Hello,

Sonarqube keeps crashing if running from docker-compose.
Example:

version: '2'
services:
sonarqube:
image: owasp/sonarqube
ports:
- "9000:9000"
- "9092:9092"
networks:
jenkins:

• install open source database (Postgres 8 or 9; MySQL 5.6 or 5.7) for use by SQ

steps
docker run -d -p 9000:9000 -p 9092:9092 -e SQ_GITLAB_VERSION='4.0.0' --name basim owasp/sonarqube

Actual results
observed in the logs
2018.11.07 12:37:15 INFO web[][o.s.s.p.ServerPluginRepository] Deploy plugin GitLab / 3.0.2 / d04a1b6f22629bab354ac29599b3b78a190a9311

also observed in the marketplace installed plugins still has 3.0.2

Expected Results
Gitlab version 4.0.0 plugin to be installed

Hi,

I ran the Owasp SonarQube Docker and I wanted to try it with just a simple maven project from Spring Initializr.
But when I compile my maven project :

mvn sonar:sonar  \
 -Dsonar.host.url=http://localhost:9000  \
 -Dsonar.login=somelogin

I get this error :
[ERROR] Failed to execute goal org.sonarsource.scanner.maven:sonar-maven-plugin:3.5.0.1254:sonar (default-cli) on project demo: Unable to load component class org.sonar.scanner.scan.ProjectLock.

However when I try with the official SonarQube Docker it works.

Thank you,
Kevin

A range of sonarqube plugins that cover different aspects of https://www.owasp.org/index.php/Component_Analysis

License : https://github.com/porscheinformatik/sonarqube-licensecheck
Known Vulnerabilities : https://github.com/SonarSecurityCommunity/dependency-check-sonar-plugin (already included)
Outdated Components : https://github.com/reallyinsane/mathan-dependency-updates-sonar-plugin

https://bitbucket.org/excentia/sonarqube-tattletale-plugin/src/master/ no 7.9(only 5.6) support but provides

Identify dependencies between JAR files
Spot if a class/package is located in multiple JAR files
Spot if the same JAR file is located in multiple locations

best regards

Hi! I'm the OWASP Benchmark Project lead and we used to have support for scanning OWASP Benchmark (https://github.com/OWASP/Benchmark) with SonarQube years ago, but that feature hasn't been maintained.

Can you add support for scanning OWASP Benchmark to your project, or mine, leveraging this project? I.e., a simple script or instructions? Once we have the ability to do such a scan easily and repeatably, I can then update the scorecard generation capabilities in Benchmark for SonarQube. This would be great as we haven't been able to generate a scorecard for SonarQube against Benchmark in a long while.

Would it be possible to include a license in the repo itself, or at least mention the license in the readme?

The OWASP website mentions that this is licensed under the Apache 2.0 license
https://www.owasp.org/index.php/OWASP_SonarQube_Project#tab=Main

Thanks!

This could be a great project but i need more info :
what does this project add to the offical docker image https://hub.docker.com/_/sonarqube/ ?
what version of sonarqube is used ?

Building out the docker image it looks like quite a few of the plugin jars you are referencing are no longer available.

I've corrected/updated them for whats available 11/7/2018 so the docker image now builds.