Build an Automated Security Code Scanning Platform with SonarQube, Jenkins, and SVN

This guide walks you through setting up a fully automated security code detection platform—covering environment preparation, installing JDK, MySQL, SVN, Maven, Tomcat, SonarQube, and Jenkins, configuring each component, integrating them via Jenkins pipelines, and running sample scans to generate actionable security reports.

Raymond Ops

Background and Purpose

With the rapid development of new business and technologies, software security defects are increasingly common. While developers usually perform unit and functional testing, security testing often lacks awareness, skills, and tools. This article proposes a method to test for software security defects as systematically as for functional defects and to embed that testing in the development lifecycle.

Overview of Automated Security Code Detection Platform

Security code audit tools statically scan source code for vulnerabilities such as buffer overflows, null pointer dereferences, resource leaks, and SQL injection. Existing tools (e.g., Fortify, FindBugs) are numerous, which makes selecting one and integrating it difficult for developers.

Building the Platform on SonarQube

3.1 Platform Overview

The platform integrates Jenkins, SVN, Maven, and SonarQube. Jenkins triggers scans on SVN commits, Maven compiles the code, and SonarQube performs static analysis and generates reports.

3.2 Core Design

Seamlessly embed into the software development process.

Automatic, efficient, and accurate detection.

Generate reports for project managers and developers.

3.3 Implementation Steps

3.3.1 Prepare the Environment

Hardware: 1 CPU core, 4 GB RAM, Linux (Ubuntu or CentOS). Install JDK 1.8 and MySQL as root. Open the profile in an editor:

vi /etc/profile

Add at the end of the file:

#JDK
JAVA_HOME=/usr/bin/jdk1.8.0_151
JRE_HOME=/usr/bin/jdk1.8.0_151/jre
CLASSPATH=.:$JAVA_HOME/lib/dt.jar:$JAVA_HOME/lib/tools.jar:$JAVA_HOME/lib:$JRE_HOME/lib:$CLASSPATH
PATH=$JAVA_HOME/bin:$PATH
# export them, otherwise Maven, Tomcat and Jenkins started from this shell will not see JAVA_HOME
export JAVA_HOME JRE_HOME CLASSPATH PATH

Apply changes:

source /etc/profile
java -version

3.3.2 Install MySQL 5.7

yum update
yum install -y mysql-server mysql-client

Set the root password to mysql and verify that the login works:

mysql -u root -p

3.3.3 Create a Non‑root User

adduser qube

Set its password to admin and grant sudo rights by editing /etc/sudoers:

# User privilege specification
root    ALL=(ALL:ALL) ALL
qube    ALL=(ALL:ALL) ALL

3.3.4 Install SVN Server

yum install subversion
mkdir -p /opt/svn/repos
svnadmin create /opt/svn/repos

Configure /opt/svn/repos/conf/svnserve.conf (the conf directory is created by svnadmin create):

anon-access = none
auth-access = write
password-db = passwd
authz-db = authz
realm = /opt/svn/repos

Configure passwd (user admin with password admin) and authz (grant admin read/write on /):

[/]
admin = rw

Start the service:

svnserve -d -r /opt/svn/repos

Verify that it is listening (default port 3690):

netstat -antp | grep svnserve

3.3.5 Install Maven

cd /opt
wget http://mirror.bit.edu.cn/apache/maven/maven-3/3.5.2/binaries/apache-maven-3.5.2-bin.tar.gz
tar -xf apache-maven-3.5.2-bin.tar.gz
mv apache-maven-3.5.2 maven

Add to /etc/profile:

#Maven
export M2_HOME=/opt/maven
export CLASSPATH=$CLASSPATH:$M2_HOME/lib
export PATH=$PATH:$M2_HOME/bin

Reload the profile and verify:

. /etc/profile
mvn -v

3.3.6 Install Tomcat 8.5

cd /opt
wget http://mirrors.shuosc.org/apache/tomcat/tomcat-8/v8.5.24/bin/apache-tomcat-8.5.24.tar.gz
tar -xf apache-tomcat-8.5.24.tar.gz
mv apache-tomcat-8.5.24 tomcat

Start Tomcat:

cd /opt/tomcat/bin
./catalina.sh start

Verify by accessing http://<server_ip>:8080.

3.3.7 Install Jenkins (war)

cd /opt
wget https://mirrors.tuna.tsinghua.edu.cn/jenkins/war-stable/2.138.3/jenkins.war
mv jenkins.war /opt/tomcat/webapps/

Access http://<server_ip>:8080/jenkins, complete the initial setup, and set the admin credentials (admin/admin).

3.3.8 Install SonarQube and Sonar‑Scanner

cd /opt
wget https://sonarsource.bintray.com/Distribution/sonarqube/sonarqube-6.7.1.zip
wget https://sonarsource.bintray.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-3.0.3.778.zip
unzip sonarqube-6.7.1.zip
unzip sonar-scanner-cli-3.0.3.778.zip
mv sonarqube-6.7.1 sonarqube
mv sonar-scanner-3.0.3.778 sonar-scanner

Add environment variables:

#SonarQube
export SONAR_HOME=/opt/sonarqube
export SONAR_RUNNER_HOME=/opt/sonar-scanner
export PATH=$PATH:$SONAR_RUNNER_HOME/bin

Reload the profile:

. /etc/profile

Create the MySQL database and user for SonarQube:

mysql -u root -p
CREATE DATABASE sonar DEFAULT CHARACTER SET utf8 COLLATE utf8_general_ci;
CREATE USER 'sonar' IDENTIFIED BY 'sonar';
GRANT ALL ON sonar.* TO 'sonar'@'%' IDENTIFIED BY 'sonar';
GRANT ALL ON sonar.* TO 'sonar'@'localhost' IDENTIFIED BY 'sonar';
FLUSH PRIVILEGES;

Configure /opt/sonarqube/conf/sonar.properties (set the JDBC URL, username, password, and web port 9000):

sonar.jdbc.username=sonar
sonar.jdbc.password=sonar
sonar.jdbc.url=jdbc:mysql://localhost:3306/sonar?useUnicode=true&characterEncoding=utf8&rewriteBatchedStatements=true&useConfigs=maxPerformance&useSSL=false
sonar.web.port=9000

Configure /opt/sonar-scanner/conf/sonar-scanner.properties. Only sonar.host.url is required: since SonarQube 5.2 the scanner talks to the server over HTTP and never opens the database itself.

sonar.host.url=http://localhost:9000
# The JDBC entries below are ignored by Sonar-Scanner 3.x and are kept only for reference;
# the port is MySQL's 3306, matching sonar.properties.
sonar.jdbc.username=sonar
sonar.jdbc.password=sonar
sonar.jdbc.url=jdbc:mysql://localhost:3306/sonar?useUnicode=true&characterEncoding=utf8&rewriteBatchedStatements=true&useConfigs=maxPerformance&useSSL=false

Start SonarQube:

cd /opt/sonarqube/bin/linux-x86-64
./sonar.sh start

Access http://<server_ip>:9000, log in with admin/admin, and optionally install the Chinese language plugin.

3.4 Using the Platform in Jenkins

Configure Jenkins system settings:

Set SonarQube server URL.

Add JDK and Maven installations under “Global Tool Configuration”.

Create a Maven job (e.g., helloWorld) with the following key sections:

Source Code Management – point to the SVN repository.

Build Triggers – e.g., poll SCM or schedule.

Build – add “Invoke SonarQube Scanner” and supply sonar-project.properties such as:

sonar.login=admin
sonar.password=admin
sonar.projectKey=test
sonar.projectName=test
sonar.projectVersion=0.1
sonar.sources=.
sonar.java.binaries=.

Run the job; Jenkins will compile with Maven, invoke Sonar‑Scanner, and push results to SonarQube.

After a successful build, open SonarQube UI to view security issues, code smells, and other metrics.
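Two of the files created above deserve a second look before the platform goes live: the SVN passwd file from 3.3.4 stores admin/admin in clear text, and the sonar-project.properties shown in 3.4 commits sonar.login and sonar.password into the repository next to the sources, using the built-in admin account. The shell script below is an added example and not part of the original article or of the SonarQube or Jenkins projects. It audits those files for the weak settings and writes a sonar-project.properties that carries no credentials at all. It assumes the conf/ layout that svnadmin create produces (svnserve.conf, passwd, authz), a Maven source layout for the hardened file, and that the scan token reaches the scanner at run time through a Jenkins credentials binding in an environment variable (SONAR_TOKEN is an assumed name). The sample files it writes are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original article): audit the SVN and SonarQube
# configuration files for weak settings and write a credential-free
# sonar-project.properties. Assumed: conf/ layout from `svnadmin create`,
# Maven source layout, token supplied by Jenkins as $SONAR_TOKEN.
set -u

# Print the value of "key = value" (first non-comment match) from an INI or
# .properties file; prints nothing when the key is absent.
cfg_get() {
    grep -v '^[[:space:]]*#' "$1" | grep "^[[:space:]]*$2[[:space:]]*=" | head -n 1 \
        | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//'
}

# Check an svnserve repository: anonymous access, trivial passwords, wildcard rw.
audit_svn() {
    conf="$1"   # e.g. /opt/svn/repos/conf
    anon=$(cfg_get "$conf/svnserve.conf" anon-access)
    if [ "$anon" = "none" ]; then
        echo "OK:   svnserve.conf anon-access = none"
    else
        echo "FAIL: svnserve.conf anon-access is '${anon:-unset}', expected 'none'"
    fi
    # passwd stores "user = password" in clear text, so weak entries are easy to spot
    grep -v '^[[:space:]]*[#[]' "$conf/passwd" | grep '=' | while IFS='=' read -r user pass; do
        user=$(printf '%s' "$user" | tr -d '[:space:]')
        pass=$(printf '%s' "$pass" | tr -d '[:space:]')
        if [ "$user" = "$pass" ] || [ "${#pass}" -lt 8 ]; then
            echo "FAIL: passwd user '$user' has a trivial password (equals user name or < 8 chars)"
        fi
    done
    # a "* = rw" rule in authz lets every authenticated user commit anywhere
    if grep -Eq '^[[:space:]]*\*[[:space:]]*=[[:space:]]*rw' "$conf/authz"; then
        echo "FAIL: authz grants rw to '*'"
    else
        echo "OK:   authz has no wildcard rw rule"
    fi
}

# Check a sonar-project.properties that is committed with the sources.
audit_sonar_project() {
    f="$1"
    login=$(cfg_get "$f" sonar.login)
    pass=$(cfg_get "$f" sonar.password)
    if [ -n "$pass" ]; then
        echo "FAIL: $f holds sonar.password in clear text next to the sources"
    fi
    if [ "$login" = "admin" ]; then
        echo "FAIL: $f scans as the built-in admin account; use a token of a dedicated user"
    fi
    if [ -z "$login$pass" ]; then
        echo "OK:   $f carries no credentials"
    fi
}

# Hardened variant: project metadata only. The token is passed at scan time as
# -Dsonar.login=$SONAR_TOKEN from the Jenkins credentials binding, never stored here.
write_hardened_project_properties() {
    cat > "$1" <<EOF
sonar.projectKey=$2
sonar.projectName=$2
sonar.projectVersion=$3
sonar.sources=src/main/java
sonar.java.binaries=target/classes
EOF
}

# Constructed sample reproducing the article's values: anon-access = none,
# passwd admin = admin, authz [/] admin = rw, and credentials in sonar-project.properties.
make_sample_configs() {
    mkdir -p "$1/svn/conf"
    printf '[general]\nanon-access = none\nauth-access = write\npassword-db = passwd\nauthz-db = authz\n' \
        > "$1/svn/conf/svnserve.conf"
    printf '[users]\nadmin = admin\n' > "$1/svn/conf/passwd"
    printf '[/]\nadmin = rw\n' > "$1/svn/conf/authz"
    printf 'sonar.login=admin\nsonar.password=admin\nsonar.projectKey=test\nsonar.sources=.\n' \
        > "$1/sonar-project.properties"
}

# Demo run: 1 SVN finding (admin/admin), 2 Sonar findings, 0 for the hardened file.
DEMO=$(mktemp -d)
make_sample_configs "$DEMO"
audit_svn "$DEMO/svn/conf"
audit_sonar_project "$DEMO/sonar-project.properties"
write_hardened_project_properties "$DEMO/hardened.properties" test 0.1
audit_sonar_project "$DEMO/hardened.properties"
rm -rf "$DEMO"
```

On the real platform, call audit_svn /opt/svn/repos/conf and audit_sonar_project on the checked-out sonar-project.properties. For the scan itself, generate a token in SonarQube (My Account > Security), store it in Jenkins as a "Secret text" credential bound to an environment variable, and pass it to the scanner as -Dsonar.login=$SONAR_TOKEN; the properties file in SVN then contains only project metadata and the password never enters the repository or the build log.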

Conclusion

The described platform demonstrates how to integrate static security analysis into a CI/CD pipeline using open‑source tools, providing automated, accurate detection and reporting of code vulnerabilities throughout the development lifecycle.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.
