W 700: SonarQube Code Scanner (15 pts)

What You Need

Purpose

To use a code scanner and find coding flaws and vulnerabilities.

Install Docker

In an SSH shell or Terminal window, execute these commands, one at a time. Approve the execution as you are prompted to.
sudo apt update

sudo apt install apt-transport-https ca-certificates \
  gnupg2 software-properties-common curl
  
curl -fsSL https://download.docker.com/linux/debian/gpg | sudo apt-key add -

sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/debian $(lsb_release -cs) stable"

sudo apt install docker-ce

sudo systemctl status docker
Docker is active, as shown below.

Press Q to exit the status display.

Installing the SonarQube Server

In an SSH shell or Terminal window, execute these commands, one at a time.
sudo docker pull sonarqube:10.4.0-community

sudo docker network create sonar-network

sudo docker run -d --name sonar-db --network sonar-network \
  -e POSTGRES_USER=sonar -e POSTGRES_PASSWORD=sonar \
  -e POSTGRES_DB=sonar postgres:9.6

sudo docker run -d --name sonar -p 9000:9000 --network sonar-network \
  -e SONAR_JDBC_URL=jdbc:postgresql://sonar-db:5432/sonar \
  -e SONAR_JDBC_USERNAME=sonar -e SONAR_JDBC_PASSWORD=sonar sonarqube:10.4.0-community

sudo ss -pant
You see "docker-proxy" listening on port 9000, as shown below.
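The two docker run commands above return immediately, but SonarQube takes a minute or two to finish starting, and the dashboard gives a blank page or an error until it does. The script below is an added example, not part of the original lab: it starts the same sonar-db and sonar containers as above and then polls SonarQube's /api/system/status endpoint until it reports UP. Container names, the network name, the image tag and the sonar/sonar database credentials are the lab's; the DB_PASSWORD and SONAR_URL variables, the file name sonar-up.sh and the 60-try limit are assumptions.

```shell
#!/bin/sh
# Added example (not from the lab page): start the lab's sonar-db and sonar
# containers, then wait until SonarQube reports itself UP.
# Usage:  sh sonar-up.sh up      (does nothing when run without "up")

NETWORK=sonar-network
DB_PASSWORD=${DB_PASSWORD:-sonar}        # lab value; fine for a throwaway VM only
SONAR_IMAGE=sonarqube:10.4.0-community
SONAR_URL=${SONAR_URL:-http://localhost:9000}

# Pull the "status" value out of the JSON that GET /api/system/status returns,
# e.g. {"id":"...","version":"...","status":"UP"}  ->  UP
# Pure text processing, so it can be checked without a running server.
sonar_status_from_json() {
    printf '%s' "$1" | sed -n 's/.*"status":"\([A-Z_]*\)".*/\1/p'
}

# Poll the status endpoint every 5 s, up to $1 tries (default 60).
# Returns 0 once the status is UP, 1 if we give up first.
wait_for_sonar() {
    tries=${1:-60}
    while [ "$tries" -gt 0 ]; do
        body=$(curl -s "$SONAR_URL/api/system/status" 2>/dev/null || true)
        if [ "$(sonar_status_from_json "$body")" = "UP" ]; then
            return 0
        fi
        tries=$((tries - 1))
        sleep 5
    done
    return 1
}

# Same containers as the lab, with the network created only if it is missing.
start_containers() {
    sudo docker network inspect "$NETWORK" >/dev/null 2>&1 \
        || sudo docker network create "$NETWORK"
    sudo docker run -d --name sonar-db --network "$NETWORK" \
        -e POSTGRES_USER=sonar -e POSTGRES_PASSWORD="$DB_PASSWORD" \
        -e POSTGRES_DB=sonar postgres:9.6
    sudo docker run -d --name sonar -p 9000:9000 --network "$NETWORK" \
        -e SONAR_JDBC_URL=jdbc:postgresql://sonar-db:5432/sonar \
        -e SONAR_JDBC_USERNAME=sonar -e SONAR_JDBC_PASSWORD="$DB_PASSWORD" \
        "$SONAR_IMAGE"
}

if [ "${1:-}" = "up" ]; then
    start_containers
    if wait_for_sonar 60; then
        echo "SonarQube is UP at $SONAR_URL; log in as admin/admin and change the password"
    else
        echo "SonarQube did not come up in time; check: sudo docker logs sonar" >&2
        exit 1
    fi
fi
```

Until the status is UP the endpoint returns STARTING (or DB_MIGRATION_NEEDED on an upgrade), which is why the loop compares the extracted value rather than just checking that port 9000 answers.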

Finding your Linux Server's IP Address

On your Debian machine, in a Terminal or SSH window, execute this command:
ip a
Make a note of your Linux server's IP address. You'll need it later.

Launching the Dashboard

In a Web browser, go to the address of your server on port 9000. When I did it, I used this URL:
http://172.16.123.132:9000
Log in with the username admin and a password of admin.

Choose a new password, such as P@ssw0rd

The dashboard appears, as shown below.

Creating a New Project

Click "Create a local project".

Enter a display name of W700, as shown below.

Click Next.

On the "Set up project for Clean as You Code" page, click the "Use the global setting" button and click the "Create project" button.

On the "Analysis Method" page, click Locally.

On the "Analyze your project" page, as shown below, click Generate.

Your token appears, as shown below. Copy it to a text editor so you can use it later.

Click Continue.

In the "Run analysis on your project" section, click the Other button, outlined in red in the image below.

Select the OS of your local machine (the machine you are opening Web pages on) and follow the instructions that appear to download and install the Scanner, as shown below.

Download and unzip the sonar scanner. On my Mac, I downloaded and unzipped this file:

sonar-scanner-cli-5.0.1.3006-macosx.zip

I moved the sonar-scanner-cli-5.0.1.3006-macosx folder to my home directory and renamed it sonar-scanner.

Make a note of the complete path to the executable sonar-scanner file.

On my system, it was:

/Users/sambowne/sonar-scanner/bin/sonar-scanner

Downloading and Scanning Vulnerable Code

On your host system, in a command prompt, execute these commands. In the second one, replace the scanner path, the server IP address, and the token with the values you noted earlier:
git clone https://github.com/OWASP/OWASPWebGoatPHP.git

/Users/sambowne/sonar-scanner/bin/sonar-scanner \
  -Dsonar.projectKey=W700 \
  -Dsonar.sources=OWASPWebGoatPHP \
  -Dsonar.host.url=http://172.16.123.132:9000 \
  -Dsonar.token=sqp_b05100f00211b0b9013ea3527eecaf6ba93c95df
It analyzes over 700 files, as shown below.
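Passing the token with -Dsonar.token on the command line, as above, leaves it in your shell history and makes it readable by other local users through the process list. The script below is an added example, not part of the lab and not SonarSource's code: it performs the same scan of OWASPWebGoatPHP for project key W700, but keeps the non-secret settings in a sonar-project.properties file inside the source tree and takes the token from the SONAR_TOKEN environment variable, which the scanner CLI reads. The SCANNER and SONAR_HOST_URL defaults are assumptions taken from the paths and address used above; adjust them for your machine.

```shell
#!/bin/sh
# Added example (not from the lab page): run the W700 scan without putting
# the token on the command line.
# Usage:  read -s SONAR_TOKEN && export SONAR_TOKEN && sh scan-w700.sh scan

SCANNER=${SCANNER:-$HOME/sonar-scanner/bin/sonar-scanner}
SONAR_HOST_URL=${SONAR_HOST_URL:-http://172.16.123.132:9000}

# Write sonar-project.properties into source tree $1 for project key $2.
# Only non-secret settings go in this file; the token deliberately does not,
# because the file is likely to end up committed to the repository.
write_scanner_config() {
    dir=$1; key=$2
    cat > "$dir/sonar-project.properties" <<EOF
sonar.projectKey=$key
sonar.projectName=$key
sonar.sources=.
sonar.host.url=$SONAR_HOST_URL
sonar.sourceEncoding=UTF-8
EOF
}

# Succeeds only if the properties file in $1 carries no credential-looking key.
config_has_no_secret() {
    ! grep -Eiq '^sonar\.(token|login|password)=' "$1/sonar-project.properties"
}

# Run the scanner from inside $1 so it picks up sonar-project.properties.
# The token is supplied through the SONAR_TOKEN environment variable only.
run_scan() {
    dir=$1
    if [ -z "${SONAR_TOKEN:-}" ]; then
        echo "SONAR_TOKEN is not set; run:  read -s SONAR_TOKEN && export SONAR_TOKEN" >&2
        return 1
    fi
    (cd "$dir" && "$SCANNER")
}

if [ "${1:-}" = "scan" ]; then
    [ -d OWASPWebGoatPHP ] || git clone https://github.com/OWASP/OWASPWebGoatPHP.git
    write_scanner_config OWASPWebGoatPHP W700
    config_has_no_secret OWASPWebGoatPHP || { echo "refusing: secret in properties file" >&2; exit 1; }
    run_scan OWASPWebGoatPHP
fi
```

Running the scanner from inside the cloned directory with sonar.sources=. analyzes the same files as the -Dsonar.sources=OWASPWebGoatPHP form above. Since the token is generated per project in the dashboard, revoking it there (Administration, Security, Users, Tokens) is the fix if it is ever exposed.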

Viewing Results

An Overview page opens in the browser, as shown below.

Flag W 700.1: Vulnerability (15 pts)

In the Overview page, in the Security section, click the number 1.

Click the blue text saying "Use secure mode and padding scheme".

Click the "How can I fix it?" tab.

The flag is the word covered by a green rectangle in the image below.

Posted 12-13-23
Minor updates 2-26-24