ip a
Make a note of your Linux server's IP address. You'll need it later.
sudo ss -pant
Look to see if "docker-proxy" is listening on port 9000, as shown below.
If it is not, execute these commands to start SonarQube:
sudo docker rm sonar
sudo docker run -d --name sonar -p 9000:9000 --network sonar-network \
-e SONARQUBE_JDBC_URL=jdbc:postgresql://sonar-db:5432/sonar \
-e SONAR_JDBC_USERNAME=sonar -e SONAR_JDBC_PASSWORD=sonar sonarqube
After this, you'll need to log in with the default password of admin. Open this URL in a browser, using the IP address you noted earlier in place of 172.16.123.132:
http://172.16.123.132:9000
If necessary, log in with the username admin and the password you chose at installation, such as P@ssw0rd.
The dashboard appears, as shown below.
Click "Local project".
Enter a display name of SC101, as shown below.
Click Next.
On the "Set up project for Clean as You Code" page, click the "Use the global setting" button and click the "Create project" button.
On the "Analysis Method" page, click Locally.
On the "Analyze your project" page, as shown below, click Generate.
Your token appears, as shown below. Copy it to a text editor so you can use it later.
Click Continue.
Perform these steps to limit the scan to only Python files:
On the "Analyze your project" page, at the top right, click "Project Settings".
Click "General Settings".
Click "Analysis Scope".
In the "A. File Exclusions" section, in the "Source File Inclusions" field, enter this pattern, as shown below.
**/*.py
Click the Save button.
Execute these commands to download and unpack the SonarQube scanner:
wget https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-5.0.1.3006-linux.zip
sudo apt update
sudo apt install unzip
unzip sonar*.zip
mv sonar-scanner-5.0.1.3006-linux sonar-scanner
If the juice-shop directory is not present on your server, go do this project:
SC 100: Installing the OWASP Juice Shop
Execute this command, replacing the token at the end with the correct token for your project.
./sonar-scanner/bin/sonar-scanner \
-Dsonar.projectKey=SC101 \
-Dsonar.sources=juice-shop \
-Dsonar.host.url=http://127.0.0.1:9000 \
-Dsonar.ws.timeout=500 \
-Dsonar.javascript.node.maxspace=4096 \
-Dsonar.token=sqp_0a660d7e4b7435c0fd7b6152eb6f69e55ac3eea8 -X
The analysis finishes within a minute or two, showing a path to the results, highlighted in the image below.
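The checks and commands above, gathered into one script as an added example (this is not part of the original page or of SonarQube's own tooling). It verifies that docker-proxy is listening on port 9000, (re)creates the sonar container if not, waits until SonarQube actually reports UP, and then runs sonar-scanner with the file-inclusion pattern given on the command line instead of in the web UI; that lets the same script do the Python scan (**/*.py) and the later JavaScript rescan (**/*.js). It assumes the sonar-network and sonar-db containers from SC 100 exist, that sonar-scanner is unpacked at ./sonar-scanner and juice-shop is in the current directory, and that the project token is supplied in a SONAR_TOKEN environment variable (a name chosen for this script).

```shell
#!/bin/sh
# Added example for this lab; not part of the original page or of SonarQube.
# Assumptions (see the lead-in): sonar-network and sonar-db already exist,
# ./sonar-scanner and ./juice-shop are present, and the token generated in
# the web UI is exported as SONAR_TOKEN.

# Return 0 if the `ss -pant` output read from stdin shows a LISTEN socket on
# local port $1 (matches "0.0.0.0:9000", "[::]:9000", "*:9000").
# Reading from stdin keeps the function testable without root or ss.
port_listening() {
    port="$1"
    awk -v p="$port" '$1 == "LISTEN" && $4 ~ (":" p "$") { found = 1 }
                      END { exit (found ? 0 : 1) }'
}

# The manual check from the page: if nothing listens on 9000, start the container.
ensure_sonar_running() {
    if sudo ss -pant | port_listening 9000; then
        echo "docker-proxy is already listening on port 9000"
        return 0
    fi
    echo "Port 9000 is not listening; (re)creating the sonar container"
    sudo docker rm sonar 2>/dev/null || true
    sudo docker run -d --name sonar -p 9000:9000 --network sonar-network \
        -e SONARQUBE_JDBC_URL=jdbc:postgresql://sonar-db:5432/sonar \
        -e SONAR_JDBC_USERNAME=sonar -e SONAR_JDBC_PASSWORD=sonar sonarqube
}

# docker-proxy listens as soon as the container starts, long before SonarQube
# can accept an analysis, so poll the status endpoint (up to 3 minutes).
wait_for_sonarqube() {
    tries=0
    until curl -fs http://127.0.0.1:9000/api/system/status | grep -q '"status":"UP"'; do
        tries=$((tries + 1))
        [ "$tries" -lt 36 ] || { echo "SonarQube did not report UP" >&2; return 1; }
        sleep 5
    done
}

# Run the scanner. -Dsonar.inclusions is the command-line equivalent of the
# "Source File Inclusions" field on the Analysis Scope page.
run_scan() {
    project_key="$1"; sources="$2"; inclusions="$3"
    if [ -z "${SONAR_TOKEN:-}" ]; then
        echo "SONAR_TOKEN is not set; export the token the web UI generated" >&2
        return 1
    fi
    ./sonar-scanner/bin/sonar-scanner \
        -Dsonar.projectKey="$project_key" \
        -Dsonar.sources="$sources" \
        -Dsonar.inclusions="$inclusions" \
        -Dsonar.host.url=http://127.0.0.1:9000 \
        -Dsonar.ws.timeout=500 \
        -Dsonar.javascript.node.maxspace=4096 \
        -Dsonar.token="$SONAR_TOKEN"
}

main() {
    ensure_sonar_running
    wait_for_sonarqube
    run_scan SC101 juice-shop "$1"
}

# Only run when an inclusion pattern is given on the command line.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Usage: `SONAR_TOKEN=<your project token> sh scan_lab.sh '**/*.py'` for the first scan, then the same command with `'**/*.js'` for the JavaScript rescan. The status poll matters because a freshly started container answers on port 9000 immediately while SonarQube itself is still initializing, which otherwise produces a failed analysis rather than a clear error.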
Flag SC 101.1: Vulnerability (10 pts)
In the Overview page, in the Security section, click the number 4. Click the blue text saying "Use secure mode and padding scheme".
Click the "Where is the issue?" tab.
The flag is the word covered by a green rectangle in the image below.
Flag SC 101.2: JS (10 pts)
Add more RAM to your Debian server; I used 8 GB. The default of 2 GB was not enough.
Change the "Source File Inclusions" pattern to **/*.js and scan the same project again for JavaScript files.
In the Overview page, in the Security section, click the number 1.
Click the blue text saying "Make sure this private key gets revoked, changed, and removed from the code.".
The flag is the word covered by a green rectangle in the image below.
Posted 2-26-24