Fix Issues in Your Code Before Going to Production in Minutes with SonarQube

Carlos Rodríguez and Raquel Campuzano co-wrote this blog post

SonarQube is an open-source code analyser designed for analysing and measuring the technical quality of code. This is particularly useful to avoid the need of fixing issues when your applications are already running in production environments. With SonarQube you can keep your code clean and prevent future vulnerabilities from the earliest stages of development to production.  

It combines static and dynamic analysis tools to monitor the following: 

• Duplicated code 
• Compliance with coding standards 
• Unit tests 
• Complex code 
• Potential bugs 
• Comments and design 
• Code architecture 

SonarQube is used for major programming languages such as C/C++, JavaScript, Java, C#, PHP, or Python, amongst others. Often, applications use several programming languages simultaneously, for example, a combination of Java, JavaScript, and HTML. SonarQube automatically detects these languages and invokes the corresponding analyzers. 

Sonarqube was available in the Bitnami Application Catalog for its local deployment or in the cloud, and now, you can also deploy it on your Kubernetes cluster as a Helm chart.  

Keep reading to learn how to install it in your cluster to start analysing your code in minutes.  

How to Install the SonarQube Helm chart in your Kubernetes Cluster 

Having SonarQube running in your cluster is as easy as executing a couple of commands.  

First, install the Bitnami Helm charts repository by executing the following: 

helm repo add bitnami https://charts.bitnami.com/bitnami 

Once the repo is installed in your chart, run the command below to finish the installation of the SonarQube Helm chart:   

helm install my-release bitnami/sonarqube 

Remember that “my-release” is a placeholder, you can replace it with an identifiable name for your release.  

Once the deployment completes, refer to the output to obtain the SonarQube URL and credentials.  

To start using SonarQube, execute the corresponding command to get the URL. Then, open a browser and enter the IP address you have obtained. You will see the login screen: 

Enter the username “user” and the password obtained by running the command shown in the deployment notes. 

That’s all! Now you can start analysing your code! In the following sections, you will find a sample JavaScript code and some examples of how to use SonarQube to detect bugs, vulnerabilities, and errors in your code and how to clean up your code to make it safe for production environments.  

Playing with SonarQube  

In this GitHub project, you’ll find an example of code written in JavaScript. The goal: to show you how to incorporate SonarQube into your development workflow. The repository contains two main folders (sources and tests) so, in this way, you can know the percentage of our code that is being covered by the tests. 

This project also includes a sonar-project.properties file where there are some configuration parameters needed to configure SonarQube like username, password, language, etc. 

First, run the scanner inside the project folder, that way the first scanner is launched and you can check the results in the web interface. 

sonar-scanner 

As you can see in the above screenshot, the current code has zero bugs, zero vulnerabilities and six code "smells". 

Modify the source code in order to introduce one bug and one vulnerability. This time it is intentional, but in daily work problems like this can arise without you realizing. 

Run the scanner again:

sonar-scanner 

As expected, a new bug and vulnerability appear. Check the analysis again to see the changes we made: 

A new section appears on the right-hand side of the screen (highlighted in yellow). SonarQube handles two states: the current state (in white) and the latest changes. 

As you can see in the screenshot, the changes introduced in the last scan have added one bug and one vulnerability. SonarQube evaluates the quality of each section with a score based on different parameters, A being the best state. In this case, introducing the bug has caused the “Bugs” section to pass from A to C and the “Vulnerabilities” section from A to B. 

You can set the “Leak Period” to determine how you want to make the comparison: by time or between each scanner execution. 

Let’s see in detail the "Coverage" section: 38.1% is the global test coverage (as you can see in the GitHub repository, I have tests for some files, but not for all of them). In the yellow section, you can see the coverage for the newly added lines. Previously, we introduced some new lines in order to add errors but we didn’t create any test for these new lines, so the new test coverage is 0%. Also, by clicking on Coverage, you can see more information about the coverage, for example, coverage by file, number of covered lines, etc. 

With this quick and simple analysis (you only have to execute one command) you will be able to prevent errors like these arising in production environments, keeping the code safe and complying with best practice and quality standards. In the following iterations we will work towards the goal of zero bugs, vulnerabilities, and code "smells". We might also work on getting 100% of our code covered by the tests. 

Once we have my code in this state, it is very simple to see if the changes made have introduced some kind of error or bad practice. 

How to squeeze SonarQube 

As you saw in the previous section, it is quite simple to keep your code in good health. But, there is more to discover. SonarQube has a lot of cool integrations. 

