🧩 What is SonarQube?
SonarQube is an open-source platform developed by SonarSource that is used to inspect and continuously analyze the quality of source code. It helps developers identify bugs, code smells, vulnerabilities, and security issues in their code across multiple programming languages.
It integrates with CI/CD pipelines (like Jenkins, GitLab CI, Azure DevOps, etc.) to automatically analyze code every time a change is made.
⚙️ Main Features
-
Static Code Analysis: Detects bugs, code smells, and security vulnerabilities.
-
Multi-Language Support: Supports 25+ languages including Java, C#, Python, JavaScript, Go, PHP, etc.
-
Quality Gates: Enforces minimum quality standards before merging code.
-
Security Reports: Checks for OWASP Top 10 vulnerabilities.
-
Integration: Works with Jenkins, GitHub, Bitbucket, GitLab, and more.
-
Dashboards: Visual reports and metrics for maintainability, reliability, and security.
🌟 Benefits of SonarQube
| Benefit | Description |
|---|---|
| 1. Improved Code Quality | Detects bad practices and enforces coding standards automatically. |
| 2. Early Bug Detection | Finds bugs during development rather than after deployment. |
| 3. Enhanced Security | Identifies vulnerabilities like SQL injection, XSS, etc. |
| 4. Continuous Integration Support | Seamlessly integrates with CI/CD tools for automated checks. |
| 5. Multi-Language Support | Works across many programming languages in the same project. |
| 6. Technical Debt Measurement | Calculates how much effort is needed to fix issues. |
| 7. Custom Quality Gates | You can define thresholds to block builds if quality criteria fail. |
| 8. Easy Reporting | Provides clear dashboards and reports for developers and managers. |
This post walks through a reproducible SonarQube installation on Rocky Linux 8 using PostgreSQL, and shows how to update your Maven pom.xml and run a Sonar scan using the Maven Sonar plugin. Replace example values (versions, hostnames, passwords, tokens) to match your environment. The Sonar HTTP URL used in examples is exactly: http://son01.darole.org:9000
Prerequisites and recommendations
- Root or sudo access on the Rocky Linux 8 host.
- Internet access to download packages.
- Recommended memory: 4 GB minimum for test, 8+ GB for production.
- Recommended disk: 10+ GB free.
- Pick SonarQube version (example uses 9.9 LTS). Ensure matching Java version (Java 17 for SonarQube 9.9+).
- Use a secure password and secure Sonar token in production (examples below use placeholders).
- SonarQube server installed under /opt/sonarqube (run by user sonar).
- PostgreSQL as backing DB (database sonarqube, user sonar).
- Elasticsearch is bundled; kernel parameter vm.max_map_count must be tuned.
- Systemd used to run SonarQube as a service.
Java 17 install and verification
# dnf install -y java-17-openjdk-devel
# java -version
# dnf install -y java-17-openjdk-devel
# java -version
PostgreSQL install, initialize and basic DB creation
# dnf install -y postgresql-server postgresql-contrib
# postgresql-setup --initdb --unit postgresql
# systemctl enable --now postgresql
# dnf install -y postgresql-server postgresql-contrib
# postgresql-setup --initdb --unit postgresql
# systemctl enable --now postgresql
Create DB user and DB (replace password with a secure one)
# sudo -u postgres psql -c "CREATE USER sonar WITH ENCRYPTED PASSWORD 'redhat';"
# sudo -u postgres psql -c "CREATE DATABASE sonarqube OWNER sonar ENCODING 'UTF8' LC_COLLATE='en_US.utf8' LC_CTYPE='en_US.utf8' TEMPLATE template0;"
# sudo -u postgres psql -c "GRANT ALL PRIVILEGES ON DATABASE sonarqube TO sonar;"
pg_hba.conf: ensure password auth for SonarQube
find active file
find active file
# sudo -u postgres psql -t -c "SHOW hba_file;"
Edit /var/lib/pgsql/data/pg_hba.conf and add or move:
# vi /var/lib/pgsql/data/pg_hba.conf
local all sonar md5
host all sonar 127.0.0.1/32 md5
host all sonar ::1/128 md5
Reload postgres after edit
# sudo systemctl reload postgresql
Reset sonar password to match sonar.properties
# sudo -u postgres psql -c "ALTER USER sonar WITH ENCRYPTED PASSWORD 'redhat';"
Download and install SonarQube to /opt
# cd /opt
# dnf install -y unzip curl
# curl -L -O https://binaries.sonarsource.com/Distribution/sonarqube/sonarqube-9.9.0.65466.zip
# unzip sonarqube-9.9.0.65466.zip
# mv sonarqube-9.9.0.65466 sonarqube
Create sonar user, ownership and permissions
# groupadd sonar
# useradd -r -s /sbin/nologin -g sonar sonar
# chown -R sonar:sonar /opt/sonarqube
# chmod -R u+rwX,go-rwx /opt/sonarqube
# groupadd sonar
# useradd -r -s /sbin/nologin -g sonar sonar
# chown -R sonar:sonar /opt/sonarqube
# chmod -R u+rwX,go-rwx /opt/sonarqube
Add the below lines to set JDBC, web host for sonar.properties
# vi /opt/sonarqube/conf/sonar.properties
sonar.jdbc.username=sonar
