Tag: SonarQube tutorial

How can we do the security analysis using SonarQube?

by scmgalaxy KSonarQubeLeave a Comment on How can we do the security analysis using SonarQube?

security-analysis-using-sonarqube

How can we do the Security analysis using SonarQube?

For Security analysis purposes, a source code security analyzer
– examines source code to
– detect and report weaknesses that can lead to security vulnerabilities.

 

They are one of the last lines of defense to eliminate software vulnerabilities during development or after deployment. A Source Code Security Analysis Tool Functional Specification is available.

 

The SonarQube Quality Model has three different types of rules: Reliability (bug), Vulnerability (security), and Maintainability (code smell) rules. But divided another way, there are only two types: security rules, and all the rest.

 

To be clear, the standard for most rules implemented in SonarQube language plugins is very strict: no false positives. For normal rules, you should be able to be confident that whatever is reported to you as an issue really is an issue.

 

The vast majority of security-related rules originate from established standards: CWE, SANS Top 25, and OWASP Top 10. To find rules that relate to any of these standards, you can search rules either by tag or by text.

 

CWE – Common Weakness Enumeration (CWE™) is a formal list or dictionary of common software weaknesses that can occur in software’s architecture, design, code or implementation that can lead to exploitable security vulnerabilities.

 

SANS Top 25 – The SANS Top 25 list is a collection of the 25-most dangerous errors listed in the CWE, as compiled by the SANS organization.

 

OWASP Top 10 – OWASP stands for Open Web Application Security Project.The OWASP Top 10 is a list of broad categories of weaknesses, each of which can map to many individual rules.

 

XANITIZER – XANITIZER provides an integration with the code quality management platform SonarQube. It transfers all security relevant XANITIZER findings to SonarQube. It is possible to display this data in the SonarQube dashboard and the corresponding drilldown pages and time machines.

 

Reference
Tagged : / / / /

SonarQube Upgrade, Backup and Restore Process | SonarQube Tutorial

by scmgalaxy KSonarQubeLeave a Comment on SonarQube Upgrade, Backup and Restore Process | SonarQube Tutorial

sonarqube-upgrade-backup-and-restore-process

 

SonarQube Upgrade, Backup and Restore Process

 

Today I will share the steps to upgrade from the SonarQube version 5.X to SonarQube version 6.X. We have upgrade guide which can be found http://docs.sonarqube.org/display/SONAR/Upgrading but its not complete guide thus I am sharing the steps as follows which can be followed for the production server as well.  As practice shared on the oficial guide that before upgrading to the next major release, you must upgrade to know LTS e.g
Example 1 : 4.2 -> 6.1, migration path is 4.2 -> 4.5.7 LTS -> 5.6 LTS -> 6.1
Example 2 : 5.1 -> 5.6, migration path is 5.1 -> 5.6

 

Upgrading across multiple versions is handled automatically. However, if in your migration path you have an LTS version, you must first migrate to this LTS and then migrate to your target version.

 

Remember that SonarQube upgrade procedure does not have a rollback procedure, so it is mandatory that you take a full backup of the system before performing the upgrade.

 

Process 1: Steps to Take a Full Backup of SonarQube Server?

Step 1 – Stop the production server
Windows
%SONARQUBE_HOME%/bin/windows-x86-32/StopNTService.bat
Linux
$SONAR_HOME/bin/linux-x86-64/sonar.sh stop
Step 2 – Backup the production database e.g mysql db
> mysqldump –opt -Q -h localhost -u username–password=’password’ databasename | gzip -9 > databasename.gz
Also, there is one tool which has been available to take the backup of database.
Step 3 – Backup the $SONAR_HOME directory
> zip -r Sonar_home.zip $SONAR_HOME
Step 4 – List of plugins installed
Be mindful that $SONAR_HOME/extensions/plugins directory where you can get the list of plugins installed.
Step 5 – List of custom coding rules installed
Be mindful that $SONAR_HOME/extensions/rules directory where you can get the list of custom coding rules.
Step 6 – List of configurations used
Be mindful that $SONAR_HOME/config directory where you can get sonar.properties and wrapper.conf file which has all the current configurations and setup.
Step 7 – Re-start the production server
Windows
%SONARQUBE_HOME%/bin/windows-x86-32/StartSonar.bat
Linux
$SONAR_HOME/bin/linux-x86-64/sonar.sh start
Step 8: Keep the Sonar_home.zip and databasename.gz to the safe location.

 

Process 2: SonarQube server Upgrade process.

