Generating a SonarQube SAST Report
Introduction
This guide walks you through running a Python script that downloads your SonarQube vulnerability SAST report as a JSON file that can be submitted to Mobb. The script works for both Sonarcloud (SaaS) and SonarQube (on-premise).
Pre-Requisites
You must have Python installed in your environment. If you don't have Python installed, please do so by visiting the Python download site here.
You will need to run the script via your terminal or command prompt.
Download the sonarqube_download_report.py script from here.
Required environment variable settings
SONARQUBE_HOST_URL: Example values: https://sonarcloud.io or http://localhost:9000
SONARQUBE_TOKEN: Generate this token by following the instructions here
SONARQUBE_ORG: Your Sonarcloud Org ID. If you are using SonarQube, enter none
SONARQUBE_PROJECT: Your SonarQube project key
REPORT_PATH: Name of the output report, for example: sonar_report.json
BRANCH: The branch name, for example: main. Use either BRANCH or PULL_REQUEST_ID depending on your scan type; do not use both together. See examples below.
PULL_REQUEST_ID: The Pull Request ID or Pull Request Number associated with the scan, for example PULL_REQUEST_ID=13. Use either BRANCH or PULL_REQUEST_ID depending on your scan type; do not use both together. See examples below.
Sample command to download a report tied to a branch:
SONARQUBE_HOST_URL=https://sonarcloud.io \
SONARQUBE_TOKEN=XXX \
SONARQUBE_ORG=antonychiu2 \
SONARQUBE_PROJECT=antonychiu2_wf-examples-sonar \
BRANCH=main \
REPORT_PATH=sonar_report.json \
python sonarqube_download_report.py
Sample command to download a report tied to a PR:
SONARQUBE_HOST_URL=https://sonarcloud.io \
SONARQUBE_TOKEN=XXX \
SONARQUBE_ORG=antonychiu2 \
SONARQUBE_PROJECT=antonychiu2_wf-examples-sonar \
PULL_REQUEST_ID=13 \
REPORT_PATH=sonar_report.json \
python sonarqube_download_report.py
Sample command to download a SAST report from SonarQube (on-premise):
SONARQUBE_HOST_URL=http://local-ubuntu-vm:9000 \
SONARQUBE_TOKEN=XXX \
SONARQUBE_ORG=none \
SONARQUBE_PROJECT=webgoat-local \
BRANCH=main \
REPORT_PATH=sonar_report.json \
python sonarqube_download_report.py
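The following is an added illustration of what a download script driven by the environment variables above has to do; it is not Mobb's sonarqube_download_report.py. It assumes the SonarQube Web API endpoint /api/issues/search (token sent as the HTTP Basic username with an empty password, organization parameter only on Sonarcloud) and restricts the export to issues of type VULNERABILITY, which is an assumption about what the report should contain.

```python
# Added example, not the page's own script: translate the documented
# environment variables into a SonarQube Web API query, page through
# /api/issues/search and write the collected issues to REPORT_PATH.
import base64
import json
import os
import urllib.parse
import urllib.request


def build_params(env):
    """Map the documented environment variables to query parameters."""
    params = {"componentKeys": env["SONARQUBE_PROJECT"],
              "types": "VULNERABILITY", "ps": "500"}   # assumed filter
    org = env.get("SONARQUBE_ORG", "none")
    if org.lower() != "none":          # Sonarcloud only; omitted on-premise
        params["organization"] = org
    branch, pr = env.get("BRANCH"), env.get("PULL_REQUEST_ID")
    if bool(branch) == bool(pr):       # exactly one of the two must be set
        raise ValueError("set either BRANCH or PULL_REQUEST_ID, not both")
    params["branch" if branch else "pullRequest"] = branch or pr
    return params


def fetch_issues(host, token, params, opener=urllib.request.urlopen):
    """Page through /api/issues/search; `opener` is injectable for testing."""
    auth = base64.b64encode(f"{token}:".encode()).decode()  # token as username
    issues, page = [], 1
    while True:
        query = urllib.parse.urlencode({**params, "p": page})
        req = urllib.request.Request(f"{host.rstrip('/')}/api/issues/search?{query}",
                                     headers={"Authorization": f"Basic {auth}"})
        with opener(req) as resp:
            body = json.load(resp)
        issues.extend(body["issues"])
        if page * body["paging"]["pageSize"] >= body["paging"]["total"]:
            return issues
        page += 1


def main(env=os.environ):
    issues = fetch_issues(env["SONARQUBE_HOST_URL"], env["SONARQUBE_TOKEN"],
                          build_params(env))
    with open(env["REPORT_PATH"], "w") as fh:
        json.dump({"issues": issues}, fh, indent=2)
    print(f"wrote {len(issues)} issues to {env['REPORT_PATH']}")


if __name__ == "__main__":
    main()
```

Run it with the same environment variables as the sample commands above; the token is never placed in the URL, so it does not end up in proxy or server access logs.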