[JavaScript] Integrate with SonarQube and OWASP dependency check

2021-11-30 C.H. Ling Dependency Check, DevOps, Infrastructure 基建, JavaScript, Programming, SonarQube 0

SonarQube is an open source static code analysis tool to ensure code quality. To ensure its traceable, it support upload scan result to remote server. Dependency check is one of the security measurement to ensure application is develop with libraries without security vulnerability. Previously it automated by Java. In this case, it will try in JavaScript project.In this demo, it will install sonarqube-scanner and owasp-dependency-check to generate report and send result to remote SonarQube server.

Step of install and configure owasp-dependency-check

  1. Install development dependency.
    In command prompt, input command below:

    npm install -D owasp-dependency-check
  2. Test and verify result.
    In command prompt, input command below, expect it will generate reports in HTML, JSON and XML format.

    owasp-dependency-check --project \"sample project\" -f HTML -f JSON -f XML

Steps of install and configure sonarqube-scanner

  1. Generate token.
    In SonarQube server, in My Account > Security > Tokens, input token name in textbox Generate Token, and click Generate. Then copy token value for later use.
  2. Install sonarqube-scanner with development dependency.
    In command prompt, input command below:

    npm install -D sonarqube-scanner
  3. Configure SonarQube scanner.
    Create new file name sonar-project.properties and input settings below.

    sonar.host.url=https://sonarqube.home.local
sonar.login=[App Token]
sonar.projectKey=sample-project
sonar.projectName=Sample Project
sonar.sourceEncoding=UTF-8
sonar.sources=src
sonar.exclusions=**/node_modules/**,**/*.spec.ts
sonar.dependencyCheck.jsonReportPath=dependency-check-reports/dependency-check-report.json
sonar.dependencyCheck.htmlReportPath=dependency-check-reports/dependency-check-report.html
sonar.dependencyCheck.summarize=true
sonar.dependencyCheck.securityHotspot=true

     

  4. Test and verify settings.
    In command prompt, execute command below. Expected it will shown in SonarQube.

    cd $PROJECT_DIR
sonar-scanner

Step of integrate with single script

  1. Create script.
    In package.json, alter script as below:

    {
  ...
  "scripts": {
    "health-check": "owasp-dependency-check --project \"sample-service\" -f HTML -f JSON -f XML && sonar-scanner",
  }
  ...
}

     

  2. Test and verify result.
    In command prompt, input command below, check in SonarQube and expect report has been uploaded.

    npm run health-check
About C.H. Ling 262 Articles
a .net / Java developer from Hong Kong and currently located in United Kingdom. Thanks for Google because it solve many technical problems so I build this blog as return. Besides coding and trying advance technology, hiking and traveling is other favorite to me, so I will write down something what I see and what I feel during it. Happy reading!!!
Website LinkedIn

Be the first to comment

Leave a Reply

Your email address will not be published.


*


This site uses Akismet to reduce spam. Learn how your comment data is processed.