DevSecOps (SonarQube, OWASP Dependency-Check, Trivy) in Jenkins for a Java project
First install Jenkins and Docker. Here I am using an Oracle Cloud server, so Jenkins' port 8080 has to be opened in iptables (if the port is still unreachable afterwards, check the cloud-side firewall / security list as well).
# Allow inbound TCP to Jenkins; replace {PORT} with 8080.
# -I inserts the rule at the top of INPUT, so it wins over any later REJECT/DROP.
# As written it accepts connections from every source address; on an
# internet-facing host add `-s <your-ip>/32` so only you can reach the login
# page. iptables rules are not kept across a reboot unless saved separately.
sudo iptables -I INPUT -p tcp --dport {PORT} -j ACCEPT
Then run SonarQube from the official Docker image:
# SonarQube LTS (community edition) as a detached container, web UI on 9000.
# -p 9000:9000 publishes the port on every interface of the host.
# No volume is mounted, so analysis history lives in the container's writable
# layer and is lost if the container is removed (mount /opt/sonarqube/data
# to keep it). The default login is admin/admin - change it on first login.
docker run -d -it --name sonarQube-server -p 9000:9000 sonarqube:lts-community
Open port 9000 in iptables the same way. Both 8080 and 9000 are now reachable from any address that can reach the server; on a public host restrict the rules by source IP or front the services with a TLS reverse proxy.
Install Trivy on the same instance:
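sudo apt-get install wget apt-transport-https gnupg lsb-release
# apt-key is deprecated and absent from recent Debian/Ubuntu releases. Store
# the Trivy signing key in its own keyring and bind it to this repository with
# signed-by, so the key cannot vouch for any other apt source.
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
# tee without -a: re-running the setup overwrites the list file instead of
# appending a duplicate entry.
echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install trivy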
Install these plugins in Jenkins and then restart it:
SonarQube Scanner
Sonar Quality Gate
OWASP Dependency-Check
Docker
Integrate Jenkins and SonarQube
Jenkins sends the code to SonarQube, SonarQube analyses it for bugs and vulnerabilities, and the quality-gate result is sent back to Jenkins through the webhook configured below.
The default SonarQube username and password are both admin; change the password on first login, before anyone else can reach port 9000.
In SonarQube
Go to Administration (top menu bar).
Click Configuration > Webhooks.
Click Create and enter any name.
Enter the Jenkins URL followed by sonarqube-webhook/, for example:
http://144.24.107.181:8080/sonarqube-webhook/ (use your own Jenkins address; with a plain-HTTP URL the webhook payload crosses the network unencrypted)
Then do the corresponding setup in Jenkins:
1. First generate a token in SonarQube.
2. Administration (as above) > Security > Users.
3. Under the Tokens column click the three dots and generate a token for Jenkins. Copy it now.
Go to Jenkins:
Manage Jenkins > Credentials > Add > Secret text; ID: sonar; Secret: paste the token. Keeping the token as a Jenkins credential (rather than in the Jenkinsfile) keeps it out of the repository and masked in build logs.
Manage Jenkins > System > SonarQube servers > Add SonarQube; Name: sonar; Server URL: http://&lt;sonarqube-host&gt;:9000; Server authentication token: sonar. The pipelines below reference this server name in withSonarQubeEnv(), so the two must agree.
save
Manage Jenkins > Tools > SonarQube Scanner installations > enter a name (the pipelines below use 'sonar') > Save
Manage Jenkins > Tools > Dependency-Check installations > Install automatically > Add Installer (from GitHub). The installation name must match odcInstallation in the pipeline ('DP-check').
Install Tomcat on the server
Install Tomcat 9 from the distribution package:
# Tomcat 9 from apt: runs as the tomcat user, webapps directory is
# /var/lib/tomcat9/webapps (the deploy stage below copies the WAR there, so
# the jenkins user needs write access to it). Tomcat's default HTTP connector
# also listens on 8080 - the same port Jenkins uses - so on a shared host move
# one of them (Tomcat: /etc/tomcat9/server.xml).
sudo apt-get install tomcat9
Jenkins pipeline (first working version)
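pipeline {
    agent any
    environment {
        // Name of the SonarQube Scanner installation under Manage Jenkins > Tools.
        SONAR_HOME = tool name: 'sonar'
    }
    stages {
        stage('Check Java') {
            steps {
                sh 'echo $JAVA_HOME'
                sh 'java -version'
            }
        }
        stage('Clone') {
            steps {
                git url: 'https://github.com/krishnaacharyaa/wanderlust.git', branch: 'main'
            }
        }
        stage('SonarQube Quality Analysis') {
            steps {
                // 'sonar-server' must match the server name configured under
                // Manage Jenkins > System > SonarQube servers (the setup notes
                // above register it as 'sonar'). withSonarQubeEnv injects the
                // server URL and token, so neither appears in the script.
                // NOTE(review): projectKey/projectName say Petclinic while the
                // clone above fetches 'wanderlust' - confirm which project this
                // analysis is meant for.
                withSonarQubeEnv('sonar-server') {
                    sh "${SONAR_HOME}/bin/sonar-scanner -Dsonar.projectName=Petclinic -Dsonar.projectKey=Petclinic"
                }
            }
        }
        stage('OWASP Dependency Check') {
            steps {
                // --format XML guarantees the report file the publisher below
                // looks for. Installation name must match Manage Jenkins > Tools.
                dependencyCheck additionalArguments: "--scan ./ --format XML", odcInstallation: "DP-check"
                dependencyCheckPublisher pattern: "**/dependency-check-report.xml"
            }
        }
        stage('SonarQube Quality Gate') {
            steps {
                // Waits for the webhook (Administration > Configuration > Webhooks)
                // to deliver the gate status. abortPipeline: true makes a failed
                // gate actually stop the pipeline; with false the gate was only
                // informational and every build went green regardless.
                timeout(time: 2, unit: 'MINUTES') {
                    waitForQualityGate abortPipeline: true
                }
            }
        }
        stage('Trivy File System Scan') {
            steps {
                // --format table is plain text, so the report is a .txt, not .html.
                // --exit-code 1 fails the stage on HIGH/CRITICAL findings; relax
                // --severity while onboarding if the baseline is noisy.
                sh 'trivy fs --format table --severity HIGH,CRITICAL --exit-code 1 --output trivy-fs-report.txt .'
            }
        }
    }
}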
Pre-final working pipeline
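pipeline {
    agent any
    environment {
        // Name of the SonarQube Scanner installation under Manage Jenkins > Tools.
        SONAR_HOME = tool 'sonar'
    }
    stages {
        stage('Check Java') {
            steps {
                sh 'echo $JAVA_HOME'
                sh 'java -version'
            }
        }
        stage('Clone') {
            steps {
                git url: 'https://github.com/satyagilegitbytes/Petclinic.git', branch: 'main'
            }
        }
        stage('Build the Code') {
            steps {
                // Build before the Sonar analysis: the Java analyzer needs the
                // compiled classes (sonar.java.binaries), and target/classes does
                // not exist when the scanner runs straight after the clone.
                sh 'mvn clean package'
            }
        }
        stage('SonarQube Quality Analysis') {
            steps {
                // 'sonar-server' must match the server name configured under
                // Manage Jenkins > System > SonarQube servers (the setup notes
                // above register it as 'sonar'). withSonarQubeEnv injects the
                // server URL and token, so neither appears in the script.
                // -X was dropped: it only adds debug output; re-add when
                // troubleshooting the scanner.
                withSonarQubeEnv('sonar-server') {
                    sh '''${SONAR_HOME}/bin/sonar-scanner \
                        -Dsonar.projectName=Petclinic \
                        -Dsonar.projectKey=Petclinic \
                        -Dsonar.java.binaries=target/classes'''
                }
            }
        }
        stage('SonarQube Quality Gate') {
            steps {
                // Waits for the webhook to deliver the gate status.
                // abortPipeline: true makes a failed gate stop the pipeline
                // before anything is packaged, pushed or deployed; with false
                // the gate was only informational.
                timeout(time: 2, unit: 'MINUTES') {
                    waitForQualityGate abortPipeline: true
                }
            }
        }
        stage('OWASP Dependency Check') {
            steps {
                // --format XML guarantees the report file the publisher below
                // looks for. NOTE(review): recent Dependency-Check releases need
                // an NVD API key (--nvdApiKey) for the database update to finish
                // in reasonable time - confirm for the installed version.
                dependencyCheck additionalArguments: "--scan ./ --format XML", odcInstallation: "DP-check"
                dependencyCheckPublisher pattern: "**/dependency-check-report.xml"
            }
        }
        stage('Trivy File System Scan') {
            steps {
                // Scan the workspace (sources, pom, built artefacts) BEFORE the
                // image is built and pushed, so a vulnerable build is never
                // published. --format table is plain text, hence .txt.
                // --exit-code 1 fails the stage on HIGH/CRITICAL findings; relax
                // --severity while onboarding if the baseline is noisy.
                sh 'trivy fs --format table --severity HIGH,CRITICAL --exit-code 1 --output trivy-fs-report.txt .'
            }
        }
        stage('Docker Build & Push The Code') {
            steps {
                withCredentials([usernamePassword(credentialsId: 'dockercred', passwordVariable: 'dockerhubPass', usernameVariable: 'dockerhubuser')]) {
                    sh 'docker build -t notes-app .'
                    // Single-quoted sh scripts: the shell reads $dockerhubuser and
                    // $dockerhubPass from the environment, so the secret is never
                    // interpolated by Groovy into the script text (which Jenkins
                    // warns about and which defeats log masking).
                    sh 'docker tag notes-app "$dockerhubuser"/javacode:latest'
                    // --password-stdin keeps the password off the command line,
                    // where `docker login -p` exposes it to the process list.
                    sh 'echo "$dockerhubPass" | docker login -u "$dockerhubuser" --password-stdin'
                    sh 'docker push "$dockerhubuser"/javacode:latest'
                }
            }
        }
        stage('Deploy The Code') {
            steps {
                // Relative to the workspace, so the job name is not hard-coded
                // into the path. The jenkins user needs write access to the
                // Tomcat webapps directory (/var/lib/tomcat9/webapps for the apt
                // package; some installs use /opt/tomcat/webapps instead).
                sh 'cp target/petclinic.war /var/lib/tomcat9/webapps/'
            }
        }
    }
}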
Final pipeline
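pipeline {
    agent any
    environment {
        // Name of the SonarQube Scanner installation under Manage Jenkins > Tools.
        SONAR_HOME = tool 'sonar'
    }
    stages {
        stage('Check Java') {
            steps {
                sh 'echo $JAVA_HOME'
                sh 'java -version'
            }
        }
        stage('Clone') {
            steps {
                // The URL embeds the Bitbucket account name. For a private
                // repository pass credentialsId: '<jenkins-credential-id>' to
                // the git step instead of relying on the name in the URL.
                git url: 'https://first_workspace5-admin@bitbucket.org/first_workspace5/petclinic.git', branch: 'main'
            }
        }
        stage('Build the Code') {
            steps {
                // Build before the Sonar analysis: the Java analyzer needs the
                // compiled classes (sonar.java.binaries), and target/classes does
                // not exist when the scanner runs straight after the clone.
                sh 'mvn clean package'
            }
        }
        stage('SonarQube Quality Analysis') {
            steps {
                // 'sonar-server' must match the server name configured under
                // Manage Jenkins > System > SonarQube servers (the setup notes
                // above register it as 'sonar'). withSonarQubeEnv injects the
                // server URL and token, so neither appears in the script.
                // -X was dropped: it only adds debug output; re-add when
                // troubleshooting the scanner.
                withSonarQubeEnv('sonar-server') {
                    sh '''${SONAR_HOME}/bin/sonar-scanner \
                        -Dsonar.projectName=Petclinic \
                        -Dsonar.projectKey=Petclinic \
                        -Dsonar.java.binaries=target/classes'''
                }
            }
        }
        stage('SonarQube Quality Gate') {
            steps {
                // Waits for the webhook to deliver the gate status.
                // abortPipeline: true makes a failed gate stop the pipeline
                // before anything is pushed or deployed; with false the gate
                // was only informational.
                timeout(time: 2, unit: 'MINUTES') {
                    waitForQualityGate abortPipeline: true
                }
            }
        }
        stage('OWASP Dependency Check') {
            steps {
                // --format XML guarantees the report file the publisher below
                // looks for. NOTE(review): recent Dependency-Check releases need
                // an NVD API key (--nvdApiKey) for the database update to finish
                // in reasonable time - confirm for the installed version.
                dependencyCheck additionalArguments: "--scan ./ --format XML", odcInstallation: "DP-check"
                dependencyCheckPublisher pattern: "**/dependency-check-report.xml"
            }
            post {
                always {
                    // Keep the raw report with the build even when the stage fails.
                    archiveArtifacts artifacts: '**/dependency-check-report.xml', allowEmptyArchive: true
                }
            }
        }
        stage('Trivy File System Scan') {
            steps {
                // Scan the workspace (sources, pom, built artefacts) BEFORE the
                // image is built and pushed, so a vulnerable build is never
                // published. --format table is plain text, hence .txt.
                // --exit-code 1 fails the stage on HIGH/CRITICAL findings; relax
                // --severity while onboarding if the baseline is noisy.
                sh 'trivy fs --format table --severity HIGH,CRITICAL --exit-code 1 --output trivy-fs-report.txt .'
            }
            post {
                always {
                    // Archived even when the gate fails, so the findings are visible.
                    archiveArtifacts artifacts: 'trivy-fs-report.txt', allowEmptyArchive: true
                }
            }
        }
        stage('Docker Build & Push The Code') {
            steps {
                withCredentials([usernamePassword(credentialsId: 'dockercred', passwordVariable: 'dockerhubPass', usernameVariable: 'dockerhubuser')]) {
                    sh 'docker build -t notes-app .'
                    // Single-quoted sh scripts: the shell reads $dockerhubuser and
                    // $dockerhubPass from the environment, so the secret is never
                    // interpolated by Groovy into the script text (which Jenkins
                    // warns about and which defeats log masking).
                    sh 'docker tag notes-app "$dockerhubuser"/javacode:latest'
                    // --password-stdin keeps the password off the command line,
                    // where `docker login -p` exposes it to the process list.
                    sh 'echo "$dockerhubPass" | docker login -u "$dockerhubuser" --password-stdin'
                    sh 'docker push "$dockerhubuser"/javacode:latest'
                }
            }
        }
        stage('Deploy The Code') {
            steps {
                // Relative to the workspace, so the job name is not hard-coded
                // into the path (check the build log for the actual WAR name).
                // The jenkins user needs write access to the Tomcat webapps
                // directory: /var/lib/tomcat9/webapps for the apt package, or
                // /opt/tomcat/webapps on a manual install.
                // (The original '#...' note here was a Groovy syntax error -
                // '#' does not start a comment in a Jenkinsfile.)
                sh 'cp target/petclinic.war /var/lib/tomcat9/webapps/'
            }
        }
    }
}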