
First Project

Since the installed server is only reachable locally during this short course, we will scan an app and send the report to localhost:9000 (or replace 9000 with the port that was forwarded to the chosen service in Kubernetes).

The scanner needs a token to send reports.

We will create a manual project just to receive the reports for a project that lives on our own machine.

Note that it asks for the token's validity period. For now we will set it to never expire.

After copying the token, it asks which language the code to be analyzed is written in. For now I will choose Other.

The command it gives you looks like the one below. Note that sonar-scanner must be installed to run it.

# The comments describe each parameter. They are placed above the command
# because a comment line between backslash-continued lines would break it.
# -Dsonar.projectKey : name of the project in SonarQube that will receive the report
# -Dsonar.sources    : path to the project code, relative to where you run the command
# -Dsonar.host.url   : the server URL
# -Dsonar.token      : the token
sonar-scanner \
  -Dsonar.projectKey=devsecops \
  -Dsonar.sources=. \
  -Dsonar.host.url=http://localhost:33217 \
  -Dsonar.token=xxxxxxxxxxxxxxxxxxxxxxxxxx

In a pipeline you would need this scanner available. For GitHub Actions there is already an action that provides it ready to use. When you create the project you will see that it shows how to integrate with several kinds of pipeline.

We can use a Docker image with the scanner pre-installed and just pass the same parameters.

Since I am running this locally on the project I want to scan, I need to make the project's root directory available inside the container at /usr/src. The network is set to host because SonarQube is running on my own infrastructure, so this is needed for the container to reach the URL localhost:33217. The rest is the image name followed by the same scanner parameters as before.

docker run --rm -v $(pwd):/usr/src --network=host sonarsource/sonar-scanner-cli \
  sonar-scanner \
  -Dsonar.projectKey=devsecops \
  -Dsonar.sources=. \
  -Dsonar.host.url=http://localhost:33217 \
  -Dsonar.token=sqp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
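A wrapper that runs the scan either way (local sonar-scanner or the sonarsource/sonar-scanner-cli image), added here as an example and not part of the course or of SonarSource's tooling. It takes the token from the SONAR_TOKEN environment variable, which recent versions of the scanner CLI and the image both read, instead of putting it on the command line, where it would be written to shell history and be visible to every user on the machine through ps; it also masks tokens in anything it echoes into a log. SONAR_HOST_URL and SONAR_PROJECT_KEY are variable names I chose; their defaults are the values used above.

```shell
#!/bin/sh
# Added example for this page (not the course's or SonarSource's script).
# Runs the scan shown above, natively or through the sonar-scanner-cli image,
# with the token read from SONAR_TOKEN rather than typed on the command line.
# SONAR_HOST_URL and SONAR_PROJECT_KEY are assumed names; defaults mirror the page.

SONAR_HOST_URL="${SONAR_HOST_URL:-http://localhost:33217}"
SONAR_PROJECT_KEY="${SONAR_PROJECT_KEY:-devsecops}"

# Fail early if no token is present instead of letting the server reject the
# upload (or silently accept an anonymous analysis where that is allowed).
require_token() {
  if [ -z "${SONAR_TOKEN:-}" ]; then
    echo "SONAR_TOKEN is not set; create a project token in SonarQube first" >&2
    return 1
  fi
}

# Mask SonarQube tokens (sqp_/squ_/sqa_ prefixes) in text read from stdin before
# it is written to a CI log. Applied to everything this script echoes.
redact() {
  sed -E 's/(sqp|squ|sqa)_[A-Za-z0-9]+/\1_<redacted>/g'
}

# Scanner properties shared by both modes, one per line. The token is
# deliberately absent: it travels in the environment, not in the arguments.
scanner_args() {
  printf '%s\n' \
    "-Dsonar.projectKey=$SONAR_PROJECT_KEY" \
    "-Dsonar.sources=." \
    "-Dsonar.host.url=$SONAR_HOST_URL"
}

# "native" expects sonar-scanner on PATH; "docker" mounts the current directory
# at /usr/src and uses host networking so the localhost URL reaches the
# SonarQube running on this machine, exactly as in the course's docker command.
# -e SONAR_TOKEN (no value) forwards the variable from the host environment.
run_scan() {
  mode="${1:-native}"
  require_token || return 1
  case "$mode" in
    native)
      echo "+ sonar-scanner $(scanner_args | tr '\n' ' ')" | redact
      sonar-scanner $(scanner_args)
      ;;
    docker)
      echo "+ docker run ... sonarsource/sonar-scanner-cli sonar-scanner $(scanner_args | tr '\n' ' ')" | redact
      docker run --rm -e SONAR_TOKEN -v "$(pwd):/usr/src" --network=host \
        sonarsource/sonar-scanner-cli sonar-scanner $(scanner_args)
      ;;
    *)
      echo "usage: $0 [native|docker]" >&2
      return 2
      ;;
  esac
}

# Only start a scan when a mode is given, so the file can also be sourced.
if [ $# -gt 0 ]; then
  run_scan "$1"
fi
```

Run it from the project root as `sh scan.sh native` or `sh scan.sh docker` with SONAR_TOKEN exported in the shell (or injected as a CI secret). The scanner's own output can be passed through `redact` as well (`... 2>&1 | redact`), at the cost of losing the scanner's exit status unless the shell supports `pipefail`.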

We get output similar to the one below. My comments are inserted into the output as lines starting with #.

INFO: Scanner configuration file: /opt/sonar-scanner/conf/sonar-scanner.properties
INFO: Project root configuration file: NONE
# Versions of the scanner and of the installed Java
INFO: SonarScanner 5.0.1.3006
INFO: Java 17.0.11 Alpine (64-bit)
INFO: Linux 6.5.0-45-generic amd64
INFO: User cache: /opt/sonar-scanner/.sonar/cache
INFO: Analyzing on SonarQube server 10.6.0.92116
INFO: Default locale: "en_US", source code encoding: "UTF-8" (analysis is platform dependent)
INFO: Load global settings
INFO: Load global settings (done) | time=192ms
INFO: Server id: EA8D9556-AZEzZfCH5j11BErNX0-Z
INFO: Loading required plugins
INFO: Load plugins index
INFO: Load plugins index (done) | time=87ms
INFO: Load/download plugins
INFO: Load/download plugins (done) | time=582ms
INFO: Process project properties
INFO: Process project properties (done) | time=6ms
INFO: Project key: devsecops
# Exactly the location where our code is available inside the container
INFO: Base dir: /usr/src
INFO: Working dir: /tmp/.scannerwork
INFO: Load project settings for component key: 'devsecops'
INFO: Load project settings for component key: 'devsecops' (done) | time=54ms
# Since we never created a profile or rules, the default profile called Sonar way is used
INFO: Load quality profiles
INFO: Load quality profiles (done) | time=86ms
INFO: Load active rules
INFO: Load active rules (done) | time=2289ms
INFO: Load analysis cache
INFO: Load analysis cache (404) | time=7ms
INFO: Preprocessing files...
INFO: 4 languages detected in 990 preprocessed files
INFO: 34674 files ignored because of scm ignore settings
INFO: Loading plugins for detected languages
INFO: Load/download plugins
INFO: Load/download plugins (done) | time=399ms
INFO: Load project repositories
INFO: Load project repositories (done) | time=53ms
INFO: Indexing files...
INFO: Project configuration:
INFO: 990 files indexed
INFO: Quality profile for css: Sonar way
INFO: Quality profile for js: Sonar way
INFO: Quality profile for json: Sonar way
INFO: Quality profile for yaml: Sonar way
INFO: ------------- Run sensors on module devsecops
INFO: Load metrics repository
INFO: Load metrics repository (done) | time=66ms
INFO: Sensor HTML [web]
INFO: Sensor HTML [web] (done) | time=3ms
INFO: Sensor JaCoCo XML Report Importer [jacoco]
INFO: 'sonar.coverage.jacoco.xmlReportPaths' is not defined. Using default locations: target/site/jacoco/jacoco.xml,target/site/jacoco-it/jacoco.xml,build/reports/jacoco/test/jacocoTestReport.xml
INFO: No report imported, no coverage information will be imported by JaCoCo XML Report Importer
INFO: Sensor JaCoCo XML Report Importer [jacoco] (done) | time=1ms
INFO: Sensor IaC CloudFormation Sensor [iac]
INFO: 0 source files to be analyzed
INFO: 0/0 source files have been analyzed
INFO: Sensor IaC CloudFormation Sensor [iac] (done) | time=47ms
INFO: Sensor IaC Kubernetes Sensor [iac]
INFO: 2 source files to be analyzed
INFO: 2/2 source files have been analyzed
INFO: Sensor IaC Kubernetes Sensor [iac] (done) | time=107ms
INFO: Sensor IaC AzureResourceManager Sensor [iac]
INFO: 0 source files to be analyzed
INFO: 0/0 source files have been analyzed
INFO: Sensor IaC AzureResourceManager Sensor [iac] (done) | time=37ms
INFO: Sensor Java Config Sensor [iac]
INFO: 0 source files to be analyzed
INFO: 0/0 source files have been analyzed
INFO: Sensor Java Config Sensor [iac] (done) | time=6ms
INFO: Sensor JavaScript/TypeScript analysis [javascript]
INFO: Detected os: Linux arch: amd64 alpine: true. Platform: UNSUPPORTED
INFO: Using Node.js executable: 'node'.
INFO: Memory configuration: OS (31820 MB), Node.js (4144 MB).
INFO: Found 0 tsconfig.json file(s): []
INFO: Creating TypeScript program
INFO: TypeScript configuration file /tmp/tmp-91-yel3JrC1hBfH
INFO: 19 source files to be analyzed
INFO: Starting analysis with current program
INFO: Analyzed 19 file(s) with current program
INFO: 19/19 source files have been analyzed
INFO: Hit the cache for 0 out of 19
INFO: Miss the cache for 19 out of 19: ANALYSIS_MODE_INELIGIBLE [19/19]
INFO: Sensor JavaScript/TypeScript analysis [javascript] (done) | time=6018ms
INFO: Sensor JavaScript inside YAML analysis [javascript]
INFO: No input files found for analysis
INFO: Hit the cache for 0 out of 0
INFO: Miss the cache for 0 out of 0
INFO: Sensor JavaScript inside YAML analysis [javascript] (done) | time=18ms
INFO: Sensor CSS Rules [javascript]
INFO: 3 source files to be analyzed
INFO: 3/3 source files have been analyzed
INFO: Hit the cache for 0 out of 0
INFO: Miss the cache for 0 out of 0
INFO: Sensor CSS Rules [javascript] (done) | time=153ms
INFO: Sensor CSS Metrics [javascript]
INFO: Sensor CSS Metrics [javascript] (done) | time=8ms
INFO: Sensor IaC Docker Sensor [iac]
INFO: 0 source files to be analyzed
INFO: 0/0 source files have been analyzed
INFO: Sensor IaC Docker Sensor [iac] (done) | time=14ms
INFO: Sensor TextAndSecretsSensor [text]
INFO: Available processors: 24
INFO: Using 24 threads for analysis.
INFO: The property "sonar.tests" is not set. To improve the analysis accuracy, we categorize a file as a test file if any of the following is true:
* The filename starts with "test"
* The filename contains "test." or "tests."
* Any directory in the file path is named: "doc", "docs", "test" or "tests"
* Any directory in the file path has a name ending in "test" or "tests"

INFO: Using git CLI to retrieve untracked files
INFO: Analyzing language associated files and files included via "sonar.text.inclusions" that are tracked by git
INFO: 90 source files to be analyzed
INFO: 90/90 source files have been analyzed
INFO: Sensor TextAndSecretsSensor [text] (done) | time=1792ms
INFO: ------------- Run sensors on project
INFO: Sensor Zero Coverage Sensor
INFO: Sensor Zero Coverage Sensor (done) | time=7ms
INFO: SCM Publisher SCM provider for this project is: git
INFO: SCM Publisher 24 source files to be analyzed
INFO: SCM Publisher 24/24 source files have been analyzed (done) | time=164ms
INFO: CPD Executor 15 files had no CPD blocks
INFO: CPD Executor Calculating CPD for 4 files
INFO: CPD Executor CPD calculation finished (done) | time=8ms
INFO: SCM revision ID '8a2fe2a3013c79421f72e48a74d4bb65237a266d'
INFO: Analysis report generated in 35ms, dir size=267.9 kB
INFO: Analysis report compressed in 37ms, zip size=77.1 kB
INFO: Analysis report uploaded in 63ms
INFO: ANALYSIS SUCCESSFUL, you can find the results at: http://localhost:33217/dashboard?id=devsecops
INFO: Note that you will be able to access the updated dashboard once the server has processed the submitted analysis report
INFO: More about the report processing at http://localhost:33217/api/ce/task?id=cc4d87c0-4d45-4647-acd2-0c52501dd8f4
INFO: Analysis total time: 13.137 s
INFO: ------------------------------------------------------------------------
INFO: EXECUTION SUCCESS
INFO: ------------------------------------------------------------------------
INFO: Total time: 14.939s
INFO: Final Memory: 18M/96M
INFO: ------------------------------------------------------------------------
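The last lines of the output show that the scanner reports EXECUTION SUCCESS as soon as the report is uploaded; the server processes it afterwards, which is what the api/ce/task URL is for. The script below is an added example, not part of the course, of what a pipeline step would do next: read the task id from the scanner log, poll that task until processing finishes, then fetch the quality gate verdict for that analysis and fail if it is not OK. It assumes curl is available, that SONAR_TOKEN holds the same token used for the scan, and that the server answers /api/ce/task and /api/qualitygates/project_status with the documented fields (task.status, task.analysisId, projectStatus.status).

```shell
#!/bin/sh
# Added example for this page (not the course's or SonarSource's script).
# Extracts the compute-engine task id from the scanner log, waits for the
# server to process the report, then reads the quality gate verdict.
# Assumptions: curl installed, SONAR_TOKEN set, SonarQube 10.x API responses.

SONAR_HOST_URL="${SONAR_HOST_URL:-http://localhost:33217}"

# Pull the task id out of the scanner log on stdin (the line that reads
# "More about the report processing at .../api/ce/task?id=<id>").
task_id_from_log() {
  sed -n 's/.*api\/ce\/task?id=\([A-Za-z0-9-]*\).*/\1/p' | head -n 1
}

# First occurrence of a string field in a JSON response, without jq.
# The overall status comes before the per-condition statuses in
# project_status, so "first occurrence" is the right one for both APIs.
json_field() {
  grep -o "\"$1\":\"[^\"]*\"" | head -n 1 | cut -d'"' -f4
}

# Authenticated GET: the token is the basic-auth user name, password empty.
api_get() {
  curl -fsS -u "${SONAR_TOKEN:?SONAR_TOKEN must be set}:" "$SONAR_HOST_URL/api/$1"
}

# Poll the task until the report has been processed. Prints the analysisId on
# success; returns 1 if processing failed or was canceled, 2 on timeout.
wait_for_task() {
  task_id="$1"; attempts="${2:-30}"
  while [ "$attempts" -gt 0 ]; do
    response="$(api_get "ce/task?id=$task_id")"
    status="$(printf '%s' "$response" | json_field status)"
    case "$status" in
      SUCCESS) printf '%s' "$response" | json_field analysisId; return 0 ;;
      FAILED|CANCELED) echo "task $task_id ended with status $status" >&2; return 1 ;;
    esac
    attempts=$((attempts - 1))
    sleep 2
  done
  echo "timed out waiting for task $task_id" >&2
  return 2
}

# Quality gate verdict (OK or ERROR) for a processed analysis.
quality_gate_status() {
  api_get "qualitygates/project_status?analysisId=$1" | json_field status
}

# Pipeline step: read the log file given as argument, wait, then gate the build.
check_gate() {
  task_id="$(task_id_from_log < "$1")"
  [ -n "$task_id" ] || { echo "no task id found in $1" >&2; return 1; }
  analysis_id="$(wait_for_task "$task_id")" || return 1
  verdict="$(quality_gate_status "$analysis_id")"
  echo "quality gate: $verdict"
  [ "$verdict" = "OK" ]
}

if [ $# -gt 0 ]; then
  check_gate "$1"
fi
```

Use it as `sonar-scanner ... | tee scan.log && sh gate.sh scan.log`. The scanner property `-Dsonar.qualitygate.wait=true` achieves a similar effect by making the scanner itself block until the gate is evaluated and exit non-zero when it fails; the polling version is useful when the task status and the verdict are wanted as separate pipeline outputs.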

Just to illustrate the Sonar Way Quality Profile, which is the SonarQube default.