Contents x
    Installing CodeScan Self-Hosted
    • 13 Sep 2023
    • 7 Minutes to read
    • Contributors
    • Dark
      Light
    • PDF
    Contents

    Installing CodeScan Self-Hosted

    • Updated on 13 Sep 2023
    • 7 Minutes to read
    • Contributors
    • Dark
      Light
    • PDF
    Article Summary

    CodeScan On-Premise Implementation

    What's New:

    CodeScan Self-Hosted version 23.1.3 (now compatible with SonarQube™ version 10 or earlier) is the latest CodeScan release. We strongly recommend all CodeScan users upgrade to this iteration.

    Download

    Release Note

    Overview

    This section describes installing the CodeScan self-hosted server, allowing you to experience a fully functional evaluation version of enterprise CodeScan on your server.

    Prerequisites

    Step 1: Request a CodeScan License Key

    Note:

    If you already have a License Key or Subscription Code, proceed to step 2.

    AutoRABIT Access/License Key: Before downloading the necessary files, email AutoRABIT’s support team at support@codescan.io to request a CodeScan License Key.

    Provide the following information in the email:
    • Client Name (first and last – typically the admin)
    • Client Company
    • Email
    • Duration of License (e.g., varies, 30 days)

    Step 2: Download and Install SonarQube™ & CodeScan Zip Files

    SonarQube™ Download

    You must have a SonarQube™ server currently running in your environment. If not, please visit SonarQube.org to download the latest Community version.

    At SonarSource.com, scroll down to this graphic:
    [CS Self-Hosted pic1.png] https://www.sonarsource.com/products/sonarqube/downloads/lts/9-9-lts/){target="_blank"}

    Note:

    This link will take you to the SonarQube™ 9.9 LTS download. SonarQube™ 10 is now supported as well.

    CodeScan Zip File Download

    1. Download the latest compatible CodeScan version (currently 23.1.3) from here.
    Note:

    Keep in mind you need to download a version compatible with your SonarJS plugin version. Refer to the requirements section for more information.

    1. You will need to enter your License Key (to be provided by our Support Team) or a Subscription Code. For more information on Subscription Codes, click here.

    CS Self-Hosted pic2.png

    1. Accept our Terms of Service and click on the Request Download button.

    2. Extract the ZIP file. It contains the SonarQube™ plugin and an ant-based tool enabling you to run an analysis.

    CodeScan VersionPlatform CompatibleDate of ReleaseSupport End DateDownload LinkRelease Note
    23.1.3 (current version)SonarQube™ 10 or earlier12 Sept 202330 June 2024DownloadRelease Note
    23.1.1SonarQube™ 9.9 or earlier12 May 202330 June 2024DownloadRelease Note
    22.8SonarQube™ 8.9+ and SonarQube™ 9.925 December 202230 June 2024DownloadRelease Note
    22.7SonarQube™ 8.9+01 November 202230 June 2024DownloadRelease Note
    22.6.2SonarQube™ 8.9+12 July 202230 June 2024DownloadRelease Note
    22.6.1SonarQube™ 8.9+23 June 202230 June 2024DownloadRelease Note
    22.6SonarQube™ 8.9+13 June 202230 June 2024DownloadRelease Note
    22.5SonarQube™ 8.9+30 May 202230 June 2024DownloadRelease Note
    22.4SonarQube™ 8.9+16 May 202230 June 2024DownloadRelease Note
    22.3SonarQube™ 8.9+
    (From SonarQube™ 8.9 onwards, the vulnerability in Log4J has been fixed)    		24 April 202230 June 2023DownloadRelease Note
    22.2.1SonarQube™ 7.9 to 8.9, SonarJS 6.2+02 February 202231 December 2022DownloadRelease Note
    22.2SonarQube™ 7.9+, SonarJS 6.2+26 January 202231 December 2022DownloadRelease Note
    22.1.1SonarQube™ 7.9 to 8.5+, SonarJS 6.2+31 December 202131 December 2022DownloadRelease Note
    22.1SonarQube™ 7.9 to 8.4, SonarJS 6.2+29 December 202131 December 2022DownloadRelease Note
    21.5.1SonarQube™ 7.9 to 8.5+, SonarJS 6.2+06 November 202131 December 2022DownloadRelease Note
    21.5SonarQube™ 7.9 to 8.4, SonarJS 6.2+01 November 202131 December 2022DownloadRelease Note
    4.5.7.1SonarQube™ 7.9 to 8.5+, SonarJS 6.2+16 April 202131 December 2022DownloadRelease Note
    4.5.7SonarQube™ 7.9 to 8.4, SonarJS 6.2+08 April 202131 December 2022DownloadRelease Note

