
First Project

The server installed during this minicourse is only reachable locally, so we will scan an application and send the report to localhost:9000, or, if you exposed SonarQube through Kubernetes, to whatever port you forwarded to the Service you chose, in place of 9000.

The scanner needs a token to submit reports.

Let's create a manual project (as opposed to one imported from a DevOps platform) just to receive the reports of a project that lives on our own machine.


Note that it asks how long the token should be valid. For now we set it to never expire. That is fine for a throwaway lab, but in a real pipeline pick an expiry date and rotate the token, because anyone who obtains it can submit analyses as you for as long as it lives.


After copying the token, it asks which language the code to be analysed is written in. For now I'll choose Other.

The command it shows is similar to the one below; note that you need sonar-scanner installed to run it. Port 33217 is the port forwarded to my SonarQube Service in Kubernetes; if you are running the server directly, use 9000. The comments sit above the command on purpose: a # line placed between backslash-continued lines ends the command, so everything after it would run as a separate (and failing) command.

# sonar.projectKey: key of the SonarQube project that will receive the report
# sonar.sources:    path to the project code, relative to where you run the command
# sonar.host.url:   URL of the server
# sonar.token:      the token generated above
sonar-scanner \
  -Dsonar.projectKey=devsecops \
  -Dsonar.sources=. \
  -Dsonar.host.url=http://localhost:33217 \
  -Dsonar.token=xxxxxxxxxxxxxxxxxxxxxxxxxx

In a pipeline you need this scanner available. GitHub Actions already has an action that ships it ready to use, and when you create the project SonarQube shows how to integrate with several kinds of pipeline.

We can also use a Docker image with the scanner preinstalled and just pass the same parameters.

Since I'm running this locally against the project I want to scan, I mount the project's root folder inside the container at /usr/src. The network is set to host because SonarQube is running on my own infrastructure: a container on the default bridge network has its own localhost, so host networking is what lets it reach localhost:33217. The rest are the same -D properties the scanner needs, plus the image name. The sqp_ prefix on the token marks it as a project analysis token, which can only submit analyses to this one project. Passing the token as an argument leaves it in your shell history and visible to anyone who can run ps while the scan runs; the image also reads SONAR_HOST_URL and SONAR_TOKEN from environment variables (docker run -e), which is what you should use in a pipeline.

docker run --rm -v $(pwd):/usr/src --network=host sonarsource/sonar-scanner-cli \
sonar-scanner \
-Dsonar.projectKey=devsecops \
-Dsonar.sources=. \
-Dsonar.host.url=http://localhost:33217 \
-Dsonar.token=sqp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

We will get output similar to the following. I'll add comments inline.

INFO: Scanner configuration file: /opt/sonar-scanner/conf/sonar-scanner.properties
INFO: Project root configuration file: NONE
# Version of the scanner and of the installed Java
INFO: SonarScanner 5.0.1.3006
INFO: Java 17.0.11 Alpine (64-bit)
INFO: Linux 6.5.0-45-generic amd64
INFO: User cache: /opt/sonar-scanner/.sonar/cache
INFO: Analyzing on SonarQube server 10.6.0.92116
INFO: Default locale: "en_US", source code encoding: "UTF-8" (analysis is platform dependent)
INFO: Load global settings
INFO: Load global settings (done) | time=192ms
INFO: Server id: EA8D9556-AZEzZfCH5j11BErNX0-Z
INFO: Loading required plugins
INFO: Load plugins index
INFO: Load plugins index (done) | time=87ms
INFO: Load/download plugins
INFO: Load/download plugins (done) | time=582ms
INFO: Process project properties
INFO: Process project properties (done) | time=6ms
INFO: Project key: devsecops
# Exactly where our code is available inside the container
INFO: Base dir: /usr/src
INFO: Working dir: /tmp/.scannerwork
INFO: Load project settings for component key: 'devsecops'
INFO: Load project settings for component key: 'devsecops' (done) | time=54ms
# Since we never created a profile or rules, we are using the default one, called Sonar way
INFO: Load quality profiles
INFO: Load quality profiles (done) | time=86ms
INFO: Load active rules
INFO: Load active rules (done) | time=2289ms
INFO: Load analysis cache
INFO: Load analysis cache (404) | time=7ms
INFO: Preprocessing files...
INFO: 4 languages detected in 990 preprocessed files
# Files matched by .gitignore (node_modules, build output...) are skipped; sonar.scm.exclusions.disabled=true turns this off
INFO: 34674 files ignored because of scm ignore settings
INFO: Loading plugins for detected languages
INFO: Load/download plugins
INFO: Load/download plugins (done) | time=399ms
INFO: Load project repositories
INFO: Load project repositories (done) | time=53ms
INFO: Indexing files...
INFO: Project configuration:
INFO: 990 files indexed
INFO: Quality profile for css: Sonar way
INFO: Quality profile for js: Sonar way
INFO: Quality profile for json: Sonar way
INFO: Quality profile for yaml: Sonar way
INFO: ------------- Run sensors on module devsecops
INFO: Load metrics repository
INFO: Load metrics repository (done) | time=66ms
INFO: Sensor HTML [web]
INFO: Sensor HTML [web] (done) | time=3ms
INFO: Sensor JaCoCo XML Report Importer [jacoco]
INFO: 'sonar.coverage.jacoco.xmlReportPaths' is not defined. Using default locations: target/site/jacoco/jacoco.xml,target/site/jacoco-it/jacoco.xml,build/reports/jacoco/test/jacocoTestReport.xml
INFO: No report imported, no coverage information will be imported by JaCoCo XML Report Importer
INFO: Sensor JaCoCo XML Report Importer [jacoco] (done) | time=1ms
INFO: Sensor IaC CloudFormation Sensor [iac]
INFO: 0 source files to be analyzed
INFO: 0/0 source files have been analyzed
INFO: Sensor IaC CloudFormation Sensor [iac] (done) | time=47ms
INFO: Sensor IaC Kubernetes Sensor [iac]
INFO: 2 source files to be analyzed
INFO: 2/2 source files have been analyzed
INFO: Sensor IaC Kubernetes Sensor [iac] (done) | time=107ms
INFO: Sensor IaC AzureResourceManager Sensor [iac]
INFO: 0 source files to be analyzed
INFO: 0/0 source files have been analyzed
INFO: Sensor IaC AzureResourceManager Sensor [iac] (done) | time=37ms
INFO: Sensor Java Config Sensor [iac]
INFO: 0 source files to be analyzed
INFO: 0/0 source files have been analyzed
INFO: Sensor Java Config Sensor [iac] (done) | time=6ms
INFO: Sensor JavaScript/TypeScript analysis [javascript]
# Alpine is not a supported platform for the analyzer's embedded Node.js runtime, so it falls back to the node binary present in the image (next line)
INFO: Detected os: Linux arch: amd64 alpine: true. Platform: UNSUPPORTED
INFO: Using Node.js executable: 'node'.
INFO: Memory configuration: OS (31820 MB), Node.js (4144 MB).
INFO: Found 0 tsconfig.json file(s): []
INFO: Creating TypeScript program
INFO: TypeScript configuration file /tmp/tmp-91-yel3JrC1hBfH
INFO: 19 source files to be analyzed
INFO: Starting analysis with current program
INFO: Analyzed 19 file(s) with current program
INFO: 19/19 source files have been analyzed
INFO: Hit the cache for 0 out of 19
INFO: Miss the cache for 19 out of 19: ANALYSIS_MODE_INELIGIBLE [19/19]
INFO: Sensor JavaScript/TypeScript analysis [javascript] (done) | time=6018ms
INFO: Sensor JavaScript inside YAML analysis [javascript]
INFO: No input files found for analysis
INFO: Hit the cache for 0 out of 0
INFO: Miss the cache for 0 out of 0
INFO: Sensor JavaScript inside YAML analysis [javascript] (done) | time=18ms
INFO: Sensor CSS Rules [javascript]
INFO: 3 source files to be analyzed
INFO: 3/3 source files have been analyzed
INFO: Hit the cache for 0 out of 0
INFO: Miss the cache for 0 out of 0
INFO: Sensor CSS Rules [javascript] (done) | time=153ms
INFO: Sensor CSS Metrics [javascript]
INFO: Sensor CSS Metrics [javascript] (done) | time=8ms
INFO: Sensor IaC Docker Sensor [iac]
INFO: 0 source files to be analyzed
INFO: 0/0 source files have been analyzed
INFO: Sensor IaC Docker Sensor [iac] (done) | time=14ms
INFO: Sensor TextAndSecretsSensor [text]
INFO: Available processors: 24
INFO: Using 24 threads for analysis.
INFO: The property "sonar.tests" is not set. To improve the analysis accuracy, we categorize a file as a test file if any of the following is true:
* The filename starts with "test"
* The filename contains "test." or "tests."
* Any directory in the file path is named: "doc", "docs", "test" or "tests"
* Any directory in the file path has a name ending in "test" or "tests"

# Secrets detection only looks at files tracked by git (plus sonar.text.inclusions), so an untracked local .env is not checked
INFO: Using git CLI to retrieve untracked files
INFO: Analyzing language associated files and files included via "sonar.text.inclusions" that are tracked by git
INFO: 90 source files to be analyzed
INFO: 90/90 source files have been analyzed
INFO: Sensor TextAndSecretsSensor [text] (done) | time=1792ms
INFO: ------------- Run sensors on project
INFO: Sensor Zero Coverage Sensor
INFO: Sensor Zero Coverage Sensor (done) | time=7ms
INFO: SCM Publisher SCM provider for this project is: git
INFO: SCM Publisher 24 source files to be analyzed
INFO: SCM Publisher 24/24 source files have been analyzed (done) | time=164ms
INFO: CPD Executor 15 files had no CPD blocks
INFO: CPD Executor Calculating CPD for 4 files
INFO: CPD Executor CPD calculation finished (done) | time=8ms
INFO: SCM revision ID '8a2fe2a3013c79421f72e48a74d4bb65237a266d'
INFO: Analysis report generated in 35ms, dir size=267.9 kB
INFO: Analysis report compressed in 37ms, zip size=77.1 kB
INFO: Analysis report uploaded in 63ms
INFO: ANALYSIS SUCCESSFUL, you can find the results at: http://localhost:33217/dashboard?id=devsecops
INFO: Note that you will be able to access the updated dashboard once the server has processed the submitted analysis report
INFO: More about the report processing at http://localhost:33217/api/ce/task?id=cc4d87c0-4d45-4647-acd2-0c52501dd8f4
INFO: Analysis total time: 13.137 s
INFO: ------------------------------------------------------------------------
INFO: EXECUTION SUCCESS
INFO: ------------------------------------------------------------------------
INFO: Total time: 14.939s
INFO: Final Memory: 18M/96M
INFO: ------------------------------------------------------------------------
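As an added example (not part of the course, and not SonarSource's own tooling), here is a small POSIX shell wrapper around the Docker invocation above that keeps the token out of the command line and acts on the URL the scanner prints at the end: it polls the api/ce/task URL until the server has processed the report, then asks api/qualitygates/project_status for the Quality Gate and exits non-zero when it is not OK, which is what a pipeline step should do. It assumes the sonar-scanner-cli image reads SONAR_HOST_URL and SONAR_TOKEN from the environment (as its documentation describes), that the token is accepted as the Basic-auth username, and that the server's JSON has the documented shape; the JSON is parsed with sed so no jq is needed in the CI image.

```shell
#!/bin/sh
# Added example, not from the course: run the Dockerised scanner with the token
# taken from the environment, wait for SonarQube to process the report, and fail
# if the Quality Gate is not OK. Assumes the /api/ce/task and
# /api/qualitygates/project_status endpoints and their documented JSON layout.

# The task URL that sonar-scanner prints at the end of a run
# ("More about the report processing at http://.../api/ce/task?id=...").
ce_task_url() {
  sed -n 's|.*\(https*://[^ ]*/api/ce/task?id=[A-Za-z0-9_-]*\).*|\1|p' | head -n 1
}

# Task status from /api/ce/task JSON: PENDING, IN_PROGRESS, SUCCESS, FAILED or CANCELED.
ce_task_status() {
  sed -n 's|.*"status":"\([A-Z_]*\)".*|\1|p'
}

# analysisId from the same JSON, needed to query the Quality Gate.
ce_analysis_id() {
  sed -n 's|.*"analysisId":"\([^"]*\)".*|\1|p'
}

# Overall gate status from /api/qualitygates/project_status JSON (OK or ERROR).
# Only the projectStatus object is matched; per-condition statuses are ignored.
gate_status() {
  sed -n 's|.*"projectStatus":{"status":"\([A-Z]*\)".*|\1|p'
}

run_scan() {
  : "${SONAR_HOST_URL:?set SONAR_HOST_URL, e.g. http://localhost:33217}"
  : "${SONAR_TOKEN:?set SONAR_TOKEN; never put the token on the command line}"
  project_key="${1:-devsecops}"

  # Same invocation as in the course, but host URL and token travel as
  # environment variables, which the sonar-scanner-cli image reads itself.
  docker run --rm -v "$(pwd):/usr/src" --network=host \
    -e SONAR_HOST_URL -e SONAR_TOKEN \
    sonarsource/sonar-scanner-cli \
    sonar-scanner -Dsonar.projectKey="$project_key" -Dsonar.sources=. \
    >scanner.log 2>&1 || { cat scanner.log; return 1; }
  cat scanner.log

  task_url=$(ce_task_url <scanner.log)
  [ -n "$task_url" ] || { echo "no CE task URL in scanner output" >&2; return 1; }

  # The dashboard only updates once the server has processed the report,
  # so poll the Compute Engine task until it finishes.
  while :; do
    task_json=$(curl -sS -u "$SONAR_TOKEN:" "$task_url")
    case "$(printf '%s' "$task_json" | ce_task_status)" in
      SUCCESS) break ;;
      FAILED|CANCELED) echo "report processing failed: $task_json" >&2; return 1 ;;
      *) sleep 2 ;;
    esac
  done

  analysis_id=$(printf '%s' "$task_json" | ce_analysis_id)
  gate=$(curl -sS -u "$SONAR_TOKEN:" \
    "$SONAR_HOST_URL/api/qualitygates/project_status?analysisId=$analysis_id" | gate_status)
  echo "Quality Gate for $project_key: $gate"
  [ "$gate" = "OK" ]
}

# Only scan when invoked as: sh scan.sh run [project-key]
case "${1:-}" in
  run) run_scan "${2:-devsecops}" ;;
esac
```

Export SONAR_HOST_URL and SONAR_TOKEN (from your CI secret store, not a file in the repo) and run `sh scan.sh run devsecops`; the helper functions are separate from the network calls so they can be checked against captured output before the script is wired into a pipeline.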

Just to illustrate: the Quality Profile applied above is Sonar Way, SonarQube's default, which is why the log reports "Quality profile for css: Sonar way" and the same for js, json and yaml.