Easier scanning with Sonar-scanner-cli
Because of the usual certificate errors, it is not that easy to use the Sonar scanner against a local system that uses a self-signed certificate.
To avoid installing the whole stack of SCM-Manager, Jenkins, etc., it is easier to run the Sonar scanner container and add your own certificate to its Java truststore:
- Generate a SonarQube token, e.g., at https://example.invalid/sonar/account/security.
  - In this example: `sqa_3ffb7e36dee85c27ab1b3cca58e0dea400068f70`
  - The token is a credential: it ends up in your shell history and in the container's environment, so use a dedicated token rather than a long-lived personal one.
- Select the codebase to be scanned.
- Copy the server certificate to a file and store it in the codebase's directory, so that it is visible inside the bind mount.
  - On the CES-VM: `etcdctl get /config/_global/certificate/server.crt > /vagrant/ces.pem`
  - Copy the certificate (`ces.pem`) to the codebase directory.
- From the codebase directory (`$PWD` is mounted as `/usr/src` in the container):
  - start the Sonar scanner container,
  - import the certificate into the JVM truststore, and
  - scan.
  - Scan a second time for good measure, because SonarQube is weird and hates first scans.
```sh
docker run \
  --rm -u 0 \
  -e SONAR_HOST_URL="https://example.invalid/sonar" \
  -e SONAR_TOKEN="sqa_3ffb7e36dee85c27ab1b3cca58e0dea400068f70" \
  -v "${PWD}:/usr/src" -it --entrypoint sh \
  sonarsource/sonar-scanner-cli
# You are now in a shell inside the container. Continue there:
cd /usr/lib/jvm/java-17-openjdk/lib/security
# 'changeit' is the default password of the JDK truststore;
# -u 0 (root) above is what makes cacerts writable
keytool -import -trustcacerts -noprompt -alias sonarqube -file /usr/src/ces.pem -keystore cacerts -storepass changeit
cd -
sonar-scanner   # run it a second time as well, see above
exit # This leaves the container, which is then deleted (--rm). Everything must be repeated for the next scan.
```

Minimal example of a codebase
To find out whether and how SonarQube and Sonarcarp work, two or three files are sufficient:

- go.mod

  ```sh
  mkdir test
  cd test
  go mod init test
  ```

- main.go

  ```go
  package main

  import (
  	"fmt"
  	"path/filepath"
  )

  func main() {
  	// error here (intentional): err is never checked, so the scanner has
  	// something to report; note that `go build` rejects the unused variable
  	a, err := filepath.Abs("asdf")
  	fmt.Println("hello world", a)
  }
  ```

- sonar-project.properties

  ```properties
  sonar.projectKey=test
  sonar.sources=.
  sonar.exclusions=**/*_test.go,**/vendor/**,**/target/**,**/mocks/**,**/mock.go,resources/test/**/index.html,**/mock,**/build/make/**
  sonar.tests=.
  sonar.test.inclusions=**/*_test.go
  sonar.test.exclusions=**/vendor/**,**/target/**
  ```
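Putting the two parts together: the interactive container session from the first section as one non-interactive script that scans a codebase such as the minimal one above. This is an added example, not code from the original page or from the projects it mentions. It assumes docker on the host, the `sonarsource/sonar-scanner-cli` image with `java` and `keytool` on its PATH, and the bind-mount layout from above (`$PWD` as `/usr/src`). `scan.sh`, the functions `is_pem_cert`, `container_script` and `run_scan`, and the `DRY_RUN` and `SCANS` variables are names introduced here.

```sh
#!/bin/sh
# scan.sh: the interactive container session above as one non-interactive
# script. Added example, not code from the original page or from the
# SonarSource/Cloudogu projects. Assumed: docker on the host, the
# sonarsource/sonar-scanner-cli image (java and keytool on its PATH), and the
# same layout as above: the codebase directory is bind-mounted at /usr/src.
#
# Usage: SONAR_TOKEN=sqa_... sh scan.sh /path/to/codebase /path/to/ces.pem
set -eu

SONAR_HOST_URL="${SONAR_HOST_URL:-https://example.invalid/sonar}"
SCANS="${SCANS:-2}"   # two runs, as recommended above

# Check that the file really is a PEM certificate before it reaches keytool:
# an empty etcd key or an etcdctl error message would otherwise only show up
# as a cryptic keytool failure inside the container.
is_pem_cert() {
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null &&
    grep -q -- '-----END CERTIFICATE-----' "$1" 2>/dev/null
}

# The commands run inside the container. The truststore is located from the
# java binary instead of hard-coding /usr/lib/jvm/java-17-openjdk, so the
# script survives a JDK bump in a newer image. 'changeit' is the JDK default
# truststore password; -u 0 (root) is what makes cacerts writable, and the
# modified truststore is thrown away with the container (--rm).
container_script() {
  pem_name="$1"
  scans="$2"
  cat <<EOF
set -eu
cacerts="\$(dirname "\$(dirname "\$(readlink -f "\$(command -v java)")")")/lib/security/cacerts"
keytool -import -trustcacerts -noprompt -alias sonarqube -file "/usr/src/$pem_name" -keystore "\$cacerts" -storepass changeit
cd /usr/src
i=0
while [ "\$i" -lt "$scans" ]; do
  i=\$((i + 1))
  echo "=== sonar-scanner run \$i of $scans ==="
  sonar-scanner
done
EOF
}

# Copy the certificate into the bind mount and run the container.
# With DRY_RUN=1 the docker command and the container script are only printed.
run_scan() {
  codebase="$(cd "$1" && pwd)"   # docker -v needs an absolute path
  pem="$2"
  is_pem_cert "$pem" || { echo "$pem is not a PEM certificate" >&2; return 1; }
  pem_name="$(basename "$pem")"
  # skip the copy if the certificate already lies in the codebase directory
  cmp -s "$pem" "$codebase/$pem_name" 2>/dev/null || cp "$pem" "$codebase/$pem_name"
  script="$(container_script "$pem_name" "$SCANS")"
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf 'docker run --rm -u 0 -e SONAR_HOST_URL=%s -e SONAR_TOKEN=*** -v %s:/usr/src --entrypoint sh sonarsource/sonar-scanner-cli -c <script>\n' \
      "$SONAR_HOST_URL" "$codebase"
    printf '%s\n' "$script"
    return 0
  fi
  docker run --rm -u 0 \
    -e SONAR_HOST_URL="$SONAR_HOST_URL" \
    -e SONAR_TOKEN="${SONAR_TOKEN:?set SONAR_TOKEN to a token from /account/security}" \
    -v "$codebase:/usr/src" \
    --entrypoint sh sonarsource/sonar-scanner-cli -c "$script"
}

# Only run when called with arguments, so the functions can also be sourced.
[ $# -eq 0 ] || run_scan "$@"
```

`DRY_RUN=1 sh scan.sh test ces.pem` prints the docker command and the container script without starting anything. The token is passed as an environment variable exactly as in the manual session, so it is visible to `docker inspect` for as long as the container exists; with `--rm` that is only until the scans finish.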