How to Analyze Code and Find Vulnerabilities with SonarQube – InApps Technology is an article under the topic Software Development Many of you are most interested in today !! Today, let’s InApps.net learn How to Analyze Code and Find Vulnerabilities with SonarQube – InApps Technology in today’s post !

Read more about How to Analyze Code and Find Vulnerabilities with SonarQube – InApps Technology at Wikipedia



You can find content about How to Analyze Code and Find Vulnerabilities with SonarQube – InApps Technology from the Wikipedia website

SonarQube is a web-based tool that can help developers produce code free from security issues, bugs, vulnerabilities, smells, and general issues. If you’re working on a small project, that might be an easy feat. You could carefully work through your code to find any issues. But when you’re working on a larger project (or numerous smaller projects), you probably don’t have time to comb through every line of code you’ve written.

Back in February, I wrote a piece on installing the SonarQube code analysis platform. This time around, I want to show you how to use that tool, so you can trust the code you’re working with (be it written by you or someone else).

Although you’ve installed a very nice web-based tool, using Sonarqube isn’t nearly as straightforward as you might think. If you dive into the documentation, you might find it to be less than enlightening.

Fear not, I’m going to walk you through the process of scanning the tried and true Hello, World! application (written in Java) with Sonarqube. And because our original installation was on Ubuntu Server 20.04, I’ll be sticking with that platform. If you’re using Sonarqube on a different OS, you’ll need to make the necessary adjustments.

Read More:   Containers All the Way Down – InApps 2022

Are you ready?

Let’s do this.

Installing Sonar-scanner

This is where most users would get lost. Before you do anything with Sonarqube, you have to have the sonar-scanner application installed on the machine housing your project. I’m going to make this even easier and install it on the same server hosting Sonarqube. Here’s how you’d do that.

Log into the server hosting Sonarqube and install a few dependencies with the command:

sudo apt-get update && sudo apt-get install unzip wget nodejs -y

Once those dependencies are installed, create a new directory with the command:

mkdir sonarqube

Change into that directory with the command:

cd sonarqube

Download the sonar-scan file:

wget https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-4.2.0.1873-linux.zip

Unzip the downloaded file:

unzip sonar-scanner-cli-4.2.0.1873-linux.zip

Finally, move the newly-created folder with the command:

sudo mv sonar-scanner-4.2.0.1873-linux /opt/sonar-scanner

Next, we need to create a sonar-scan configuration file with the command:

sudo nano /opt/sonar-scanner/conf/sonar-scanner.properties

In that file, paste the following:

Where SERVER is the IP address of the hosting server.

Save and close the file.

Now we’ll create another configuration file, one that will set the necessary $PATH variables. Issue the command:

sudo nano /etc/profile.d/sonar-scanner.sh

In that file, paste the following:

Save and close the file.

Add sonar-scanner to your path with the command:

source /etc/profile.d/sonar-scanner.sh

Verify sonar-scanner is working with the command:

sonar-scanner -v

You should see the version numbers of a few tools. Success! You’re ready to run your first scan.

How to Scan Your Code

Let’s create a Hello, World! application example. Create a new directory with the command:

mkdir java

Change into that folder with the command:

cd java

Create the code file with the command:

nano helloworld.java

In that file, paste the following:

Save and close the file.

Now, go back to the Sonarqube web interface and create a new project (Figure 1).

Figure 1: Click Create new project to begin the process.

In the resulting window (Figure 2), give the new project a name for both the key and the display.

Figure 2: Naming your new project in Sonarqube.

In the next window (Figure 3), you must generate a token for the project. Give the token a name and click Generate.

Figure 3: Generating a token for the new project.

You will then have to give the token yet another name and click Generate. This will display the token for you. Copy and save that token (as you will need it for later scans).

Click Continue to move on to the next step. In this window (Figure 4), select the build technology for the project (we’ll select Other).

Figure 4: Selecting the build technology for your project.

You will then be prompted for the OS you’re using for the scan. In our case, we’ll select Linux. Once you’ve made your selection, you’ll be presented with the command to be run on the machine with the sonar-scanner command (Figure 5). Move back to the terminal window and paste that command into the window.

Figure 5: Sonarqube presents the command you use for the scan.

Run the scan from within your project directory and it will do its thing. After a bit (depending on how large your project is) it will finish and the results of the scan will appear in the Sonarqube web GUI (Figure 6).

Figure 6: The results of our scan show a pretty clean project.

Understand, this was a simple Hello, World! example. If your project is larger, it will take considerably longer to scan and your results might not come up as production-ready. So go through the Sonarqube report and address any issues it reports.

Read More:   Engage Meaningfully in Open Source Communities – InApps 2022

This is a great way to make sure your code is as clean and issue-free as possible. Don’t depend on yourself to take on this task alone. With just a few extra steps, you can empower yourself with a platform that can do the job faster and more reliably.



Source: InApps.net

Rate this post
As a Senior Tech Enthusiast, I bring a decade of experience to the realm of tech writing, blending deep industry knowledge with a passion for storytelling. With expertise in software development to emerging tech trends like AI and IoT—my articles not only inform but also inspire. My journey in tech writing has been marked by a commitment to accuracy, clarity, and engaging storytelling, making me a trusted voice in the tech community.

Let’s create the next big thing together!

Coming together is a beginning. Keeping together is progress. Working together is success.

Let’s talk

Get a custom Proposal

Please fill in your information and your need to get a suitable solution.

    You need to enter your email to download

      Success. Downloading...