bin", "projectName=${projectName}"]) {
            withSonarQubeEnv(installationName: 'sonarqube-Server', credentialsId: 'sonarqubeSecret') {
                // Single-quoted Groovy string: the shell expands the variables, so the
                // token is never interpolated into the command line by Groovy
                // (sonar.login is accepted by scanner 4.8; SonarQube 10+ uses sonar.token)
                sh '''
                    sonar-scanner \
                      -Dsonar.projectKey=$projectName \
                      -Dsonar.projectName=$projectName \
                      -Dsonar.projectVersion=$BUILD_ID \
                      -Dsonar.sources=. \
                      -Dsonar.host.url=$SONAR_HOST_URL \
                      -Dsonar.login=$SONAR_AUTH_TOKEN
                '''
            }
        }
    }
}
For Declarative Jenkinsfile
pipeline {
    agent any
    environment {
        // Exposed as a shell variable to every sh step in the pipeline
        projectName = "test-project"
    }
    stages {
        stage("SonarQube Scan") {
            steps {
                // PATH+SCANNER prepends to the agent's PATH instead of replacing it
                withEnv(["PATH+SCANNER=/opt/sonarqube/sonar-scanner/bin"]) {
                    withSonarQubeEnv(installationName: 'sonarqube-Server', credentialsId: 'sonarqubeSecret') {
                        // Single-quoted Groovy string: the shell expands the variables, so the
                        // token is never interpolated into the command line by Groovy
                        // (sonar.login is accepted by scanner 4.8; SonarQube 10+ uses sonar.token)
                        sh '''
                            sonar-scanner \
                              -Dsonar.projectKey=$projectName \
                              -Dsonar.projectName=$projectName \
                              -Dsonar.projectVersion=$BUILD_ID \
                              -Dsonar.sources=. \
                              -Dsonar.host.url=$SONAR_HOST_URL \
                              -Dsonar.login=$SONAR_AUTH_TOKEN
                        '''
                    }
                }
            }
        }
    }
}
The withEnv wrapper puts the scanner's bin directory on PATH for the sh step that follows. If you get the error “sonar-scanner: command not found“, this is the fix. Note that a plain PATH=... value replaces the agent's whole PATH, so it must list everything the build needs; withEnv also accepts the form PATH+NAME=/some/dir, which prepends the directory to the existing PATH instead.
You will also notice that no token is hard-coded and that the project does not have to be created in SonarQube beforehand: the scanner creates it on the first analysis, provided the token's user has permission to create projects. withSonarQubeEnv handles authentication with the credential we added in Jenkins while integrating it with SonarQube. It exposes SONAR_HOST_URL and SONAR_AUTH_TOKEN as environment variables (and also hands them to the scanner through SONARQUBE_SCANNER_PARAMS, so the explicit -Dsonar.host.url and -Dsonar.login flags are belt and braces). Let the shell expand these variables from a single-quoted sh string rather than interpolating ${env.SONAR_AUTH_TOKEN} inside a Groovy double-quoted string: Groovy interpolation bakes the secret into the command line Jenkins builds, which is why Jenkins prints a warning about secrets passed to sh that way. On SonarQube 10 and newer scanners the property is sonar.token; sonar.login still works with the 4.8 scanner used here. The ${projectName} variable is set in the Jenkinsfile as illustrated above.
Step 4: Add Missing Plugins for various Programming languages in SonarQube
To scan JavaScript, C#, CSS, Visual Basic, HTML, PHP, Python, etc. source code, SonarQube requires plugins for the various languages to be installed. SonarQube comes with most of these modules installed. In case one or the other is not installed yet, do the following. Login to SonarQube with administrator credentials then click on “Administration” > “Marketplace“,
then search the plugin in the “Plugins” section as shared below.
Step 5: Start the building process
If everything is integrated correctly, we can now run the pipeline. Trigger it from your repository in GitHub or GitLab, or build it manually in Jenkins. Once the scan completes, the console log shows whether the analysis was uploaded and the SonarQube dashboard shows the findings and the quality gate status, as shared below:
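The scan step above only reports that the analysis was uploaded; on its own it does not fail the build when the quality gate fails. As an added example that is not part of the original guide, the script below closes that gap from the shell: the scanner writes .scannerwork/report-task.txt with the server URL and the compute-engine task id, so the script polls api/ce/task until the analysis is processed and then asks api/qualitygates/project_status for the verdict. The token is read from SONAR_TOKEN, a variable name assumed here; inside withSonarQubeEnv you would pass the injected SONAR_AUTH_TOKEN. The host name and ids in the test data are constructed.

```shell
#!/bin/sh
# Added example, not from the original guide: turn the SonarQube quality gate
# into a build verdict. Assumes curl, a token in SONAR_TOKEN (hypothetical name)
# and a report-task.txt written by a completed sonar-scanner run.
set -eu

# report_value FILE KEY -> value of "KEY=value" in a scanner report-task.txt
report_value() {
  sed -n "s/^$2=//p" "$1" | head -n 1
}

# json_string JSON KEY -> first string value for "KEY":"value"
# (no jq needed; the first "status" in both responses used here is the one we want)
json_string() {
  printf '%s' "$1" | grep -o "\"$2\":\"[^\"]*\"" | head -n 1 | sed 's/^[^:]*:"//; s/"$//'
}

# gate_verdict STATUS -> 0 for OK, 1 for ERROR or anything unexpected (fail closed)
gate_verdict() {
  case "$1" in
    OK) return 0 ;;
    *)  return 1 ;;
  esac
}

# Poll the compute-engine task until it finishes; print its analysisId
wait_for_analysis() {
  wa_server="$1"; wa_task="$2"; wa_token="$3"
  wa_try=0
  while [ "$wa_try" -lt 60 ]; do
    # The token is sent as the basic-auth user name with an empty password
    wa_body="$(curl -sf -u "$wa_token:" "$wa_server/api/ce/task?id=$wa_task")"
    wa_status="$(json_string "$wa_body" status)"
    case "$wa_status" in
      SUCCESS) json_string "$wa_body" analysisId; return 0 ;;
      FAILED|CANCELED) echo "analysis task $wa_task ended with $wa_status" >&2; return 1 ;;
    esac
    wa_try=$((wa_try + 1)); sleep 5
  done
  echo "timed out waiting for task $wa_task" >&2
  return 1
}

# check_quality_gate [REPORT] -> exit status of the gate for the latest analysis
check_quality_gate() {
  cq_report="${1:-.scannerwork/report-task.txt}"
  cq_server="$(report_value "$cq_report" serverUrl)"
  cq_task="$(report_value "$cq_report" ceTaskId)"
  cq_analysis="$(wait_for_analysis "$cq_server" "$cq_task" "$SONAR_TOKEN")"
  cq_body="$(curl -sf -u "$SONAR_TOKEN:" "$cq_server/api/qualitygates/project_status?analysisId=$cq_analysis")"
  cq_status="$(json_string "$cq_body" status)"
  echo "quality gate: $cq_status ($(report_value "$cq_report" dashboardUrl))"
  gate_verdict "$cq_status"
}

if [ "${1:-}" = "check" ]; then
  check_quality_gate "${2:-.scannerwork/report-task.txt}"
fi
```

Call it as a second sh step inside the same withSonarQubeEnv block, for example `SONAR_TOKEN="$SONAR_AUTH_TOKEN" sh check-gate.sh check`, so a failed gate fails the stage. The SonarQube Scanner plugin offers the same outcome with its waitForQualityGate step, which relies on a webhook from SonarQube back to Jenkins; the polling approach above needs no inbound connection to the Jenkins controller.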
Conclusion
SonarScanner and SonarQube make a strong tag team in your security toolkit. Put them to work in your CI/CD pipeline and reduce the chance of deploying code with avoidable security flaws.
Lastly, we hope the guide was useful and solved something for you today. We continue to receive tremendous support, comments and good vibes, and we do not take that for granted. Have yourself an amazing last quarter of this tumultuous year as you continue to keep safe.