integrating with SonarQube to show vulnerabilities metrics

Author: newlight77

pom.xml

@@ -7,11 +7,19 @@
   <version>0.0.1-SNAPSHOT</version>
   <name>JavaVulnerableLab Maven Webapp</name>
   <url>http://maven.apache.org</url>
+  <properties>
+      <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+      <jetty-version>9.4.0.v20161208</jetty-version>
+      <spring.version>4.0.2.RELEASE</spring.version>
+      <tomcat.version>8.0.28</tomcat.version>
+      <maven.compiler.source>1.8</maven.compiler.source>
+      <maven.compiler.target>1.8</maven.compiler.target>
+  </properties>
   <dependencies>
     <dependency>
       <groupId>junit</groupId>
       <artifactId>junit</artifactId>
-      <version>3.8.1</version>
+      <version>4.12</version>
       <scope>test</scope>
     </dependency>
     <dependency>

sonar-project.properties

@@ -0,0 +1,14 @@
+sonar.projectKey=org.cysecurity:JavaVulnerableLab
+sonar.projectName=pJavaVulnerableLab
+sonar.projectVersion=0.0.1-SNAPSHOT
+sonar.sources=src/main/java
+sonar.sourceEncoding=UTF-8
+sonar.binaries=target/classes
+sonar.java.binaries=target/classes
+sonar.tests=src/test/java
+sonar.scm.provider=git
+
+#Java report only
+sonar.language=java
+
+sonar.zaproxy.reportPath=${WORKSPACE}/zaproxy-report.xml

sonarqube/Dockerfile

@@ -0,0 +1,10 @@
+
+FROM sonarqube:lts
+USER root
+RUN apt-get update && apt-get install -y wget
+
+USER sonarqube
+RUN wget https://github.com/Coveros/zap-sonar-plugin/releases/download/sonar-zap-plugin-1.2.0/sonar-zap-plugin-1.2.0.jar -O /opt/sonarqube/extensions/plugins/sonar-zap-plugin-1.2.0.jar
+
+ENTRYPOINT ["./bin/run.sh"]
+

sonarqube/Java-SonarQube-OWASP-Vulnerabilities.png

@@ -0,0 +1,30 @@
+#!/bin/sh
+
+set -e
+
+if [ "${1:0:1}" != '-' ]; then
+  exec "$@"
+fi
+
+#chown -R sonarqube:sonarqube $SONARQUBE_HOME
+exec
+  java -jar lib/sonar-application-$SONAR_VERSION.jar \
+  -Dsonar.log.console=true \
+  -Dsonar.jdbc.username="$SONARQUBE_JDBC_USERNAME" \
+  -Dsonar.jdbc.password="$SONARQUBE_JDBC_PASSWORD" \
+  -Dsonar.jdbc.url="$SONARQUBE_JDBC_URL" \
+  -Dsonar.security.realm="$SONARQUBE_SECURITY_REALM" \
+  -Dsonar.security.savePassword="$SONARQUBE_SECURITY_SAVEPASSWORD" \
+  -Dldap.bindDn="$SONARQUBE_LDAP_BINDDN" \
+  -Dldap.bindPassword="$SONARQUBE_LDAP_BINDPASSWORD" \
+  -Dldap.url="$SONARQUBE_LDAP_URL" \
+  -Dldap.user.baseDn="$SONARQUBE_LDAP_USER_BASEDN" \
+  -Dldap.user.request="$SONARQUBE_LDAP_USER_REQUEST" \
+  -Dldap.user.realNameAttribute="$SONARQUBE_LDAP_USER_REALNAMEATTRIBUTE" \
+  -Dldap.group.baseDn="$SONARQUBE_LDAP_GROUP_BASEDN" \
+  -Dldap.group.request="$SONARQUBE_LDAP_GROUP_REQUEST" \
+  -Dldap.group.idAttribute="$SONARQUBE_LDAP_GROUP_IDATTRIBUTE" \
+  -Dsonar.ce.javaOpts="$SONARQUBE_CE_JVM_OPTS" \
+  -Dsonar.web.javaOpts="$SONARQUBE_WEB_JVM_OPTS" \
+  -Dsonar.web.javaAdditionalOpts="-Djava.security.egd=file:/dev/./urandom" \
+  "$@"

sonarqube/run.sh

@@ -0,0 +1,53 @@
+
+## Add configuration
+
+We need to add sonar configuration for the project to let mvn scan it.
+
+```sh
+echo "
+sonar.projectKey=org.cysecurity:JavaVulnerableLab
+sonar.projectName=pJavaVulnerableLab
+sonar.projectVersion=0.0.1-SNAPSHOT
+sonar.sources=src/main/java
+sonar.sourceEncoding=UTF-8
+sonar.binaries=target/classes
+sonar.java.binaries=target/classes
+sonar.tests=src/test/java
+sonar.scm.provider=git
+
+#Java report only
+sonar.language=java
+
+sonar.zaproxy.reportPath=${WORKSPACE}/zaproxy-report.xml
+" > ./sonar-project.properties
+```
+
+The line below indicates to the Maven Sonar plugin to use the ZAP-Proxy plugin when do a scan in the project codebase : 
+
+```
+sonar.zaproxy.reportPath=${WORKSPACE}/zaproxy-report.xml
+```
+
+## ZAP Sonar plugin
+
+We can use a plugin that has been developed by Gene Gotimer ([zap-sonar-plugin](https://github.com/Coveros/zap-sonar-plugin)). And for information, as per the time this is being tested, that plugin requires SonarQube 7.9.
+
+## SonarQube instance
+
+In order to be able to scan the code for vulnerabilities as well as for code qualimetry (coverage, duplication...), we need a running instance of SonarQube. Here we are using Docker to provide that instance, and by the way we do have to create a Dockerfile adding the Zap-Proxy plugin jar on top of SonarQube docker image `sonarqube:lts`. The Current LTS version is 7.9.
+
+## Run a scan
+
+Run this command to analyse the codebase :
+
+```sh
+mvn sonar:sonar
+```
+
+It connected to the SonarQube server to retrieve informations, such as rules and plugins to apply while scanning the code.
+
+## Quality Metrics
+
+Once this is done, we can see the metrics on SonarQube [Dashboard](http://127.0.0.1:9000/project/issues?id=org.cysecurity%3AJavaVulnerableLab&resolved=false&sonarsourceSecurity=sql-injection&types=SECURITY_HOTSPOT)
+
+![Alt Text](./Java-SonarQube-OWASP-Vulnerabilities.png)