
Before installing any tools, it's important to ensure that your system is up to date. Open a terminal and run the following command to update your system:

sudo yum update

Installing Static Analysis Tools

There are several static code analysis tools compatible with CentOS 7. Popular choices include SonarQube, Fortify, and Coverity. In this article, we'll focus on installing and using SonarQube, which is freely available and supports many programming languages.

Installing SonarQube

  1. Installing Java: SonarQube 8.9 runs on Java 11, so install OpenJDK 11 before anything else:

    sudo yum install java-11-openjdk-devel
    
  2. Download SonarQube: Get the release archive from the SonarQube website. The command below fetches the 8.9 LTS build used throughout this article rather than whatever is newest. Download the checksum or signature file published alongside the archive and verify it before unpacking, so that a tampered download or a truncated transfer is caught now rather than after it is running as a service:

    wget https://binaries.sonarsource.com/Distribution/sonarqube/sonarqube-8.9.0.43852.zip
  3. Extract the downloaded file and move it to an appropriate directory:

    unzip sonarqube-*.zip
    sudo mv sonarqube-8.9.0.43852 /opt/sonarqube
    

Configuring SonarQube

  1. Create a system user: Run SonarQube under a dedicated, unprivileged account. This is not only good hygiene (a compromised SonarQube process then holds nothing beyond its own files); the Elasticsearch instance embedded in SonarQube refuses to start as root:

    sudo useradd -r sonar
    sudo chown -R sonar:sonar /opt/sonarqube
    
  2. Configure the service: Create a systemd unit so SonarQube can be managed with systemctl. Save the following as /etc/systemd/system/sonar.service (Type=forking matches sonar.sh, which daemonizes through its wrapper; the Limit* lines raise the per-process limits that the embedded Elasticsearch requires):

    [Unit]
    Description=SonarQube service
    After=syslog.target network.target

    [Service]
    Type=forking
    User=sonar
    Group=sonar
    ExecStart=/opt/sonarqube/bin/linux-x86-64/sonar.sh start
    ExecStop=/opt/sonarqube/bin/linux-x86-64/sonar.sh stop
    LimitNOFILE=65536
    LimitNPROC=4096

    [Install]
    WantedBy=multi-user.target

    Then reload systemd so it picks up the new unit, and enable and start the service:

    sudo systemctl daemon-reload
    sudo systemctl enable sonar
    sudo systemctl start sonar

    If the service does not stay up, check sudo journalctl -u sonar and the files under /opt/sonarqube/logs/; sonar.log and es.log are where a failed Elasticsearch bootstrap check (for example vm.max_map_count set too low) is reported.
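Two things this procedure silently depends on are that the archive you unpacked is the one SonarSource published and that the host's limits are high enough. SonarQube 8.x documents, for Linux, vm.max_map_count of at least 524288, fs.file-max of at least 131072, and 65536 open files and 4096 threads for the user running it; the embedded Elasticsearch refuses to start below those. The Limit* lines in the unit cover the last two, the first two are kernel sysctls. The pre-flight script below is an added example written for this article, not SonarSource code; the archive path, the placeholder digest, the module name and the use of Python 3 (CentOS 7's python3 package) are its assumptions.

```python
"""Pre-flight checks before starting SonarQube on CentOS 7.

Added example for this article; not SonarSource code. It assumes the archive
sits at DOWNLOAD and that EXPECTED_SHA256 has been copied from the checksum
file published next to the zip (the value below is a placeholder, not a real
digest). Python 3 is assumed.
"""
import hashlib
import resource
import sys

DOWNLOAD = "sonarqube-8.9.0.43852.zip"   # placeholder path, adjust to taste
EXPECTED_SHA256 = "0" * 64               # placeholder: paste the published digest

# Minimums SonarQube 8.x documents for Linux hosts. The embedded Elasticsearch
# runs bootstrap checks at startup and refuses to start below these values.
REQUIRED = {
    "vm.max_map_count": 524288,
    "fs.file-max": 131072,
    "nofile": 65536,  # open files allowed for the sonar user
    "nproc": 4096,    # threads allowed for the sonar user
}


def sha256_hex(data: bytes) -> str:
    """SHA-256 of an in-memory buffer as lower-case hex."""
    return hashlib.sha256(data).hexdigest()


def verify_file_sha256(path: str, expected: str) -> bool:
    """Stream the file through SHA-256 and compare with the published digest.
    A missing or unreadable file is a failed check, never a pass."""
    digest = hashlib.sha256()
    try:
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                digest.update(chunk)
    except OSError:
        return False
    return digest.hexdigest() == expected.strip().lower()


def check_minimums(actual: dict) -> list:
    """Names of settings that are absent from `actual` or below REQUIRED."""
    return sorted(
        name for name, minimum in REQUIRED.items()
        if actual.get(name) is None or actual[name] < minimum
    )


def _read_proc_int(path: str):
    """First integer in a /proc/sys file, or None if it cannot be read."""
    try:
        with open(path) as fh:
            return int(fh.read().split()[0])
    except (OSError, ValueError, IndexError):
        return None


def _soft_limit(which: int) -> int:
    """Soft rlimit of this process; 'unlimited' is treated as very large."""
    soft = resource.getrlimit(which)[0]
    return sys.maxsize if soft == resource.RLIM_INFINITY else soft


def read_current_limits() -> dict:
    """Live values: kernel settings from /proc/sys plus the soft ulimits of
    this process. Run it as the sonar user (or under the systemd unit) to
    see the limits SonarQube will actually get."""
    return {
        "vm.max_map_count": _read_proc_int("/proc/sys/vm/max_map_count"),
        "fs.file-max": _read_proc_int("/proc/sys/fs/file-max"),
        "nofile": _soft_limit(resource.RLIMIT_NOFILE),
        "nproc": _soft_limit(resource.RLIMIT_NPROC),
    }


def main() -> int:
    problems = []
    if not verify_file_sha256(DOWNLOAD, EXPECTED_SHA256):
        problems.append("checksum mismatch or unreadable archive: " + DOWNLOAD)
    for name in check_minimums(read_current_limits()):
        problems.append("%s is below the required %d" % (name, REQUIRED[name]))
    for line in problems:
        print("FAIL:", line)
    if not problems:
        print("pre-flight OK")
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it as the service account (sudo -u sonar python3 preflight.py) so the ulimits it reports are the ones SonarQube will be started with. If the kernel settings are short, raise them with sudo sysctl -w vm.max_map_count=524288 fs.file-max=131072 and persist the same two lines in /etc/sysctl.d/99-sonarqube.conf so they survive a reboot; the script refuses to pass on a checksum mismatch or a missing archive rather than treating either as "unknown".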

Using SonarQube for Code Analysis

  1. Access SonarQube: Open a web browser and navigate to http://<YOUR_SERVER_IP>:9000. Log in with the default credentials (user admin, password admin) and change that password immediately; until you do, anyone who can reach port 9000 has full administrative access. The server listens on plain HTTP, so for anything beyond a lab restrict port 9000 with firewalld and front it with a TLS reverse proxy, otherwise the tokens issued in the next step travel over the network in clear text.

  2. Create a project: Follow the SonarQube web wizard to create a new project and generate a user token for it. The token is displayed once, so store it in your CI system's secret store rather than in a script or repository, and use a token rather than the admin password for scans.

  3. Code Analysis: Install the SonarScanner that matches your build (the standalone sonar-scanner CLI, or the Maven, Gradle or MSBuild integration) and run it from the root of the project. Supply the token from an environment variable injected by your CI system instead of pasting it on the command line, so it does not end up in shell history or build logs; sonar.login is the property name this 8.9 release uses for the token:

    ./sonar-scanner \
    -Dsonar.projectKey=<project_name> \
    -Dsonar.sources=. \
    -Dsonar.host.url=http://<YOUR_SERVER_IP>:9000 \
    -Dsonar.login="$SONAR_TOKEN"
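A scan that only uploads findings changes nothing by itself; the integration earns its keep when the pipeline stops on a red Quality Gate. The script below is an added example for this article, not code from SonarSource or from the scanner. It calls the documented /api/qualitygates/project_status endpoint, sends the token as the HTTP Basic username with an empty password (the form SonarQube expects), and reads SONAR_HOST_URL, SONAR_PROJECT_KEY and SONAR_TOKEN from the environment; those three variable names and the embedded sample response are this example's own constructions.

```python
"""Fail a build when the SonarQube Quality Gate is not green.

Added example for this article; not SonarSource's or the scanner's code.
Assumptions: the host URL, project key and token come from the environment
variables named below, and the token is a SonarQube user token sent as the
Basic-auth username with an empty password.
"""
import base64
import json
import os
import sys
import urllib.parse
import urllib.request

# Constructed sample in the shape the endpoint returns, used for the offline
# self-check; it was not captured from a real server.
SAMPLE_RESPONSE = json.dumps({
    "projectStatus": {
        "status": "ERROR",
        "conditions": [
            {"status": "OK", "metricKey": "new_reliability_rating",
             "comparator": "GT", "errorThreshold": "1", "actualValue": "1"},
            {"status": "ERROR", "metricKey": "new_security_hotspots_reviewed",
             "comparator": "LT", "errorThreshold": "100", "actualValue": "50.0"},
            {"status": "ERROR", "metricKey": "new_coverage",
             "comparator": "LT", "errorThreshold": "80", "actualValue": "45.2"},
        ],
        "ignoredConditions": False,
    }
})


def evaluate_gate(body: str):
    """Parse a project_status body. Returns (passed, failed) where failed is
    a list of one-line descriptions of every condition in ERROR state."""
    status = json.loads(body)["projectStatus"]
    failed = [
        "%s: %s %s %s" % (c["metricKey"], c.get("actualValue", "?"),
                          c["comparator"], c["errorThreshold"])
        for c in status.get("conditions", [])
        if c.get("status") == "ERROR"
    ]
    return status.get("status") == "OK", failed


def fetch_project_status(host: str, project_key: str, token: str,
                         timeout: int = 30) -> str:
    """GET the gate status for one project. A wrong token or project key
    surfaces as urllib.error.HTTPError (401/403/404) rather than a pass."""
    url = "%s/api/qualitygates/project_status?projectKey=%s" % (
        host.rstrip("/"), urllib.parse.quote(project_key, safe=""))
    credentials = base64.b64encode((token + ":").encode("ascii")).decode("ascii")
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + credentials})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def main() -> int:
    try:
        host = os.environ["SONAR_HOST_URL"]
        key = os.environ["SONAR_PROJECT_KEY"]
        token = os.environ["SONAR_TOKEN"]
    except KeyError as missing:
        print("missing environment variable:", missing, file=sys.stderr)
        return 2
    passed, failed = evaluate_gate(fetch_project_status(host, key, token))
    for line in failed:
        print("quality gate condition failed:", line)
    print("quality gate:", "PASSED" if passed else "FAILED")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main())
```

Analysis reports are processed asynchronously by SonarQube's Compute Engine, so call this only after the background task has finished: sonar-scanner writes the task id to .scannerwork/report-task.txt (ceTaskId and ceTaskUrl), and polling api/ce/task?id=<ceTaskId> until its status is SUCCESS before fetching the gate avoids reading the previous analysis. Over plain HTTP the token in the Authorization header is visible on the wire, which is one more reason to put port 9000 behind TLS.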
    


Static code analysis catches whole classes of defects, including many common security weaknesses, early in the development lifecycle, before the code reaches a deployment. SonarQube gives a CentOS 7 host a freely available server that covers many programming languages. Analyzing every change and gating merges on the result is what turns it from a dashboard into a control on the security and quality of your applications.