SonarQube and Java Projects

SonarQube is primarily a code quality scanner, but it has many capabilities that also make it a useful code vulnerability scanner. Using SonarQube to scan a Java project can be tricky, however, because the Java plugin for SonarQube has extra requirements. This article describes how to work with SonarQube in the context of using the ZeroNorth platform to scan Java projects.

Prerequisites

  • A fully built Java project (SonarQube cannot scan Java source code straight from a code repository, for example; it needs the compiled output as well)
  • ZeroNorth platform license and credentials
  • The SonarQube Agent Scenario has been activated; see this article for details
  • A Jenkins server with the Docker Pipeline plugin (see this article) OR a Docker container daemon (see this article)

Using SonarQube Agent for Java

Normally, the SonarQube Agent can scan the source files for a project. However, with Java projects, SonarQube also requires the compiled binaries (.class) and any libraries (.jar) that the project references. Even if the .class and the .jar files are included in the project, SonarQube must be told explicitly where to find them.

When invoking SonarQube Agent via ZeroNorth, the recommended approach is to supply this information as additional parameters called SONAR_JAVA_LIBRARY_DIR and SONAR_JAVA_BINARY_DIR to the Docker command.

The below examples are based on the popular WebGoat project, which, when built with Maven, has multiple modules, each with its own src and target directories, and with libraries as JAR files found in two directories.

Jenkinsfile example

The image.inside(…) command should look like:

image.inside("-v ${workspace}:/code -v ${workspace}:/results -e SCENARIO=${scenario} -e CYBRIC_USER=${ZeroNorthUsername} -e CYBRIC_PASSWORD=${ZeroNorthPassword} -e SONAR_JAVA_LIBRARY_DIR='webgoat-container/target/classes/static/js/libs,webgoat-container/src/main/resources/static/js/libs' -e SONAR_JAVA_BINARY_DIR='webwolf,webgoat-container,webgoat-lessons,webgoat-server' ")

Note that the paths supplied to the two additional parameters are relative to ${workspace}, that is, to the directory mounted at /code inside the container.

docker run command example

If you are invoking ZeroNorth directly from Docker, the command should then look like:

sudo docker run -v "/home/foobar/GitHub/WebGoat":/code -v "/tmp/zn":/results -e CYBRIC_USER='<username>' -e CYBRIC_PASSWORD='<password>' -e SONAR_JAVA_LIBRARY_DIR="webgoat-container/target/classes/static/js/libs,webgoat-container/src/main/resources/static/js/libs" -e SONAR_JAVA_BINARY_DIR="webwolf,webgoat-container,webgoat-lessons,webgoat-server" -e PROJECT_NAME='OWASP-WebGoat' -e SCENARIO="sonarqube-agent" zeronorth/integration:latest python cybric.py
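The SONAR_JAVA_LIBRARY_DIR and SONAR_JAVA_BINARY_DIR values in both examples above are written by hand, and a path that is wrong relative to the /code mount only shows up as a failed scan. The following shell script is an added example, not part of this article or of the ZeroNorth tooling: it discovers the module directories that contain compiled classes and the directories that contain .jar files under the workspace, checks that every entry exists relative to the directory that will be mounted at /code, and prints the two -e flags. The make_sample_workspace function creates a constructed miniature layout using the WebGoat module names so the script runs offline; all function names are the example's own.

```shell
#!/bin/sh
# Added example: derive and validate SONAR_JAVA_BINARY_DIR / SONAR_JAVA_LIBRARY_DIR
# before launching the ZeroNorth SonarQube Agent scan. Not part of the article.

# discover_binary_dirs WORKSPACE
# Prints a comma-separated list of module directories (relative to WORKSPACE,
# the directory mounted at /code) that contain a Maven target/classes output.
discover_binary_dirs() {
  ws=$1
  out=""
  for classes in "$ws"/*/target/classes; do
    [ -d "$classes" ] || continue
    mod=${classes#"$ws"/}
    mod=${mod%/target/classes}
    out="${out:+$out,}$mod"
  done
  printf '%s' "$out"
}

# discover_library_dirs WORKSPACE
# Prints a comma-separated, de-duplicated list of directories (relative to
# WORKSPACE) that contain .jar files.
discover_library_dirs() {
  ws=$1
  find "$ws" -type f -name '*.jar' -exec dirname '{}' ';' \
    | sort -u \
    | sed "s|^$ws/||" \
    | paste -sd, -
}

# check_dirs WORKSPACE CSV
# Verifies that every comma-separated entry is an existing directory under
# WORKSPACE. Reports each missing entry on stderr and returns non-zero, which
# catches the usual mistake of giving paths relative to the wrong root.
check_dirs() {
  ws=$1
  csv=$2
  rc=0
  oldifs=$IFS
  IFS=,
  for d in $csv; do
    if [ ! -d "$ws/$d" ]; then
      echo "missing directory: $d (expected $ws/$d)" >&2
      rc=1
    fi
  done
  IFS=$oldifs
  return $rc
}

# build_scan_env WORKSPACE
# Discovers both values, validates them and prints the -e flags to append to
# the docker run or image.inside(...) command. Fails if nothing was compiled.
build_scan_env() {
  bins=$(discover_binary_dirs "$1")
  libs=$(discover_library_dirs "$1")
  if [ -z "$bins" ]; then
    echo "no target/classes found under $1; build the project first" >&2
    return 1
  fi
  check_dirs "$1" "$bins" || return 1
  check_dirs "$1" "$libs" || return 1
  printf '%s\n' "-e SONAR_JAVA_BINARY_DIR='$bins' -e SONAR_JAVA_LIBRARY_DIR='$libs'"
}

# make_sample_workspace DIR
# Constructed stand-in for a built WebGoat checkout (empty placeholder files,
# not a real build) so the functions above can be exercised offline.
make_sample_workspace() {
  ws=$1
  for m in webwolf webgoat-container webgoat-lessons webgoat-server; do
    mkdir -p "$ws/$m/src/main/java" "$ws/$m/target/classes"
    : > "$ws/$m/target/classes/Placeholder.class"
  done
  mkdir -p "$ws/webgoat-container/target/classes/static/js/libs" \
           "$ws/webgoat-container/src/main/resources/static/js/libs"
  : > "$ws/webgoat-container/target/classes/static/js/libs/placeholder.jar"
  : > "$ws/webgoat-container/src/main/resources/static/js/libs/placeholder.jar"
}

# Usage on a real checkout: build_scan_env /home/foobar/GitHub/WebGoat
```

Run build_scan_env against the same host directory you pass to -v ...:/code and paste its output into the docker run command; if it reports a missing directory, the scan would have failed for the same reason.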

HINT

When invoking ZeroNorth via Jenkins or Docker, you can use your ZeroNorth API Key instead of your username and password. Replace the CYBRIC_USER and CYBRIC_PASSWORD parameters with CYBRIC_API_KEY. See this article for obtaining your ZeroNorth API Key.