sonar.jdbc.password=redhat
sonar.jdbc.url=jdbc:postgresql://127.0.0.1:5432/sonarqube
sonar.web.host=0.0.0.0
sonar.web.port=9000
sonar.jdbc.username=sonar
sonar.jdbc.password=redhat
sonar.jdbc.url=jdbc:postgresql://127.0.0.1:5432/sonarqube
sonar.web.host=0.0.0.0
sonar.web.port=9000
Make systemd use Java 17 for SonarQube (drop-in)
# mkdir -p /etc/systemd/system/sonarqube.service.d
# cat > /etc/systemd/system/sonarqube.service.d/java.conf <<'EOF'
[Service]
Environment="JAVA_HOME=/usr/lib/jvm/java-17-openjdk"
Environment="PATH=/usr/lib/jvm/java-17-openjdk/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin"
EOF
[Service]
Environment="JAVA_HOME=/usr/lib/jvm/java-17-openjdk"
Environment="PATH=/usr/lib/jvm/java-17-openjdk/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin"
EOF
# systemctl daemon-reload
Create a systemd unit for SonarQube
# vi /etc/systemd/system/sonarqube.service
[Unit]
Description=SonarQube service
After=syslog.target network.target postgresql.service
[Service]
Type=forking
ExecStart=/opt/sonarqube/bin/linux-x86-64/sonar.sh start
ExecStop=/opt/sonarqube/bin/linux-x86-64/sonar.sh stop
User=sonar
Group=sonar
LimitNOFILE=65536
LimitNPROC=4096
TimeoutStartSec=300
Restart=on-failure
[Install]
WantedBy=multi-user.target
Description=SonarQube service
After=syslog.target network.target postgresql.service
[Service]
Type=forking
ExecStart=/opt/sonarqube/bin/linux-x86-64/sonar.sh start
ExecStop=/opt/sonarqube/bin/linux-x86-64/sonar.sh stop
User=sonar
Group=sonar
LimitNOFILE=65536
LimitNPROC=4096
TimeoutStartSec=300
Restart=on-failure
[Install]
WantedBy=multi-user.target
Elasticsearch kernel tuning
# sysctl -w vm.max_map_count=262144
#cat > /etc/sysctl.d/99-sonarqube.conf <<'EOF'
vm.max_map_count=262144
EOF
vm.max_map_count=262144
EOF
# sysctl --system
Start and check SonarQube
# systemctl enable --now sonarqube
# journalctl -u sonarqube -f
or run interactive for debugging
#sudo -u sonar /opt/sonarqube/bin/linux-x86-64/sonar.sh console
test HTTP
# curl -v http://127.0.0.1:9000/
http://son01.darole.org:9000/
User name: admin
Password: admin
Change the username and password after first login.
Below is dash board of maven
Generate Token and keep safe
Token: sqa_361fedc9dc911e16f5cc6dd1f4a3b3145318c97f
Login to tomd01 servers
Go to project file and update the plugin in pom.xml in plugins sessions.
root@tomd01:/git/tomcat-war# cat pom.xml
.
<plugin>
<groupId>org.sonarsource.scanner.maven</groupId>
<artifactId>sonar-maven-plugin</artifactId>
<version>3.9.1.2184</version>
</plugin>
<artifactId>sonar-maven-plugin</artifactId>
<version>3.9.1.2184</version>
</plugin>
</plugins>
</build>
</project>
Maven command to run a Sonar analysis using a token
root@tomd01:/git/tomcat-war# mvn clean verify sonar:sonar \
-Dsonar.host.url=http://son01.darole.org:9000 \
-Dsonar.login=sqa_361fedc9dc911e16f5cc6dd1f4a3b3145318c97f
root@tomd01:/git/tomcat-war# mvn clean verify sonar:sonar \
-Dsonar.host.url=http://son01.darole.org:9000 \
-Dsonar.login=sqa_361fedc9dc911e16f5cc6dd1f4a3b3145318c97f
# cp /git/tomcat-war/target/SimpleTomcatWebApp.war /opt/tomcat/webapps/
http://tomd01.darole.org:8080/SimpleTomcatWebApp/
Tips for Maven/Sonar usage
- Use a Sonar token (generated in SonarQube user account > Security) instead of a username/password. Keep the token secret.
- You can store sonar.host.url and sonar.login in ~/.m2/settings.xml or CI pipeline environment variables to avoid exposing tokens on the command line.
- For multi-module projects, run the mvn sonar:sonar from the project root. Consider setting sonar.projectKey and sonar.projectName via properties or in the root pom.
Troubleshooting checklist
- If SonarQube fails to start: check /opt/sonarqube/logs/{sonar.log,web.log,es.log,ce.log,nohup.log}.
- Java wrong version: UnsupportedClassVersionError → install Java 17 and set JAVA_HOME.
- Elasticsearch bootstrap failure: vm.max_map_count too low → set to 262144.
- DB connection errors: check pg_hba.conf ordering (first match wins), ensure md5/scram for localhost and that sonar.jdbc.* in sonar.properties matches DB user/password. Test with:
# PGPASSWORD=<your_password> psql -h 127.0.0.1 -U sonar -d sonarqube -c "SELECT 1;"
- Port 9000 not responding: verify Sonar web server started successfully in web.log and that firewall allows access.
Conclusion and next steps
- SonarQube provides code-quality and security analysis for many languages. After installation and Maven integration, tune quality profiles, configure projects, and integrate the scanner into CI for automated code analysis.
- If you want, I can generate a single runnable shell script to perform the full install and basic configuration for Rocky Linux 8, or show an example CI pipeline step for GitLab/GitHub Actions to run Sonar scans securely.
No comments:
Post a Comment