SonarQube® is an automatic code review tool to detect bugs, vulnerabilities, and code smells in your code. It can integrate with your existing workflow such as Jenkins to enable continuous code inspection across your project branches and pull requests.
In this brief guide, we shall be installing this fantastic Open Source tool so that you can have the opportunity to review your team’s code before they are deployed in production. It will help in streamlining your applications as well as improving in their security by detecting outdated software used and making apt recommendations on the fly.
- SonarQube is built on Java, so we shall ensure that Java 11 is installed
- Another user apart ffrom root to run elasticsearch hence SonarQube
To have this tool installed in your CentOS 7 box, follow the steps shared below:
Step 1: Update and install required tools and fulfill system settings
In this step, ensure that your server is well updated as well as install all tools you will require during the installation process. We shall also tweak system settings such as SELinux, max_map_count and fs.file-max. Run the commands below to update your server.
sudo yum update sudo yum install vim wget curl -y
Configure SELinux as Permissive
This can be done by running the commands below:
sudo setenforce 0 sudo sed -i 's/^SELINUX=enforcing$/SELINUX=permissive/' /etc/selinux/config
Tweak max_map_count and fs.file-max
From Linux Kernel Documentation, this file contains the maximum number of memory map areas a process may have. Memory map areas are used as a side-effect of calling malloc, directly by mmap, mprotect, and madvise, and also when loading shared libraries.
To tweak the settings to befit SonarQube requirements, open “/etc/sysctl.conf” file and add the settings as shown below:
$ sudo vim /etc/sysctl.conf vm.max_map_count=262144 fs.file-max=65536
Create a user for sonar
It is recommended that a seperate user is created to run SonarQube. Let us create one as follows:
sudo useradd sonar
Then set a password for the user
sudo passwd sonar
Step 2: Install Java 11 on CentOS 7
As it had been mentioned in the introductory section, SonarQube is written in Java and it needs Java installed (11 particularly in this setup). To install Java 11 in CentOS 7, follow the guide below in our blog
Step 3: Install and configure PostgreSQL
In this example guide, we are going to install PostgreSQL 11 server on the same sever SonarQube will reside. You can host it in a different server depending on your needs. To install PostgreSQL 11 on your CentOS 7 Server, follow the steps below to get it up and running real quick
Add PostgreSQL Yum Repository
Add PostgreSQL Yum Repository to your CentOS 7 system by running the shared command below.
sudo yum install -y https://download.postgresql.org/pub/repos/yum/reporpms/EL-7-x86_64/pgdg-redhat-repo-latest.noarch.rpm
Install PostgreSQL Server and Client packages
After adding PostgreSQL Yum Repository, install PostgreSQL Server/Client packages:
sudo yum -y install postgresql11-server postgresql11
After installation, initialize the database and enable automatic start
Now that the database packages have been installed, Initialize the database by running the following command
sudo /usr/pgsql-11/bin/postgresql-11-setup initdb
Then start and enable the service to start on boot
sudo systemctl start postgresql-11 sudo systemctl enable postgresql-11
After you have installed PostgreSQL server, proceed to configure it as follows. Open pg_hba.conf file and change “peer” to “trust” and “idnet” to “md5“.
$ sudo vim /var/lib/pgsql/11/data/pg_hba.conf ##Change this local all all peer # IPv4 local connections: host all all 127.0.0.1/32 ident # IPv6 local connections: host all all ::1/128 ident # Allow replication connections from localhost, by a user with the # replication privilege. local replication all peer host replication all 127.0.0.1/32 ident host replication all ::1/128 ident ##To this: local all all trust # IPv4 local connections: host all all 127.0.0.1/32 md5 # IPv6 local connections: host all all ::1/128 md5 # Allow replication connections from localhost, by a user with the # replication privilege. local replication all peer host replication all 127.0.0.1/32 md5 host replication all ::1/128 md5
Enable remote Access to PostgreSQL
In case your application is on a remote location, then you will need to allow it to access your database as follows:
Edit the file /var/lib/pgsql/11/data/postgresql.conf and set Listen address to your server IP address or “*” for all interfaces.
