Docker SonarQube community scanner for local repositories.
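#!/bin/bash
# Docker SonarQube community scanner for local repositories.
#
# Run from the root of a git checkout: starts (or creates) a local SonarQube
# container, scans the current directory with sonar-scanner-cli and prints the
# project's security rating, vulnerability count and hotspot count.
#
# Required tools: sudo, docker, curl, jq.
# The admin password is only set on the run that creates the container; to
# change it later it is probably easiest to remove the container and start fresh.
set -uo pipefail

# The password must be basic as who cares? It is still kept out of request URLs
# and out of curl's argv below, so it does not land in server logs or `ps`.
SONAR_PASS="newAdminPassword"
SONAR_VERSION="9.3.0"
SONAR_VERSION_TYPE="community"
readonly SONAR_URL="http://localhost:9000"
readonly SONAR_IMAGE="sonarqube:${SONAR_VERSION}-${SONAR_VERSION_TYPE}"
readonly SONAR_CONTAINER="sonarqube-${SONAR_VERSION_TYPE}"
# Upper bound (seconds) for waiting until SonarQube reports itself UP.
readonly SONAR_STARTUP_TIMEOUT=300
# fyi sonar community does not support swift so you should use mobsf
# sudo docker run --detach --restart no --name mobsf -p 7000:8000 --add-host host.docker.internal:127.0.0.1 opensecurity/mobile-security-framework-mobsf:latest \ # no auth

#######################################
# Print a timestamped progress line on stdout.
# Arguments: $@ - message
#######################################
log() {
  printf '%s: %s\n' "$(date '+%Y/%m/%d %H:%M:%S')" "$*"
}

#######################################
# Call the local SonarQube web API.
# Credentials and form fields are handed to curl through a config read from
# stdin (-K -) instead of the command line, so they are not visible in `ps`
# or `set -x` output, and POST fields travel in the body, not the URL.
# Arguments:
#   $1 - user:password
#   $2 - HTTP method, GET (fields become the query string) or POST
#   $3 - API path below /api, e.g. users/change_password
#   $@ - remaining args: form fields as name=value (url-encoded by curl)
# Outputs: response body on stdout
# Returns: curl's exit status
#######################################
sonar_api() {
  local auth=$1 method=$2 path=$3
  shift 3
  local field
  local -a curl_args=(-s -K - -X "$method" "${SONAR_URL}/api/${path}")
  # -G moves the data-urlencode fields into the query string.
  [[ "$method" == GET ]] && curl_args+=(-G)
  {
    # NOTE: curl config strings use \" and \\ escapes; this assumes neither the
    # credentials nor the field values contain a double quote or a backslash.
    printf 'user = "%s"\n' "$auth"
    for field in "$@"; do
      printf 'data-urlencode = "%s"\n' "$field"
    done
  } | curl "${curl_args[@]}"
}

#######################################
# Block until /api/system/status reports UP, polling every 5 seconds.
# Globals: SONAR_URL, SONAR_STARTUP_TIMEOUT (read)
# Returns: 0 when UP, 1 on timeout
#######################################
wait_for_sonar() {
  local waited=0 status
  while (( waited < SONAR_STARTUP_TIMEOUT )); do
    status=$(curl -s "${SONAR_URL}/api/system/status" | jq -r '.status' 2>/dev/null)
    [[ "$status" == "UP" ]] && return 0
    sleep 5
    waited=$((waited + 5))
  done
  return 1
}

main() {
  # check if is a git repo
  if [[ ! -d .git ]]; then
    log "${PWD} is not a git repo. Check your location."
    return 1
  fi

  # if the image exists probably the user already set it up
  if sudo docker image inspect "$SONAR_IMAGE" >/dev/null 2>&1; then
    log "Docker for sonarqube already found on system."
  fi

  # get fresh sonarqube-community: reuse the container when it exists, create it
  # otherwise. Only a freshly created container still has the admin:admin default.
  log "Checking if sonarqube is running else getting it up and running..."
  local fresh_container=false
  if ! sudo docker start "$SONAR_CONTAINER" >/dev/null 2>&1; then
    # Bind to loopback only: everything in this script talks to localhost, and
    # the default admin:admin credentials exist until the password change below.
    if sudo docker run --detach --restart no --name "$SONAR_CONTAINER" \
        -p 127.0.0.1:9000:9000 "$SONAR_IMAGE" >/dev/null 2>&1; then
      fresh_container=true
    else
      log "Could not start or create the ${SONAR_CONTAINER} container."
      return 1
    fi
  fi

  # A restarted container needs warm-up time too, so always wait; this returns
  # immediately once the API is up instead of sleeping a fixed minute.
  log "Wait for sonar to start properly..."
  if ! wait_for_sonar; then
    log "sonarqube did not report UP within ${SONAR_STARTUP_TIMEOUT}s."
    return 1
  fi

  if [[ "$fresh_container" == true ]]; then
    log "Changing the default admin:admin password..."
    sonar_api "admin:admin" POST users/change_password \
      "login=admin" "previousPassword=admin" "password=${SONAR_PASS}" >/dev/null \
      || log "Warning: password change request failed; later API calls may be rejected."
  fi

  local project_name
  project_name=$(basename "$PWD")

  # run scanner
  log "Running sonar-scanner-cli..."
  local sonar_ip
  sonar_ip=$(sudo docker inspect \
    -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' "$SONAR_CONTAINER")
  # Scanner stdout is dropped, its stderr stays visible so failures are not hidden.
  # NOTE: sonar.password is visible in the host's process list while the scan
  # runs; a user token handed to the container via the SONAR_TOKEN environment
  # variable would avoid that — TODO.
  if ! sudo docker run --rm \
      -e SONAR_HOST_URL="http://${sonar_ip}:9000" \
      -v "${PWD}:/usr/src" \
      sonarsource/sonar-scanner-cli \
      -D sonar.login=admin \
      -D "sonar.password=${SONAR_PASS}" \
      -D "sonar.projectKey=${project_name}" \
      -D sonar.c.file.suffixes=- \
      -D sonar.cpp.file.suffixes=- \
      -D sonar.objc.file.suffixes=- \
      >/dev/null; then
    log "sonar-scanner-cli failed for ${project_name}."
    return 1
  fi

  # get project status
  log "Waiting for results to be ready in the local api..."
  sleep 10s # the results sometimes take time in the tiny container
  log "Getting ${project_name} security report..."
  local measures
  measures=$(sonar_api "admin:${SONAR_PASS}" GET measures/component \
    "metricKeys=security_rating,vulnerabilities,security_hotspots" \
    "component=${project_name}" | jq -c '.component.measures[]')
  if [[ -z "$measures" ]]; then
    log "No measures returned for ${project_name}; the analysis may still be queued."
    echo "Details here: ${SONAR_URL}/dashboard?id=${project_name}"
    return 1
  fi

  local -A sonar_sec_scores=(
    ["1.0"]="[A] 0 Vulnerabilities"
    ["2.0"]="[B] at least 1 Minor Vulnerability"
    ["3.0"]="[C] at least 1 Major Vulnerability"
    ["4.0"]="[D] at least 1 Critical Vulnerability"
    ["5.0"]="[E] at least 1 Blocker Vulnerability"
  )
  local score vulns hotspots
  score=$(jq -r 'select(.metric == "security_rating").value' <<<"$measures")
  vulns=$(jq -r 'select(.metric == "vulnerabilities").value' <<<"$measures")
  hotspots=$(jq -r 'select(.metric == "security_hotspots").value' <<<"$measures")
  # An empty or unknown rating must not abort the script with a bad subscript.
  local score_text=${sonar_sec_scores[${score:-none}]:-"unknown rating (${score:-n/a})"}

  echo "Security Score: ${score_text}, [${vulns:-?}] Vulnerabilities, [${hotspots:-?}] Hotspots."
  echo "Details here: ${SONAR_URL}/dashboard?id=${project_name}"
}

main "$@"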