Building a security system: code audits of GitLab with SonarQube

Recently my manager asked me to research open-source code audit tools. I found that SonarQube meets our needs and can work together with GitLab to perform code audits.

I. Code audit requirements and solution

Requirement: every time code is pushed to GitLab, a code scan runs once. Architecture diagram of sonarqube + sonar-scanner + gitlab-runner + gitlab:


1. RD pushes code to GitLab

2. GitLab CI is triggered and starts the gitlab-runner docker to prepare the test run

3. GitLab CI triggers the sonar_runner docker image, which starts and analyses the code

4. The analysis result is posted as a comment on the commit record

5. The GitLab administrator merges the code into the develop or master branch

6. GitLab CI is triggered and starts the gitlab-runner docker to prepare the test run

7. GitLab CI triggers the sonar_runner docker image, which starts and analyses the code

8. The analysis result is saved into the SonarQube platform database

9. The security team accesses the web site to view the analysis results

II. Environment deployment

Docker is used for quick deployment, but the GitLab 8 we run is not compatible with the latest gitlab-runner docker image, so this release is deployed instead: https://gitlab-ci-multi-runner-downloads.s3.amazonaws.com/v1.11.2/index.html

For best performance, the modules are deployed on separate machines:

192.168.226.130: sonarqube docker

192.168.226.131: gitlab-runner, sonar-scanner, maven

192.168.226.132: postgresql

Installing the sonarqube docker

Download the plugin packages sonar-gitlab-plugin-4.1.0-SNAPSHOT.jar (GitLab plugin) and sonar-l10n-zh-plugin-1.27.jar (Chinese language pack)

#vim Dockerfile

with the following content:

FROM sonarqube

ADD sonar-l10n-zh-plugin-1.27.jar /opt/sonarqube/extensions/plugins/

ADD sonar-gitlab-plugin-4.1.0-SNAPSHOT.jar /opt/sonarqube/extensions/plugins/

#docker pull sonarqube

#docker build -t sonarqube:zh .

#docker run -d --name sonarqube -p 9000:9000 -p 9092:9092 -e SONARQUBE_JDBC_USERNAME=sonar -e SONARQUBE_JDBC_PASSWORD=xxx -e SONARQUBE_JDBC_URL=jdbc:postgresql://192.168.226.132:5432/sonar --add-host=database:192.168.226.132 sonarqube:zh

Visit http://192.168.226.130:9000/sessions/new?return_to=%2F and change the default password

Under Configuration -- Configuration -- Permissions, enable force user authentication

If you need to copy a file into the container:

docker cp <local file> <container ID>:<target directory>

Installing gitlab-runner

#wget -O /usr/local/bin/gitlab-runner https://gitlab-ci-multi-runner-downloads.s3.amazonaws.com/v1.11.2/binaries/gitlab-ci-multi-runner-linux-amd64

#chmod +x /usr/local/bin/gitlab-runner

#useradd --comment 'GitLab Runner' --create-home gitlab-runner --shell /bin/bash

#gitlab-runner install --user=gitlab-runner --working-directory=/home/gitlab-runner

#gitlab-runner start

#gitlab-runner register

Follow the prompts to register.

On success it prints: Runner registered successfully. Feel free to start it, but if it's running already the config should be automatically reloaded!

Check the runner on GitLab

Installing sonar-scanner

# wget https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-3.3.0.1492-linux.zip

# unzip sonar-scanner-cli-3.3.0.1492-linux.zip

# mv sonar-scanner-3.3.0.1492-linux/ sonar-scanner-3.3.0/

# vi sonar-scanner-3.3.0/conf/sonar-scanner.properties

sonar.host.url=http://192.168.226.130:9000

sonar.login=admin

sonar.password=xxx

# vi /etc/profile

export SONAR_SCANNER_HOME=/opt/sonar-scanner-3.3.0

export PATH=${SONAR_SCANNER_HOME}/bin:$PATH

# source /etc/profile

Installing maven

wget http://mirrors.tuna.tsinghua.edu.cn/apache/maven/maven-3/3.6.1/binaries/apache-maven-3.6.1-bin.tar.gz

tar zvxf apache-maven-3.6.1-bin.tar.gz

vi /etc/profile

export MAVEN_HOME=/opt/apache-maven-3.6.1

export PATH=${MAVEN_HOME}/bin:$PATH

source /etc/profile

Installing postgresql

#Download the package postgresql-10.1.tar.gz

The install path is /usr/local/pgsql/

#gunzip postgresql-10.1.tar.gz

#tar xf postgresql-10.1.tar

#cd postgresql-10.1

#./configure

#make

#make install

#adduser postgres

#mkdir /usr/local/pgsql/data

#chown postgres /usr/local/pgsql/data

#su - postgres

#/usr/local/pgsql/bin/initdb -D /usr/local/pgsql/data

#/usr/local/pgsql/bin/postgres -D /usr/local/pgsql/data >logfile 2>&1 &

#./pg_ctl start -D /usr/local/pgsql/data

Configuring remote database access

#vim /usr/local/pgsql/data/postgresql.conf

change listen_addresses='localhost' to listen_addresses='*'

#vim /usr/local/pgsql/data/pg_hba.conf

Add an entry under IPv4 remote address connections:

host all all 0.0.0.0/0 trust

Create the database user sonar and the database sonar
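As an added example (not part of the original post), a small check that flags pg_hba.conf rules like the `host all all 0.0.0.0/0 trust` line above, which lets any address reach the database without a password, and shows a tighter rule beside it that only admits the SonarQube host from this post's layout. The sample files are constructed here so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): flag pg_hba.conf "host" rules that
# admit remote clients without a password, such as the
#   host all all 0.0.0.0/0 trust
# line used in the deployment above, and show a tighter rule beside it that only
# admits the SonarQube host (192.168.226.130 from this post's layout) with md5.
# The sample files are constructed here so the check runs offline.

# pg_hba_findings <pg_hba.conf path>
# Prints one "kind:database:user:address:method" line per risky rule.
pg_hba_findings() {
    # Fields: TYPE DATABASE USER ADDRESS METHOD [OPTIONS]; comments/blanks skipped.
    grep -Ev '^[[:space:]]*(#|$)' "$1" | while read -r type db user addr method _; do
        [ "$type" = "host" ] || [ "$type" = "hostssl" ] || continue
        case "$addr" in
            0.0.0.0/0|::/0)       echo "open-to-world:$db:$user:$addr:$method" ;;
            127.0.0.1/32|::1/128) ;;   # loopback rules are left alone
            *) if [ "$method" = "trust" ]; then
                   echo "remote-trust:$db:$user:$addr:$method"
               fi ;;
        esac
    done
}

# pg_hba_finding_count <pg_hba.conf path>  -> number of risky rules (0 = clean)
pg_hba_finding_count() {
    pg_hba_findings "$1" | wc -l | tr -d ' '
}

# Constructed sample: the rule from this post plus a subnet-wide trust rule.
PG_HBA_WEAK=$(mktemp)
cat > "$PG_HBA_WEAK" <<'EOF'
# TYPE  DATABASE  USER  ADDRESS           METHOD
local   all       all                     trust
host    all       all   127.0.0.1/32      trust
host    all       all   192.168.226.0/24  trust
host    all       all   0.0.0.0/0         trust
EOF
# Constructed replacement: only the SonarQube container host, password required.
PG_HBA_FIXED=$(mktemp)
cat > "$PG_HBA_FIXED" <<'EOF'
local   all       all                        peer
host    all       all   127.0.0.1/32         md5
host    sonar     sonar 192.168.226.130/32   md5
EOF

echo "weak:  $(pg_hba_finding_count "$PG_HBA_WEAK") risky rule(s)"
echo "fixed: $(pg_hba_finding_count "$PG_HBA_FIXED") risky rule(s)"
```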

III. Getting started

Enter the GitLab information in sonarqube

Visit http://192.168.226.130:9000 and fill in the URL and token under Configuration -- GitLab. Note that the token here

is obtained from GitLab under user settings -- account -- private token,

and then entered in sonarqube.

Add a .gitlab-ci.yml to the project

security_sonar:
    stage: test
    script:
      - sonar-scanner -Dsonar.projectKey=<project name>
    tags:
      - <tag name>
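As an added example (not from the original post), a helper script that the `script:` line above could call in place of the fixed `sonar-scanner` command, so that the job follows the two paths of the flow in part I: pushes to feature branches get a commit comment from the GitLab plugin (steps 1-4), while develop/master runs only publish to the SonarQube server (steps 5-8). The `sonar.gitlab.*` property names are sonar-gitlab-plugin's; the project key, branch names and sample CI values are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): build the sonar-scanner argument
# list for one CI job, following the two paths of the flow described earlier:
#   feature branch push  -> analyse and let sonar-gitlab-plugin comment on the commit
#   develop/master merge -> analyse and keep the result in the SonarQube database only
# The sonar.gitlab.* properties are sonar-gitlab-plugin's; the project key,
# branch names and sample CI values below are assumptions made for this example.

# sonar_args <project_key> <branch> <commit_sha> <gitlab_project_id>
# Prints the scanner arguments on one line (no scan is run here).
sonar_args() {
    key=$1; branch=$2; sha=$3; pid=$4
    args="-Dsonar.projectKey=$key -Dsonar.sourceEncoding=UTF-8"
    case "$branch" in
        develop|master)
            # Steps 5-8: the server stores the result; no commit comment wanted.
            ;;
        *)
            # Steps 1-4: tell the GitLab plugin which commit and ref to annotate.
            args="$args -Dsonar.gitlab.commit_sha=$sha"
            args="$args -Dsonar.gitlab.ref_name=$branch"
            args="$args -Dsonar.gitlab.project_id=$pid"
            ;;
    esac
    printf '%s\n' "$args"
}

# ci_vars_ok <branch> <commit_sha> <gitlab_project_id>
# Refuse to scan when the runner did not hand over the variables the plugin
# needs for a commit comment; otherwise it would post against an empty sha.
ci_vars_ok() {
    [ -n "$1" ] && [ -n "$2" ] && [ -n "$3" ]
}

# On GitLab 8 the job would read $CI_BUILD_REF_NAME, $CI_BUILD_REF and
# $CI_PROJECT_ID; these literal values are constructed for the dry run.
if ci_vars_ok "feature/login" "abc123" "42"; then
    echo "sonar-scanner $(sonar_args demo-project feature/login abc123 42)"
fi
```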

IV. Errors and solutions

Error 1:

ERROR: Error during SonarQube Scanner execution

ERROR: You must define the following mandatory properties for 'Unknown': sonar.projectKey

ERROR:

ERROR: Re-run SonarQube Scanner using the -X switch to enable full debug logging.

Solution 1:

Modify sonar-scanner.properties according to the error message:

sonar.host.url=http://192.168.226.130:9000

sonar.sourceEncoding=UTF-8

sonar.jdbc.url=jdbc:postgresql://192.168.226.132:5432/sonar

sonar.jdbc.username=sonar

sonar.jdbc.password=xxx

sonar.projectKey=allProjects

sonar.projectName=allProjects

sonar.projectVersion=1.0.0

sonar.login=admin

sonar.password=xxx

報(bào)錯2:

ERROR: Error during SonarQube Scanner execution

ERROR: com.talanlabs.sonar.plugins.gitlab.CommitPublishPostJob has unsatisfied dependency?'class com.talanlabs.sonar.plugins.gitlab.ReporterBuilder'?for?constructor?'public com.talanlabs.sonar.plugins.gitlab.CommitPublishPostJob(com.talanlabs.sonar.plugins.gitlab.GitLabPluginConfiguration,com.talanlabs.sonar.plugins.gitlab.SonarFacade,com.talanlabs.sonar.plugins.gitlab.CommitFacade,com.talanlabs.sonar.plugins.gitlab.ReporterBuilder)'?from org.sonar.core.platform.ComponentContainer$ExtendedDefaultPicoContainer@5b799640:348<[Immutable]:org.sonar.core.platform.ComponentContainer$ExtendedDefaultPicoContainer@3457cc8d:51<|

ERROR:

ERROR: Re-run SonarQube Scanner using the -X?switch?to enable full debug logging.

解決方案2:

在網(wǎng)上找到https://github.com/gabrie-allaigre/sonar-gitlab-plugin/issues/213,這個只要跟著我上面部署的版本安裝,就不會出錯,需要升級sonar-gitlab-plugin

報(bào)錯3:

ERROR: Error during SonarQube Scanner execution

ERROR: GC overhead limit exceeded

ERROR:

ERROR: Re-run SonarQube Scanner using the -X switch to enable full debug logging.

解決方案3:

增加sonar-scanner的性能,由4c8g擴(kuò)容到8c16g,并且做如下操作:

vi /etc/profile

export?SONAR_SCANNER_OPTS="-Xmx16384m"

source /etc/profile
