Install and Configure SonarQube on AWS


Install SonarQube on an AWS EC2 instance running Ubuntu 18.04 LTS

/ ! \ Does not work on AWS t2.micro instances, which are not powerful enough

Access: http://*.ca-central-1.compute.amazonaws.com/

Prerequisites & Java installation - Java 11 is needed for the latest SonarQube version

<source lang="shell">
sudo apt update
sudo apt upgrade -y
sudo apt-get install -y software-properties-common
sudo apt install openjdk-11-jdk -y
java -version
sudo apt-get install unzip
</source>

PostgreSQL Installation

<source lang="shell">
sudo sh -c 'echo "deb http://apt.postgresql.org/pub/repos/apt/ `lsb_release -cs`-pgdg main" >> /etc/apt/sources.list.d/pgdg.list'
wget -q https://www.postgresql.org/media/keys/ACCC4CF8.asc -O - | sudo apt-key add -
sudo apt-get -y install postgresql postgresql-contrib

# Add a dedicated, unprivileged user to the OS
sudo adduser sonar

# PostgreSQL configuration for SonarQube
sudo passwd postgres
su - postgres
createuser sqube
psql
ALTER USER sqube WITH ENCRYPTED password 'Alithya123!';
CREATE DATABASE sqube OWNER sqube;
\q
exit
</source>

SonarQube Installation

<source lang="shell">
sudo wget https://binaries.sonarsource.com/Distribution/sonarqube/sonarqube-8.2.0.32929.zip
sudo unzip sonarqube-8.2.0.32929.zip

# SonarQube server configuration to use the PostgreSQL database
sudo nano sonarqube-8.2.0.32929/conf/sonar.properties
sonar.jdbc.username=sqube
sonar.jdbc.password=Alithya123!
sonar.jdbc.url=jdbc:postgresql://localhost/sqube
sonar.web.host=0.0.0.0
sonar.ce.javaAdditionalOpts=-server

# SonarQube security: run as the sonar user with limited rights
sudo nano sonarqube-8.2.0.32929/bin/linux-x86-64/sonar.sh
RUN_AS_USER=sonar
sudo nano sonarqube-8.2.0.32929/elasticsearch/config/elasticsearch.yml
node.name: ${hostname}
network.host: 0.0.0.0
sudo visudo
root ALL=(ALL:ALL) ALL
sonar ALL=(ALL) NOPASSWD: ALL
# note: NOPASSWD: ALL gives the sonar account unrestricted root; the only step below that needs sudo is the sysctl call

# SonarQube files: move them to the /opt folder
sudo mkdir /opt/sonar/
sudo chown -R sonar:sonar /opt/sonar
sudo mv sonarqube-8.2.0.32929 /opt/sonar/
cd /opt/sonar/
sudo chown -R sonar:sonar /opt/sonar

# Configure SonarQube: extend the allowed virtual memory (needed by Elasticsearch)
su - sonar
sudo sysctl -w vm.max_map_count=262144

# Start SonarQube and check that it is listening as expected on ports 9000 and 9001
/opt/sonar/sonarqube-8.2.0.32929/bin/linux-x86-64/sonar.sh start
sudo netstat -plnt

# If there is any error, check the logs
cat /opt/sonar/sonarqube-8.2.0.32929/logs/sonar.log
cat /opt/sonar/sonarqube-8.2.0.32929/logs/es.log
cat /opt/sonar/sonarqube-8.2.0.32929/logs/web.log
cat /opt/sonar/sonarqube-8.2.0.32929/logs/access.log
</source>

Minimal Apache Installation and Configuration

<source lang="shell">
# Apache installation and configuration
sudo apt-get install apache2 -y
sudo a2enmod proxy
sudo a2enmod proxy_http

# Create an Apache site for SonarQube
sudo nano /etc/apache2/sites-available/sonar.conf
<VirtualHost *:80>
    ServerName sub.domain.com
    ServerAdmin admin@example.com
    ProxyPreserveHost On
    ProxyPass / http://127.0.0.1:9000/
    ProxyPassReverse / http://127.0.0.1:9000/
    TransferLog /var/log/apache2/sonarm_access.log
    ErrorLog /var/log/apache2/sonar_error.log
</VirtualHost>

# Enable the newly created site and restart Apache
sudo a2ensite sonar
sudo systemctl restart apache2
</source>

Add SSL

Create a certificate

Install Certbot

<source lang="shell">
cd
wget https://dl.eff.org/certbot-auto
sudo mv certbot-auto /usr/local/bin/certbot-auto
sudo chown root /usr/local/bin/certbot-auto
sudo chmod 0755 /usr/local/bin/certbot-auto
/usr/local/bin/certbot-auto --help
</source>

Create the VirtualHosts for the Certbot validation

<source lang="shell">
sudo vim /etc/apache2/sites-available/sonar.conf
</source>

Add:

<source lang="apache">
<VirtualHost *:80>
    ServerName letsencrypt.org
    ServerAlias acme-v02.api.letsencrypt.org
    ServerAdmin contact@letsencrypt.org
    DocumentRoot /var/www/cerbot/
</VirtualHost>

<VirtualHost *:80>
    ServerName sub.domain.com
    ServerAlias sub.domain.com
    ServerAdmin contact@alithya.com
    DocumentRoot /var/www/cerbot/
</VirtualHost>
</source>

Restart Apache

<source lang="shell">
# Restart apache
sudo service apache2 restart
</source>

Create the certificate with Certbot

<source lang="shell">
cd /usr/local/bin/
sudo mkdir /var/www/cerbot/
sudo ./certbot-auto --debug -v --server https://acme-v02.api.letsencrypt.org/directory certonly --webroot -w /var/www/cerbot/ -d sub.domain.com -d sub.domain.com

# All files are generated here:
# /etc/letsencrypt/live/sub.domain.com/
</source>

Configure Apache to use SSL

<source lang="shell">
# Copy the files
sudo cp /etc/letsencrypt/live/sonar.bullhubs.com/cert.pem ~/ssl/sonar.bullhubs.com/cert.pem
sudo cp /etc/letsencrypt/live/sonar.bullhubs.com/chain.pem ~/ssl/sonar.bullhubs.com/chain.pem
sudo cp /etc/letsencrypt/live/sonar.bullhubs.com/fullchain.pem ~/ssl/sonar.bullhubs.com/fullchain.pem
sudo cp /etc/letsencrypt/live/sonar.bullhubs.com/privkey.pem ~/ssl/sonar.bullhubs.com/privkey.pem

# /!\ Check that the files were fully copied, especially the private key: open it and look

sudo a2enmod headers   # for the RequestHeader directives
sudo a2enmod ssl       # for SSLEngine
</source>

Add the virtual host for port 443

<source lang="apache">
<VirtualHost *:80>
    ServerName sub.domain.com
    Redirect permanent / https://sub.domain.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName sonar.bullhubs.com
    ServerAdmin contact@alithya.com
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    SSLEngine On
    SSLProxyEngine On
    SSLCertificateFile "/home/ubuntu/ssl/sub.domain.com/cert.pem"
    SSLCertificateKeyFile "/home/ubuntu/ssl/sub.domain.com/privkey.pem"
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass / http://127.0.0.1:9000/
    ProxyPassReverse / http://127.0.0.1:9000/
    RequestHeader set X_FORWARDED_PROTO "https"
    RequestHeader set X-Forwarded-Port "443"
    SetEnv force-proxy-request-1.0 1
    SetEnv proxy-nokeepalive 1
    TransferLog /var/log/apache2/sonarm_access.log
    ErrorLog /var/log/apache2/sonar_error.log
</VirtualHost>
</source>

Restart Apache and the SonarQube server

<source lang="shell">
# Restart the servers
sudo service apache2 restart
/opt/sonar/sonarqube-8.2.0.32929/bin/linux-x86-64/sonar.sh restart
</source>

Useful Logs

<source lang="shell">
# Useful logs
journalctl | tail
systemctl status apache2.service
journalctl -xe
tail -f /var/log/apache2/sonarm_access.log

# Let's Encrypt logs
/var/log/letsencrypt
</source>

AWS Configuration of the EC2 Instance

Inbound Rules

SSH: 22

HTTP: 80

HTTPS: 443

Sonar-Scanner access: 9000

Roles

Add or modify a role to allow CodeBuild to read the Secrets Manager values on the right resources:

<source lang="json">
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetResourcePolicy",
                "secretsmanager:GetSecretValue",
                "secretsmanager:DescribeSecret",
                "secretsmanager:ListSecretVersionIds"
            ],
            "Resource": [
                "arn:aws:secretsmanager:ca-central-1:545456465465:secret:stage/sonar-IfKMVF",
                "arn:aws:secretsmanager:ca-central-1:545456465465:secret:dev/sonar-bAEKiI",
                "arn:aws:secretsmanager:ca-central-1:545456465465:secret:prod/sonar-cIyZAC"
            ]
        },
        ........
</source>

Optional - Install Sonar Scanner on the Linux EC2 instances

If you want to be able to run Sonar-Scanner manually from the Elastic Beanstalk environment, this is possible.

The Alithya Bullhubs API has it installed on its environments: Dev, Stage, Prod1, Prod2

<source lang="shell">
wget https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-4.2.0.1873-linux.zip
unzip sonar-scanner-cli-4.2.0.1873-linux.zip
sudo mv sonar-scanner-4.2.0.1873-linux /opt/sonar-scanner-4.2.0.1873-linux
rm sonar-scanner-cli-4.2.0.1873-linux.zip
export PATH="$PATH:/opt/sonar-scanner-4.2.0.1873-linux/bin"
# Make it permanent: add the same export line to ~/.bashrc
sudo nano .bashrc
export PATH="$PATH:/opt/sonar-scanner-4.2.0.1873-linux/bin"
sonar-scanner -h

# For information: sudo nano /opt/sonar-scanner-4.2.0.1873-linux/conf/sonar-scanner.properties
</source>

Optional - Install Sonar-Scanner on Windows

Download the zip from https://docs.sonarqube.org/latest/analysis/scan/sonarscanner/

Extract it into Program Files

Add the path to the bin folder to the environment variables: C:\Program Files\Sonar\sonar-scanner-4.2.0.1873-windows\bin

Open a new command window:

<source lang="shell">
sonar-scanner -h
</source>

Configure a Java Project to Run SonarQube from the AWS Pipeline

buildspec.yml file

Edit the buildspec.yml file and add the following lines:

The variables to customize are

Before publishing, validate the YML file here: http://www.yamllint.com/

<source lang="yaml">
env:
  secrets-manager:
    # <SecretName>:<SecretKey> are placeholders for the Secrets Manager secret name and its JSON key
    SonarLogin: <SecretName>:<SecretKey>
    SonarHostUrl: <SecretName>:<SecretKey>
    SonarProjectKey: <SecretName>:<SecretKey>

# pre_build and build are phases, so in buildspec.yml they sit under the phases: key
phases:
  pre_build:
    commands:
      - wget https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-4.2.0.1873-linux.zip
      - unzip ./sonar-scanner-cli-4.2.0.1873-linux.zip
      # the zip extracts to sonar-scanner-4.2.0.1873-linux inside the build directory
      - export PATH=$PATH:$PWD/sonar-scanner-4.2.0.1873-linux/bin/

  build:
    commands:
      - mvn sonar:sonar -Dsonar.login=$SonarLogin -Dsonar.host.url=$SonarHostUrl -Dsonar.projectKey=$SonarProjectKey
      - sleep 5
      # <Ec2> is a placeholder for the instance's public DNS name
      - curl "http://<Ec2>.ca-central-1.compute.amazonaws.com/api/qualitygates/project_status?projectKey=$SonarProjectKey" > result.json
      - cat result.json
      # fail the build when the quality gate reports ERROR
      - if [ "$(jq -r '.projectStatus.status' result.json)" = "ERROR" ]; then exit 1; fi
</source>
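The quality-gate step above only reacts to a literal ERROR and trusts a fixed `sleep 5`. As an added example (not the page's or SonarSource's code; sample data constructed here), this Python helper reads the ceTaskId from the scanner's report-task.txt so a build can poll the analysis task, and fails closed on anything other than an explicit OK, including error bodies and non-JSON replies:

```python
# Added example (not the page's or SonarSource's code): fail-closed evaluation of
# the quality-gate step above; sample data is constructed, not captured from a server.
import json
from typing import Dict, List, Tuple

# Constructed copy of .scannerwork/report-task.txt (key=value lines written by the
# scanner); ceTaskId is what a build should poll before asking for the gate status.
SAMPLE_REPORT_TASK = """projectKey=bullhubs-api
serverUrl=http://sonar.example.invalid:9000
ceTaskId=AXconstructed01
ceTaskUrl=http://sonar.example.invalid:9000/api/ce/task?id=AXconstructed01
"""

# Constructed /api/qualitygates/project_status bodies: a failed gate, and the error
# document SonarQube returns for an unknown projectKey.
SAMPLE_FAILED = json.dumps({"projectStatus": {"status": "ERROR", "conditions": [
    {"status": "OK", "metricKey": "new_reliability_rating",
     "comparator": "GT", "errorThreshold": "1", "actualValue": "1"},
    {"status": "ERROR", "metricKey": "new_coverage",
     "comparator": "LT", "errorThreshold": "80", "actualValue": "42.5"}]}})
SAMPLE_NOT_FOUND = json.dumps({"errors": [{"msg": "Component key 'nope' not found"}]})


def parse_report_task(text: str) -> Dict[str, str]:
    """Turn report-task.txt into a dict; lines without '=' are skipped."""
    pairs = (line.split("=", 1) for line in text.splitlines() if "=" in line)
    return {k.strip(): v.strip() for k, v in pairs}


def failing_conditions(project_status: dict) -> List[str]:
    """Readable list of every condition whose status is not OK."""
    return [f"{c.get('metricKey', '?')}={c.get('actualValue', '?')} "
            f"({c.get('comparator', '?')} {c.get('errorThreshold', '?')})"
            for c in project_status.get("conditions", []) if c.get("status") != "OK"]


def evaluate_gate(body: str) -> Tuple[bool, str]:
    """Return (build_may_pass, summary); anything but an explicit OK fails the build."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:  # e.g. an HTML login page or an empty reply
        return False, "quality gate response is not JSON"
    if not isinstance(doc, dict):
        return False, "unexpected quality gate response"
    if doc.get("errors"):  # wrong projectKey, or the token lacks Browse permission
        return False, "; ".join(e.get("msg", "?") for e in doc["errors"])
    status = doc.get("projectStatus", {}).get("status", "NONE")
    if status == "OK":
        return True, "quality gate passed"
    if status == "NONE":  # gate not computed yet: the analysis task is still pending
        return False, "no quality gate result yet"
    return False, f"quality gate {status}: " + ", ".join(failing_conditions(doc["projectStatus"]))
```

In the build step this replaces the `jq` line: feed result.json to `evaluate_gate` and `exit 1` when the first element is False, after `ceTaskUrl` reports the task as SUCCESS.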

Git

Add to the .gitignore

<source lang="shell">
.scannerwork/**
</source>

sonar-project.properties

For further configuration, create a sonar-project.properties file at the root of the project. Here is an example configuration:

<source lang="properties">
# SOURCES
sonar.java.source=8
sonar.sources=src/main/java
sonar.java.binaries=target/classes
sonar.sourceEncoding=UTF-8

# EXCLUSIONS
# (exclusion of Lombok-generated stuff comes from the `lombok.config` file)
sonar.coverage.exclusions=**/*Exception.java , **/BullhubsApplication.java

# TESTS
sonar.coverage.jacoco.xmlReportPaths=target/site/jacoco/jacoco.xml
sonar.junit.reportsPath=target/surefire-reports/TEST-*.xml
sonar.tests=src/test/java
</source>

Sonar-Scanner

Different ways to run Sonar-Scanner manually:

Maven: mvn sonar:sonar

Windows/linux: sonar-scanner

Gradle

More information here: https://docs.sonarqube.org/latest/analysis/scan/sonarscanner/