Generating a SonarQube SAST Report

Introduction

This guide will walk you through the steps to run a python script which will download your SonarQube vulnerability SAST report as a json file that can be submitted to Mobb. This script works for both Sonarcloud (SaaS) and SonarQube (on-premise).

Pre-Requisites

• You must have Python installed in your environment. If you don't have Python installed, please do so by visiting the Python download site here.

• You will need to run the script via your terminal or command prompt.

• Download the sonarqube_download_report.py script from here.

Required environment variable settings

SONARQUBE_HOST_URL

Example values: https://sonarcloud.io or http://localhost:9000

SONARQUBE_TOKEN

Generate this token at by following the instruction here

SONARQUBE_ORG

Your Sonarcloud Org ID. If you are using SonarQube, enter none

SONARQUBE_PROJECT

Your Sonarqube project key

REPORT_PATH

Name of the output report For example: sonar_report.json

BRANCH (Use either BRANCH or PULL_REQUEST_ID depending on your scan type. Do not use both together. See examples below)

The branch name. For example: main

'PULL_REQUEST_ID' (Use either BRANCH or PULL_REQUEST_ID depending on your scan type. Do not use both together. See examples below)

The Pull Request ID or Pull Request Number associated to the scan, for example PULL_REQUEST_ID=13

Sample command to download a report tied to a branch:

Sample command to download a report tied to a PR:

Sample command to download a SAST report from SonarQube (on-premise):