My manager recently asked me to evaluate open-source code-audit tools. SonarQube turned out to cover our needs, and it can be wired into GitLab so that code is audited automatically on every push.
I. Code audit requirements and design
The requirement: every code push to GitLab triggers one analysis. The design is sonarqube + sonar-scanner + gitlab-runner + gitlab (the original architecture diagram is not reproduced here); the flow is:
1. The developer pushes code to gitlab.
2. gitlab-ci fires and starts a gitlab-runner job.
3. gitlab-ci runs sonar-scanner against the checkout and analyses the code (the design shows this as a sonar_runner docker image; in the deployment below it is a binary installed on the runner host).
4. The analysis results are posted as a comment on the commit.
5. A gitlab administrator merges the code into the develop or master branch.
6. gitlab-ci fires again and starts a gitlab-runner job.
7. gitlab-ci runs sonar-scanner again and analyses the merged code.
8. This time the analysis results are stored in the SonarQube database.
9. The security team reviews the results in the SonarQube web UI.
II. Environment deployment
Everything is deployed with docker for speed, except that our GitLab 8 is not compatible with the latest gitlab-runner docker image, so the runner is installed from this release instead: https://gitlab-ci-multi-runner-downloads.s3.amazonaws.com/v1.11.2/index.html (both GitLab 8 and runner 1.11.2 are long out of support; this is a compatibility workaround, not a recommendation).
For best performance the components are split across machines:
192.168.226.130:sonarqube docker
192.168.226.131:gitlab-runner、sonar-scanner、maven
192.168.226.132:postgresql
sonarqube docker installation
Download the plugin jars sonar-gitlab-plugin-4.1.0-SNAPSHOT.jar (the GitLab plugin) and sonar-l10n-zh-plugin-1.27.jar (Chinese localisation). A SNAPSHOT is an unreleased build, so record exactly where it came from and verify its checksum before baking it into the image.
#vim Dockerfile
Contents:
# pin the base image to a specific tag in production rather than the floating latest
FROM sonarqube
# COPY rather than ADD: ADD also fetches URLs and unpacks tar archives, which is not wanted here
COPY sonar-l10n-zh-plugin-1.27.jar /opt/sonarqube/extensions/plugins/
COPY sonar-gitlab-plugin-4.1.0-SNAPSHOT.jar /opt/sonarqube/extensions/plugins/
#docker pull sonarqube
#docker build -t sonarqube:zh .
#docker run -d --name sonarqube -p 9000:9000 -p 9092:9092 -e SONARQUBE_JDBC_USERNAME=sonar -e SONARQUBE_JDBC_PASSWORD=xxx -e SONARQUBE_JDBC_URL=jdbc:postgresql://192.168.226.132:5432/sonar --add-host=database:192.168.226.132 sonarqube:zh
A database password passed with -e stays visible in the shell history and in docker inspect output; an --env-file with restrictive permissions is the usual alternative.
Browse to http://192.168.226.130:9000/sessions/new?return_to=%2F and change the default admin password.
Administration - Configuration - Security: enable Force user authentication, so that anonymous users cannot browse the findings.
To copy a file into the container:
docker cp 本地文件 容器ID:上传目录
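The two plugin jars above are downloaded by hand and baked straight into the image, so nothing checks that what went into the image is what was downloaded. As an added example (not from the original post), here is a small gate for the docker build step: a pinned checksum manifest is verified before the image is built. The manifest name plugins.sha256 and the helper names are my own; the checksum values themselves must come from wherever you obtained the jars, since this page gives none.

```sh
#!/bin/sh
# Added example, not from the original post: gate "docker build" on a pinned
# checksum manifest for the downloaded plugin jars, so a swapped or truncated
# download never ends up inside the SonarQube image.
# Assumption: a file plugins.sha256 next to the Dockerfile holding one
# "<sha256>  <filename>" line per jar (values taken from the download source).

# sha256 of one file, portable across GNU coreutils and BSD/macOS userlands
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Check every "<sha256>  <filename>" line of manifest $1 against files under
# directory $2. Returns 0 only if every listed file exists and matches; blank
# lines and "#" comments in the manifest are skipped.
verify_manifest() {
    manifest="$1"; dir="$2"; bad=0
    while read -r want name; do
        [ -z "$want" ] && continue
        case "$want" in "#"*) continue ;; esac
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name" >&2
            bad=1
            continue
        fi
        got=$(sha256_of "$dir/$name")
        if [ "$got" = "$want" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name (expected $want, got $got)" >&2
            bad=1
        fi
    done < "$manifest"
    return "$bad"
}

# Replacement for the bare "docker build" step: refuse to build unless every
# jar referenced by the Dockerfile verifies.
build_sonarqube_image() {
    verify_manifest plugins.sha256 . || {
        echo "refusing to build: plugin jar checksum mismatch" >&2
        return 1
    }
    docker build -t sonarqube:zh .
}

# Constructed sample for trying the check offline: a stand-in "jar" whose
# content is just "hello\n" (not a real plugin) plus a manifest for it.
make_sample_dir() {
    d="${TMPDIR:-/tmp}/sonar-plugins.$$"
    mkdir -p "$d"
    printf 'hello\n' > "$d/sonar-l10n-zh-plugin-1.27.jar"
    printf '%s  %s\n' \
        5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03 \
        sonar-l10n-zh-plugin-1.27.jar > "$d/plugins.sha256"
    echo "$d"
}
```

Run build_sonarqube_image from the directory holding the Dockerfile, the jars and plugins.sha256; a missing or altered jar stops the build before docker is invoked. The same manifest pattern works for the gitlab-runner binary downloaded later.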
gitlab-runner installation
#wget -O /usr/local/bin/gitlab-runner https://gitlab-ci-multi-runner-downloads.s3.amazonaws.com/v1.11.2/binaries/gitlab-ci-multi-runner-linux-amd64
Verify the checksum of the downloaded binary before marking it executable; this file will run every CI job on the host.
#chmod +x /usr/local/bin/gitlab-runner
#useradd --comment 'GitLab Runner' --create-home gitlab-runner --shell /bin/bash
#gitlab-runner install --user=gitlab-runner --working-directory=/home/gitlab-runner
#gitlab-runner start
#gitlab-runner register
Answer the prompts (GitLab URL, registration token, description, tags, executor).
On success it prints: Runner registered successfully. Feel free to start it, but if it's running already the config should be automatically reloaded!
The runner should now be listed in GitLab under the project's Runners settings.
sonar-scanner installation
# unzip sonar-scanner-cli-3.3.0.1492-linux.zip
# mv sonar-scanner-3.3.0.1492-linux/ sonar-scanner-3.3.0/
# vi sonar-scanner-3.3.0/conf/sonar-scanner.properties
sonar.host.url=http://192.168.226.130:9000
# Admin credentials here give every CI job full administrator rights on SonarQube
# and sit in a file every job on this host can read. Prefer a token generated for
# a dedicated low-privilege SonarQube user (My Account - Security) as sonar.login,
# with no sonar.password, and chmod 600 this file.
sonar.login=admin
sonar.password=xxx
# vi /etc/profile
export SONAR_SCANNER_HOME=/opt/sonar-scanner-3.3.0
export PATH=${SONAR_SCANNER_HOME}/bin:$PATH
# source /etc/profile
maven installation
tar zvxf apache-maven-3.6.1-bin.tar.gz
vi /etc/profile
export MAVEN_HOME=/opt/apache-maven-3.6.1
export PATH=${MAVEN_HOME}/bin:$PATH
source /etc/profile
postgresql installation
# download postgresql-10.1.tar.gz
The install prefix is /usr/local/pgsql/
#tar zxf postgresql-10.1.tar.gz
#cd postgresql-10.1
#./configure
#make
#make install
#adduser postgres
#mkdir /usr/local/pgsql/data
#chown postgres /usr/local/pgsql/data
#su - postgres
# --auth=md5 makes initdb write password-authenticated rules instead of its default "trust"
# rules, and --pwprompt sets the postgres superuser password at the same time
#/usr/local/pgsql/bin/initdb -D /usr/local/pgsql/data --auth=md5 --pwprompt
#/usr/local/pgsql/bin/pg_ctl start -D /usr/local/pgsql/data -l logfile
(Starting the server once with pg_ctl is enough; running postgres -D ... & and then pg_ctl start, as was done originally, starts it twice and the second start fails because the data directory is already in use.)
Allowing remote access to the database
#vim /usr/local/pgsql/data/postgresql.conf
change listen_addresses='localhost' to listen_addresses='*' (this needs a server restart; pg_hba.conf changes below only need pg_ctl reload)
#vim /usr/local/pgsql/data/pg_hba.conf
Add a rule for the SonarQube host under "IPv4 remote address connections":
host    sonar    sonar    192.168.226.130/32    md5
Do not use host all all 0.0.0.0/0 trust here: "trust" skips authentication entirely, and combined with listen_addresses='*' that rule lets any host on the network open any database as any role, including postgres, without a password.
Create the database role sonar (with a password) and a database sonar owned by it; these are what the JDBC URL and credentials on the sonarqube host refer to.
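The pg_hba.conf step is the one place in this setup where a single wrong line exposes the whole database, so it is worth checking the file mechanically rather than by eye. The following is an added example, not from the original post: a POSIX shell audit that flags every rule using "trust" or a match-everything address (including the two-field IP NETMASK form that is easy to overlook) and prints the narrow replacement rule. It assumes the SonarQube host is 192.168.226.130 and that the role and database are both called sonar, as in the layout above; the sample file is constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not from the original post: audit a pg_hba.conf for rules that
# would let a host reach the SonarQube database without authenticating, and
# print the narrow rule that should replace "host all all 0.0.0.0/0 trust".
# Assumptions: SonarQube runs on 192.168.226.130, and both the database and the
# role are called "sonar", as in the machine layout above.

SONARQUBE_HOST="${SONARQUBE_HOST:-192.168.226.130}"

# Print "<file>:<line>: <rule>" for every risky rule in pg_hba file $1.
# Risky means: auth method "trust" (no authentication at all), or an address
# that matches every source (0.0.0.0/0, ::/0, or a 0.0.0.0 netmask).
# Handles both the CIDR form and the "IP NETMASK" two-field form of host rules.
pg_hba_risky_rules() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        $1 == "local" {
            if ($4 == "trust") print FILENAME ":" NR ": " $0
            next
        }
        $1 == "host" || $1 == "hostssl" || $1 == "hostnossl" {
            addr = $4; mask = ""; method = $5
            if ($5 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { mask = $5; method = $6 }
            if (method == "trust" || addr == "0.0.0.0/0" || addr == "::/0" || mask == "0.0.0.0")
                print FILENAME ":" NR ": " $0
        }
    ' "$1"
}

# The rule to add instead: only the SonarQube host, only the sonar role, only
# the sonar database, password-authenticated. scram-sha-256 is stronger and is
# available from PostgreSQL 10, but needs password_encryption set before the
# role's password is created and a JDBC driver that supports it; md5 works
# with every driver SonarQube has shipped.
hardened_pg_hba_rule() {
    printf 'host    sonar    sonar    %s/32    md5\n' "$SONARQUBE_HOST"
}

# Constructed sample file: the trust lines a default initdb writes, the
# 0.0.0.0/0 line from the post, a netmask-form rule, and two acceptable rules.
write_sample_pg_hba() {
    f="${TMPDIR:-/tmp}/pg_hba_sample.$$"
    cat > "$f" <<'EOF'
# TYPE  DATABASE  USER   ADDRESS                        METHOD
local   all       all                                   trust
host    all       all    127.0.0.1/32                   trust
host    all       all    ::1/128                        trust
host    all       all    0.0.0.0/0                      trust
host    all       all    192.168.226.0 255.255.255.0    trust
host    sonar     sonar  192.168.226.130/32             md5
host    all       all    10.0.0.0/8                     md5
EOF
    echo "$f"
}
```

Run pg_hba_risky_rules /usr/local/pgsql/data/pg_hba.conf on the database host as part of the deployment; on the sample it reports five rules (every trust line, including the initdb defaults for local and loopback connections and the netmask-form rule) and leaves the two md5 rules alone. Remember that pg_hba.conf is evaluated top to bottom and the first matching rule wins, so a wide rule placed above the narrow one still takes effect.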
III. Getting started
Enter the GitLab details into SonarQube
Browse to http://192.168.226.130:9000 and under Administration - Configuration - GitLab fill in the GitLab URL and a token. About the token:
Take it from GitLab under User Settings - Account - Private Token. That token acts with every right of the user it belongs to, so create it for a dedicated user that only has access to the projects being scanned rather than for an administrator.
Paste it into SonarQube.
Add a .gitlab-ci.yml to the project:
security_sonar:
  stage: test
  script:
    - sonar-scanner -Dsonar.projectKey=<project name>
  tags:
    - <runner tag>
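The one-line job above runs the same full analysis on every branch, which covers steps 6 to 9 of the design but not steps 1 to 4 (the commit comment on feature branches), and it relies on the admin password stored in sonar-scanner.properties. As an added example (not part of the original post or of sonar-gitlab-plugin), here is a wrapper script the job can call instead; it selects preview mode with the GitLab plugin parameters on feature branches and a stored analysis on develop and master, and takes both tokens from protected CI variables. The sonar.gitlab.* property names are the ones documented by sonar-gitlab-plugin and sonar.analysis.mode=preview is what its README uses for SonarQube 6.7; preview mode was removed in SonarQube 7.7, so check both against the versions you run. GITLAB_URL, SONAR_TOKEN, GITLAB_USER_TOKEN and SONAR_PROJECT_KEY are my own names.

```sh
#!/bin/sh
# sonar-scan.sh: added example, not part of the original post or of
# sonar-gitlab-plugin. The security_sonar job calls it instead of a bare
# "sonar-scanner"; it implements both flows from the design section:
#   - feature branches: preview analysis; the GitLab plugin posts the issues
#     as a commit comment and nothing is stored in SonarQube;
#   - develop/master: full analysis stored in SonarQube.
# Assumptions: SonarQube at http://192.168.226.130:9000 (from the post);
# GITLAB_URL is a placeholder; SONAR_TOKEN (a SonarQube user token) and
# GITLAB_USER_TOKEN (the GitLab token from the configuration step) come from
# protected CI variables instead of admin/password in sonar-scanner.properties.
# sonar.gitlab.* names follow the plugin's documentation; sonar.analysis.mode=
# preview exists up to SonarQube 7.6 only. Verify both against your versions.

SONAR_HOST_URL="${SONAR_HOST_URL:-http://192.168.226.130:9000}"
GITLAB_URL="${GITLAB_URL:-http://gitlab.example.com}"

# "publish" for the protected integration branches, "preview" for the rest.
sonar_mode_for_branch() {
    case "$1" in
        develop|master) echo publish ;;
        *)              echo preview ;;
    esac
}

# Print the sonar-scanner arguments for a job, one per line.
# $1 project key, $2 branch name, $3 commit sha, $4 GitLab project id.
# Secrets are deliberately not part of this list so it can be logged.
sonar_scanner_args() {
    key="$1"; branch="$2"; sha="$3"; project_id="$4"
    printf '%s\n' "-Dsonar.host.url=$SONAR_HOST_URL"
    printf '%s\n' "-Dsonar.projectKey=$key"
    printf '%s\n' "-Dsonar.sourceEncoding=UTF-8"
    if [ "$(sonar_mode_for_branch "$branch")" = preview ]; then
        printf '%s\n' "-Dsonar.analysis.mode=preview"
        printf '%s\n' "-Dsonar.gitlab.url=$GITLAB_URL"
        printf '%s\n' "-Dsonar.gitlab.project_id=$project_id"
        printf '%s\n' "-Dsonar.gitlab.commit_sha=$sha"
        printf '%s\n' "-Dsonar.gitlab.ref_name=$branch"
    fi
}

# Run the scanner with the argument list above plus the secrets.
# Tokens passed with -D are visible in "ps" on the runner host for the
# duration of the job, one more reason to keep that host single-purpose.
run_sonar_scan() {
    if [ "$(sonar_mode_for_branch "$2")" = preview ]; then
        extra="-Dsonar.gitlab.user_token=${GITLAB_USER_TOKEN:?set it as a protected CI variable}"
    else
        extra=""
    fi
    sonar_scanner_args "$@" | xargs sonar-scanner \
        "-Dsonar.login=${SONAR_TOKEN:?set it as a protected CI variable}" $extra
}

# CI entry point: "sh sonar-scan.sh --ci" from .gitlab-ci.yml. Uses the
# CI_COMMIT_* variables of GitLab 9+ and falls back to the CI_BUILD_* names
# that GitLab 8 sets; SONAR_PROJECT_KEY overrides the default key.
if [ "${1:-}" = "--ci" ]; then
    run_sonar_scan "${SONAR_PROJECT_KEY:-$CI_PROJECT_ID}" \
        "${CI_COMMIT_REF_NAME:-$CI_BUILD_REF_NAME}" \
        "${CI_COMMIT_SHA:-$CI_BUILD_REF}" \
        "$CI_PROJECT_ID"
fi
```

In .gitlab-ci.yml the script line becomes "- sh sonar-scan.sh --ci" and the two tokens are defined as protected variables in the project's CI settings, so that they are only exposed to jobs on protected branches and never appear in the repository or in the global sonar-scanner.properties.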
IV. Errors and fixes
Error 1:
ERROR: Error during SonarQube Scanner execution
ERROR: You must define the following mandatory properties for 'Unknown': sonar.projectKey
ERROR:
ERROR: Re-run SonarQube Scanner using the -X switch to enable full debug logging.
Fix 1:
The scanner was run without a project key. The -Dsonar.projectKey in the job is the right place for it; as a fallback, sonar-scanner.properties can carry defaults:
sonar.host.url=http://192.168.226.130:9000
sonar.sourceEncoding=UTF-8
# The scanner has not talked to the database since SonarQube 5.2: these three lines
# are ignored and only put the database password on the CI host. Leave them out.
#sonar.jdbc.url=jdbc:postgresql://192.168.226.132:5432/sonar
#sonar.jdbc.username=sonar
#sonar.jdbc.password=xxx
# Global fallback key: any job that forgets -Dsonar.projectKey lands in this one
# shared project, so failing loudly (as in the error above) is arguably better.
sonar.projectKey=allProjects
sonar.projectName=allProjects
sonar.projectVersion=1.0.0
sonar.login=admin
sonar.password=xxx
Error 2:
ERROR: Error during SonarQube Scanner execution
ERROR: com.talanlabs.sonar.plugins.gitlab.CommitPublishPostJob has unsatisfied dependency 'class com.talanlabs.sonar.plugins.gitlab.ReporterBuilder' for constructor 'public com.talanlabs.sonar.plugins.gitlab.CommitPublishPostJob(com.talanlabs.sonar.plugins.gitlab.GitLabPluginConfiguration,com.talanlabs.sonar.plugins.gitlab.SonarFacade,com.talanlabs.sonar.plugins.gitlab.CommitFacade,com.talanlabs.sonar.plugins.gitlab.ReporterBuilder)' from org.sonar.core.platform.ComponentContainer$ExtendedDefaultPicoContainer@5b799640:348<[Immutable]:org.sonar.core.platform.ComponentContainer$ExtendedDefaultPicoContainer@3457cc8d:51<|
ERROR:
ERROR: Re-run SonarQube Scanner using the -X switch to enable full debug logging.
Fix 2:
This is https://github.com/gabrie-allaigre/sonar-gitlab-plugin/issues/213, a version mismatch between the plugin and SonarQube. It does not occur with the versions listed above; if you hit it, upgrade sonar-gitlab-plugin.
Error 3:
ERROR: Error during SonarQube Scanner execution
ERROR: GC overhead limit exceeded
ERROR:
ERROR: Re-run SonarQube Scanner using the -X switch to enable full debug logging.
Fix 3:
The scanner JVM ran out of heap. The runner host was resized from 4 CPU / 8 GB to 8 CPU / 16 GB and the scanner heap was raised:
vi /etc/profile
# a 16 GB heap on a 16 GB host leaves nothing for the OS and the JVM's own non-heap
# memory; leave headroom (something like -Xmx12g) or the scanner gets OOM-killed instead
export SONAR_SCANNER_OPTS="-Xmx16384m"
source /etc/profile