Difference between revisions of "Sonar"

(Add plugins)
 
(4 intermediate revisions by the same user not shown)
Line 2: Line 2:
 
[[Category:Linux]]
 
[[Category:Linux]]
  
The following instructions are for Ubuntu.
 
  
 +
This page describes '''how to setup SonarQube''':
 +
* Application installation
 +
* Post-install settings
 +
 +
 +
History:
 
* 2016-12-25 : update for Ubuntu 16.10
 
* 2016-12-25 : update for Ubuntu 16.10
 
* 2019-03-26 : update for SonarQube 7.x on CentOs 7.x ; with PostgreSQL server
 
* 2019-03-26 : update for SonarQube 7.x on CentOs 7.x ; with PostgreSQL server
Line 11: Line 16:
  
  
=Requirements: database server=
 
  
==MySQL==
 
  
You need to have a MySQL server available.
 
  
 +
=Requirement: PostgreSQL DB server=
  
Create an empty DB and MySQL user "sonarqube"
+
You need a DB server to use SonarQube. The default H2 engine is (very) slow. The SonarQube team recommends PostgreSQL-
  
<syntaxhighlight lang="sql">
 
mysql -u root -p
 
  
CREATE USER 'sonarqube'@'localhost' IDENTIFIED BY 'password';
+
==Setup PostgreSQL==
CREATE DATABASE IF NOT EXISTS sonarqube;
 
GRANT ALL PRIVILEGES ON sonarqube.* TO 'sonarqube'@'localhost';
 
FLUSH PRIVILEGES;
 
</syntaxhighlight>
 
  
 +
<syntaxhighlight lang="bash">
 +
# Add repository
 +
sudo wget https://download.postgresql.org/pub/repos/yum/11/redhat/rhel-7-x86_64/pgdg-centos11-11-2.noarch.rpm -P /tmp
 +
sudo yum install /tmp/pgdg-centos11-11-2.noarch.rpm epel-release
 +
sudo yum update
  
==PostgreSQL==
 
 
 
===Setup===
 
 
<syntaxhighlight lang="bash">
 
 
# Setup server
 
# Setup server
sudo yum install postgresql-server postgresql-contrib
+
sudo yum install postgresql11-server postgresql11-contrib postgresql11
  
 
# Init Postgres database
 
# Init Postgres database
 
#  > default user: postgres
 
#  > default user: postgres
#  > create a database for SonarQube (db name: sonarqube)
+
sudo /usr/pgsql-11/bin/postgresql-11-setup initdb
sudo postgresql-setup initdb
 
 
</syntaxhighlight>
 
</syntaxhighlight>
  
  
===Remote access===
+
==Active remote access==
  
 
Adjust configuration to enable remote access
 
Adjust configuration to enable remote access
  
*Postgresql.conf*
 
  
 +
'''Postgresql.conf'''
 
<syntaxhighlight lang="bash">
 
<syntaxhighlight lang="bash">
vim /var/lib/pgsql/data/postgresql.conf
+
sudo cp /var/lib/pgsql/11/data/postgresql.conf /var/lib/pgsql/11/data/postgresql.conf.backup
 +
sudo vim /var/lib/pgsql/11/data/postgresql.conf
 
</syntaxhighlight>
 
</syntaxhighlight>
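Review bot: the new "Setup PostgreSQL" block never creates the database or role that SonarQube connects with. The removed lines 'Create an empty DB and MySQL user "sonarqube"' and '#  > create a database for SonarQube (db name: sonarqube)' have no PostgreSQL replacement, yet the Database section still sets sonar.jdbc.username=sonarqube and jdbc:postgresql://localhost/sonarqube. Add a step, once the server is started, that creates the sonarqube role and database.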
  
Line 62: Line 58:
 
</syntaxhighlight>
 
</syntaxhighlight>
  
# Adjust configuration to enable remote acces
 
sudo cp /var/lib/pgsql/data/postgresql.conf /var/lib/pgsql/data/postgresql.conf.backup
 
sudo cp $ASSETS_PATH/postgres.conf /var/lib/pgsql/data/postgresql.conf
 
  
>Set:
+
'''PG_HBA'''
 +
<syntaxhighlight lang="bash">
 +
sudo cp /var/lib/pgsql/11/data/pg_hba.conf /var/lib/pgsql/11/data/pg_hba.conf.backup
 +
sudo vim /var/lib/pgsql/11/data/pg_hba.conf
 +
</syntaxhighlight>
 +
 
 +
<syntaxhighlight lang="bash">
 
# IPv4 local connections:
 
# IPv4 local connections:
 
host    all            all            0.0.0.0/0              md5
 
host    all            all            0.0.0.0/0              md5
 
# IPv6  local connections:
 
# IPv6  local connections:
 
host    all            all            ::/0                    md5
 
host    all            all            ::/0                    md5
 +
</syntaxhighlight>
  
sudo cp /var/lib/pgsql/data/pg_hba.conf /var/lib/pgsql/data/pg_hba.conf.backup
 
sudo cp $ASSETS_PATH/pg_hba.conf /var/lib/pgsql/data/pg_hba.conf
 
  
        echo -e " "
+
==start PSQL==
        echo -e "$YELLOW ... Start Postgres server$WHITE"
 
        echo -e " "
 
        sudo systemctl start postgresql
 
  
        echo -e " "
+
<syntaxhighlight lang="bash">
        echo -e "$YELLOW ... Set 'postgres' LINUX user password (${WHITE}recommandation:${CYAN} postgres)$WHITE"
+
# Start Postgres server
        echo -e " "
+
sudo systemctl enable postgresql-11.service
        sudo passwd postgres
+
sudo systemctl start postgresql-11.service
  
        echo -e " "
 
        echo -e "$YELLOW ... Set 'postgres' SQL DB ADMIN user password (${WHITE}recommandation:${CYAN} postgres)$WHITE"
 
        # Ask for user input
 
        read "      > Enter and SQL DB ADMIN login: " userSqlPwd
 
        # Prepare home folder
 
        sudo mkdir -p /home/postgres
 
        sudo chmod -R 777 /home/postgres
 
        sudo chown -R postgres:users /home/postgres
 
        localFolder=`pwd`
 
        # Change password
 
        cd /home/postgres
 
        sudo -u postgres bash -c "psql -d template1 -c \"ALTER USER postgres WITH PASSWORD '${userSqlPwd}';\""
 
        cd $localFolder
 
  
        echo -e " "
+
# Set 'postgres' LINUX user password (recommandation: postgres)
        echo -e "$YELLOW ... Start Postgres on boot$WHITE"
+
sudo passwd postgres
        echo -e " "
 
        sudo systemctl enable postgresql
 
  
 +
# ... Set 'postgres' SQL DB ADMIN user password (recommandation: postgres)
 +
# Prepare home folder
 +
sudo mkdir -p /home/postgres
 +
sudo chmod -R 777 /home/postgres
 +
sudo chown -R postgres:users /home/postgres
 +
localFolder=`pwd`
 +
# Change password
 +
cd /home/postgres
 +
sudo -u postgres bash -c "psql -d template1 -c \"ALTER USER postgres WITH PASSWORD 'newPassword';\""
 +
cd $localFolder
  
        ###########################
+
# Start Postgres on boot
        # Register Firewall rules #
+
sudo systemctl enable postgresql
        ###########################
+
</syntaxhighlight>
        echo -e " "
 
        echo -e "$YELLOW ... Add firewall rules for Postgres$WHITE"
 
        echo -e " "
 
        # Remove previous rules, if any
 
        sudo firewall-cmd --permanent --disable-port=$POSTGRES_DEFAULT_PORT/tcp
 
        sudo firewall-cmd --permanent --remove-port=$POSTGRES_DEFAULT_PORT/tcp
 
        sudo firewall-cmd --permanent --remove-service=postgres --zone=trusted
 
        sudo firewall-cmd --permanent --remove-service=postgres
 
  
        # Add new rules
 
        sudo firewall-cmd --permanent --new-service=postgres
 
        sudo firewall-cmd --permanent --service=postgres --set-short="Postgresql database server"
 
        sudo firewall-cmd --permanent --service=postgres --set-description="Postgres database server"
 
        sudo firewall-cmd --permanent --service=postgres --add-port=$POSTGRES_DEFAULT_PORT/tcp
 
        sudo firewall-cmd --permanent --add-service=postgres --zone=trusted
 
  
        # Enable redirection (port forwarding)
+
==Centos firewall==
        #sudo firewall-cmd --permanent --zone=trusted --add-forward-port=port=$POSTGRES_DEFAULT_PORT:proto=tcp:toport=$POSTGRES_DEFAULT_PORT
 
        # Add a rule for localhost / aliases
 
        #sudo firewall-cmd --permanent --direct --add-rule ipv4 nat OUTPUT 0 -p tcp -o lo --dport $POSTGRES_DEFAULT_PORT -j REDIRECT --to-ports $POSTGRES_DEFAULT_PORT
 
  
        sudo firewall-cmd --reload
+
For Debian IPTABLES just open the port TCP 5234
        sudo firewall-cmd --list-all
 
    fi
 
  
  
 +
<syntaxhighlight lang="bash">
 +
POSTGRES_DEFAULT_PORT=5234
  
 +
# Remove previous FW rules, if any
 +
sudo firewall-cmd --permanent --disable-port=$POSTGRES_DEFAULT_PORT/tcp
 +
sudo firewall-cmd --permanent --remove-port=$POSTGRES_DEFAULT_PORT/tcp
 +
sudo firewall-cmd --permanent --remove-service=postgres --zone=trusted
 +
sudo firewall-cmd --permanent --remove-service=postgres
  
 +
# Add new FW rules
 +
sudo firewall-cmd --permanent --new-service=postgres
 +
sudo firewall-cmd --permanent --service=postgres --set-short="Postgresql database server"
 +
sudo firewall-cmd --permanent --service=postgres --set-description="Postgres database server"
 +
sudo firewall-cmd --permanent --service=postgres --add-port=$POSTGRES_DEFAULT_PORT/tcp
 +
sudo firewall-cmd --permanent --add-service=postgres --zone=trusted
  
Source: [https://www.linode.com/docs/databases/postgresql/how-to-install-postgresql-relational-databases-on-centos-7/ Linode tutorial]
+
# Reload FW rules
 +
sudo firewall-cmd --reload
 +
sudo firewall-cmd --list-all
 +
</syntaxhighlight>
  
  
 +
Some helpful Source: [https://www.linode.com/docs/databases/postgresql/how-to-install-postgresql-relational-databases-on-centos-7/ Linode tutorial]
  
=Installation=
 
  
I advise you to use the manual set-up and update. Experience proved that it can be cumbersome to upgrade SonarQube.
 
  
  
==Get SonarQube and SonarRunner==
 
  
* '''SonarQube''' == Application to detect issues and display them (web-based)
+
=Setup SONARQUBE application=
* '''SonarRunner''' == Command line tool to interact with SonarQube. This is required for Jenkins and other tools.
 
  
  
Download the latest version (or the LTS) on http://www.sonarqube.org/downloads/
+
==Requirement: create user / group==
 +
 
 +
You cannot run SONAR as "root". It must run as a user
 +
 
 +
<syntaxhighlight lang="bash">
 +
sudo adduser sonar
 +
sudo groupadd sonar
 +
</syntaxhighlight>
 +
 
 +
 
 +
==Get SonarQube==
 +
 
 +
'''As a sudoer user''', download the latest version (or the LTS) on http://www.sonarqube.org/downloads/
  
 
<syntaxhighlight lang="bash">
 
<syntaxhighlight lang="bash">
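Review bot: in the PG_HBA block, "host all all 0.0.0.0/0 md5" and "host all all ::/0 md5" sit under comments that still say "local connections", but they admit any client address to every database and every role. With the "recommandation: postgres" password hint in the same hunk, a guessable password is the only control left. Restrict the address column to the SonarQube host or subnet and name the database and role explicitly. Also replace "chmod -R 777 /home/postgres" with a mode that is not world-writable.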
Line 158: Line 154:
  
 
# SonarQube
 
# SonarQube
wget https://sonarsource.bintray.com/Distribution/sonarqube/sonarqube-5.1.2.zip
+
# 2019-05: current version is 7.7
unzip sonarqube-5.1.2.zip
+
wget https://binaries.sonarsource.com/Distribution/sonarqube/sonarqube-7.7.zip
ln -s /opt/sonarqube-5.1.2 /opt/sonarqube
+
unzip sonarqube-7.7.zip
 +
ln -s /opt/sonarqube-7.7 /opt/sonarqube
  
# SonarRunner
+
# Adjust rights
wget http://repo1.maven.org/maven2/org/codehaus/sonar/runner/sonar-runner-dist/2.4/sonar-runner-dist-2.4.zip
+
chown -R sonar:sonar /opt/sonarqube-7.7
unzip sonar-runner-dist-2.4.zip
+
chown -R sonar:sonar /opt/sonarqube
ln -s /opt/sonar-runner-2.4/ /opt/sonar-runner
 
 
 
# Make the SonarRunner available from anywhere
 
ln -s /opt/sonar-runner/bin/sonar-runner /usr/bin/sonar-runner
 
 
</syntaxhighlight>
 
</syntaxhighlight>
 
  
 
(i) It's always good to use a symlink. This make the update and rollback a bit easier.  
 
(i) It's always good to use a symlink. This make the update and rollback a bit easier.  
 
  
  
Line 187: Line 178:
 
===Database===
 
===Database===
  
Disable embedded H2DB and enable MySQL database, lines 20 to 40:
+
Disable embedded H2DB and enable PSQL, lines 20 to 40:
  
 
<syntaxhighlight lang="apache">
 
<syntaxhighlight lang="apache">
 
sonar.jdbc.username=sonarqube              
 
sonar.jdbc.username=sonarqube              
 
sonar.jdbc.password=sonarqube
 
sonar.jdbc.password=sonarqube
sonar.jdbc.url=jdbc:mysql://localhost:3306/sonarqube?useUnicode=true&characterEncoding=utf8&rewriteBatchedStatements=true
+
# postgreSQL
 +
sonar.jdbc.url=jdbc:postgresql://localhost/sonarqube
 
</syntaxhighlight>
 
</syntaxhighlight>
  
Line 198: Line 190:
 
===Port number and root context===
 
===Port number and root context===
  
Adjust port number and context (~ line 107)
+
Adjust port number and context
  
 
<syntaxhighlight lang="apache">
 
<syntaxhighlight lang="apache">
Line 222: Line 214:
 
ln -s /opt/sonarqube/logs/access.log /var/log/sonar/access.log
 
ln -s /opt/sonarqube/logs/access.log /var/log/sonar/access.log
 
</syntaxhighlight>
 
</syntaxhighlight>
 
  
  
Line 239: Line 230:
  
  
 +
==Start SonarQube==
  
==Apply changes==
+
'''As "sonar" user''' you can start SonarQube.
 
 
You must start Sonar to use the new settings.
 
  
 
<syntaxhighlight lang="bash">
 
<syntaxhighlight lang="bash">
 +
sudo su sonar
 
sonarqube restart
 
sonarqube restart
 
</syntaxhighlight>
 
</syntaxhighlight>
  
 
... wait for some times on 1st start (5 to 7 mn) !! Logs are in  
 
... wait for some times on 1st start (5 to 7 mn) !! Logs are in  
 
  
  
 
Check that Sonar is up:
 
Check that Sonar is up:
 
 
<syntaxhighlight lang="bash">
 
<syntaxhighlight lang="bash">
 
netstat -pl --numeric | grep 9000
 
netstat -pl --numeric | grep 9000
Line 265: Line 254:
  
 
==Bug fix==
 
==Bug fix==
 
 
If the port 9000 is already used by PHP you must remove PHP7 FPM
 
If the port 9000 is already used by PHP you must remove PHP7 FPM
  
Line 271: Line 259:
 
sudo apt-get remove php7.0-fpm
 
sudo apt-get remove php7.0-fpm
 
</syntaxhighlight>
 
</syntaxhighlight>
 
  
  
Line 279: Line 266:
  
  
 +
 +
==Startup script==
 +
 +
(i) See official documentation at:
 +
 +
'''As a sudoer user''', create a new startup script in <code>/etc/systemd/system</code>
 +
 +
<syntaxhighlight lang="bash">
 +
vim /etc/systemd/system/sonarqube.service
 +
</syntaxhighlight>
 +
 +
 +
Put the following content:
 +
 +
<syntaxhighlight lang="bash">
 +
[Unit]
 +
Description=SonarQube service
 +
After=syslog.target network.target
 +
 +
[Service]
 +
Type=simple
 +
User=sonar
 +
Group=sonar
 +
PermissionsStartOnly=true
 +
ExecStart=/opt/sonarqube/bin/linux-x86-64/sonar.sh start
 +
ExecStop=/opt/sonarqube/bin/linux-x86-64/sonar.sh stop
 +
StandardOutput=syslog
 +
LimitNOFILE=65536
 +
LimitNPROC=8192
 +
TimeoutStartSec=5
 +
Restart=always
 +
 +
[Install]
 +
WantedBy=multi-user.target
 +
</syntaxhighlight>
 +
 +
 +
Register service:
 +
 +
<syntaxhighlight lang="bash">
 +
sudo systemctl enable sonarqube.service
 +
</syntaxhighlight>
 +
 +
Run service:
 +
 +
<syntaxhighlight lang="bash">
 +
sudo systemctl restart sonarqube.service
 +
</syntaxhighlight>
  
  
=Apache2 proxy=
 
  
Instead of opening port 9000, it's better to access Sonar through Apache2 proxy.
 
  
  
To use the proxy rule, the target '''/sonar''' must match the root URL (see sonar.properties)
+
 
 +
=Apache2 proxy=
 +
 
 +
Instead of opening port 9000, it's better to access Sonar through Apache2 proxy. To use the proxy rule, the target '''/sonar''' must match the root URL (see <code>$sonar/conf/sonar.properties</code>)
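Review bot: in the new unit file, "Type=simple" does not match "ExecStart=/opt/sonarqube/bin/linux-x86-64/sonar.sh start". That script launches SonarQube in the background and returns, so combined with "Restart=always" systemd treats the script's exit as the service stopping. Use "Type=forking" for a start/stop wrapper script like this one.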
  
  
Line 295: Line 331:
 
<syntaxhighlight lang="bash">
 
<syntaxhighlight lang="bash">
 
vim /etc/apache2/mods-enabled/proxy.conf
 
vim /etc/apache2/mods-enabled/proxy.conf
 
 
#or
 
#or
 
 
vim /etc/apache2/sites-enabled/mySite.conf
 
vim /etc/apache2/sites-enabled/mySite.conf
 
</syntaxhighlight>
 
</syntaxhighlight>
Line 303: Line 337:
  
 
Set the following:
 
Set the following:
 
 
<syntaxhighlight lang="apache">
 
<syntaxhighlight lang="apache">
 
# Proxy to a Java application running over Tomcat, with IP filter
 
# Proxy to a Java application running over Tomcat, with IP filter
Line 332: Line 365:
  
  
=Logs=
 
 
Sonar logs are in:
 
 
 
<syntaxhighlight lang="bash">
 
/opt/sonar/logs/sonar.log
 
</syntaxhighlight>
 
 
 
=Sonar Runner=
 
 
 
==Configuration==
 
 
Edit the Sonar-Runner configuration file
 
 
<syntaxhighlight lang="bash">
 
vim /opt/sonar-runner/conf/sonar-runner.properties
 
</syntaxhighlight>
 
 
 
Enable MySQL database:
 
 
!! (i) note that I'm using '''sonarqube''' instead of ''sonar'' !!
 
  
<syntaxhighlight lang="apache">
+
=Sonar application configuration=
sonar.jdbc.url=jdbc:mysql://localhost:3306/sonarqube?useUnicode=true&characterEncoding=utf8&rewriteBatchedStatements=true
 
  
sonar.jdbc.username=sonarqube            
+
Default credentials are "admin" / "admin"
sonar.jdbc.password=sonarqube
 
</syntaxhighlight>
 
  
  
==Environment variable==
+
==Create user accounts==
  
Create a new environment variable <code>SONAR_RUNNER_HOME</code>
+
* Go to "Administration" menu > "Security" > "Users"
 +
* Create new User(s)
  
 +
* Go to "Administration" menu > "Security" > "Groups"
 +
* Click on the "sonar administrators" group
 +
* Add user(s)
  
<syntaxhighlight lang="bash">
 
vim /etc/environment
 
</syntaxhighlight>
 
  
 +
==Global configuration==
  
<syntaxhighlight lang="apache">
+
Go to "Administration" menu > "configuration" > "General"
SONAR_RUNNER_HOME="/opt/sonar-runner"
 
</syntaxhighlight>
 
  
  
 +
'''DNS name'''
 +
* Set the server base URL to DNS name if possible (property: <code>sonar.core.serverBaseURL</code>)
  
=Start SonarQube on boot=
 
  
==Adjust sonar.sh==
+
'''Keep analysis longer '''
 +
* Set "keep only one analysis a week after" : 12  (default is 4, property: <code>sonar.dbcleaner.weeksBeforeKeepingOnlyOneSnapshotByWeek</code>)
  
(i) you must do that on each update as well
 
  
 +
'''Email alerts'''
 +
Configure the email notifications:
 +
* Email From (<code>email.fromName</code>)
 +
* SMTP secure connection (<code>email.smtp_secure_connection.secured</code>)
 +
* SMTP host (<code>email.smtp_host.secured</code>)
 +
* SMTP password (<code>email.smtp_password.secured</code>)
 +
* SMTP port (<code>email.smtp_port.secured</code>)
 +
* SMTP username (<code>email.smtp_username.secured</code>)
  
You need to update the SonarQube bin exec so Debian|ubuntu can start it on boot.
 
  
<syntaxhighlight lang="bash">
+
==Add plugins==
vim /opt/sonarqube/bin/linux-x86-64/sonar.sh
 
</syntaxhighlight>
 
  
 +
* Go to "Administration" menu > "marketplace"
 +
* Search and install:
 +
** Checkstyle
 +
** Code smells
 +
** Findbugs
 +
** PMD
  
Add the following lines right after the <code>#!/bin/sh</code>
+
/!\ You must reboot the SonarQube instance after setup
  
<syntaxhighlight lang="bash">
 
### BEGIN INIT INFO
 
# Provides:            sonarqube
 
# Required-Start:      $all
 
# Required-Stop:
 
# Default-Start:        4 5
 
# Default-Stop:        0 1 6
 
# Short-Description:    Sonarqube code quality analysis
 
### END INIT INFO
 
</syntaxhighlight>
 
 
 
 
==Register sonarqube to boot sequence==
 
 
(i) You just need to do that once.
 
 
<syntaxhighlight lang="bash">
 
cd /etc/init.d/
 
update-rc.d sonarqube defaults
 
</syntaxhighlight>
 
  
  
 +
You can add more plugins from the [SonarQube marketplace http://www.sonarplugins.com/]. Download and install:
  
 +
'''Download OWASP dependency check for SonarQube 7.6+'''
 +
* official website: https://github.com/SonarSecurityCommunity/dependency-check-sonar-plugin
 +
* Last version of the extension: https://github.com/SonarSecurityCommunity/dependency-check-sonar-plugin/releases
 +
* Download (2019-05): wget https://github.com/SonarSecurityCommunity/dependency-check-sonar-plugin/releases/download/1.1.4/sonar-dependency-check-plugin-1.1.4.jar
 +
* Copy the plugin (jar file) to $SONAR_INSTALL_DIR/extensions/plugins
 +
* Restart SonarQube
  
=Sonar Maven plugin=
+
==Quality profile==
  
See http://docs.sonarqube.org/display/SONAR/Installing+and+Configuring+Maven
+
* Go to "Quality profiles" menu
 +
* Under "JAVA"
 +
* Set as default the JAVA ruleset you'd like to use
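Review bot: the added line 'Default credentials are "admin" / "admin"' is followed by steps that create users and add them to the "sonar administrators" group, but no step changes the built-in admin password, so the instance stays reachable with the documented default. Add that as the first item under "Create user accounts". The OWASP plugin bullet also downloads the jar with wget and copies it to extensions/plugins without comparing it against a published checksum; say where the expected value comes from.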
  
  
Line 433: Line 438:
  
 
Sometimes when there are a lot of changes the new sonar version required some database change.  
 
Sometimes when there are a lot of changes the new sonar version required some database change.  
 
+
* The service will not be available until you go to '''http://myServer/sonarqube/setup'''
 
+
* You have to agree to the terms and upgrade database
The service will not be available until you go to '''http://myServer/sonarqube/setup'''
 
 
 
 
 
You have to agree to the terms and upgrade database
 

Latest revision as of 09:06, 15 May 2019


This page describes how to set up SonarQube:

  • Application installation
  • Post-install settings


History:

  • 2016-12-25 : update for Ubuntu 16.10
  • 2019-03-26 : update for SonarQube 7.x on CentOS 7.x ; with PostgreSQL server


You can find all these instructions and more on the Official how-to



Requirement: PostgreSQL DB server

You need a DB server to use SonarQube. The default H2 engine is (very) slow. The SonarQube team recommends PostgreSQL.


Setup PostgreSQL

# Add repository
sudo wget https://download.postgresql.org/pub/repos/yum/11/redhat/rhel-7-x86_64/pgdg-centos11-11-2.noarch.rpm -P /tmp
sudo yum install /tmp/pgdg-centos11-11-2.noarch.rpm epel-release
sudo yum update

# Setup server
sudo yum install postgresql11-server postgresql11-contrib postgresql11

# Init Postgres database
#   > default user: postgres
 sudo /usr/pgsql-11/bin/postgresql-11-setup initdb


Activate remote access

Adjust configuration to enable remote access


Postgresql.conf

sudo cp /var/lib/pgsql/11/data/postgresql.conf /var/lib/pgsql/11/data/postgresql.conf.backup
sudo vim /var/lib/pgsql/11/data/postgresql.conf


Set:

listen_addresses = '*'


PG_HBA

sudo cp /var/lib/pgsql/11/data/pg_hba.conf /var/lib/pgsql/11/data/pg_hba.conf.backup
sudo vim /var/lib/pgsql/11/data/pg_hba.conf


Set:

# IPv4 local connections:
host    all             all             0.0.0.0/0               md5
# IPv6  local connections:
host    all             all             ::/0                    md5
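
The two host rules above admit every IPv4 and IPv6 address for every database and role, which leaves the password as the only barrier. The shell function below is an added example, not part of the original page. It flags such rules in a pg_hba.conf. The sample file and the finding labels are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit pg_hba.conf for rules that admit any client address,
# such as the 0.0.0.0/0 and ::/0 lines shown on this page.

# audit_pg_hba FILE
# Prints one "LINE<TAB>FINDING<TAB>RULE" row per problem found.
audit_pg_hba() {
    awk '
    # Skip blank lines and comments
    /^[ \t]*(#|$)/ { next }
    {
        type = $1
        if (type == "local") next          # Unix-socket rule: no address field
        if (type !~ /^host/) next          # host, hostssl, hostnossl, ...
        db = $2; user = $3; addr = $4; method = $5
        # The address may be written as "IP NETMASK" in two fields instead of CIDR
        if (addr !~ /\// && $5 ~ /[.:]/ && NF >= 6) {
            addr = addr " " $5; method = $6
        }
        any = (addr == "0.0.0.0/0" || addr == "::/0" || addr == "all" || addr == "0.0.0.0 0.0.0.0")
        rule = $0; gsub(/[ \t]+/, " ", rule)

        # Widest possible rule: any address, every database, every role
        if (any && db == "all" && user == "all")
            print NR "\tany-address,all-db,all-user\t" rule
        else if (any)
            print NR "\tany-address\t" rule

        # trust skips authentication entirely
        if (method == "trust")
            print NR "\ttrust-no-password\t" rule

        # "host" also matches non-TLS connections; only "hostssl" requires TLS
        if (any && type != "hostssl" && (method == "md5" || method == "password"))
            print NR "\tpassword-auth-without-required-tls\t" rule
    }' "$1"
}

# write_sample_pg_hba PATH
# Constructed sample: the two rules from this page next to narrower ones.
write_sample_pg_hba() {
    cat > "$1" <<'EOF'
# TYPE  DATABASE   USER       ADDRESS          METHOD
local   all        all                         peer
host    all        all        127.0.0.1/32     md5
host    all        all        0.0.0.0/0        md5
host    all        all        ::/0             md5
hostssl sonarqube  sonarqube  192.168.1.0/24   scram-sha-256
EOF
}

# Audit the file given as first argument, or the constructed sample if none
target=${1:-}
if [ -z "$target" ]; then
    target=$(mktemp)
    write_sample_pg_hba "$target"
fi
audit_pg_hba "$target"
```

On the sample, only lines 4 and 5 (the two rules from this page) are reported. The loopback rule and the hostssl rule scoped to one database, role and subnet pass.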


start PSQL

# Start Postgres server
sudo systemctl enable postgresql-11.service
sudo systemctl start postgresql-11.service


# Set 'postgres' LINUX user password (recommendation: postgres)
sudo passwd postgres

# ... Set 'postgres' SQL DB ADMIN user password (recommendation: postgres)
# Prepare home folder: owned by postgres, others may enter it but not write to it
sudo mkdir -p /home/postgres
sudo chown -R postgres:users /home/postgres
sudo chmod 755 /home/postgres
localFolder=$(pwd)
# Change password (run psql from a folder the postgres user can access)
cd /home/postgres
sudo -u postgres bash -c "psql -d template1 -c \"ALTER USER postgres WITH PASSWORD 'newPassword';\""
cd "$localFolder"

# Start Postgres on boot (the unit installed by the postgresql11 packages is postgresql-11)
sudo systemctl enable postgresql-11.service


Centos firewall

For Debian IPTABLES just open the port TCP 5234


# Must match the 'port' setting in postgresql.conf (PostgreSQL's built-in default is 5432)
POSTGRES_DEFAULT_PORT=5234

# Remove previous FW rules, if any
sudo firewall-cmd --permanent --remove-port=$POSTGRES_DEFAULT_PORT/tcp
sudo firewall-cmd --permanent --remove-service=postgres --zone=trusted
sudo firewall-cmd --permanent --remove-service=postgres

# Add new FW rules
sudo firewall-cmd --permanent --new-service=postgres
sudo firewall-cmd --permanent --service=postgres --set-short="Postgresql database server"
sudo firewall-cmd --permanent --service=postgres --set-description="Postgres database server"
sudo firewall-cmd --permanent --service=postgres --add-port=$POSTGRES_DEFAULT_PORT/tcp
sudo firewall-cmd --permanent --add-service=postgres --zone=trusted

# Reload FW rules
sudo firewall-cmd --reload
sudo firewall-cmd --list-all


A helpful source: Linode tutorial



Setup SONARQUBE application

Requirement: create user / group

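You cannot run SONAR as "root". It must run as a regular (non-root) user.

# Create the group first, then the user with that group as its primary group
sudo groupadd sonar
sudo useradd -g sonar sonar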


Get SonarQube

As a sudoer user, download the latest version (or the LTS) on http://www.sonarqube.org/downloads/

cd /opt

# SonarQube
# 2019-05: current version is 7.7
wget  https://binaries.sonarsource.com/Distribution/sonarqube/sonarqube-7.7.zip
unzip sonarqube-7.7.zip
ln -s /opt/sonarqube-7.7 /opt/sonarqube

# Adjust rights
chown -R sonar:sonar /opt/sonarqube-7.7
chown -R sonar:sonar /opt/sonarqube

(i) It's always good to use a symlink. This makes updates and rollbacks a bit easier.


Configuration (sonar.properties)

Edit the SonarQube configuration file

vim /opt/sonarqube/conf/sonar.properties


Database

Disable embedded H2DB and enable PSQL, lines 20 to 40:

sonar.jdbc.username=sonarqube
sonar.jdbc.password=sonarqube
# postgreSQL
sonar.jdbc.url=jdbc:postgresql://localhost/sonarqube


Port number and root context

Adjust port number and context

#sonar.web.host:             0.0.0.0
#sonar.web.port:             9000
sonar.web.context:           /sonarqube

!!! It is VERY important that you uncomment and set sonar.web.context !!! Without it you cannot use the Apache2 proxy.


Sonar symlink

The default path to manage SonarQube is, in this example, /opt/sonarqube/bin/linux-x86-64/sonar.sh. The same goes for the logs.

ln -s /opt/sonarqube/bin/linux-x86-64/sonar.sh /usr/bin/sonarqube
ln -s /opt/sonarqube/bin/linux-x86-64/sonar.sh /etc/init.d/sonarqube

mkdir -p /var/log/sonar
ln -s /opt/sonarqube/logs/sonar.log /var/log/sonar/sonar.log
ln -s /opt/sonarqube/logs/access.log /var/log/sonar/access.log


Configuration (wrapper.properties)

There is a new configuration file to edit since 5.x. Edit the WRAPPER configuration file

vim /opt/sonarqube/conf/wrapper.properties


Adjust your JVM path, if required, on the first line. This should point to a JDK.

wrapper.java.command=/usr/lib/jvm/java-8-oracle/bin/java


Start SonarQube

As "sonar" user you can start SonarQube.

sudo su sonar
sonarqube restart

... wait a while on the first start (5 to 7 min) !! Logs are in


Check that Sonar is up:

netstat -pl --numeric | grep 9000

You should have:

tcp        0      0 0.0.0.0:9000            0.0.0.0:*               LISTEN      xxxxx/java


Bug fix

If port 9000 is already used by PHP, you must remove PHP7 FPM

sudo apt-get remove php7.0-fpm


Access SonarQube

http://myserver:9000/sonarqube


Startup script

(i) See official documentation at:

As a sudoer user, create a new startup script in /etc/systemd/system

vim /etc/systemd/system/sonarqube.service


Put the following content:

[Unit]
Description=SonarQube service
After=syslog.target network.target

[Service]
# sonar.sh start launches SonarQube in the background and returns, so the unit is of type forking
Type=forking
User=sonar
Group=sonar
PermissionsStartOnly=true
ExecStart=/opt/sonarqube/bin/linux-x86-64/sonar.sh start
ExecStop=/opt/sonarqube/bin/linux-x86-64/sonar.sh stop
StandardOutput=syslog
LimitNOFILE=65536
LimitNPROC=8192
TimeoutStartSec=5
Restart=always

[Install]
WantedBy=multi-user.target


Register service:

sudo systemctl enable sonarqube.service

Run service:

sudo systemctl restart sonarqube.service




Apache2 proxy

Instead of opening port 9000, it's better to access Sonar through Apache2 proxy. To use the proxy rule, the target /sonar must match the root URL (see $sonar/conf/sonar.properties)


Apache2 configuration

Edit configuration file: module or virtual host

vim /etc/apache2/mods-enabled/proxy.conf
#or
vim /etc/apache2/sites-enabled/mySite.conf


Set the following:

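# Proxy to a Java application running over Tomcat, with IP filter
<Location /sonarqube >
	# No trailing slash on the target, to match the Location path
	ProxyPass http://localhost:9000/sonarqube
	ProxyPassReverse http://localhost:9000/sonarqube

        #Require all denied
        #AllowOverride none

        # Several Require lines in one block are ORed: any match grants access
        Require local
        Require ip 192.168.1
        # An IP address goes with "Require ip"; "Require host" expects a host name
        Require ip 193.12.118.196

        #Require all granted
        #Satisfy any
</Location>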


Test Sonar

The default user and password are "admin" and "admin".



Sonar application configuration

Default credentials are "admin" / "admin"


Create user accounts

  • Go to "Administration" menu > "Security" > "Users"
  • Create new User(s)
  • Go to "Administration" menu > "Security" > "Groups"
  • Click on the "sonar administrators" group
  • Add user(s)


Global configuration

Go to "Administration" menu > "configuration" > "General"


DNS name

  • Set the server base URL to DNS name if possible (property: sonar.core.serverBaseURL)


Keep analysis longer

  • Set "keep only one analysis a week after" : 12 (default is 4, property: sonar.dbcleaner.weeksBeforeKeepingOnlyOneSnapshotByWeek)


Email alerts

Configure the email notifications:

  • Email From (email.fromName)
  • SMTP secure connection (email.smtp_secure_connection.secured)
  • SMTP host (email.smtp_host.secured)
  • SMTP password (email.smtp_password.secured)
  • SMTP port (email.smtp_port.secured)
  • SMTP username (email.smtp_username.secured)


Add plugins

  • Go to "Administration" menu > "marketplace"
  • Search and install:
    • Checkstyle
    • Code smells
    • Findbugs
    • PMD

/!\ You must reboot the SonarQube instance after setup


You can add more plugins from the SonarQube marketplace (http://www.sonarplugins.com/). Download and install:

Download OWASP dependency check for SonarQube 7.6+

Quality profile

  • Go to "Quality profiles" menu
  • Under "JAVA"
  • Set as default the JAVA ruleset you'd like to use



Upgrade Sonar

Sometimes, when there are a lot of changes, the new Sonar version requires some database changes.