Setting up a SonarQube 7.1 server using an OpenAPI plugin running in a Docker container

Diego Fernando Maciel
AvengaLATAM
5 min read, Sep 19, 2022


About this guide:

After reading this guide, you’ll be able to install a SonarQube 7.1 server using Docker Desktop and configure it with a plugin based on the OpenAPI specification. This will allow you to scan your project and validate whether the source code complies with basic OpenAPI standard rules.

The operating system used is Microsoft Windows.

Prerequisites:

Installation steps:

  • Verify that Docker Desktop is installed and available in the system.
  • Choose a working folder where the SonarQube server is going to run. Then create a new file named docker-compose.yml in it.
  • Edit the file docker-compose.yml, then copy and paste the source code from here: docker-compose.yml
Source code available to download: docker-compose.yml

This setup will create a Docker container based on the official SonarQube 7.1 image available on DockerHub and another Docker container with a Postgres database.

  • Open a shell terminal in the folder that contains docker-compose.yml
  • Start Docker Compose using the command:
    docker-compose up -d
Windows default shell terminal
  • Verify that containers have been created in the terminal output

Technical Reference:
docker compose up
Overview of docker compose CLI

SonarQube 7.1 web console view
  • Log in as an administrator using the default credentials:

User: admin
Password: admin

View of the SonarQube 7.1 web console authenticated with the administrator profile
  • To end the local instance of the SonarQube 7.1 server, go to the shell terminal and execute the command docker-compose stop or docker-compose down

Technical Reference:
docker compose stop
docker compose down

Available to download:

docker-compose.yml

SonarQube 7.1 OpenAPI Plugin Installation Guide

The Sonar OpenAPI plugin incorporates some generic rules that allow you to analyze the source code of services built under the standards proposed in the OpenAPI specification.

Note: The Sonar OpenAPI plugin is a project published on GitHub under the LGPL-3.0 license and is compatible with OpenAPI versions 2.0, 3.0.0 and 3.0.1.

Prerequisites:

  • SonarQube 7.1 server running on a Docker container
  • Apache Maven installed

Official Apache Maven repository: Maven Download

Installation steps:

  • Update your Maven config file settings.xml using the settings you can download from here: settings-sonar.xml

Ensure the following tags are present:
<pluginGroup>...</pluginGroup>
<profile>...</profile>

Maven specific settings
  • Choose a working folder for the Sonar OpenAPI plugin and download the source code into it from the official GitHub repository: sonar-openapi.git
  • Edit the main pom.xml and update the SonarQube version to 7.1
The pom.xml is located in the main project folder
  • Locate and update the value of the following tags:
    <sonarQubeMinVersion>7.1</sonarQubeMinVersion>
    <sonar.version>7.1</sonar.version>
  • Open a shell terminal in the working folder and execute the following Maven command to build the project: mvn clean install
Maven command output

The build creates a jar file in the folder sonar-openapi-plugin\target. By default the file name is sonar-openapi-plugin-1.2.3-SNAPSHOT.jar

Folder view: sonar-openapi-plugin\target
  • Copy the plugin jar to the folder extensions/plugins inside the SonarQube server root folder
  • Restart the SonarQube server to end the setup

OpenAPI Plugin installation in a Docker container

To install the OpenAPI plugin manually when SonarQube runs in a Docker container, use the docker cp command to copy the jar file into the container.

The docker cp command copies files between the host file system and the Docker container.

Before using the docker cp command, you need to know the name of the Docker container running the SonarQube server. There are two ways to find this out:

  • Option 1: In a shell terminal execute the command docker ps
  • Option 2: Locate the container’s name in Docker Desktop
Registered containers in Docker Desktop
  • The target folder inside the Docker container is: /opt/sonarqube/extensions/plugins

Example:

docker cp "C:\dev\sonar-openapi\sonar-openapi-plugin\target\sonar-openapi-plugin-1.2.3-SNAPSHOT.jar" sonarqube_sonarqube_1:/opt/sonarqube/extensions/plugins

  • Restart the docker container
  • Navigate to the web console: http://localhost:9000
  • Use the default credentials: admin / admin
  • Verify the OpenAPI rules are available in the menu Rules
SonarQube web console
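
The install steps above as one PowerShell script, added here as an example and not part of the original guide: it resolves the container name with docker ps, compares the jar's SHA-256 before and after docker cp, restarts the container, and confirms the plugin through the SonarQube web API. The sonarqube:7.1 image tag, the presence of sha256sum inside the image, and the "openapi" match string are assumptions.

```powershell
# Added example: install the locally built plugin jar and confirm the server loaded it.
$ErrorActionPreference = 'Stop'

$Jar       = 'C:\dev\sonar-openapi\sonar-openapi-plugin\target\sonar-openapi-plugin-1.2.3-SNAPSHOT.jar'
$PluginDir = '/opt/sonarqube/extensions/plugins'
$BaseUrl   = 'http://localhost:9000'
$Image     = 'sonarqube:7.1'    # assumption: image tag used in docker-compose.yml

# Resolve the container name from the image instead of hard-coding it.
$Container = docker ps --filter "ancestor=$Image" --format '{{.Names}}' | Select-Object -First 1
if (-not $Container) { throw "No running container based on $Image was found." }

# Hash the jar before copying so the copy inside the container can be compared.
$JarName   = Split-Path -Path $Jar -Leaf
$LocalHash = (Get-FileHash -Path $Jar -Algorithm SHA256).Hash.ToLower()

# ${Container} needs braces: "$Container:..." would be parsed as a scoped variable.
docker cp $Jar "${Container}:$PluginDir"
if ($LASTEXITCODE -ne 0) { throw 'docker cp failed.' }

# Assumption: sha256sum (coreutils) is available inside the image.
$RemoteHash = ((docker exec $Container sha256sum "$PluginDir/$JarName") -split '\s+')[0]
if ($RemoteHash -ne $LocalHash) { throw "Hash mismatch for $JarName inside $Container." }

docker restart $Container | Out-Null

# Poll api/system/status until the server reports UP (5 minute limit).
$Deadline = (Get-Date).AddMinutes(5)
do {
    Start-Sleep -Seconds 5
    try   { $Status = (Invoke-RestMethod -Uri "$BaseUrl/api/system/status").status }
    catch { $Status = 'unreachable' }
} until ($Status -eq 'UP' -or (Get-Date) -gt $Deadline)
if ($Status -ne 'UP') { throw "SonarQube did not come back up (last status: $Status)." }

# List installed plugins as an administrator, using Basic authentication.
$Cred    = Get-Credential -Message 'SonarQube administrator account'
$Pair    = '{0}:{1}' -f $Cred.UserName, $Cred.GetNetworkCredential().Password
$Auth    = 'Basic ' + [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Pair))
$Plugins = (Invoke-RestMethod -Uri "$BaseUrl/api/plugins/installed" -Headers @{ Authorization = $Auth }).plugins

# Assumption: the plugin's key, name or file name contains "openapi".
$Found = $Plugins | Where-Object { "$($_.key) $($_.name) $($_.filename)" -match 'openapi' }
if (-not $Found) { throw 'The OpenAPI plugin is not listed by api/plugins/installed.' }
$Found | Select-Object key, name, version
```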


Using SonarScanner with Maven projects

It is recommended to use SonarScanner as the default scanner for projects managed with Maven. It allows the SonarQube analysis to be run before the developer build or through a continuous integration pipeline, without the need to manually download, configure and maintain an installation of SonarQube Runner.

Official documentation:
SonarScanner for Maven | SonarQube Docs

Prerequisites:

  • Java 8
  • Apache Maven with SonarQube settings-sonar.xml
  • SonarQube 7.1 server with the OpenAPI plugin installed

Procedure:

  • Open a shell terminal at the root location of the project and run the Maven command to perform source code analysis:
    mvn clean verify sonar:sonar
  • Verify the output:
  • Navigate to the URL provided by the build output (highlighted in the image above on line 7) to access the report in SonarQube.

The report will be available as a project created on the SonarQube server:

Quality report view on web console