Analysis Methods

You can choose between the following analysis methods: 

• SonarQube scanner for MSBuild: Launch analysis of .Net projects 
• SonarQube scanner for Maven: Launch analysis from Maven with minimal configuration 
• SonarQube scanner for Gradle: Launch Gradle analysis 
• SonarQube scanner for Ant: Launch analysis from Ant 
• SonarQube scanner for Jenkins: Launch analysis from Jenkins 
• SonarQube scanner: Launch analysis from the command line when none of the other analyzers is appropriate 

Plugins

In addition, SonarQube has an Update Center with a variety of plugins organized into different categories, some useful plugins are: 

• Code Analyzers 
• SonarCFamily C/C++ 
• SonarPHP 
• SonarJS 
• SonarWeb 
• SonarJava 
• CSS 
• Integration
• GitHub Plugin: Analyzes pull requests, and points out the issues as comments.
• Google Analytics: Adds the Google Analytics tracking script to the SonarQube web application.
• SCM Engines 
• Mercurial: Adds support for Mercurial. 
• Git: Adds support for Git. 
• SVN: Adds support for Subversion. 
• Authentication & Authorization
• GitHub Authentication: Enables user authentication and Single Sign-On via GitHub. 
• GitLab Authentication: Enables user authentication and Single Sign-On via GitLab. 
• Google Authentication: Enabled delegation of user authentication to Google. 

Happy (and safe) coding! 

Deploy SonarQube Now

Bitnami Cloud Hosting Deprecation – Focus on Extending Bitnami Application Catalog and Services

Since 2011, Bitnami Cloud Hosting (BCH) has provided an easy way for users to deploy and manage Open Source applications on the Amazon EC2 Cloud.  

Thanks to this service, users new to the cloud had the chance to quickly deploy and manage applications on AWS servers through an intuitive and user-friendly interface.  

As new packaging formats and deployment platforms come up, the Bitnami Engineering team has concentrated its efforts in providing multi-cloud cross-platform applications and services to match emerging developers’ needs.  

In the past two years, since the VMware acquisition, we have extended the Bitnami Open Source Catalog for containers and Helm charts, released VMware Application Catalog, a curated and customizable selection of Open Source software from the Bitnami Application Catalog, and improved in number and quality of the templates delivered to the major cloud marketplaces: VMware Marketplace, AWS, Azure, Google Cloud, and IBM.  

Continuing to focus on increasing the investment to help developers adopt Cloud Native solutions and considering that there are multiple products that offer a similar experience as BCH, Bitnami team will discontinue the service for Bitnami Cloud Hosting by February 15th, 2022.  

Can I still launch Bitnami applications on AWS servers? 

The answer is: of course, you can! 

Discover and deploy the Bitnami Application Catalog on AWS Cloud servers using the following platforms:  

• AWS Marketplace  
• AWS Lightsail 
• Bitnami for AWS Cloud Launchpad 
• Amazon Elastic Container Service for Kubernetes (EKS) 

We know that some of the concepts and terms used to manage your servers in Bitnami Cloud Hosting are different from the ones used by AWS Cloud services. For that reason, we have created a detailed tutorial on how to manage Bitnami Cloud Hosting servers from the AWS console.  

If you experience any issue migrating your BCH data to the AWS console or you want to provide your feedback please post to our Community forums. We will be happy to help you there! 

Deploy Applications with Confidence and Control with VMware Application Catalog™ and Sealed Secrets

Raquel Campuzano and Juan Ariza co-wrote this blog post

As more organizations adopt Kubernetes as the preferred infrastructure for running their IT resources, enterprise SRE teams tend to adopt a GitOps mindset.  

The GitOps approach consists of embracing different practices that manage infrastructure configuration as a code. This means that Git becomes the single source of truth and as such, all operations are tracked via commits and pull requests. Thus, every action performed on the infrastructure will leave a trace and can be reverted if needed.  

This practice brings a lot of benefits to IT admins, since automation and ease of managing Kubernetes configurations are extremely important to them. 

Despite this, there’s a high probability of discovering security risks when managing access to the applications running in a Kubernetes cluster. This is where Sealed Secrets comes in. Sealed Secrets is a  Kubernetes controller and a tool for one-way encrypted Secrets.  

Why should every cluster controller use Sealed Secrets to protect their deployments?  

When cluster operators and administrators follow the GitOps approach, they usually find that they can manage all Kubernetes configurations through Git except secrets. Sealed Secrets solves this problem by encrypting the secret into a new Kubernetes object called “SealedSecret” which is safe to store even in public repositories.  

Sealed Secrets is a popular Open-Source project led by Bitnami that helps Kubernetes operators and administrators keep their deployments safe and under control. Sealed Secrets can only be decrypted by those who have access to the sealing private key — usually the cluster administrator — ensuring that nobody else, even the original author, is able to obtain the secret given in a Sealed Secret manifest file. 

Sealed Secrets is now available as a Helm chart in VMware Application Catalog! VMware Application Catalog is a customizable selection of trusted, pre-packaged open-source application components that are continuously maintained and verifiably tested for use in enterprise production environments – the ideal option to procure secure application building blocks.  

