Introduction to SonarQube
What is SonarQube
SonarQube® is an automatic code review tool to detect bugs, vulnerabilities, and code smells in your code. It can integrate with your existing workflow to enable continuous code inspection across your project branches and pull requests.
Where SonarQube sits in a DevOps CI/CD pipeline:
- GitLab stores the code and manages branches;
- Jenkins builds and packages the code;
- SonarQube is invoked by Jenkins to check code quality; it produces a quality report for the developers, closing the loop so the code improves with each iteration.
SonarQube checks the following aspects of code quality:
- Complexity: overly complex code is hard to understand (and hard to review for security defects);
- Duplicated code;
- Unit test statistics (test results and coverage);
- Rule compliance (coding standards);
- Comment density;
- Potential bugs and vulnerabilities;
- Structure and design.
Deploying SonarQube
Deploying the dependencies
SonarQube stores its analysis results in a database (MySQL here) and needs a Java runtime to run. Note that MySQL support was removed in SonarQube 7.9 and later releases (PostgreSQL is the usual choice for new deployments), which is why this lab uses SonarQube 6.7.
The three main dependencies of SonarQube 6.7 (see https://docs.sonarqube.org/6.7/Requirements.html):
- MySQL 5.6 or 5.7
- JDK 8
- kernel parameter settings
Installing MySQL
- Configure the MySQL 5.7 yum repository
rpm -ivh https://dev.mysql.com/get/mysql57-community-release-el7-11.noarch.rpm
- Install MySQL 5.7 and start it
[root@jenkins-1 src]# yum -y install mysql-community-server
[root@jenkins-1 src]# systemctl start mysqld
- Find the generated temporary root password in the log, then connect to test it
[root@jenkins-1 src]# grep "temp" /var/log/mysqld.log
2020-12-22T10:45:40.852071Z 1 [Note] A temporary password is generated for root@localhost: bbwp9ytKy*q(
2020-12-22T10:45:43.300975Z 0 [Note] InnoDB: Creating shared tablespace for temporary tables
- Run the hardening script (it sets a new root password, removes the anonymous users and the test database, and disables remote root login), then log in with the new password
[root@jenkins-1 src]# mysql_secure_installation
[root@jenkins-1 src]# mysql -uroot -p<new password>
- Change the default character set in my.cnf to utf8 and restart MySQL
[root@jenkins-1 src]# vim /etc/my.cnf
[mysqld]
collation-server = utf8_unicode_ci
init-connect='SET NAMES utf8'
character-set-server = utf8
[root@jenkins-1 src]# systemctl restart mysqld
- Create the sonar database for SonarQube
mysql> create database sonar default character set utf8 collate utf8_general_ci;
- Create the sonar account and grant it all privileges on the sonar database only
mysql> grant all on sonar.* to 'sonar'@'%' identified by '123456';
# In the lab, 123456 does not pass the password complexity check (validate_password), so use a stronger one.
# Since SonarQube runs on the same host and connects via localhost, 'sonar'@'localhost' is a tighter grant than 'sonar'@'%', which accepts this account from any host.
- Test the connection as the sonar account
[root@jenkins-1 ~]# mysql -usonar -p123456
mysql: [Warning] Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 4
Server version: 5.7.32 MySQL Community Server (GPL)
mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| sonar              |
+--------------------+
Installing the JDK
- Install OpenJDK 1.8
- Set the JAVA_HOME environment variable
- This lab reuses the Jenkins host, so the JDK is already present
Kernel parameter tuning
Reference: https://docs.sonarqube.org/6/7/Requirements.html#src-11634463_Requirements-Kernelparameters
[root@jenkins-1 ~]# vim /etc/sysctl.conf
vm.max_map_count=262144
fs.file-max=65536
(run sysctl -p afterwards so the values apply without a reboot)
[root@jenkins-1 ~]# vim /etc/security/limits.conf
sonarqube - nofile 65536
sonarqube - nproc 2048
The limits.conf entries are per-user and only apply to a new login session of the sonarqube user, which is why SonarQube is started below through su - sonarqube rather than from an existing root shell. If they are not met, the bundled Elasticsearch refuses to start and SonarQube never comes up.
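Added example (not from the original page): a pre-flight check for the four values above, so an unmet limit is caught before the first start instead of being diagnosed from the Elasticsearch log afterwards. The thresholds are those of the 6.7 requirements page; the function names are this example's own, and it uses bash's ulimit flags.

```shell
#!/bin/bash
# Added pre-flight check (not from the original page): confirm the kernel and
# per-user limits SonarQube 6.7's bundled Elasticsearch needs before starting it.
# Thresholds come from the 6.7 requirements page cited above.
SONAR_MIN_MAX_MAP_COUNT=262144
SONAR_MIN_FILE_MAX=65536
SONAR_MIN_NOFILE=65536
SONAR_MIN_NPROC=2048

# meets_min NAME ACTUAL MIN: returns 0 when ACTUAL is "unlimited" or >= MIN,
# 1 otherwise (including a missing or non-numeric value); prints one verdict line.
meets_min() {
    name=$1; actual=$2; min=$3
    case "$actual" in
        unlimited) echo "ok   $name=unlimited"; return 0 ;;
        ''|*[!0-9]*) echo "FAIL $name: non-numeric value '$actual'"; return 1 ;;
    esac
    if [ "$actual" -ge "$min" ]; then
        echo "ok   $name=$actual (>= $min)"
    else
        echo "FAIL $name=$actual (need >= $min)"
        return 1
    fi
}

# Check all four values. Run it as the account that will start SonarQube
# (su - sonarqube -c 'bash -c ". ./check.sh; check_sonar_prereqs"'), because the
# nofile/nproc limits from limits.conf are per-user and only apply to a fresh login.
# ulimit -n / -u are bash's flags for open files and user processes.
check_sonar_prereqs() {
    rc=0
    meets_min vm.max_map_count "$(sysctl -n vm.max_map_count)" "$SONAR_MIN_MAX_MAP_COUNT" || rc=1
    meets_min fs.file-max      "$(sysctl -n fs.file-max)"      "$SONAR_MIN_FILE_MAX"      || rc=1
    meets_min nofile           "$(ulimit -n)"                  "$SONAR_MIN_NOFILE"        || rc=1
    meets_min nproc            "$(ulimit -u)"                  "$SONAR_MIN_NPROC"         || rc=1
    return $rc
}
```

Source the file and call check_sonar_prereqs; a non-zero exit means at least one value is below its threshold, and the printed FAIL lines name which.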
Installing SonarQube
SonarQube bundles Elasticsearch to index the analysed code, and Elasticsearch refuses to run as root, so SonarQube must be started as an ordinary (non-root) user.
- Download the SonarQube 6.7 package
wget https://binaries.sonarsource.com/Distribution/sonarqube/sonarqube-6.7.7.zip
- Unzip it and create a symlink
[root@jenkins-1 src]# unzip sonarqube-6.7.7.zip
[root@jenkins-1 src]# ln -sv /usr/local/src/sonarqube-6.7.7 /usr/local/sonar
‘/usr/local/sonar’ -> ‘/usr/local/src/sonarqube-6.7.7’
- Create the sonarqube user and make it the owner of the install directory
[root@jenkins-1 ~]# useradd -s /bin/bash -m sonarqube
[root@jenkins-1 ~]# id sonarqube
uid=1000(sonarqube) gid=1000(sonarqube) groups=1000(sonarqube)
[root@jenkins-1 src]# chown -R sonarqube.sonarqube /usr/local/src/sonarqube-6.7.7
- Switch to the sonarqube user
[root@jenkins-1 src]# su - sonarqube
- Edit the configuration file and set the MySQL connection details
[sonarqube@jenkins-1 ~]$ vim /usr/local/sonar/conf/sonar.properties
sonar.jdbc.username=sonar
sonar.jdbc.password=123456
sonar.jdbc.url=jdbc:mysql://localhost:3306/sonar?useUnicode=true&characterEncoding=utf8&rewriteBatchedStatements=true&useConfigs=maxPerformance&useSSL=false
The database password is stored in clear text here, so keep the file readable by the sonarqube user only (the chown above already makes it that user's). useSSL=false is acceptable only because MySQL is reached over localhost on the same host; for a remote database keep TLS on.
- Change the listen address and port (optional)
sonar.web.host=0.0.0.0
sonar.web.port=9000
Binding to 0.0.0.0 exposes the web UI, including the default admin account, on every interface; restrict access with a firewall or a reverse proxy.
- Start SonarQube as the sonarqube user
[sonarqube@jenkins-1 ~]$ /usr/local/sonar/bin/linux-x86-64/sonar.sh start
- Check the log to verify that it started
In the lab the first start failed for lack of memory; after adding memory it started successfully on the next attempt. (Elasticsearch-side failures, including unmet kernel limits, are written to logs/es.log rather than sonar.log.)
[root@jenkins-1 ~]# tailf /usr/local/sonar/logs/sonar.log
Launching a JVM...
2020.12.22 19:07:03 INFO  app[][o.s.a.SchedulerImpl] Process[ce] is up
2020.12.22 19:07:03 INFO  app[][o.s.a.SchedulerImpl] SonarQube is up
- Log in to the web UI; the default credentials are admin/admin. Change this password right after the first login: the account has full administrative rights and the UI is reachable over the network.
- Install the Chinese language pack
Method 1: install it from the Marketplace in the web UI.
Method 2: install it from the shell by downloading the jar into SonarQube's plugin directory and restarting.
[sonarqube@jenkins-1 plugins]$ cd /usr/local/sonar/extensions/plugins/
[sonarqube@jenkins-1 plugins]$ wget https://github.com/xuhuisheng/sonar-l10n-zh/releases/download/sonar-l10n-zh-plugin-1.11/sonar-l10n-zh-plugin-1.11.jar
[sonarqube@jenkins-1 plugins]$ /usr/local/sonar/bin/linux-x86-64/sonar.sh restart
A plugin jar runs inside the SonarQube JVM with all of its privileges, so only fetch plugins from a source you trust and pick the release that matches your server version.
- After the restart, confirm the UI has switched to Chinese
- Start SonarQube at boot
[root@jenkins-1 ~]# tailf /etc/rc.local
su - sonarqube -c "/usr/local/sonar/bin/linux-x86-64/sonar.sh start"
On CentOS 7 /etc/rc.d/rc.local is not executable by default, so this line only runs after chmod +x /etc/rc.d/rc.local; a systemd unit with User=sonarqube is the cleaner alternative.
- Install other plugins as needed (SonarQube's code scanning is implemented by language plugins), e.g. Java, PHP, Python: search the Marketplace and install.
Installing sonar-scanner
sonar-scanner is the client that analyses the code on the build side and uploads the analysis report to the SonarQube server; SonarQube itself only processes what the scanner sends.
- Download, unzip and symlink the package
[root@jenkins-1 src]# wget https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-4.0.0.1744-linux.zip
unzip sonar-scanner-cli-4.0.0.1744-linux.zip
ln -sv /usr/local/src/sonar-scanner-4.0.0.1744-linux/ /usr/local/sonar-scanner
- Enter the unpacked directory and edit the scanner configuration to set the server address and the source encoding
cd /usr/local/sonar-scanner/
vim conf/sonar-scanner.properties
#----- Default SonarQube server
sonar.host.url=http://localhost:9000
#----- Default source code encoding
sonar.sourceEncoding=UTF-8
- Add the scanner command to PATH
vim /etc/profile.d/sonar-scanner.sh
[root@jenkins-1 sonarqube-scanner]# cat /etc/profile.d/sonar-scanner.sh
export PATH=/usr/local/sonar-scanner/bin:$PATH
source /etc/profile.d/sonar-scanner.sh
- Verify the sonar-scanner command. In the usual case it is run from a directory that contains sonar-project.properties and a src directory, and it scans the code there.
[root@jenkins-1 sonarqube-scanner]# sonar-scanner -h
INFO:
INFO: usage: sonar-scanner [options]
INFO:
INFO: Options:
INFO:  -D,--define <arg>     Define property
INFO:  -h,--help             Display help information
INFO:  -v,--version          Display version information
INFO:  -X,--debug            Produce execution debug output
Preparing test code
- Download the sample code
wget https://github.com/SonarSource/sonar-scanning-examples/archive/master.zip
unzip master.zip
[root@jenkins-1 src]# pwd
/usr/local/src
[root@jenkins-1 src]# ll -rt
drwxr-xr-x 12 root root   4096 Dec 22 16:06 sonar-scanning-examples-master
-rw-r--r--  1 root root 254870 Dec 23 14:49 master.zip
# Enter the unpacked tree and find the directory holding sonar-project.properties; that is the directory sonar-scanner is run from
[root@jenkins-1 src]# cd sonar-scanning-examples-master/sonarqube-scanner
[root@jenkins-1 sonarqube-scanner]# ls
copybooks  coverage-report  sonar-project.properties  src
Running a scan
- Go to the directory containing sonar-project.properties and adjust the file as needed
[root@jenkins-1 sonarqube-scanner]# pwd
/usr/local/src/sonar-scanning-examples-master/sonarqube-scanner
[root@jenkins-1 sonarqube-scanner]# ls
copybooks  coverage-report  sonar-project.properties  src
# sonar-project.properties defines how to scan: the source paths, the project key and name of this analysis, etc.
# src is the source directory to be scanned
# the defaults work as they are; change them as needed
[root@jenkins-1 sonarqube-scanner]# cat sonar-project.properties
sonar.projectKey=org.sonarqube:sonarqube-scanner
sonar.projectName=Example of SonarQube Scanner Usage
sonar.projectVersion=1.0
sonar.sources=src,copybooks
sonar.sourceEncoding=UTF-8

## Cobol Specific Properties
# comma-separated paths to directories with copybooks
sonar.cobol.copy.directories=copybooks
# comma-separated list of suffixes
sonar.cobol.file.suffixes=cbl,cpy
sonar.cobol.copy.suffixes=cpy

## Flex Specific Properties
# retrieve code coverage data from the Cobertura report
sonar.flex.cobertura.reportPath=coverage-report/coverage-cobertua-flex.xml

# PL/I Specific Properties
sonar.pli.marginLeft=2
sonar.pli.marginRight=0
- Run sonar-scanner to start the scan; the command output:
[root@jenkins-1 sonarqube-scanner]# sonar-scanner
INFO: Scanner configuration file: /usr/local/src/sonar-scanner-4.0.0.1744-linux/conf/sonar-scanner.properties
INFO: Project root configuration file: /usr/local/src/sonar-scanning-examples-master/sonarqube-scanner/sonar-project.properties
INFO: SonarQube Scanner 4.0.0.1744
INFO: Java 11.0.3 AdoptOpenJDK (64-bit)
INFO: Linux 3.10.0-1160.6.1.el7.x86_64 amd64
INFO: User cache: /root/.sonar/cache
INFO: SonarQube server 6.7.7
INFO: Default locale: "en_US", source code encoding: "UTF-8"
.........
------------- Scan Example of SonarQube Scanner Usage
INFO: Analysis report generated in 218ms, dir size=91 KB
INFO: Analysis reports compressed in 63ms, zip size=42 KB
INFO: Analysis report uploaded in 500ms
INFO: ANALYSIS SUCCESSFUL, you can browse http://localhost:9000/dashboard/index/org.sonarqube:sonarqube-scanner
INFO: Note that you will be able to access the updated dashboard once the server has processed the submitted analysis report
INFO: More about the report processing at http://localhost:9000/api/ce/task?id=AXaOscnp3z5hMH_aiW9O
INFO: Task total time: 9.189 s
INFO: ------------------------------------------------------------------------
INFO: EXECUTION SUCCESS
INFO: ------------------------------------------------------------------------
INFO: Total time: 13.937s
INFO: Final Memory: 7M/27M
INFO: ------------------------------------------------------------------------
Two details in this output matter for a pipeline. The -linux scanner package ships its own JRE, which is why Java 11 appears here although the server runs on JDK 8. And ANALYSIS SUCCESSFUL only means the report was uploaded: the server processes it asynchronously as the Compute Engine task at the api/ce/task URL shown, so the dashboard, and any quality gate verdict, lag behind the command's exit.
- View the scan result in the web UI
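Because the scanner exits before the server has processed the report, a Jenkins shell step that wants to fail the build on a bad quality gate has to wait for the Compute Engine task first. The following helpers are an added example, not code from the page or from SonarSource. They assume sonar-scanner has just run in the current directory so that .scannerwork/report-task.txt exists (the file the scanner writes with serverUrl and ceTaskId), that SONAR_TOKEN holds a user token generated in the SonarQube UI and injected into the job as a Jenkins secret, and that the server exposes the 6.7 web API endpoints api/ce/task and api/qualitygates/project_status; the function names and the sample data at the bottom are this example's own.

```shell
#!/bin/bash
# Added example (not from the original page): wait for SonarQube to process the
# uploaded analysis report and fail the build when the quality gate is not OK.
# Assumptions (not from the page): .scannerwork/report-task.txt was written by the
# scanner run just before, and SONAR_TOKEN holds a SonarQube user token.
set -eu

# Print one key from report-task.txt (key=value lines) read on stdin.
report_task_value() {
    sed -n "s/^$1=//p" | head -n 1
}

# Pull "status":"..." out of the api/ce/task JSON on stdin (no jq dependency).
ce_status_from_json() {
    sed -n 's/.*"status":"\([A-Z_]*\)".*/\1/p' | head -n 1
}

# Pull "analysisId":"..." out of the same api/ce/task JSON.
ce_analysis_id_from_json() {
    sed -n 's/.*"analysisId":"\([A-Za-z0-9_-]*\)".*/\1/p' | head -n 1
}

# Pull the project-level gate status out of api/qualitygates/project_status JSON;
# anchored on "projectStatus" because every condition carries its own "status".
gate_status_from_json() {
    sed -n 's/.*"projectStatus":{"status":"\([A-Z]*\)".*/\1/p' | head -n 1
}

# Poll the Compute Engine task until it finishes (60 tries, 5 s apart), then
# check the gate. Returns 0 for OK; 1 for ERROR/WARN, a failed task or a timeout.
wait_for_quality_gate() {
    report_file="${1:-.scannerwork/report-task.txt}"
    server_url=$(report_task_value serverUrl < "$report_file")
    task_id=$(report_task_value ceTaskId < "$report_file")
    attempt=0
    status=""
    json=""
    while [ "$attempt" -lt 60 ]; do
        # token as basic-auth user name with an empty password
        json=$(curl -sS -u "$SONAR_TOKEN:" "$server_url/api/ce/task?id=$task_id")
        status=$(printf '%s' "$json" | ce_status_from_json)
        case "$status" in
            SUCCESS) break ;;
            FAILED|CANCELED) echo "CE task $task_id ended with $status" >&2; return 1 ;;
            *) attempt=$((attempt + 1)); sleep 5 ;;
        esac
    done
    if [ "$status" != SUCCESS ]; then
        echo "timed out waiting for CE task $task_id" >&2
        return 1
    fi
    analysis_id=$(printf '%s' "$json" | ce_analysis_id_from_json)
    gate=$(curl -sS -u "$SONAR_TOKEN:" \
        "$server_url/api/qualitygates/project_status?analysisId=$analysis_id" | gate_status_from_json)
    echo "quality gate for task $task_id: $gate"
    [ "$gate" = OK ]
}

# Constructed sample inputs (not captured from a live server) so the parsers can be
# exercised offline; the task id is the one from the scanner output above, the rest is made up.
SAMPLE_REPORT='projectKey=org.sonarqube:sonarqube-scanner
serverUrl=http://localhost:9000
ceTaskId=AXaOscnp3z5hMH_aiW9O
ceTaskUrl=http://localhost:9000/api/ce/task?id=AXaOscnp3z5hMH_aiW9O'
SAMPLE_CE_JSON='{"task":{"id":"AXaOscnp3z5hMH_aiW9O","type":"REPORT","analysisId":"constructed-analysis-id-1","status":"SUCCESS"}}'
SAMPLE_GATE_JSON='{"projectStatus":{"status":"ERROR","conditions":[{"status":"ERROR","metricKey":"new_coverage"}]}}'
```

In the Jenkins Execute shell step, run sonar-scanner, then source this file and call wait_for_quality_gate; its non-zero exit fails the build. Using a token instead of admin credentials keeps a leaked job configuration from handing out the server's admin account, and the token can be revoked on its own.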
Linking Jenkins to SonarQube
- Install the SonarQube Scanner plugin for Jenkins
- Manage Jenkins -> Configure System -> SonarQube servers: add the SonarQube server URL. If the server does not allow anonymous analysis, generate a user token in SonarQube and store it as a Jenkins secret text credential on this page rather than putting a password into the job.
- Manage Jenkins -> Global Tool Configuration: add a SonarQube Scanner installation manually (pointing at the sonar-scanner command path)
You can also tick "Install automatically", in which case Jenkins downloads the required scanner version itself.
Building a Jenkins job to test sonar-scanner
- Create a freestyle Jenkins job and point it at a GitLab repository
- Write the build script as usual: Build -> Execute shell
cd /var/lib/jenkins/workspace/test-sonar-1
tar -czvf web1.tar.gz index.jsp
scp web1.tar.gz root@192.168.80.104:/usr/local/tomcat/webapps/ROOT/
scp web1.tar.gz root@192.168.80.105:/usr/local/tomcat/webapps/ROOT/
ssh root@192.168.80.104 "catalina.sh stop && tar -xf /usr/local/tomcat/webapps/ROOT/web1.tar.gz -C /tmp/ && cp -a /tmp/index.jsp /usr/local/tomcat/webapps/ROOT/index.jsp"
ssh root@192.168.80.105 "catalina.sh stop && tar -xf /usr/local/tomcat/webapps/ROOT/web1.tar.gz -C /tmp/ && cp -a /tmp/index.jsp /usr/local/tomcat/webapps/ROOT/index.jsp"
ssh root@192.168.80.104 "catalina.sh start"
ssh root@192.168.80.105 "catalina.sh start"
This script deploys as root over SSH from the Jenkins host, so anyone who can edit this build step effectively has root on both Tomcat servers; a dedicated deploy user that owns the webapps directory is the least-privilege alternative. The tarball is also copied into the served ROOT directory itself, where Tomcat will hand it to anyone requesting /web1.tar.gz.
- In the job configuration add the build step Build -> Execute SonarQube Scanner and paste the contents of sonar-project.properties into its analysis properties
- Save and click Build Now
- Check the console output
The first build failed with an error that sonar-scanner could not be found. The console output showed that the job had run on the slave1 node configured in an earlier experiment, and slave1 has no sonar-scanner installed.
After deleting slave1 the job could only run on the master node, which does have the scanner, and the next build succeeded. (Restricting the job to a label via "Restrict where this project can be run", or enabling the scanner's automatic installation in Global Tool Configuration, fixes this without removing the node.)
- Check the SonarQube icon shown on the job page (it links to this project's page on the SonarQube server)
- Check that Tomcat has been updated