This document is available in languages: eng 🇬🇧, rus 🇷🇺

In this image are combined:

• SonarQube Scanner Cli
• OWASP DependencyCheck
• Adding a project to SonarQube and syncing the default branch
• Syncing SonarQube and Gitlab entitlements via guassp
• Running tests for .Net
• Code coverage request from SonarQube

Special thanks to WoozyMasta for the utility guassp.

• Build
  • Building an Image with a Plugin Cache
• Images
  • Standard Image
  • Images for analyzing .NET projects
  • Image for analyzing Gradle projects
• Variables
  • Variable Mapping
    • Github Actions
    • Gitlab CI
  • SonarQube
    • General
    • Github Action
    • GitLab CI
  • OWASP Dependency Check
    • Database
    • Criteria for evaluation
    • OSS Index
    • Removing false positives
  • Variables for .Net
    • Nuget
    • .Net
    • Tests
  • Exclusion of stages
  • Other

You need to pass arguments to build.:

• SONAR_SCANNER_VERSION=5.0.1.3006 - version of the scanner, you can take in project repositories sonar-scanner-cli
• DOTNET_SONARSCANNER_VERSION=6.0 - dotnet-sonarscanner version
• GRADLE_VERSION=8.1.1 - gradle version
• POSTGRES_DRIVER_VERSION=42.7.0 - postgres driver version
• MYSQL_DRIVER_VERSION=8.2.0 - mysql driver version
• DEPENDENCY_CHECK_VERSION=9.0.7 - DependencyCheck version

To speed up the passage of the stage, you can pack all the necessary plugins and SonarQube bases into the image during assembly, to do this, pass the variables during the assembly:

• SONARQUBE_TOKEN=XXTOKENXX - SonarQube token, must have rights to create projects and perform analysis
• SONARQUBE_URL=https://sonarqube.com - SonarQube URL

And at the end of the RUN section of the Dockerfile, add:

    mkdir -p "$SRC_PATH" "$SONAR_USER_HOME" "$SONAR_USER_HOME/cache"; \
    sonar-scanner \
      -Dsonar.qualitygate.wait=false \
      -Dsonar.projectKey=self-build \
      -Dsonar.host.url="$SONARQUBE_URL" \
      -Dsonar.login="$SONARQUBE_TOKEN" \
      -Dsonar.dryRun=true \
      -Dsonar.exclusions='**/dependency-check/bin/*'

The current cache of plugins will be packed into the image in the directory /opt/sonar-scanner/.sonar

sentoz/multi-sonarqube-scanner-cli:0.2.1

This image allows you to scan projects implemented in languages:

• typescript|javascript
• python
• go
• ruby
• shell
• html
• css

sentoz/multi-sonarqube-scanner-cli:0.2.1-dotnet-3.1
sentoz/multi-sonarqube-scanner-cli:0.2.1-dotnet-5.0
sentoz/multi-sonarqube-scanner-cli:0.2.1-dotnet-6.0
sentoz/multi-sonarqube-scanner-cli:0.2.1-dotnet-7.0
sentoz/multi-sonarqube-scanner-cli:0.2.1-dotnet-8.0

Each image is built on the latest stable version of .Net, includes dotnet sonarscanner and reportgenerator.

sentoz/multi-sonarqube-scanner-cli:0.2.1-gradle-8.1.1
sentoz/multi-sonarqube-scanner-cli:0.2.1-gradle-7.3.3

The gradle binaries of the latest stable version are packed into the image.

• DEFAULT_BRANCH=$GITHUB_BASE_REF
• COMMIT_BRANCH=$GITHUB_REF_NAME
• COMMIT_TAG=${GITHUB_REF#"refs/tags/"}
• JOB_TOKEN=$GITHUB_TOKEN
• PROJECT_DIR=$GITHUB_WORKSPACE
• REF_NAME=$GITHUB_REF_NAME
• MERGE_REQUEST_ID=$GITHUB_RUN_ID
• COMMIT_REF_SLUG=$GITHUB_REF_NAME
• PROJECT_NAME=${GITHUB_REPOSITORY#*/}
• PROJECT_URL=$GITHUB_SERVER_URL/$GITHUB_REPOSITORY

• DEFAULT_BRANCH=$CI_DEFAULT_BRANCH
• COMMIT_BRANCH=$CI_COMMIT_BRANCH
• COMMIT_TAG=$CI_COMMIT_TAG
• PROJECT=$CI_PROJECT_ID
• JOB_TOKEN=$CI_JOB_TOKEN
• PROJECT_DIR=$CI_PROJECT_DIR
• REF_NAME=$CI_COMMIT_REF_NAME
• MERGE_REQUEST_ID=$CI_MERGE_REQUEST_IID
• PROJECT_NAME=$CI_PROJECT_NAME
• COMMIT_REF_SLUG=$CI_COMMIT_REF_SLUG
• SONARQUBE_ALM_NAME=GitLab
• JOB_TOKEN=$CI_JOB_TOKEN
• PROJECT_URL=$CI_PROJECT_URL

