Friday, December 27, 2024
Google search engine
HomeData Modelling & AIScan PHP|JavaScript|C#|HTML using Sonar Scanner and Jenkins

Scan PHP|JavaScript|C#|HTML using Sonar Scanner and Jenkins

.tdi_3.td-a-rec{text-align:center}.tdi_3 .td-element-style{z-index:-1}.tdi_3.td-a-rec-img{text-align:left}.tdi_3.td-a-rec-img img{margin:0 auto 0 0}@media(max-width:767px){.tdi_3.td-a-rec-img{text-align:center}}

In this brief guide we are going to take advantage of SonarQube to scan PHP or JavaScript or other programming language apart from Java via the sonar scanner client. How this works is that sonar scanner connects to SonarQube and scans your application located in your server in a different location. For this example, we are going to use sonar scanner and a Jenkins instance then use it to scan applications during a CI/CD pipeline.

Pre-requisites

In order for this guide to be complete, we assume that you have SonarQube and Jenkins installed, and successful integration has been done. In case you have not done so, the guides below will help you:

We will follow a couple of steps to achieve this. Once you are ready, the following are the steps.

.tdi_2.td-a-rec{text-align:center}.tdi_2 .td-element-style{z-index:-1}.tdi_2.td-a-rec-img{text-align:left}.tdi_2.td-a-rec-img img{margin:0 auto 0 0}@media(max-width:767px){.tdi_2.td-a-rec-img{text-align:center}}

Step 1: Install Sonar Scanner

Since we need Sonar Scanner as our main application for this, we will have to install it and let Jenkins Server know where to find it. We preferred installing it the manual way instead of using Jenkins automatic installer. It is a choice you have to make. Anyhow, let us proceed and get sonar scanner installed.

Download Sonar scanner binary from the official website.

wget https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-4.8.0.2856-linux.zip
unzip sonar-scanner-cli-*-linux.zip
mv sonar-scanner-*-linux/ sonar-scanner
sudo cp -rv sonar-scanner /opt/sonarqube/

Then add sonar-scanner binaries to $PATH

$ sudo vim /etc/profile.d/scanner.sh
export PATH=$PATH:/opt/sonarqube/sonar-scanner/bin/

After adding the file, source it to apply changes to the system variables.

source /etc/profile.d/scanner.sh

Then confirm if everything went well by running “which” command.

$ which sonar-scanner
/opt/sonarqube/sonar-scanner/bin/sonar-scanner

Step 2: Let Jenkins know where to find sonar scanner

In this step, we are going to inform Jenkins that sonar scanner is installed and giving it direction to its home directory. To have this done, login to your Jenkins server with a user having admin privileges then click “Manage Jenkins” > “Global Tool Configuration”.

jenkins manage jenkins
click global tool configuration

Scroll down to “SonarQube Scanner” section then click on Add SonarQube Scanner. You will be presented with form-like mini-page where you can enter details. Give it a name you prefer, uncheck Automatic Installation then enter SONAR_RUNNER_HOME value which is where we installed sonar-scanner as “/opt/sonarqube/sonar-scanner/bin/“. Screenshot is shared below.

sonarqube scanner section

Step 3: Update your Jenkinsfile

Once sonar scanner is installed and its home directory is added to Jenkins server, it is time to add the scanning step to your Jenkinsfile so that code is scanned and report delivered before it is deployed.

For Scripted Jenkinsfile

node('master') {
    def projectName = 'testProject'

stage("Sonar Scan") {
          withEnv(["PATH=/usr/bin:/usr/local/jdk-11.0.2/bin:/opt/sonarqube/sonar-scanner/bin/"]) {
            withSonarQubeEnv(installationName: 'sonarqube-Server', credentialsId: 'sonarqubeSecret') {  
            sh "sonar-scanner \
                -Dsonar.projectKey=${projectName} \
                -Dsonar.sources=. \
                -Dsonar.host.url=${env.SONAR_HOST_URL} \
                -Dsonar.login=${env.SONAR_AUTH_TOKEN} \
                -Dsonar.projectName=${projectName} \
                -Dsonar.projectVersion=${env.BUILD_ID}"
         }
      }
    }
  }

For Declarative Jenkinsfile

pipeline {
    agent any
    environment {
        projectName = "test-project"
    }

stages {
    stage ("SonarQube Scan") {
       steps {
          withEnv(["PATH=/usr/bin:/usr/local/jdk-11.0.2/bin:/opt/sonarqube/sonar-scanner/bin/"]) {
             withSonarQubeEnv(installationName: 'sonarqube-Server', credentialsId: 'sonarqubeSecret') { 
               sh "sonar-scanner \
                 -Dsonar.projectKey=${projectName} \
                 -Dsonar.sources=. \
                 -Dsonar.host.url=${env.SONAR_HOST_URL} \
                 -Dsonar.login=${env.SONAR_AUTH_TOKEN} \
                 -Dsonar.projectName=${projectName} \
                 -Dsonar.projectVersion=${env.BUILD_ID}"
           }
         }
       }
     }
  }
}

The withEnv option will help Jenkinsfile find sonar scanner from $PATH in your server. In case you get the error “sonar-scanner command not found“, kindly consider adding this option as in the code above.

You will also notice that we are not using any login keys and projects created on SonarQube. All this is handled by the token we generated while integrating Jenkins with SonarQube. The wrapper withSonarQubeEnv does this job for us with the credential we already added in Jenkins. withSonarQubeEnv exposes “${env.SONAR_AUTH_TOKEN}” and “${env.SONAR_HOST_URL}” environment variables which are injected into sonar-scanner. The “${projectName}” variable can be set in your Jenkinsfile as it has been illustrated above.

Step 4: Add Missing Plugins for various Programming languages in SonarQube

To scan JavaScript, C#, CSS, Visual Basic, HTML, PHP, Python, etc. source code, SonarQube requires plugins for the various languages to be installed. SonarQube comes with most of these modules installed. In case one or the other is not installed yet, do the following. Login to SonarQube with administrator credentials then click on “Administration” > “Marketplace“,

sonarqube Click Administration
sonarqube click marketplace then search for plugin

then search the plugin in the “Plugins” section as shared below.

sonarqube click marketplace then search for plugin

Step 5: Start the building process

Hoping every aspect is working well and beautifully integrated, we can confidently start the pipeline. You can trigger it from your sources in GitHub or GitLab or you can manually build it in Jenkins. You should see the report of failure or success once the scanning is complete as shared below:

sonarqube gradle results

Conclusion

Sonar scanner in combination with SonarQube make the best tag team in your Security toolkit. Have them work for you in your CI/CD journey and minimize chances of deploying code dented with the misfortunes of avoidable security flaws.

Lastly, we hope the guide was useful and solved something for you today. We continue to receive tremendous support, comments and good vibes. We do not take that for granted. Have yourself an amazing last quarter of this tumultous year as you continue to keep safe.

Recommended books to read:

Other people also read:

.tdi_4.td-a-rec{text-align:center}.tdi_4 .td-element-style{z-index:-1}.tdi_4.td-a-rec-img{text-align:left}.tdi_4.td-a-rec-img img{margin:0 auto 0 0}@media(max-width:767px){.tdi_4.td-a-rec-img{text-align:center}}

RELATED ARTICLES

Most Popular

Recent Comments