Static Application Security Testing using SonarQube



In this blog we are going to see how to set up SonarQube and conduct Static Application Security Testing (SAST) with it.

Please refer to the recent blogs to learn more about Static Application Security Testing.


What is SonarQube?


SonarQube SAST (static application security testing) is a tool used to detect security vulnerabilities (which require immediate action) and security hotspots (where human review is needed to know for sure whether there is a real issue) in the source code of an application. It typically identifies vulnerabilities such as buffer overflows, format string vulnerabilities, race conditions, etc.


Steps to conduct Static Application Security Testing using SonarQube


Step 1: Pull the SonarQube Docker image from Docker Hub
docker pull sonarqube



Step 2: Create Docker volumes for the SonarQube data, logs and extensions
docker volume create --name sonarqube_data
docker volume create --name sonarqube_logs
docker volume create --name sonarqube_extensions



Step 3: Run the SonarQube Docker container
docker run -d --name sonarqube -p <Local Host Port>:9000 -v sonarqube_data:/opt/sonarqube/data -v sonarqube_extensions:/opt/sonarqube/extensions -v sonarqube_logs:/opt/sonarqube/logs sonarqube



Step 4: Once the container is up and running, open the SonarQube URL (http://localhost:<localhost port>) in any browser and log in using the default username and password (admin:admin)

Step 5: Once logged in, change the default password



Step 6: Click the "Manually" button to create a new project for testing



Step 7: Enter the project name and the project key (a unique identifier for your project)



Step 8: In the project dashboard, click the "Locally" button to analyze the project locally



Step 9: Enter a name for the token that will be used to analyze this project, set its expiry date and click Generate



Step 10: Once the token is generated, copy it and click Continue



Step 11: Select the option that best describes your build. For demo purposes, I am selecting Other and then the OS; after this SonarQube provides the documentation and the command to run the scan



Step 12: Download SonarScanner and unzip it to run the scan locally
Link: https://docs.sonarqube.org/latest/analyzing-source-code/scanners/sonarscanner/



Step 13: Navigate to the SonarScanner bin folder and add it to the PATH environment variable



Step 14: Navigate to the folder that contains the source code and run the scan using the command that we got from the SonarQube documentation



Step 15: Once the scan is completed, go to the SonarQube dashboard and check the results under Security Hotspots and under the Vulnerability category in Issues
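The whole local workflow above, as an added shell script that is not part of the original post: it automates Steps 1-3 and 12-14, waits for the server before Step 4, and keeps the token from Step 10 in the SONAR_TOKEN environment variable instead of on the command line. It assumes docker, curl, sed and sonar-scanner are on PATH; the loopback-only port binding and the SONAR_TOKEN handling are this script's choices, not commands from the post.

```shell
# Added example, not from the original post: automates Steps 1-3 and 12-14.
# Assumes docker, curl, sed and sonar-scanner are on PATH and that the token
# from Step 10 is exported as SONAR_TOKEN (never on the command line or in a file).
set -eu
SONAR_PORT="${SONAR_PORT:-9000}"
SONAR_HOST_URL="http://localhost:${SONAR_PORT}"
# Steps 1-3: pull the image, create the volumes, start the container. The port
# is bound to loopback only: a fresh instance still has the admin:admin default.
start_sonarqube() {
  docker pull sonarqube
  for v in sonarqube_data sonarqube_logs sonarqube_extensions; do
    docker volume create --name "$v" >/dev/null
  done
  docker run -d --name sonarqube -p "127.0.0.1:${SONAR_PORT}:9000" \
    -v sonarqube_data:/opt/sonarqube/data \
    -v sonarqube_extensions:/opt/sonarqube/extensions \
    -v sonarqube_logs:/opt/sonarqube/logs sonarqube
}

# Extract the "status" field from a /api/system/status response (STARTING, UP, ...).
sonar_status() {
  printf '%s' "$1" | sed -n 's/.*"status":"\([A-Z_]*\)".*/\1/p'
}

# Step 4 needs a ready server: poll until the API reports UP (at most $1 tries).
wait_for_sonarqube() {
  tries=${1:-60}
  while [ "$tries" -gt 0 ]; do
    body=$(curl -sf "$SONAR_HOST_URL/api/system/status" || true)
    [ "$(sonar_status "$body")" = "UP" ] && return 0
    sleep 5
    tries=$((tries - 1))
  done
  return 1
}

# Step 14: write sonar-project.properties for the key ($1) and name ($2) chosen
# in Step 7 to file $3. The token deliberately stays out of this file.
write_properties() {
  printf 'sonar.projectKey=%s\nsonar.projectName=%s\nsonar.sources=.\nsonar.host.url=%s\n' \
    "$1" "$2" "$SONAR_HOST_URL" > "$3"
}
# Run from the source folder. Recent SonarScanner CLI releases read SONAR_TOKEN
# from the environment (assumed here); older ones need -Dsonar.login="$SONAR_TOKEN".
run_scan() {
  : "${SONAR_TOKEN:?export the token from Step 10 as SONAR_TOKEN}"
  write_properties "$1" "$2" sonar-project.properties
  sonar-scanner
}
```

Typical use: `start_sonarqube && wait_for_sonarqube`, finish Steps 4-11 in the browser, then `cd` into the source folder, export SONAR_TOKEN and call `run_scan <project key> "<project name>"`.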




Sahil Gupta

Application Security | DevSecOps | Secure SDLC | Penetration Tester (Web and API) | CEHv10 | IBM Certified Cybersecurity Analyst Professional
