Setting Up the SonarQube Plugin
Prerequisites
The following components must be installed and in place:
A supported version of SonarQube as listed in the SonarQube Plugin change log.
CxSAST 9.0 or higher
The latest version of the Checkmarx SonarQube Plugin. It is available for download from Checkmarx Plugins.
Installing and Configuring the SonarQube Plugin
If not already done, first install the required software listed above.
Download the SonarQube zip archive.
Extract its content to a folder of your choice.
Refer to the SonarQube Documentation for further instructions on Installing and Upgrading SonarQube.
Download and install Checkmarx CxSAST. Refer to the Checkmarx CxSAST Documentation at Setting Up CxSAST for additional information.
To install and set up the CxSAST SonarQube plugin, navigate to Checkmarx Plugins.
Once the Checkmarx Plugin page is displayed, click <Download>. The CxSAST SonarQube plugin is downloaded as a zip archive to your default downloads directory.
Extract the zip archive to a folder of your choice. It contains the Sonar CxPlugin JAR file, which is currently called com.checkmarx.sonar.cxplugin-2021.2.1.jar.
Navigate to the JAR file and place it into the following SonarQube server directory: $SONARQUBE_HOME/extensions/plugins.
If SonarQube runs in a Docker container, open a Windows PowerShell and copy the JAR into the container with docker cp, as in the transcript below (docker ps shows the container ID to use).
Restart the SonarQube server so that it loads the plugin.
PS C:\Users\johanness> docker cp
"docker cp" requires exactly 2 arguments.
See 'docker cp --help'.

Usage:  docker cp [OPTIONS] CONTAINER:SRC_PATH DEST_PATH|-
        docker cp [OPTIONS] SRC_PATH|- CONTAINER:DEST_PATH

Copy files/folders between a container and the local filesystem
PS C:\Users\johanness>
PS C:\Users\johanness> docker cp C:\Users\johanness\Downloads\Software_Installations\SonarQube\com.checkmarx.sonar.cxplugin-2021.2.1.jar c04b:/opt/sonarqube/extensions/plugins
PS C:\Users\johanness> docker exec -it c04b bash
bash-5.0# pwd
/opt/sonarqube
bash-5.0# ls
COPYING  bin  conf  data  elasticsearch  extensions  lib  logs  temp  web
bash-5.0# cd extensions/
bash-5.0# cd plugins/
bash-5.0# ls
README.txt
bash-5.0# exit
PS C:\Users\johanness> docker ps
CONTAINER ID   IMAGE                       COMMAND                  CREATED       STATUS       PORTS      NAMES
c04b3bb7f7b4   sonarqube:8.9.2-community   "bin/run.sh bin/sona…"   4 hours ago   Up 4 hours   9000/tcp   modest_montalcini
PS C:\Users\johanness>
To verify that the Checkmarx plugin is installed:
Open your browser and enter the URL of your SonarQube server. If it is installed on your local host, enter http://localhost:9000, otherwise enter http://<IP address or hostname>:9000 . The login prompt appears.
Log in with your credentials. The Projects page appears. The Projects page is also the homepage.
From the main menu, select Administration. The Administration page appears with the General tab open.
Select Marketplace and under Plugins, select Installed. The installed plugins appear listed. If the Checkmarx plugin is listed, the Checkmarx SonarQube plugin has been properly installed.
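The copy, restart and verification steps above can be scripted. The following is an added example, not code from the Checkmarx page or the plugin itself. It copies the JAR into a dockerised SonarQube with docker cp, restarts the container, waits for api/system/status to report UP and then looks for the plugin in api/plugins/installed (which may require an administrator token on recent SonarQube versions). The container name or ID, JAR path, server URL and token are command-line assumptions; the plugin key and name in the embedded sample response are constructed for the self-check and are not the plugin's real metadata.

```python
"""Added example (not from the Checkmarx page): copy the Checkmarx SonarQube
plugin JAR into a dockerised SonarQube, restart it and confirm via the Web API
that the plugin is loaded. Container, JAR path, URL and token are assumptions
passed on the command line."""
import base64
import json
import subprocess
import sys
import time
import urllib.request

# Plugin directory inside the official sonarqube image ($SONARQUBE_HOME/extensions/plugins).
PLUGIN_DIR = "/opt/sonarqube/extensions/plugins"


def docker_cp_plugin(jar_path, container):
    """Copy the JAR into the container's plugin directory (docker cp SRC CONTAINER:DEST)."""
    subprocess.run(["docker", "cp", jar_path, f"{container}:{PLUGIN_DIR}/"], check=True)


def docker_restart(container):
    """Restart the container so SonarQube loads the new plugin."""
    subprocess.run(["docker", "restart", container], check=True)


def _get_json(base_url, path, token=None):
    """GET a SonarQube Web API endpoint; a user token is sent as the HTTP Basic user name."""
    req = urllib.request.Request(f"{base_url.rstrip('/')}/{path}")
    if token:
        cred = base64.b64encode(f"{token}:".encode()).decode()
        req.add_header("Authorization", f"Basic {cred}")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def server_is_up(status_payload):
    """True when api/system/status reports the server fully started (status "UP")."""
    return status_payload.get("status") == "UP"


def find_plugin(installed_payload, needle="checkmarx"):
    """Return entries from api/plugins/installed whose key or name contains `needle`."""
    needle = needle.lower()
    return [p for p in installed_payload.get("plugins", [])
            if needle in p.get("key", "").lower() or needle in p.get("name", "").lower()]


def wait_until_up(base_url, timeout_s=300, interval_s=5):
    """Poll api/system/status until the server is UP or the timeout expires."""
    deadline = time.monotonic() + timeout_s
    while time.monotonic() < deadline:
        try:
            if server_is_up(_get_json(base_url, "api/system/status")):
                return True
        except (OSError, ValueError):
            pass  # connection refused or no JSON yet while the server is starting
        time.sleep(interval_s)
    return False


# Constructed sample of an api/plugins/installed response; the Checkmarx
# plugin key/name here is illustrative, not the plugin's real metadata.
SAMPLE_INSTALLED = {"plugins": [
    {"key": "java", "name": "SonarJava"},
    {"key": "cxplugin", "name": "Checkmarx"},
]}


def main(argv):
    if len(argv) < 4:
        print("usage: install_cx_plugin.py JAR CONTAINER SONAR_URL [TOKEN]", file=sys.stderr)
        return 2
    jar, container, url = argv[1:4]
    token = argv[4] if len(argv) > 4 else None
    docker_cp_plugin(jar, container)
    docker_restart(container)
    if not wait_until_up(url):
        print("SonarQube did not come up in time", file=sys.stderr)
        return 1
    found = find_plugin(_get_json(url, "api/plugins/installed", token))
    print("installed:", [p["name"] for p in found] or "not found")
    return 0 if found else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python install_cx_plugin.py <path-to-jar> c04b http://localhost:9000 <token>`; the exit code is non-zero if the server never reports UP or no plugin matching "checkmarx" is listed, which makes the step usable in a pipeline rather than only by eye in the Marketplace page.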
Notice
In order to show Checkmarx vulnerability results for the scanned language, the SonarQube language plugin for that particular language must be installed. C#, Java, PHP, Python and JavaScript are pre-installed with SonarQube. Go, Groovy and Perl can be downloaded for free. C\C++, Objective C, PLSQL, Swift, VB.NET and VB\VB6 must be purchased. For additional information on installing plugins, refer to the SonarQube Documentation.