Monday 2 August 2021

Secure coding: Integrating SonarQube in Android Studio

It is often difficult to spot security issues in your app code while you are focused on adding features and delivering an exceptional user experience. Here is how you can take care of security bugs and protect your apps and users from being exposed to vulnerabilities. There are many open-source and free security scanners that you can integrate into your favourite IDE to get rid of some common, basic security bugs easily. In this article, I will show how we can use the Community edition of a popular code scanning tool, SonarQube, for finding bugs during Android app development by integrating it into Android Studio.

The SonarQube scanner is a popular code quality and security scanning tool available in multiple editions: Community, Developer, Enterprise and Data Center. You can read more about it here.

Prerequisites:

  • Java 11 or higher (tested using Java 11)
  • Android Studio

Make sure your Android Studio is working properly. The JAVA_HOME variable should point to the Java installation root directory.

Follow the simple steps below to download and configure SonarQube on your system.

  1. Visit the SonarQube website download page and understand the different editions of this static code analysis tool.
  2. If you prefer the Community edition, download the latest version appropriate for your machine's operating system. For this article, I will be using the Windows version.
  3. Now simply unpack the zipped file into a directory of your choice. We will call it the base directory for simplicity.
  4. Browse through the directories 'sonarqube-xy.x.xx.xx\bin\windows-x86-64' to locate the StartSonar.bat file. Depending on your version, the path might differ.
  5. Add that location to your system PATH variable.
  6. Now simply run the bat file from the command prompt.
  7. If everything goes well, you will see that execution has completed. Keep the CMD window running.
  8. Now open http://127.0.0.1:9000 in your browser to get the tool UI.
  9. Log in with the default credentials (admin/admin).
  10. The tool installation is complete.

Now we have to integrate the tool into Android Studio. Install the SonarQube plugin for Android Studio:
File > Settings > Plugins
Search for SonarQube Analyzer and install it.

Fire up the IDE and open the build.gradle files.
Open the project-level build.gradle file and add the line below under the dependencies block of the buildscript section.

classpath "org.sonarsource.scanner.gradle:sonarqube-gradle-plugin:2.6.2"

Now open the build.gradle file corresponding to the app module and add the entry below at the end. Make sure you give the username/password corresponding to your installation of SonarQube. Keep in mind that this file is normally committed to version control, so anything you put in sonar.login and sonar.password ends up in your repository history.

apply plugin: 'org.sonarqube'

sonarqube {
    properties {
        property "sonar.projectName", "developerlibs"
        property "sonar.projectKey", "com.devlibs.android"
        // Recent SonarQube versions detect languages automatically and ignore sonar.language.
        property "sonar.language", "kotlin"
        property "sonar.sources", "src/main/java/"
        property "sonar.binaries", "build"
        property "sonar.sourceEncoding", "UTF-8"
        // Credentials used by the scanner to talk to the local SonarQube server.
        property "sonar.login", "admin"
        property "sonar.password", "admin"
    }
}
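The block above works, but it stores the server login in a file that is committed with the project. The following is an added example, not code from the original post, showing the same sonarqube {} configuration reworked so that the credential comes from outside the repository. It assumes you generated an analysis token in the SonarQube UI (My Account > Security) and exported it as the SONAR_TOKEN environment variable, or placed it as sonar.token=... in the untracked local.properties file; SONAR_TOKEN and sonar.token are names chosen for this example.

```groovy
// Hardened version of the sonarqube {} block from the post (added example).
// Assumption: an analysis token is available either in the SONAR_TOKEN
// environment variable or as sonar.token in the untracked local.properties.
apply plugin: 'org.sonarqube'

// Resolve the token from the environment first, then from local.properties,
// so that no credential is ever written into a file that gets committed.
def sonarToken = System.getenv('SONAR_TOKEN')
if (!sonarToken) {
    def localProps = new Properties()
    def localPropsFile = rootProject.file('local.properties')
    if (localPropsFile.exists()) {
        localPropsFile.withInputStream { localProps.load(it) }
    }
    sonarToken = localProps.getProperty('sonar.token')
}

sonarqube {
    properties {
        property "sonar.host.url", "http://127.0.0.1:9000"   // the local server from the post
        property "sonar.projectName", "developerlibs"
        property "sonar.projectKey", "com.devlibs.android"
        property "sonar.sources", "src/main/java/"
        property "sonar.sourceEncoding", "UTF-8"
        // A token in sonar.login replaces the admin/admin pair; sonar.password is not set at all.
        if (sonarToken) {
            property "sonar.login", sonarToken
        }
    }
}

// Fail early with a clear message instead of sending an unauthenticated scan.
tasks.named('sonarqube') {
    doFirst {
        if (!sonarToken) {
            throw new GradleException('SONAR_TOKEN is not set and local.properties has no sonar.token')
        }
    }
}
```

Add local.properties to .gitignore (Android Studio does this by default) so the token stays out of the repository.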



Finally, execute the Gradle Wrapper command to complete the process.

You are all set. Just refresh your SonarQube homepage at http://127.0.0.1:9000 and you will see the scan results appearing in your dashboard. Simple, right?