SonarQube is a very popular static analysis tool that scans code for quality and security issues. SonarQube has community and commercial versions with a wide range of support for various coding languages.
The Uleska Platform integrates with your own SonarQube Community or Professional edition instance: you set up a connection to that instance, and the platform scans your source code with it and returns the security vulnerabilities it reports.
Note that if you wish to use the commercial version of SonarQube, or an instance of SonarQube in your environment, you can use the SonarQube Scanner adaptor.
| Security Stage | SAST (Static Code Analysis) |
|---|---|
| Type | Community and Commercial |

Prerequisites:

1. You'll need a Git Address to scan
2. You'll need a SonarQube instance to connect to
There are three steps to setting up SonarQube with your instance:
To connect your SonarQube instance and the Uleska Platform, you'll need a user API token. See the SonarQube instructions at https://docs.sonarqube.org/latest/user-guide/user-token/ to set this up.
Now that you have your access user and token, you can set up a connection configuration.
To run the SonarQube Server adaptor, go to SonarQube, find the project whose vulnerabilities you want to retrieve, and copy its Project Key. Note that the project must already exist in SonarQube: this Uleska adaptor starts the security scan and retrieves the resulting findings, but it does not create the initial project entry in SonarQube.
Enter this project key in the cog (settings) of the SonarQube Server tool.
Note that the Application Name will be used as the default component key if you do not enter one.
Now you can add SonarQube Server testing to your toolkit. You will add this testing tool to a version (security stage) that is set up to run static code analysis tests.
Now any time you click 'Test Now' for that application stage of testing, or make a request over the Uleska API or CLI for that stage, the SonarQube tool will be included in the test run and any results added to your vulnerabilities list.
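As an added example (not Uleska's or SonarQube's own code) of what the adaptor does once it has a user token and a Project Key, the script below queries the SonarQube Web API for a project's unresolved vulnerability-type issues and reduces them to a vulnerability list. The instance URL, project key and token are placeholders, and the sample response is constructed.

```python
import base64
import json
import urllib.parse
import urllib.request


def auth_header(user_token):
    """SonarQube accepts a user token as the Basic-auth username with an empty password."""
    raw = base64.b64encode(f"{user_token}:".encode()).decode()
    return {"Authorization": f"Basic {raw}"}


def issues_url(base_url, project_key, page=1, page_size=500):
    """Web API query for unresolved VULNERABILITY-type issues on one project key."""
    query = urllib.parse.urlencode({"componentKeys": project_key, "types": "VULNERABILITY",
                                    "resolved": "false", "p": page, "ps": page_size})
    return f"{base_url.rstrip('/')}/api/issues/search?{query}"


def parse_vulnerabilities(payload):
    """Reduce one api/issues/search page to the fields a vulnerability list needs."""
    return [{"rule": i["rule"], "severity": i["severity"],
             "file": i.get("component", "").split(":", 1)[-1],  # strip the project-key prefix
             "line": i.get("line"), "message": i["message"]}
            for i in payload.get("issues", [])]


def fetch_vulnerabilities(base_url, project_key, user_token):
    """Page through the API until every vulnerability for the project is collected (needs network)."""
    found, page = [], 1
    while True:
        req = urllib.request.Request(issues_url(base_url, project_key, page),
                                     headers=auth_header(user_token))
        with urllib.request.urlopen(req) as resp:
            payload = json.load(resp)
        found.extend(parse_vulnerabilities(payload))
        if page * payload["paging"]["pageSize"] >= payload["paging"]["total"]:
            return found
        page += 1


# Constructed sample page, shaped like api/issues/search output (not a real scan result).
SAMPLE_RESPONSE = {
    "paging": {"pageIndex": 1, "pageSize": 500, "total": 1},
    "issues": [{"rule": "example:S0000", "severity": "BLOCKER", "line": 42,
                "component": "my-app:src/main/java/App.java",
                "message": "Constructed finding: user input reaches a SQL query"}],
}
```

Running `fetch_vulnerabilities("https://sonarqube.example.internal", "my-app", "<your token>")` against a real instance returns the same list shape that `parse_vulnerabilities(SAMPLE_RESPONSE)` produces offline.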