Following are the steps to be followed to upgrade the SonarQube server.
Step 1: Stop your old SonarQube Server.
Step 2: Install/Configure a most latest version of SonarQube 
Install/Configure a most latest version of SonarQube Server in another location. The instructions is shared here (https://docs.sonarqube.org/display/SONAR/Installing+the+Server)
Step 3: Install the your required plugins/extensions compatible with your version of SonarQube. The Instructions is shared here.(https://docs.sonarqube.org/display/SONAR/Installing+a+Plugin)
Step 4: Update the contents of sonar.properties and wrapper.conf files (in NEW_SONARQUBE_HOME/conf) with the settings of the related files in the OLD_SONARQUBE_HOME/conf directory (web server URL, database, ldap settings, etc.). Do not copy-paste the old files.
If you are using the Oracle DB, copy its JDBC driver into NEW_SONARQUBE_HOME/extensions/jdbc-driver/oracle
Step 5: Start your new SonarQube Server
Windows
%SONARQUBE_HOME%/bin/windows-x86-32/StartSonar.bat
Linux
$SONAR_HOME/bin/linux-x86-64/sonar.sh start
Step 7: Verify the SonarQube Upgrade.

 

Note – SonarQube as a Linux or Windows Service
If you use external configuration, such as a script or Windows Service to control your server, you’ll need to update it to point to NEW_SONARQUBE_HOME.
In case you used the InstallNTService.bat to install SonarQube as a Windows Service, run the OLD_SONARQUBE_HOME/bin/…/UninstallNTService.bat before running the InstallNTService.bat of the NEW_SONARQUBE_HOME.
If you install SonarQube with Sql Server, it is better to chose Latin1_General_CS_AS as collation to avoid problems.

 

Some Well known Troubleshooting after upgrades.
Issues – Sonarqube upgrade 5.6 to 6.1, test coverage measue is missing
Solution – You might be missing the sonar.java.binaries. Sonar-5.6 did not need those.
Issues – Some unknown issues
Solution – Whenever you have problem with SonarQube do not forget to read the log, because only in the log you can understand the real cause of errors.

 

Reference
Tagged : / / / / / / /

What is SonarQube and What is not?

by scmgalaxy KSonarQubeLeave a Comment on What is SonarQube and What is not?

what-is-sonarqube

 

What is SonarQube?

It’s a code quality management platform that allows developer teams to manage, track and eventually improve the quality of the source code.  It’s a web based application that keeps historical data of a variety of metrics and gives trends of leading and lagging indicators for all seven deadly sins of developers.
Sonar is an open source platform used by development teams to manage source code quality. Sonar has been developed with a main objective in mind: make code quality management accessible to everyone with minimal effort.

As such, Sonar provides code analyzers, reporting tools, defects hunting modules and TimeMachine as core functionality. But it also embarks a plugin mechanism enabling the community to extend the functionality (more than 35 plugins available), making Sonar the one-stop-shop for source code quality by addressing not only developers but also managers needs.


Main Feature of SonarQube

Continuous Inspection
SonarQube provides the capability to not only show health of an application but also to highlight issues newly introduced. With a Quality Gate in place, you can fix the leak and therefore improve code quality mechanically.
Detect Tricky Issues
Our code analyzers are equipped powerful path sensitive dataflow engines to detect tricky issues such as null-pointers dereferences, logic errors, resource leaks
Centralize Quality
One place to provide a shared vision of code quality for developers, tech leads, managers and executives in charge of a few to a few thousands projects and also to act as a toll gate for application promotion or release.
DevOps Integration
SonarQube integrates with the entire DevOps toolchain including build systems, CI engines, promotion pipelines… using webhooks and its comprehensive RestAPI.
20+ Programming Languages
With SonarQube comes a code analyzer for each major programming language. Each analyzer provides numerous rules to spot general and language-specific quality issues.

 

What SonarQube is Not?

SonarQube is NOT a build tool. Period. There are several tools out there like Maven, Ant, Gradle etc. that do a perfect job on that field. SonarQube expects that before you analyze a project it has been already compiled and built by your favorite build tool.
SonarQube is NOT (only) a static code analyzer : It’s not a replacement for FindBugs or CPPCheck or any other similar tool. On the contrary, not only it offers its own static code analysis mechanism that detects coding rules violations but at the same time it’s integrated with external tools like the ones I mentioned. The result is that you can get, homogenized, in a single report all issues detected by a variety of static and dynamic analysis tools.
SonarQube is NOT a code coverage tool : Clearly NOT. Again it’s integrated with the most popular test coverage tools like JaCoCo, Cobertura, PHPUnit etc. but it doesn’t compute code coverage itself. It reads pre-generated unit test report files and displays them in an extremely convenient dasboard.
SonarQube is NOT a code formatter. It’s not allowed to modify your code in any way. However you can get formatting suggestions by enabling the CheckStyle, CPPCheck, ScalaStyle rules you want to follow.
SonarQube is NOT a continuous integration system to run your nightly builds : You can integrate it with the most popular CI Engines to apply Continuous Inspection but it’s not their replacement.

SonarQube is NOT just another manual code review tool. Indeed SonarQube offers a very powerful mechanism that facilitates code reviews but this is not a standalone features. It’s tight to the issues detection mechanism so every code review can be easily associated to the exact part of the problematic code and the developer that caused it.

Reference
https://www.sonarqube.org/
http://softwaregarden.io/sonarqube/

 

Tagged : / / / / / / /