$ sudo vim /var/lib/pgsql/11/data/postgresql.conf listen_addresses = '10.38.87.160'
Then add the following to “pg_hba.conf” file
$ sudo vim /var/lib/pgsql/11/data/pg_hba.conf # Accept from anywhere host all all 0.0.0.0/0 md5 # Or accept from trusted subnet host all all 10.38.87.0/24 md5
Restart PostgreSQL service
sudo systemctl restart postgresql-11
Set PostgreSQL admin user
We will need to change the password for the admin postgres user as shown below:
$ sudo su - postgres -bash-4.2$ -bash-4.2$: psql postgres=# alter user postgres with password 'StrongPassword'; ALTER ROLE postgres=#
Create a SonarQube user and database
Next, we are going to create a user for SonarQube. Proceed as shown below before exiting your database.
postgres=# createuser sonar; postgres=# createdb sonar_db owner sonar; postgres=# grant all privileges on database sonar_db to sonar;
Set a password for sonar user
postgres=# ALTER USER sonar WITH ENCRYPTED password 'StrongPassword';
Step 4: Fetch and install SonarQube
Now we are at the point we have been waiting to arrive at for a long time. We shall download Long Term Release of SonarQube then install in our Server. Proceed as follows to get our SonarQube installed.
Fetch SonarQube LTS Version
You can visit SonarQube Downloads Page to view their various offerings. We shall be downloading the Long Term Release (LTS)
cd /opt/ sudo wget https://binaries.sonarsource.com/Distribution/sonarqube/sonarqube-7.9.5.zip
Then unzip the file
sudo unzip sonarqube-7.9.5.zip
After that, rename the folder to sonarqube
sudo mv sonarqube-7.9.5 sonarqube
Step 5: Configure SonarQube
Once the files have been extracted to /opt/ directory, it is time to configure the application.
Open “/opt/sonarqube/conf/sonar.properties” file and add database details as shown below. In addition to that, find the lines shared and uncomment them.
$ sudo vim /opt/sonarqube/conf/sonar.properties \##Database details sonar.jdbc.username=sonar sonar.jdbc.password=StrongPassword sonar.jdbc.url=jdbc:postgresql://localhost/sonar_db \##How you will access SonarQube Web UI sonar.web.host=10.38.87.160 sonar.web.port=9000 \##Java options sonar.web.javaOpts=-server -Xms512m -Xmx512m -XX:+HeapDumpOnOutOfMemoryError sonar.search.javaOpts=-server -Xms512m -Xmx512m -XX:+HeapDumpOnOutOfMemoryError \##Also add the following Elasticsearch storage paths sonar.path.data=/var/sonarqube/data sonar.path.temp=/var/sonarqube/temp
Give SonarQube files ownership to the sonar user we created in Step 1.
sudo chown -R sonar:sonar /opt/sonarqube
In case Java cannot be found in the default location, you will have to specify the binary files for SonarQube to find. You can specify where java is located in the “/opt/sonarqube/conf/wrapper.conf” file. Look for “wrapper.java.command” line and place your Java location beside it thus.
$ sudo vim /opt/sonarqube/conf/wrapper.conf wrapper.java.command=/usr/local/jdk-11.0.2/bin/java
Add SonarQube SystemD service file
Finally we are going to ensure that we shall be able to manage our SonarQube application via Systemd so that we can start and stop it like other services in your server
$ sudo vim /etc/systemd/system/sonarqube.service [Unit] Description=SonarQube service After=syslog.target network.target [Service] Type=forking ExecStart=/opt/sonarqube/bin/linux-x86-64/sonar.sh start ExecStop=/opt/sonarqube/bin/linux-x86-64/sonar.sh stop LimitNOFILE=65536 LimitNPROC=4096 User=sonar Group=sonar Restart=on-failure [Install] WantedBy=multi-user.target
After editing systemd files, we have to reload them so that they can be read and loaded.
sudo systemctl daemon-reload
Then start and enable the service
sudo systemctl start sonarqube.service sudo systemctl enable sonarqube.service
Check its status if it successfully started and is running.
sudo systemctl status sonarqube.service
Step 6: Alter Firewall rules to allow SonarQube Access
At this juncture, sonarqube service should be running. In case you cannot access the web interface, visit the log files located in “/opt/sonarqube/logs” where you will find
- elasticsearch logs (es.log)
- Sonar logs (sonar.log)
- web logs (web.log)
- Access logs (access.log)
- And others
We enabled SonarQube web to listen on port 9000 and we should allow this on this on the firewall. Proceed to do this as shared below
sudo firewall-cmd --permanent --add-port=9000/tcp && sudo firewall-cmd --reload
Step 7: Access the Web User Interface
The time we have been waiting for has finally showed up. We are now ready to access SonarQube interface and begin assessing our code for security. To access the interface, open your favorite browser and point it to http://server-ip-or-fqdn:9000. You should see a page similar to the one below.
Step 8: Logging in
To log in, simply click on the “Log In” button as shared above and you should be ushered in a page similar to the one shared below. Use username as “admin” and password as “admin“.
And you should be ushered into the main area as illustrated below
Now we have our automatic code review tool that you can use to scan various applications before they are approved for production. It is simple, thorough and complements your organizational security needs. Try it out.
Otherwise, we appreciate your visit and for the tremendous support you continue to extend. other guides you might enjoy include: