Introduction
SonarQube is an open-source tool for code quality analysis. It can scan source code for potential bugs and vulnerabilities and generates a report which allows you to identify issues. It scans up to 30 programming languages.
SonarQube has two parts: a scanner application on the local machine to scan the code and a server application for keeping records.
This guide explains how you can install and use SonarQube on a Ubuntu 22.04 server.
Prerequisites
Deploy a Ubuntu 22.04 server with at least 2GB of RAM and one vCPU core.
Create a non-root user with sudo privileges.
Update the server.
A fully-qualified domain name (sonarqube.example.com) pointing to your server.
1. Configure Firewall
SonarQube web tool needs HTTP and HTTPS ports to work.
Open them using the Uncomplicated Firewall (UFW).
$ sudo ufw allow http
$ sudo ufw allow https
Check the firewall status.
$ sudo ufw status
2. Install OpenJDK
Install OpenJDK 11.
$ sudo apt install openjdk-11-jdk
3. Install PostgreSQL
Import the PostgreSQL repository key.
$ curl https://www.postgresql.org/media/keys/ACCC4CF8.asc | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/apt.postgresql.org.gpg >/dev/null
Add the PostgreSQL repository.
$ sudo sh -c 'echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" > /etc/apt/sources.list.d/pgdg.list'
Update the system repository list.
$ sudo apt update
Install PostgreSQL 14.
$ sudo apt install postgresql postgresql-contrib
Check the status of the PostgreSQL service.
$ sudo systemctl status postgresql
4. Configure PostgreSQL
Log in to the PostgreSQL shell.
$ sudo -u postgres psql
Create the sonaruser
role.
postgres=# CREATE ROLE sonaruser WITH LOGIN ENCRYPTED PASSWORD 'your_password';
Create the sonarqube
database.
postgres=# CREATE DATABASE sonarqube;
Grant all privileges on the sonarqube
database to the sonaruser
role.
postgres=# GRANT ALL PRIVILEGES ON DATABASE sonarqube to sonaruser;
Exit the shell.
postgres=# \q
Return to your default user account.
$ exit
5. Install Sonarqube
Copy the URL of the latest version of the community edition from the SonarQube downloads page.
Download SonarQube using the URL copied above.
$ wget https://binaries.sonarsource.com/Distribution/sonarqube/sonarqube-9.6.1.59531.zip
Unzip the downloaded archive.
$ unzip -q sonarqube-9.6.1.59531.zip
Move the files to the /opt/sonarqube
directory.
$ sudo mv sonarqube-9.6.1.59531 /opt/sonarqube
Delete the downloaded archive.
$ rm sonarqube-9.6.1.59531.zip
6. Create SonarQube User
Create a system user along with the group for SonarQube.
$ sudo adduser --system --no-create-home --group --disabled-login sonarqube
Give Sonar user permissions to the /opt/sonarqube
directory.
$ sudo chown sonarqube:sonarqube /opt/sonarqube -R
7. Configure SonarQube Server
Open the SonarQube configuration file for editing.
$ sudo nano /opt/sonarqube/conf/sonar.properties
Find the following lines.
#sonar.jdbc.username=
#sonar.jdbc.password=
Uncomment them by removing the hash in front of them and adding the database credentials created in step 4.
sonar.jdbc.username=sonaruser
sonar.jdbc.password=your_password
Find the following line.
#sonar.jdbc.url=jdbc:postgresql://localhost/sonarqube?currentSchema=my_schema
Uncomment it and replace the existing value with the following.
sonar.jdbc.url=jdbc:postgresql://localhost:5432/sonarqube
Find the following lines.
#sonar.web.javaAdditionalOpts=-server
#sonar.web.host=0.0.0.0
Configure the following settings, so SonarQube listens to localhost only because Nginx handles the external connections.
sonar.web.javaAdditionalOpts=-server
sonar.web.host=127.0.0.1
Save the file by pressing CTRL+X, then Y.
Increase the virtual memory on the system for Elasticsearch to function. Open the sysctl.conf
file for editing.
$ sudo nano /etc/sysctl.conf
Paste the following lines at the end of the file.
vm.max_map_count=524288
fs.file-max=131072
Save the file by pressing CTRL+X, then Y.
Create the file /etc/security/limits.d/99-sonarqube.conf
and open it for editing.
$ sudo nano /etc/security/limits.d/99-sonarqube.conf
Paste the following lines to increase the file descriptors and threads that the sonarqube
user can open.
sonarqube - nofile 131072
sonarqube - nproc 8192
Save the file by pressing CTRL+X, then Y.
