DevSecOps-1: Installing and Running SonarQube, and Creating a SonarQube Project

Cumhur Akkaya
9 min read · Nov 12, 2023

In this article series, I will talk about the installation, concepts, and usage of SonarQube, Trivy, OWASP Dependency Check, OWASP ZAP, and JaCoCo. Also, I will show you step-by-step how to use them in practice, with hands-on.

In this article, we will install SonarQube Server with a PostgreSQL database on an Ubuntu server in the cloud, and then create a SonarQube project in order to integrate it into an Azure Pipeline that runs a microservice Java application. I will also talk about the installation, concepts, and usage of SonarQube in the introduction part of the article.

Topics we will cover:

  1. What is SonarQube?
    1. a. Components of the SonarQube Platform
    1. b. Using SonarQube
  2. Installing SonarQube Server with Postgresql Database
    2. a. Prerequisite
    2. b. Installation of SonarQube
    2. c. Running SonarQube
    2. d. Creating a SonarQube Project
  3. As a result
  4. Next post: “Integrating and Running SonarQube into Azure Pipelines, and Examining The Test Results from The Sonarqube Dashboard”
  5. References

If you like the article, I will be happy if you click the Medium Follow button to encourage me to write more, and not miss future articles.

Your clapping, following, or subscribing helps my articles to reach a broader audience. Thank you in advance for them.

In this article series, I will talk about the installation, concepts, and usage of SonarQube, Trivy, OWASP Dependency Check, OWASP ZAP, and JaCoCo. To describe them briefly:

SonarQube is a leading code quality and security tool used by over 400,000 organizations worldwide. The tool supports 30+ programming languages and offers a range of code analysis features, including static code analysis, security testing, and tracking of best practices (1a). It is a self-managed, automatic code review tool that helps you deliver Clean Code (1b). It is an open-source platform for continuous code quality inspection that includes static code analysis for identifying security vulnerabilities, i.e. it works as a Static Application Security Testing (SAST) tool (1). It also provides a dashboard for metrics and integration with development pipelines.

Trivy is a comprehensive and versatile security scanner (2). It is an open-source vulnerability scanner for containers and other artifacts, such as operating system packages and application dependencies. It scans container images and provides detailed reports on any vulnerabilities detected, including their severity and remediation steps (1). I will use Trivy as a container security tool in this article series. It identifies security vulnerabilities in container images and file systems, supporting multiple package managers and CI/CD integration for enhanced container security (3). It also finds IaC misconfigurations, discovers SBOMs, scans cloud resources, detects Kubernetes security risks, and more.

OWASP Dependency Check is a Software Composition Analysis (SCA) tool that attempts to detect publicly disclosed vulnerabilities contained within a project’s dependencies (4) and identifies known vulnerabilities in project dependencies (1). It scans project dependencies for known vulnerabilities and generates reports, helping developers address security issues in third-party libraries.

OWASP ZAP is a free Dynamic Application Security Testing (DAST) tool. OWASP ZAP (Zed Attack Proxy) is an open-source web application security scanner that helps you identify security vulnerabilities in web applications (1).

JaCoCo stands for “Java Code Coverage”. It is a tool for measuring and reporting code coverage for Java projects. JaCoCo uses class file instrumentation to record execution coverage data. Class files are instrumented on the fly using a so-called Java agent (5). It is based on Java bytecode and therefore also works without source files.

1. What is SonarQube?

SonarQube is a self-managed, automatic code review tool that systematically helps you deliver Clean Code. SonarQube integrates into your existing workflow and detects issues in your code to help you perform continuous code inspections of your projects. The tool analyses 30+ different programming languages (Java, C#, JavaScript, TypeScript, CloudFormation, Terraform, Kotlin, Ruby, Go, Scala, Flex, Python, PHP, HTML, CSS, XML, VB.NET, etc.). Also, depending on the version you use, the rule sets for these languages come predefined. It integrates into your CI pipeline and DevOps platform to ensure that your code meets high-quality standards. (6)

SonarQube helps to increase the quality of the code going to the production environment by comparing the code in the CI flow with the previous code and by analysing it statically.

The aspects SonarQube examines when analyzing the source code are:

  • Architecture and design
  • Unit tests
  • Duplicate code
  • Potential bugs
  • Complex code
  • Coding standards
  • Clean code

Sonar’s Clean as You Code approach eliminates many of the troubles that arise from reviewing code at a late stage in the development process. “Clean as You Code: No pain, lots to gain” (Bob Marley’s song came to my mind here, “No Woman, No Cry” :-) ).

1. a. Components of the SonarQube Platform

Figure 1 (Source: 7)

The SonarQube Platform is made of 4 components, as shown in Figure 1.

1. One SonarQube Server starting 3 main processes:

  • Web Server for developers, managers to browse quality snapshots and configure the SonarQube instance,
  • Search Server based on Elasticsearch to back searches from the UI,
  • Compute Engine Server in charge of processing code analysis reports and saving them in the SonarQube Database.

2. One SonarQube Database to store the configuration of the SonarQube instance (security, plugin settings, etc.) and the quality snapshots of projects, views, etc.

3. Multiple SonarQube Plugins installed on the server, possibly including language, SCM, integration, authentication, and governance plugins.

4. One or more SonarScanners running on your Build / Continuous Integration Servers to analyze projects.

1. b. Using SonarQube

The following schema shows how SonarQube integrates with other ALM (Application Lifecycle Management) tools and where the various components of SonarQube are used, as shown in Figure 2. (8)

Figure 2
  1. Developers code in their IDEs.
  2. Developers push their code into their favorite SCM: git, SVN, TFVC, …
  3. The Continuous Integration Server triggers an automatic build, and the execution of the SonarScanner required to run the SonarQube analysis.
  4. The analysis report is sent to the SonarQube Server for processing.
  5. SonarQube Server processes and stores the analysis report results in the SonarQube Database, and displays the results in the UI.
  6. Developers review, comment, and challenge their issues to manage and reduce their Technical Debt through the SonarQube UI.
  7. Managers receive Reports from the analysis.

2. Installing SonarQube

2. a. Prerequisite

You must be able to install Java (Oracle JRE or OpenJDK) on the machine where you plan to run SonarQube. You can download it from here.

2. b. Installation of SonarQube

Before starting the installation, make the following kernel settings, as shown in Figure 3.

sudo vi /etc/sysctl.conf
# Add the following lines to the bottom of that file:
vm.max_map_count=262144
fs.file-max=65536
# Apply the changes with the following command:
sudo sysctl -p
# Perform a system update with the following command:
sudo apt update
Figure 3

Note: If Docker Compose is not installed, install it with the following command:

sudo apt install docker-compose -y

Now, you can install SonarQube using the docker-compose.yml file below (9). The database credentials in it (sonar/sonar) are the example defaults; replace them with your own before running this on a server that is reachable from outside.

version: "3"
services:
  sonarqube:
    image: sonarqube:community
    depends_on:
      - db
    environment:
      SONAR_JDBC_URL: jdbc:postgresql://db:5432/sonar
      SONAR_JDBC_USERNAME: sonar
      SONAR_JDBC_PASSWORD: sonar
    volumes:
      - sonarqube_data:/opt/sonarqube/data
      - sonarqube_extensions:/opt/sonarqube/extensions
      - sonarqube_logs:/opt/sonarqube/logs
    ports:
      - "9000:9000"
  db:
    image: postgres:12
    environment:
      POSTGRES_USER: sonar
      POSTGRES_PASSWORD: sonar
    volumes:
      - postgresql:/var/lib/postgresql
      - postgresql_data:/var/lib/postgresql/data
volumes:
  sonarqube_data:
  sonarqube_extensions:
  sonarqube_logs:
  postgresql:
  postgresql_data:

Copy and save the entire content above as docker-compose.yml, then start the stack with the Docker Compose command below, as shown in Figure 4.

sudo docker-compose up -d
Figure 4

When the installation is complete you will see the following screen, as shown in Figure 5.

Figure 5

Make sure SonarQube is up and running by checking the logs with the following command:

sudo docker-compose logs --follow

When you see the message below, SonarQube has been installed successfully, as shown in Figure 6. To quit the log view, press “Control + C”.

Figure 6
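The following script is an added example, not part of the article: it checks the two kernel limits set above against the live /proc/sys values and then polls SonarQube’s unauthenticated /api/system/status endpoint until it reports UP, which is a more reliable readiness signal than eyeballing the logs. It assumes curl is installed on the host and that the base URL you pass (e.g. http://your_SonarQube_publicdns_name:9000) is the one from Figure 7.

```shell
#!/bin/sh
# Added example (not from the article). Pre-flight and readiness checks for the
# SonarQube + PostgreSQL compose stack. Assumes curl on the host and the
# SonarQube web server listening at the URL passed to wait_for_sonarqube.

# Kernel limits the article adds to /etc/sysctl.conf (needed by Elasticsearch).
REQUIRED_MAX_MAP_COUNT=262144
REQUIRED_FILE_MAX=65536

# limit_ok <actual> <required>: succeeds when actual >= required.
limit_ok() {
  [ "$1" -ge "$2" ] 2>/dev/null
}

# check_kernel_limits: compares the live /proc/sys values with the required
# ones and reports each one that is still too low. Returns 1 if any is.
check_kernel_limits() {
  rc=0
  actual_map=$(cat /proc/sys/vm/max_map_count 2>/dev/null || echo 0)
  actual_fm=$(cat /proc/sys/fs/file-max 2>/dev/null || echo 0)
  limit_ok "$actual_map" "$REQUIRED_MAX_MAP_COUNT" ||
    { echo "vm.max_map_count=$actual_map is below $REQUIRED_MAX_MAP_COUNT"; rc=1; }
  limit_ok "$actual_fm" "$REQUIRED_FILE_MAX" ||
    { echo "fs.file-max=$actual_fm is below $REQUIRED_FILE_MAX"; rc=1; }
  return $rc
}

# sonar_status <json>: pulls the "status" value (STARTING, UP, DOWN, ...) out
# of the JSON body returned by GET /api/system/status.
sonar_status() {
  printf '%s' "$1" | sed -n 's/.*"status"[[:space:]]*:[[:space:]]*"\([A-Z_]*\)".*/\1/p'
}

# wait_for_sonarqube <base_url> [attempts]: polls every 5 s until status is UP.
# "unreachable" means nothing is listening yet (or port 9000 is blocked).
wait_for_sonarqube() {
  base_url=$1; attempts=${2:-36}; i=0
  while [ "$i" -lt "$attempts" ]; do
    body=$(curl -fsS "$base_url/api/system/status" 2>/dev/null || true)
    st=$(sonar_status "$body")
    echo "attempt $((i + 1)): status=${st:-unreachable}"
    [ "$st" = "UP" ] && return 0
    i=$((i + 1)); sleep 5
  done
  return 1
}

# Usage: check_kernel_limits && wait_for_sonarqube http://your_SonarQube_publicdns_name:9000
```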

2. c. Running SonarQube

Now access the SonarQube UI from the browser by entering the public DNS name with port 9000, as shown in Figure 7.

http://your_SonarQube_publicdns_name:9000/
Figure 7

Click Log In and use the default “admin” as the username and password. Then, update your password, as shown in Figure 8.

Figure 8

SonarQube’s home page is opened, as shown in Figure 9.

Figure 9

2. d. Creating a SonarQube Project

Click + in the upper right corner → “Create project”, as shown in Figure 10. (or below in the left corner → “Create project manually”, as shown in Figure 9.)

Figure 10

Enter the project key sonar-aks-projects and the project name sonar-aks-projects and click the Next button, as shown in Figure 11.

Figure 11

Select “Use the global setting” and click the Create Project button, as shown in Figure 12.

Figure 12

Our project has been created. Now, select “With Azure Pipeline” in the window that opens, as shown in Figure 13.

Figure 13

The page with instructions for the project opens, as shown in Figure 14. All the steps required to analyze your project with SonarQube in Azure DevOps Pipelines are explained on this page.

Figure 14

When we click on the project button as shown in Figure 14, we can see that the project has been created, as shown in Figure 15. However, to integrate with Azure DevOps Pipelines, we need to complete the steps mentioned in the next article.

Figure 15

3. As a result

We learned detailed information about the SonarQube Server and installed SonarQube with a PostgreSQL database on an Ubuntu server in the cloud. Finally, we ran SonarQube and created a SonarQube project.

If you liked the article, I would be happy if you click on the Medium Follow button to encourage me to write more and not miss future articles.

Your clap, follow, or subscribe helps my articles reach a broader audience. Thank you in advance for them.

For more info and questions, please contact me on Linkedin or Medium.

4. Next post

In the next post, DevSecOps-2: Integrating and Running SonarQube into Azure Pipelines, and Examining The Test Results from The Sonarqube Dashboard, as shown in Figure 16, we will integrate the SonarQube Server into the Azure Pipeline that runs a microservice Java application. Then, we will create and run the Azure pipeline for SonarQube analysis. Finally, we will examine and evaluate the test results in the SonarQube dashboard. We will do all of this practically and step by step.

Figure 16 — DevSecOps-2: Integrating and Running SonarQube into Azure Pipelines, and Examining The Test Results from The Sonarqube Dashboard

Happy Clouding…

Don’t forget to follow my LinkedIn or Medium account to be informed about new articles.

Cumhur Akkaya

✦ DevOps/Cloud Engineer, ✦ Believes in learning by doing, ✦ Dedication To Lifelong Learning, ✦ Tea and Coffee Drinker. ✦ Linkedin: linkedin.com/in/cumhurakkaya