CodeScan Self-Hosted 22.8 is the latest release of the CodeScan platform. We strongly recommend that all CodeScan users upgrade to this release.
Overview
This section describes how to install the CodeScan self-hosted server so that you have a fully functional evaluation version of enterprise CodeScan running on your server.
Prerequisite
You must have a SonarQube™ server currently running in your environment. If you do not, please visit SonarQube.org to get set up.
Download and Install CodeScan from the ZIP file
- First check the requirements. Then download the latest compatible CodeScan 22.8 version from here.
  Keep in mind that you need to download a version that is compatible with your SonarJS plugin version. Refer to the requirements section for more information.
- You will need to enter your License Key (to be provided by our Support Team) or Subscription Code. For more information on Subscription Code, see HERE.
- Accept our Terms of Service and click on the Request Download button.
- Extract the ZIP file. It contains the SonarQube™ plugin and an ant-based tool enabling you to run an analysis.
Download links for previously supported CodeScan versions
CodeScan Version | Platform Compatible | Date of Release | Support End Date | Download Link | Release Note |
---|---|---|---|---|---|
22.8 (current version) | SonarQube™ 8.9+ | 25 December 2022 | 30 June 2024 | Download | Release Note |
22.7 | SonarQube™ 8.9+ | 01 November 2022 | 30 June 2024 | Download | Release Note |
22.6.2 | SonarQube™ 8.9+ | 12 July 2022 | 30 June 2024 | Download | Release Note |
22.6.1 | SonarQube™ 8.9+ | 23 June 2022 | 30 June 2024 | Download | Release Note |
22.6 | SonarQube™ 8.9+ | 13 June 2022 | 30 June 2024 | Download | Release Note |
22.5 | SonarQube™ 8.9+ | 30 May 2022 | 30 June 2024 | Download | Release Note |
22.4 | SonarQube™ 8.9+ | 16 May 2022 | 30 June 2024 | Download | Release Note |
22.3 | SonarQube™ 8.9+ (From SonarQube™ 8.9 onwards, the vulnerability in Log4J has been fixed) | 24 April 2022 | 30 June 2023 | Download | Release Note |
22.2.1 | SonarQube™ 7.9 to 8.9, SonarJS 6.2+ | 02 February 2022 | 31 December 2022 | Download | Release Note |
22.2 | SonarQube™ 7.9+, SonarJS 6.2+ | 26 January 2022 | 31 December 2022 | Download | Release Note |
22.1.1 | SonarQube™ 7.9 to 8.5+, SonarJS 6.2+ | 31 December 2021 | 31 December 2022 | Download | Release Note |
22.1 | SonarQube™ 7.9 to 8.4, SonarJS 6.2+ | 29 December 2021 | 31 December 2022 | Download | Release Note |
21.5.1 | SonarQube™ 7.9 to 8.5+, SonarJS 6.2+ | 06 November 2021 | 31 December 2022 | Download | Release Note |
21.5 | SonarQube™ 7.9 to 8.4, SonarJS 6.2+ | 01 November 2021 | 31 December 2022 | Download | Release Note |
4.5.7.1 | SonarQube™ 7.9 to 8.5+, SonarJS 6.2+ | 16 April 2021 | 31 December 2022 | Download | Release Note |
4.5.7 | SonarQube™ 7.9 to 8.4, SonarJS 6.2+ | 08 April 2021 | 31 December 2022 | Download | Release Note |
Plugin installation
- Delete any existing Salesforce plugins from your installation.
- Ensure your SonarJS plugin is compatible with the current CodeScan for Lightning version. Currently the supported release requires v 6.2+ of the SonarJS plugin. See here for alternatives.
- Copy sonar-salesforce-plugin-XXX.jar and sonar-codescanlang-plugin-XXX.jar into your SonarQube™ installation at /extensions/plugins/
Standard setup:
- When you receive your license, enter it by logging into SonarQube™ with the credentials User: admin, Password: admin
- Go to Administrator > General Settings.
- Click on CodeScan on the list of Categories.
- Enter your license in the text box labeled CodeScan license (key is "sf.license.secured").
- Click Save.
Setting up Your Quality Profiles
- Click on the Quality Profiles menu.
- Make sure you have selected the Salesforce Lightning profile as the default for both the JavaScript and Visualforce and Lightning languages. This can be done with the settings cog to the right of the profile name.
Running a Scan
There are a few ways to run your scan. The first is using our SFDX plugin (this requires that the Salesforce CLI and the SFDX CodeScan Plugin be installed).
- Generate a token from the My Account > Security menu in SonarQube™.
- Open the command prompt and navigate to: /runner/my-project
- Run the following command:
  sfdx codescan:run --token <token> --projectkey my-project-key --organization default-organization --server https://your.server.url
The Organization Key above will work for the Community edition of SonarQube™ but may need to be edited depending on your setup using a paid edition.
You can also use Ant (this requires Ant version 1.9+).
You will need to edit antbuild.properties if your SonarQube™ installation is different than usual, or if you have a proxy. You can also edit /runner/antbuild.xml to customize your workflows.
Running SFDX plugin behind proxy
To run the SFDX plugin behind a proxy, you will need to pass all the related information in the parameters of the analysis command.
Example:
sfdx codescan:run --server {instanceurl} --token {TKN} --projectkey {PRJ} --organization {ORG} -J-Dhttp.proxyHost=## -J-Dhttp.proxyPort=## -J-Dhttp.proxyUser=## -J-Dhttp.proxyPassword=## -J-Dhttps.proxyHost=## -J-Dhttps.proxyPort=## -J-Dhttps.proxyUser=## -J-Dhttps.proxyPassword=##
where,
Parameter | Description |
---|---|
instanceurl | Enter your CodeScan instance URL, for example https://app.codescan.io for the US region, https://app-eu.codescan.io for the EU region, or https://app-aus.codescan.io for the AUS region. |
TKN | Enter your CodeScan security token (For more information on how to generate a security token, see Security Token) |
PRJ | Enter your CodeScan project key (to find your project key, refer to the article Project Key) |
ORG | Enter your CodeScan organization (for more information, see Create a new CodeScan Organization) |
SonarQube™ ant plugin
For more instructions on setting up the SonarQube™ ant plugin, see https://docs.sonarqube.org/latest/analysis/scan/sonarscanner-for-ant/. You should verify that the ant script's steps are appropriate for your requirements.
- Create a copy of the sonar-project-template folder in the runner directory of this folder and put it in the same project. Call it /runner/my-project. Add the following to the sonar-project.properties file in the my-project folder.
- Set sonar.login= to a token available from the My Account > Security menu in SonarQube™.
- Set sonar.projectKey=myproject
- Set sonar.projectName=My Project
- Set salesforce.username, salesforce.password and salesforce.url to your Salesforce username/password. Your Salesforce token must also be appended to the end of your salesforce.password parameter.
  For example: salesforce.password=passwordtoken.
Setting your Salesforce username, password, and URL is unnecessary if you want to analyze static content. Please use a system administrator user profile for this; otherwise you may experience strange errors when downloading the code or executing tests.
- Open a command prompt and navigate into /runner/my-project
- Run the following command:
  ant -f ../antbuild.xml analyse
If the Anyone group is not granted Execute Analysis permission, or if the SonarQube™ instance is secured (sonar.forceAuthentication property is set to true), a user whose credentials have Execute Analysis permission has to be provided through the sonar.login and sonar.password properties.
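The sonar-project.properties file described above ends up holding sonar.login, optionally sonar.password, and salesforce.password (password plus token) in plaintext. As an added example, not part of the CodeScan documentation or tooling, this POSIX shell check reports which of those keys sit in a file readable by group or others and whether the file still uses the admin/admin login mentioned earlier; the function names, report format and sample values are assumptions of this example.

```shell
#!/bin/sh
# Added example, not CodeScan tooling. Key names are the ones this page uses;
# the EXPOSED/DEFAULT report format is this example's own.

# prop_value FILE KEY: print KEY's value (last assignment wins), or nothing.
prop_value() {
    key_re=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
    sed -n "s/^[[:space:]]*${key_re}[[:space:]]*[=:][[:space:]]*//p" "$1" |
        tr -d '\r' | tail -n 1
}

# audit_props FILE: report credential keys readable beyond the owner and the
# default admin/admin login. Prints key names only, never values.
# Returns 0 when clean, 1 when anything was reported.
audit_props() {
    file=$1
    rc=0
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld "$file" | cut -c5-10)
    for key in sonar.login sonar.password salesforce.password; do
        [ -n "$(prop_value "$file" "$key")" ] || continue
        if [ "$perms" != "------" ]; then
            echo "EXPOSED $key (group/other bits: $perms)"
            rc=1
        fi
    done
    if [ "$(prop_value "$file" sonar.login)" = admin ] &&
       [ "$(prop_value "$file" sonar.password)" = admin ]; then
        echo "DEFAULT sonar.login/sonar.password are admin/admin"
        rc=1
    fi
    return $rc
}

# Demo on a constructed file (all values are made up).
demo=$(mktemp)
cat > "$demo" <<'EOF'
sonar.login=CONSTRUCTED_TOKEN
sonar.projectKey=myproject
sonar.projectName=My Project
salesforce.username=ci-user@example.invalid
salesforce.password=CONSTRUCTEDpasswordCONSTRUCTEDtoken
EOF
chmod 644 "$demo"; audit_props "$demo" || true   # two EXPOSED lines
chmod 600 "$demo"; audit_props "$demo" && echo "clean"
rm -f "$demo"
```

Run audit_props against /runner/my-project/sonar-project.properties before the ant step; a non-zero exit status can fail a CI job until the file is owner-only.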
Proxies
- If your network has a proxy, you must pass some more parameters to avoid license errors.
- A guide for this is available HERE.
Having trouble?
- Read the tutorials
- Check the troubleshooting section
- Contact Support