BCDevOps / sonarqube

An OpenShift-focused Docker build of Sonarqube
GNU Lesser General Public License v3.0

Upgrade to SonarQube 7.9 #14

Closed esune closed 4 years ago

esune commented 4 years ago

Updates for the image version 7.9 of SonarQube. The Docker container was tested by performing a scan, and it appears to have worked correctly.

Based on the SonarQube upgrade guide though, we will probably want/need to upgrade every instance in OpenShift to v6.7.7 BEFORE we can upgrade to v7.9.

Some backup and maintenance steps on the PostgreSQL instance backing the scan database may be necessary as well, as described in the document.

Badges and Zap scan integration have not yet been tested.

esune commented 4 years ago

@WadeBarnes leaving this PR in draft until we decide what to do about the upgrade strategy for instances that have already been deployed.

esune commented 4 years ago

@WadeBarnes I bumped the SonarQube version to the latest LTS available as we speak, and updated the docs. I referred directly to the official SonarQube upgrade guide; do you want me to explicitly mention retaining the history, or just leave it to the official docs?

Other than that, we will just need to test the image in OpenShift once we merge - either trying to keep the history or not.

WadeBarnes commented 4 years ago

@esune, For the upgrade documentation I would create an upgrade section that calls out the possibility of losing the history between version 6.7.5 and 7.9.1, and place the link to the upgrade docs there. Leave it to the official docs for the rest of the details.

I've given you access to push images to the bcgovimages/sonarqube repo. Please build and push a 7.9.1 and we can test it out on the VON projects.

GuiF007 commented 4 years ago

Don't you have any trouble with the vm.max_map_count value on OpenShift?

WadeBarnes commented 4 years ago

@esune, Did you run into any troubles with the above in your testing?

esune commented 4 years ago

@GuiF007 @WadeBarnes I need to pick up where I left off, as I was pulled onto something else and left this in progress. I believe all the testing I did was locally on Docker; I will report back as soon as I manage to push changes to OpenShift as well.

WadeBarnes commented 4 years ago

@GuiF007 @esune, As a bit of a test and validation, I'm using the 7.9.1 bcgovimages/sonarqube image for the Cullen Commission Website and it's working just fine on OpenShift. Cullen Commission SonarQube Results. I still have to wire up the ZAP Scanning, but assuming that goes well we can merge this PR.

WadeBarnes commented 4 years ago

@esune, the documentation indicates the ZAP plugin is bundled with the bcgovimages/sonarqube:7.9.1 image, but that does not appear to be the case. I also noticed you need to install plugins explicitly. There don't appear to be any installed by default, so we will need to mention that in the documentation.

WadeBarnes commented 4 years ago

@esune, we should also provide an example in our documentation of how to copy the sonar-zap-plugin to the running SonarQube instance in OpenShift in the case it's not bundled or needs to be updated:

oc cp ./sonar-zap-plugin-1.2.0.jar kyrwwq-tools/sonarqube-1-w4shw:/opt/sonarqube/extensions/plugins

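
A small wrapper around the oc cp step above, added here as an example and not part of this PR or the BCDevOps/sonarqube repo: it refuses to copy a plugin jar into the running pod unless the jar's sha256 matches a digest recorded out of band, then lists the plugin directory so the installed set is visible. The namespace and pod name are the ones from the command above; the digest in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example (not from the PR or the repo): checksum-gated plugin copy into
# a running SonarQube pod on OpenShift. Namespace, pod and digest are inputs;
# the digest shown in the usage comment is a placeholder, not a real value.
set -eu

PLUGIN_DIR=/opt/sonarqube/extensions/plugins

# verify_jar <jar> <expected-sha256>: succeeds only when the digest matches.
verify_jar() {
  jar=$1; expected=$2
  actual=$(sha256sum "$jar" | cut -d' ' -f1)
  [ "$actual" = "$expected" ]
}

# install_plugin <namespace> <pod> <jar> <expected-sha256>
# Copies the jar with `oc cp` (same target path as the thread), then lists the
# plugin directory inside the pod so the copy can be confirmed and logged.
install_plugin() {
  ns=$1; pod=$2; jar=$3; expected=$4
  if ! verify_jar "$jar" "$expected"; then
    echo "refusing to install $jar: sha256 mismatch" >&2
    return 1
  fi
  oc cp "$jar" "$ns/$pod:$PLUGIN_DIR"
  oc -n "$ns" exec "$pod" -- ls -l "$PLUGIN_DIR"
}

# Usage (placeholder digest):
# install_plugin kyrwwq-tools sonarqube-1-w4shw ./sonar-zap-plugin-1.2.0.jar \
#   0000000000000000000000000000000000000000000000000000000000000000
```

The SonarQube process only picks up a new jar after a restart, so the copy is followed by a pod restart in practice.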
WadeBarnes commented 4 years ago

There appears to be an issue with the summary report not showing up that we'll have to address. You have to drill into the issues to see the results.

Perhaps we need to update the zap-scanner on the scanner pod, or there needs to be some code files included in the project (right now we're filtering out the xml report so it does not get scanned as source code).

Examples:

Compared to:

esune commented 4 years ago

The Dockerfile has been updated; now the ZAP plugin registers correctly and is deployed with the bundle. I will be looking into the scanner pod to determine whether the cause of the reports not being displayed lies there.