SonarQube
Configuration
SonarCloud
From Eric Ball:
"We have several docs on implementing Sonar jobs for various languages from our global-jjb templates, such as this one for maven sonar jobs: https://docs.releng.linuxfoundation.org/projects/global-jjb/en/latest/jjb/lf-maven-jobs.html#lf-infra-maven-sonarcloud
We could link to those, but I could probably put together something a little simpler that would allow for faster implementation. Also, all of our Sonar jobs are currently built using a maven template, so even those that we've implemented for Python and C require a pom.xml in the repo. We are currently working on a language-agnostic version that will use a standard sonar-project.properties file, and it should be implemented soon (I know that the code is mostly finished, so it may even be ready to go in the next few days, if it doesn't run into any hurdles in review). I'm not sure what the timeline requirements are for implementing this, but all the non-Java projects will probably want to wait until that is ready before implementing scans (if possible)."
SonarQube on-prem
Akraino code scan is migrating to use SonarCloud, the following will be removed once the migration is done.
Following configuration assumes SonarQube on prem. As LF is moving to SonarCloud, the setup might be different.
Each project should have jjb file to integrate with CI.
To add SonarQube scan, the jjb file should be modified with the following changes:
- mvn-settings
- mvn-params
- gerrit-maven-sonar job
Here is an example:
- project:
name: portal_user_interface
project: portal_user_interface
project-name: portal_user_interface
mvn-settings: portal_user_interface-settings
mvn-params: '-f AECPortalMgmt'
nexus-iq-namespace: 'akraino-'
build-node: centos7-builder-2c-1g
stream: master
jobs:
- '{project-name}-maven-jobs'
- gerrit-maven-sonar
views:
- project-view
Currently, global-jjb has jobs for Java/maven, Python/tox, and C/cmake. Other languages will have to create their own job templates. For the supported global-jjb jobs, it's just a matter of including the job (such as "gerrit-maven-sonar"), and any parameters that the job requires, in each project's jjb file.
Here's some additional documentation on the Sonar jobs/macros we have set up:
https://docs.releng.linuxfoundation.org/projects/global-jjb/en/latest/jjb/lf-maven-jobs.html#lf-infra-maven-sonar
https://docs.releng.linuxfoundation.org/projects/global-jjb/en/latest/jjb/lf-python-jobs.html#lf-infra-tox-sonar
https://docs.releng.linuxfoundation.org/projects/global-jjb/en/latest/jjb/lf-c-cpp-jobs.html#cmake-sonar
Scan Result
SonarQube scan results can be accessed from https://sonarcloud.io/organizations/akraino-edge-stack/projects. You should be able to log in with your LFID credentials, the same as you would use for Gerrit or Jenkins.
Bug Severity in SonarQube and mapping to Akraino security requirements
| SonarQube | Akraino |
|---|---|
| Blocker | Critical |
| Critical | Important |
| Major | Important |
| Minor | Moderate |
| Info | Low |
Vuls
Vuls will be integrated with Validation Framework (Bluval User Guide)
Below are the list of tasks for the integration.
- Install Vuls containers (https://vuls.io/docs/en/install-with-docker.html). Vuls containers can be found at: https://hub.docker.com/u/vuls/
- Install go-cve-dictionary, run "docker pull vuls/go-cve-dictionary"
- Install goval-dictionary, run "docker pull vuls/goval-dictionary"
- Install gost, run "docker pull vuls/gost"
- Install vuls, run "docker pull vuls/vuls"
- Set up and run (https://vuls.io/docs/en/tutorial-docker.html)
Prepare log dir
cd /path/to/working/dir
mkdir go-cve-dictionary-log goval-dictionary-log gost-log
- Fetch NVD
for i in `seq 2002 $(date +"%Y")`; do \ docker run --rm -it \ -v $PWD:/vuls \ -v $PWD/go-cve-dictionary-log:/var/log/vuls \ vuls/go-cve-dictionary fetchnvd -years $i; \ done
- Fetch OVAL
docker run --rm -it \ -v $PWD:/vuls \ -v $PWD/goval-dictionary-log:/var/log/vuls \ vuls/goval-dictionary fetch-redhat 5 6 7
- Fetch gost
docker run --rm -i \ -v $PWD:/vuls \ -v $PWD/goval-log:/var/log/gost \ vuls/gost fetch redhat
- Config the SUT, configuration will be stored in config.toml
- SSH key generation & distribution: As Vuls connects to target server through SSH, and Vuls has to use SSH key-based authentication. There needs to be a way to generate SSH key pair, save the private key for Vuls container and dispatch the public key to target server. We probably don’t want to store the private key with the container image if the container image is public accessible.
- Config the SUT, configuration will be stored in config.toml
[servers]
[servers.c74]
host = "54.249.93.16"
port = "22"
user = "vuls-user"
keyPath = "/root/.ssh/id_rsa" # path to ssh private key in docker
- Start Vuls container to run tests
- docker run --rm -it \ -v ~/.ssh:/root/.ssh:ro \ -v $PWD:/vuls \ -v $PWD/vuls-log:/var/log/vuls \ -v /etc/localtime:/etc/localtime:ro \ -e "TZ=Asia/Tokyo" \ vuls/vuls scan \ -config=./config.toml
- Start Vuls container to run tests
- Write Bluval configuration file for security tests
- Push test results to LF Nexus
- Show test results in Bluval UI
Lynis
Lynis requires to run on SUT (System Under Test). The overall test framework will the similar to that of Vuls. As to the Lynis installation, there are two options:
- Lynis is pre-installed on SUT by project team.
- Lynis is to be installed as part of test flow from Validation Framework.
Considering the complexity of installing application on target system, it is recommended that option 1 is to be used.