How to Build an Automated Security Code Scanning Platform with SonarQube, Jenkins, and Maven

This guide explains the background, purpose, and step‑by‑step process for creating an automated security code detection platform that integrates SonarQube, Jenkins, Maven, SVN and MySQL, enabling continuous security testing and reporting within the software development lifecycle.

MaGe Linux Operations

Background and Purpose

With the rapid development of new business lines and technologies, software security defects appear frequently. Developers usually perform unit tests, builds, and functional tests, but they often lack security awareness, skills, and tools, so security flaws slip through. This article proposes a way to test for security defects in the same manner developers test functionality, by integrating security testing into the development process itself.

Overview of the Automated Security Code Detection Platform

What is a security code audit tool?

Static analysis tools locate potential security issues such as buffer overflows, null‑pointer dereferences, resource leaks, and SQL injection. Examples include Fortify and FindBugs.

Can developers directly use these tools?

In theory yes, but in practice it is difficult because of tool selection, high false‑positive rates, integration challenges, and the separation of security and development responsibilities.

Many tools make selection hard.

High false‑positive rates reduce accuracy.

Integrating a single tool into the development workflow is complex.

Security testing is often isolated from developers.

What is an automated security code detection platform?

The platform should (1) integrate into the software development process, (2) perform automatic, efficient, and accurate detection, and (3) generate reports automatically for project managers and developers.

Building the Platform on SonarQube

Platform Overview

The environment combines Jenkins, SVN, Maven, and SonarQube.

Jenkins provides continuous integration, monitoring repeated tasks and triggering builds.

SVN is the version‑control system for multiple developers.

Maven manages project builds, dependencies, and documentation.

SonarQube is an open‑source code‑quality management platform supporting many languages via plugins.

Core Integration Idea

SVN serves as the entry point. Jenkins monitors SVN commits and triggers SonarQube analysis. Before analysis, Jenkins invokes Maven to compile the code; the compiled output and source are then sent to SonarQube, which uses plugins to detect defects and generate reports.

Benefits include automatic generation of high‑quality reports without manual intervention, seamless integration of new detection tools via plugins, and protection of intellectual property through an Alibaba Cloud mirror.

Installation and Configuration Steps

1. Prepare the Base Environment

Hardware: 1 CPU core, 4 GB RAM, Linux (Ubuntu or CentOS).

Install JDK 1.8 and MySQL, then set environment variables.

# JDK
export JAVA_HOME=/usr/bin/jdk1.8.0_151
export JRE_HOME=$JAVA_HOME/jre
export PATH=$JAVA_HOME/bin:$PATH

Install MySQL 5.7.20, set root password to mysql, and create a sonar database and user.

mysql -u root -p
CREATE DATABASE sonar DEFAULT CHARACTER SET utf8 COLLATE utf8_general_ci;
CREATE USER 'sonar'@'%' IDENTIFIED BY 'sonar';
GRANT ALL ON sonar.* TO 'sonar'@'%';
FLUSH PRIVILEGES;

2. Install SVN Server

yum install subversion
mkdir -p /opt/svn/repos
svnadmin create /opt/svn/repos

Configure svnserve.conf, passwd, and authz to allow the admin user full access.

# svnserve.conf
anon-access = none
auth-access = write
password-db = passwd
authz-db = authz
realm = /opt/svn/repos
# passwd
admin = admin
# authz
[/]
admin = rw

Start the service:

svnserve -d -r /opt/svn/repos

3. Install SonarQube and Sonar‑Scanner

Download and unzip the binaries, then rename directories for convenience.

cd /opt
wget https://binaries.sonarsource.com/Distribution/sonarqube/sonarqube-7.9.1.zip
unzip sonarqube-7.9.1.zip
mv sonarqube-7.9.1 sonarqube
wget https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-4.6.2.2472-linux.zip
unzip sonar-scanner-cli-4.6.2.2472-linux.zip
mv sonar-scanner-4.6.2.2472-linux sonar-scanner

Add environment variables:

# SonarQube
export SONAR_HOME=/opt/sonarqube
export SONAR_RUNNER_HOME=/opt/sonar-scanner
export PATH=$PATH:$SONAR_RUNNER_HOME/bin

4. Configure SonarQube

Edit sonar.properties to point to the MySQL database and set the web port.

sonar.jdbc.username=sonar
sonar.jdbc.password=sonar
sonar.jdbc.url=jdbc:mysql://localhost:3306/sonar?useUnicode=true&characterEncoding=utf8&useSSL=false
sonar.web.port=9000

5. Install Maven

cd /opt
wget http://mirror.bit.edu.cn/apache/maven/maven-3/3.5.2/binaries/apache-maven-3.5.2-bin.tar.gz
tar -xf apache-maven-3.5.2-bin.tar.gz
mv apache-maven-3.5.2 maven

Set Maven environment variables:

export M2_HOME=/opt/maven
export PATH=$PATH:$M2_HOME/bin

6. Install Tomcat

cd /opt
wget http://mirrors.shuosc.org/apache/tomcat/tomcat-8/v8.5.24/bin/apache-tomcat-8.5.24.tar.gz
tar -xf apache-tomcat-8.5.24.tar.gz
mv apache-tomcat-8.5.24 tomcat

Start Tomcat:

cd /opt/tomcat/bin
./catalina.sh start

7. Install Jenkins

cd /opt
wget https://mirrors.tuna.tsinghua.edu.cn/jenkins/war-stable/2.138.3/jenkins.war
mv jenkins.war /opt/tomcat/webapps/

Access Jenkins at http://<server_ip>:8080/jenkins, complete the initial setup, and install the “SonarQube Scanner for Jenkins” and “Sonar Gerrit” plugins.

Using the Platform

Create a Maven job in Jenkins, configure source control (SVN), triggers, and build steps. Add SonarQube analysis properties, for example:

sonar.login=admin
sonar.password=admin
sonar.projectKey=helloWorld
sonar.projectName=helloWorld
sonar.projectVersion=0.1
sonar.sources=.
sonar.java.binaries=.

Run the job; Jenkins will compile the project, invoke Sonar‑Scanner, and SonarQube will display the security analysis results at http://<server_ip>:9000.

Result Verification

After a successful build, open the SonarQube dashboard to view detected security issues, code quality metrics, and generated reports.
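The "Execute shell" build step that ties the steps above together and performs the verification, as an added example that is not the article's own job configuration: it assumes SONAR_TOKEN is a SonarQube user token injected through a Jenkins credential binding (in place of the admin/admin pair in the properties above), SONAR_HOST points at the SonarQube server, and the project uses the standard Maven source layout; the helper names write_sonar_props, gate_status, wait_for_ce and run_scan are hypothetical.

```shell
#!/bin/sh
# Added example, not the article's job configuration. Assumptions: SONAR_TOKEN
# is a SonarQube user token from a Jenkins credential binding (replaces the
# sonar.login=admin / sonar.password=admin pair), standard Maven layout.
set -eu
SONAR_HOST="${SONAR_HOST:-http://localhost:9000}"
PROJECT_KEY="${PROJECT_KEY:-helloWorld}"

# Generate sonar-project.properties. The token stays on the command line and
# out of the file (which Jenkins may archive), and the binaries path targets
# Maven's output instead of "." so the scanner does not walk the whole tree.
write_sonar_props() {   # $1 = output file, $2 = project key, $3 = version
    cat > "$1" <<EOF
sonar.projectKey=$2
sonar.projectName=$2
sonar.projectVersion=$3
sonar.sources=src/main/java
sonar.java.binaries=target/classes
EOF
}

# Pull the quality-gate status (OK, ERROR, WARN or NONE) out of the JSON from
# GET /api/qualitygates/project_status?projectKey=...; empty if absent.
gate_status() {   # $1 = JSON body
    printf '%s' "$1" | sed -n 's/.*"projectStatus":{"status":"\([A-Z]*\)".*/\1/p'
}

# Analysis is processed in the background: poll the Compute Engine task URL
# that sonar-scanner records in .scannerwork/report-task.txt until it finishes.
wait_for_ce() {   # $1 = ceTaskUrl
    i=0
    while [ "$i" -lt 30 ]; do
        st=$(curl -sf -u "$SONAR_TOKEN:" "$1" | sed -n 's/.*"status":"\([A-Z_]*\)".*/\1/p')
        case "$st" in SUCCESS) return 0 ;; FAILED|CANCELED) return 1 ;; esac
        sleep 5; i=$((i + 1))
    done
    return 1
}

# Compile, scan, wait for the server, then fail the build unless the gate is OK.
run_scan() {
    mvn -B -q clean compile
    write_sonar_props sonar-project.properties "$PROJECT_KEY" "${BUILD_NUMBER:-0.1}"
    sonar-scanner -Dsonar.host.url="$SONAR_HOST" -Dsonar.login="$SONAR_TOKEN"
    wait_for_ce "$(sed -n 's/^ceTaskUrl=//p' .scannerwork/report-task.txt)"
    body=$(curl -sf -u "$SONAR_TOKEN:" "$SONAR_HOST/api/qualitygates/project_status?projectKey=$PROJECT_KEY")
    status=$(gate_status "$body"); echo "quality gate: $status"
    [ "$status" = "OK" ]
}
if [ "${1:-}" = "--run" ]; then run_scan; fi
```

Invoking the script with `--run` from the Jenkins job makes a failed quality gate fail the build, so the dashboard check in this section becomes an enforced gate rather than a manual review.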

[Figure: SonarQube dashboard screenshot]