Initial Check List - daniel-qa/Information-Security GitHub Wiki
Initial Check List
Source code analysis tools
Static Application Security Testing (SAST) Tool
Index | Tool | Content | P.S |
---|---|---|---|
1 | Sonarqube | Source code scanning | |
2 | Nessus | Vulnerability scanner | Only needs the IP address |
3 | | | |
- Scan host: 192.168.0.19
- Install location: /opt/sonarqube
- URL: 192.168.0.19:9000
- Credentials: default admin, changed to the company's unified business number after first login
- Source code location: /opt/sokradeo
Create a Manual project; at the end of the wizard SonarQube shows how to install sonar-scanner.
- Download and unzip the Scanner for Linux
Visit the official documentation of the Scanner to download the latest version, and add the bin directory to the PATH environment variable
Scan command
- Execute the Scanner
Running a SonarQube analysis is straightforward. You just need to execute the following commands in your project's folder.
```bash
sonar-scanner \
  -Dsonar.projectKey=sokrates \
  -Dsonar.sources=. \
  -Dsonar.host.url=http://192.168.0.19:9000 \
  -Dsonar.login=sqp_659e1c5931f3efb3aa07315640cfef18ace46d92
```
P.S 1 - Add /opt/sonar-scanner-4.7.0.2747-linux/bin to the PATH in /etc/environment
P.S 2 - Use git clone; pull the latest version into the folder to be scanned before running the scan
Scan troubleshooting
- ERROR: Error when running: 'node -v'. Is Node.js available during analysis?
Install Node.js (sonar-scanner calls `node -v` for JavaScript/TypeScript analysis)
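As an added example that is not part of this wiki: a POSIX shell wrapper around the scan step above. It checks that the commands the scanner needs are on PATH (the missing `node` case from the troubleshooting list), pulls the latest commit as P.S 2 describes, and reads the token from a `SONAR_TOKEN` environment variable so the `sonar.login` value does not have to be written into a wiki page. The project key, host URL and scanner command come from the wiki; the `SONAR_TOKEN`, `SONAR_PROJECT_KEY`, `SONAR_SOURCES` and `SONAR_HOST_URL` variables and the `scan.sh` file name are this example's own assumptions.

```bash
#!/bin/sh
# Added example (not the wiki's own script): preflight checks plus a wrapper
# around the sonar-scanner command. Assumptions: sonar-scanner is on PATH
# (P.S 1), the target folder is a git clone (P.S 2), and the token is
# supplied via SONAR_TOKEN instead of being hard-coded.

# Fail with a readable message when a required command is missing on PATH.
# This is the "Error when running: 'node -v'" case from the troubleshooting
# list: sonar-scanner shells out to node for JS/TS analysis.
require_cmd() {
    command -v "$1" >/dev/null 2>&1 || {
        echo "missing required command: $1" >&2
        return 1
    }
}

# Build the sonar-scanner argument list, one argument per line, from
# environment variables so the token never lands in a committed file.
# Defaults match the wiki: project key sokrates, sources ".", host 192.168.0.19.
sonar_args() {
    [ -n "${SONAR_TOKEN:-}" ] || { echo "SONAR_TOKEN is not set" >&2; return 1; }
    printf '%s\n' \
        "-Dsonar.projectKey=${SONAR_PROJECT_KEY:-sokrates}" \
        "-Dsonar.sources=${SONAR_SOURCES:-.}" \
        "-Dsonar.host.url=${SONAR_HOST_URL:-http://192.168.0.19:9000}" \
        "-Dsonar.login=${SONAR_TOKEN}"
}

# Update the checkout (P.S 2), run the preflight checks, then scan.
# Arguments are word-split on newlines, so paths must not contain spaces.
run_scan() {
    dir="${1:-.}"
    require_cmd git && require_cmd sonar-scanner && require_cmd node || return 1
    git -C "$dir" pull --ff-only || return 1
    # shellcheck disable=SC2046
    ( cd "$dir" && sonar-scanner $(sonar_args) )
}

# Usage: SONAR_TOKEN=<token> sh scan.sh --run /opt/sokradeo
if [ "${1:-}" = "--run" ]; then
    run_scan "${2:-.}"
fi
```

Newer scanner releases also read the token from the `SONAR_TOKEN` variable directly; the wrapper still passes `-Dsonar.login` explicitly because that is the parameter the wiki's command uses.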
SonarQube containerization
- Writing the Dockerfile
Index | Content | P.S |
---|---|---|
1 | Install dependencies | |
2 | Install SonarQube | |
3 | Install sonar-scanner | |
- Run Docker Container Service
Index | Content | P.S |
---|---|---|
1 | Volume mapping | |
2 | Start SonarQube service | |
- Analysis Source Code
Index | Content | P.S |
---|---|---|
1 | git pull latest version | |
2 | Sonar scanning | |
- Analysis Report
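As an added example that is not part of this wiki (the wiki's own Dockerfile is not shown here): a POSIX shell script for the "Run Docker Container Service" step. It maps the three SonarQube state directories to the host, starts the container, and polls the server's status API until it reports `UP` before any scan is attempted. It assumes Docker is installed and uses the official `sonarqube:community` image instead of a locally built one; the host path `/opt/sonarqube` and port 9000 come from the wiki, while `SONAR_IMAGE`, `SONAR_HOME`, `SONAR_PORT` and the kernel-limit check (a documented SonarQube requirement for its embedded Elasticsearch) are this example's own.

```bash
#!/bin/sh
# Added example (not the wiki's own script): start SonarQube as a container
# with host-mapped state directories and wait for readiness.
# Assumptions: Docker present, official image, state under /opt/sonarqube.

SONAR_IMAGE="${SONAR_IMAGE:-sonarqube:community}"
SONAR_HOME="${SONAR_HOME:-/opt/sonarqube}"
SONAR_PORT="${SONAR_PORT:-9000}"

# SonarQube's embedded Elasticsearch refuses to start below this mmap limit.
# Checked rather than silently changed so the operator sees why a container
# would exit early.
check_kernel_limits() {
    mmc="$(sysctl -n vm.max_map_count 2>/dev/null || echo 0)"
    [ "$mmc" -ge 524288 ] || {
        echo "vm.max_map_count=$mmc is below 524288; run: sysctl -w vm.max_map_count=524288" >&2
        return 1
    }
}

# Volume mapping for the three directories that hold state: data (database
# and search index), extensions (plugins), logs. One word per line so the
# caller can word-split the output into docker run arguments.
volume_args() {
    for d in data extensions logs; do
        printf '%s\n' "-v" "${SONAR_HOME}/${d}:/opt/sonarqube/${d}"
    done
}

# Create the host directories and start the service detached.
start_sonarqube() {
    check_kernel_limits || return 1
    for d in data extensions logs; do mkdir -p "${SONAR_HOME}/${d}"; done
    # shellcheck disable=SC2046
    docker run -d --name sonarqube --restart unless-stopped \
        -p "${SONAR_PORT}:9000" $(volume_args) "$SONAR_IMAGE"
}

# Poll /api/system/status until it returns "UP" (60 tries, 5 s apart).
# Scanning before this point fails because the web API is not serving yet.
wait_until_up() {
    url="http://127.0.0.1:${SONAR_PORT}/api/system/status"
    i=0
    while [ "$i" -lt 60 ]; do
        status="$(curl -s "$url" 2>/dev/null | sed -n 's/.*"status":"\([A-Z_]*\)".*/\1/p')"
        [ "$status" = "UP" ] && return 0
        i=$((i + 1))
        sleep 5
    done
    echo "SonarQube did not report UP in time" >&2
    return 1
}

# Usage: sh start-sonarqube.sh --run   (then run the scanner against :9000)
if [ "${1:-}" = "--run" ]; then
    start_sonarqube && wait_until_up
fi
```

Mapping `data`, `extensions` and `logs` to the host is what makes the container disposable: the project history, installed plugins and logs survive an image upgrade, which is the point of the "Volume mapping" row in the table above.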