• SONARQUBE_URL - SonarQube server address
• SONARQUBE_TOKEN - Token for connecting to SonarQube
• SONARQUBE_CUSTOM_ARGS - A list of custom keys for SonarScaner separated by a comma, for example: sonar.exclusions=/path, sonar.test.exclusions=/path2
• SONARQUBE_GENERIC_REPORTS_FILE=$PROJECT_DIR/issues.json - File with generic reports
• SONARQUBE_QUALITYGATE_WAIT=true - waiting to receive the Quality Gate status
• SONARQUBE_QUALITYGATE_TIMEOUT=300 - Quality Gate timeout
• SONARQUBE_LOG_LEVEL=INFO - Logging Level SonarQube Scanner
• SONARQUBE_VERBOSE=true - more information in the analysis log
• SONARQUBE_PYTHON_VERSION=3 - python version
• SONARQUBE_ALOW_FAILURE=false - Criticality of falling stage SonarQube Scanner.

• SONARQUBE_PROJECT_NAME=$GITHUB_REPOSITORY
• SONARQUBE_PROJECT_KEY=${GITHUB_REPOSITORY#*/}

• SONARQUBE_PROJECT_NAME=$CI_PROJECT_NAMESPACE/$CI_PROJECT_NAME
• SONARQUBE_PROJECT_KEY=gitlab:$CI_PROJECT_ID

To speed up the passage of the pipeline, dependency check can store the database of vulnerabilities in a separate database and, at the start of the check, take data from it, and not download it from the Internet at each start.

• OWASP_DEPENDENCY_CHECK_DB_DRIVER=org.postgresql.Driver - Database driver used(org.postgresql.Driver or com.mysql.jdbc.Driver)
• OWASP_DEPENDENCY_CHECK_DB_STRING - database connection string
• OWASP_DEPENDENCY_CHECK_DB_PASSWORD - database connection password
• OWASP_DEPENDENCY_CHECK_DB_USER - username to connect to the database
• OWASP_DEPENDENCY_CHECK_NVD_VALID_HOURS - 24 - The number of hours after which the NVD will check for a database update.

• OWASP_DEPENDENCY_CHECK_SEVERITY_BLOCKER - 9.0
• OWASP_DEPENDENCY_CHECK_SEVERITY_CRITICAL - 7.0
• OWASP_DEPENDENCY_CHECK_SEVERITY_MAJOR - 4.0
• OWASP_DEPENDENCY_CHECK_SEVERITY_MINOR - 0.0

• OWASP_DEPENDENCY_CHECK_DISABLE_OSS_INDEX - true - Disabling OSS Index
• OWASP_DEPENDENCY_CHECK_OSS_INDEX_USERNAME - Username to connect to Sonatype's OSS Index (optional)
• OWASP_DEPENDENCY_CHECK_OSS_INDEX_PASSWORD - Password to connect to Sonatype OSS Index(optional)

• OWASP_DEPENDENCY_CHECK_SUPPRESSIONS_FILE_PATH - $PROJECT_DIR/suppression.xml - Use suppression file to remove false positives if any.

If you want to connect sources using nuget.config, then it must be placed in the same directory as the *.sln file according to the official documentation

• NUGET_PRIVATE_REGISTRY_URL - Address to private package registry (optional)
• NUGET_PRIVATE_REGISTRY_USERNAME - Username for authorization in the private package registry (optional)
• NUGET_PRIVATE_REGISTRY_TOKEN - Token for authorization in the private package registry (optional)
• NUGET_REGISTRY_URL - Address to the public caching package registry (optional)

• DOTNET_PROJECT_CONFIGURATION=Debug - Build Configuration
• DOTNET_VERBOSITY=minimal - Logging level
• DOTNET_CUSTOM_BUILD_ARGUMENTS - Custom Application Build Arguments
• DOTNET_CUSTOM_TEST_ARGUMENTS - Custom Application Test Arguments
• DOTNET_WORK_DIR=$PROJECT_DIR - Directory with sln file (optional)
• DOTNET_CSPROJ_FILE_PATH - Path to csproj application file (optional)
• DOTNET_CSPROJ_FILE_TEST_PATH - Path to csproj test file (optional)
• DOTNET_RESTORE_ATTEMPT_COUNT - Number of execution attempts dotnet restore in case of a fall

• SKIP_DOTNET_TEST=false - Skipping tests for .Net

• SKIP_DEPENDENCY_CHECK_JOB=false - Skip DependencyCheck Scan
• SKIP_SONARQUBE_PREPARE=false - Skip project preconfiguration in SonarQube
• SKIP_SONARQUBE_SCANNER_JOB=false - Skip SonarQube Scanner
• SKIP_SONARQUBE_PERMISSIONS_SYNC=false - Skip rights sync
• SKIP_SONARQUBE_COVERAGE=false - Skip code coverage request

• SUPPORT_CONTACTS = https://github.com/sentoz/multi-sonarqube-scanner-cli/issues - Contacts for feedback