Definitive Getting Started Guide for SonarQube on Linux

Published:1 June 2022 - 8 min. read

Securing the code you’re writing or pushing into your repository is crucial. But how do you keep your code safe and have no vulnerabilities? Luckily, SonarQube can help with code quality and code security.

SonarQube is an open-source tool that allows you to scan your source code to look for potential bugs, vulnerabilities, and maintainability issues. And in this tutorial, you’ll learn how to install the SonarQube on Ubuntu and verify code quality by testing a sample code.

Empower yourself with SonarQube for code quality analysis and reporting today!

Prerequisites

This tutorial will be a step-by-step demonstration. To follow along, be sure you have an Ubuntu 14.04.4 LTS Linux machine or greater. This tutorial uses an Ubuntu 20.04.4 LTS machine.

Installing Java Version 11 on Ubuntu

Before you dive into the installation of SonarQube, you need Java to be present on the system, as SonarQube is based on the Java language. You can use multiple Java implementations to work with Jenkins, but OpenJDK is the most popular, which you will install and use in this tutorial. Let’s install Java!

1. Log in to your Ubuntu machine using your favorite SSH client.

2. Next, run the apt update command below to update your system packages.

sudo apt update
Updating System Packages
Updating System Packages

3. Once updated, run the following commands to create a directory named ~/install_sonarqube_demo and switch to that directory.

mkdir ~/install_sonarqube_demo
cd ~/install_sonarqube_demo

4. Now, run the apt install command below to install Java on your machine. The below command installs the Open JDK 11 version.

# Installing Java Version: Java SE 11 (LTS)
sudo apt install default-jdk 
Installing Java Version: Java SE 11 (LTS)
Installing Java Version: Java SE 11 (LTS)

5. Finally, run the below command to check the version of installed Java on your machine. Doing so ensures that you’ve successfully installed Java.

java -version
Checking the Installed Java Version
Checking the Installed Java Version

Installing SonarQube on Ubuntu

Now that you have Java installed on your Ubuntu machine, you’re ready to install SonarQube on the same machine. Installing SonarQube is similar to installing other packages.

SonarQube works on different operating systems, such as Windows and Linux. But for this demo, you’ll run SonarQube on an Ubuntu server.

1. Run the following commands to create a dedicated user with a password you’ll use to install SonarQube. You can define your own user, but this tutorial’s choice is sonaruser.

sudo useradd sonaruser
sudo passwd sonaruser
Adding the SonarQube User and Password
Adding the SonarQube User and Password

2. Next, run the wget command below to download the SonarQube software to your system. Your version of SonarQube may be different than the one demonstrated here.

wget https://binaries.sonarsource.com/Distribution/sonarqube/sonarqube-9.4.0.54424.zip
Downloading the SonarQube Zip file
Downloading the SonarQube Zip file

3. Run each command below to install the unzip package and unzip the SonarQube zip file on your machine (sonarqube-9.4.0.54424.zip).

# Install the unzip package
sudo apt -y install unzip
# Unzip the SonarQube zip file
sudo unzip sonarqube-9.4.0.54424.zip
Unzipping the SonarQube Package
Unzipping the SonarQube Package

4. Lastly, run the chown command below to make sure the user and the group of the SonarQube directory is the user (sonaruser) you created in step one.

Be sure to change the home directory (/home/ubuntu/) with your own.

sudo chown -R sonaruser:sonaruser /home/ubuntu/install_sonarqube_demo/sonarqube-9.4.0.54424

Setting up a Database for SonarQube

You’ve successfully installed SonarQube on your machine, but to configure the SonarQube, you’ll need a database to store the data. How? For this tutorial, you’ll install the Postgres database and create a database for SonarQube.

1. Run the wget command below to add the Postgres public key (apt-key) to your system.

Adding the public key allows the Postgres site to download the Postgres official repository or any required packages.

wget -q https://www.postgresql.org/media/keys/ACCC4CF8.asc -O- | sudo apt-key add -
Adding the Postgres Public Key to the System
Adding the Postgres Public Key to the System

2. Next, run the following commands to add the Postgres official repository to your system and update your system.

echo "deb [arch=amd64] http://apt.postgresql.org/pub/repos/apt/ focal-pgdg main" | sudo tee /etc/apt/sources.list.d/postgresql.list
sudo apt update
Adding the Postgres Official Repository and Updating the System Packages
Adding the Postgres Official Repository and Updating the System Packages

3. After the update, run each command below to install the Postgres package and verify the installation.

# Install Postgres
sudo apt install postgresql-13
# Verify Postgres installation
sudo systemctl status postgresql
Installing Postgres Software
Installing Postgres Software
Verifying Postgres Database Installation
Verifying Postgres Database Installation

4. Now, run each command and query to create a database (sonardb) and a user (sonaruser) in the database.

# Set the Postgres user password (passwd postgres). 
# By default, Postgres runs using the postgres user.
sudo passwd postgres
# Switch to postgres user
su - postgres
# Create a user in the database, which will be used in SonarQube.
createuser sonaruser
# Switch to postgres command-line
psql
# Sets password for the sonaruser
ALTER USER sonaruser WITH ENCRYPTED password 'password';
# Create the database (sonardb)
CREATE DATABASE sonardb OWNER sonaruser;
Creating a Database (sonardb) on Postgres DB
Creating a Database (sonardb) on Postgres DB

5. Run the below command or press Ctrl+D to exit from the Postgres command line.

\q
Exiting Postgres Command-Line
Exiting Postgres Command-Line

6. Finally, run the command below or press Ctrl+D to logout from the postgres user.

logout
Logging Out from the postgres User
Logging Out from the postgres User

Configuring SonarQube

At this point, you’ve created a database to store data. Now, it’s time to create a configuration file with correct database details and run SonarQube as a service.

