SonarQube source code static security scanning tool

Reference article: www.toutiao.com/a6939022228…

Take a look at the article above for the basic operations

Download address: www.sonarqube.org/downloads/

After the tool is started, visit http://127.0.0.1:9000

Chinese plugin: github.com/xuhuisheng/…

A copy of the plugin repository is available on gitee: gitee.com/shizhaochu/…

git clone gitee.com/shizhaochu/…

Run mvn install in the sonar-l10n-zh directory

Take the jar package from the target directory and place it under sonarqube-8.9.1.44547\extensions\plugins

Then restart the tool

The following steps 1, 2 and 3 are preparatory steps summarized after various errors were reported

1, You need to add a global configuration to Maven's settings.xml. Place the following configuration in that file

<settings>
    <pluginGroups>
        <pluginGroup>org.sonarsource.scanner.maven</pluginGroup>
    </pluginGroups>
    <profiles>
        <profile>
            <id>sonar</id>
            <activation>
                <activeByDefault>true</activeByDefault>
            </activation>
            <properties>
                <!-- Optional URL to server. Default value is http://localhost:9000 -->
                <sonar.host.url>
                  http://127.0.0.1:9000
                </sonar.host.url>
            </properties>
        </profile>
    </profiles>
</settings>

2, The project root directory should contain a .git directory (after trying several more times later, this turned out not to be necessary)

If not, execute git init in the project root directory

3, Add the sonar-maven-plugin to the project's top-level POM file (inside build/plugins)

<plugin>
    <groupId>org.sonarsource.scanner.maven</groupId>
    <artifactId>sonar-maven-plugin</artifactId>
    <version>3.9.0.2155</version>
</plugin>
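Because most of the errors behind steps 1 to 3 come from a settings.xml that is not what the scanner expects, here is an added pre-flight check (example code, not from the original article or from SonarQube) that parses a Maven settings.xml string and reports what is missing from the sonar profile; the file contents are constructed samples, and a settings file that declares the Maven xmlns is handled the same as one that does not.

```python
"""Added example (not from the original article): pre-flight check that a Maven
settings.xml carries the SonarQube profile from step 1, run before mvn sonar:sonar."""
import xml.etree.ElementTree as ET

def _find_all(root, path):
    # Walk "a/b/c" one level at a time, matching local tag names so that a
    # settings.xml with the Maven xmlns declared is handled like one without it
    nodes = [root]
    for part in path.split("/"):
        nodes = [c for n in nodes for c in n if c.tag.rsplit("}", 1)[-1] == part]
    return nodes

def _texts(root, path):
    return [n.text.strip() for n in _find_all(root, path) if n.text]

def check_settings(xml_text):
    """Return the problems found in a settings.xml string (empty list = OK)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as e:  # e.g. a comment typed as "<! --" instead of "<!--"
        return [f"not well-formed XML: {e}"]
    problems = []
    if "org.sonarsource.scanner.maven" not in _texts(root, "pluginGroups/pluginGroup"):
        problems.append("missing pluginGroup org.sonarsource.scanner.maven")
    active, host = False, None
    for prof in _find_all(root, "profiles/profile"):
        if "sonar" in _texts(prof, "id"):
            active = "true" in _texts(prof, "activation/activeByDefault")
            host = (_texts(prof, "properties/sonar.host.url") or [None])[0]
    if not active:
        problems.append("profile 'sonar' is missing or not activeByDefault")
    if not host or not host.startswith(("http://", "https://")):
        problems.append(f"sonar.host.url missing or not a URL: {host!r}")
    return problems

# Constructed sample: the article's settings with the Maven namespace added and
# the comment written correctly; this is what a working file looks like.
GOOD_SETTINGS = """<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <pluginGroups><pluginGroup>org.sonarsource.scanner.maven</pluginGroup></pluginGroups>
  <profiles><profile><id>sonar</id>
    <activation><activeByDefault>true</activeByDefault></activation>
    <properties><sonar.host.url> http://127.0.0.1:9000 </sonar.host.url></properties>
  </profile></profiles>
</settings>"""
# Constructed sample: the same file with the broken comment seen in some copies
BAD_SETTINGS = GOOD_SETTINGS.replace("<properties>", "<properties><! -- url -->")

if __name__ == "__main__":
    print(check_settings(GOOD_SETTINGS))  # []
    print(check_settings(BAD_SETTINGS))   # ['not well-formed XML: ...']
```

Run it against your real file with check_settings(open("~/.m2/settings.xml").read()) (path expanded as appropriate) before the first mvn sonar:sonar.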

4. Create a scan project

Log in to 127.0.0.1:9000 and create a token

This token needs to be saved somewhere as text, because it is shown only once and you won't find it in the tool again next time

Token (used to log in for this test): 36f11edb6a821200b4f213a724c1a43a8546b442

Analyze your project -> choose the build technology used

For Java, choose Maven

The tool then provides a command

Execute the command at the root of our project (the token is a credential; passed this way it also lands in your shell history and in the process list, so treat the machine and the command line accordingly)

mvn clean
mvn install
mvn sonar:sonar -Dsonar.login=36f11edb6a821200b4f213a724c1a43a8546b442

After the execution finishes, you can view the results on the page