
SonarQube Server

What is SonarQube Server?

SonarQube is a widely used static analysis tool that scans code for quality and security issues. It has community and commercial editions and supports a wide range of programming languages.

The Uleska Platform integrates with your instance of the SonarQube Community or Professional edition by setting up a connection to that instance and scanning your source code with it to return security vulnerabilities.

Note that if you wish to use the commercial version of SonarQube, or an instance of SonarQube in your own environment, you can use the SonarQube Scanner adaptor.

Security Stage: SAST (Static Code Analysis)
Type: Community and Commercial
Languages: Java, JavaScript, C#, TypeScript, Kotlin, Ruby, Go, Scala, Flex, Python, PHP, HTML, CSS, VB, C, C++, Swift, SQL
Site: https://www.sonarqube.org/

Pre-requisites

  1. You'll need a Git address to scan
  2. You'll need a SonarQube instance to connect to

How do I set it up?

There are three steps to setting up SonarQube with your instance:

  1. Creating a user and token in your instance of SonarQube
  2. Creating a connection configuration in the Uleska Platform for your instance of SonarQube
  3. Setting your application and version (stage) to run SonarQube testing.

Creating a user and token in your instance of SonarQube

To connect your SonarQube instance and the Uleska Platform, you'll need a user API token. See the SonarQube instructions at https://docs.sonarqube.org/latest/user-guide/user-token/ to set this up.


Creating a connection configuration in the Uleska Platform for your instance of SonarQube

Now that you have your access user and token, you can set up a connection configuration.

  • In the Uleska Platform, click on the Configuration menu and select the 'Connections' tab
  • Click on 'Add Connection'
  • From the drop down list, select 'SonarQube'
  • Add the URL of your SonarQube instance, which is the root address of your SonarQube instance. This needs to be accessible on the internet and use public SSL/TLS certificates.
  • For the Username enter the SonarQube account which can access the project you want.
  • For the Password, enter the password for that user account.
  • To check that the credentials and access are okay, click the 'Test' button to confirm connectivity before saving.
  • Click 'Save'.


To run SonarQube Server, go to your SonarQube instance, find the project you want to retrieve vulnerabilities for, and copy its Project Key. Note that the project must already exist in SonarQube: this Uleska adaptor starts the security scan and retrieves the resulting findings, but it does not create the initial project entry in SonarQube.

Enter this project key under the cog (settings) icon of the SonarQube Server tool.


Note that the Application Name will be used as the default component key if you do not enter one.
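The connection form's 'Test' button only reports success or failure, so the following pre-flight script (an added example, not part of the Uleska Platform or SonarQube) checks the three prerequisites described above one at a time: that the URL is the HTTPS root of the instance, that the user token from step 1 authenticates (assumed to be sent as the Basic-auth username with an empty password, SonarQube's token convention), and that the project key exists and is readable by that user. The SonarQube Web API paths used, api/authentication/validate and api/components/show, are real endpoints; the host, token and project key are placeholders you supply.

```python
"""Pre-flight checks for a SonarQube Server connection (added example, not Uleska code).
Assumes an HTTPS root with a publicly trusted certificate and that the step-1 user
token is sent as the Basic-auth username with an empty password (SonarQube's convention)."""
import base64
import json
import urllib.error
import urllib.request
from urllib.parse import quote, urlsplit


def normalize_root_url(url: str) -> str:
    """Reduce a pasted SonarQube link to its https://host[:port] root; the
    connection form wants the instance root, and plain http is rejected."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"SonarQube URL must be https://host[:port], got {url!r}")
    return f"https://{parts.netloc}"


def token_is_valid(payload: dict) -> bool:
    """Interpret an api/authentication/validate response body."""
    return bool(payload.get("valid"))


def project_matches(payload: dict, project_key: str) -> bool:
    """Interpret an api/components/show response: the key must match exactly."""
    return payload.get("component", {}).get("key") == project_key


def _get(root: str, path: str, token: str) -> dict:
    """GET a Web API path with token auth. urllib verifies the certificate against
    the system trust store, so a private CA fails here just as it would for Uleska."""
    cred = base64.b64encode(f"{token}:".encode()).decode()
    req = urllib.request.Request(root + path, headers={"Authorization": f"Basic {cred}"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def check_connection(url: str, token: str, project_key: str) -> dict:
    """Report which prerequisite fails: the URL, the token, or the project key."""
    root = normalize_root_url(url)
    result = {"root": root, "token_ok": False, "project_ok": False}
    try:
        result["token_ok"] = token_is_valid(_get(root, "/api/authentication/validate", token))
        comp = _get(root, "/api/components/show?component=" + quote(project_key, safe=""), token)
        result["project_ok"] = project_matches(comp, project_key)
    except urllib.error.HTTPError as exc:
        if exc.code not in (401, 403, 404):  # bad token, or project missing/not browsable
            raise
    return result
```

Call `check_connection("https://sonar.example.com", "<user-token>", "<project-key>")` with your own values; a `token_ok` of False means the token (not the network) is the problem, and `project_ok` of False means the key is wrong or the user lacks Browse permission on that project.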


Setting your application and version (stage) to run SonarQube testing

Now you can add SonarQube Server testing to your toolkit. You will add this testing tool to a version (security stage) that is set up to run static code analysis tests.

  • Click on the application you wish to add the tool for, and edit the version (stage) configuration.


  • Ensure that the version's 'Git Address' is set to the Git URL of the repo being tested (either through the Uleska UI, or via the CLI/API). This will include the branch and auth details needed.


  • Go to the 'Test Tools' tab and click 'Add Tool' for the 'Sonar-Scanner' tool.


  • Click Save.

Now, any time you click 'Test Now' for that application stage, or request a run of that stage over the Uleska API or CLI, the SonarQube tool will be included in the test run and any results will be added to your vulnerabilities list.

Notes

None