SonarQube-Part2


SonarQube – Real-Time Issues, Project Analysis, and Administration (Complete Guide)

SonarQube is widely used for continuous code quality inspection, but in real environments users often run into startup problems, authentication mistakes, and configuration needs. This article covers a common real-world startup bug, project analysis for Java with Maven, token-based authentication, port and context-path changes, and the administration concepts (profiles, gates, users, groups, permissions) with practical explanations.

Real-World Bug: SonarQube Not Starting After Running as Root

Problem Statement

A common mistake is to start SonarQube as root. The wrapper script prints that SonarQube started, because it only launched the wrapper process; the Elasticsearch, web and compute-engine processes it spawns then fail, so the server is not actually up.

Why This Happens

SonarQube must run as an unprivileged user, and the Elasticsearch instance it bundles for its search index refuses to start as root at all. When started as root:

  • Files under temp/, data/ and logs/ are created with root ownership

  • Elasticsearch aborts; the error is only visible in es.log, not on the console

  • Later attempts as the sonar user fail too, because that user cannot write to the root-owned files

The "started" message from sonar.sh is therefore misleading: it reports that the wrapper launched, not that the server is serving requests.

Symptoms

sh sonar.sh start    # reports that SonarQube started
sh sonar.sh status   # but the server is not running

Even after switching to the sonar user, the problem persists.

Root Cause

A temp directory owned by root (or left in a corrupted state):

/opt/sonarqube/temp/

Elasticsearch cannot write to it and refuses to start, which takes the whole instance down.

Solution (Fix)

  1. Check the logs:
     cd /opt/sonarqube/logs
     cat sonar.log es.log

     Look for lines such as "Temp directory already exists", "Permission denied" or "can not run elasticsearch as root".

  2. Delete the temp directory (as root, since root created it):
     sudo rm -rf /opt/sonarqube/temp/

     If data/ or logs/ also contain root-owned files, hand the whole tree back to the service user:
     sudo chown -R sonar:sonar /opt/sonarqube

  3. Start SonarQube as the sonar user:
     su - sonar
     cd /opt/sonarqube/bin/linux-x86-64
     sh sonar.sh start
     sh sonar.sh status

  4. Open the UI: http://<server-ip>:9000


Best Practice ✅

  • ❌ Never start SonarQube as root

  • ✅ Always use a dedicated user (e.g., sonar)

  • ✅ If stuck, check sonar.log and es.log
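The checks above, as a script you can run before every start. This is an added example, not part of the original article or the SonarQube distribution: it lists files under the install that are not owned by the service user and scans sonar.log/es.log for the signatures a root-started instance leaves behind. It assumes GNU coreutils (stat -c), an install at /opt/sonarqube and a service user named sonar; the demo at the bottom runs on a constructed temporary tree and constructed log lines, so it works on any machine.

```shell
#!/bin/sh
# Added example (not from the original article): pre-flight check before
# "sh sonar.sh start". Assumes GNU coreutils (stat -c), install dir
# /opt/sonarqube and service user "sonar"; both can be overridden.

# Print "owner path" for everything under $1 that is not owned by $2.
# Returns 0 when the tree is clean, 1 if any path is foreign-owned,
# 2 if the directory does not exist.
foreign_owned() {
    dir=$1; want=$2
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    find "$dir" -exec stat -c '%U %n' {} + |
        awk -v want="$want" '$1 != want { print; bad = 1 } END { exit bad ? 1 : 0 }'
}

# Print the log lines that explain a silent start failure; 0 if any matched.
log_signatures() {
    grep -n -i -E \
        'temp directory already exists|permission denied|can not run elasticsearch as root|AccessDeniedException' \
        "$1"
}

# The repair from the steps above, plus a chown of the whole tree because
# data/ and logs/ are usually root-owned as well after a root start. Run as root.
repair() {
    home=$1; user=$2
    rm -rf "$home/temp"
    chown -R "$user:$user" "$home"
}

# 0 only if the tree is owned by the service user and the logs are clean.
preflight() {
    home=${1:-/opt/sonarqube}; user=${2:-sonar}
    ok=0
    foreign_owned "$home" "$user" || ok=1
    for log in "$home/logs/sonar.log" "$home/logs/es.log"; do
        [ -f "$log" ] && log_signatures "$log" && ok=1
    done
    return $ok
}

# --- constructed demo tree standing in for /opt/sonarqube (not real data) ---
demo=$(mktemp -d)
mkdir -p "$demo/temp" "$demo/logs"
# Constructed log lines in the spirit of the ones quoted in the text.
printf '%s\n' \
    'INFO  app[][o.s.a.AppFileSystem] Cleaning or creating temp directory' \
    'ERROR es[][o.e.b.Bootstrap] java.lang.RuntimeException: can not run elasticsearch as root' \
    > "$demo/logs/es.log"
: > "$demo/logs/sonar.log"

echo "== paths not owned by $(id -un) (expect none) =="
foreign_owned "$demo" "$(id -un)" && echo "clean"
echo "== paths not owned by 'sonar' (all of them, the demo runs as $(id -un)) =="
foreign_owned "$demo" sonar || echo "-> as root: repair $demo sonar"
echo "== log signatures =="
log_signatures "$demo/logs/es.log" || echo "none"
preflight "$demo" sonar && echo "preflight: ok" || echo "preflight: NOT safe to start"
rm -rf "$demo"
```

On a real host run `preflight` as the sonar user before `sh sonar.sh start`; if it reports foreign-owned paths, run `repair /opt/sonarqube sonar` as root and check again.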


How to Execute SonarQube Analysis for Java Projects

SonarQube does not analyze code automatically. You must trigger analysis from your project build tool, commonly Maven.

Step 1: Connect to the Maven Server

Login to the server where your Java project exists:

ssh ec2-user@<maven-server-ip>

Step 2: Update pom.xml with SonarQube Details

Add SonarQube configuration under <properties>:

<properties>
<sonar.host.url>http://43.205.231.25:9000</sonar.host.url>
<sonar.login>admin</sonar.login>
<sonar.password>kkfunda</sonar.password>
</properties>

⚠️ This works, but pom.xml is committed to version control, so the admin password ends up in the repository history and in every clone. Do not use it outside a throwaway lab.

Step 3: Generate SonarQube Report

mvn clean verify sonar:sonar
  • sonar:sonar → the SonarScanner for Maven plugin and its goal

  • Maven runs goals in the order given, and the Java analyzer needs compiled classes, so the build (verify) must come before sonar:sonar; "mvn sonar:sonar package" would run the analysis before anything is compiled

  • The plugin uploads the analysis report to the SonarQube server, which processes it asynchronously

Step 4: View the Report

  • Open SonarQube UI

  • Go to Projects

  • Select your project

  • View bugs, vulnerabilities, coverage, duplications, and technical debt

Secure Authentication Using SonarQube Token (Recommended)

Hardcoding username/password is insecure. SonarQube provides token-based authentication.

Step 1: Generate Token

  1. Login as admin

  2. Go to Administration → Security → Users

  3. Click Tokens on the user's row

  4. Enter a token name

  5. Click Generate

  6. Copy the token now: SonarQube shows it only once, and it carries exactly that user's permissions

  7. Example: squ_cc48a3bf6387f56c0e7175f5a8ab99d63c0caa45

Step 2: Update pom.xml

Replace username/password with the token:

<properties>
<sonar.host.url>http://43.205.231.25:9000</sonar.host.url>
<sonar.login>squ_f16a79749bad93fb485aa8e2c3b323ef7f2c8b6d</sonar.login>
</properties>

This removes the password, but the token is still a credential sitting in a file that gets committed. Prefer to keep pom.xml credential-free and supply the token from ~/.m2/settings.xml on the build machine, or as -Dsonar.login=<token> from a CI secret. On SonarQube 10 and later the property is sonar.token; sonar.login still works there but is deprecated.

Step 3: Run Analysis Again

mvn clean verify sonar:sonar

Benefits of Token Authentication

  • The account password is never written down on the build side

  • A token can be revoked at any time without changing the password

  • Ideal for CI/CD pipelines, where it is injected as a secret

  • A token carries only its user's permissions, so a dedicated scan-only user limits the damage if it leaks
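The credential-free variant of Steps 2 and 3, as an added example that is not part of the original article or of the SonarScanner project. It refuses to run an analysis when the pom carries sonar.login, sonar.password, sonar.token or a raw squ_ token, and writes a separate Maven settings file that holds the token in a default-active profile with mode 0600, so the token never enters the repository or the command line. It assumes the CI job exports SONAR_TOKEN from a secret store and uses sonar.token (SonarQube 10+; on a 9.x server change the property name to sonar.login). The poms in the demo are constructed.

```shell
#!/bin/sh
# Added example (not from the original article). Assumes SONAR_TOKEN and
# SONAR_HOST_URL are exported by the CI job; the hypothetical settings file
# is written next to, not over, ~/.m2/settings.xml.

# List credential-bearing lines in a pom (0 = something found, 1 = clean).
pom_secrets() {
    grep -n -E '<sonar\.(login|password|token)>|squ_[0-9a-f]{40}' "$1"
}

# Write a settings file that supplies host and token for every build.
# Mode 0600 via umask in a subshell so the caller's umask is untouched.
write_sonar_settings() {
    out=$1; host=$2; token=$3
    ( umask 077; cat > "$out" <<EOF
<settings>
  <profiles>
    <profile>
      <id>sonar</id>
      <activation><activeByDefault>true</activeByDefault></activation>
      <properties>
        <sonar.host.url>$host</sonar.host.url>
        <sonar.token>$token</sonar.token>
      </properties>
    </profile>
  </profiles>
</settings>
EOF
    )
}

# Print the command to run, or refuse when the pom carries credentials.
# Goal order matters: compile and test first, then analyse the bytecode.
analysis_cmd() {
    pom=$1; settings=$2
    if offenders=$(pom_secrets "$pom"); then
        echo "refusing to run: $pom carries SonarQube credentials:" >&2
        echo "$offenders" >&2
        return 1
    fi
    echo "mvn -s $settings -f $pom clean verify sonar:sonar"
}

# Real run: settings from the environment, then the build.
run_analysis() {
    pom=${1:-pom.xml}; settings=$HOME/.m2/sonar-settings.xml
    [ -n "${SONAR_TOKEN:-}" ] || { echo "SONAR_TOKEN is not set" >&2; return 1; }
    write_sonar_settings "$settings" "${SONAR_HOST_URL:-http://localhost:9000}" "$SONAR_TOKEN"
    cmd=$(analysis_cmd "$pom" "$settings") || return 1
    $cmd
}

# --- constructed demo input (two poms, no network, no real token) ---
demo=$(mktemp -d)
cat > "$demo/bad-pom.xml" <<'EOF'
<project><properties>
  <sonar.host.url>http://43.205.231.25:9000</sonar.host.url>
  <sonar.login>admin</sonar.login>
  <sonar.password>kkfunda</sonar.password>
</properties></project>
EOF
cat > "$demo/good-pom.xml" <<'EOF'
<project><properties>
  <sonar.host.url>http://43.205.231.25:9000</sonar.host.url>
</properties></project>
EOF
write_sonar_settings "$demo/settings.xml" http://43.205.231.25:9000 squ_not_a_real_token
analysis_cmd "$demo/bad-pom.xml" "$demo/settings.xml" || echo "(blocked, as intended)"
analysis_cmd "$demo/good-pom.xml" "$demo/settings.xml"
ls -l "$demo/settings.xml" | cut -c1-10      # -rw-------
rm -rf "$demo"
```

Wire `pom_secrets` into a pre-commit hook or a CI lint step as well, so a pom that regains a hardcoded credential is rejected before it is merged.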

How to Change SonarQube Server Port and Context Path

Default Values
  • Port: 9000

  • Context Path: /

Step 1: Edit Configuration File

cd /opt/sonarqube/conf
vi sonar.properties

Step 2: Update Port and Context Path

Uncomment and modify:

sonar.web.context=/kkfunda
sonar.web.port=8639

Step 3: Restart SonarQube

cd /opt/sonarqube/bin/linux-x86-64
sh sonar.sh restart

New Access URL

http://<server-ip>:8639/kkfunda

Two checks before relying on it: pick a port above 1023, because the unprivileged sonar user cannot bind a privileged port and the start would fail silently in the same way as the root problem above; and open the new port in the host firewall or cloud security group, since the existing rule for 9000 does not carry over.
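Steps 1 and 2 as an idempotent script, added here as an example that is not part of the original article or the SonarQube distribution. It replaces the commented-out default line in sonar.properties (or appends the key if it is missing), rejects ports the unprivileged sonar user cannot bind, and prints the URL to expect after the restart. It assumes GNU sed (-i) and the stock "#key=value" layout of sonar.properties; the file in the demo is a constructed stand-in.

```shell
#!/bin/sh
# Added example (not from the original article). Assumes GNU sed and the
# stock sonar.properties layout where defaults appear as "#key=value".

prop_regex() { printf '%s' "$1" | sed 's/\./\\./g'; }   # escape dots for sed

# Replace any "key=" or "#key=" line with key=value; append if none exists.
# Running it twice leaves exactly one active line.
set_prop() {
    file=$1; key=$2; val=$3; esc=$(prop_regex "$key")
    if grep -q -E "^#?[[:space:]]*$esc=" "$file"; then
        sed -i -E "s|^#?[[:space:]]*$esc=.*|$key=$val|" "$file"
    else
        printf '%s=%s\n' "$key" "$val" >> "$file"
    fi
}

# Print the active (uncommented) value of a key; empty if unset.
get_prop() {
    esc=$(prop_regex "$2")
    sed -n -E "s|^[[:space:]]*$esc=(.*)|\1|p" "$1" | tail -n 1
}

# 1024-65535: the sonar service user is unprivileged, so a port below 1024
# would fail to bind at startup, another silent-failure source.
valid_port() {
    case $1 in ''|*[!0-9]*) return 1;; esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Context must start with "/" (SonarQube's own rule); empty means root context.
valid_context() { case $1 in ''|/*) return 0;; *) return 1;; esac; }

# Apply both settings; 0 on success, 1 if validation fails (file untouched).
configure_web() {
    file=$1; port=$2; ctx=$3
    valid_port "$port" || { echo "bad port: $port (need 1024-65535)" >&2; return 1; }
    valid_context "$ctx" || { echo "bad context: $ctx (must start with /)" >&2; return 1; }
    set_prop "$file" sonar.web.port "$port"
    set_prop "$file" sonar.web.context "$ctx"
}

# URL to reach the instance after "sh sonar.sh restart".
access_url() {
    ctx=$(get_prop "$1" sonar.web.context)
    [ "$ctx" = / ] && ctx=
    printf 'http://%s:%s%s\n' "$2" "$(get_prop "$1" sonar.web.port)" "$ctx"
}

# --- constructed sonar.properties with the stock commented defaults ---
demo=$(mktemp -d); f=$demo/sonar.properties
printf '%s\n' '# Web context. When set, it must start with forward slash.' \
              '#sonar.web.context=' '#sonar.web.port=9000' > "$f"
configure_web "$f" 80 /kkfunda || echo "(rejected, as intended)"
configure_web "$f" 8639 /kkfunda
grep -E '^sonar\.web\.' "$f"        # sonar.web.context=/kkfunda, sonar.web.port=8639
access_url "$f" 43.205.231.25       # http://43.205.231.25:8639/kkfunda
rm -rf "$demo"
```

On the server, point `configure_web` at /opt/sonarqube/conf/sonar.properties as the sonar user, then run `sh sonar.sh restart` and open the printed URL; the same `set_prop` works for any other key in the file.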

SonarQube UI Components Explained

Projects
  • Displays all analyzed projects

  • Entry point for reports

Issues
  • Lists all bugs, vulnerabilities, and code smells

  • Can be filtered by severity and type

Rules
  • Coding rules per programming language

  • Used during analysis to detect issues

Quality Profiles

What is a Quality Profile?

A Quality Profile is a collection of rules applied during analysis.

  • Each language has its own profiles, one of which is marked as the default

  • Exactly one profile per language is active for a given project

Can We Create a Custom Quality Profile?

Yes

Steps to Create Custom Quality Profile

  1. Go to Quality Profiles

  2. Click Create

  3. Enter:

    • Name: jio-qp

    • Language: Java

    • Parent: None

  4. Save

A profile created with Parent: None starts with no active rules, so activate the ones you want before assigning it. Choosing Sonar way as the parent inherits its rules and lets you add stricter ones on top, which is usually the better starting point.

Assign Profile to Project

  1. Go to Project → Project Settings

  2. Select Quality Profiles

  3. Change Java profile to:

    • Always use specific quality profile

  4. Save

Run Analysis Again

mvn clean verify sonar:sonar

Quality Gates

What is a Quality Gate?

A Quality Gate is a set of conditions that decide whether a project passes or fails quality standards.

Default gate: Sonar way (built in and read-only; copy it to customize)

Create Custom Quality Gate

  1. Go to Quality Gates → Create

  2. Name: jio-qg

  3. Add conditions:

    • Coverage < 80% → Fail

    • Duplicated Lines > 3% → Fail

Assign Quality Gate to Project

  1. Go to Project Settings → Quality Gate

  2. Select Always use specific quality gate

  3. Save

Run Analysis

mvn clean verify sonar:sonar

If a condition fails, the Quality Gate fails and the deployment can be stopped. Note that the scanner itself still exits 0: the report is processed on the server after the goal returns. To make the build fail on a failed gate, run the scanner with -Dsonar.qualitygate.wait=true, or query the gate status through the Web API once the server has finished processing the analysis.
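How a pipeline turns the gate verdict into an exit code, as an added example that is not part of the original article or of SonarQube itself. The functions parse the JSON that api/qualitygates/project_status returns (overall status plus one entry per condition) and return non-zero when the gate is not OK. The two responses at the top are constructed samples in the shape of that API with invented values; `fetch_gate` shows the real call and assumes SONAR_TOKEN and SONAR_HOST_URL are exported.

```shell
#!/bin/sh
# Added example (not from the original article). Parses the
# api/qualitygates/project_status response with grep/sed only, so it runs
# on a bare CI image without jq. Samples below are constructed.

GATE_PASS='{"projectStatus":{"status":"OK","conditions":[{"status":"OK","metricKey":"coverage","comparator":"LT","errorThreshold":"80","actualValue":"87.4"},{"status":"OK","metricKey":"duplicated_lines_density","comparator":"GT","errorThreshold":"3","actualValue":"1.1"}],"periods":[{"index":1,"mode":"previous_version"}],"ignoredConditions":false}}'
GATE_FAIL='{"projectStatus":{"status":"ERROR","conditions":[{"status":"ERROR","metricKey":"coverage","comparator":"LT","errorThreshold":"80","actualValue":"63.2"},{"status":"OK","metricKey":"duplicated_lines_density","comparator":"GT","errorThreshold":"3","actualValue":"1.1"}],"periods":[{"index":1,"mode":"previous_version"}],"ignoredConditions":false}}'

# Pull the first occurrence of a string-valued field out of a JSON snippet.
json_field() { printf '%s' "$1" | grep -o "\"$2\":\"[^\"]*\"" | head -n 1 | cut -d'"' -f4; }

# Overall verdict (OK, ERROR, NONE). The project-level "status" is the first
# one in the document, before the conditions array.
gate_status() { json_field "$1" status; }

# One line per failing condition: "<metric> actual=<value> threshold=<limit>".
# Innermost {...} objects are the conditions (and period objects, which have
# no ERROR status and are filtered out).
failed_conditions() {
    printf '%s\n' "$1" | grep -o '{[^{}]*}' | grep '"status":"ERROR"' |
    while read -r cond; do
        printf '%s actual=%s threshold=%s\n' "$(json_field "$cond" metricKey)" \
            "$(json_field "$cond" actualValue)" "$(json_field "$cond" errorThreshold)"
    done
}

# 0 when the gate passed, 1 otherwise, with the failing conditions on stderr.
gate_ok() {
    status=$(gate_status "$1")
    case $status in
        OK) echo "quality gate passed"; return 0;;
        *)  echo "quality gate ${status:-UNKNOWN}" >&2
            failed_conditions "$1" >&2
            return 1;;
    esac
}

# Real call for a project key; not used in the demo. Wait for the server to
# finish the background task first (or use -Dsonar.qualitygate.wait=true).
fetch_gate() {
    curl -sf -u "$SONAR_TOKEN:" \
        "$SONAR_HOST_URL/api/qualitygates/project_status?projectKey=$1"
}

# Demo on the constructed samples.
gate_ok "$GATE_PASS" && echo "-> deploy"
gate_ok "$GATE_FAIL" || echo "-> stop the pipeline here"
```

In a real job the last two lines become `gate_ok "$(fetch_gate my-project-key)" || exit 1`, placed after the scanner step; the project key is the one shown on the project's page in the UI.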

Administration Overview

Configuration

  • Language plugins

  • Analysis parameters

  • Extensions and integrations

Security – Users

  • Create users

  • Manage credentials

  • Enable/disable users

Grant Admin Access to User

  1. Login as admin

  2. Go to Security → Users

  3. Select user

  4. Click Groups

  5. Add sonar-administrators

  6. Save

sonar-administrators is the built-in group that holds every global permission, so reserve it for named people. CI or scanner accounts should get only "Execute Analysis" (scan) through a dedicated group instead; a leaked token from such an account can then upload reports but cannot change users, gates or settings.

Create Groups

  1. Login as admin

  2. Go to Administration → Security → Groups

  3. Create group

  4. Assign permissions

  5. Add users
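The users, groups and permissions procedure above done through the SonarQube Web API, so onboarding is repeatable and reviewable instead of clicked through. This is an added example, not part of the original article or of SonarQube: the endpoint and parameter names are those of the classic Web API (api/users/create, api/user_groups/create, api/user_groups/add_user, api/permissions/add_group), which newer releases are replacing with v2 endpoints, so check Administration → Web API on your own server. It assumes SONAR_URL and SONAR_TOKEN (an administrator's token) are exported; with DRY_RUN=1, the default, the requests are printed rather than sent.

```shell
#!/bin/sh
# Added example (not from the original article). Assumes SONAR_URL and
# SONAR_TOKEN in the environment; DRY_RUN=1 prints requests instead of
# sending them. The CI group gets only "scan" (Execute Analysis).

# POST one Web API call: api_post <path> key=value ...
api_post() {
    path=$1; shift
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'POST %s %s\n' "$path" "$*"
        return 0
    fi
    # rebuild "$@" as curl arguments; each value is URL-encoded by curl
    for kv in "$@"; do set -- "$@" --data-urlencode "$kv"; shift; done
    # token as the username with an empty password: SonarQube's auth form
    curl -sf -u "$SONAR_TOKEN:" "$@" "$SONAR_URL/$path"
}

# Group for CI runners: may run analyses, nothing else.
create_ci_group() {
    api_post api/user_groups/create name="$1" description="CI scanners (scan only)"
    api_post api/permissions/add_group groupName="$1" permission=scan
}

# Local user, then group membership. The password crosses the process list
# here, so in practice feed it from a secret store and rotate it afterwards.
create_user_in_group() {
    api_post api/users/create login="$1" name="$2" password="$3"
    api_post api/user_groups/add_user login="$1" name="$4"
}

# Full admin: sonar-administrators carries every global permission, so keep
# this to named people, never to CI identities.
make_admin() {
    api_post api/user_groups/add_user login="$1" name=sonar-administrators
}

# Demo: print the requests for the procedure in the text (DRY_RUN).
DRY_RUN=${DRY_RUN:-1}
create_ci_group ci-scanners
create_user_in_group jenkins "Jenkins CI" "$(head -c 24 /dev/urandom | base64 | tr -d '/+=')" ci-scanners
make_admin sonaradmin
```

Export DRY_RUN=0 together with SONAR_URL and SONAR_TOKEN to execute the calls; `curl -f` makes a 4xx from the server (duplicate login, unknown group, missing permission on the token's user) fail the step instead of passing silently.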

Conclusion

SonarQube is powerful, but misconfiguration can easily break startup, analysis, or authentication. Understanding:

  • Proper user permissions

  • Token-based security

  • Quality Profiles and Gates

  • Common runtime issues

will help you run SonarQube smoothly in real-world production environments.

 
