SonarQube deployment and configuration

2024-06-11 12:01

SonarQube installation manual

SonarQube® is an automatic code review tool that detects bugs, vulnerabilities and code smells in your code. It integrates with your existing workflow to enable continuous code inspection across project branches and pull requests.

Installing the server

Instance components

A SonarQube instance consists of three components (figure: SonarQube instance components):

  1. The SonarQube server, which runs the following processes:

    • A web server that serves the SonarQube user interface.

    • A search server based on Elasticsearch.

    • A compute engine that processes code analysis reports and saves them in the SonarQube database.

  2. A database that stores:

    • The code quality and security metrics and issues generated during code scans.

    • The SonarQube instance configuration.

  3. One or more scanners running on your build or continuous integration servers to analyze projects.

Installing SonarQube

SonarQube cannot run as root on Unix-based systems, so create a dedicated user account for SonarQube if necessary. That account needs nothing beyond read/write access to the SonarQube directories.

$SONARQUBE-HOME (below) refers to the path of the directory where the SonarQube distribution was unzipped.

Setting up access to the database

Edit $SONARQUBE-HOME/conf/sonar.properties to configure the database settings. A template is provided for each supported database: uncomment and fill in the one you need and comment out the lines dedicated to H2, the embedded database that is meant for evaluation only. The file then holds the database password, so make it readable by the SonarQube user only.

# Example for PostgreSQL
sonar.jdbc.username=sonarqube
sonar.jdbc.password=mypassword
sonar.jdbc.url=jdbc:postgresql://localhost/sonarqube

Adding the JDBC driver

Drivers for the supported databases (except Oracle) are already provided. Do not replace the provided drivers; they are the only ones supported.

For Oracle, copy the JDBC driver into $SONARQUBE-HOME/extensions/jdbc-driver/oracle.

Configuring the Elasticsearch storage path

By default, Elasticsearch data is stored in $SONARQUBE-HOME/data, which is not recommended for production instances. Store this data elsewhere instead, preferably on a dedicated volume with fast I/O. Besides keeping performance acceptable, this also simplifies SonarQube upgrades, because the distribution directory can be replaced without touching the data.

Edit $SONARQUBE-HOME/conf/sonar.properties to configure the following settings:

sonar.path.data=/var/sonarqube/data
sonar.path.temp=/var/sonarqube/temp

The user used to launch SonarQube must have read and write access to these directories, and nobody else needs any: the data directory holds the Elasticsearch indexes built from your source code and issues.

Starting the web server

The default port is 9000 and the default context path is "/". These values can be changed in $SONARQUBE-HOME/conf/sonar.properties:

sonar.web.host=192.168.0.1
sonar.web.port=80
sonar.web.context=/sonarqube

Two caveats on that example: on Linux the unprivileged SonarQube user cannot bind a port below 1024 such as 80 without extra capabilities, and SonarQube itself does not terminate TLS. The usual setup keeps port 9000 and puts a reverse proxy in front of it that serves HTTPS, with sonar.web.host set so the server listens only on the address the proxy reaches (127.0.0.1 when the proxy runs on the same machine).

Run the following script to start the server:

  • On Linux: bin/linux-x86-64/sonar.sh start

  • On macOS: bin/macosx-universal-64/sonar.sh start

  • On Windows: bin/windows-x86-64/StartSonar.bat

You can now browse SonarQube at http://localhost:9000 (the default system administrator credentials are admin/admin). Change that password before anyone else can reach the server: the admin account creates tokens, edits quality gates and installs plugins.
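The configuration steps above, carried through as one script. This is an added example and not part of the SonarQube documentation; the database user and name (sonarqube), the data directories under /var/sonarqube and binding the web server to 127.0.0.1 behind a reverse proxy are assumptions. The database password is taken from the SONAR_DB_PASSWORD environment variable so it never appears on a command line, and the properties file is written with mode 0600 because it holds that password. After starting the server the script polls /api/system/status, a real SonarQube endpoint, until it reports UP.

```sh
#!/bin/sh
# Added example (not from the SonarQube docs): write conf/sonar.properties for a
# PostgreSQL backend, start the server and wait until its API reports UP.
# Assumptions: DB user and name "sonarqube", data under /var/sonarqube, web UI
# bound to loopback with a TLS reverse proxy in front of it.
set -eu

# render_sonar_properties DBUSER JDBCURL DATADIR TEMPDIR HOST PORT
# Prints the property lines. The DB password is deliberately not a parameter:
# it is read from $SONAR_DB_PASSWORD, so it never shows up in argv or history.
render_sonar_properties() {
  cat <<EOF
# database (the H2 template lines stay commented out)
sonar.jdbc.username=$1
sonar.jdbc.password=${SONAR_DB_PASSWORD:?SONAR_DB_PASSWORD must be set}
sonar.jdbc.url=$2
# Elasticsearch data and temp files on a dedicated volume
sonar.path.data=$3
sonar.path.temp=$4
# web server
sonar.web.host=$5
sonar.web.port=$6
sonar.web.context=/
EOF
}

# write_sonar_properties SONARQUBE_HOME DBUSER JDBCURL DATADIR TEMPDIR HOST PORT
# The file carries the DB password, so it is created owner read/write only.
write_sonar_properties() {
  home=$1
  shift
  mkdir -p "$home/conf"
  ( umask 077; render_sonar_properties "$@" > "$home/conf/sonar.properties" )
  chmod 600 "$home/conf/sonar.properties"
}

# file_mode PATH : octal permission bits (GNU stat, falling back to BSD stat)
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# wait_for_up BASEURL : poll GET /api/system/status until it reports "UP";
# gives up after roughly five minutes.
wait_for_up() {
  tries=0
  while [ "$tries" -lt 60 ]; do
    if curl -fsS "$1/api/system/status" 2>/dev/null | grep -q '"status":"UP"'; then
      return 0
    fi
    tries=$((tries + 1))
    sleep 5
  done
  echo "SonarQube did not come up at $1" >&2
  return 1
}

# Usage, as the sonar user with SONAR_DB_PASSWORD exported:
#   sh configure_sonar.sh /opt/sonarqube
if [ -n "${1:-}" ]; then
  write_sonar_properties "$1" sonarqube jdbc:postgresql://localhost/sonarqube \
    /var/sonarqube/data /var/sonarqube/temp 127.0.0.1 9000
  "$1/bin/linux-x86-64/sonar.sh" start
  wait_for_up http://127.0.0.1:9000
fi
```

The readiness poll matters for automation: sonar.sh start returns as soon as the wrapper is up, while the web, compute engine and Elasticsearch processes take a minute or more to come up and can still fail their bootstrap checks.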

Java installation

If several versions of Java are installed on the server, you need to define explicitly which one SonarQube uses.

To change the Java JVM used by SonarQube, edit $SONARQUBE-HOME/conf/wrapper.conf and update the following line:

wrapper.java.command=/path/to/my/jdk/bin/java

Installing SonarQube from the Docker image

Follow these steps for a first installation:

  1. Creating the following volumes helps prevent the loss of information when updating to a new version or upgrading to a higher edition:

    • sonarqube_data – contains data files, such as the embedded H2 database and Elasticsearch indexes

    • sonarqube_logs – contains SonarQube logs about access, web process, CE process, and Elasticsearch

    • sonarqube_extensions – will contain any plugins you install and the Oracle JDBC driver if necessary.

    Create the volumes with the following commands:

    $> docker volume create --name sonarqube_data
    $> docker volume create --name sonarqube_logs
    $> docker volume create --name sonarqube_extensions

  2. Drivers for the supported databases (except Oracle) are already provided. If you are using an Oracle database, you need to add the JDBC driver to the sonarqube_extensions volume. To do this:

    a. Start a SonarQube container with the embedded H2 database:

    $> docker run --rm \
       -p 9000:9000 \
       -v sonarqube_extensions:/opt/sonarqube/extensions \
      <image_name>

    b. Copy the Oracle JDBC driver into sonarqube_extensions/jdbc-driver/oracle.

  3. Run the image with your database properties defined using the -e environment variable flag:

    $> docker run -d --name sonarqube \
       -p 9000:9000 \
       -e SONAR_JDBC_URL=... \
       -e SONAR_JDBC_USERNAME=... \
       -e SONAR_JDBC_PASSWORD=... \
       -v sonarqube_data:/opt/sonarqube/data \
       -v sonarqube_extensions:/opt/sonarqube/extensions \
       -v sonarqube_logs:/opt/sonarqube/logs \
      <image_name>

    Passing SONAR_JDBC_PASSWORD with -e leaves the password in your shell history and in docker inspect output for anyone who can reach the Docker socket; beyond a test run, supply it with --env-file or from a secret store. Note also that -p 9000:9000 publishes the port on every host interface, and that the container inherits the host kernel's vm.max_map_count, which must meet the Elasticsearch requirement given in the sysctl section below.

Example Docker Compose configuration

This is the upstream example for a first run: the sonar/sonar credentials and the port published on all interfaces are placeholders, not a production configuration.

version: "3"

services:
  sonarqube:
    image: sonarqube:community
    depends_on:
      - db
    environment:
      SONAR_JDBC_URL: jdbc:postgresql://db:5432/sonar
      SONAR_JDBC_USERNAME: sonar
      SONAR_JDBC_PASSWORD: sonar
    volumes:
      - sonarqube_data:/opt/sonarqube/data
      - sonarqube_extensions:/opt/sonarqube/extensions
      - sonarqube_logs:/opt/sonarqube/logs
    ports:
      - "9000:9000"
  db:
    image: postgres:12
    environment:
      POSTGRES_USER: sonar
      POSTGRES_PASSWORD: sonar
    volumes:
      - postgresql:/var/lib/postgresql
      - postgresql_data:/var/lib/postgresql/data

volumes:
  sonarqube_data:
  sonarqube_extensions:
  sonarqube_logs:
  postgresql:
  postgresql_data:
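The Compose file above bakes sonar/sonar into the file as both the PostgreSQL and the JDBC password, publishes port 9000 on every interface, and starts SonarQube before PostgreSQL is ready. As an added example (not from the SonarQube docs), the script below generates a .env with a random database password and a Compose file that reads it, binds the UI to loopback for a reverse proxy, and waits for PostgreSQL's health check. The postgres:15 tag, the directory layout and the variable names are assumptions; check the supported PostgreSQL versions for the SonarQube release you run.

```sh
#!/bin/sh
# Added example (not from the SonarQube docs): generate a Compose stack whose
# credentials live in .env, whose UI is reachable only through loopback and
# which starts SonarQube only once PostgreSQL answers. postgres:15 and the
# variable names are assumptions; check the supported versions for your release.
set -eu

# random_secret : 32 alphanumeric characters from the kernel CSPRNG
random_secret() {
  LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 32
}

# write_env DIR : .env with a generated DB password, owner-only permissions.
# An existing .env is kept: regenerating would lock SonarQube out of the
# database that already holds the old password.
write_env() {
  if [ -f "$1/.env" ]; then
    return 0
  fi
  ( umask 077
    printf 'SONAR_DB_NAME=sonar\nSONAR_DB_USER=sonar\nSONAR_DB_PASSWORD=%s\n' \
      "$(random_secret)" > "$1/.env" )
}

# write_compose DIR : Compose file that references the .env values (Compose
# substitutes ${...} from .env itself; the heredoc is quoted so the shell does not).
write_compose() {
  cat > "$1/docker-compose.yml" <<'EOF'
services:
  sonarqube:
    image: sonarqube:community
    depends_on:
      db:
        condition: service_healthy
    environment:
      SONAR_JDBC_URL: jdbc:postgresql://db:5432/${SONAR_DB_NAME}
      SONAR_JDBC_USERNAME: ${SONAR_DB_USER}
      SONAR_JDBC_PASSWORD: ${SONAR_DB_PASSWORD}
    volumes:
      - sonarqube_data:/opt/sonarqube/data
      - sonarqube_extensions:/opt/sonarqube/extensions
      - sonarqube_logs:/opt/sonarqube/logs
    ports:
      - "127.0.0.1:9000:9000"   # a TLS reverse proxy on the host fronts this
  db:
    image: postgres:15
    environment:
      POSTGRES_DB: ${SONAR_DB_NAME}
      POSTGRES_USER: ${SONAR_DB_USER}
      POSTGRES_PASSWORD: ${SONAR_DB_PASSWORD}
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U ${SONAR_DB_USER} -d ${SONAR_DB_NAME}"]
      interval: 10s
      timeout: 5s
      retries: 5
    volumes:
      - postgresql_data:/var/lib/postgresql/data
volumes:
  sonarqube_data:
  sonarqube_extensions:
  sonarqube_logs:
  postgresql_data:
EOF
}

# Usage:  sh compose_stack.sh /srv/sonarqube && cd /srv/sonarqube && docker compose up -d
if [ -n "${1:-}" ]; then
  mkdir -p "$1"
  write_env "$1"
  write_compose "$1"
fi
```

The database port is deliberately not published: only the sonarqube service on the Compose network needs it. The .env file is the one secret on disk, so it stays out of version control and readable only by the deploying user.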

Installing the server as a cluster

Only the Data Center Edition can run SonarQube as a cluster.

The default configuration for the Data Center Edition comprises five servers, a load balancer, and a database server:

  • Two application nodes responsible for handling web requests from users (WebServer process) and handling analysis reports (ComputeEngine process). You can add application nodes to increase computing capabilities.

  • Three search nodes that host the Elasticsearch process that will store data indexes. SSDs perform significantly better than HDDs for these nodes.

  • A reverse proxy / load balancer to load balance traffic between the two application nodes. The installing organization must supply this hardware or software component.

  • A PostgreSQL, Oracle, or Microsoft SQL Server database server. This software must be supplied by the installing organization.

With this configuration, one application node and one search node can be lost without impacting users. The default topology diagram is not reproduced on this page.

Requirements

All servers, including the database server, must be located in the same region.

All application and search nodes should have static IP addresses (reference by hostname is not supported). Network traffic should not be restricted between application and search nodes, which is why they belong on a private network that only the cluster members can reach.

Servers

You need a minimum of five servers (two application nodes and three search nodes) to form a SonarQube application cluster. Servers can be virtual machines; it is not necessary to use physical machines. You can also add application nodes to increase computing capabilities.

SonarQube installation and configuration

Create the sonar user

SonarQube cannot be started as root; create an ordinary user for it.

useradd sonar
passwd sonar

The account only needs to own the SonarQube files and run the process. The password is only needed if someone logs in as sonar directly; root can switch to it with su without one.

Install the packages SonarQube needs

A JDK and a database, for example:

dnf -y install java-11-openjdk postgresql-server postgresql postgresql-contrib unzip

Each SonarQube release documents the Java version it requires; make sure the JDK you install matches the release you download below.

Download and install SonarQube

wget https://binaries.sonarsource.com/Distribution/sonarqube/sonarqube-6.x.zip
unzip -d /opt sonarqube-6.x.zip
chown -R sonar:sonar /opt/sonarqube-6.x

The later steps refer to /opt/sonarqube, so rename the unpacked directory or create a symlink with that name. SonarSource publishes checksum and signature files alongside each archive on binaries.sonarsource.com; verify the download before unpacking it on a server that will hold your source code.

Configure the database

SonarQube needs one database and one login that owns it. Support for MySQL was removed in SonarQube 7.9, so MySQL is only an option for the older releases this page installs.

MySQL: create the sonar database

CREATE DATABASE `sonar` CHARACTER SET 'utf8' COLLATE 'utf8_general_ci';
alter user 'root'@'localhost' identified by '123456';
# grant (gives root full privileges from any host; see the note below)
grant all privileges on *.* to 'root'@'%' identified by '123456';
# reload the privilege tables
flush privileges;

Granting ALL on *.* to 'root'@'%' creates a remotely reachable superuser with a trivial password. SonarQube only needs a dedicated account with privileges on the sonar database, and the root account should stay local. MySQL 8 also rejects the identified by clause inside GRANT; users have to be created first.

PostgreSQL: initialize and start the service

postgresql-setup initdb
systemctl enable postgresql
systemctl start postgresql

PostgreSQL: create the sonar role and database (as the postgres superuser, for example with sudo -u postgres psql)

-- create the sonar user
create user sonar;
-- set a password for the sonar user (otherwise SonarQube cannot connect)
alter user sonar with password '123456';
-- create the database and make sonar its owner (required; otherwise SonarQube fails to connect)
create database sonar;
alter database sonar owner to sonar;

Use a real password in place of 123456 and keep it out of shell history (psql's \password command prompts for it). On RHEL-family systems the stock pg_hba.conf authenticates TCP connections with ident, which fails for a JDBC client: change the 127.0.0.1/32 rule that covers the sonar database to password authentication (md5 or scram-sha-256) and reload PostgreSQL.
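The MySQL statements above hand the root account full privileges from any host; SonarQube only needs one role that owns one database. As an added example (not part of the page's procedure), the script below builds the SQL for PostgreSQL, passes the password to psql as a variable on stdin so that it is quoted as a literal rather than spliced into the statement, and prints the pg_hba.conf line that restricts that role to the local host with SCRAM authentication. The role and database names (sonar) follow the page; sudo -u postgres and the pg_hba placement are assumptions about a stock distribution install.

```sh
#!/bin/sh
# Added example (not part of the page's procedure): least-privilege PostgreSQL
# setup for SonarQube. Role and database are both named "sonar" as on the page.
set -eu

# render_sonar_db_sql ROLE DBNAME
# Emits psql input. The password is read from $SONAR_DB_PASSWORD and handed to
# psql as the variable pw on stdin (never in argv). Backslashes and single
# quotes are escaped for \set; :'pw' then quotes the value as an SQL literal,
# so the password cannot break or inject into the statement.
render_sonar_db_sql() {
  pw_escaped=$(printf '%s' "${SONAR_DB_PASSWORD:?SONAR_DB_PASSWORD must be set}" |
    sed -e 's/\\/\\\\/g' -e "s/'/\\\\'/g")
  printf '%s\n' "\\set pw '$pw_escaped'"
  cat <<EOF
-- store a SCRAM hash even on servers whose default is still md5
SET password_encryption = 'scram-sha-256';
CREATE ROLE $1 LOGIN PASSWORD :'pw';
-- UTF8 from template0 so the encoding does not depend on the cluster default
CREATE DATABASE $2 OWNER $1 ENCODING 'UTF8' TEMPLATE template0;
-- only the owner should be able to connect
REVOKE ALL ON DATABASE $2 FROM PUBLIC;
EOF
}

# render_pg_hba_line ROLE DBNAME : the pg_hba.conf rule that lets this role
# reach this database from the local host only, with SCRAM authentication.
render_pg_hba_line() {
  printf 'host  %s  %s  127.0.0.1/32  scram-sha-256\n' "$2" "$1"
}

# create_sonar_db ROLE DBNAME : run the SQL as the postgres superuser
create_sonar_db() {
  render_sonar_db_sql "$1" "$2" | sudo -u postgres psql -v ON_ERROR_STOP=1
  echo "add this line to pg_hba.conf above the generic host rules, then reload PostgreSQL:"
  render_pg_hba_line "$1" "$2"
}

# Usage (as root, with the password exported):
#   SONAR_DB_PASSWORD='...' sh create_sonar_db.sh apply
if [ "${1:-}" = apply ]; then
  create_sonar_db sonar sonar
fi
```

The pg_hba rule goes above the distribution's catch-all host lines because PostgreSQL uses the first matching rule; the same password then goes into sonar.jdbc.password in sonar.properties.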

Edit /opt/sonarqube/conf/sonar.properties (the screenshot of the settings is not reproduced here): set sonar.jdbc.url, sonar.jdbc.username and sonar.jdbc.password to the database, role and password created above, following the PostgreSQL template shown earlier on this page, and comment out the H2 lines. Keep the file readable by the sonar user only, since it now contains the database password.

Open TCP port 9000 in the firewall

firewall-cmd --permanent --add-port=9000/tcp
firewall-cmd --reload

This opens the port to every network the host sits on. If a reverse proxy on the same host fronts SonarQube, leave 9000 closed and bind the server to 127.0.0.1 instead; if the proxy is elsewhere, limit the rule to the proxy's address with a firewalld rich rule or a dedicated zone.

Edit /etc/sysctl.conf

Append the following settings at the end of the file (Elasticsearch's bootstrap checks refuse to start it with a lower vm.max_map_count):

vm.max_map_count=262144
fs.file-max=65536

Edit /etc/security/limits.conf

Raise the open-file and process limits for the sonar user (the screenshot is not reproduced here; the required values are listed in the SonarQube requirements for your release).

Then reboot, or apply the sysctl settings with sysctl -p and log in again as sonar so that the new limits take effect.
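What the limits.conf screenshot showed is not recoverable here. As an added example (not from the page), the script below checks the values SonarQube's embedded Elasticsearch needs before you start the server, and can write them to drop-in files and load them without a reboot. The sysctl thresholds are the ones this page sets (vm.max_map_count 262144, fs.file-max 65536); the nofile 65536 and nproc 4096 limits for the sonar user are the values SonarQube's platform notes of the same generation give, while newer releases ask for more (131072 and 8192), so all four are variables. The /etc/sysctl.d and /etc/security/limits.d file names are assumptions.

```sh
#!/bin/sh
# Added example (not from the page): check, and optionally apply, the kernel and
# per-user limits that SonarQube's embedded Elasticsearch requires. Thresholds
# default to the ones this page uses; raise them for newer releases.
set -eu

SONAR_USER=${SONAR_USER:-sonar}
MIN_MAX_MAP_COUNT=${MIN_MAX_MAP_COUNT:-262144}
MIN_FILE_MAX=${MIN_FILE_MAX:-65536}
MIN_NOFILE=${MIN_NOFILE:-65536}
MIN_NPROC=${MIN_NPROC:-4096}

# check_limit NAME ACTUAL REQUIRED : 0 if ACTUAL >= REQUIRED. "unlimited"
# (as ulimit reports it) always passes; a non-numeric value fails.
check_limit() {
  if [ "$2" = unlimited ] || [ "$2" -ge "$3" ] 2>/dev/null; then
    echo "ok    $1=$2 (need >= $3)"
    return 0
  fi
  echo "FAIL  $1=$2 (need >= $3)" >&2
  return 1
}

# preflight : read the live values from /proc and from a fresh login shell of
# the sonar user. limits.conf only applies to new sessions, so asking a new
# session is the real test, not reading the file.
preflight() {
  rc=0
  check_limit vm.max_map_count "$(cat /proc/sys/vm/max_map_count)" "$MIN_MAX_MAP_COUNT" || rc=1
  check_limit fs.file-max "$(cat /proc/sys/fs/file-max)" "$MIN_FILE_MAX" || rc=1
  check_limit nofile "$(su - "$SONAR_USER" -s /bin/sh -c 'ulimit -n')" "$MIN_NOFILE" || rc=1
  check_limit nproc "$(su - "$SONAR_USER" -s /bin/sh -c 'ulimit -u')" "$MIN_NPROC" || rc=1
  return $rc
}

# render_sysctl / render_limits : contents of the two drop-in files
render_sysctl() {
  printf 'vm.max_map_count=%s\nfs.file-max=%s\n' "$MIN_MAX_MAP_COUNT" "$MIN_FILE_MAX"
}
render_limits() {
  printf '%s  -  nofile  %s\n%s  -  nproc  %s\n' \
    "$SONAR_USER" "$MIN_NOFILE" "$SONAR_USER" "$MIN_NPROC"
}

# apply : write drop-ins (safer than editing the main files, and package
# upgrades leave them alone) and load the sysctl values now. The limits.d
# entry takes effect at the sonar user's next login; no reboot needed.
apply() {
  render_sysctl > /etc/sysctl.d/99-sonarqube.conf
  render_limits > /etc/security/limits.d/99-sonarqube.conf
  sysctl --system >/dev/null
}

# Usage (as root):  sh sonar_limits.sh apply && sh sonar_limits.sh check
case "${1:-}" in
  check) preflight ;;
  apply) apply ;;
esac
```

Run the check after apply and before sonar.sh start: a failing bootstrap check only shows up in logs/es.log, after the web UI has already refused to come up.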

Start SonarQube

su - sonar
cd /opt/sonarqube/bin/linux-x86-64
./sonar.sh start

Open http://192.168.137.32:9000 in a browser. If the page does not come up, logs/sonar.log, logs/web.log, logs/ce.log and logs/es.log under /opt/sonarqube show which process failed; a failed Elasticsearch bootstrap check and a rejected database connection are the usual causes.

 
Run an analysis with Maven:

mvn sonar:sonar \
-Dsonar.host.url=http://192.168.137.32:9000 \
-Dsonar.login=24c5de3af80af0b13d5137e6c7685c6631ab0e05

With SonarScanner CLI on Windows (cmd continues lines with ^, not \):

sonar-scanner.bat ^
-Dsonar.projectKey=24c5de3af80af0b13d5137e6c7685c6631ab0e05 ^
-Dsonar.sources=. ^
-Dsonar.host.url=http://192.168.137.32:9000 ^
-Dsonar.login=24c5de3af80af0b13d5137e6c7685c6631ab0e05

With SonarScanner CLI on Linux:

sonar-scanner \
-Dsonar.projectKey=24c5de3af80af0b13d5137e6c7685c6631ab0e05 \
-Dsonar.sources=. \
-Dsonar.host.url=http://192.168.137.32:9000 \
-Dsonar.login=24c5de3af80af0b13d5137e6c7685c6631ab0e05

Two things to watch. The value of sonar.login is a user token: whoever holds it can upload analyses as that user, so it must not be committed or pasted into shared build scripts, and a token that has appeared in a published document like this one should be revoked. And sonar.projectKey is the key you gave the project when creating it in the UI, not the token; the commands above reuse the token string there.
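The commands above put the token on the command line, where it lands in shell history, in ps output on a shared build agent and in CI logs. As an added example (not from the page), the wrapper below takes the token from the SONAR_TOKEN environment variable, which recent SonarScanners read directly, checks it against the server's /api/authentication/validate endpoint before scanning, and masks it in the scan output. The host URL is the page's; the project key and the CI secret store are assumptions. With an older scanner that only understands sonar.login, such as the sonar-maven-plugin 3.4 pinned in this page's pom.xml, pass -Dsonar.login="$SONAR_TOKEN" from the same variable rather than a literal, accepting that the JVM command line still shows it locally.

```sh
#!/bin/sh
# Added example (not part of the page): run a scan with the token taken from
# the environment instead of the command line. Project key and the CI secret
# store are assumptions; the host URL is the page's.
set -eu

# require_token : SONAR_TOKEN must be set and look like a token. Only letters,
# digits and underscore are accepted, which also keeps it safe to use in the
# sed expression below.
require_token() {
  : "${SONAR_TOKEN:?export SONAR_TOKEN from your CI secret store before scanning}"
  case $SONAR_TOKEN in
    *[!A-Za-z0-9_]*) echo "SONAR_TOKEN contains unexpected characters" >&2; return 1 ;;
  esac
}

# scanner_args PROJECT_KEY HOST_URL : the non-secret scanner properties, one
# per line. No sonar.login here: recent scanners read SONAR_TOKEN themselves.
scanner_args() {
  printf '%s\n' "-Dsonar.projectKey=$1" "-Dsonar.host.url=$2" "-Dsonar.sources=."
}

# token_is_valid HOST_URL : ask the server before scanning. curl reads the
# credential from a config on stdin (-K -), so it is not visible in ps either.
token_is_valid() {
  printf 'user = "%s:"\n' "$SONAR_TOKEN" |
    curl -fsS -K - "$1/api/authentication/validate" | grep -q '"valid":true'
}

# redact_tokens : filter for log output. The exact token is masked rather than
# "any 40 hex characters", because that pattern would also hit git commit hashes.
redact_tokens() {
  sed -e "s/$SONAR_TOKEN/[REDACTED]/g"
}

# run_scan PROJECT_KEY HOST_URL : validate, scan, log through the redactor.
# The scanner is not piped straight into sed: a pipeline's status is sed's,
# which would turn a failed scan into a green build.
run_scan() {
  require_token
  token_is_valid "$2" || { echo "token rejected by $2" >&2; return 1; }
  out=$(mktemp)
  rc=0
  sonar-scanner $(scanner_args "$1" "$2") >"$out" 2>&1 || rc=$?
  redact_tokens <"$out"
  rm -f "$out"
  return "$rc"
}

# Usage:  SONAR_TOKEN=... sh scan.sh scan my-project http://192.168.137.32:9000
if [ "${1:-}" = scan ]; then
  run_scan "${2:?project key}" "${3:?host url}"
fi
```

In a CI job the SONAR_TOKEN variable comes from the job's masked secrets, so the only place the token exists in clear text is the scanner process environment; the redaction step covers the case where the scanner or a plugin echoes its properties.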

SonarQube user manual

SonarQube localization / installing the Chinese language pack

The Chinese pack is a plugin: install it from the Marketplace under Administration, or drop its jar into extensions/plugins, and restart the server (the two screenshots are not reproduced here). Plugins run with the server's own privileges, so install them only from the Marketplace or a source you trust.

Using SonarQube

IntelliJ IDEA integration

1. Create a project

  • Log in to SonarQube and create a new project

  • Generate a token

  • Choose Maven

(The screenshots of these steps are not reproduced here.)

2. Install the SonarLint plugin in IDEA

  • File -> Settings -> Plugins, search for SonarLint

3. Configure the plugin and connect it to SonarQube

  • The token is the one generated for the project above

4. Run the copied command to submit the analysis to the server

5. Log in to the SonarQube administration console and review the results

 

6. Maven project configuration

maven/conf/settings.xml (the complete file the author uses)

Three things in this file deserve attention before copying it. The <server> passwords are stored in clear text; Maven can encrypt them with mvn --encrypt-master-password and mvn --encrypt-password, storing the master key in ~/.m2/settings-security.xml. The sonar profile sets sonar.jdbc.* properties, which scanners have not needed since SonarQube 5.2 because analysis goes through the server's HTTP API, so they only copy the database password onto every developer machine. And the mirrors use plain http, which Maven Central stopped serving in January 2020 and Maven 3.8.1 and later block by default, so mirror URLs must be https. The activeProfiles block also activates a nexus profile that is commented out, which Maven ignores with a warning.

<?xml version="1.0" encoding="UTF-8"?>

<!--
Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->

<!--
| This is the configuration file for Maven. It can be specified at two levels:
|
| 1. User Level. This settings.xml file provides configuration for a single user,
| and is normally provided in ${user.home}/.m2/settings.xml.
|
| NOTE: This location can be overridden with the CLI option:
|
| -s /path/to/user/settings.xml
|
| 2. Global Level. This settings.xml file provides configuration for all Maven
| users on a machine (assuming they're all using the same Maven
| installation). It's normally provided in
| ${maven.conf}/settings.xml.
|
| NOTE: This location can be overridden with the CLI option:
|
| -gs /path/to/global/settings.xml
|
| The sections in this sample file are intended to give you a running start at
| getting the most out of your Maven installation. Where appropriate, the default
| values (values used when the setting is not specified) are provided.
|
|-->
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0 http://maven.apache.org/xsd/settings-1.0.0.xsd">
<!-- localRepository
| The path to the local repository maven will use to store artifacts.
|
| Default: ${user.home}/.m2/repository
<localRepository>/path/to/local/repo</localRepository>
-->
<localRepository>d:\\repos</localRepository>
<!-- interactiveMode
| This will determine whether maven prompts you when it needs input. If set to false,
| maven will use a sensible default value, perhaps based on some other setting, for
| the parameter in question.
|
| Default: true
<interactiveMode>true</interactiveMode>
-->

<!-- offline
| Determines whether maven should attempt to connect to the network when executing a build.
| This will have an effect on artifact downloads, artifact deployment, and others.
|
| Default: false
<offline>false</offline>
-->

<!-- pluginGroups
| This is a list of additional group identifiers that will be searched when resolving plugins by their prefix, i.e.
| when invoking a command line like "mvn prefix:goal". Maven will automatically add the group identifiers
| "org.apache.maven.plugins" and "org.codehaus.mojo" if these are not already contained in the list.
|-->
<pluginGroups>
<!-- pluginGroup
| Specifies a further group identifier to use for plugin lookup.
<pluginGroup>com.your.plugins</pluginGroup>
-->
</pluginGroups>

<!-- proxies
| This is a list of proxies which can be used on this machine to connect to the network.
| Unless otherwise specified (by system property or command-line switch), the first proxy
| specification in this list marked as active will be used.
|-->
<proxies>
<!-- proxy
| Specification for one proxy, to be used in connecting to the network.
|
<proxy>
<id>optional</id>
<active>true</active>
<protocol>http</protocol>
<username>proxyuser</username>
<password>proxypass</password>
<host>proxy.host.net</host>
<port>80</port>
<nonProxyHosts>local.net|some.host.com</nonProxyHosts>
</proxy>
-->
</proxies>

<!-- servers
| This is a list of authentication profiles, keyed by the server-id used within the system.
| Authentication profiles can be used whenever maven must make a connection to a remote server.
|-->
<servers>
<!-- server
| Specifies the authentication information to use when connecting to a particular server, identified by
| a unique name within the system (referred to by the 'id' attribute below).
|
| NOTE: You should either specify username/password OR privateKey/passphrase, since these pairings are
| used together.
|
<server>
<id>deploymentRepo</id>
<username>repouser</username>
<password>repopwd</password>
</server>
-->

<!-- Another sample, using keys to authenticate.
<server>
<id>siteServer</id>
<privateKey>/path/to/private/key</privateKey>
<passphrase>optional; leave empty if not used.</passphrase>
</server>
-->
<!--
<server>
<id>rdc-releases</id>
<username>5f03eaf4cc3021d7e3b3706e</username>
<password>W33jKbmKcapV</password>
</server>
<server>
<id>rdc-snapshots</id>
<username>5f03eaf4cc3021d7e3b3706e</username>
<password>W33jKbmKcapV</password>
</server>
-->
<server>
<id>maven-releases</id>
<username>admin</username>
<password>admin123</password>
</server>

<server>
<id>maven-snapshots</id>
<username>admin</username>
<password>admin123</password>
</server>

</servers>

<!-- mirrors
| This is a list of mirrors to be used in downloading artifacts from remote repositories.
|
| It works like this: a POM may declare a repository to use in resolving certain artifacts.
| However, this repository may have problems with heavy traffic at times, so people have mirrored
| it to several places.
|
| That repository definition will have a unique id, so we can create a mirror reference for that
| repository, to be used as an alternate download site. The mirror site will be the preferred
| server for that repository.
|-->
<mirrors>
<!-- mirror
| Specifies a repository mirror site to use instead of a given repository. The repository that
| this mirror serves has an ID that matches the mirrorOf element of this mirror. IDs are used
| for inheritance and direct lookup purposes, and must be unique across the set of mirrors.
|
-->
<mirror>
<id>mirrorId</id>
<mirrorOf>repositoryId</mirrorOf>
<name>Human Readable Name for this Mirror.</name>
<url>http://my.repository.com/repo/path</url>
</mirror>


<mirror>
<id>alimaven</id>
<name>aliyun maven</name>
<url>https://maven.aliyun.com/nexus/content/groups/public/</url>
<mirrorOf>central</mirrorOf>
</mirror>
<mirror>
<id>jboss-public-repository-group</id>
<mirrorOf>central</mirrorOf>
<name>JBoss Public Repository Group</name>
<url>https://repository.jboss.org/nexus/content/groups/public</url>
</mirror>
<mirror>
<id>central</id>
<name>Maven Repository Switchboard</name>
<url>https://repo1.maven.org/maven2/</url>
<mirrorOf>central</mirrorOf>
</mirror>
<mirror>
<id>repo2</id>
<mirrorOf>central</mirrorOf>
<name>Human Readable Name for this Mirror.</name>
<url>https://repo2.maven.org/maven2/</url>
</mirror>

<!--


<mirror>
<id>maven-releases</id>
<name>helsys releases</name>
<url>http://192.168.2.199:9081/repository/maven-public/</url>
<mirrorOf>*</mirrorOf>
</mirror>

<mirror>
<id>maven-snapshots</id>
<name>helsys snapshots</name>
<url>http://192.168.2.199:9081/repository/maven-snapshots/</url>
<mirrorOf>*</mirrorOf>
</mirror> -->
</mirrors>

<!-- profiles
| This is a list of profiles which can be activated in a variety of ways, and which can modify
| the build process. Profiles provided in the settings.xml are intended to provide local machine-
| specific paths and repository locations which allow the build to work in the local environment.
|
| For example, if you have an integration testing plugin - like cactus - that needs to know where
| your Tomcat instance is installed, you can provide a variable here such that the variable is
| dereferenced during the build process to configure the cactus plugin.
|
| As noted above, profiles can be activated in a variety of ways. One way - the activeProfiles
| section of this document (settings.xml) - will be discussed later. Another way essentially
| relies on the detection of a system property, either matching a particular value for the property,
| or merely testing its existence. Profiles can also be activated by JDK version prefix, where a
| value of '1.4' might activate a profile when the build is executed on a JDK version of '1.4.2_07'.
| Finally, the list of active profiles can be specified directly from the command line.
|
| NOTE: For profiles defined in the settings.xml, you are restricted to specifying only artifact
| repositories, plugin repositories, and free-form properties to be used as configuration
| variables for plugins in the POM.
|
|-->
<profiles>
<!-- profile
| Specifies a set of introductions to the build process, to be activated using one or more of the
| mechanisms described above. For inheritance purposes, and to activate profiles via <activatedProfiles/>
| or the command line, profiles have to have an ID that is unique.
|
| An encouraged best practice for profile identification is to use a consistent naming convention
| for profiles, such as 'env-dev', 'env-test', 'env-production', 'user-jdcasey', 'user-brett', etc.
| This will make it more intuitive to understand what the set of introduced profiles is attempting
| to accomplish, particularly when you only have a list of profile id's for debug.
|
| This profile example uses the JDK version to trigger activation, and provides a JDK-specific repo.
<profile>
<id>jdk-1.4</id>

<activation>
<jdk>1.4</jdk>
</activation>

<repositories>
<repository>
<id>jdk14</id>
<name>Repository for JDK 1.4 builds</name>
<url>http://www.myhost.com/maven/jdk14</url>
<layout>default</layout>
<snapshotPolicy>always</snapshotPolicy>
</repository>
</repositories>
</profile>
-->

<!--
| Here is another profile, activated by the system property 'target-env' with a value of 'dev',
| which provides a specific path to the Tomcat instance. To use this, your plugin configuration
| might hypothetically look like:
|
| ...
| <plugin>
| <groupId>org.myco.myplugins</groupId>
| <artifactId>myplugin</artifactId>
|
| <configuration>
| <tomcatLocation>${tomcatPath}</tomcatLocation>
| </configuration>
| </plugin>
| ...
|
| NOTE: If you just wanted to inject this configuration whenever someone set 'target-env' to
| anything, you could just leave off the <value/> inside the activation-property.
|
<profile>
<id>env-dev</id>

<activation>
<property>
<name>target-env</name>
<value>dev</value>
</property>
</activation>

<properties>
<tomcatPath>/path/to/tomcat/instance</tomcatPath>
</properties>
</profile>
-->
<!--
<profile>
<id>rdc-private-repo</id>
<repositories>
<repository>
<id>rdc-releases</id>
<url>https://packages.aliyun.com/maven/repository/2013277-release-6bmGLh/</url>
</repository>
<repository>
<id>rdc-snapshots</id>
<url>https://packages.aliyun.com/maven/repository/2013277-snapshot-FB7Hl1/</url>
</repository>
</repositories>
</profile>
-->
<profile>
<id>jdk18</id>
<activation>
<jdk>1.8</jdk>
<activeByDefault>true</activeByDefault>
</activation>
<properties>
<maven.compiler.source>1.8</maven.compiler.source>
<maven.compiler.target>1.8</maven.compiler.target>
<maven.compiler.compilerVersion>1.8</maven.compiler.compilerVersion>
</properties>
</profile>
<profile>
<id>sonar</id>
<properties>
<sonar.jdbc.url>jdbc:mysql://192.168.137.254:3306/sonar</sonar.jdbc.url>
<sonar.jdbc.driver>com.mysql.jdbc.Driver</sonar.jdbc.driver>
<sonar.jdbc.username>sonar</sonar.jdbc.username>
<sonar.jdbc.password>123456</sonar.jdbc.password>
<sonar.host.url>http://192.168.137.32:9000</sonar.host.url> <!-- SonarQube server URL -->
</properties>
</profile>
<!--
<profile>
<id>rdc-public-repo</id>
<repositories>
<repository>
<id>alimaven</id>
<name>aliyun maven</name>
<url>http://maven.aliyun.com/nexus/content/groups/public/</url>
<releases>
<enabled>true</enabled>
</releases>
<snapshots>
<enabled>false</enabled>
</snapshots>
</repository>
</repositories>
</profile>-->
<!--
<profile>
<id>nexus</id>
<repositories>
<repository>
<id>maven-releases</id>
<url>http://192.168.2.199:9081/repository/maven-releases/</url>
<releases><enabled>true</enabled></releases>
<snapshots><enabled>true</enabled></snapshots>
</repository>
<repository>
<id>maven-snapshots</id>
<url>http://192.168.2.199:9081/repository/maven-snapshots/</url>
<releases><enabled>true</enabled></releases>
<snapshots><enabled>true</enabled></snapshots>
</repository>
</repositories>
<pluginRepositories>
<pluginRepository>
<id>central</id>
<url>http://192.168.2.199:9081/repository/maven-public/</url>
<releases><enabled>true</enabled></releases>
<snapshots><enabled>true</enabled></snapshots>
</pluginRepository>
</pluginRepositories>
</profile>
-->
</profiles>

<!-- activeProfiles
| List of profiles that are active for all builds.
|
<activeProfiles>
<activeProfile>alwaysActiveProfile</activeProfile>
<activeProfile>anotherAlwaysActiveProfile</activeProfile>
</activeProfiles>
-->
<activeProfiles>
<activeProfile>nexus</activeProfile>
<activeProfile>sonar</activeProfile>
</activeProfiles>
</settings>
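The settings.xml above stores repository passwords in clear text and carries SonarQube database credentials that the scanner has not needed since SonarQube 5.2. As an added example (not part of the page), the script below audits a settings.xml for <password> values that are not in Maven's encrypted {...} form and for sonar.jdbc.* properties, so it can run as a pre-commit or CI check; the sample file is constructed inline in the shape of the page's file, and the patterns assume one XML element per line as that file has.

```sh
#!/bin/sh
# Added example (not part of the page): audit a Maven settings.xml for secrets
# that should not be there. Assumes one XML element per line, as in the page's file.
set -eu

# plaintext_passwords FILE : every <password> value that is not in Maven's
# encrypted {base64} form (produced by mvn --encrypt-password). Commented-out
# entries are reported too: once the file is shared, a comment hides nothing.
plaintext_passwords() {
  grep -o '<password>[^<]*</password>' "$1" |
    sed -e 's#<password>##' -e 's#</password>##' |
    grep -v '^{.*}$' || true
}

# scanner_db_props FILE : sonar.jdbc.* properties. Scanners have not talked to
# the database since SonarQube 5.2, so these only spread the DB password around.
scanner_db_props() {
  grep -o '<sonar\.jdbc\.[a-z]*>' "$1" | tr -d '<>' | sort -u || true
}

# audit_settings FILE : 0 when clean, 1 when something has to be fixed.
# Only the first three characters of a password are echoed.
audit_settings() {
  rc=0
  while read -r p; do
    [ -n "$p" ] || continue
    echo "$1: plaintext <password> starting with '$(printf '%.3s' "$p")...'" >&2
    rc=1
  done <<EOF
$(plaintext_passwords "$1")
EOF
  while read -r k; do
    [ -n "$k" ] || continue
    echo "$1: remove <$k>, scanner-side database access is obsolete" >&2
    rc=1
  done <<EOF
$(scanner_db_props "$1")
EOF
  return $rc
}

# write_sample_settings FILE : constructed excerpt shaped like the page's file
write_sample_settings() {
  cat > "$1" <<'EOF'
<settings>
  <servers>
    <server><id>maven-releases</id><username>admin</username><password>admin123</password></server>
    <server><id>deploy</id><username>ci</username><password>{jSMOWnoPFgsHVpMvz5VrIt5kRbzGpI8u+9EF1iFQyJQ=}</password></server>
  </servers>
  <profiles><profile><id>sonar</id><properties>
    <sonar.jdbc.url>jdbc:mysql://192.168.137.254:3306/sonar</sonar.jdbc.url>
    <sonar.jdbc.password>123456</sonar.jdbc.password>
    <sonar.host.url>http://192.168.137.32:9000</sonar.host.url>
  </properties></profile></profiles>
</settings>
EOF
}

# Usage:  sh audit_settings.sh ~/.m2/settings.xml
if [ -n "${1:-}" ]; then
  audit_settings "$1" && echo "$1: no plaintext passwords, no scanner DB properties"
fi
```

The encrypted form the check accepts is what mvn --encrypt-password prints once ~/.m2/settings-security.xml holds a master password; that file, not settings.xml, is the one to protect.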

pom.xml

<build>
  <plugins>
    <plugin>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-maven-plugin</artifactId>
      <version>2.0.9.RELEASE</version>
      <configuration>
        <executable>true</executable>
      </configuration>
    </plugin>
    <plugin>
      <groupId>org.sonarsource.scanner.maven</groupId>
      <artifactId>sonar-maven-plugin</artifactId>
      <version>3.4.0.905</version>
    </plugin>
  </plugins>
</build>

 

 