Reboot the system to apply the changes.
$ sudo reboot
8. Setup Sonar Service
Create the systemd service file for Sonar and open it for editing.
$ sudo nano /etc/systemd/system/sonarqube.service
Paste the following code in it.
[Unit]
Description=SonarQube service
After=syslog.target network.target
[Service]
Type=forking
ExecStart=/opt/sonarqube/bin/linux-x86-64/sonar.sh start
ExecStop=/opt/sonarqube/bin/linux-x86-64/sonar.sh stop
User=sonarqube
Group=sonarqube
PermissionsStartOnly=true
Restart=always
StandardOutput=syslog
LimitNOFILE=131072
LimitNPROC=8192
TimeoutStartSec=5
SuccessExitStatus=143
[Install]
WantedBy=multi-user.target
Save the file by pressing CTRL+X, then Y.
Start the SonarQube service.
$ sudo systemctl start sonarqube
Check the status of the service.
$ sudo systemctl status sonarqube
Enable the service to start automatically at boot.
$ sudo systemctl enable sonarqube
Verify if the Sonarqube server is functioning properly.
$ curl http://127.0.0.1:9000
Look for the following text in the HTML response.
<script>
window.baseUrl = '';
window.serverStatus = 'UP';
window.instance = 'SonarQube';
window.official = true;
</script>
This confirms everything is working fine.
9. Install Nginx
Install dependencies required to install Nginx.
$ sudo apt install curl gnupg2 ca-certificates lsb-release ubuntu-keyring -y
Import Nginx's GPG signing key.
$ curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor \
| sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null
Add a repository for Nginx's stable version.
$ echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg arch=amd64] \
http://nginx.org/packages/ubuntu `lsb_release -cs` nginx" \
| sudo tee /etc/apt/sources.list.d/nginx.list
Update the system repository list.
$ sudo apt update
Install Nginx.
$ sudo apt install nginx
Start the Nginx server.
$ sudo systemctl start nginx
10. Install SSL
Issue the following commands to ensure that you have the latest version of snapd
required to install Certbot.
$ sudo snap install core
$ sudo snap refresh core
Install Certbot.
$ sudo snap install --classic certbot
Create a symlink for Certbot to the /usr/bin
directory.
$ sudo ln -s /snap/bin/certbot /usr/bin/certbot
Issue the SSL Certificate.
$ sudo certbot certonly --nginx --agree-tos --no-eff-email --staple-ocsp --preferred-challenges http -m name@example.com -d sonarqube.example.com
Generate a Diffie-Hellman group certificate.
$ sudo openssl dhparam -dsaparam -out /etc/ssl/certs/dhparam.pem 4096
Do a dry run of the SSL renewal process to ensure it works.
$ sudo certbot renew --dry-run
11. Configure Nginx
Open the file nginx.conf
for editing.
$ sudo nano /etc/nginx/nginx.conf
Find the line include /etc/nginx/conf.d/*.conf;
and paste the following code below it.
server_names_hash_bucket_size 64;
Save the file by pressing CTRL+X, then Y.
Create the Sonar configuration file for Nginx and open it for editing.
$ sudo nano /etc/nginx/conf.d/sonar.conf
Paste the following code in it.
# Redirect HTTP to HTTPS
server {
listen 80 default_server;
server_name sonarqube.example.com;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl http2;
server_name sonarqube.example.com;
http2_push_preload on; # Enable HTTP/2 Server Push
ssl_certificate /etc/letsencrypt/live/sonarqube.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/sonarqube.example.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/sonarqube.example.com/chain.pem;
ssl_session_timeout 1d;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384';
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:50m;
ssl_stapling on;
ssl_stapling_verify on;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
access_log /var/log/nginx/sonarqube.access.log main;
error_log /var/log/nginx/sonarqube.error.log;
location / {
proxy_set_header Connection "";
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_http_version 1.1;
proxy_pass http://127.0.0.1:9000;
}
}
Save the file by pressing CTRL+X, then Y.
Verify Nginx configuration syntax.
$ sudo nginx -t
Restart the Nginx service.
$ sudo systemctl restart nginx
12. Secure SonarQube
Visit the URL https://sonarqube.example.com
and log in using the username and password admin
.
Change your password on the next page.
Click the Administration tab, select Security from the list, and click the Users drop-down option.
To improve security, create another user to use for scanning code by clicking the Create User button.
Click the button in the Tokens column against the newly created user.