Note that editing configuration files throughout this section requires sudo access.

1. Create a SonarQube’s configuration file (/home/ubuntu/install_sonarqube_demo/sonarqube-9.4.0.54424/conf/sonar.properties) in your preferred text editor.

Be sure to change /home/ubuntu with your home directory.

2. Update the SonarQube with the following, save the changes and close the file:

  • sonar.jdbc.username – Set the sonar username (sonaruser).
  • sonar.jdbc.password – Sets the sonaruser’s password (password).
  • sonar.jdbc.url – Sets the database (sonardb) where SonarQube will store data.
Updating Sonar Cube Configuration
Updating Sonar Cube Configuration

3. Next, open the /etc/systemd/system/sonar.service file in your text editor and add the code below. But be sure to change /home/ubuntu with your own home directory, save the changes and close the editor.

This code creates the SonarQube service, which always runs in the background even when your system restart.

[Unit]
Description=SonarQube
After=syslog.target network.target
[Service]
Type=forking
ExecStart=/home/ubuntu/install_sonarqube_demo/sonarqube-9.4.0.54424/bin/linux-x86-64/sonar.sh start
ExecStop=/home/ubuntu/install_sonarqube_demo/sonarqube-9.4.0.54424/bin/linux-x86-64/sonar.sh stop
LimitNOFILE=131072
LimitNPROC=8192
User=sonaruser
Group=sonaruser
Restart=on-failure
[Install]
WantedBy=multi-user.target

4. Now, run the below systemctl command to reload the daemon (daemon-reload). This command doesn’t provide output but sets the service you created load in the system and runs in the next system reboot.

sudo systemctl daemon-reload

5. Run each command below to enable and start the sonar service, and verify the service is running.

# Enabling the sonar service
sudo systemctl enable sonar.service
# Starting the sonar service
sudo systemctl start sonar
# Verifying the sonar service
sudo systemctl status sonar

The default operating system limits on mmap counts are too low. This behavior may result in out-of-memory exceptions. If your service stops, run the below command to solve it: sudo sysctl -w vm.max_map_count=262144

Viewing the SonarQube Service’s Status
Viewing the SonarQube Service’s Status

Accessing SonarQube and Scanning Code

SonarQube is now installed, and the service is running. But how do you know that SonarQube is actually running? With the service started, verify the server is correctly running by accessing SonarQube’s default web page on your browser.

1. Open your favorite web browser and navigate to your IP address followed by port 9000 (i.e., 52.15.72.168:9000). If all goes well, you’ll see SonarQube’s login page below.

Log in to SonarQube using admin for both the username and password.

Accessing SonarQube
Accessing SonarQube

2. Once you log in successfully, enter the old (admin) and new password (anything you like) when prompted, and click Update to change the current password.

After updating the password, you’ll see the SonarQube home page (step three).

Updating Password
Updating Password

3. Next, click Manually as you’ll create the project on your Ubuntu machine rather than taking it from any repository.

Initiating Creating a Project Manually
Initiating Creating a Project Manually

4. Now, define the project details, as shown below, and click on Set Up. This tutorial uses ATA-Learning for the Project display name and the Project key.

Take note of the project key, as you’ll need it when you run the scan later.

Specifying the Project Name
Specifying the Project Name

5. Select the Locally option since you’re creating your project on your local machine.

Locally option
Locally option

6. Next, generate a token with the following:

  • Select the Generate a token option.
  • Enter a name for the token. In this case, name the token the same as your project’s name (ATA-Learning) you set in step four.
  • Click on Generate to generate a token associated with your project.
Generating Token for ATA-Learning Project
Generating Token for ATA-Learning Project

7. Note down the generated token, and click on Continue. You’ll need this token for scanning your code or local files later.

Noting Down the Generated Token
Noting Down the Generated Token

8. Now, run the following commands to download the SonarQube Scanner client zip file on your machine and unzip the file.

# Download the SonarQube Scanner client zip
wget https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-4.7.0.2747-linux.zip
# Unzip the SonarQube Scanner client zip file
unzip sonar-scanner-cli-4.7.0.2747-linux.zip
Downloading the SonarQube Scanner
Downloading the SonarQube Scanner
Unzipping the SonarQube Scanner
Unzipping the SonarQube Scanner

9. Run the following command while in the /home/ubuntu/install_sonarqube_demo/sonar-scanner-4.7.0.2747-linux/bin directory to run the scanner.

Replace the following accordingly:

  • ATA-Learning – Your actual project key.
  • http://54.145.237.10:9000 – The URL you use to access SonarQube.
  • token - The token you noted down in step seven.
./sonar-scanner  \
>   -Dsonar.projectKey=ATA-Learning \
>   -Dsonar.sources=. \
>   -Dsonar.host.url=http://54.145.237.10:9000 \
>   -Dsonar.login=token
Running the Scan
Running the Scan
Viewing the Scan Result
Viewing the Scan Result

10. Finally, hop over to your SonarQube dashboard, click on the Projects tab, and see the first execution (scan) for your project (ATA-Learning) Passed.

Checking the Scan Result via the SonarQube Dashboard
Checking the Scan Result via the SonarQube Dashboard

Conclusion

In this tutorial, you’ve learned how to set up a SonarQube and scan the data stored in your project. Scanning lets you catch tricky bugs to prevent a heavy impact on end-users.

SonarQube realizes vulnerabilities that compromise your app and offers cleaner and safer code writing. And since you now have a fully functional SonarQube installed in your machine, what do you plan to scan in your next project?

Hate ads? Want to support the writer? Get many of our tutorials packaged as an ATA Guidebook.

Explore ATA Guidebooks

Looks like you're offline!