DevSecOps (SonarQube, OWASP Dependency-Check, Trivy) in Jenkins for a Java project

First we need to install Jenkins and Docker.

Here I am using an Oracle server for that; you then have to open port 8080 in iptables:

# Allow inbound TCP on the Jenkins port: replace {PORT} with 8080.
# -I inserts the rule at the top of the INPUT chain; it is only in memory and
# is lost on reboot unless saved (e.g. with iptables-persistent).
# Consider adding -s <trusted CIDR> so Jenkins is not reachable from everywhere.
sudo iptables -I INPUT -p tcp -m tcp --dport {PORT} -j ACCEPT

Then for SonarQube use this Docker image and run it:

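 # SonarQube server listening on port 9000.
 # Named volumes keep projects, rules, tokens and webhooks when the container is
 # recreated; without them everything is lost on `docker rm`.
 # The image ships with the admin/admin login: change the password on first login.
 docker run -itd --name sonarQube-server -p 9000:9000 \
   -v sonarqube_data:/opt/sonarqube/data \
   -v sonarqube_extensions:/opt/sonarqube/extensions \
   -v sonarqube_logs:/opt/sonarqube/logs \
   sonarqube:lts-community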

Open port 9000 the same way as port 8080 above.

Install Trivy on the same instance:

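sudo apt-get install wget apt-transport-https gnupg lsb-release
# Store the repository signing key in its own keyring and bind it to this
# repo with signed-by: apt-key is deprecated and would trust the key for
# every configured repository.
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
# Plain tee (not -a) so re-running these steps does not duplicate the entry.
echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install trivy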

Install these plugins in Jenkins and then restart it:

SonarQube Scanner
Sonar Quality Gate
OWASP Dependency-Check
Docker

Integrate Jenkins and SonarQube

Here the code goes from Jenkins to SonarQube, which checks it for vulnerabilities and sends the result back to Jenkins.

The default SonarQube username and password are both admin.

In SonarQube

  1. Go to Administration (top menu).

  2. Click Configuration, then Webhooks.

  3. Click Create and enter any name.

  4. Enter the Jenkins URL followed by sonarqube-webhook/, for example:

http://144.24.107.181:8080/sonarqube-webhook/

Now do the Jenkins side:

1. First, generate a token in SonarQube.

2. Administration (same menu) > Security > Users

3. Under the Tokens column click the three dots, generate a token for Jenkins there, and copy it.

Go to Jenkins:

Manage Jenkins > Credentials > Secret text > ID: sonar (paste the token as the secret text)

Manage Jenkins > System > SonarQube servers > Add SonarQube > Name: sonar > Server URL: (SonarQube URL:9000) > Server authentication token: sonar. The pipelines below pass this server name to withSonarQubeEnv, so the two must match.

Save.

Manage Jenkins > Tools > SonarQube Scanner installations > enter a name (the pipelines below use 'sonar') > Save

Manage Jenkins > Tools > Dependency-Check installations > Install automatically > Add installer (from GitHub); the pipelines below reference this installation as DP-check.

Install Tomcat on the server

Install the Tomcat package:

# Tomcat from the distro package; its webapps directory is /var/lib/tomcat9/webapps,
# which the pipeline's Deploy stage copies the WAR into, so the jenkins user
# needs write access to that directory (verify on the box).
sudo apt-get install tomcat9

Jenkins Working Pipeline

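pipeline {
    agent any
    environment {
        // Path of the SonarQube Scanner installation configured under
        // Manage Jenkins > Tools; the installation must be named 'sonar'.
        SONAR_HOME = tool name: 'sonar'
    }

    stages {
        // Sanity check that the agent has a JDK before anything else runs.
        stage('Check Java') {
            steps {
                sh 'echo $JAVA_HOME'
                sh 'java -version'
            }
        }
        stage('Clone') {
            steps {
                git url: 'https://github.com/krishnaacharyaa/wanderlust.git', branch: 'main'
            }
        }
        // Static analysis. withSonarQubeEnv injects the URL and token of the
        // server named 'sonar-server' (Manage Jenkins > System); the later
        // pipelines also pass -Dsonar.java.binaries, which Java projects need.
        stage('SonarQube Quality Analysis') {
            steps {
                withSonarQubeEnv('sonar-server') {
                    sh "${SONAR_HOME}/bin/sonar-scanner -Dsonar.projectName=Petclinic -Dsonar.projectKey=Petclinic"
                }
            }
        }
        // Dependency (SCA) scan of the checked-out tree; 'DP-check' is the
        // Dependency-Check installation name from Manage Jenkins > Tools.
        stage('OWASP Dependency Check') {
            steps {
                dependencyCheck additionalArguments: "--scan ./", odcInstallation: "DP-check"
                dependencyCheckPublisher pattern: "**/dependency-check-report.xml"
            }
        }
        // Waits for the SonarQube webhook. abortPipeline: false only records
        // the gate result; set it to true to fail the build on a failed gate.
        stage('SonarQube Quality Gate') {
            steps {
                timeout(time: 2, unit: 'MINUTES') {
                    waitForQualityGate abortPipeline: false
                }
            }
        }
        // Filesystem scan of the workspace. --format table writes plain text,
        // so the report gets a .txt name rather than a misleading .html one.
        // Trivy exits 0 regardless of findings unless --exit-code is given.
        stage('Trivy File System Scan') {
            steps {
                sh 'trivy fs --format table --output trivy-fs-report.txt .'
            }
        }

    }
}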

Pre-Final Working Pipeline

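pipeline {
    agent any
    environment {
        // SonarQube Scanner installation named 'sonar' (Manage Jenkins > Tools).
        SONAR_HOME = tool 'sonar'
    }

    stages {
        // Sanity check that the agent has a JDK before the build runs.
        stage('Check Java') {
            steps {
                sh 'echo $JAVA_HOME'
                sh 'java -version'
            }
        }
        stage('Clone') {
            steps {
                git url: 'https://github.com/satyagilegitbytes/Petclinic.git', branch: 'main'
            }
        }
        // withSonarQubeEnv injects the URL/token of the server named
        // 'sonar-server' (Manage Jenkins > System). The triple-quoted string is
        // not interpolated by Groovy, so the shell expands ${SONAR_HOME}.
        // -X is debug logging; drop it once the scan is stable.
        stage('SonarQube Quality Analysis') {
            steps {
                withSonarQubeEnv('sonar-server') {
                    sh ''' ${SONAR_HOME}/bin/sonar-scanner -X -Dsonar.projectName=Petclinic \
                    -Dsonar.java.binaries=. \
                    -Dsonar.projectKey=Petclinic '''
                }
            }
        }
        // Dependency (SCA) scan; 'DP-check' is the Dependency-Check
        // installation name from Manage Jenkins > Tools.
        stage('OWASP Dependency Check') {
            steps {
                dependencyCheck additionalArguments: "--scan ./", odcInstallation: "DP-check"
                dependencyCheckPublisher pattern: "**/dependency-check-report.xml"
            }
        }
        // abortPipeline: false only records the gate result; set it to true
        // to fail the build when the gate fails.
        stage('SonarQube Quality Gate') {
            steps {
                timeout(time: 2, unit: 'MINUTES') {
                    waitForQualityGate abortPipeline: false
                }
            }
        }
        stage('Build the Code') {
            steps {
                sh "mvn clean package"
                // sh "docker build -t shopping-cart:dev -f docker/Dockerfile ."
            }
        }
        // Registry credentials are read by the shell from the environment
        // (single-quoted Groovy strings), never interpolated into the command
        // text: interpolating them puts the secret on the command line, where
        // it is visible in the process list, and Jenkins warns about it.
        // The password goes to docker login on stdin (--password-stdin) instead
        // of -p for the same reason; set +x keeps the shell from echoing it.
        stage('Docker Build & Push The Code') {
            steps {
                script {
                    withCredentials([usernamePassword(credentialsId: 'dockercred', passwordVariable: 'dockerhubPass', usernameVariable: 'dockerhubuser')]) {
                        sh 'docker build -t notes-app .'
                        sh 'docker tag notes-app "$dockerhubuser/javacode:latest"'
                        // Uncomment the following line if you need to tag another image
                        // sh 'docker tag notes-app01 "$dockerhubuser/backend1-image:01"'
                        sh 'set +x; printf "%s" "$dockerhubPass" | docker login -u "$dockerhubuser" --password-stdin'
                        sh 'docker push "$dockerhubuser/javacode:latest"'
                        // Uncomment the following line if you need to push another image
                        // sh 'docker push "$dockerhubuser/backend1-image:01"'
                    }
                }
            }
        }
        // --format table writes plain text, hence the .txt name.
        stage('Trivy File System Scan') {
            steps {
                sh 'trivy fs --format table --output trivy-fs-report.txt .'
            }
        }
        // Copies the WAR built by 'mvn clean package' into Tomcat's webapps.
        // The source path is relative to the job workspace, so it keeps working
        // when the job is renamed (the old absolute path was tied to job
        // 'test_03'). Check the WAR name in the build log and the webapps
        // location (/var/lib/tomcat9/webapps for the apt package; some installs
        // use /opt/tomcat/webapps); the jenkins user needs write access there.
        stage('Deploy The Code') {
            steps {
                sh 'cp target/petclinic.war /var/lib/tomcat9/webapps/'
            }
        }

    }
}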

Final Pipeline (Last)

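pipeline {
    agent any
    environment {
        // SonarQube Scanner installation named 'sonar' (Manage Jenkins > Tools).
        SONAR_HOME = tool 'sonar'
    }

    stages {
        // Sanity check that the agent has a JDK before the build runs.
        stage('Check Java') {
            steps {
                sh 'echo $JAVA_HOME'
                sh 'java -version'
            }
        }
        // The account name is embedded in the clone URL; prefer a Jenkins
        // credential (git credentialsId: ...) and a plain repository URL so
        // the identity is not baked into the pipeline definition.
        stage('Clone') {
            steps {
                git url: 'https://first_workspace5-admin@bitbucket.org/first_workspace5/petclinic.git', branch: 'main'
            }
        }
        // withSonarQubeEnv injects the URL/token of the server named
        // 'sonar-server' (Manage Jenkins > System). The triple-quoted string is
        // not interpolated by Groovy, so the shell expands ${SONAR_HOME}.
        // -X is debug logging; drop it once the scan is stable.
        stage('SonarQube Quality Analysis') {
            steps {
                withSonarQubeEnv('sonar-server') {
                    sh ''' ${SONAR_HOME}/bin/sonar-scanner -X -Dsonar.projectName=Petclinic \
                    -Dsonar.java.binaries=. \
                    -Dsonar.projectKey=Petclinic '''
                }
            }
        }
        // Dependency (SCA) scan; 'DP-check' is the Dependency-Check
        // installation name from Manage Jenkins > Tools. The XML report is
        // archived even when the scan fails so it can be inspected.
        stage('OWASP Dependency Check') {
            steps {
                dependencyCheck additionalArguments: "--scan ./", odcInstallation: "DP-check"
                dependencyCheckPublisher pattern: "**/dependency-check-report.xml"
            }
            post {
                always {
                    archiveArtifacts artifacts: '**/dependency-check-report.xml', allowEmptyArchive: true
                }
            }
        }
        // abortPipeline: false only records the gate result; set it to true
        // to fail the build when the gate fails.
        stage('SonarQube Quality Gate') {
            steps {
                timeout(time: 2, unit: 'MINUTES') {
                    waitForQualityGate abortPipeline: false
                }
            }
        }
        stage('Build the Code') {
            steps {
                sh "mvn clean package"
                // sh "docker build -t shopping-cart:dev -f docker/Dockerfile ."
            }
        }
        // Registry credentials are read by the shell from the environment
        // (single-quoted Groovy strings), never interpolated into the command
        // text: interpolating them puts the secret on the command line, where
        // it is visible in the process list, and Jenkins warns about it.
        // The password goes to docker login on stdin (--password-stdin) instead
        // of -p for the same reason; set +x keeps the shell from echoing it.
        stage('Docker Build & Push The Code') {
            steps {
                script {
                    withCredentials([usernamePassword(credentialsId: 'dockercred', passwordVariable: 'dockerhubPass', usernameVariable: 'dockerhubuser')]) {
                        sh 'docker build -t notes-app .'
                        sh 'docker tag notes-app "$dockerhubuser/javacode:latest"'
                        // Uncomment the following line if you need to tag another image
                        // sh 'docker tag notes-app01 "$dockerhubuser/backend1-image:01"'
                        sh 'set +x; printf "%s" "$dockerhubPass" | docker login -u "$dockerhubuser" --password-stdin'
                        sh 'docker push "$dockerhubuser/javacode:latest"'
                        // Uncomment the following line if you need to push another image
                        // sh 'docker push "$dockerhubuser/backend1-image:01"'
                    }
                }
            }
        }
        // --format table writes plain text, hence the .txt name; the archive
        // pattern below must match it.
        stage('Trivy File System Scan') {
            steps {
                sh 'trivy fs --format table --output trivy-fs-report.txt .'
            }
            post {
                always {
                    archiveArtifacts artifacts: 'trivy-fs-report.txt', allowEmptyArchive: true
                }
            }
        }
        // Copies the WAR built by 'mvn clean package' into Tomcat's webapps.
        // The source path is relative to the job workspace, so it keeps working
        // when the job is renamed (the old absolute path was tied to job
        // 'test_03'). Check the WAR name in the build log and the webapps
        // location: two possibilities are /var/lib/tomcat9/webapps (apt package)
        // and /opt/tomcat/webapps. The jenkins user needs write access there.
        // (The original '#' note here was a Groovy syntax error: comments are '//'.)
        stage('Deploy The Code') {
            steps {
                sh 'cp target/petclinic.war /var/lib/tomcat9/webapps/'
            }
        }

    }
}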