Using Your Own SonarQube Server

While ZeroNorth hosts and maintains a SonarQube server for our customers to use, you may want to use your own SonarQube server for reasons specific to your needs. If so, the location and connectivity to your SonarQube server determines how you set up a SonarQube Policy for your project.

Your SonarQube Server is Accessible to ZeroNorth

If your SonarQube server is publicly accessible, or is made accessible to ZeroNorth via a connectivity solution such as VPN or IP-whitelisting, then no special considerations apply. Follow the instructions in the article Activate Scenario - SonarQube Agent Scanner and then proceed with setting up a Policy as you’d with any other repository or artifact scan.

Your SonarQube Server is NOT Accessible to ZeroNorth

There are a few ways to utilize a SonarQube server in your private network. The common thread among the below approaches is that ZeroNorth’s SonarQube agent has access to the SonarQube server.

For .NET Projects

Scanning a .NET project with SonarQube requires the use of Sonar Scanner for MSBuild , which works by being a proxy between your MSBuild and a SonarQube server. Therefore, the procedure described in the article Integration Guide - SonarQube and C#/.NET Projects applies equally to using your own SonarQube server and using the ZeroNorth-hosted SonarQube server.

For Projects of All Other Languages

To use your own SonarQube server with projects such as NodeJS, Java, C++, PHP, Python, etc., you will need to use ZeroNorth’s zeronorth/integration Docker image.

NOTE : The instructions below can be used to perform onprem build artifact scans using other SAST and SCA scanners.

Docker preparation:

  • Ensure you have a host with Docker 17.12 or later installed.
  • The host must have at minimum 1 CPU, 4 GB RAM, and 100 GB storage.
  • Obtain access to pull ZeroNorth’s “on-prem” Docker images – contact providing your Docker Hub username.
  • Once the above are set:

docker pull zeronorth/integration:latest
docker pull zeronorth/sonarqube-agent-job-runner:latest

Your Docker environment is now set.

Create a Policy:

Next, create a suitable Policy, making the following adjustments for your Artifact Policy (we do not yet support direct repository scans using your SonarQube server):

  1. Scenario - Activate the “sonarqube-agent” Scenario pointing to your SonarQube server.

  2. Integration - Create an “Artifact” type Integration set to Initiate Scan From “Customer’s Environment”:

  3. This tells ZeroNorth that any Targets associated with this Integration expects local execution (in your environment) so that it has access to your SonarQube server.

  4. Target - Create a Target of type “Artifact” using the Integration from step 2.

  5. Policy - Create a Policy using the items from the above 3 steps.

Running the Scan:

To run the scan using the Policy you created:

docker run -v /var/run/docker.sock:/var/run/docker.sock -v "/tmp/zn":/results -e WORKSPACE="/path/to/my/project/" -e CYBRIC_API_KEY=<your api key> -e SONAR_JAVA_LIBRARY_DIR="<comma-delimited list of libaries folders>" -e SONAR_JAVA_BINARY_DIR="<comma-delimted list of binaries folders>" -e POLICY_ID=<policy id> zeronorth/integration:latest python

The environment variables SONAR_JAVA_LIBRARY_DIR and SONAR_JAVA_LIBRARY_DIR are used only for scanning Java projects. Refer to the article Integration Guide - SonarQube and Java Projects for more details and examples.

Expected Output:

When you first run the “docker run …” command, you will see:

You can then follow the log messages of the Sonar Agent Runner container using the “docker logs -f” command like this: