Merge pull request #22 from asanchezr/master
Use upstream/official SonarQube 8 image
WadeBarnes authored Mar 26, 2020
2 parents 6a5701e + d8b63af commit fd0a991
Showing 5 changed files with 38 additions and 64 deletions.
52 changes: 20 additions & 32 deletions Dockerfile
@@ -1,24 +1,14 @@
FROM jboss/base-jdk:11
FROM sonarqube:8-community

MAINTAINER Erik Jacobs <[email protected]>
MAINTAINER Siamak Sadeghianfar <[email protected]>
MAINTAINER Roland Stens ([email protected])
MAINTAINER Wade Barnes ([email protected])
MAINTAINER Emiliano Sune ([email protected])

# Define Plug-in Versions
ARG SONAR_ZAP_PLUGIN_VERSION=1.2.0

ENV SONAR_VERSION=7.9.1 \
SONARQUBE_HOME=/opt/sonarqube \
SONARQUBE_JDBC_USERNAME=sonar \
SONARQUBE_JDBC_PASSWORD=sonar \
SONARQUBE_JDBC_URL=

ENV SONARQUBE_PLUGIN_DIR=$SONARQUBE_HOME/extensions/plugins
MAINTAINER Alejandro Sanchez ([email protected])

ENV SUMMARY="SonarQube for bcgov OpenShift" \
DESCRIPTION="This image creates the SonarQube image for use at bcgov/OpenShift"
DESCRIPTION="This image creates the SonarQube image for use at bcgov/OpenShift"

LABEL summary="$SUMMARY" \
description="$DESCRIPTION" \
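Review bot: after dropping the `ENV SONAR_VERSION=7.9.1 ... SONARQUBE_HOME=/opt/sonarqube ...` block, the Dockerfile depends on `sonarqube:8-community` exporting `SONAR_VERSION` and `SONARQUBE_HOME`, which the remaining `release="$SONAR_VERSION"` label and the later `ENV SONARQUBE_PLUGIN_DIR="$SONARQUBE_HOME/extensions/plugins"` expand at build time; if the base image renames either variable the label silently becomes empty and the plugin lands in `/extensions/plugins`. Suggest re-declaring the two values explicitly, or adding a `RUN test -n "$SONARQUBE_HOME"` guard, so the build fails loudly instead. Separately, `FROM sonarqube:8-community` is a floating tag while the README and template in this PR pin `8.2`; `FROM sonarqube:8.2-community` would keep the base image and the published tag in step.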
Expand All @@ -28,32 +18,30 @@ LABEL summary="$SUMMARY" \
io.openshift.tags="sonarqube" \
release="$SONAR_VERSION"

USER root
EXPOSE 9000
ADD root /
# Define Plug-in Versions
ARG SONAR_ZAP_PLUGIN_VERSION=1.2.0
ENV SONARQUBE_PLUGIN_DIR="$SONARQUBE_HOME/extensions/plugins"

RUN set -x \
&& cd /opt \
&& curl -o sonarqube.zip -fSL https://binaries.sonarsource.com/Distribution/sonarqube/sonarqube-$SONAR_VERSION.zip \
&& unzip sonarqube.zip \
&& mv sonarqube-$SONAR_VERSION sonarqube \
&& rm sonarqube.zip* \
&& rm -rf $SONARQUBE_HOME/bin/*
# Switch to root for package installs
USER 0

# ================================================================================================================================================================================
# Bundle Plug-in(s)
# --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

# sonar-zap-plugin
# https://github.com/Coveros/zap-sonar-plugin
ADD https://github.com/Coveros/zap-sonar-plugin/releases/download/sonar-zap-plugin-$SONAR_ZAP_PLUGIN_VERSION/sonar-zap-plugin-$SONAR_ZAP_PLUGIN_VERSION.jar $SONARQUBE_PLUGIN_DIR
# sonar-zap-plugin - https://github.com/Coveros/zap-sonar-plugin
RUN set -x \
&& cd "$SONARQUBE_PLUGIN_DIR" \
&& curl -o "sonar-zap-plugin-$SONAR_ZAP_PLUGIN_VERSION.jar" -fsSL "https://github.com/Coveros/zap-sonar-plugin/releases/download/sonar-zap-plugin-$SONAR_ZAP_PLUGIN_VERSION/sonar-zap-plugin-$SONAR_ZAP_PLUGIN_VERSION.jar"

WORKDIR $SONARQUBE_HOME
COPY run.sh $SONARQUBE_HOME/bin/

RUN useradd -r sonar
RUN /usr/bin/fix-permissions $SONARQUBE_HOME \
&& chmod 775 $SONARQUBE_HOME/bin/run.sh
# In order to drop the root user, we have to make some directories world
# writable as OpenShift default security model is to run the container under
# random UIDs.
RUN chown -R 1001:0 "$SONARQUBE_HOME" \
&& chgrp -R 0 "$SONARQUBE_HOME" \
&& chmod -R g+rwX "$SONARQUBE_HOME" \
&& chmod 775 "$SONARQUBE_HOME/bin/run.sh"

USER sonar
ENTRYPOINT ["./bin/run.sh"]
USER 1001
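Review bot: in the permissions `RUN`, `chgrp -R 0 "$SONARQUBE_HOME"` is redundant after `chown -R 1001:0 "$SONARQUBE_HOME"` (the chown already set the group to 0), and `chmod -R g+rwX "$SONARQUBE_HOME"` makes the server's own code under `lib/` and `web/` group-writable, which is more than the arbitrary-UID model described in the comment needs. Suggest limiting the recursive chmod to the directories SonarQube writes at runtime (`data`, `logs`, `temp`, `extensions`) and leaving the binaries read-only. The plugin download `curl -o "sonar-zap-plugin-$SONAR_ZAP_PLUGIN_VERSION.jar" -fsSL "https://github.com/Coveros/..."` also has no integrity check; a `sha256sum -c` against a pinned digest would catch a replaced release asset. Finally, `EXPOSE 9000` and `ENTRYPOINT ["./bin/run.sh"]` appear to be removed and are now inherited from the base image; a line in the commit message saying so would make that read as intentional.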
24 changes: 16 additions & 8 deletions README.md
Expand Up @@ -3,7 +3,7 @@ title: SonarQube on OpenShift
description: Documentation and resources (complete with examples) required to deploy a SonarQube server instance into a BCGov OpenShift pathfinder environment, and integrate SonarQube and ZAP scanning into your Jenkins pipeline. With SonarQube you can perform and report on code quality, and code coverage, and scan for known vulnerabilities and security issues.
author: WadeBarnes
resourceType: Components
personas:
personas:
- Developer
- Product Owner
- Designer
Expand Down Expand Up @@ -39,25 +39,33 @@ SonarQube server images are now available on DockerHub:
- [bcgovimages/sonarqube](https://hub.docker.com/r/bcgovimages/sonarqube/)

## Building the SonarQube Server Image
The SonarQube server image (`bcgovimages/sonarqube:7.9.1`) is already available on DockerHub, so **you do not have to repeat this step** unless you are building a customized or updated version of the SonarQube Server.

The SonarQube server image (`bcgovimages/sonarqube:8.2`) is already available on DockerHub, so **you do not have to repeat this step** unless you are building a customized or updated version of the SonarQube Server.

Logon to your `tools` project and run the following command:

oc new-build https://github.com/BCDevOps/sonarqube --name=sonarqube --to=sonarqube:7.9.1
```bash
oc new-build https://github.com/BCDevOps/sonarqube --strategy=docker --name=sonarqube --to=sonarqube:8.2
```

## Deploy on OpenShift

The [sonarqube-postgresql-template](./sonarqube-postgresql-template.yaml) has been provided to allow you to quickly and easily deploy a fully functional instance of the SonarQube server, complete with persistent storage, into your `tools` project. The template will create all of the necessary resources for you.

Logon to your `tools` project and run the following command:

oc new-app -f sonarqube-postgresql-template.yaml --param=SONARQUBE_VERSION=7.9.1

```bash
oc new-app -f sonarqube-postgresql-template.yaml --param=SONARQUBE_VERSION=8.2
```

## Change the Default Admin Password
When the SonarQube server is first deployed it is using a default `admin` password. For security, it is **highly** recommended you change it. The [UpdateSqAdminPw](./provisioning/updatesqadminpw.sh) script has been provided to make this easy. The script will generate a random password, store it in an OpenShift secret named `sonarqube-admin-password`, and update the admin password of the SonarQube server instance.

Logon to your `tools` project and run the following command from the [provisioning](./provisioning) directory:

updatesqadminpw.sh
```bash
updatesqadminpw.sh
```

To login to your SonarQube server as admin, browse to the **sonarqube-admin-password** secret in your OpenShift `tools` project, reveal the password and use it to login.
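Review bot: the `oc new-build https://github.com/BCDevOps/sonarqube --strategy=docker --name=sonarqube --to=sonarqube:8.2` line builds from the repository's default branch with no git ref, so the `sonarqube:8.2` tag in the `tools` project will reflect whatever that branch contains at build time rather than a fixed 8.2 build. Suggest either a `#<tag>` ref suffix on the repository URL or a sentence stating that the DockerHub `bcgovimages/sonarqube:8.2` image is the reference build, so the tag is reproducible.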

Expand Down Expand Up @@ -104,7 +112,7 @@ You can now browse your project report on the SonarQube server site. To find th
Now that you have static scanning, you'll probably notice your code coverage results are at 0% since no unit tests are being executed during the scan. You'll likely what to integrate unit tests into the scans so you get code coverage metrics to help you determine how well you are testing your code. **As you journey down this road, please contribute your experience back to this project to make it better for the whole community.**

### Integrate OWASP ZAP Security Vulnerability Scanning into SonarQube
To make the results of your ZAP security vulnerability scanning accessible and therefore more actionable, you can integrate the scan results into a SonarQube project report. To accomplish this you can use the [ZAP Plugin for SonarQube](https://github.com/Coveros/zap-sonar-plugin), which is bundled in the `bcgovimages/sonarqube:7.9.1` image.
To make the results of your ZAP security vulnerability scanning accessible and therefore more actionable, you can integrate the scan results into a SonarQube project report. To accomplish this you can use the [ZAP Plugin for SonarQube](https://github.com/Coveros/zap-sonar-plugin), which is bundled in the `bcgovimages/sonarqube:8.2` image.

The [SonarQube-Integrated-ZapScan-Jenkinsfile](./jenkins/SonarQube-Integrated-ZapScan-Jenkinsfile) example shows you how to utilize ZAP and the plug-in together to perform a ZAP security vulnerability scan on your application, and then publish the report with SonarQube.

Expand Down Expand Up @@ -162,5 +170,5 @@ If you have found this project helpful, please contribute back to the project as

If you would like to contribute, please see our [CONTRIBUTING](./CONTRIBUTING.md) guidelines.

Please note that this project is released with a [Contributor Code of Conduct](./CODE_OF_CONDUCT.md).
Please note that this project is released with a [Contributor Code of Conduct](./CODE_OF_CONDUCT.md).
By participating in this project you agree to abide by its terms.
7 changes: 0 additions & 7 deletions root/usr/bin/fix-permissions

This file was deleted.

15 changes: 0 additions & 15 deletions run.sh

This file was deleted.
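Review bot: with `run.sh` deleted, the Dockerfile's `chmod 775 "$SONARQUBE_HOME/bin/run.sh"` now targets the upstream image's own start script, and the deleted `fix-permissions` helper is replaced by the inline `chown`/`chmod`. Neither the commit message nor the README says whether whatever the old `run.sh` did (the removed `SONARQUBE_JDBC_USERNAME`/`SONARQUBE_JDBC_PASSWORD`/`SONARQUBE_JDBC_URL` defaults suggest it wired up the database connection) is now covered by the upstream entrypoint; suggest a sentence confirming the upstream script honours the same environment variables the template passes.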

4 changes: 2 additions & 2 deletions sonarqube-postgresql-template.yaml
Expand Up @@ -316,7 +316,7 @@ parameters:
- displayName: SonarQube version
name: SONARQUBE_VERSION
required: true
value: "7.9.1"
value: "8.2"
- description: Password for SonarQube Server PostgreSQL backend
displayName: SonarQube's PostgreSQL Password
from: "[a-zA-Z0-9]{16}"
Expand All @@ -325,7 +325,7 @@ parameters:
required: true
- description: Password for SonarQube Admin
displayName: SonarQube's Admin Password
from: "[a-zA-Z0-9]{8}"
from: "[a-zA-Z0-9]{16}"
generate: expression
name: SONARQUBE_ADMIN_PASSWORD
required: true
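Review bot: raising the generated admin password from `[a-zA-Z0-9]{8}` to `[a-zA-Z0-9]{16}` takes it from roughly 48 bits to roughly 95 bits of entropy and matches the PostgreSQL password expression above; good change. One thing to reconcile: the README in this same PR says a freshly deployed server "is using a default `admin` password" and that `updatesqadminpw.sh` stores a new one in the `sonarqube-admin-password` secret, while the template generates `SONARQUBE_ADMIN_PASSWORD` itself, so the README should state which of the two is the admin password after `oc new-app`.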
