02.工作流自动化代码审计
作者:Lost Maniac
协作:
简介
sonar
项目源码
本项目托管在GitHub,地址为:https://github.com/sdlchina/php_code_audit
部署方法
安装文档基于centos 7.x
安装PGsql
打开官网安装文档 https://www.postgresql.org/download/linux/redhat/
选择要安装的版本为10版本
安装repo源
yum install https://download.postgresql.org/pub/repos/yum/10/redhat/rhel-7-x86_64/pgdg-centos10-10-2.noarch.rpm
安装客户端
yum install postgresql10
安装服务端
yum install postgresql10-server
新建数据库存储目录
mkdir -p /www/pgsql/data //递归方式创建pgsql/data目录
授权目录权限
chown -R postgres:postgres /www/pgsql/
修改开机启动配置文件
vim /usr/lib/systemd/system/postgresql-10.service
[Unit]
Description=PostgreSQL 10 database server
Documentation=https://www.postgresql.org/docs/10/static/
After=syslog.target
After=network.target
[Service]
Type=notify
User=postgres
Group=postgres
# Note: avoid inserting whitespace in these Environment= lines, or you may
# break postgresql-setup.
# Location of database directory
Environment=PGDATA=/www/pgsql/data/
# Where to send early-startup messages from the server (before the logging
# options of postgresql.conf take effect)
# This is normally controlled by the global default set by systemd
# StandardOutput=syslog
# Disable OOM kill on the postmaster
OOMScoreAdjust=-1000
Environment=PG_OOM_ADJUST_FILE=/proc/self/oom_score_adj
Environment=PG_OOM_ADJUST_VALUE=0
ExecStartPre=/usr/pgsql-10/bin/postgresql-10-check-db-dir ${PGDATA}
ExecStart=/usr/pgsql-10/bin/postmaster -D ${PGDATA}
ExecReload=/bin/kill -HUP $MAINPID
KillMode=mixed
KillSignal=SIGINT
# Do not set any timeout value, so that systemd will not kill postmaster
# during crash recovery.
TimeoutSec=0
[Install]
WantedBy=multi-user.target
修改初始化脚本
vim /usr/pgsql-10/bin/postgresql-10-setup
# Log file for initdb
PGLOG=/www/pgsql/log/initdb.log
对PGsql进行初始化
/usr/pgsql-10/bin/postgresql-10-setup initdb
检查目录/www/pgsql/data目录下有文件表示初始化成功
开启pgsql服务
systemctl start postgresql-10.service
检查pgsql服务
systemctl status postgresql-10.service
显示
● postgresql-10.service - PostgreSQL 10 database server
Loaded: loaded (/usr/lib/systemd/system/postgresql-10.service; disabled; vendor preset: disabled)
Active: active (running) since Mon 2018-09-10 11:35:21 CST; 1h 5min ago
Docs: https://www.postgresql.org/docs/10/static/
Process: 17986 ExecStartPre=/usr/pgsql-10/bin/postgresql-10-check-db-dir ${PGDATA} (code=exited, status=0/SUCCESS)
Main PID: 17993 (postmaster)
CGroup: /system.slice/postgresql-10.service
├─17993 /usr/pgsql-10/bin/postmaster -D /www/pgsql/data/
├─17994 postgres: logger process
├─17996 postgres: checkpointer process
├─17997 postgres: writer process
├─17998 postgres: wal writer process
├─17999 postgres: autovacuum launcher process
├─18000 postgres: stats collector process
└─18001 postgres: bgworker: logical replication launcher
表示服务启动成功
由于pgsql默认既是监听127.0.0.1,所以不加密码也OK
切换到postgres用户
su - postgres
连接到数据库
psql
创建数据库
postgres=# CREATE DATABASE sonar;
创建用户
CREATE USER sonar WITH PASSWORD 'xxxxx';
创建授权
GRANT ALL PRIVILEGES ON DATABASE sonar to sonar;
修改配置文件
vim /www/pgsql/data/pg_hba.conf
# TYPE DATABASE USER ADDRESS METHOD
# "local" is for Unix domain socket connections only
local all all trust
# IPv4 local connections:
host all all 127.0.0.1/32 trust
# IPv6 local connections:
host all all ::1/128 trust
# Allow replication connections from localhost, by a user with the
# replication privilege.
#local replication all peer
#host replication all 127.0.0.1/32 ident
#host replication all ::1/128 ident
host all all 0.0.0.0/0 md5
重新载入配置文件
systemctl reload postgresql-10.service
安装sonar
官方下载地址:https://www.sonarqube.org/downloads/
本次选择最新版本7.3版本
新建安装目录
mkdir /www/sonar
由于sonar不能使用root启动,所以我们需要新建用户
新建用户
useradd sonar
切换到安装目录
cd /www/sonar
下载sonar
wget https://sonarsource.bintray.com/Distribution/sonarqube/sonarqube-7.3.zip
解压sonar
unzip sonarqube-7.3.zip
如果提示没有unzip命令请执行
yum install unzip安装命令后,再次执行解压
切换到sonar解压后目录
cd sonarqube-7.3
移动所有文件到上级目录&返回上级目录
mv * .. && cd ..
