
Build an Automated Security Code Scanning Platform with SonarQube, Jenkins, and SVN

This guide walks you through setting up a fully automated security code detection platform—covering environment preparation, installing JDK, MySQL, SVN, Maven, Tomcat, SonarQube, and Jenkins, configuring each component, integrating them via Jenkins pipelines, and running sample scans to generate actionable security reports.

Raymond Ops

Background and Purpose

With the rapid development of new business and technologies, software security defects are increasingly common. While developers usually perform unit and functional testing, security testing often lacks awareness, skills, and tools. This article proposes a method to test for software security defects as systematically as functional testing and to embed that testing in the development lifecycle.

Overview of Automated Security Code Detection Platform

Security code audit tools statically scan source code for vulnerabilities such as buffer overflows, null pointer dereferences, resource leaks, and SQL injection. Existing tools (e.g., Fortify, FindBugs) are numerous, making selection and integration difficult for developers.

Building the Platform on SonarQube

3.1 Platform Overview

The platform integrates Jenkins, SVN, Maven, and SonarQube. Jenkins triggers scans on SVN commits, Maven compiles the code, and SonarQube performs static analysis and generates reports.

3.2 Core Design

Seamlessly embed into the software development process.

Automatic, efficient, and accurate detection.

Generate reports for project managers and developers.

3.3 Implementation Steps

3.3.1 Prepare the Environment

Hardware: 1 CPU core, 4 GB RAM, Linux (Ubuntu or CentOS). Install JDK 1.8 and MySQL as root.

<code>vi /etc/profile</code>

Add at the end of the file:

<code>#JDK (exported so that Maven, Tomcat, Jenkins and SonarQube started later can find the JDK)
export JAVA_HOME=/usr/bin/jdk1.8.0_151
export JRE_HOME=/usr/bin/jdk1.8.0_151/jre
export CLASSPATH=.:$JAVA_HOME/lib/dt.jar:$JAVA_HOME/lib/tools.jar:$JAVA_HOME/lib:$JRE_HOME/lib:$CLASSPATH
export PATH=$JAVA_HOME/bin:$PATH</code>

Apply changes:

<code>source /etc/profile
java -version</code>

3.3.2 Install MySQL 5.7

<code>yum update
yum install -y mysql-server mysql-client</code>

Set the root password to <code>mysql</code> and verify:

<code>mysql -u root -p</code>

3.3.3 Create a Non‑root User

<code>adduser qube</code>

Set its password to <code>admin</code> and grant sudo rights by editing <code>/etc/sudoers</code>:

<code># User privilege specification
root    ALL=(ALL:ALL) ALL
qube    ALL=(ALL:ALL) ALL</code>

3.3.4 Install SVN Server

<code>yum install subversion
mkdir -p /opt/svn/repos
svnadmin create /opt/svn/repos</code>

Configure <code>svnserve.conf</code>:

<code>anon-access = none
auth-access = write
password-db = passwd
authz-db = authz
realm = /opt/svn/repos</code>

Configure <code>passwd</code> (user <code>admin</code> with password <code>admin</code>) and <code>authz</code> (grant <code>admin</code> read/write on <code>/</code>):

<code>[/]
admin = rw</code>

Start the service:

<code>svnserve -d -r /opt/svn/repos</code>

Verify:

<code>netstat -antp | grep svnserve</code>

3.3.5 Install Maven

<code>cd /opt
wget http://mirror.bit.edu.cn/apache/maven/maven-3/3.5.2/binaries/apache-maven-3.5.2-bin.tar.gz
tar -xf apache-maven-3.5.2-bin.tar.gz
mv apache-maven-3.5.2 maven</code>

Add to <code>/etc/profile</code>:

<code>#Maven
export M2_HOME=/opt/maven
export CLASSPATH=$CLASSPATH:$M2_HOME/lib
export PATH=$PATH:$M2_HOME/bin</code>

Apply changes and verify:

<code>. /etc/profile
mvn -v</code>

3.3.6 Install Tomcat 8.5

<code>cd /opt
wget http://mirrors.shuosc.org/apache/tomcat/tomcat-8/v8.5.24/bin/apache-tomcat-8.5.24.tar.gz
tar -xf apache-tomcat-8.5.24.tar.gz
mv apache-tomcat-8.5.24 tomcat</code>

Start Tomcat:

<code>cd /opt/tomcat/bin
./catalina.sh start</code>

Verify by opening http://<server_ip>:8080 in a browser.

3.3.7 Install Jenkins (war)

<code>cd /opt
wget https://mirrors.tuna.tsinghua.edu.cn/jenkins/war-stable/2.138.3/jenkins.war
mv jenkins.war /opt/tomcat/webapps/</code>

Open http://<server_ip>:8080/jenkins, complete the initial setup, and set the admin credentials (<code>admin/admin</code>).

3.3.8 Install SonarQube and Sonar‑Scanner

<code>cd /opt
wget https://sonarsource.bintray.com/Distribution/sonarqube/sonarqube-6.7.1.zip
wget https://sonarsource.bintray.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-3.0.3.778.zip
unzip sonarqube-6.7.1.zip
unzip sonar-scanner-cli-3.0.3.778.zip
mv sonarqube-6.7.1 sonarqube
mv sonar-scanner-3.0.3.778 sonar-scanner</code>

Add environment variables to <code>/etc/profile</code>:

<code>#SonarQube
export SONAR_HOME=/opt/sonarqube
export SONAR_RUNNER_HOME=/opt/sonar-scanner
export PATH=$PATH:$SONAR_RUNNER_HOME/bin</code>

Apply changes:

<code>. /etc/profile</code>

Create MySQL database for SonarQube:

<code>mysql -u root -p
CREATE DATABASE sonar DEFAULT CHARACTER SET utf8 COLLATE utf8_general_ci;
CREATE USER 'sonar' IDENTIFIED BY 'sonar';
GRANT ALL ON sonar.* TO 'sonar'@'%' IDENTIFIED BY 'sonar';
GRANT ALL ON sonar.* TO 'sonar'@'localhost' IDENTIFIED BY 'sonar';
FLUSH PRIVILEGES;</code>

Configure <code>sonar.properties</code> (set the JDBC URL, username, password, and web port 9000):

<code>sonar.jdbc.username=sonar
sonar.jdbc.password=sonar
sonar.jdbc.url=jdbc:mysql://localhost:3306/sonar?useUnicode=true&characterEncoding=utf8&rewriteBatchedStatements=true&useConfigs=maxPerformance&useSSL=false
sonar.web.port=9000</code>

Configure <code>sonar-scanner.properties</code>:

<code>sonar.host.url=http://localhost:9000
# The scanner only talks to the server over HTTP; since SonarQube 5.2 it never opens a
# database connection, so the JDBC lines below are inert. If kept, they must match
# sonar.properties (MySQL listens on 3306, not 3300).
sonar.jdbc.username=sonar
sonar.jdbc.password=sonar
sonar.jdbc.url=jdbc:mysql://localhost:3306/sonar?useUnicode=true&characterEncoding=utf8&rewriteBatchedStatements=true&useConfigs=maxPerformance&useSSL=false</code>

Start SonarQube:

<code>cd /opt/sonarqube/bin/linux-x86-64
./sonar.sh start</code>

Open http://<server_ip>:9000, log in with <code>admin/admin</code>, and optionally install the Chinese language plugin.
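
A post-install smoke check for the components set up in 3.3.1 to 3.3.8 (an added example, not part of the article). It assumes the article's install paths and ports (/opt/sonarqube, /opt/sonar-scanner, Tomcat/Jenkins on 8080, SonarQube on 9000), svnserve's default port 3690, and that ss or netstat is available; the configuration check also catches the kind of port mismatch between sonar.properties and sonar-scanner.properties that is easy to introduce when copying JDBC URLs between files.

```shell
#!/bin/sh
# Smoke check for the SonarQube/Jenkins/SVN platform (added example, not from the
# article). Assumed: article's paths, Tomcat 8080, SonarQube 9000, svnserve 3690.
# Usage: sh smoke_check.sh run
SONAR_PROPS="${SONAR_PROPS:-/opt/sonarqube/conf/sonar.properties}"
SCANNER_PROPS="${SCANNER_PROPS:-/opt/sonar-scanner/conf/sonar-scanner.properties}"

# prop KEY FILE: value of the last uncommented KEY=VALUE line in a properties file
prop() { sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" | tail -n 1; }

# url_port URL: port of http://host:port/... (80 when none is given)
url_port() {
  p=$(printf '%s' "$1" | sed -n 's#^[a-z]*://[^/:]*:\([0-9]*\).*#\1#p')
  printf '%s' "${p:-80}"
}

# jdbc_port URL: port of jdbc:mysql://host:port/db?...
jdbc_port() { printf '%s' "$1" | sed -n 's#^jdbc:mysql://[^/:]*:\([0-9]*\)/.*#\1#p'; }

# check_config: the scanner must target the port the server listens on, and if the
# scanner file still carries a JDBC URL it must name the same MySQL port as the
# server file. Returns 0 when both files are consistent.
check_config() {
  web=$(prop sonar.web.port "$SONAR_PROPS")
  host=$(url_port "$(prop sonar.host.url "$SCANNER_PROPS")")
  db1=$(jdbc_port "$(prop sonar.jdbc.url "$SONAR_PROPS")")
  db2=$(jdbc_port "$(prop sonar.jdbc.url "$SCANNER_PROPS")")
  [ "${web:-9000}" = "$host" ] && { [ -z "$db2" ] || [ "$db1" = "$db2" ]; }
}

# sonar_status JSON: "status" field of /api/system/status (UP, STARTING, DOWN, ...)
sonar_status() { printf '%s' "$1" | sed -n 's/.*"status":"\([A-Z_]*\)".*/\1/p'; }

# listening PORT: true when a local TCP listener is bound to PORT
listening() { { ss -ltn 2>/dev/null || netstat -ltn 2>/dev/null; } | grep -q ":$1 "; }

run() {
  java -version 2>&1 | head -n 1
  mvn -v 2>/dev/null | head -n 1
  for port in 3690 8080 9000; do
    if listening "$port"; then echo "port $port: listening"; else echo "port $port: NOT listening"; fi
  done
  if check_config; then echo "config: consistent"; else echo "config: MISMATCH between $SONAR_PROPS and $SCANNER_PROPS"; fi
  st=$(sonar_status "$(curl -s http://localhost:9000/api/system/status)")
  echo "sonarqube: ${st:-unreachable}"
}

if [ "${1:-}" = "run" ]; then run; fi
```

Run it as the user that owns the SonarQube install after starting all services; "port 3690: NOT listening" with the other checks green usually means svnserve was started without <code>-d</code> or from a different repository root.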

3.4 Using the Platform in Jenkins

Configure Jenkins system settings:

Set SonarQube server URL.

Add JDK and Maven installations under “Global Tool Configuration”.

Create a Maven job (e.g., <code>helloWorld</code>) with the following key sections:

Source Code Management – point to the SVN repository.

Build Triggers – e.g., poll SCM or schedule.

Build – add “Invoke SonarQube Scanner” and supply a <code>sonar-project.properties</code> such as:

<code>sonar.login=admin
sonar.password=admin
sonar.projectKey=test
sonar.projectName=test
sonar.projectVersion=0.1
sonar.sources=.
sonar.java.binaries=.</code>

Run the job; Jenkins will compile with Maven, invoke Sonar‑Scanner, and push results to SonarQube.

After a successful build, open the SonarQube UI to view security issues, code smells, and other metrics.
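
The job as described only publishes results; an added example (not from the article) of the gate a practitioner usually adds next is an "Execute shell" build step, placed after "Invoke SonarQube Scanner", that fails the build unless the project's quality gate is OK and no unresolved vulnerabilities remain. It assumes the article's server URL, project key and admin/admin credentials, and reads the ceTaskId that sonar-scanner records in .scannerwork/report-task.txt in the workspace.

```shell
#!/bin/sh
# Quality-gate step for the helloWorld job (added example, not from the article).
# Assumed: the article's server URL, project key "test" and admin/admin login.
SONAR_URL="${SONAR_URL:-http://localhost:9000}"
SONAR_USER="${SONAR_USER:-admin}"
SONAR_PASS="${SONAR_PASS:-admin}"
PROJECT_KEY="${PROJECT_KEY:-test}"
REPORT="${REPORT:-.scannerwork/report-task.txt}"   # written by sonar-scanner

# api PATH: authenticated GET against the SonarQube web API (empty output on error)
api() { curl -sf -u "$SONAR_USER:$SONAR_PASS" "$SONAR_URL/api/$1"; }

# task_status JSON: "status" of /api/ce/task (PENDING, IN_PROGRESS, SUCCESS, FAILED)
task_status() { printf '%s' "$1" | sed -n 's/.*"status":"\([A-Z_]*\)".*/\1/p'; }

# gate_status JSON: projectStatus.status of /api/qualitygates/project_status
gate_status() {
  printf '%s' "$1" | sed -n 's/.*"projectStatus":{"status":"\([A-Z]*\)".*/\1/p'
}

# issue_total JSON: "total" of /api/issues/search
issue_total() { printf '%s' "$1" | sed -n 's/.*"total":\([0-9]*\).*/\1/p'; }

# gate_passed GATE TOTAL: the build may proceed only when both are clean
gate_passed() { [ "$1" = "OK" ] && [ "${2:-0}" -eq 0 ]; }

# wait_for_task: the scanner returns before the server has processed the report,
# so poll the Compute Engine task it recorded until it finishes (max 2 minutes)
wait_for_task() {
  id=$(sed -n 's/^ceTaskId=//p' "$REPORT")
  for i in $(seq 1 24); do
    st=$(task_status "$(api "ce/task?id=$id")")
    case "$st" in SUCCESS) return 0 ;; FAILED|CANCELED) return 1 ;; esac
    sleep 5
  done
  return 1
}

main() {
  wait_for_task || { echo "analysis did not complete" >&2; return 1; }
  gate=$(gate_status "$(api "qualitygates/project_status?projectKey=$PROJECT_KEY")")
  vulns=$(issue_total "$(api "issues/search?componentKeys=$PROJECT_KEY&types=VULNERABILITY&resolved=false&ps=1")")
  echo "quality gate: ${gate:-unknown}, open vulnerabilities: ${vulns:-unknown}"
  gate_passed "$gate" "$vulns"
}

if [ "${1:-}" = "run" ]; then main; fi
```

A non-zero exit from this step marks the Jenkins build as failed, so the scan result becomes a blocking check rather than a report someone has to remember to open.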

Conclusion

The described platform demonstrates how to integrate static security analysis into a CI/CD pipeline using open‑source tools, providing automated, accurate detection and reporting of code vulnerabilities throughout the development lifecycle.
