Setting up Jenkins with SonarQube (with DB) on Windows for Source Code Review or SAST for GitHub Repos — On-demand Scan

Rohit Ranjan
6 min read · May 22, 2019


Pre-Requisites:

Installed Java — any version

Windows Machine — any version

MS SQL Server

MS SSMS — (SQL Server Management Studio)

Visual Studio — for testing connection to DB

SonarQube

Jenkins

Sonar Scanner Plugin in Jenkins

Internet connection — high speed preferred

P.S: We install and test each application one by one; at the end we will have on-demand source code review set up using SonarQube (with DB) + Jenkins + Git.

Important: Make sure to download the latest version of all the applications used in this article.

Blueprint of Architecture:

[Screenshot: Blueprint for setting up integration]

Explanation: We are setting up an integration framework on a Windows machine in which a successful Jenkins job downloads the repo from Git and runs SonarQube for code review; the output is shown on SonarQube’s dashboard in the browser.

Installation of Jenkins:

Download the zip file containing the Microsoft Installer (link in the original post), unzip it and run the installer.

Installation of Microsoft SQL Server:

Download & install MSSQL Express (link in the original post). Go for the Express edition as it is free.

[Screenshot: Download & Install]

Installation of Microsoft SQL Server Management Studio:

Search for SQL Server Management Studio (SSMS); I went for the 64-bit English version.

[Screenshot: SSMS Download]

Installation of SonarQube:

Download the latest version of SonarQube (link in the original post).

[Screenshot: SonarQube download page]

Server name from SSMS:

Copy the server name shown in SSMS; you will insert it in Visual Studio (and later in sonar.properties).

[Screenshot: Copy Server Name & insert it in Visual Studio]

Configuring MSSQL using MS-SSMS:

Create new DB Sonar: in Databases,

  1. General tab: create a new database and name it Sonar.
  2. Options tab: set the collation to SQL_Latin1_General_CP1_CS_AS (SonarQube needs a case-sensitive, accent-sensitive collation).

Create new login SonarQ: in Security > Logins,

  1. General tab: create a new login SonarQ with <password>, using SQL Server Authentication.
  2. Server Roles tab: select public & sysadmin as server roles.
  3. User Mapping tab: select Sonar.
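The same database and login can be created with T-SQL from PowerShell, which makes the setup repeatable and reviewable. This is an added example, not part of the original post: it uses Invoke-Sqlcmd from the SqlServer module (Install-Module SqlServer), assumes the default Express instance name localhost\SQLEXPRESS (copy yours from SSMS) and that you run it as a Windows user who is sysadmin on the instance. The login is mapped to Sonar as db_owner, which is sufficient for SonarQube, instead of being placed in the server-wide sysadmin role as in the SSMS steps above.

```powershell
# Added example (not from the original post): SSMS steps as a T-SQL script.
# Assumptions: SqlServer module installed; instance name below matches yours.
$ServerInstance = 'localhost\SQLEXPRESS'   # assumption: default Express instance; copy from SSMS
$DatabaseName   = 'Sonar'                  # values from the post
$LoginName      = 'SonarQ'

# Read the password at run time so it never sits in the script or in history.
$secure   = Read-Host -Prompt "Password for SQL login $LoginName" -AsSecureString
$plain    = [System.Net.NetworkCredential]::new('', $secure).Password
$plainSql = $plain.Replace("'", "''")      # escape for the T-SQL string literal

$tsql = @"
-- SonarQube requires a case- and accent-sensitive collation (CS_AS).
IF DB_ID(N'$DatabaseName') IS NULL
    CREATE DATABASE [$DatabaseName] COLLATE SQL_Latin1_General_CP1_CS_AS;
GO
-- SQL-authenticated login for SonarQube (Windows password policy enforced).
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$LoginName')
    CREATE LOGIN [$LoginName] WITH PASSWORD = N'$plainSql',
        DEFAULT_DATABASE = [$DatabaseName], CHECK_POLICY = ON;
GO
-- "User Mapping" step: map the login into the Sonar database as db_owner only.
USE [$DatabaseName];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$LoginName')
    CREATE USER [$LoginName] FOR LOGIN [$LoginName];
ALTER ROLE db_owner ADD MEMBER [$LoginName];
GO
-- Verify the collation SonarQube will see.
SELECT name, collation_name FROM sys.databases WHERE name = N'$DatabaseName';
"@

Invoke-Sqlcmd -ServerInstance $ServerInstance -Query $tsql -ErrorAction Stop
```

The final SELECT should print Sonar with SQL_Latin1_General_CP1_CS_AS; if it shows the server default collation, the database already existed with the wrong collation and must be dropped and recreated, because SonarQube refuses to start against a case-insensitive database.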

Enable SQL login:

  1. Right-click the server in SSMS and select Properties.
     [Screenshot: Select Properties]
  2. In the Security tab, select SQL Server and Windows Authentication mode.
     [Screenshot: Select SQL Server Authentication]

Now, in order for all changes to take effect, make sure to restart the SQL Server service before attempting to log in via SQL Server Authentication; otherwise you will get error 18456 (login failed).

  1. Go to Administrative Tools > Services (services.msc).
  2. Right-click the SQL Server service and select Restart.
     [Screenshot: Restart Service]
  3. In the SSMS login dialog, select SQL Server Authentication and enter user name SonarQ & <password>.

Install Visual Studio:

Install Visual Studio to check data connectivity.

[Screenshot: Visual Studio Download]

Check Connection 1: click Tools (the Connect to Database dialog).

Check Connection 2: in case the server name does not appear in the dropdown, copy and paste it; you can copy the server name from SSMS.

[Screenshot: Enter Details & Click Test Connection]

More config for SonarQube integration:

  1. Open SQL Server Configuration Manager.
     [Screenshot: Config Manager]
  2. Under SQL Server Network Configuration > Protocols, right-click TCP/IP and select Enable (if it is disabled).
  3. Double-click TCP/IP to open its Properties; on the IP Addresses tab, set 1433 as the TCP port.
     [Screenshot: TCP/IP Properties]

Click Apply and restart the SQL Server service for the changes to take effect. Now it’s time to configure and run SonarQube.
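Installing Visual Studio only to press Test Connection is heavy; the same check can be scripted and rerun after every change above. This is an added example, not from the original post: it verifies that SQL Server is actually listening on TCP 1433 (a named-pipe-only instance passes the SSMS test but fails the JDBC URL SonarQube will use), then opens a SQL-authenticated connection as SonarQ and reads back the database collation. Host localhost and port 1433 are assumptions matching the configuration above.

```powershell
# Added example (not from the original post): connectivity check that mirrors
# what SonarQube's JDBC driver will do. Assumptions: SQL Server on this host,
# TCP 1433 as configured above, login SonarQ already created.
Add-Type -AssemblyName System.Data

function Test-SonarDbConnection {
    param(
        [string]$SqlHost  = 'localhost',   # assumption
        [int]   $SqlPort  = 1433,
        [string]$Database = 'Sonar',
        [string]$Login    = 'SonarQ'
    )

    # 1. Is TCP/IP enabled and listening? Fails here if the protocol is still
    #    disabled or the service was not restarted after enabling it.
    $tcp = Test-NetConnection -ComputerName $SqlHost -Port $SqlPort -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded) {
        return "TCP ${SqlHost}:$SqlPort not reachable - enable TCP/IP in SQL Server Configuration Manager and restart the service"
    }

    # 2. Does SQL Server Authentication work? Uses "host,port" like the JDBC URL,
    #    not the instance name, so SQL Browser is not involved.
    $secure = Read-Host -Prompt "Password for $Login" -AsSecureString
    $secure.MakeReadOnly()                                   # required by SqlCredential
    $cred    = [System.Data.SqlClient.SqlCredential]::new($Login, $secure)
    $connStr = "Server=$SqlHost,$SqlPort;Database=$Database;Encrypt=True;TrustServerCertificate=True"
    $conn    = [System.Data.SqlClient.SqlConnection]::new($connStr, $cred)
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = "SELECT DB_NAME(), CONVERT(nvarchar(128), DATABASEPROPERTYEX(DB_NAME(), 'Collation'))"
        $r = $cmd.ExecuteReader()
        [void]$r.Read()
        $result = "Connected to $($r.GetString(0)); collation=$($r.GetString(1))"
        $r.Close()
        return $result
    } catch {
        # Unwrap to the SqlException; 18456 = login failed, typically because
        # mixed-mode authentication is not enabled yet or the service was not restarted.
        $ex = $_.Exception
        while ($ex.InnerException -and -not ($ex -is [System.Data.SqlClient.SqlException])) { $ex = $ex.InnerException }
        $num = if ($ex -is [System.Data.SqlClient.SqlException]) { $ex.Number } else { 'n/a' }
        return "Connection failed (SQL error $num): $($ex.Message)"
    } finally {
        $conn.Dispose()
    }
}

Test-SonarDbConnection
```

A successful run prints the database name and SQL_Latin1_General_CP1_CS_AS; error 18456 points back to the "Enable SQL login" steps, and a TCP failure points to the Configuration Manager steps.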

Starting SonarQube server:

Before starting the SonarQube server, make the changes below in C:\Users\Enterprise-Security\Downloads\sonarqube-7.7\sonarqube-7.7\conf (the JDBC settings in sonar.properties).

Insert the server name in the highlighted portion.

[Screenshot: sonar.properties]

Or, the config below would also work.

Then start the server from C:\Users\Enterprise-Security\Downloads\sonarqube-7.4\sonarqube-7.4\bin\windows-x86-64\ using either:

  1. StartNTService.bat (starts the SonarQube Windows service; InstallNTService.bat in the same folder installs it first)
  2. StartSonar.bat (runs SonarQube in the console window)
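The three keys that have to be set in sonar.properties are sonar.jdbc.url, sonar.jdbc.username and sonar.jdbc.password. The following is an added example, not from the original post, that sets them idempotently: it replaces the commented-out default line for each key (or an existing value) instead of appending duplicates, so it can be rerun safely. The conf path is the post's 7.7 layout; host localhost, port 1433 and database Sonar are assumptions matching the SQL setup above.

```powershell
# Added example (not from the original post): set the JDBC keys in sonar.properties.
# Assumptions: path below is your SonarQube conf folder; SQL Server on localhost:1433.
$SonarConf = 'C:\Users\Enterprise-Security\Downloads\sonarqube-7.7\sonarqube-7.7\conf\sonar.properties'

function Set-SonarProperty {
    param([string]$Path, [string]$Key, [string]$Value)
    # Match "key=", "#key=" or "# key=" so the shipped commented default is replaced in place.
    $pattern  = '^\s*#?\s*' + [regex]::Escape($Key) + '\s*='
    $replaced = $false
    [string[]]$out = foreach ($line in (Get-Content -Path $Path)) {
        if (-not $replaced -and $line -match $pattern) { $replaced = $true; "$Key=$Value" }
        else { $line }
    }
    if (-not $replaced) { $out += "$Key=$Value" }
    # ASCII, not UTF8: Windows PowerShell's UTF8 writes a BOM, which Java's
    # Properties loader would read as part of the first key.
    Set-Content -Path $Path -Value $out -Encoding ASCII
}

# Password is stored in clear text by SonarQube itself, so restrict the file's ACL afterwards.
$pw = Read-Host -Prompt 'Password for SQL login SonarQ'

Set-SonarProperty -Path $SonarConf -Key 'sonar.jdbc.username' -Value 'SonarQ'
Set-SonarProperty -Path $SonarConf -Key 'sonar.jdbc.password' -Value $pw
# Microsoft SQL Server JDBC URL form: host:port followed by the database name.
Set-SonarProperty -Path $SonarConf -Key 'sonar.jdbc.url' -Value 'jdbc:sqlserver://localhost:1433;databaseName=Sonar'

# Show the effective (non-comment) JDBC lines for review.
Get-Content -Path $SonarConf | Where-Object { $_ -match '^sonar\.jdbc\.' }
```

If SonarQube still falls back to its embedded H2 database after this, check that you edited the conf folder of the same extracted copy you start from bin\windows-x86-64 (the post's paths mention both 7.7 and 7.4).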

Setting up Jenkins:

Download & install Jenkins from the MSI installer.

After successful installation, http://localhost:8080 will show the Jenkins dashboard.

  1. Double-click the installer.
     [Screenshot: Installation in Progress]
  2. Run the command below to open the initial admin password, then paste it into the unlock page in the browser.

notepad "C:\Program Files (x86)\Jenkins\secrets\initialAdminPassword"

Start/stop the Jenkins service from Services.

Install SonarQube Plugin in Jenkins:

Log in to Jenkins at http://localhost:8080/ and click Manage Jenkins.

Manage Jenkins > Manage Plugins

Browse the available plugins & search for Sonar.

[Screenshot: Available Plugins]

Configure Sonar Scanner Plugin:

Follow the link & generate a token named Jenkins (in SonarQube, under My Account > Security).

[Screenshot: Jenkins token]

Copy the token & paste it into the Sonar Scanner plugin config.

Configuring Jenkins for Scanning:

Install the Git plugin for integration and the Git Parameter plugin for tag selection.

[Screenshot: Important Git plugins besides other plugins]

Browse to Manage Jenkins and configure the other settings as per your requirement.

[Screenshot: Manage Jenkins]

  1. Set up the SonarQube URL so output is shown in its dashboard.
     [Screenshot: SonarQube]
  2. Set up Secret Text based authentication (the token generated above, stored as a Jenkins credential).
     [Screenshot: Setup Secret Text based authentication]
  3. Insert the Jenkins URL; in this case it is locally hosted.
     [Screenshot: Jenkins URL]
  4. Set up e-mail notification.

In Global Tool Configuration, we set up the Java config.

[Screenshot: Global Tools Configuration]

[Screenshot: JAVA Config]

Setting up Jenkins Job for Automated Code Review:

  1. Insert your project URL.
     [Screenshot: General Config]
  2. Provide the repo URL & select/add credentials for Git (in this case username/password was used).
     [Screenshot: Code Management]
  3. Analysis properties may vary between projects.
     [Screenshot: Analysis Properties]
  4. Enter the e-mail address for receiving notifications and click Save.
  5. It’s time to run the job & check the outcome.
  6. Go to the SonarQube dashboard and analyse.
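The "Analysis properties" step and a pass/fail result can also be scripted as a PowerShell build step in the job, so the build goes red when the quality gate fails instead of only when the scanner crashes. This is an added example, not from the original post: it assumes sonar-scanner.bat is on PATH (installed through Global Tool Configuration), that the Jenkins token from SonarQube is injected as the SONAR_TOKEN environment variable through the Secret Text credential binding set up above, and that SonarQube runs on http://localhost:9000; the project key is a placeholder. It goes a step beyond the post by polling SonarQube's compute-engine task for this exact analysis before reading the quality gate, since the server processes the report asynchronously and a naive project-status query can return the previous run.

```powershell
# Added example (not from the original post): scan + quality-gate check as a
# Jenkins PowerShell build step. Assumptions: sonar-scanner.bat on PATH,
# SONAR_TOKEN bound from a Secret Text credential, SonarQube at localhost:9000.
$SonarHost  = 'http://localhost:9000'
$ProjectKey = 'example-project'          # placeholder: your project key
$Token      = $env:SONAR_TOKEN
if (-not $Token) { throw 'SONAR_TOKEN is not set - bind the Secret Text credential in the job' }

# 1. Run the scan. Per-project analysis properties are passed here; the token
#    is read from the bound credential rather than written into a properties file.
& sonar-scanner.bat "-Dsonar.host.url=$SonarHost" "-Dsonar.login=$Token" `
    "-Dsonar.projectKey=$ProjectKey" "-Dsonar.projectName=$ProjectKey" `
    "-Dsonar.projectVersion=$env:BUILD_NUMBER" "-Dsonar.sources=." `
    "-Dsonar.sourceEncoding=UTF-8"
if ($LASTEXITCODE -ne 0) { throw "sonar-scanner failed with exit code $LASTEXITCODE" }

function Get-SonarQualityGate {
    param([string]$SonarHost, [string]$Token, [string]$ReportTask = '.scannerwork\report-task.txt')
    # The scanner writes report-task.txt; ceTaskId identifies this analysis on the server.
    $props = @{}
    Get-Content -Path $ReportTask | ForEach-Object { $k, $v = $_ -split '=', 2; $props[$k] = $v }
    # Token authentication: token as the basic-auth user name, empty password.
    $headers = @{ Authorization = 'Basic ' + [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("${Token}:")) }

    # 2. Wait for the server to finish processing this report.
    do {
        Start-Sleep -Seconds 5
        $task = (Invoke-RestMethod -Uri "$SonarHost/api/ce/task?id=$($props['ceTaskId'])" -Headers $headers).task
    } while ($task.status -in 'PENDING', 'IN_PROGRESS')
    if ($task.status -ne 'SUCCESS') { throw "Analysis task ended with status $($task.status)" }

    # 3. Read the quality gate for exactly this analysis id.
    $qg = (Invoke-RestMethod -Uri "$SonarHost/api/qualitygates/project_status?analysisId=$($task.analysisId)" -Headers $headers).projectStatus
    return $qg.status   # OK, WARN or ERROR
}

$status = Get-SonarQualityGate -SonarHost $SonarHost -Token $Token
Write-Host "Quality gate: $status"
if ($status -eq 'ERROR') { exit 1 }   # non-zero exit fails the Jenkins build
```

Because the job is triggered on demand with a tag chosen through the Git Parameter plugin, failing the build on ERROR gives the security team a clear go/no-go for that tag before it is rolled out.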

P.S: I succeeded with this process, as code review is done monthly and every commit would create overhead for developers & the security team to manage; hence the on-demand method is used. Before rolling out live code, an on-demand assessment is carried out.


Written by Rohit Ranjan

Security Engineer, Open Source Enthusiast
