跳转至

02.工作流自动化代码审计

作者:Lost Maniac

协作:


简介


sonar

项目源码

本项目托管在GitHub,地址为:https://github.com/sdlchina/php_code_audit

部署方法


安装文档基于centos 7.x

安装PGsql

打开官网安装文档 https://www.postgresql.org/download/linux/redhat/

选择要安装的版本为10版本

安装repo源

yum install https://download.postgresql.org/pub/repos/yum/10/redhat/rhel-7-x86_64/pgdg-centos10-10-2.noarch.rpm

安装客户端

yum install postgresql10

安装服务端

yum install postgresql10-server

新建数据库存储目录

mkdir -p /www/pgsql/data //递归方式创建pgsql/data目录

授权目录权限

chown -R postgres:postgres /www/pgsql/

修改开机启动配置文件

vim /usr/lib/systemd/system/postgresql-10.service


[Unit]
Description=PostgreSQL 10 database server
Documentation=https://www.postgresql.org/docs/10/static/
After=syslog.target
After=network.target

[Service]
Type=notify

User=postgres
Group=postgres

# Note: avoid inserting whitespace in these Environment= lines, or you may
# break postgresql-setup.

# Location of database directory
Environment=PGDATA=/www/pgsql/data/

# Where to send early-startup messages from the server (before the logging
# options of postgresql.conf take effect)
# This is normally controlled by the global default set by systemd
# StandardOutput=syslog

# Disable OOM kill on the postmaster
OOMScoreAdjust=-1000
Environment=PG_OOM_ADJUST_FILE=/proc/self/oom_score_adj
Environment=PG_OOM_ADJUST_VALUE=0

ExecStartPre=/usr/pgsql-10/bin/postgresql-10-check-db-dir ${PGDATA}
ExecStart=/usr/pgsql-10/bin/postmaster -D ${PGDATA}
ExecReload=/bin/kill -HUP $MAINPID
KillMode=mixed
KillSignal=SIGINT


# Do not set any timeout value, so that systemd will not kill postmaster
# during crash recovery.
TimeoutSec=0

[Install]
WantedBy=multi-user.target

修改初始化脚本

vim /usr/pgsql-10/bin/postgresql-10-setup


# Log file for initdb
PGLOG=/www/pgsql/log/initdb.log


对PGsql进行初始化

/usr/pgsql-10/bin/postgresql-10-setup initdb

检查目录/www/pgsql/data目录下有文件表示初始化成功

开启pgsql服务

systemctl start postgresql-10.service

检查pgsql服务

systemctl status postgresql-10.service

显示

● postgresql-10.service - PostgreSQL 10 database server
   Loaded: loaded (/usr/lib/systemd/system/postgresql-10.service; disabled; vendor preset: disabled)
   Active: active (running) since Mon 2018-09-10 11:35:21 CST; 1h 5min ago
     Docs: https://www.postgresql.org/docs/10/static/
  Process: 17986 ExecStartPre=/usr/pgsql-10/bin/postgresql-10-check-db-dir ${PGDATA} (code=exited, status=0/SUCCESS)
 Main PID: 17993 (postmaster)
   CGroup: /system.slice/postgresql-10.service
           ├─17993 /usr/pgsql-10/bin/postmaster -D /www/pgsql/data/
           ├─17994 postgres: logger process
           ├─17996 postgres: checkpointer process
           ├─17997 postgres: writer process
           ├─17998 postgres: wal writer process
           ├─17999 postgres: autovacuum launcher process
           ├─18000 postgres: stats collector process
           └─18001 postgres: bgworker: logical replication launcher

表示服务启动成功

由于pgsql默认既是监听127.0.0.1,所以不加密码也OK

切换到postgres用户

su - postgres

连接到数据库

psql

创建数据库

postgres=# CREATE DATABASE sonar;

创建用户

CREATE USER sonar WITH PASSWORD 'xxxxx';

创建授权

GRANT ALL PRIVILEGES ON DATABASE sonar to sonar;

修改配置文件

vim /www/pgsql/data/pg_hba.conf

# TYPE  DATABASE        USER            ADDRESS                 METHOD

# "local" is for Unix domain socket connections only
local   all             all                                     trust
# IPv4 local connections:
host    all             all             127.0.0.1/32            trust
# IPv6 local connections:
host    all             all             ::1/128                 trust
# Allow replication connections from localhost, by a user with the
# replication privilege.
#local   replication     all                                     peer
#host    replication     all             127.0.0.1/32            ident
#host    replication     all             ::1/128                 ident
host    all             all             0.0.0.0/0       md5

重新载入配置文件

systemctl reload postgresql-10.service

安装sonar

官方下载地址:https://www.sonarqube.org/downloads/

本次选择最新版本7.3版本

新建安装目录

mkdir /www/sonar

由于sonar不能使用root启动,所以我们需要新建用户

新建用户 useradd sonar

切换到安装目录

cd /www/sonar

下载sonar

wget https://sonarsource.bintray.com/Distribution/sonarqube/sonarqube-7.3.zip

解压sonar

unzip sonarqube-7.3.zip

如果提示没有unzip命令请执行yum install unzip安装命令后,再次执行解压

切换到sonar解压后目录

cd sonarqube-7.3

移动所有文件到上级目录&返回上级目录

mv * .. && cd ..

