
Step 8 – Creating a custom SonarQube rule

The company is concerned about the Sea Lions committing trade secrets. In true Dilbert fashion, they decided the solution was to ban the word "secret" from method and variable names.

Conveniently, we had a developer (Jeanne) handy to write the rule. You can browse the source code at

https://github.com/boyarsky/OracleCodeOne2018-HOL-Automating-Stack-Groovy/tree/master/sonar-custom-rule

(SecretNotAllowedRule.java is the most interesting class)
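To show what such a rule looks like, here is an added illustrative rule that flags any method or variable whose name contains "secret". This is example code written for this walkthrough, not the lab's SecretNotAllowedRule.java, and it assumes the sonar-java plugin API (IssuableSubscriptionVisitor, Tree.Kind, MethodTree, VariableTree); the package name and rule key are placeholders, and the class must still be registered in the plugin's rules definition and check registrar before SonarQube will load it.

```java
package example.rules; // placeholder package, not the lab project's

import java.util.Arrays;
import java.util.List;
import java.util.Locale;

import org.sonar.check.Rule;
import org.sonar.plugins.java.api.IssuableSubscriptionVisitor;
import org.sonar.plugins.java.api.tree.MethodTree;
import org.sonar.plugins.java.api.tree.Tree;
import org.sonar.plugins.java.api.tree.VariableTree;

/**
 * Added example (not the lab's own rule): raise an issue on every method or
 * variable declaration whose simple name contains the word "secret".
 */
@Rule(key = "SecretNotAllowedExample") // placeholder rule key
public class SecretNotAllowedExampleRule extends IssuableSubscriptionVisitor {

  static final String BANNED_WORD = "secret";

  @Override
  public List<Tree.Kind> nodesToVisit() {
    // Method declarations plus every variable declaration; fields, locals
    // and parameters are all VARIABLE trees in the sonar-java AST.
    return Arrays.asList(Tree.Kind.METHOD, Tree.Kind.VARIABLE);
  }

  @Override
  public void visitNode(Tree tree) {
    if (tree.is(Tree.Kind.METHOD)) {
      MethodTree method = (MethodTree) tree;
      check(method.simpleName(), "Method", method.simpleName().name());
    } else {
      VariableTree variable = (VariableTree) tree;
      check(variable.simpleName(), "Variable", variable.simpleName().name());
    }
  }

  // Report on the identifier itself so the issue is highlighted on the name,
  // not on the whole declaration.
  private void check(Tree nameTree, String what, String name) {
    if (containsBannedWord(name)) {
      reportIssue(nameTree, what + " name \"" + name
          + "\" contains the banned word \"" + BANNED_WORD + "\".");
    }
  }

  // Case-insensitive, so "mySecret", "SECRET_KEY" and "secret" are all caught.
  static boolean containsBannedWord(String name) {
    return name.toLowerCase(Locale.ROOT).contains(BANNED_WORD);
  }
}
```

The same visitor shape (subscribe to a few Tree.Kind values, inspect the node, call reportIssue) is how most sonar-java custom rules are written; the severity you see later in the quality profile ("Critical") is configured on the rule's metadata, not in this class.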

8.1 - Deploying a custom rule

  1. Copy the snapshot jar of this rule to a directory on your machine. You can use Maven to build sonar-custom-rule or use the pre-built version from

https://github.com/boyarsky/OracleCodeOne2018-HOL-Automating-Stack-Groovy/blob/master/sonar-custom-rule-0.0.1-SNAPSHOT.jar

  2. cd to the directory where you downloaded (or built) the jar.

  3. docker cp sonar-custom-rule-0.0.1-SNAPSHOT.jar sonarqube:/opt/sonarqube/extensions/plugins/sonar-custom-rule-0.0.1-SNAPSHOT.jar

  4. docker restart sonarqube

8.2 - Add this rule to the default quality profile

  1. Go to http://localhost:9000 (remember it could take a minute so refresh if you don't see the screen)

  2. Login (admin/admin)

  3. Close the tutorial popup by clicking the Skip button

  4. Click "Quality Profiles" in the top navigation

  5. Click "Create" on the upper right

  6. Enter a name of your choosing and select "Java" from the language pulldown

  7. Click "Create"

  8. Note your quality profile has zero rules

  9. Click "Change parent" and choose the "Sonar way (Built-in)" quality profile parent

  10. Note how many rules are in the quality profile now. (It was 299 active rules when we tested)

  11. Click "Activate More"

  12. Search for "secret"

  13. Click "Activate"

  14. Leave the default of "Critical" and choose "Activate" again.

  15. Click "Quality Profiles" in the top navigation and observe one more rule is active.

8.3 - Run a scan with this custom rule

For this step you will need to have completed Section 7.1 - "Download and Build sea-lion Project", in which the sea-lion project was built using the local Nexus repository.

Steps 5 and 6 below assume you are running them in the directory where the sea-lion project was previously built.

  1. Download the CLI for your operating system from https://docs.sonarqube.org/display/SCAN/Analyzing+with+SonarQube+Scanner

  2. Extract the files to a new directory and make sure to write down where you placed it, since you will need the full path later, such as:

~/Downloads/sonar-scanner-1.2.3

  3. Navigate to the /conf directory of the extracted files, open the sonar-scanner.properties file with your favorite text editor, and remove the leading # from the following line so it is no longer commented out:

sonar.host.url=http://localhost:9000

  4. Save the properties file.

  5. Navigate (cd) into the sea-lion-project folder

  6. From inside the sea-lion-project directory, run the bin/sonar-scanner executable in the extracted folder. You'll need the full path you wrote down in Step 2. The following example demonstrates this, although your paths may vary locally:

$ cd OracleCodeOne2018-HOL-Automating-Stack-Groovy/sea-lion-project
$ ~/Downloads/sonar-scanner-1.2.3/bin/sonar-scanner

  7. The process should finish with the message EXECUTION SUCCESS.

  8. Go back into Sonar in the browser and search for "sea lion" in the top-right search box. Select "Sea Lion Project".

  9. Go to the project and note that there is now one vulnerability.

  10. Click it to see the details. It's our 'secret' rule!