In this blog we are going to see how to set up SonarQube and conduct Static Application Security Testing (SAST) using SonarQube.
What is SonarQube?
SonarQube is a static application security testing (SAST) tool used to detect security vulnerabilities (findings that require immediate action) and security hotspots (security-sensitive code that needs human review to decide whether it is actually a problem) in the source code of an application. It typically identifies vulnerabilities such as buffer overflows, format string vulnerabilities, race conditions, etc.
Steps to conduct Static Application Security Testing using SonarQube
Step 1: Pull SonarQube docker image from Docker Hub
docker pull sonarqube
Step 2: Create Docker volumes for SonarQube Data, Logs, and Extensions
docker volume create --name sonarqube_data
docker volume create --name sonarqube_logs
docker volume create --name sonarqube_extensions
Step 3: Run SonarQube Docker Container
docker run -d --name sonarqube -p <Local Host Port>:9000 -v sonarqube_data:/opt/sonarqube/data -v sonarqube_extensions:/opt/sonarqube/extensions -v sonarqube_logs:/opt/sonarqube/logs sonarqube
Step 4: Once the container is up and running, open any browser at the SonarQube URL (http://localhost:<localhost port>) and log in to SonarQube using the default username and password (admin:admin)
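Steps 1 to 4 as a single script, added here as an example and not code from the original post or from the SonarQube project. It runs the same pull, volume and docker run commands, then polls the server's status endpoint until it reports UP, because the container is "up" well before the web UI is ready and a browser opened too early just gets a connection error. It assumes docker and curl are on PATH; the image name, host port and volume names are taken from the post's placeholders, and the sample JSON in the comments is constructed.

```shell
#!/bin/sh
# Added example, not code from the original post: automate Steps 1-4 and
# wait until the server actually reports UP before opening the browser.
# Assumes docker and curl are on PATH. Image name, host port and volume
# names are assumptions taken from the post's placeholders.

SONAR_IMAGE="${SONAR_IMAGE:-sonarqube}"      # Step 1: image from Docker Hub
SONAR_HOST_PORT="${SONAR_HOST_PORT:-9000}"   # the <Local Host Port> placeholder

# A host port must be all digits and within 1-65535; checking it here gives
# a clear error instead of a cryptic failure from `docker run -p`.
validate_port() {
    case "$1" in
        '' | *[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Pull the "status" value out of /api/system/status JSON, e.g. the constructed
# response {"id":"abc","version":"10.4.1","status":"UP"} -> UP.
# Plain sed so it works on a host without jq; prints nothing if absent.
sonar_status_field() {
    printf '%s' "$1" | sed -n 's/.*"status"[[:space:]]*:[[:space:]]*"\([A-Z_]*\)".*/\1/p'
}

# Poll the status endpoint until SonarQube reports UP (startup takes a minute
# or more). Gives up after $2 attempts, 5 s apart, so a CI job cannot hang.
wait_for_sonarqube() {
    port="$1"; tries="${2:-60}"
    url="http://localhost:${port}/api/system/status"
    while [ "$tries" -gt 0 ]; do
        body="$(curl -fsS "$url" 2>/dev/null || true)"
        if [ "$(sonar_status_field "$body")" = "UP" ]; then
            echo "SonarQube is UP at http://localhost:${port}"
            return 0
        fi
        tries=$((tries - 1))
        sleep 5
    done
    echo "SonarQube did not report UP in time; check: docker logs sonarqube" >&2
    return 1
}

# Steps 1-3 exactly as in the post, followed by the readiness wait.
main() {
    validate_port "$SONAR_HOST_PORT" || { echo "invalid SONAR_HOST_PORT: $SONAR_HOST_PORT" >&2; return 1; }
    docker pull "$SONAR_IMAGE"
    for vol in sonarqube_data sonarqube_logs sonarqube_extensions; do
        docker volume create --name "$vol" >/dev/null
    done
    docker run -d --name sonarqube -p "${SONAR_HOST_PORT}:9000" \
        -v sonarqube_data:/opt/sonarqube/data \
        -v sonarqube_extensions:/opt/sonarqube/extensions \
        -v sonarqube_logs:/opt/sonarqube/logs "$SONAR_IMAGE"
    wait_for_sonarqube "$SONAR_HOST_PORT"
    echo "Open http://localhost:${SONAR_HOST_PORT}, log in as admin:admin, and change that password right away (Step 5)."
}

# Only start containers when invoked as: sh setup-sonarqube.sh --run
# Sourcing the file just defines the functions.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it with `SONAR_HOST_PORT=9000 sh setup-sonarqube.sh --run`. The readiness loop is the part worth keeping even if you type the docker commands by hand: SonarQube answers `STARTING` (or `DB_MIGRATION_NEEDED` after an image upgrade) for a while before `UP`, and the script surfaces that instead of leaving you refreshing a blank page.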
Step 5: Once logged in, change the default password
Step 6: Click the "Manually" button to create a new project for testing
Step 7: Enter the project name and project key (a unique identifier for your project)
Step 8: In the project dashboard, click the "Locally" button to analyze the project locally.
Step 9: Enter a name for the token that will be used to analyze the current project, set an expiration date and click Generate
Step 10: Once the token is generated, copy it and click Continue
Step 11: Select the option that best describes your build. For demo purposes, I am selecting Other, then selecting the OS; after this SonarQube provides the documentation and the command to run the scan
Step 12: Download the SonarScanner and unzip it to run the scan locally
Link: https://docs.sonarqube.org/latest/analyzing-source-code/scanners/sonarscanner/
Step 13: Navigate to the SonarScanner bin folder and add it to the PATH environment variable
Step 14: Navigate to the folder that contains the source code and run the scan using the command we got from the SonarQube documentation
Step 15: Once the scan is completed, go to the SonarQube dashboard and check the results under the Security Hotspots and Vulnerability categories in Issues
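Steps 12 to 15 as a script, added here as an example and not code from the original post or from the SonarQube project. Two points it adds to the procedure above: the token from Step 10 is passed through the SONAR_TOKEN environment variable rather than typed on the command line, so it does not end up in shell history or in a sonar-project.properties file that gets committed; and the Step 15 result check is done against the Web API, which lets the same script fail a pipeline when open vulnerabilities exist. Assumptions: sonar-scanner is on PATH (Step 13), curl is installed, and the scanner honours the SONAR_TOKEN variable (true of current SonarScanner CLI releases; if yours does not, pass the token with the property named in the documentation SonarQube shows in Step 11). The project key, name, paths and sample JSON in the comments are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post or the SonarQube project:
# drive Steps 12-15 from a script so the token from Step 10 stays out of
# shell history and out of the properties file, then read the Step 15
# result counts from the Web API. Assumes sonar-scanner is on PATH (Step 13),
# curl is installed, the scanner honours the SONAR_TOKEN environment variable,
# and the project key/name come from Step 7. Key, name, paths and the sample
# JSON in the comments are constructed placeholders.

SONAR_HOST_URL="${SONAR_HOST_URL:-http://localhost:9000}"

# SonarQube accepts keys made of letters, digits, '-', '_', '.', ':' with at
# least one non-digit. Fail early rather than after a full scan upload.
validate_project_key() {
    case "$1" in
        '' | *[!A-Za-z0-9._:-]*) return 1 ;;
        *[!0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Emit a sonar-project.properties so Step 14 reduces to a bare `sonar-scanner`.
# Deliberately no sonar.token line: this file usually ends up in git.
write_sonar_properties() {
    printf 'sonar.projectKey=%s\nsonar.projectName=%s\nsonar.sources=%s\nsonar.host.url=%s\n' \
        "$1" "$2" "${3:-.}" "$SONAR_HOST_URL"
}

# Step 14: run the scanner inside the source directory. The token is read by
# the scanner from SONAR_TOKEN, so it never appears on the command line.
run_scan() {
    [ -n "${SONAR_TOKEN:-}" ] || { echo "SONAR_TOKEN is not set" >&2; return 1; }
    (cd "$1" && sonar-scanner)
}

# Extract "total":N from a Web API response such as the constructed
# {"total":3,"p":1,"ps":1,"paging":{"pageIndex":1,"pageSize":1,"total":3}}
# Plain sed, no jq; prints nothing when the field is missing.
json_total() {
    printf '%s' "$1" | sed -n 's/.*"total"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p'
}

# Step 15 from the terminal: open Vulnerabilities and Hotspots still TO_REVIEW.
# Returns non-zero when any vulnerability is open, so it can gate a pipeline.
# The token is sent as the basic-auth username with an empty password.
report_security_findings() {
    key="$1"
    vulns="$(curl -fsS -u "${SONAR_TOKEN}:" \
        "${SONAR_HOST_URL}/api/issues/search?componentKeys=${key}&types=VULNERABILITY&resolved=false&ps=1")"
    hotspots="$(curl -fsS -u "${SONAR_TOKEN}:" \
        "${SONAR_HOST_URL}/api/hotspots/search?projectKey=${key}&status=TO_REVIEW&ps=1")"
    nv="$(json_total "$vulns")"; nh="$(json_total "$hotspots")"
    echo "Open vulnerabilities:        ${nv:-unknown}"
    echo "Security hotspots to review: ${nh:-unknown}"
    [ -n "$nv" ] && [ "$nv" -eq 0 ]
}

main() {
    key="$1"; name="$2"; src="${3:-.}"
    validate_project_key "$key" || { echo "invalid project key: $key" >&2; return 1; }
    write_sonar_properties "$key" "$name" . > "${src}/sonar-project.properties"
    run_scan "$src"
    report_security_findings "$key"
}

# Usage: SONAR_TOKEN=<token from Step 10> sh sonar-scan.sh --run my-app "My App" ./src
# Without --run the file only defines the functions.
if [ "${1:-}" = "--run" ]; then
    shift
    main "$@"
fi
```

Hotspots are intentionally not counted as a failure: by the definition at the top of the post they need a human to decide, so the script only reports them, while open vulnerabilities make the exit status non-zero.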
Tags:
SAST