删除无用文件

rm -rf sonarqube-7.3.zip sonarqube-7.3/

修改目录所属权限

chown -R sonar:sonar /www/sonar/

切换用户

su - sonar

切换目录

cd /www/sonar/

配置文件

vim /www/sonar/conf/sonar.properties

sonar.jdbc.username=sonar
sonar.jdbc.password=xxxxx
sonar.jdbc.url=jdbc:postgresql://localhost/sonar
sonar.web.javaOpts=-Xmx8120m -Xms128m -XX:+HeapDumpOnOutOfMemoryError
sonar.web.host=127.0.0.1
sonar.web.port=9000
sonar.search.javaOpts=-Xms512m -Xmx4096m -XX:+HeapDumpOnOutOfMemoryError
sonar.telemetry.enable=false

启动服务

/www/sonar/bin/linux-x86-64/sonar.sh start

测试是否能访问

```curl http://127.0.0.1:9000

安装NGINX

yum install nginx

增加配置文件

/etc/nginx/conf.d/sonar.conf

server {
        server_name sonar.xxx.com;
        listen 80;
        location / {
                proxy_pass http://127.0.0.1:9000;
        }
}

编辑文件/etc/nginx/nginx.conf

user nginx;
worker_processes 4;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;
    client_max_body_size 100m;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;

    server {
        listen       80 default_server;
        server_name  _;
        return 444;
    }
}

systemctl reload nginx.service

安装Jenkins

执行命令

sudo wget -O /etc/yum.repos.d/jenkins.repo https://pkg.jenkins.io/redhat-stable/jenkins.repo

sudo rpm --import https://pkg.jenkins.io/redhat-stable/jenkins.io.key

安装jenkins

yum install jenkins

启动jenkins

systemctl start jenkins.service

配置jenkins的NGINX规则

新建配置文件

/etc/nginx/conf.d/jenkins.conf

upstream jenkins {
  keepalive 32; # keepalive connections
  server 127.0.0.1:8080; # jenkins ip and port
}

server {
  listen          80;       # Listen on port 80 for IPv4 requests

  server_name     jenkins.example.com;

  #this is the jenkins web root directory (mentioned in the /etc/default/jenkins file)
  root            /var/run/jenkins/war/;

  access_log      /var/log/nginx/jenkins/access.log;
  error_log       /var/log/nginx/jenkins/error.log;
  ignore_invalid_headers off; #pass through headers from Jenkins which are considered invalid by Nginx server.

  location ~ "^/static/[0-9a-fA-F]{8}\/(.*)$" {
    #rewrite all static files into requests to the root
    #E.g /static/12345678/css/something.css will become /css/something.css
    rewrite "^/static/[0-9a-fA-F]{8}\/(.*)" /$1 last;
  }

  location /userContent {
    #have nginx handle all the static requests to the userContent folder files
    #note : This is the $JENKINS_HOME dir
    root /var/lib/jenkins/;
    if (!-f $request_filename){
      #this file does not exist, might be a directory or a /**view** url
      rewrite (.*) /$1 last;
      break;
    }
    sendfile on;
  }

  location @jenkins {
      sendfile off;
      proxy_pass         http://jenkins;
      proxy_redirect     default;
      proxy_http_version 1.1;

      proxy_set_header   Host              $host;
      proxy_set_header   X-Real-IP         $remote_addr;
      proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
      proxy_set_header   X-Forwarded-Proto $scheme;
      proxy_max_temp_file_size 0;

      #this is the maximum upload size
      client_max_body_size       10m;
      client_body_buffer_size    128k;

      proxy_connect_timeout      90;
      proxy_send_timeout         90;
      proxy_read_timeout         90;
      proxy_buffering            off;
      proxy_request_buffering    off; # Required for HTTP CLI commands in Jenkins > 2.54
      proxy_set_header Connection ""; # Clear for keepalive
  }

  location / {
    # Optional configuration to detect and redirect iPhones
    if ($http_user_agent ~* '(iPhone|iPod)') {
      rewrite ^/$ /view/iphone/ redirect;
    }

    try_files $uri @jenkins;
  }
}

重新载入NGINX配置文件

systemctl reload nginx.service

配置联动

访问jenkins域名

点击系统管理-》插件管理

勾选如下插件

SonarQube Scanner
GitLab

安装完插件后,等待重启

配置SonarQube

重启后选择 系统管理 -> 系统设置

SonarQube servers

勾选Enable injection of SonarQube server configuration as build environment variables

点击Add SonarQube

name:sonar

server Url : 填写自己sonar服务器url

Server authentication token: 在sonar后台,管理用户 类目新建即可

注意:token只会出现一次。

点击保存

全局工具配置

找到全局工具配置

选择新增 SonarQube Scanner

Name:sonar

点击保存

凭据

在jenkins右侧选择凭据

添加自己的gitlab账号

配置任务

点击新建任务

填写名称,选择构建一个自由风格的软件项目

源码管理

选择git

填写git地址,

选择刚刚填写的凭据

构建这里选择增加Execute SonarQube Scanner

Analysis properties

填写如下信息

# 配置唯一ID
sonar.projectKey=oa
# 配置显示名称
sonar.projectName=oa
# 配置项目初始目录
sonar.sources=$WORKSPACE
#配置项目语言
sonar.language=php
#配置文件编码
sonar.sourceEncoding=UTF-8
#配置排除文件或者文件夹
sonar.exclusions=public/*
sonar.exclusions=*.js
sonar.exclusions=*.css
sonar.exclusions=*.html
sonar.exclusions=*.jpg
sonar.exclusions=*.jpge
sonar.exclusions=*.png
sonar.exclusions=*.gif
sonar.exclusions=*.pdf
sonar.exclusions=*.htm
sonar.exclusions=vendor/**
sonar.exclusions=Vendor/**

点击保存后

点击右侧立刻构建

本文档完成