Setting Up SonarQube on an Unix Device

 Setting Up SonarQube on a Unix VM


Prerequisite:

  • A Unix VM with at least 4GB of RAM (8GB recommended)(link)

Shopping List:

  • SonarQube Web Server "Community Edition" (link)
  • SonarQube Scanner (link)

Abstract:

In this blog post, we will go through the steps to set up a SonarQube instance to analyze the source code of an application on an Ubuntu VM.

If you're unfamiliar with SonarQube, it is an excellent open-source SAST tool designed to integrate with various CI/CD platforms.

Once we have a fully functional Ubuntu VM with at least 4GB of RAM (I recommend using 8GB if possible), we need to set up both the SonarQube web server and the SonarQube scanner.


Installing the SonarQube Web Server:


  1. Let's download the SonarQube Web Server by visiting the link showed above and clicking on the highlighted button:
    https://www.sonarsource.com/products/sonarqube/downloads/

  2.                  Let's close the pop-up to start the download clicking on the highlited button:
    https://www.sonarsource.com/products/sonarqube/downloads/success-download-community-edition/

  3. Run the following command to unzip the downloaded file:
    unzip <filename>

  4. Since SonarQube requires OpenJDK 17, install it using:
    sudo apt update && sudo apt install openjdk-17*

  5. Give the correct perimissions to the sonar.sh file:
     chmod +x /your/path/sonar.sh

  6.  Start the SonarQube web server in console mode to check for any issues: 
    /your/path/sonar.sh console

  7. Log in using the default credentials (admin:admin) at: http://127.0.0.1:9000
    127.0.0.1:9000


  8. Upon the first login, you will be prompted to change your password.

  9. After changing it, you will be guided through a brief tutorial.
Congratulations! You have successfully set up the SonarQube web server. However, we still need to configure the SonarQube scanner.

Let's procede with installing the SonarQube Scanner:

  1.  Let's visit the SonarScanner CLI documentation page and click on the download link to start the download of the sonar-cube CLI tools
    https://docs.sonarsource.com/sonarqube-server/latest/analyzing-source-code/scanners/sonarscanner/

  2.                                              Once the download is complete, unzip the file:
    unzip <filename>

  3.                                      Move the extracted folder to /opt/sonar-scanner:


    sudo mv ./<filename>/ /opt/sonar-scanner

  4. Edit your .bashrc file to include the SonarScanner binary in your PATH variable:
    export PATH=$PATH:/opt/sonar-scanner/bin

  5. Apply the changes:
    source /your/path

  6. Check if SonarScanner is working properly:
    sonar-scanner -v

Congratulations! You are now ready to run Static Application Security Testing (SAST) with SonarQube. 



Commenti

Posta un commento

Post popolari in questo blog

Case of Study : Hide PowerUp.ps1 from MS Defender

Immagine
Hide PowerUp.ps1 from MS Defender PowerUp.ps1 is a well-known script among pentesters for escalating local privileges. However, since it is fairly old and quite popular, Microsoft Defender detects it as malicious. To use it, we need to either create a custom version of the script or obfuscate the one available online. In this guide, we will use a minimal obfuscation approach. By making small changes to the script, we can bypass Microsoft Defender’s detection and use the script without any issues. What We need A Windows VM with the AV Signatures Updated The PowerUp.ps1 Script ( here ) The Tool DefenderCheck made by matterpreter ( here ) Notepad Let's Start The first step is to disable Microsoft Defender temporarily so we can download the PowerUp.ps1 script without interference. After disabling Windows Defender, go to the GitHub page that contains the raw version of PowerUp.ps1. Copy the content and save it in Notepad with a .ps1 extension. Once you have downloaded both the PowerUp ...
Continua a leggere

Unveiling CVE-2024-44777, CVE-2024-44778, and CVE-2024-44779

Immagine
Unveiling CVE-2024-44777 , CVE-2024-44778 , and CVE-2024-44779 How Curiosity and Boredom Can Lead to Discovering Unknown Vulnerabilities In this discussion, I will focus on vTiger CRM 7.4.0, an older version of the CRM platform that, despite its age, remains an important research target.  I discovered a Reflected XSS vulnerability in this version, which is especially concerning since there is no public CVE associated with it.so many users are likely unaware of this security risk.
Continua a leggere

C++ Reverse Shell attempting obfuscation while dynamically loading API.

Immagine
 C++ Reverse Shell Attempting Obfuscation While Dynamically Loading Windows API This time, I wrote a Reverse Shell in C++, attempting to bypass AV by loading Windows APIs dynamically. Sadly, this time I could not use antiscan.me to test this Shell since that site is not working anymore. The Reverse Shell uses the following Windows API: LoadLibraryA GetProcAddress WSAStartup WSASocketA WSAConnectA CreateProcessA ExitProcess Every API has been loaded dynamically to try to bypass AV controls. Loading Windows API Dynamically: How to Read the Following Paragraph // Creating the signature of the function // Creating an instance of the function // Calling the function  LoadLibraryA Becomes loader using loader = HMODULE(__stdcall*)(LPCSTR); loader loader_a = reinterpret_cast<loader>((FARPROC)GetProcAddress(LoadLibraryA(x), "LoadLibraryA")); getter getter_a = reinterpret_cast<getter>((FARPROC)GetProcAddress(loade...
Continua a leggere