SonarQube is an open source static code analysis tool for ensuring code quality. To keep results traceable, it supports uploading scan results to a remote server. Dependency checking is one of the security measures that ensures an application is built with libraries that have no known security vulnerabilities. Previously this was automated for a Java project; in this case, it is tried on a JavaScript project. In this demo, sonarqube-scanner and owasp-dependency-check are installed to generate reports and send the results to a remote SonarQube server.
Steps to install and configure owasp-dependency-check
- Install it as a development dependency.
In the command prompt, input the command below:
npm install -D owasp-dependency-check
- Test and verify the result.
In the command prompt, input the command below; expect it to generate reports in HTML, JSON and XML format:
owasp-dependency-check --project "sample project" -f HTML -f JSON -f XML
Steps to install and configure sonarqube-scanner
- Generate a token.
In the SonarQube server, go to My Account > Security > Tokens, input a token name in the Generate Token textbox and click Generate. Then copy the token value for later use.
- Install sonarqube-scanner as a development dependency.
In the command prompt, input the command below:
npm install -D sonarqube-scanner
- Configure the SonarQube scanner.
Create a new file named sonar-project.properties and input the settings below:
sonar.host.url=https://sonarqube.home.local
sonar.login=[App Token]
sonar.projectKey=sample-project
sonar.projectName=Sample Project
sonar.sourceEncoding=UTF-8
sonar.sources=src
sonar.exclusions=**/node_modules/**,**/*.spec.ts
sonar.dependencyCheck.jsonReportPath=dependency-check-reports/dependency-check-report.json
sonar.dependencyCheck.htmlReportPath=dependency-check-reports/dependency-check-report.html
sonar.dependencyCheck.summarize=true
sonar.dependencyCheck.securityHotspot=true
- Test and verify the settings.
In the command prompt, execute the commands below. The project is expected to show up in SonarQube:
cd $PROJECT_DIR
sonar-scanner
Steps to integrate with a single script
- Create the script.
In package.json, alter the scripts section as below:
{
  ...
  "scripts": {
    "health-check": "owasp-dependency-check --project \"sample-service\" -f HTML -f JSON -f XML && sonar-scanner"
  }
  ...
}
- Test and verify the result.
In the command prompt, input the command below, then check in SonarQube and expect the report to have been uploaded:
npm run health-check