DevOps - SonarQube

SonarQube:

→ It is a SAST (static application security testing) tool.

→ It is open source and free to use, but some features are commercial.

→ It is used for continuous inspection of code quality.

→ SonarQube provides detailed reports and a dashboard that track the detected errors, which developers can refer back to.

→ It supports multiple languages, nearly 27.

→ SonarQube integrates well with continuous integration tools like Jenkins and GitLab.

→ By automating code reviews, SonarQube saves time and effort compared to manual code inspection.

→ Vendor - Sonar

→ Latest version - 9.x

→ OS - it supports any operating system.

→ It is downloaded as a zip file that is extracted after the prerequisite software is installed; it is not downloaded as an .exe installer.

→ Only after the security check is done can we install and deploy the packages.

→ SonarQube is developed in Java.

→ Port and data-related settings can be changed in conf/sonar.properties.

→ SonarQube latest version 25.6

Shift left: the process of finding and fixing bugs at an early stage of the development life cycle.

Quality gates: SonarQube uses quality gates to define the standards that your code must meet in order to pass the analysis.

Similar tools for quality checks (alternatives to SonarQube):

Veracode

PMD

Checkmarx

Components of SonarQube:

→ Rules - Rules are predefined instructions and best practices that help you write clean, maintainable code.

→ Database - The database stores the analysis results, including bugs and vulnerabilities.

→ Web interface - The web interface is where we view and interact with the code analysis results. It provides an easy-to-understand dashboard with charts, tables and graphs.

→ Sonar Scanner - The Sonar Scanner is a command line tool that collects the code analysis data and sends it to the SonarQube server. It can be installed on any system where our code resides.

Why should we use SonarQube:

  1. Improved code quality:

→ Bug detection

→ Security vulnerabilities

→ Code duplication

→ Code smells

  2. Increases code productivity

  3. Visual reporting

  4. Customizable rules and profiles

  5. Code coverage and test reports

SonarQube installation:

→ Create a server instance; while creating it, choose the t2.medium instance type and open port 9000.

→ SSH to the server using Git Bash or MobaXterm.

→ Change the directory to /opt:

cd /opt/

→ Check whether Java is installed; if not, install it:

sudo wget https://download.java.net/openjdk/jdk17.0.0.1/ri/openjdk-17.0.0.1+2_linux-x64_bin.tar.gz

sudo tar -xvzf openjdk-17.0.0.1+2_linux-x64_bin.tar.gz

sudo rm openjdk-17.0.0.1+2_linux-x64_bin.tar.gz

sudo mv jdk-17.0.0.1 java-17

sudo ln -s /opt/java-17/bin/java /usr/bin/java

echo 'export JAVA_HOME=/opt/java-17' | sudo tee -a /etc/profile

echo 'export PATH=$PATH:$JAVA_HOME/bin' | sudo tee -a /etc/profile

source /etc/profile

→ Now download SonarQube using the commands below:

sudo wget https://binaries.sonarsource.com/Distribution/sonarqube/sonarqube-25.6.0.109173.zip

sudo unzip sonarqube-25.6.0.109173.zip

SonarQube is distributed as a zip file, so we unzip it here inside the /opt directory.

→ Create a dedicated system user:

sudo useradd -r -M sonar

and give it ownership of the installation directory, so that SonarQube runs as this unprivileged user rather than as root:

sudo chown -R sonar:sonar /opt/sonarqube-25.6.0.109173

→ Start SonarQube as the sonar user with this command:

sudo -u sonar /opt/sonarqube-25.6.0.109173/bin/linux-x86-64/sonar.sh start

→ Alternatively, the process can be started another way:

→ Create a systemd service:

sudo vi /etc/systemd/system/sonarqube.service

and add the following (the ExecStart and ExecStop paths must point at the directory unzipped above):

[Unit]
Description=SonarQube 25.6.0
After=network.target

[Service]
Type=forking
User=sonar
Group=sonar
ExecStart=/opt/sonarqube-25.6.0.109173/bin/linux-x86-64/sonar.sh start
ExecStop=/opt/sonarqube-25.6.0.109173/bin/linux-x86-64/sonar.sh stop
LimitNOFILE=65536
Restart=always

[Install]
WantedBy=multi-user.target

Enable and start:

sudo systemctl daemon-reload

sudo systemctl enable sonarqube

sudo systemctl start sonarqube

SonarQube Access

URL: http://<your-ip>:9000
Default login: admin / admin
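The following post-install check is an added example; it is not part of the original post and not SonarQube's own tooling. It assumes curl is installed, that the server address from the step above is given in SONAR_URL (defaulting to http://localhost:9000), and two SonarQube web API endpoints: api/system/status, which reports the server state and version, and api/authentication/validate, which reports whether the credentials sent with the request are accepted. It polls until the server reports UP, then checks whether the default admin/admin login still works, so a freshly installed server is not left reachable on port 9000 with the stock password.

```shell
#!/bin/sh
# Post-install health check for SonarQube (added example; assumes curl and the
# endpoints api/system/status and api/authentication/validate).
# Usage: SONAR_URL=http://<your-ip>:9000 sh sonar_check.sh --run [timeout-seconds]

SONAR_URL="${SONAR_URL:-http://localhost:9000}"

# Extract one top-level field from a flat JSON object such as {"status":"UP"}.
# $1 = JSON text, $2 = field name; prints the value without surrounding quotes.
json_field() {
  printf '%s' "$1" | sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\{0,1\}\([^\",}]*\)\"\{0,1\}.*/\1/p"
}

# True when an api/system/status body reports the server as UP.
server_is_up() {
  [ "$(json_field "$1" status)" = "UP" ]
}

# True when an api/authentication/validate body says the credentials were accepted.
creds_accepted() {
  [ "$(json_field "$1" valid)" = "true" ]
}

# Live check: poll the status endpoint for up to $1 seconds (default 120), then
# send the stock admin/admin pair and warn if the server still accepts it.
# Exit codes: 0 = UP and default password changed, 1 = never came UP,
#             2 = default password still accepted.
check_server() {
  timeout="${1:-120}"
  waited=0
  while [ "$waited" -lt "$timeout" ]; do
    body="$(curl -s --max-time 5 "$SONAR_URL/api/system/status" 2>/dev/null || true)"
    if server_is_up "$body"; then
      echo "SonarQube $(json_field "$body" version) is UP at $SONAR_URL"
      body="$(curl -s --max-time 5 -u admin:admin "$SONAR_URL/api/authentication/validate" 2>/dev/null || true)"
      if creds_accepted "$body"; then
        echo "WARNING: admin/admin still logs in; change it before exposing port 9000" >&2
        return 2
      fi
      echo "OK: default admin password is no longer accepted"
      return 0
    fi
    sleep 5
    waited=$((waited + 5))
  done
  echo "SonarQube did not report UP within ${timeout}s; check the logs/ directory under the install path" >&2
  return 1
}

# Run the live check only when invoked with --run, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then
  check_server "${2:-120}"
fi
```

The JSON parsing is deliberately a single sed expression so the script has no dependency beyond curl; it is only meant for the flat one-level responses these two endpoints return. A non-zero exit code lets the script sit at the end of a provisioning pipeline and fail the run if the server never starts or still accepts the default password.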

Written by

Sandhya Kalikiri