linux-sonarqube

Published 2023-04-18 22:51:02 Author: wh459086748

sonarqube

I. Overview

Commonly used security scanning tools:
SonarQube  (static analysis of source code, i.e. SAST; the subject of this post)
OpenVAS    (network / host vulnerability scanner)
Nessus     (network / host vulnerability scanner)
OWASP      (the project's tools, e.g. OWASP ZAP for web applications)
AppScan    (web application scanner)

1. What is SonarQube

SonarQube is an open-source code quality management platform that detects bugs, vulnerabilities and rule violations (code smells) in source code. It integrates with an existing GitLab and Jenkins setup so that the code is inspected continuously every time the project is pulled and built.

2. Prerequisites for running SonarQube

A small (personal or small-team) SonarQube server instance needs at least 2GB of RAM to run efficiently, plus 1GB of free RAM for the operating system; in practice plan on 4GB for a small instance and 16GB for a large one, because an Elasticsearch node runs inside the SonarQube process.
1. SonarQube is written in Java, so a JDK is required. The major version depends on the SonarQube version: OpenJDK 8 for 7.7, OpenJDK 11 for 8.9 LTS (see the next section).
2. SonarQube needs an external database. Versions up to 7.8 support MySQL (5.6 or later); from 7.9 onward MySQL support was dropped and PostgreSQL, Oracle or Microsoft SQL Server must be used.
3. The embedded Elasticsearch needs raised kernel and file-descriptor limits (vm.max_map_count, nofile); these are set further below.

3. Software requirements

SonarQube version   JDK       Database
7.7                 JDK 1.8   MySQL 5.6+ (5.7 used in section III)
8.9 LTS             JDK 11    PostgreSQL (9.6 used in section II)

Note on databases: MySQL support was removed in SonarQube 7.9. From 7.9 on the supported databases are PostgreSQL, Oracle and Microsoft SQL Server, which is why the 8.9 LTS install below uses PostgreSQL.

II. Installing the SonarQube service: 8.9 LTS (PostgreSQL)

1. Environment preparation

[root@sonarqube ~]# systemctl stop firewalld
[root@sonarqube ~]# systemctl disable firewalld
[root@sonarqube ~]# setenforce 0
# Lab shortcut only. On a real host keep firewalld running and SELinux enforcing, and open just 9000/tcp for the clients that need it (5432/tcp only if the database lives on another machine).

2. Install SonarQube dependencies

[root@sonarqube ~]# yum install -y java-11-openjdk unzip wget
# 8.9 LTS requires Java 11; java-11-openjdk is the package name (the shorter "java-11" in the original resolves to the same package).

3. Install the database used by SonarQube: PostgreSQL

#01. Configure the repository (/etc/yum.repos.d/psql.repo)
[psql]
name=psql repo
baseurl=https://mirrors.tuna.tsinghua.edu.cn/postgresql/repos/yum/9.6/redhat/rhel-7.9-x86_64/
enabled=1
gpgcheck=0
# gpgcheck=0 skips package signature verification. For anything beyond a lab, import the PGDG signing key and set gpgcheck=1 so a tampered mirror cannot hand you a modified package.

#02. Install
yum install -y postgresql96-server

#03. Initialize the database cluster (the PGDG 9.6 packages put the setup script under /usr/pgsql-9.6/bin)
/usr/pgsql-9.6/bin/postgresql96-setup initdb
systemctl enable postgresql-9.6.service
systemctl start postgresql-9.6.service

ss -lntup |grep post  # listening on port 5432

#04. Create the user and the database
[root@sonarqube ~]# tail -1 /etc/passwd
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
[root@sonarqube ~]# su - postgres
[postgres@sonarqube ~]$
[postgres@sonarqube ~]$ psql
psql (9.2.24)          # the stock CentOS 7 client binary is first in PATH; the server itself is 9.6
Type "help" for help.
CREATE USER sonar WITH PASSWORD 'oldboy';   # 'oldboy' is the lab password; use a long random one, it ends up in sonar.properties
CREATE DATABASE sonar OWNER sonar;
GRANT ALL PRIVILEGES ON DATABASE sonar TO sonar;

# Edit the PostgreSQL client-authentication file so the sonar user can log in with a password
/var/lib/pgsql/9.6/data/pg_hba.conf
# "local" is for Unix domain socket connections only
local   all             all                         md5
# IPv4 local connections:
host    all             all         127.0.0.1/32    md5
# Reload PostgreSQL afterwards (systemctl reload postgresql-9.6) for the change to take effect. Keep the host rule limited to 127.0.0.1; do not widen it to 0.0.0.0/0 to "make it work".

# Adjust limits for the embedded Elasticsearch
# Raise the open-file limit: for the current shell, and persistently via limits.conf
ulimit -n 65536
/bin/echo '*   -   nofile   65536' >>/etc/security/limits.conf

# Kernel parameter: Elasticsearch refuses to start (bootstrap check) if vm.max_map_count is below 262144
echo 'vm.max_map_count=262144' >>/etc/sysctl.conf
sysctl -p
# The values SonarQube 8.9 documents for Linux are higher (vm.max_map_count=524288, fs.file-max=131072, nofile 131072, nproc 8192); 262144/65536 are the minimums that let Elasticsearch pass its checks.

4. Deploy SonarQube

#01. Unpack
unzip sonarqube-8.9.2.46101.zip -d /usr/local/
useradd sonar    # SonarQube (its embedded Elasticsearch) refuses to run as root, so a dedicated user is required
#02. Create a symlink
ln -s /usr/local/sonarqube-8.9.2.46101/ /usr/local/sonarqube
#03. Fix ownership (trailing slash, so chown -R follows the symlink into the real directory)
chown -R sonar.sonar /usr/local/sonarqube/

What remains is to point conf/sonar.properties at PostgreSQL (sonar.jdbc.username, sonar.jdbc.password and a sonar.jdbc.url of the form jdbc:postgresql://localhost:5432/sonar; the same three keys are shown for the MySQL case in section III) and to start the server as the sonar user with bin/linux-x86-64/sonar.sh start.
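The following script is an added example that completes the 8.9 LTS procedure above; it is not part of the original post. It checks the kernel and ulimit values against the ones SonarQube 8.9 documents, appends the PostgreSQL connection settings to conf/sonar.properties, and installs a systemd unit that runs SonarQube as the unprivileged sonar user. Assumptions: SonarQube is unpacked at /usr/local/sonarqube, the database user/name are sonar/sonar as created above, and the database password is supplied through the PG_PASSWORD environment variable (the name is the script's own) so it never appears on a command line.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): finish the SonarQube 8.9 LTS deployment.
# Assumed layout: /usr/local/sonarqube, user "sonar", PostgreSQL user/db "sonar"/"sonar".
set -eu

SONAR_HOME=${SONAR_HOME:-/usr/local/sonarqube}
PG_USER=${PG_USER:-sonar}
PG_DB=${PG_DB:-sonar}

# check_ge NAME ACTUAL MINIMUM: 0 if ACTUAL >= MINIMUM (or unlimited), else 1 plus a message.
check_ge() {
  [ "$2" = unlimited ] && return 0
  if [ "$2" -ge "$3" ]; then
    return 0
  fi
  echo "FAIL: $1=$2, need >= $3" >&2
  return 1
}

# Values SonarQube 8.9 documents for Linux; Elasticsearch aborts at start if they are too low.
check_prereqs() {
  check_ge vm.max_map_count "$(sysctl -n vm.max_map_count)" 524288 &&
  check_ge fs.file-max "$(sysctl -n fs.file-max)" 131072 &&
  check_ge 'ulimit -n' "$(ulimit -n)" 131072 &&
  check_ge 'ulimit -u' "$(ulimit -u)" 8192
}

# Database section for conf/sonar.properties (USER DB PASSWORD).
render_sonar_properties() {
  cat <<EOF
sonar.jdbc.username=$1
sonar.jdbc.password=$3
sonar.jdbc.url=jdbc:postgresql://localhost:5432/$2
# Optional hardening: bind to loopback and put a TLS reverse proxy in front.
# Leave it commented out if, as in this post, Jenkins talks to port 9000 directly.
#sonar.web.host=127.0.0.1
EOF
}

# systemd unit (HOME USER). SonarQube must not run as root; the Limit* lines
# apply the Elasticsearch limits to the service regardless of limits.conf.
render_systemd_unit() {
  cat <<EOF
[Unit]
Description=SonarQube
After=network.target postgresql-9.6.service

[Service]
Type=forking
ExecStart=$1/bin/linux-x86-64/sonar.sh start
ExecStop=$1/bin/linux-x86-64/sonar.sh stop
User=$2
Group=$2
LimitNOFILE=131072
LimitNPROC=8192
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF
}

main() {
  : "${PG_PASSWORD:?set PG_PASSWORD in the environment, not on the command line}"
  check_prereqs
  render_sonar_properties "$PG_USER" "$PG_DB" "$PG_PASSWORD" >>"$SONAR_HOME/conf/sonar.properties"
  chown sonar:sonar "$SONAR_HOME/conf/sonar.properties"
  chmod 640 "$SONAR_HOME/conf/sonar.properties"   # the file now holds a database password
  render_systemd_unit "$SONAR_HOME" sonar >/etc/systemd/system/sonarqube.service
  systemctl daemon-reload
  systemctl enable --now sonarqube
}

# Only act when invoked as "deploy-sonar.sh apply"; sourcing the file just defines the functions.
if [ "${1:-}" = apply ]; then main; fi
```

Run it as root on the SonarQube host with PG_PASSWORD='...' bash deploy-sonar.sh apply. If check_prereqs prints a FAIL line, fix that sysctl or limit first; otherwise SonarQube will start, log the same complaint into logs/es.log and stop again.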

III. Installing the SonarQube service: 7.7 (MySQL 5.7)

Machine     Hostname    RAM   IP addresses
gitlab      gitlab      4G    10.0.0.71/172.16.1.71
jenkins     jenkins     4G    10.0.0.72/172.16.1.72
sonarqube   sonarqube   3G    10.0.0.73/172.16.1.73

1. Install the JDK

[root@sonar ~]# yum install -y java-1.8.0-openjdk    # SonarQube 7.7 runs on Java 8; naming the package avoids picking up another JDK version

2. Install the database

# Install from yum
[root@sonarqube ~]# cat /etc/yum.repos.d/mysql.repo
[mysql-connectors-community]
name=MySQL Connectors Community
baseurl=https://mirrors.tuna.tsinghua.edu.cn/mysql/yum/mysql-connectors-community-el7-$basearch/
enabled=1
gpgcheck=0
gpgkey=https://repo.mysql.com/RPM-GPG-KEY-mysql


[mysql-5.7-community]
name=MySQL 5.7 Community Server
baseurl=https://mirrors.tuna.tsinghua.edu.cn/mysql/yum/mysql-5.7-community-el7-$basearch/
enabled=1
gpgcheck=0
gpgkey=https://repo.mysql.com/RPM-GPG-KEY-mysql

[mysql-8.0-community]
name=MySQL 8.0 Community Server
baseurl=https://mirrors.tuna.tsinghua.edu.cn/mysql/yum/mysql-8.0-community-el7-$basearch/
enabled=0
gpgcheck=0
gpgkey=https://repo.mysql.com/RPM-GPG-KEY-mysql

# gpgcheck=0 disables signature checking even though the MySQL signing key is named in gpgkey; set gpgcheck=1 so packages from the mirror are verified against it.

[root@sonarqube ~]# yum install -y mysql-community-server mysql-community-devel mysql-community-client

# Install from local rpms
[root@sonar ~]# ll
total 486392
-rw-r--r--  1 root root 225167470 Mar 29 15:24 mysql-5.7-rpms.tar.gz

[root@sonar ~]# tar xf mysql-5.7-rpms.tar.gz
[root@sonar ~]# ll
total 486392
drwxr-xr-x  2 root root       332 Mar 29 15:22 mysql-5.7
-rw-r--r--  1 root root 225167470 Mar 29 15:24 mysql-5.7-rpms.tar.gz
[root@sonar ~]# cd mysql-5.7/
[root@sonar ~/mysql-5.7]# yum -y localinstall *.rpm

# Start MySQL
[root@sonar ~/mysql-5.7]# systemctl enable mysqld
[root@sonar ~/mysql-5.7]# systemctl start mysqld

# Find the generated temporary root password
[root@sonar ~/mysql-5.7]# grep -i 'password' /var/log/mysqld.log
2023-03-29T12:31:29.729678Z 1 [Note] A temporary password is generated for root@localhost: 6JP<*>&&m;1?
# the string after "root@localhost:" is the password

# Secure the installation
[root@sonar ~/mysql-5.7]#  mysql_secure_installation

Securing the MySQL server deployment.

Enter password for user root:  # enter the temporary password from above

The existing password for the user account root has expired. Please set a new password.

New password: # enter a new password; validate_password requires upper- and lower-case letters, digits and special characters

Re-enter new password:
The 'validate_password' plugin is installed on the server.
The subsequent steps will run with the existing configuration
of the plugin.
Using existing password for root.

Estimated strength of the password: 100
Change the password for root ? ((Press y|Y for Yes, any other key for No) : # just press Enter, it was set above
Remove anonymous users? (Press y|Y for Yes, any other key for No) : y
Disallow root login remotely? (Press y|Y for Yes, any other key for No) : y
Remove test database and access to it? (Press y|Y for Yes, any other key for No) : y
Reload privilege tables now? (Press y|Y for Yes, any other key for No) : y
Success.
All done!


# Create the database and the user
[root@sonar ~/mysql-5.7]# mysql -uroot -p
Enter password:
mysql> create database sonarqube  charset utf8;
Query OK, 1 row affected (0.00 sec)

mysql> grant all on sonarqube.*  to 'sonarqube'@'localhost' identified by '<password for the sonarqube user>';
Query OK, 0 rows affected, 1 warning (0.00 sec)
# The account is restricted to localhost and to the sonarqube schema, which is all SonarQube needs; do not put the root account into sonar.properties instead.

3. Deploy SonarQube

[root@sonar ~]# mkdir -p /app/tools
[root@sonar ~]# unzip sonarqube-7.7.zip -d /app/tools
# The post skips two steps here. unzip produces /app/tools/sonarqube-7.7, yet the commands below use /app/tools/sonar and the files end up owned by a sonar user, so the directory was linked (the trailing-slash remark below only makes sense for a symlink) and the user created:
[root@sonar ~]# useradd sonar
[root@sonar ~]# ln -s /app/tools/sonarqube-7.7 /app/tools/sonar
[root@sonar /app/tools]# chown  -R sonar.sonar  /app/tools/sonar
[root@sonar /app/tools]# chown  -R sonar.sonar  /app/tools/sonar/
# Without the trailing slash chown -R does not follow the /app/tools/sonar symlink, so only the link target directory itself changes owner; with the slash it descends into the real directory and changes the files below it.
[root@sonar /app/tools/sonar]# ll
total 12
drwxr-xr-x 6 sonar sonar   94 Mar 20  2019 bin
drwxr-xr-x 2 sonar sonar   50 Mar 20  2019 conf
-rw-r--r-- 1 sonar sonar 7651 Mar 20  2019 COPYING
drwxr-xr-x 2 sonar sonar   24 Mar 20  2019 data
drwxr-xr-x 7 sonar sonar  131 Mar 20  2019 elasticsearch
drwxr-xr-x 4 sonar sonar   40 Mar 20  2019 extensions
drwxr-xr-x 6 sonar sonar   91 Mar 20  2019 lib
drwxr-xr-x 2 sonar sonar   24 Mar 20  2019 logs
drwxr-xr-x 2 sonar sonar   24 Mar 20  2019 temp
drwxr-xr-x 9 sonar sonar 4096 Mar 20  2019 web


# Point SonarQube at the database in conf/sonar.properties
[root@sonar /app/tools/sonar]# egrep -v '^$|#' /app/tools/sonar/conf/sonar.properties
sonar.jdbc.username=sonarqube   # the user created in MySQL above
sonar.jdbc.password=            # that user's password; the file now holds a secret, so keep it owned by sonar with mode 640
sonar.jdbc.url=jdbc:mysql://localhost:3306/sonarqube?useUnicode=true&characterEncoding=utf8&rewriteBatchedStatements=true&useConfigs=maxPerformance&useSSL=false
# database name and connection URL; useSSL=false is acceptable only because the connection stays on localhost


# Start as the sonar user (SonarQube refuses to run as root)
[root@sonar /app/tools/sonar]# su  - sonar  -c  '/app/tools/sonar/bin/linux-x86-64/sonar.sh start '
Starting SonarQube...
Started SonarQube.
[root@sonar /app/tools/sonar]# ss -lnutp|grep 9000
tcp    LISTEN     0      25     [::]:9000               [::]:*                   users:(("java",pid=3399,fd=124))

# Startup is slow: "Started SonarQube." only means the wrapper launched, and the web UI answers once Elasticsearch and the web server are up. Wait, then open
http://sonar.cn:9000/
# The listener is bound to every interface, without TLS. Beyond a lab, put a TLS reverse proxy in front and restrict which hosts can reach 9000.


4. Install plugins

# The bundle contains newer versions of plugins that already ship with SonarQube, and SonarQube refuses to start when two versions of the same plugin are present, so delete the originals first
[root@sonar ~]# rm -rf /app/tools/sonar/extensions/plugins/*
[root@sonar ~]# tar xf sonarqube_7.7.plugins_new.tar.gz  -C /app/tools/sonar/extensions/
[root@sonar ~]# ls /app/tools/sonar/extensions/plugins/ |wc -l
21
[root@sonar ~]# su  - sonar  -c  '/app/tools/sonar/bin/linux-x86-64/sonar.sh restart '

# After the plugins are installed the web UI appears in Chinese (the bundle includes a Chinese language pack).
# Plugins run inside the SonarQube JVM with full access to the database and to every analyzed source tree, so only install jars whose origin you can verify: the official Marketplace, or a bundle whose checksums you have checked.


Troubleshooting

All logs live under /app/tools/sonar/logs/:

access.log   HTTP access log of the web server (who called which URL)
ce.log       Compute Engine: processing of the analysis reports submitted by scanners
es.log       the embedded Elasticsearch; bootstrap-check failures such as a low vm.max_map_count end up here
sonar.log    the main process / wrapper log; start here
web.log      the web server, including database connection (JDBC) errors

5. Log in

Username: admin

Password: admin

Change the default password at first login: otherwise anyone who can reach port 9000 can administer the server and read every project's source and findings.


Analyzing a Java project

In the web UI create a project (project key sonar-java) and generate a token for it. SonarQube shows the token only once, then displays the ready-made scanner command. The token generated here was

b1a82e5a7ee98b3827adbee736c6743946867915

and the command for a Maven project is:

mvn sonar:sonar \
  -Dsonar.projectKey=sonar-java \
  -Dsonar.host.url=http://sonar.cn:9000 \
  -Dsonar.login=b1a82e5a7ee98b3827adbee736c6743946867915

The token is a credential: whoever holds it can submit analyses as this user. Passed on the command line it lands in shell history and in Jenkins job configuration, and a token that has been pasted into a post like this one should be treated as compromised and revoked (My Account > Security).

6. Manual test

# Use an existing project from the Jenkins workspace; sonar.cn resolves through /etc/hosts
[root@jenkins /var/lib/jenkins/workspace/hello_word_maven_job]# cat /etc/hosts
172.16.1.73 sonar.cn
[root@jenkins ~]# cd /var/lib/jenkins/workspace/hello_word_maven_job
[root@jenkins /var/lib/jenkins/workspace/hello_word_maven_job]# mvn sonar:sonar \
>   -Dsonar.projectKey=sonar-java \
>   -Dsonar.host.url=http://sonar.cn:9000 \
>   -Dsonar.login=b1a82e5a7ee98b3827adbee736c6743946867915
[INFO] ANALYSIS SUCCESSFUL, you can browse http://sonar.cn:9000/dashboard?id=sonar-java
[INFO] Note that you will be able to access the updated dashboard once the server has processed the submitted analysis report
[INFO] More about the report processing at http://sonar.cn:9000/api/ce/task?id=AYctcqhjgnWt632ROvUs
[INFO] Analysis total time: 17.248 s
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  31.382 s
[INFO] Finished at: 2023-03-29T20:58:22+08:00
[INFO] ------------------------------------------------------------------------
# "ANALYSIS SUCCESSFUL" only means the report was uploaded. The Compute Engine task at the api/ce/task URL above processes it afterwards; the dashboard and the quality gate result are updated only when that task reaches SUCCESS, which is why BUILD SUCCESS here says nothing about whether the code passed the gate.
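The script below is an added example, not code from the original post, and ties together three points made above: the server takes a while to come up after "Started SonarQube.", the token should not be pasted into commands or the Jenkins Goals field, and "ANALYSIS SUCCESSFUL" is only an upload confirmation. It waits for api/system/status to report UP, runs the Maven analysis with the token taken from a SONAR_TOKEN environment variable (a Jenkins "Secret text" credential can be bound to that name), reads the Compute Engine task id from the report-task.txt the scanner writes under target/sonar/, polls api/ce/task until the task finishes, and finally fails the build unless api/qualitygates/project_status reports OK. SONAR_URL, SONAR_TOKEN and PROJECT_KEY are the script's own variable names; the JSON shapes it parses follow the SonarQube web API.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): analyze, wait for the CE task, enforce the quality gate.
set -eu

SONAR_URL=${SONAR_URL:-http://sonar.cn:9000}
PROJECT_KEY=${PROJECT_KEY:-sonar-java}

# First "key":"value" occurrence in a JSON string. Sufficient for the flat fields used here;
# taking the FIRST match matters for project_status, where the overall status precedes
# the per-condition statuses.
json_first() {
  printf '%s' "$2" | grep -o "\"$1\":\"[^\"]*\"" | head -n 1 | cut -d'"' -f4
}

server_status()    { json_first status "$1"; }      # api/system/status: STARTING, UP, DB_MIGRATION_NEEDED, ...
task_status()      { json_first status "$1"; }      # api/ce/task: PENDING, IN_PROGRESS, SUCCESS, FAILED, CANCELED
task_analysis_id() { json_first analysisId "$1"; }  # set once the task has SUCCESS
gate_status()      { json_first status "$1"; }      # api/qualitygates/project_status: OK, WARN, ERROR, NONE

# ceTaskId= line from target/sonar/report-task.txt (content passed as one string)
ce_task_id() { printf '%s\n' "$1" | sed -n 's/^ceTaskId=//p'; }

# Authenticated call: the token is sent as the basic-auth username with an empty password.
api() { curl -sS -u "${SONAR_TOKEN}:" "${SONAR_URL}/api/$1"; }

wait_for_server() {
  local i
  for i in $(seq 1 60); do
    [ "$(server_status "$(curl -sS "${SONAR_URL}/api/system/status" || true)")" = UP ] && return 0
    sleep 5
  done
  echo "SonarQube did not reach status UP" >&2
  return 1
}

run_analysis_and_gate() {
  : "${SONAR_TOKEN:?export SONAR_TOKEN (generate it under My Account > Security)}"
  wait_for_server
  # The token is expanded from the environment, so it is not stored in the job config
  # or shell history; it is visible only to this process while mvn runs.
  mvn -q sonar:sonar \
    -Dsonar.projectKey="$PROJECT_KEY" \
    -Dsonar.host.url="$SONAR_URL" \
    -Dsonar.login="$SONAR_TOKEN"
  local task status analysis gate
  task=$(ce_task_id "$(cat target/sonar/report-task.txt)")
  while :; do
    status=$(task_status "$(api "ce/task?id=${task}")")
    case "$status" in
      SUCCESS) break ;;
      FAILED|CANCELED) echo "CE task $task ended with $status" >&2; return 1 ;;
      *) sleep 5 ;;
    esac
  done
  analysis=$(task_analysis_id "$(api "ce/task?id=${task}")")
  gate=$(gate_status "$(api "qualitygates/project_status?analysisId=${analysis}")")
  echo "quality gate for $PROJECT_KEY: $gate"
  [ "$gate" = OK ]
}

# Only act when invoked as "sonar-gate.sh run"; sourcing the file just defines the functions.
if [ "${1:-}" = run ]; then run_analysis_and_gate; fi
```

In Jenkins, bind the token credential to SONAR_TOKEN and call the script as the build step instead of putting sonar:sonar in the Goals field; a build then goes red when the gate fails, rather than only when the upload fails.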


7. Connecting to Jenkins

In the Jenkins Maven job, the Goals field is set to:

clean package sonar:sonar   -Dsonar.projectKey=${JOB_BASE_NAME}    -Dsonar.projectName=${JOB_BASE_NAME}   -Dsonar.host.url=http://sonar.cn:9000   -Dsonar.login=b1a82e5a7ee98b3827adbee736c6743946867915

${JOB_BASE_NAME} expands to the Jenkins job name, so every job gets its own SonarQube project: -Dsonar.projectName is the name shown in the SonarQube UI and -Dsonar.projectKey is the key used in dashboard URLs and API calls. (The screenshots showed the job configuration and the resulting project name and key in SonarQube.)

Do not leave the token in the Goals field: Jenkins stores it in plain text in the job's config.xml, where anyone with configure rights on the job can read it. Store it as a "Secret text" credential instead, bind it to an environment variable for the build, and pass -Dsonar.login=$SONAR_TOKEN.