sudo apt update
sudo apt install apt-transport-https ca-certificates \
gnupg2 software-properties-common curl
curl -fsSL https://download.docker.com/linux/debian/gpg | sudo apt-key add -
sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/debian $(lsb_release -cs) stable"
sudo apt update
sudo apt install docker-ce
sudo systemctl status docker
Docker is active, as shown below.
Press Q to exit the status display.
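The install above pipes the downloaded repository key straight into apt-key, so whatever that download returns is trusted. The script below is an added example, not part of the original lab: it fetches the same key, checks its fingerprint before installing it into a dedicated keyring, and adds the repository with signed-by so only that key can sign it. The expected fingerprint is the one Docker publishes for its Debian repository key; the helper names (normalize_fpr, fingerprint_matches, fpr_from_colons, install_docker_repo) are this example's own.

```shell
#!/bin/sh
# Added example (not from the original lab): add Docker's apt repository only
# after verifying the signing key's fingerprint, instead of `curl | apt-key add -`.
# Assumption: EXPECTED_FPR is the fingerprint Docker publishes for its Debian key;
# check it against https://docs.docker.com/engine/install/debian/ before relying on it.
set -eu

KEY_URL=https://download.docker.com/linux/debian/gpg
KEYRING=/etc/apt/keyrings/docker.gpg
EXPECTED_FPR=9DC858229FC7DD38854AE2D88D81803C0EBFCD88

# Normalise a fingerprint as gpg prints it ("9DC8 5822 ...") so it can be compared.
normalize_fpr() {
  printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# Return 0 when two fingerprints are the same key, 1 otherwise.
fingerprint_matches() {
  [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# Pull the primary key fingerprint out of `gpg --show-keys --with-colons` output:
# the first "fpr" record's 10th colon-separated field is the fingerprint.
fpr_from_colons() {
  printf '%s\n' "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

install_docker_repo() {
  tmp=$(mktemp)
  curl -fsSL "$KEY_URL" -o "$tmp"
  actual=$(fpr_from_colons "$(gpg --show-keys --with-colons "$tmp")")
  if ! fingerprint_matches "$actual" "$EXPECTED_FPR"; then
    echo "Docker key fingerprint mismatch: got '$actual', refusing to add repository" >&2
    rm -f "$tmp"
    return 1
  fi
  sudo install -m 0755 -d /etc/apt/keyrings
  gpg --dearmor < "$tmp" | sudo tee "$KEYRING" >/dev/null
  rm -f "$tmp"
  codename=$(lsb_release -cs)
  # signed-by pins this repository to the verified key rather than every key apt trusts.
  echo "deb [arch=amd64 signed-by=$KEYRING] https://download.docker.com/linux/debian $codename stable" \
    | sudo tee /etc/apt/sources.list.d/docker.list >/dev/null
  sudo apt update
  sudo apt install docker-ce
}

# Only touch the system when run as `sh thisscript.sh install`.
if [ "${1:-}" = "install" ]; then
  install_docker_repo
fi
```

Run it as `sh docker-repo.sh install`; on a mismatch it exits before anything is written under /etc/apt, which is the outcome you want if the download was tampered with or served the wrong key.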
sudo docker pull sonarqube:10.4.0-community
sudo docker network create sonar-network
sudo docker run -d --name sonar-db --network sonar-network \
-e POSTGRES_USER=sonar -e POSTGRES_PASSWORD=sonar \
-e POSTGRES_DB=sonar postgres:9.6
sudo docker run -d --name sonar -p 9000:9000 --network sonar-network \
-e SONAR_JDBC_URL=jdbc:postgresql://sonar-db:5432/sonar \
-e SONAR_JDBC_USERNAME=sonar -e SONAR_JDBC_PASSWORD=sonar sonarqube:10.4.0-community
sudo ss -pant
You see "docker-proxy" listening on port 9000, as shown below.
Troubleshooting
If your Linux machine crashes and you need to recreate the Docker containers, first delete the old ones with this process. Execute this command to view all your containers:
sudo docker ps -a
Then delete them one by one, using the name that appears at the right end of each row, such as "sonar" below:
sudo docker rm sonar
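The two docker run commands above and the troubleshooting steps here are combined in the script below, which is an added example rather than the lab's own commands. It removes any stale sonar and sonar-db containers before recreating them (so it is safe to re-run after a crash), pins the SonarQube image to the same tag the lab pulls, takes the database password from the SONAR_DB_PASSWORD environment variable instead of hard-coding "sonar", and then polls SonarQube's /api/system/status endpoint until the server reports UP, which is what you want to wait for before opening port 9000 in a browser. The function names (jdbc_url, status_from_json, remove_old_containers, wait_for_sonar, bring_up) are this example's own.

```shell
#!/bin/sh
# Added example (not from the original lab): idempotent bring-up of the
# SonarQube + PostgreSQL pair, with a readiness wait.
# Assumptions: the DB password comes from SONAR_DB_PASSWORD (not hard-coded),
# and readiness is read from SonarQube's /api/system/status endpoint.
set -eu

NETWORK=sonar-network
DB_NAME=sonar-db
APP_NAME=sonar
SONAR_IMAGE=sonarqube:10.4.0-community   # same tag the lab pulls, so pull and run match
PG_IMAGE=postgres:9.6                     # as in the lab
SONAR_URL=http://localhost:9000

# Build the JDBC URL SonarQube uses to reach the database container by name.
jdbc_url() {
  printf 'jdbc:postgresql://%s:5432/%s' "$1" "$2"
}

# Extract the "status" value from the JSON /api/system/status returns, without jq.
# SonarQube reports e.g. STARTING, UP, DOWN or DB_MIGRATION_NEEDED.
status_from_json() {
  printf '%s' "$1" | sed -n 's/.*"status"[[:space:]]*:[[:space:]]*"\([A-Z_]*\)".*/\1/p'
}

# The lab's troubleshooting step, automated: remove containers from a previous run.
remove_old_containers() {
  for c in "$APP_NAME" "$DB_NAME"; do
    if docker ps -a --format '{{.Names}}' | grep -qx "$c"; then
      docker rm -f "$c" >/dev/null
    fi
  done
}

# Poll for up to five minutes; SonarQube takes a minute or two to start.
wait_for_sonar() {
  i=0
  while [ "$i" -lt 60 ]; do
    body=$(curl -fsS "$SONAR_URL/api/system/status" 2>/dev/null || true)
    if [ "$(status_from_json "$body")" = "UP" ]; then
      echo "SonarQube is UP at $SONAR_URL"
      return 0
    fi
    i=$((i + 1))
    sleep 5
  done
  echo "SonarQube did not report UP in time; check: docker logs $APP_NAME" >&2
  return 1
}

bring_up() {
  : "${SONAR_DB_PASSWORD:?set SONAR_DB_PASSWORD in the environment first}"
  docker network inspect "$NETWORK" >/dev/null 2>&1 || docker network create "$NETWORK"
  remove_old_containers
  docker run -d --name "$DB_NAME" --network "$NETWORK" \
    -e POSTGRES_USER=sonar -e POSTGRES_PASSWORD="$SONAR_DB_PASSWORD" \
    -e POSTGRES_DB=sonar "$PG_IMAGE"
  docker run -d --name "$APP_NAME" -p 9000:9000 --network "$NETWORK" \
    -e SONAR_JDBC_URL="$(jdbc_url "$DB_NAME" sonar)" \
    -e SONAR_JDBC_USERNAME=sonar -e SONAR_JDBC_PASSWORD="$SONAR_DB_PASSWORD" \
    "$SONAR_IMAGE"
  wait_for_sonar
}

# Only touch Docker when run as `sh thisscript.sh up`, so the helpers can be sourced.
if [ "${1:-}" = "up" ]; then
  bring_up
fi
```

Usage: `SONAR_DB_PASSWORD='choose-something-long' sudo -E sh sonar-up.sh up`. Because the script removes and recreates the containers every time, the database contents (projects, tokens) are lost on each run, exactly as they are when you follow the troubleshooting steps by hand; add a named volume for the postgres data directory if you want them to survive.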
ip a
Make a note of your Linux server's IP address.
You'll need it later.
http://172.16.123.132:9000
Log in with the username admin and a password of admin.
Choose a new password, such as P@ssw0rd
The dashboard appears, as shown below.
Enter a display name of W700, as shown below.
Click Next.
On the "Set up project for Clean as You Code" page, click the "Use the global setting" button and click the "Create project" button.
On the "Analysis Method" page, click Locally.
On the "Analyze your project" page, as shown below, click Generate.
Your token appears, as shown below. Copy it to a text editor so you can use it later.
Click Continue.
In the "Run analysis on your project" section, click the Other button, outlined in red in the image below.
Select the OS of your local machine (the machine you are opening Web pages on) and follow the instructions that appear to download and install the Scanner, as shown below.
Download and unzip the sonar scanner. On my Mac, I downloaded and unzipped this file:
sonar-scanner-cli-5.0.1.3006-macosx.zip
I moved the sonar-scanner-cli-5.0.1.3006-macosx folder to my home directory and renamed it sonar-scanner.
Make a note of the complete path to the executable sonar-scanner file.
On my system, it was:
/Users/sambowne/sonar-scanner/bin/sonar-scanner
git clone https://github.com/OWASP/OWASPWebGoatPHP.git
/Users/sambowne/sonar-scanner/bin/sonar-scanner \
-Dsonar.projectKey=W700 \
-Dsonar.sources=OWASPWebGoatPHP \
-Dsonar.host.url=http://172.16.123.132:9000 \
-Dsonar.token=sqp_b05100f00211b0b9013ea3527eecaf6ba93c95df
It analyzes over 700 files, as shown below.
Flag W 700.1: Vulnerability (15 pts)
In the Overview page, in the Security section, click the number 1. Click the blue text saying "Use secure mode and padding scheme".
Click the "How can I fix it?" tab.
The flag is the word covered by a green rectangle in the image below.
Posted 12-13-23
Minor updates 2-26-24
Stray ] changed to backslash and missing "sudo apt update" and "docker rm" tip added 7-17-24