Depending on your requirements, you can either navigate to the ongoing Open-Source project located in the Bitnami GitHub repository and download the tool and test it out, or if your organization requires a more stable, secure, and compliant image, you can deploy Sealed Secrets on your cluster through VMware Application Catalog.  

Deploy Sealed Secrets on Kubernetes through VMware Application Catalog

The following steps describe how to navigate to VMware Application Catalog — formerly known as Tanzu Application Catalog — and deploy Sealed Secrets in your cluster. 

Once you have it installed, you will be able to deploy any application — this blog post uses MariaDB as an example, but you can pick another solution existing in your catalog — and encrypt its secrets using a Sealed Secret.   

This post assumes that you already have: 

• Sealed Secrets and MariaDB added to your VMware Application Catalog 
• Kubeseal was previously installed on your computer. 

Navigate to app-catalog.vmware.com and sign in with your VMware account to your catalog. 

In the “My Applications” section, search for Sealed Secrets Helm chart and click “Details”. 

On the next screen, you will find the instructions for deploying the chart on your cluster. Make sure that your cluster is up and running by executing kubectl cluster-info. Then, run the commands you will find under the “Consume your Helm Chart” section.  

Once you have installed the Sealed Secrets chart, it is time to use it to encrypt the required secrets to manage the MariaDB credentials. Fortunately, the MariaDB Helm chart supports retrieving the credentials from an existing secret. 

To use that feature, you must make sure that you know which is the expected format for the MariaDB secret. You can obtain that information by checking in the MariaDB chart’s README file the “common parameters” section as shown below: 

Based on this information, you can use kubeseal to create a Sealed Secret with encrypted credentials for MariaDB by executing the command below: 

kubectl create secret generic mariadb-secret --dry-run=client \ 

  --from-literal=mariadb-root-password=ROOT_PASSWORD \ 

  --from-literal=mariadb-replication-password=REPLICATION_PASSWORD \ 

  --from-literal=mariadb-password=SOME_PASSWORD \ 

  -o yaml | kubeseal --controller-name=CONTROLLER_NAME \ 

  --controller-name=CONTROLLER_NAMESPACE \ 

  --format yaml > mariadb-sealedsecret.yaml 

Note: Remember to replace the ROOT_PASSWORD, REPLICATION_PASSWORD, and SOME_PASSWORD placeholders with the passwords you want to use to configure MariaDB. Also, replace the CONTROLLER_NAME and CONTROLLER_NAMESPACE with the name and namespace of your Sealed Secrets controller, respectively. This information is displayed in the NOTES when installing the Sealed Secret chart. 

The command above creates a new yaml file named mariadb-sealedsecret.yaml which contains the encrypted MariaDB credentials. That file should look like it is shown below: 

At this point, you can safely add this file to your Git repository. Once you have a Sealed Secret manifest, you can deploy it in your Kubernetes cluster running the command below: 

kubectl create -f mariadb-sealedsecret.yaml 

Use the following command to double-check that the Sealed Secret — and the associated secret — was successfully created: 

kubectl get sealedsecret mariadb-secret 

kubectl get secret mariadb-secret  

Now, you can deploy the MariaDB Helm chart retrieving the credentials from the existing “mariadb-secret” secret.  

To do so, back to the VMware Application Catalog and search for the MariaDB details page. Then, execute the command you will find in the “Consume your Helm Chart” by appending the following flag: 

--set auth.existingSecret=mariadb-secret 

Once the chart is installed, you can start to operate your MariaDB database as described in its installation notes. 

The last step is to obtain the chart installation values and save them in a file using the command below: 

helm get values MARIADB_RELEASE > mariadb-values.yaml 

Note: Remember to replace the MARIADB_RELEASE placeholder with the name you used for your MariaDB release. 

You can now add this mariadb-values.yaml to your Git repository.  

By committing both this and the mariadb-sealedsecret.yaml file in your repository you can record the status of your infrastructure in a reproducible manner – allowing you to again embrace the GitOps mindset.  Thanks to Sealed Secrets, now you can also publish your changes in any public repository without exposing your database credentials. 

Deploy Applications with Confidence and Control 

As shown in this blog post, the combination of Sealed Secrets and VMware Application Catalog allows you to deploy applications in your cluster with complete confidence. Apart from keeping your applications automatically updated and monitored thanks to VMware Application Catalog, now you can rely on the efficiency of Sealed Secrets for keeping your deployments locked and safe against misuse.  

Learn more about VMware Application Catalog by checking its product page on vmware.com. You can also check out technical documentation for VMware Application catalog here. You can also contact the VMware Application Catalog team directly at vac@vmware.com.

If you are interested in contributing to the Sealed Secrets Open Source project, check out the GitHub repository and do not hesitate to send us a pull request. The BItnami engineering team will check it and guide you in the process for a successful merge.