Cantech Knowledge Base

Your Go-To Hosting Resource

How to Use SonarQube on Ubuntu 22.04 LTS?

SonarQube is a powerful tool that lets developers check their code quality and keep their software safe. It detects issues early, before they turn into bigger bugs, and gives you a clear view of your code's health: security problems, bad practices, and errors.

Moreover, it supports many programming languages. The tool gives detailed reports and shows useful suggestions to fix issues. It guides you to write code in a better way.

SonarQube works in two parts: one part scans the code on your computer, and the other part keeps records on a server. This setup makes it easy to track code health over time.

Furthermore, the dashboard in SonarQube shows you where the code has issues. You can see each file’s status and understand what needs fixing. This tool also allows team collaboration. The whole team can follow one coding standard without much confusion.

SonarQube runs quite smoothly on Ubuntu 22.04 LTS as it is stable and widely trusted by developers. The system handles it well and gives you the support you need for smooth scanning.

However, you need to ensure your system meets some basic requirements to set up SonarQube on Ubuntu 22.04.

What are the Prerequisites?

First, you should have a server with at least 2GB RAM and one vCPU core.

It is also important to create a non-root user with sudo privileges for security.

Further, your server needs to be up to date, and you should have a fully-qualified domain name pointing to your server, like sonarqube.example.com.

Configure the Firewall

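Start by configuring the firewall to allow SonarQube to run smoothly. You will need to open port 9000, which SonarQube uses. If you are using a reverse proxy, also open ports 80 and 443 for HTTP and HTTPS traffic. Note that the reverse-proxy setup later in this guide binds SonarQube to 127.0.0.1, so in that setup clients reach it only through Nginx on ports 80 and 443, and the rule for port 9000 does not need to stay in place. Use these commands to open the necessary ports with the Uncomplicated Firewall (UFW) and check the status: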

$ sudo ufw allow http

$ sudo ufw allow https

$ sudo ufw allow 9000/tcp

$ sudo ufw status

Install Java (OpenJDK 11)

SonarQube requires Java to run. Install OpenJDK 11 using the following command:

$ sudo apt install openjdk-11-jdk

Install PostgreSQL

  • Next, install PostgreSQL, as it is used to store SonarQube’s data. You will first need to import the repository key and add the PostgreSQL repository:
    $ curl https://www.postgresql.org/media/keys/ACCC4CF8.asc | gpg --dearmor | sudo tee /etc/apt/trusted.gpg.d/apt.postgresql.org.gpg >/dev/null
    $ sudo sh -c 'echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" > /etc/apt/sources.list.d/pgdg.list'
  • Update the list with –
    $ sudo apt update
    
  • To install PostgreSQL 14 and check the status of the service, run –
    $ sudo apt install postgresql postgresql-contrib
    $ sudo systemctl status postgresql

Configure PostgreSQL

  • Now, let’s configure PostgreSQL. Log into the PostgreSQL shell and create a user role and database for SonarQube:
    $ sudo -u postgres psql
    postgres=# CREATE ROLE sonaruser WITH LOGIN ENCRYPTED PASSWORD 'your_password';
    postgres=# CREATE DATABASE sonarqube;
  • Grant privileges and exit the shell.
    postgres=# GRANT ALL PRIVILEGES ON DATABASE sonarqube to sonaruser;
    postgres=# \q
  • Return to your default user account.
    $ exit

Install SonarQube

  • Now, download and install the latest version of SonarQube. First, get the download URL from the official SonarQube page and use it to fetch the archive. Then, unzip and move the files to the appropriate directory.
    $ wget https://binaries.sonarsource.com/Distribution/sonarqube/sonarqube-9.6.1.59531.zip
    $ unzip -q sonarqube-9.6.1.59531.zip
    $ sudo mv sonarqube-9.6.1.59531 /opt/sonarqube
  • Delete the archive with –
    $ rm sonarqube-9.6.1.59531.zip

Create the SonarQube User

Now, create a system user for SonarQube and give it the necessary permissions:

$ sudo adduser --system --no-create-home --group --disabled-login sonarqube
$ sudo chown sonarqube:sonarqube /opt/sonarqube -R

Configure SonarQube

  • Next, configure SonarQube to connect to the PostgreSQL database and make some performance tweaks. Edit the configuration file:
    $ sudo nano /opt/sonarqube/conf/sonar.properties
  • Uncomment and add your database credentials:
    sonar.jdbc.username=sonaruser
    sonar.jdbc.password=your_password
    sonar.jdbc.url=jdbc:postgresql://localhost:5432/sonarqube
  • You will also need to set SonarQube to listen only on localhost, especially if you are using a reverse proxy like Nginx:
    sonar.web.host=127.0.0.1
  • Save with Ctrl+X and then Y.
  • Finally, increase the virtual memory settings so that Elasticsearch functions –
    $ sudo nano /etc/sysctl.conf
  • Add these lines to the end:
    vm.max_map_count=524288
    fs.file-max=131072
  • Then, create the file /etc/security/limits.d/99-sonarqube.conf and set the file descriptors and threads:
    $ sudo nano /etc/security/limits.d/99-sonarqube.conf
  • Add the following:
    sonarqube - nofile 131072
    sonarqube - nproc 8192
  • Save again and reboot the system to apply these changes –
    $ sudo reboot

Set Up SonarQube as a Service

  • Create a systemd service file to start SonarQube on boot:
    $ sudo nano /etc/systemd/system/sonarqube.service
  • Here’s a sample configuration:
    [Unit]
    Description=SonarQube service
    After=syslog.target network.target

    [Service]
    Type=forking
    ExecStart=/opt/sonarqube/bin/linux-x86-64/sonar.sh start
    ExecStop=/opt/sonarqube/bin/linux-x86-64/sonar.sh stop
    User=sonarqube
    Group=sonarqube
    PermissionsStartOnly=true
    Restart=always
    StandardOutput=syslog
    LimitNOFILE=131072
    LimitNPROC=8192
    TimeoutStartSec=5
    SuccessExitStatus=143

    [Install]
    WantedBy=multi-user.target
  • Save the file, then start the service, check its status, and enable it at boot:
    $ sudo systemctl start sonarqube
    $ sudo systemctl status sonarqube
    $ sudo systemctl enable sonarqube
  • Verify if the server is running by checking the following URL:
    $ curl http://127.0.0.1:9000
    Text similar to below confirms all is well –
    <script>
    window.baseUrl = '';
    window.serverStatus = 'UP';
    window.instance = 'SonarQube';
    window.official = true;
    </script>

Install Nginx for Reverse Proxy

  • If you plan to use Nginx as a reverse proxy, install its dependencies with the following commands:
    $ sudo apt install curl gnupg2 ca-certificates lsb-release ubuntu-keyring -y
  • The below imports its signing key –
    $ curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor | sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null
  • Run the below command to add the repository and update the list –
    $ echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg arch=amd64] http://nginx.org/packages/ubuntu `lsb_release -cs` nginx" | sudo tee /etc/apt/sources.list.d/nginx.list
    $ sudo apt update
  • Lastly, install and start the server –
    $ sudo apt install nginx
    $ sudo systemctl start nginx

Set Up SSL

For SSL, use Certbot to get a free SSL certificate:

  • Use the commands below to make sure you have the latest snapd core, which is required to install Certbot, and then install Certbot –
    $ sudo snap install core
    $ sudo snap refresh core
    $ sudo snap install --classic certbot
  • The below creates a symlink –
    $ sudo ln -s /snap/bin/certbot /usr/bin/certbot
  • Get the SSL certificate and do a dry run of the renewal –
    $ sudo certbot certonly --nginx --agree-tos --no-eff-email -m <YourEmail> -d sonarqube.example.com
    $ sudo certbot renew --dry-run

Configure Nginx for SonarQube

  • Set up Nginx to proxy requests to SonarQube. Edit Nginx configuration:
    $ sudo nano /etc/nginx/nginx.conf
  • Add the following line inside the http block:
    server_names_hash_bucket_size 64;
  • Then, create the SonarQube configuration for Nginx:
    $ sudo nano /etc/nginx/conf.d/sonar.conf
  • Add the configuration to redirect HTTP to HTTPS and set SSL settings:
    server {
        listen 80;
        server_name sonarqube.example.com;
        return 301 https://$server_name$request_uri;
    }

    server {
        listen 443 ssl;
        server_name sonarqube.example.com;
        ssl_certificate /etc/letsencrypt/live/sonarqube.example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/sonarqube.example.com/privkey.pem;

        # proxy_pass is only valid inside a location block
        location / {
            proxy_pass http://127.0.0.1:9000;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
  • Test the Nginx configuration and restart Nginx:
    $ sudo nginx -t
    $ sudo systemctl restart nginx

Securing SonarQube

Once logged into SonarQube, change the default password. Create a new user for code scanning. Also, generate an authentication token for the new user and save it for future use. For better security, you can also enable encryption for database passwords and other sensitive data in the configuration file:

$ sudo nano /opt/sonarqube/conf/sonar.properties
  • Add the path to your secret key file:
    sonar.secretKeyPath=/opt/sonarqube/conf/sonar-secret.txt
  • Generate a secret key and update the file. Make sure to restrict access to it, so that only the sonarqube user can read it.
    $ sudo nano /opt/sonarqube/conf/sonar-secret.txt
    $ sudo chown sonarqube:sonarqube /opt/sonarqube/conf/sonar-secret.txt
    $ sudo chmod 600 /opt/sonarqube/conf/sonar-secret.txt
  • Finally, restart SonarQube to apply the changes:
    $ sudo systemctl restart sonarqube
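
The settings from the Configure SonarQube and Securing SonarQube sections can be checked with a short script. This is an added example, not part of the original guide or SonarQube's own tooling: the function names prop and audit_sonar are hypothetical, the sample files are constructed, and it assumes encrypted property values carry the {aes-gcm} prefix.

```bash
#!/usr/bin/env bash
# Added example (not SonarQube tooling): audit the settings this guide configures.

# prop FILE KEY: print the value of the last uncommented KEY=value line.
prop() {
    awk -F= -v k="$2" '$1 == k { sub(/^[^=]*=/, ""); v = $0 } END { print v }' "$1"
}

# audit_sonar FILE: print one finding per line; print nothing when the file passes.
audit_sonar() {
    local conf=$1 host pass key mode
    host=$(prop "$conf" sonar.web.host)
    case $host in
        127.0.0.1|localhost|::1) ;;
        *) echo "web.host='${host:-unset}': web server is not limited to loopback" ;;
    esac
    # Assumption: SonarQube-encrypted values start with {aes-gcm}.
    pass=$(prop "$conf" sonar.jdbc.password)
    case $pass in
        '{aes-gcm}'*) ;;
        *) echo "jdbc.password: stored in plaintext" ;;
    esac
    key=$(prop "$conf" sonar.secretKeyPath)
    if [ -z "$key" ]; then
        echo "secretKeyPath: not set"
    elif [ ! -f "$key" ]; then
        echo "secretKeyPath: $key does not exist"
    else
        mode=$(stat -c %a "$key")    # GNU stat, as shipped with Ubuntu
        case $mode in
            [46]00) ;;
            *) echo "secretKeyPath: $key has mode $mode, expected 600" ;;
        esac
    fi
}

# Constructed sample mirroring this guide's sonar.properties before hardening.
demo=$(mktemp -d)
printf 'constructed-key\n' > "$demo/sonar-secret.txt"
chmod 644 "$demo/sonar-secret.txt"
cat > "$demo/sonar.properties" <<EOF
#sonar.web.host=0.0.0.0
sonar.jdbc.username=sonaruser
sonar.jdbc.password=your_password
sonar.jdbc.url=jdbc:postgresql://localhost:5432/sonarqube
sonar.secretKeyPath=$demo/sonar-secret.txt
EOF
audit_sonar "$demo/sonar.properties"
```

On a real install, call audit_sonar /opt/sonarqube/conf/sonar.properties as a user that can read the file; no output means all three checks passed.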

Installing SonarQube’s Code Scanner

  • To start scanning your code, you need to install the SonarQube scanner. First, download the scanner:
    $ wget https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-4.7.0.2747-linux.zip
    $ sudo unzip sonar-scanner-cli-4.7.0.2747-linux.zip
    $ sudo mv sonar-scanner-4.7.0.2747-linux /opt/sonarscanner
  • Now, configure the scanner by setting the SonarQube server URL:
    $ sudo nano /opt/sonarscanner/conf/sonar-scanner.properties
  • Set the following:
    sonar.host.url=https://sonarqube.example.com
  • Make the binary executable:
    $ sudo chmod +x /opt/sonarscanner/bin/sonar-scanner
  • Create a symbolic link for easy access:
    $ sudo ln -s /opt/sonarscanner/bin/sonar-scanner /usr/local/bin/sonar-scanner

Scanning Example Projects

  • You can test the scanner with SonarQube example projects. First, download an example project:
    $ wget https://github.com/SonarSource/sonar-scanning-examples/archive/master.zip
    $ unzip master.zip
    $ cd sonar-scanning-examples-master/sonarqube-scanner
  • Now, run the scanner:
    $ sonar-scanner -D sonar.login=<YourLoginToken>

Scanning Your Own Code

  • Finally, scan your own code. Create a project configuration file:
    $ nano sonar-project.properties
  • Set your project properties:
    sonar.projectKey=MyProject:Key1
    sonar.projectName=First Project
    sonar.projectVersion=1.0
    sonar.sources=src
  • Run the scanner:
    $ sonar-scanner -D sonar.login=<YourLoginToken>

Conclusion

You have now installed SonarQube and scanned your code for quality issues. For more details and troubleshooting, you can check out SonarQube’s official documentation and community resources.

May 19, 2025