diff --git a/Dockerfile b/Dockerfile
index 184babb..a7b8a30 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,7 @@
-FROM sonarqube:8.2-community
+FROM sonarqube:9.9.1-community
+
+# if you're upgrading from 8.2.2 you'll need this intermediate image to do the DB upgrade. See docs/upgrading-lts.md
+# FROM sonarqube:8.9.10-community
 MAINTAINER Erik Jacobs
 MAINTAINER Siamak Sadeghianfar
@@ -19,7 +22,7 @@ LABEL summary="$SUMMARY" \
     release="$SONAR_VERSION"
 # Define Plug-in Versions
-ARG SONAR_ZAP_PLUGIN_VERSION=1.2.0
+ARG SONAR_ZAP_PLUGIN_VERSION=2.3.0
 ENV SONARQUBE_PLUGIN_DIR="$SONARQUBE_HOME/extensions/plugins"
 # Switch to root for package installs
@@ -27,20 +30,6 @@ USER 0
 RUN apt-get update && \
     apt-get install -y curl zip
-# ===============================================================================================
-# Mitigation for CVE-2021-44228 and CVE-2021-45046
-# - Set LOG4J_FORMAT_MSG_NO_LOOKUPS=true
-# - Remove JndiLookup.class from the classpath.
-#
-# References:
-# - https://logging.apache.org/log4j/2.x/security.html
-#
-# Search for jars containing JndiLookup.class:
-# - find / -name log4j-core*.jar -exec unzip -vl {} \; 2>/dev/null | grep JndiLookup.class
-# -----------------------------------------------------------------------------------------------
-ENV LOG4J_FORMAT_MSG_NO_LOOKUPS=true
-RUN find / -name log4j-core*.jar -exec zip -q -d {} org/apache/logging/log4j/core/lookup/JndiLookup.class \; 2>/dev/null
-# ===============================================================================================
 # ================================================================================================================================================================================
 # Bundle Plug-in(s)
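Review bot: `FROM sonarqube:9.9.1-community` pins a tag but not a digest, so a rebuild can silently pick up a different image published under the same tag; for an image whose job is security scanning, `FROM sonarqube:9.9.1-community@sha256:<digest-of-the-tested-image>` keeps the base reproducible and auditable. The commented-out `# FROM sonarqube:8.9.10-community` line is a helpful breadcrumb, but the comment above it should say that the intermediate image must be built and deployed once and then reverted, since a reader skimming the Dockerfile may leave it active.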
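Review bot: Removing the Log4Shell mitigation leaves nothing on the new side saying why it is safe to drop, so the next reader cannot tell whether the 9.9.1 base was checked for a patched Log4j; keep a one-line comment where the block was, e.g. `# CVE-2021-44228/CVE-2021-45046 workaround removed: base image ships a fixed Log4j (checked with find / -name 'log4j-core*.jar')`, and note the version found in the commit message. The `zip` package on the `apt-get install -y curl zip` context line was installed for the `zip -q -d` call being removed; if the plug-in bundling step further down does not use it, drop it from the install line to shrink the image. That install line also leaves `/var/lib/apt/lists` in the layer; `--no-install-recommends` plus `&& rm -rf /var/lib/apt/lists/*` is the usual pairing, though the line itself is pre-existing context.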
@@ -58,7 +47,9 @@ WORKDIR $SONARQUBE_HOME
 # random UIDs.
 RUN chown -R 1001:0 "$SONARQUBE_HOME" \
     && chgrp -R 0 "$SONARQUBE_HOME" \
-    && chmod -R g+rwX "$SONARQUBE_HOME" \
-    && chmod 775 "$SONARQUBE_HOME/bin/run.sh"
+    && chmod -R g+rwX "$SONARQUBE_HOME"
+
+EXPOSE 9000
+# this sets the default user for running in openshift
 USER 1001
diff --git a/README.md b/README.md
index eeee565..efd6a2a 100644
--- a/README.md
+++ b/README.md
@@ -46,12 +46,12 @@ SonarQube server images are now available on DockerHub:
 ### Building the SonarQube Server Image
-The SonarQube server image (`bcgovimages/sonarqube:8.2.2`) is already available on DockerHub, so **you do not have to repeat this step** unless you are building a customized or updated version of the SonarQube Server.
+The SonarQube server image (`bcgovimages/sonarqube:9.9.1`) is already available on DockerHub, so **you do not have to repeat this step** unless you are building a customized or updated version of the SonarQube Server.
 Logon to your `tools` project and run the following command:
 ```bash
-oc new-build https://github.com/BCDevOps/sonarqube --strategy=docker --name=sonarqube --to=sonarqube:8.2.2
+oc new-build https://github.com/BCDevOps/sonarqube --strategy=docker --name=sonarqube --to=sonarqube:9.9.1
 ```
 ### Deploy on OpenShift
@@ -62,7 +62,7 @@ The [sonarqube-postgresql-template](./sonarqube-postgresql-template.yaml) has be
 Logon to your `tools` project and run the following command:
 ```bash
-oc new-app -f sonarqube-postgresql-template.yaml --param=SONARQUBE_VERSION=8.2.2
+oc new-app -f sonarqube-postgresql-template.yaml --param=SONARQUBE_VERSION=9.9.1
 ```
 ### Change the Default Admin Password
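Review bot: The re-added `+    && chmod -R g+rwX "$SONARQUBE_HOME"` makes the whole install tree — including the JARs under `lib/` and the bundled plug-ins — writable by whatever arbitrary UID runs as group 0, so the service can rewrite its own code at runtime. Only the directories SonarQube writes at runtime need group write; in the upstream image those are `data`, `logs`, `temp` and `extensions` (confirm against the 9.9.1 layout), e.g. `&& chmod -R g+rwX "$SONARQUBE_HOME/data" "$SONARQUBE_HOME/logs" "$SONARQUBE_HOME/temp" "$SONARQUBE_HOME/extensions"`. Dropping `chmod 775 "$SONARQUBE_HOME/bin/run.sh"` presumably means that script is gone from the new base; a short comment naming the entrypoint the image now relies on would stop someone re-adding it. The comment that ends in `# random UIDs.` begins above this hunk.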
@@ -126,7 +126,7 @@ You can now browse your project report on the SonarQube server site. To find the
 Now that you have static scanning, you'll probably notice your code coverage results are at 0% since no unit tests are being executed during the scan. You'll likely what to integrate unit tests into the scans so you get code coverage metrics to help you determine how well you are testing your code. **As you journey down this road, please contribute your experience back to this project to make it better for the whole community.**
 ### Integrate OWASP ZAP Security Vulnerability Scanning into SonarQube
-To make the results of your ZAP security vulnerability scanning accessible and therefore more actionable, you can integrate the scan results into a SonarQube project report. To accomplish this you can use the [ZAP Plugin for SonarQube](https://github.com/Coveros/zap-sonar-plugin), which is bundled in the `bcgovimages/sonarqube:8.2.2` image.
+To make the results of your ZAP security vulnerability scanning accessible and therefore more actionable, you can integrate the scan results into a SonarQube project report. To accomplish this you can use the [ZAP Plugin for SonarQube](https://github.com/Coveros/zap-sonar-plugin), which is bundled in the `bcgovimages/sonarqube:9.9.1` image.
 The [SonarQube-Integrated-ZapScan-Jenkinsfile](./jenkins/SonarQube-Integrated-ZapScan-Jenkinsfile) example shows you how to utilize ZAP and the plug-in together to perform a ZAP security vulnerability scan on your application, and then publish the report with SonarQube. The example can be used as a starting point for your project.
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..cd23263
--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,16 @@
+version: "3.7"
+services:
+  sonarqube:
+    container_name: sonarqube
+    build:
+      context: ./
+      dockerfile: Dockerfile
+      network: host
+    ports:
+      - 9000:9000
+    networks:
+      - backend
+
+networks:
+  backend:
+    driver: "bridge"
\ No newline at end of file
diff --git a/docs/upgrading-lts.md b/docs/upgrading-lts.md
new file mode 100644
index 0000000..f292e2c
--- /dev/null
+++ b/docs/upgrading-lts.md
@@ -0,0 +1,10 @@
+# Upgrading LTS versions of SonarQube
+
+If you're running a version of SonarQube several versions behind the current LTS you'll need to systematically upgrade to each LTS version and trigger the DB upgrade.
+
+Example to upgrade from 8.2.2 to 9.9.1-community you first need to upgrade the an intermediate LTS version 8.9.10-community
+The DB upgrade is straight forward. Once 8.9.10-community has been updated in your dockerfile and deployed (remember turn off the pod for your existing sonarqube as only one instance can run at a time) you'll need to navigate to {yourURL}/upgrade and press the button to upgrade the database.
+
+You'll then do it again with 9.9.1 to upgrade the docker file and the db with the /upgrade url.
+
+Now, we did have one catch with this upgrade. The base OS on 8.9.10-community is Alpine where the other versions of LTS are Ubuntu. This means the apt-get commands in the docker file will fail and can be replaced with apk commands if you choose. Since it was just an intermediate upgrade we opted not to bother with the apk upgrades.
diff --git a/sonarqube-postgresql-template.yaml b/sonarqube-postgresql-template.yaml
index 77f4caa..c779289 100644
--- a/sonarqube-postgresql-template.yaml
+++ b/sonarqube-postgresql-template.yaml
@@ -435,7 +435,7 @@ parameters:
 - displayName: SonarQube version
   name: SONARQUBE_VERSION
   required: true
-  value: "8.2.2"
+  value: "9.9.1"
 - description: Password for SonarQube Server PostgreSQL backend
   displayName: SonarQube's PostgreSQL Password
   from: "[a-zA-Z0-9]{16}"
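Review bot: `network: host` (which the key name suggests sits under `build:`, the only place Compose accepts that key) runs every `RUN` step of the Dockerfile in the host's network namespace, which the build does not visibly require — it fetches with `apt-get` and `curl` over the public network — and which lets build steps reach host-local services; drop it, or keep it with a comment naming the reason, e.g. `network: host  # only needed when the build must reach a host-local proxy`. `ports: - 9000:9000` publishes on every host interface; for a local development compose file `- "127.0.0.1:9000:9000"` (quoted, as the Compose reference recommends for port strings) limits exposure to the machine. The `version: "3.7"` key is ignored by recent Compose releases and can go.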