删除无用文件
rm -rf sonarqube-7.3.zip sonarqube-7.3/
修改目录所属权限
chown -R sonar:sonar /www/sonar/
切换用户
su - sonar
切换目录
cd /www/sonar/
配置文件
vim /www/sonar/conf/sonar.properties
sonar.jdbc.username=sonar
sonar.jdbc.password=xxxxx
sonar.jdbc.url=jdbc:postgresql://localhost/sonar
sonar.web.javaOpts=-Xmx8120m -Xms128m -XX:+HeapDumpOnOutOfMemoryError
sonar.web.host=127.0.0.1
sonar.web.port=9000
sonar.search.javaOpts=-Xms512m -Xmx4096m -XX:+HeapDumpOnOutOfMemoryError
sonar.telemetry.enable=false
启动服务
/www/sonar/bin/linux-x86-64/sonar.sh start
测试是否能访问
```curl http://127.0.0.1:9000
安装NGINX
yum install nginx
增加配置文件
/etc/nginx/conf.d/sonar.conf
server {
server_name sonar.xxx.com;
listen 80;
location / {
proxy_pass http://127.0.0.1:9000;
}
}
编辑文件/etc/nginx/nginx.conf
user nginx;
worker_processes 4;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
client_max_body_size 100m;
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Load modular configuration files from the /etc/nginx/conf.d directory.
# See http://nginx.org/en/docs/ngx_core_module.html#include
# for more information.
include /etc/nginx/conf.d/*.conf;
server {
listen 80 default_server;
server_name _;
return 444;
}
}
systemctl reload nginx.service
安装Jenkins
执行命令
sudo wget -O /etc/yum.repos.d/jenkins.repo https://pkg.jenkins.io/redhat-stable/jenkins.repo
sudo rpm --import https://pkg.jenkins.io/redhat-stable/jenkins.io.key
安装jenkins
yum install jenkins
启动jenkins
systemctl start jenkins.service
配置jenkins的NGINX规则
新建配置文件
/etc/nginx/conf.d/jenkins.conf
upstream jenkins {
keepalive 32; # keepalive connections
server 127.0.0.1:8080; # jenkins ip and port
}
server {
listen 80; # Listen on port 80 for IPv4 requests
server_name jenkins.example.com;
#this is the jenkins web root directory (mentioned in the /etc/default/jenkins file)
root /var/run/jenkins/war/;
access_log /var/log/nginx/jenkins/access.log;
error_log /var/log/nginx/jenkins/error.log;
ignore_invalid_headers off; #pass through headers from Jenkins which are considered invalid by Nginx server.
location ~ "^/static/[0-9a-fA-F]{8}\/(.*)$" {
#rewrite all static files into requests to the root
#E.g /static/12345678/css/something.css will become /css/something.css
rewrite "^/static/[0-9a-fA-F]{8}\/(.*)" /$1 last;
}
location /userContent {
#have nginx handle all the static requests to the userContent folder files
#note : This is the $JENKINS_HOME dir
root /var/lib/jenkins/;
if (!-f $request_filename){
#this file does not exist, might be a directory or a /**view** url
rewrite (.*) /$1 last;
break;
}
sendfile on;
}
location @jenkins {
sendfile off;
proxy_pass http://jenkins;
proxy_redirect default;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_max_temp_file_size 0;
#this is the maximum upload size
client_max_body_size 10m;
client_body_buffer_size 128k;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffering off;
proxy_request_buffering off; # Required for HTTP CLI commands in Jenkins > 2.54
proxy_set_header Connection ""; # Clear for keepalive
}
location / {
# Optional configuration to detect and redirect iPhones
if ($http_user_agent ~* '(iPhone|iPod)') {
rewrite ^/$ /view/iphone/ redirect;
}
try_files $uri @jenkins;
}
}
重新载入NGINX配置文件
systemctl reload nginx.service
配置联动
访问jenkins域名
点击系统管理-》插件管理
勾选如下插件
SonarQube Scanner
GitLab
安装完插件后,等待重启
配置SonarQube
重启后选择 系统管理 -> 系统设置
SonarQube servers
勾选Enable injection of SonarQube server configuration as build environment variables
点击Add SonarQube
name:sonar
server Url : 填写自己sonar服务器url
Server authentication token: 在sonar后台,管理用户 类目新建即可
注意:token只会出现一次。
点击保存
全局工具配置
找到全局工具配置
选择新增 SonarQube Scanner
Name:sonar
点击保存
凭据
在jenkins右侧选择凭据
添加自己的gitlab账号
配置任务
点击新建任务
填写名称,选择构建一个自由风格的软件项目
源码管理
选择git
填写git地址,
选择刚刚填写的凭据
构建这里选择增加Execute SonarQube Scanner
Analysis properties
填写如下信息
# 配置唯一ID
sonar.projectKey=oa
# 配置显示名称
sonar.projectName=oa
# 配置项目初始目录
sonar.sources=$WORKSPACE
#配置项目语言
sonar.language=php
#配置文件编码
sonar.sourceEncoding=UTF-8
#配置排除文件或者文件夹
sonar.exclusions=public/*
sonar.exclusions=*.js
sonar.exclusions=*.css
sonar.exclusions=*.html
sonar.exclusions=*.jpg
sonar.exclusions=*.jpge
sonar.exclusions=*.png
sonar.exclusions=*.gif
sonar.exclusions=*.pdf
sonar.exclusions=*.htm
sonar.exclusions=vendor/**
sonar.exclusions=Vendor/**
点击保存后
点击右侧立刻构建
本文档完成