Click the Update Tokens button, enter the token name, and click the Generate button to create a new token for the user. Copy and save the token.
SonarQube comes with the ability to encrypt settings and passwords. Visit Administration >> Configuration >> Encryption and click the Generate Secret Key button to generate a unique secret key. Copy the saved key to use later.
Open the Sonar configuration file for editing.
$ sudo /opt/sonarqube/conf/sonar.properties
Enter the following line at the end of the file.
sonar.secretKeyPath=/opt/sonarqube/conf/sonar-secret.txt
Save the file by pressing CTRL+X, then Y.
Create the Sonar secret key file and open it for editing.
$ sudo nano /opt/sonarqube/conf/sonar-secret.txt
Paste your secret key into it. Save the file by pressing CTRL+X, then Y.
Restrict the secret file to the sonarqube
user.
$ sudo chown sonarqube:sonarqube /opt/sonarqube/conf/sonar-secret.txt
Restart the SonarQube server.
$ sudo systemctl restart sonarqube
Visit the Administration >> Configuration >> Encryption section again and fill in your database password. Press the Encrypt button to generate the encrypted password.
Replace the actual password in the sonar.properties
file with the encrypted version, and restart the server. Repeat the process with any other property you want to encrypt.
13. Install SonarQube's Code Scanner
SonarQube provides various scanners depending on the programming language. Install the Command line version of the Sonarscanner.
Download the scanner.
$ wget https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-4.7.0.2747-linux.zip
Extract the archive.
$ sudo unzip sonar-scanner-cli-4.7.0.2747-linux.zip
Move the directory to /opt/sonarscanner
.
$ sudo mv sonar-scanner-4.7.0.2747-linux /opt/sonarscanner
Switch to the directory.
$ cd /opt/sonarscanner
Open the sonar-scanner.properties
file for editing.
$ sudo nano conf/sonar-scanner.properties
Find the following line and un-comment it.
#sonar.host.url=http://localhost:9000
Change its value and replace it with the server URL.
sonar.host.url=https://sonarqube.example.com
Save the file by pressing CTRL+X, then Y.
Make the scanner binary file executable.
$ sudo chmod +x bin/sonar-scanner
Create a symbolic link to the binary to make it accessible from anywhere.
$ sudo ln -s /opt/sonarscanner/bin/sonar-scanner /usr/local/bin/sonar-scanner
14. Scan SonarQube Example Projects
You can test the scanner by running it on SonarQube example projects.
Create a new directory for project testing and switch to it.
$ mkdir ~/sonar-example-test && cd ~/sonar-example-test
Download the example project.
$ wget https://github.com/SonarSource/sonar-scanning-examples/archive/master.zip
Extract the project files.
$ unzip master.zip
Switch to the example project directory.
$ cd sonar-scanning-examples-master/sonarqube-scanner
Run the scanner on the code. Pass the token you created before.
$ sonar-scanner -D sonar.login=<YourLoginToken>
You get the following output after the scan is complete.
INFO: Analysis total time: 20.621 s
INFO: ------------------------------------------------------------------------
INFO: EXECUTION SUCCESS
INFO: ------------------------------------------------------------------------
INFO: Total time: 39.678s
INFO: Final Memory: 27M/94M
INFO: ------------------------------------------------------------------------
Visit the SonarQube dashboard to view the project report.
15. Scan Your Code
Transfer the project to your server.
Switch to your project's root directory.
$ cd ~/myproject
Create and open the SonarQube configuration file.
$ nano sonar-project.properties
Define a project key for your project. The chosen key should be unique for your SonarQube instance.
# Unique ID for the project
sonar.projectKey=MyProject:Key1
Enter the project name and version to show up in the SonarQube dashboard.
sonar.projectName=First Project
sonar.projectVersion=1.0
sonar.projectDescription=My First Project
Enter the location of the project files. The location is relative to the directory in which the configuration file is present.
sonar.sources=src
Enter the location of the files you don't want to scan.
sonar.tests=tests
Set the level of logs produced by the scanner. You can skip the property if you want to use the default INFO
log level.
sonar.log.level=DEBUG
If you are hosting the project on your server, paste the following line to disable checking for a Source Code Management (SCM) provider.
sonar.scm.disabled=true
Save the file by pressing CTRL+X, then Y.
Run the code scanner by passing your login token.
$ sonar-scanner -D sonar.login=<YourLoginToken>
Conclusion
You have successfully installed and used SonarQube on your Ubuntu 22.04 server. For details, you can check out the following resources.