Thursday, 24 March 2022

Another one SAST to bytes

During one of the last evenings I decided to read and learn more about static source code review. In the past I had the pleasure of creating (more or less) 'automated' tools to do it. This time I decided not to start "from the beginning" but instead to learn more about SAST and SonarQube scanning scenarios. Here we go...

Today we'll start here:



 

TL;DR:

For this exercise I used a simple environment:
- Ubuntu 20 VM
- Docker
- SonarQube (I tried versions: from 6.5 to 8.9-community).
 

My initial goal was to prepare a working plugin for SonarQube ("step by step" ;)). 

After a while (~2 days with the Maven and SonarQube manuals) I decided to check for a solution that ("maybe") was 'already available online'.

And that's how I found this page

When your 'working environment' is ready (in the end I used version 8.9-community) you can continue with the plugin called FindBugs.


To use it with our SonarQube, let's start a docker image:


 In the next step I created a 'New Project':

 


Follow the steps to see page similar to the one presented below (I decided to use 'Other source' and 'Linux'):

Next (in a 2nd console window) let's run /bin/bash inside the container to upload our new plugin to the ./extensions/plugins/ directory:


 

After we restart the docker container we should be ready to use the uploaded plugin to scan our source code directory:


We are looking for something like this:


As an 'example source directory' I used DVWA (found here - thanks!) but feel free to use it against 'your own source repository' ;)

I also started sonar-scanner from docker, like this:
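The whole sequence from the steps above (start SonarQube, copy in the plugin, restart, run the scanner), collected into one shell script as an added example; it is not code from the original post. It assumes the official `sonarqube:8.9-community` and `sonarsource/sonar-scanner-cli` images, a container named `sonarqube`, a placeholder path for the FindBugs plugin jar, a placeholder DVWA checkout under `./dvwa` and a project key `dvwa` created in the UI; the scanner token is passed through from the `SONAR_TOKEN` environment variable rather than typed into the command line. By default the script only prints the docker commands (dry run); set `DRY_RUN=0` to execute them.

```shell
#!/bin/sh
# Added example (not the post's own code): SonarQube + FindBugs plugin +
# sonar-scanner, run from docker. Every value below is an assumption or a
# placeholder and can be overridden from the environment.

DRY_RUN="${DRY_RUN:-1}"                                  # 1 = print commands, 0 = execute them
SQ_IMAGE="${SQ_IMAGE:-sonarqube:8.9-community}"          # version the post settled on
SQ_NAME="${SQ_NAME:-sonarqube}"                          # assumed container name
SQ_PORT="${SQ_PORT:-9000}"                               # SonarQube's default web port
PLUGIN_JAR="${PLUGIN_JAR:-./sonar-findbugs-plugin.jar}"  # placeholder path to the FindBugs plugin jar
SRC_DIR="${SRC_DIR:-$PWD/dvwa}"                          # placeholder absolute path to the DVWA checkout
PROJECT_KEY="${PROJECT_KEY:-dvwa}"                       # assumed key of the project created in the UI
SCANNER_IMAGE="${SCANNER_IMAGE:-sonarsource/sonar-scanner-cli}"

# Print the docker command in dry-run mode, execute it otherwise. Arguments are
# passed through as a list, so paths with spaces survive without eval.
docker_cmd() {
  if [ "$DRY_RUN" = 1 ]; then echo docker "$@"; else docker "$@"; fi
}

# 1. Start SonarQube detached, publishing the web UI on $SQ_PORT.
sonarqube_start() {
  docker_cmd run -d --name "$SQ_NAME" -p "$SQ_PORT:9000" "$SQ_IMAGE"
}

# 2. Copy the plugin jar into the container's plugin directory
#    (/opt/sonarqube/extensions/plugins in the official image). docker cp
#    replaces the interactive /bin/bash session, so the step is repeatable.
plugin_install() {
  docker_cmd cp "$PLUGIN_JAR" "$SQ_NAME:/opt/sonarqube/extensions/plugins/"
}

# 3. Restart the container so SonarQube loads the new plugin.
sonarqube_restart() {
  docker_cmd restart "$SQ_NAME"
}

# 4. Run sonar-scanner from its own image. The source tree is mounted at
#    /usr/src (the image's working directory) and the scanner talks to the
#    SonarQube container over the host network. A bare "-e SONAR_TOKEN" makes
#    docker copy the variable from our environment, so the token never appears
#    in the command line or the shell history.
sonar_scan() {
  if [ "$DRY_RUN" != 1 ] && [ -z "${SONAR_TOKEN:-}" ]; then
    echo "SONAR_TOKEN is not set; generate a project token in the SonarQube UI first" >&2
    return 1
  fi
  docker_cmd run --rm --network host -v "$SRC_DIR:/usr/src" \
    -e "SONAR_HOST_URL=http://localhost:$SQ_PORT" -e SONAR_TOKEN \
    "$SCANNER_IMAGE" -Dsonar.projectKey="$PROJECT_KEY" -Dsonar.sources=.
}

# Poll the system status API until SonarQube reports UP; give up after
# $1 attempts (5 s apart) so a failed start or a broken plugin is noticed
# instead of the scan failing later with a less obvious error.
sonarqube_wait_ready() {
  tries="${1:-60}"
  while [ "$tries" -gt 0 ]; do
    if curl -fs "http://localhost:$SQ_PORT/api/system/status" | grep -q '"status":"UP"'; then
      return 0
    fi
    tries=$((tries - 1))
    sleep 5
  done
  echo "SonarQube did not become ready; check 'docker logs $SQ_NAME'" >&2
  return 1
}

# The four steps in order, with readiness checks between them when executing.
pipeline() {
  if [ "$DRY_RUN" != 1 ] && [ ! -f "$PLUGIN_JAR" ]; then
    echo "plugin jar not found: $PLUGIN_JAR" >&2
    return 1
  fi
  sonarqube_start
  [ "$DRY_RUN" = 1 ] || sonarqube_wait_ready || return 1
  plugin_install
  sonarqube_restart
  [ "$DRY_RUN" = 1 ] || sonarqube_wait_ready || return 1
  sonar_scan
}

pipeline
```

Running it as-is prints the four docker commands so they can be reviewed before anything touches the VM; `DRY_RUN=0 SONAR_TOKEN=... ./sast-docker.sh` executes them. The status poll uses SonarQube's `api/system/status` endpoint, which is what distinguishes "container started" from "plugin loaded and server answering".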


Work in progress...


After a while you should see results in SonarQube's Dashboard (of course in our case we're looking for the 'Security Hotspots' ;)), for example:

 

I believe now it's time for The Real DevTeam to prepare something "more interesting and detailed" for the automated source code scan.

As you can see the results are not 'the best', so there is always "something to fix" or some regex to add... ;)

Have fun!


Cheers