    Plugin Installation

    Step 1: Download CodeScan file

    1. Delete any existing Salesforce plugins from your installation.

    2. Ensure your SonarJS plugin is compatible with the current CodeScan for Lightning version. Currently the supported release requires version 6.2+ of the SonarJS plugin. Click here to see alternatives.

    Step 2: CodeScan JAR file

    1. Copy CodeScan downloads JAR files, sonar-salesforce-plugin-XXX.jar and sonar-codescanlang-plugin-XXX.jar into your SonarQube™ installation at /extensions/plugins/.

    2. Place JAR files into your SonarQube™ file installation at /extensions/plugins/.

    3. Keep the SonarQube™ file open for next steps.

    Step 3: Start Web Server

    1. In your SonarQube™ installation file, open sonar.properties, located in the config folder (<SONARQUBE_HOME>/conf/sonar.properties).

    2. Starting at lines 108-111, add/replace these to the appropriate web server section and save your changes:

    • sonar.web.host=192.168.0.1
    • sonar.web.port=80
    • sonar.web.context=/sonarqube
    1. Lastly, you need to RUNsonar to execute the script to start the server. In your SonarQube™ installation file, open, '/bin' folder, choose server type, and select ‘StartSonar’. Once rendering is finished, the plugin installation is complete.

    Standard SonarQube™ Setup

    Step 1: Log in to the SonarQube™ self-hosted instance at http://localhost:9000/.
    The default System Admin credentials are admin/admin:
    image.png

    Step 2. Once you've gained access, go to Administrator > Configuration > General Settings.

    1. Select the CodeScan tab.

    2. Enter your CodeScan License Key in the designated field.
      image.png

    3. Click Save.

    4. You have successfully completed the CodeScan on-premise integration. See the instructions below on how to integrate this to ARM.

    CodeScan On-Premise + ARM Integration

    Overview

    This guide will show you how to integrate the CodeScan self-hosted instance to ARM.

    CodeScan On-Premise ARM Integration

    Step 1: Generate a SonarQube™ Token

    1. Log in to your SonarQube™ instance.

    2. Go to User > My Account > Security. Your existing tokens are listed here, each with a Revoke button.

    3. The form at the bottom of the page allows you to generate new tokens. Once you click the Generate button, you will see the token value. Be sure to copy it immediately; once you dismiss the notification, you will not be able to retrieve it.

    4. This token is used when storing your credentials, such as your username and password, with AutoRABIT.

    Step 2: Store Your SonarQube™ Credentials in ARM

    This initial step is when your SonarQube™ credentials, such as your username and password, are stored in AutoRABIT.

    1. Log in to your AutoRABIT account.

    2. Hover your mouse over the Admin module and click on the Credentials tab.

    3. Next, click on Create Credential from the right navigation bar.

    4. On the next pop-up screen, enter the Credential Name.

    5. Choose the Credential Type as Username with Password.

    6. Choose your Credential Scope:
      Global: Credentials accessible within the team.
      Private: Credentials for private use.

