Jenkins SAST integration to SonarQube

How to Integrate Jenkins SAST to SonarQube – DevSecOps.

SonarQube is an application that collects, analyzes, and visualizes functional bugs and security vulnerabilities found in source code. We have already discussed how to perform static analysis with Jenkins and, before that, how to run security testing in the IDE and capture the vulnerabilities there. In both cases, SonarQube works well together with Jenkins to collect and visualize the findings, and it can trigger events such as notifications. So, in this article, we will see how to integrate Jenkins SAST with SonarQube.

So Far!

In our previous articles, we discussed how to perform static analysis with Jenkins and published a tutorial on implementing security testing in the IDE at the developer's end.

In this tutorial, I am using a simple Python Flask application to run the static analysis (SAST) process and show how to integrate Jenkins SAST with SonarQube.

SonarQube Setup

SonarQube Instance

Before proceeding with the integration, we will set up a SonarQube instance. The choice of platform is yours; in this tutorial, we are running SonarQube as a Docker container.

$ docker run -d -p 9000:9000 sonarqube

In the above command, we forward port 9000 of the container to port 9000 of the host machine, since SonarQube listens on port 9000. Then, from the browser, open http://localhost:9000 and you will see SonarQube running. Log in with the default credentials (admin:admin) and change the admin password right away, before the instance is reachable by anyone else: the default password is public knowledge and the admin account can read every project and create tokens.

Generate User Token

Now, we need a SonarQube user token so that Jenkins can authenticate to SonarQube. For this, go to User > My Account > Security, and at the bottom of the page create a new token by clicking the Generate button. Copy the token and keep it safe: it is shown only once, and it grants whoever holds it the same analysis rights as the user that created it. It belongs in the Jenkins credential store, never in sonar-project.properties or the Jenkinsfile committed to the repository.

SonarQube Token Generation

Add necessary plugin

In this tutorial, we are following a Python-based application, so we need the Python analyzer plugin in SonarQube to process the analysis that Jenkins sends. For this, go to Administration > Marketplace > Plugins and search for Python. You will see Python Code Quality and Security (Code Analyzer for Python); install it. That's all from the SonarQube side.

Python Code Analyzer for SonarQube

Configuring SonarQube in Codebase.

In the Movie Database application code base from GitHub (https://github.com/PrabhuVignesh/movie-crud-flask), we add a sonar-project.properties file at the repository root with the following content.

sonar.projectKey=movie-crud-flask
sonar.projectName=movie-crud-flask
sonar.projectVersion=1.0
sonar.projectBaseDir=.
# Path is relative to sonar.projectBaseDir (the Jenkins workspace), so no leading slash:
# /report/banditResult.json would point at the root of the agent's filesystem.
sonar.python.bandit.reportPaths=report/banditResult.json

This tells the sonar scanner which project key and project name to publish the analysis under. Along with this, we are using Bandit, a static analyzer that looks for common security issues in Python source code (for example debug mode, hardcoded passwords, and string-built SQL), and we point SonarQube at its JSON report in the properties file so that the Bandit findings appear alongside SonarQube's own rules. Note that the server URL and token are deliberately not in this file; they are supplied by Jenkins at scan time.

Jenkins Setup for SonarQube

Now, we need to install the SonarQube plugin in Jenkins and configure it. Let's go through it step by step.

SonarQube plugin in Jenkins.

First of all, we need to install the SonarQube Scanner plugin in Jenkins. For this, go to Manage Jenkins > Plugin Manager > Available, type SonarQube Scanner in the search box, then select and install it.

SonarQube Scanner Plugin for Jenkins

Tool Configuration SonarQube Scanner

Now, we need to configure the Jenkins plugin so that it can connect to the SonarQube instance. For that, go to Manage Jenkins > Configure System > SonarQube servers and click Add SonarQube. Give it an installation name and the server URL, then add the authentication token generated earlier to the Jenkins credential manager as a Secret text credential and select that credential in the configuration. Storing it as a credential keeps the token out of the job configuration and masks it in the console output.

SonarQube Server Configuration in Jenkins

Then, we need to set up the SonarQube Scanner tool that will scan the source code in the pipeline stage. For this, go to Manage Jenkins > Global Tool Configuration > SonarQube Scanner and click Add SonarQube Scanner. Give the scanner a name (the pipeline below refers to it as sonarqube) and add an installer of your choice. In this case, I have selected SonarQube Scanner from Maven Central.

SonarQube Scanner Configuration for Jenkins

SonarQube Scanner in Jenkins Pipeline

Now, it's time to integrate the SonarQube Scanner into the Jenkins Pipeline. For this, we add one more stage to the Jenkinsfile called sonar-publish, with the following code inside it.

stage ("sonar-publish"){
	steps {
		echo "===========Performing Sonar Scan============"
		// withSonarQubeEnv injects SONAR_HOST_URL and the token from the
		// server entry configured under Manage Jenkins > Configure System.
		// 'sonarqube' is assumed to be the installation name given there;
		// the tool name must match the Global Tool Configuration entry.
		withSonarQubeEnv('sonarqube') {
			sh "${tool 'sonarqube'}/bin/sonar-scanner"
		}
	}
}

Here, the tool step resolves the scanner installed via Global Tool Configuration, and withSonarQubeEnv hands the scanner the server URL and token from the Jenkins SonarQube server configuration through environment variables, so neither has to be written into the repository. The scanner reads the project key, project name and Bandit report path from sonar-project.properties and publishes the analysis to the SonarQube server. So, the overall Jenkinsfile will look like the snippet below.

pipeline {
	agent any
	stages {
		stage ("Git checkout"){
			steps {
				git branch: "master",
					url: "https://github.com/PrabhuVignesh/movie-crud-flask.git"
				sh "ls"
			}
		}
		stage ("Python Flask Prepare"){
			steps {
				sh "pip3 install -r requirements.txt"
			}
		}
		stage ("Unit Test"){
			steps{
				sh "python3 test_basic.py"
			}
		}
		stage ("Python Bandit Security Scan"){
			steps{
				// Run Bandit first, then show the report it wrote; '|| true' keeps
				// the build going so the findings still reach SonarQube.
				sh "sh run_bandit.sh || true"
				sh "cat report/banditResult.json"
				sh "ls"
			}
		}
		stage ("Dependency Check with Python Safety"){
			steps{
				// Bind-mount the workspace into the container (a bare --volume PATH
				// creates an empty anonymous volume instead) and point safety at
				// the project's requirements, not the container's own packages.
				sh "docker run --rm -v \$(pwd):/src pyupio/safety:latest safety check -r /src/requirements.txt"
				sh "docker run --rm -v \$(pwd):/src pyupio/safety:latest safety check -r /src/requirements.txt --json > report.json"
			}
		}
		stage ("Static Analysis with python-taint"){
			steps{
				// Same bind mount; /src is an assumed mount point, pyt scans that path.
				sh "docker run --rm -v \$(pwd):/src vickyrajagopal/python-taint-docker pyt /src"
			}
		}
		stage ("sonar-publish"){
			steps {
				echo "===========Performing Sonar Scan============"
				// Server URL and token come from the Jenkins SonarQube server
				// configuration; 'sonarqube' is assumed to be its installation name.
				withSonarQubeEnv('sonarqube') {
					sh "${tool 'sonarqube'}/bin/sonar-scanner"
				}
			}
		}
	}
}

Once we execute the Jenkins Pipeline for this project, we get the following output.

Jenkins Pipeline for SonarQube

The final stage runs the SonarQube Scanner, which collects the SAST information together with the Bandit report in JSON format and publishes them to the SonarQube server. If you log in to SonarQube and open the dashboard, you will see the analysis of the project there. Note that as written, the pipeline only reports: the Bandit step is followed by || true, so a scan full of high-severity findings still produces a green build.
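One way to turn the report into an actual gate, as an added example that is not part of the original article or the movie-crud-flask repository: a small Python script that reads the same Bandit JSON the scanner hands to SonarQube and exits non-zero when findings at or above a chosen severity (and confidence) are present. The script name bandit_gate.py and the embedded sample report are constructed for illustration; the field names (results, issue_severity, issue_confidence, test_id, filename, line_number, issue_text) are the ones Bandit writes with -f json.

```python
"""bandit_gate.py: fail a Jenkins build on Bandit findings.

Added example; not code from the article or the movie-crud-flask project.
Pipeline usage (after run_bandit.sh has written the report):
    sh "python3 bandit_gate.py report/banditResult.json HIGH"
"""
import json
import sys
from collections import Counter

# Constructed sample in Bandit's JSON layout; a real report has more fields per result.
SAMPLE_BANDIT_REPORT = json.dumps({
    "results": [
        {"test_id": "B201", "issue_severity": "HIGH", "issue_confidence": "MEDIUM",
         "filename": "app.py", "line_number": 42,
         "issue_text": "A Flask app appears to be run with debug=True"},
        {"test_id": "B105", "issue_severity": "LOW", "issue_confidence": "MEDIUM",
         "filename": "config.py", "line_number": 3,
         "issue_text": "Possible hardcoded password"},
        {"test_id": "B608", "issue_severity": "MEDIUM", "issue_confidence": "LOW",
         "filename": "db.py", "line_number": 17,
         "issue_text": "Possible SQL injection vector through string-based query construction"},
    ]
})

# Bandit uses the same three levels for both severity and confidence.
RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}


def severity_counts(report_text: str) -> Counter:
    """Count Bandit results by issue_severity (LOW/MEDIUM/HIGH)."""
    report = json.loads(report_text)
    return Counter(r["issue_severity"].upper() for r in report.get("results", []))


def violations(report_text: str, fail_on: str = "HIGH", min_confidence: str = "LOW") -> list:
    """Results whose severity >= fail_on and whose confidence >= min_confidence.

    Raising min_confidence lets a team ignore low-confidence heuristics
    (e.g. B608 at LOW confidence) without losing the HIGH-confidence hits.
    """
    report = json.loads(report_text)
    return [
        r for r in report.get("results", [])
        if RANK[r["issue_severity"].upper()] >= RANK[fail_on.upper()]
        and RANK[r["issue_confidence"].upper()] >= RANK[min_confidence.upper()]
    ]


def gate(report_text: str, fail_on: str = "HIGH", min_confidence: str = "LOW") -> int:
    """Exit status for the Jenkins sh step: 0 passes, 1 fails the build."""
    bad = violations(report_text, fail_on, min_confidence)
    for r in bad:  # one line per finding so it is readable in the console log
        print(f"{r['filename']}:{r['line_number']} {r['test_id']} "
              f"{r['issue_severity']}/{r['issue_confidence']} {r['issue_text']}")
    return 1 if bad else 0


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_BANDIT_REPORT
    threshold = sys.argv[2] if len(sys.argv) > 2 else "HIGH"
    sys.exit(gate(text, threshold))
```

Run it as a step right after the Bandit stage, before sonar-publish, so the findings are still uploaded to SonarQube but the build is marked failed when the threshold is crossed; a Jenkins sh step fails on any non-zero exit status, so no extra plumbing is needed.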

Code analysis Result in SonarQube

Since both Jenkins and SonarQube are used as standard enterprise tooling, they offer many further features, including alerting. We can configure email or instant message notifications for findings in either SonarQube or Jenkins, and in the best case automatically turn selected bugs or findings into tickets assigned to the responsible developer.

Conclusion

Analysis always ends in collection and visualization. The same applies here: we collect the static analysis and vulnerability reports while building the project, then send the data to SonarQube to visualize it so that we can examine the source code further. In this article, we have discussed how to integrate Jenkins SAST with SonarQube. The tools we used to scan the source code are specific to Python; every platform has its own tools that will help you perform static analysis (SAST) for the platform of your choice. In our upcoming article, we will discuss dynamic analysis (DAST) and how to automate it in the CI/CD process. Stay tuned and subscribe to DigitalVarys for more articles and study materials on DevOps, Agile, DevSecOps, and app development.
