SC 101: Scanning the OWASP Juice Shop with SonarQube (10 pts + 10 extra)

What You Need

Purpose

To use a code scanner to find coding flaws and vulnerabilities in the OWASP Juice Shop.

Finding your Linux Server's IP Address

On your Debian machine, in a Terminal or SSH window, execute this command:
ip a
Make a note of your Linux server's IP address. You'll need it later.

Starting SonarQube

On your Debian machine, in a Terminal or SSH window, execute this command:
sudo ss -pant
Look to see if "docker-proxy" is listening on port 9000, as shown below.

If it is not, execute these commands to start SonarQube:

sudo docker rm sonar

sudo docker run -d --name sonar -p 9000:9000 --network sonar-network \
  -e SONARQUBE_JDBC_URL=jdbc:postgresql://sonar-db:5432/sonar \
  -e SONAR_JDBC_USERNAME=sonar -e SONAR_JDBC_PASSWORD=sonar sonarqube
After this, you'll need to log in with the default password of admin.
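The "look for docker-proxy on port 9000, start SonarQube only if it is absent" decision above, written as a small POSIX shell script. This is an added example and not part of the original lab: it parses the output of sudo ss -pant, refuses to run if some other process already holds the port, and otherwise runs the same docker rm and docker run commands as above. The container name sonar, the network sonar-network and the sonar-db JDBC host come from the lab; the script name sonar_up.sh and the SONAR_PORT variable are assumptions of the example.

```shell
#!/bin/sh
# Added example, not part of the original lab. Saved as sonar_up.sh, it performs
# the "look for docker-proxy on port 9000, start SonarQube only if absent" check
# from the steps above. Container name "sonar", network "sonar-network" and the
# sonar-db JDBC host are the lab's; SONAR_PORT and the script name are assumed.

SONAR_PORT="${SONAR_PORT:-9000}"

# Return 0 if the socket table in $1 (text in the format `ss -pant` prints:
# State Recv-Q Send-Q Local-Address:Port Peer-Address:Port Process) shows a
# LISTEN socket whose local port is $2.
port_is_listening() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $1 == "LISTEN" && $4 ~ (":" p "$") { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Return 0 if the LISTEN socket on port $2 in table $1 belongs to docker-proxy,
# the process Docker uses to publish a container port on the host.
listener_is_docker_proxy() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $1 == "LISTEN" && $4 ~ (":" p "$") && $0 ~ /docker-proxy/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# The lab's start sequence. A stopped container named "sonar" would make
# `docker run` fail with a name conflict, so it is removed first; the error
# from rm when no such container exists is ignored.
start_sonar() {
    sudo docker rm sonar 2>/dev/null || true
    sudo docker run -d --name sonar -p "$SONAR_PORT:9000" --network sonar-network \
      -e SONARQUBE_JDBC_URL=jdbc:postgresql://sonar-db:5432/sonar \
      -e SONAR_JDBC_USERNAME=sonar -e SONAR_JDBC_PASSWORD=sonar sonarqube
}

main() {
    table="$(sudo ss -pant)"
    if ! port_is_listening "$table" "$SONAR_PORT"; then
        start_sonar
    elif listener_is_docker_proxy "$table" "$SONAR_PORT"; then
        echo "SonarQube already listening on port $SONAR_PORT; nothing to do."
    else
        # Something other than Docker owns the port: do not start a second
        # service on top of it; show the offending line and stop.
        echo "Port $SONAR_PORT is held by another process:" >&2
        printf '%s\n' "$table" | awk -v p="$SONAR_PORT" '$1 == "LISTEN" && $4 ~ (":" p "$")' >&2
        exit 1
    fi
}

# Run only when executed as sonar_up.sh, not when sourced for testing.
case "${0##*/}" in sonar_up.sh) main ;; esac
```

Run it as sh sonar_up.sh after saving; the two check functions take the socket table as text, so they can also be exercised against a captured ss listing without touching the live system.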

Launching the SonarQube Dashboard

In a Web browser, go to the address of your server on port 9000. When I did it, I used this URL:
http://172.16.123.132:9000
If necessary, log in with the username admin and the password you chose at installation, such as P@ssw0rd.

The dashboard appears, as shown below.

Creating a New Project

At the top right, click the "Create Project" button.

Click "Local project".

Enter a display name of SC101, as shown below.

Click Next.

On the "Set up project for Clean as You Code" page, click the "Use the global setting" button and click the "Create project" button.

On the "Analysis Method" page, click Locally.

On the "Analyze your project" page, as shown below, click Generate.

Your token appears, as shown below. Copy it to a text editor so you can use it later.

Click Continue.

Including Only PY Files

When I did it, SonarQube kept crashing when attempting to parse TypeScript and XML files, and apparently other types too.

Perform these steps to limit the scan to only Python files:

On the "Analyze your project" page, at the top right, click "Project Settings".

Click "General Settings".

Click "Analysis Scope".

In the "A. File Exclusions" section, in the "Source File Inclusions" field, enter this pattern, as shown below.

**/*.py
Click the Save button.

Installing the Sonar Scanner on your Linux Server

On your Debian machine, in a Terminal or SSH window, execute these commands, one at a time:
wget https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-5.0.1.3006-linux.zip

sudo apt update

sudo apt install unzip

unzip sonar*.zip

mv sonar-scanner-5.0.1.3006-linux sonar-scanner

Scanning the OWASP Juice Shop

On your Debian machine, in a Terminal or SSH window, execute the ls command and verify that the juice-shop directory is present, as shown below.

If it is not, go do this project:

SC 100: Installing the OWASP Juice Shop

Execute this command, replacing the token at the end with the correct token for your project.

./sonar-scanner/bin/sonar-scanner \
  -Dsonar.projectKey=SC101 \
  -Dsonar.sources=juice-shop \
  -Dsonar.host.url=http://127.0.0.1:9000 \
  -Dsonar.ws.timeout=500 \
  -Dsonar.javascript.node.maxspace=4096 \
  -Dsonar.token=sqp_0a660d7e4b7435c0fd7b6152eb6f69e55ac3eea8 -X
The analysis finishes within a minute or two, showing a path to the results, highlighted in the image below.
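The scan above as a reusable script, added here as an example and not the lab's own command. It takes the inclusion glob as an argument, so the one script also serves the JavaScript scan later on this page (**/*.js) without changing the "Source File Inclusions" setting in the UI, because -Dsonar.inclusions given on the command line overrides the project setting. The token is read from the SONAR_TOKEN environment variable, which SonarScanner CLI 5.x honours, instead of being placed in argv, so it stays out of the shell history and ps output. The token-format check assumes project tokens look like the one shown above (sqp_ followed by 40 hex characters); the paths ./sonar-scanner and ./juice-shop are as installed above, and the script name scan_juice_shop.sh and the helper function names are assumptions of the example.

```shell
#!/bin/sh
# Added example, not the lab's own command. Runs the Juice Shop scan with the
# token supplied via SONAR_TOKEN and the file-inclusion glob as an argument.
# Assumed layout (as installed in the lab): ./sonar-scanner/bin/sonar-scanner
# and ./juice-shop in the current directory.
#   usage: export SONAR_TOKEN=sqp_...; sh scan_juice_shop.sh SC101 '**/*.py'

SCANNER="${SCANNER:-./sonar-scanner/bin/sonar-scanner}"
SONAR_HOST="${SONAR_HOST:-http://127.0.0.1:9000}"

# Return 0 if $1 has the shape of a SonarQube project token as shown in this
# lab: the prefix "sqp_" followed by 40 hex digits (assumed format).
token_looks_valid() {
    printf '%s' "$1" | grep -Eq '^sqp_[0-9a-f]{40}$'
}

# Return 0 if $1 is an inclusion glob built only from the characters a
# sonar.inclusions pattern needs (letters, digits, _ - . / * and commas), so a
# stray shell metacharacter cannot be smuggled into the scanner property.
pattern_looks_valid() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_./*,-]+$'
}

# Print one scanner argument per line for project key $1 and inclusion glob $2.
# No token appears here: the scanner reads it from the SONAR_TOKEN variable.
# -Dsonar.inclusions on the command line overrides the "Source File Inclusions"
# value stored in the project's UI settings.
scanner_args() {
    printf '%s\n' \
        "-Dsonar.projectKey=$1" \
        "-Dsonar.sources=juice-shop" \
        "-Dsonar.inclusions=$2" \
        "-Dsonar.host.url=$SONAR_HOST" \
        "-Dsonar.ws.timeout=500" \
        "-Dsonar.javascript.node.maxspace=4096"
}

# Validate inputs, then invoke the scanner. Returns 2 without running anything
# if the token or the pattern does not pass the checks above.
run_scan() {
    project="$1"
    pattern="$2"
    if ! token_looks_valid "${SONAR_TOKEN:-}"; then
        echo "SONAR_TOKEN is unset or malformed; export the project token first." >&2
        return 2
    fi
    if ! pattern_looks_valid "$pattern"; then
        echo "Refusing unexpected inclusion pattern: $pattern" >&2
        return 2
    fi
    export SONAR_TOKEN
    # Disable globbing while the argument list is split, so a pattern such as
    # **/*.py is handed to the scanner literally instead of being expanded.
    set -f
    set -- $(scanner_args "$project" "$pattern")
    set +f
    "$SCANNER" "$@"
}

# Run only when executed as scan_juice_shop.sh, not when sourced for testing.
case "${0##*/}" in
    scan_juice_shop.sh)
        [ $# -eq 2 ] || { echo "usage: $0 PROJECT_KEY INCLUSION_GLOB" >&2; exit 2; }
        run_scan "$1" "$2"
        ;;
esac
```

Export the token once in the session (export SONAR_TOKEN=sqp_...) and then call sh scan_juice_shop.sh SC101 '**/*.py' for the Python scan or sh scan_juice_shop.sh SC101 '**/*.js' for the JavaScript one; the single quotes keep the glob from being expanded by the calling shell.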

Viewing Results

Open the Results page, replacing "127.0.0.1" with the correct IP address of your Linux server, as shown below.

Flag SC 101.1: Vulnerability (10 pts)

In the Overview page, in the Security section, click the number 4.

Click the blue text saying "Use secure mode and padding scheme".

Click the "Where is the issue?" tab.

The flag is the word covered by a green rectangle in the image below.

Flag SC 101.2: JS (10 pts)

Add more RAM to your Debian server--I used 8 GB. The default of 2 GB was not enough.

Scan the same project for JavaScript files (**/*.js).

In the Overview page, in the Security section, click the number 1.

Click the blue text saying "Make sure this private key gets revoked, changed, and removed from the code.".

The flag is the word covered by a green rectangle in the image below.

Posted 2-26-24