Wednesday, 7 October 2020

Tinkering with SonarQube for code-scanning shell scripts ...

I'm having a very quick tinker with a tool called SonarQube for code quality scanning.

One of my colleagues had asked whether SQ can scan scripts e.g. Bash, which made me go "Hmmmm" and start to play ...

As you'd expect, I started with a Docker container: -

docker pull sonarqube

docker run -d --name sonarqube -e SONAR_ES_BOOTSTRAP_CHECKS_DISABLE=true -p 9000:9000 sonarqube:latest

which is the bare minimum for getting SQ running, with the internal port 9000 mapped to the host port 9000. The SONAR_ES_BOOTSTRAP_CHECKS_DISABLE variable tells the embedded Elasticsearch to skip its bootstrap checks (things like vm.max_map_count), so the container starts on a host that hasn't been tuned for it.

I then hit my Linux virtual server on that port: -

http://10.0.0.10:9000/about

and logged in.

I cribbed the above from the Getting Started guide on the SQ website, and got to a point where I had a project set up, ready for scanning.

I then downloaded the SQ scanning tool (for my Linux box): -

wget https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-4.5.0.2216-linux.zip

and extracted it: -

mkdir -p /sonarqube
cd /sonarqube
unzip ~/sonar-scanner-cli-4.5.0.2216-linux.zip 

and added SQ to my PATH: -

export PATH=$PATH:/usr/local/go/bin:$GOPATH/bin:/root/sonarqube/sonar-scanner-4.5.0.2216-linux/bin

I had previously created a dummy "app" comprising a Dockerfile, a Go module and a Bash script: -

cd ~/Dave

ls -al

total 4032
drwxr-xr-x  3 root root    4096 Oct  6 13:23 .
drwx------ 12 root root    4096 Oct  6 13:21 ..
-rwxr-xr-x  1 root root 2068291 Oct  4 16:34 Dave
-rw-r--r--  1 root root     121 Oct  4 16:36 Dockerfile
-rwxr-xr-x  1 root root 2034794 Oct  4 16:44 hello
-rw-r--r--  1 root root      76 Oct  4 16:34 hello.go
-rwxr-xr-x  1 root root      32 Oct  6 13:21 hello.sh

so I was then able to run a scan: -

sonar-scanner \
  -Dsonar.projectKey=dave_test \
  -Dsonar.sources=. \
  -Dsonar.host.url=http://10.0.0.10:9000 \
  -Dsonar.login=hah82889fhqwhabe9173283

and a scan magically appeared in the SQ web UI: -
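Here's a small wrapper around that scan, as an added example rather than anything from the post or from SonarSource: it refuses to start unless both sonar-scanner and shellcheck are on the scanning client's PATH (the sensor shells out to the shellcheck binary, so having it only on the server isn't enough), lists the shell scripts the sensor will pick up, runs shellcheck on them locally for quick feedback, and then hands the tree to sonar-scanner with the same project key and host URL as above. It assumes the token is supplied in a SONAR_TOKEN environment variable, which is my choice here, not something the post does.

```shell
#!/bin/sh
# Added example, not code from the post. Assumptions: the sonar-scanner CLI from the
# post's zip is on PATH, the token is in $SONAR_TOKEN, and the project key / host URL
# are the ones the post scans with.

# Return 0 if every named tool can be found on PATH; otherwise name the first one
# that is missing on stderr and return 1.
require_tools() {
    for tool in "$@"; do
        if ! command -v "$tool" >/dev/null 2>&1; then
            echo "missing on the scanning client: $tool" >&2
            return 1
        fi
    done
    return 0
}

# List shell scripts under a directory: anything ending in .sh, plus extensionless
# files whose first line is a sh/bash shebang (directly or via /usr/bin/env).
# This is the set of files a ShellCheck run over the project has to find.
find_shell_scripts() {
    dir=${1:-.}
    find "$dir" -type f ! -path '*/.git/*' | while IFS= read -r f; do
        case "$f" in
            *.sh) echo "$f"; continue ;;
        esac
        if head -n 1 "$f" 2>/dev/null | grep -Eq '^#!.*(/|env[[:space:]]+)(ba)?sh([[:space:]]|$)'; then
            echo "$f"
        fi
    done | sort
}

# Check the client-side prerequisites, run shellcheck locally on each script found
# (continuing past findings so every file is reported), then run the SQ scan.
scan_project() {
    require_tools sonar-scanner shellcheck || return 1
    [ -n "$SONAR_TOKEN" ] || { echo "SONAR_TOKEN is not set" >&2; return 1; }
    find_shell_scripts . | while IFS= read -r f; do
        shellcheck "$f" || true
    done
    sonar-scanner \
        -Dsonar.projectKey=dave_test \
        -Dsonar.sources=. \
        -Dsonar.host.url=http://10.0.0.10:9000 \
        -Dsonar.login="$SONAR_TOKEN"
}

# Usage: SONAR_TOKEN=... sh scan.sh run   (from the project directory)
if [ "${1:-}" = "run" ]; then
    scan_project
fi
```

Running shellcheck yourself first also tells you straight away whether the binary is present and what it finds, independent of whether the SQ plugin is wired up.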


However, I did notice this message down on the right-hand side: -

Quality Profile: Use 'ShellCheck' (Shell)

which led me to ShellCheck and sonar-shellcheck and yet more shellcheck ...

I installed the Plugin on the SQ server: -



but was still seeing the same "warning".

Only then did I realise that I was missing something on the "client" side, i.e. on the box from which I'm running the actual SQ scan.

I installed the requisite binary: -

apt-get install shellcheck

which shellcheck

shellcheck --version

ShellCheck - shell script analysis tool
version: 0.4.6
license: GNU General Public License, version 3
website: http://www.shellcheck.net

and re-ran the scan, which reported, in part: -

INFO: 1 source files to be analyzed
INFO: Load project repositories
INFO: Load project repositories (done) | time=23ms
INFO: 1/1 source files have been analyzed
INFO: Sensor SonarGo [go] (done) | time=418ms
INFO: Sensor ShellCheck Sensor [shellcheck]
INFO: Sensor ShellCheck Sensor [shellcheck] (done) | time=257ms
INFO: Sensor JavaXmlSensor [java]
INFO: Sensor JavaXmlSensor [java] (done) | time=2ms
INFO: Sensor HTML [web]
INFO: Sensor HTML [web] (done) | time=5ms
INFO: ------------- Run sensors on project
INFO: Sensor Zero Coverage Sensor
INFO: Sensor Zero Coverage Sensor (done) | time=11ms
INFO: SCM Publisher No SCM system was detected. You can use the 'sonar.scm.provider' property to explicitly specify it.
INFO: CPD Executor 1 file had no CPD blocks
INFO: CPD Executor Calculating CPD for 0 files
INFO: CPD Executor CPD calculation finished (done) | time=0ms
INFO: Analysis report generated in 132ms, dir size=100 KB
INFO: Analysis report compressed in 25ms, zip size=12 KB
INFO: Analysis report uploaded in 27ms

and now my scan looks lovely: -


Yay!
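For a feel of what the ShellCheck sensor is now reporting on, here's an added example of the classic finding, rule SC2086 ("Double quote to prevent globbing and word splitting"). The 32-byte hello.sh above isn't shown in the post, so the functions below are constructed for this illustration and are not the post's script: each pair takes one argument and shows what the shell does with it when the expansion is unquoted versus quoted.

```shell
#!/bin/sh
# Added example, not from the post. Constructed functions showing the defect that
# ShellCheck rule SC2086 reports: an unquoted $1 is re-split on whitespace and run
# through pathname expansion before the command ever sees it.

# Unquoted: "a  b" arrives as two words, and ShellCheck flags this line.
greet_unquoted() {
    set -- $1
    echo "Hello, $# argument(s): $*"
}

# Quoted: the argument reaches echo exactly as it was passed.
greet_quoted() {
    echo "Hello, 1 argument(s): $1"
}

# Count how many words the shell makes out of a single argument.
word_count_unquoted() { set -- $1;   echo "$#"; }
word_count_quoted()   { set -- "$1"; echo "$#"; }

# Pathname expansion is the riskier half: an argument of "*" turns into the
# directory listing. Creates two files in a temp dir so the result is predictable.
expands_glob() {
    tmp=$(mktemp -d)
    : > "$tmp/a"
    : > "$tmp/b"
    ( cd "$tmp" && set -- $1 && echo "$#" )
    rm -rf "$tmp"
}

# Usage: sh sc2086.sh 'some  argument'
if [ "$#" -gt 0 ]; then
    greet_unquoted "$1"
    greet_quoted "$1"
fi
```

With shellcheck installed, running it over this file lists the three unquoted `set -- $1` lines, which is exactly what the SonarQube sensor would surface for the same script.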