    7. Enter your SonarQube™ account username. For password, use the copied token mentioned in Step 1.

    8. Verify you are using your SonarQube™ username instead of the email address you use to log in to SonarQube™.

    CS Self-Hosted pic3.png

    1. Click Save.

    CS Self-Hosted pic4.png

    Setting up Your Quality Profiles

    1. In the SonarQube™ self-hosted instance, click on the Quality Profiles menu.

    2. Make sure you have selected the Salesforce Lightning profile as the default for both the JavaScript and Visualforce and Lightning languages. This can be done with the settings cog to the right of the profile name.

    Running a Scan

    There are a few ways to run your scan. The first is using our SFDX plugin (this requires that the Salesforce CLI and the SFDX CodeScan Plugin be installed).

    *Step 1: Generate a SonarQube™ token from the My Account > Security menu in SonarQube™.

    1. Open the command prompt and navigate to:
      /runner/my-project
    2. Run the following command:
      sfdx codescan:run --token <token> --projectkey my-project-key --organization default-organization --server https://your.server.url

    The Organization Key above will work for the Community edition of SonarQube™ but may need to be edited depending on your setup using a paid edition. You can also use Ant (this requires Ant version 1.9+).

    Note:

    You will need to edit antbuild.properties if your SonarQube™ installation is different than usual, or if you have a proxy. You can also edit /runner/antbuild.xml to customize your workflows.

    Running SFDX plugin behind a proxy

    To run the SFDX plugin behind a proxy, you will need to pass all the related information in the parameters of the analysis command.

    Example:

    sfdx codescan:run --server {instanceurl} --token {TKN} --projectkey {PRJ} --organization {ORG} -J-Dhttp.proxyHost=## -J-Dhttp.proxyPort=## -J-Dhttp.proxyUser=## -J-Dhttp.proxyPassword=## -J-Dhttps.proxyHost=## -J-Dhttps.proxyPort=## -J-Dhttps.proxyUser=## -J-Dhttps.proxyPassword=##

    where:

    ParameterDescription
    instanceurlEnter your CodeScan instance url
    Example:
    https://app.codescan.io for US region
    https://app-eu.codescan.io for EU region
    https://app-aus.codescan.io for AUS region.
    TKNEnter your CodeScan security token. (For more information on how to generate a security token, see Security Token.)
    PRJEnter your CodeScan project key (to find your project key, refer to Project Key)
    ORGEnter your CodeScan organization (for more information, see Create a new CodeScan Organization)

    SonarQube™ ant plugin

    For more instructions on setting up the SonarQube™ ant plugin, see https://docs.sonarqube.org/latest/analysis/scan/sonarscanner-for-ant/. You should verify that the ant script's steps are appropriate for your requirements.

    1. Create a copy of the sonar-project-template folder in the runner directory of this folder and put it in the same project. Call it /runner/my-project. Add the following to the sonar-project.properties file in the my-project folder.

    2. Set sonar.login= to a token available from the My Account > Security menu in SonarQube™.

    3. Set sonar.projectKey=myproject

    4. Set sonar.projectName=My Project

    5. Set salesforce.username, salesforce.password and salesforce.url to your Salesforce username/password. Your Salesforce token must also be appended to the end of your salesforce.password parameter.

      For example: salesforce.password=passwordtoken.

      Setting your Salesforce username, password, and URL is unnecessary if you want to analyze static content. Please use a system administrator user profile for this otherwise you may experience strange errors when downloading the code or executing tests.

    6. Open a command prompt and navigate into /runner/my-project

    7. Run the following command:

      ant -f ../antbuild.xml analyse
    Note:

    If the Anyone group is not granted Execute Analysis permission, or if the SonarQube™ instance is secured (sonar.forceAuthentication property is set to true), a user whose credentials have Execute Analysis permission has to be provided through the sonar.login and sonar.password properties.

    Proxies

    • If your network has a proxy, you must pass some more parameters to avoid license errors.

    • A guide for this is available here.

    Having trouble?

    • Read the tutorials

    • Check the troubleshooting section

    • Contact Support

    Was this article helpful?
    What's Next
    AutoRABIT Help Center © 2022. All rights reserved.