Limited Time Offer!

For Less Than the Cost of a Starbucks Coffee, Access All DevOpsSchool Videos on YouTube Unlimitedly.
Master DevOps, SRE, DevSecOps Skills!

Enroll Now

How can we do the security analysis using SonarQube?

security-analysis-using-sonarqube

How can we do the Security analysis using SonarQube?

For Security analysis purposes, a source code security analyzer
– examines source code to
– detect and report weaknesses that can lead to security vulnerabilities.

 

They are one of the last lines of defense to eliminate software vulnerabilities during development or after deployment. A Source Code Security Analysis Tool Functional Specification is available.

 

The SonarQube Quality Model has three different types of rules: Reliability (bug), Vulnerability (security), and Maintainability (code smell) rules. But divided another way, there are only two types: security rules, and all the rest.

 

To be clear, the standard for most rules implemented in SonarQube language plugins is very strict: no false positives. For normal rules, you should be able to be confident that whatever is reported to you as an issue really is an issue.

 

The vast majority of security-related rules originate from established standards: CWE, SANS Top 25, and OWASP Top 10. To find rules that relate to any of these standards, you can search rules either by tag or by text.

 

CWE – Common Weakness Enumeration (CWE™) is a formal list or dictionary of common software weaknesses that can occur in software’s architecture, design, code or implementation that can lead to exploitable security vulnerabilities.

 

SANS Top 25 – The SANS Top 25 list is a collection of the 25-most dangerous errors listed in the CWE, as compiled by the SANS organization.

 

OWASP Top 10 – OWASP stands for Open Web Application Security Project.The OWASP Top 10 is a list of broad categories of weaknesses, each of which can map to many individual rules.

 

XANITIZER – XANITIZER provides an integration with the code quality management platform SonarQube. It transfers all security relevant XANITIZER findings to SonarQube. It is possible to display this data in the SonarQube dashboard and the corresponding drilldown pages and time machines.

 

Reference
Tagged : / / / /

SonarQube Upgrade, Backup and Restore Process | SonarQube Tutorial

sonarqube-upgrade-backup-and-restore-process

 

SonarQube Upgrade, Backup and Restore Process

 

Today I will share the steps to upgrade from the SonarQube version 5.X to SonarQube version 6.X. We have upgrade guide which can be found http://docs.sonarqube.org/display/SONAR/Upgrading but its not complete guide thus I am sharing the steps as follows which can be followed for the production server as well.  As practice shared on the oficial guide that before upgrading to the next major release, you must upgrade to know LTS e.g
Example 1 : 4.2 -> 6.1, migration path is 4.2 -> 4.5.7 LTS -> 5.6 LTS -> 6.1
Example 2 : 5.1 -> 5.6, migration path is 5.1 -> 5.6

 

Upgrading across multiple versions is handled automatically. However, if in your migration path you have an LTS version, you must first migrate to this LTS and then migrate to your target version.

 

Remember that SonarQube upgrade procedure does not have a rollback procedure, so it is mandatory that you take a full backup of the system before performing the upgrade.

 

Process 1: Steps to Take a Full Backup of SonarQube Server?

Step 1 – Stop the production server
Windows
%SONARQUBE_HOME%/bin/windows-x86-32/StopNTService.bat
Linux
$SONAR_HOME/bin/linux-x86-64/sonar.sh stop
Step 2 – Backup the production database e.g mysql db
> mysqldump –opt -Q -h localhost -u username–password=’password’ databasename | gzip -9 > databasename.gz
Also, there is one tool which has been available to take the backup of database.
Step 3 – Backup the $SONAR_HOME directory
> zip -r Sonar_home.zip $SONAR_HOME
Step 4 – List of plugins installed
Be mindful that $SONAR_HOME/extensions/plugins directory where you can get the list of plugins installed.
Step 5 – List of custom coding rules installed
Be mindful that $SONAR_HOME/extensions/rules directory where you can get the list of custom coding rules.
Step 6 – List of configurations used
Be mindful that $SONAR_HOME/config directory where you can get sonar.properties and wrapper.conf file which has all the current configurations and setup.
Step 7 – Re-start the production server
Windows
%SONARQUBE_HOME%/bin/windows-x86-32/StartSonar.bat
Linux
$SONAR_HOME/bin/linux-x86-64/sonar.sh start
Step 8: Keep the Sonar_home.zip and databasename.gz to the safe location.

 

Process 2: SonarQube server Upgrade process.

Following are the steps to be followed to upgrade the SonarQube server.
Step 1: Stop your old SonarQube Server.
Step 2: Install/Configure a most latest version of SonarQube 
Install/Configure a most latest version of SonarQube Server in another location. The instructions is shared here (https://docs.sonarqube.org/display/SONAR/Installing+the+Server)
Step 3: Install the your required plugins/extensions compatible with your version of SonarQube. The Instructions is shared here.(https://docs.sonarqube.org/display/SONAR/Installing+a+Plugin)
Step 4: Update the contents of sonar.properties and wrapper.conf files (in NEW_SONARQUBE_HOME/conf) with the settings of the related files in the OLD_SONARQUBE_HOME/conf directory (web server URL, database, ldap settings, etc.). Do not copy-paste the old files.
If you are using the Oracle DB, copy its JDBC driver into NEW_SONARQUBE_HOME/extensions/jdbc-driver/oracle
Step 5: Start your new SonarQube Server
Windows
%SONARQUBE_HOME%/bin/windows-x86-32/StartSonar.bat
Linux
$SONAR_HOME/bin/linux-x86-64/sonar.sh start
Step 7: Verify the SonarQube Upgrade.

 

Note – SonarQube as a Linux or Windows Service
If you use external configuration, such as a script or Windows Service to control your server, you’ll need to update it to point to NEW_SONARQUBE_HOME.
In case you used the InstallNTService.bat to install SonarQube as a Windows Service, run the OLD_SONARQUBE_HOME/bin/…/UninstallNTService.bat before running the InstallNTService.bat of the NEW_SONARQUBE_HOME.
If you install SonarQube with Sql Server, it is better to chose Latin1_General_CS_AS as collation to avoid problems.

 

Some Well known Troubleshooting after upgrades.
Issues – Sonarqube upgrade 5.6 to 6.1, test coverage measue is missing
Solution – You might be missing the sonar.java.binaries. Sonar-5.6 did not need those.
Issues – Some unknown issues
Solution – Whenever you have problem with SonarQube do not forget to read the log, because only in the log you can understand the real cause of errors.

 

Reference
Tagged : / / / / / / /