This guide assumes that Ubuntu Server has been installed on your VirtualBox virtual machine and you are logged in with sudo privileges and you have an internet connection.
Install the Salesforce CLI
CodeScan can run scans with the Salesforce CLI and CodeScan plugin.
Install both using the following commands.
mkdir .sfdx-install
wget -q https://developer.salesforce.com/media/salesforce-cli/sfdx-linux-amd64.tar.xz -O .sfdx-install/sfdx.tar.xz
tar xJf .sfdx-install/sfdx.tar.xz -C .sfdx-install --strip-components 1
sfdx plugins:install sfdx-codescan-plugin
Install JDK 8
CodeScan requires Java 8 to run.
Install Java using the following command.
sudo apt install openjdk-8-jre-headless
Install NodeJS
CodeScan for Lightning requires NodeJS to run.
Install NodeJS using the following command.
sudo apt install nodejs
Download and Install SonarQube™
Use the following command to download the SonarQube™ 8.4.2 archive.
wget https://binaries.sonarsource.com/Distribution/sonarqube/sonarqube-8.4.2.36762.zip
if you do not have a program to unzip the archive, use the following command to install one.
sudo apt install unzip
Then unzip the archive using:
unzip sonarqube-8.4.2.36762.zip
Download and Install CodeScan
Use the following command to download the CodeScan 4.4.4.1 archive.
wget http://downloads.code-scan.com/sonar-salesforce-plugin-4.4.4.1.zip
Then unzip the archive using:
unzip sonar-salesforce-plugin-4.4.4.1.zip
Copy the .jar file to the SonarQube plugins folder using:
cp sonar-salesforce-plugin/sonar-salesforce-plugin-4.4.4.1.jar sonarqube-8.4.2.36762/extensions/plugins/
Setup Network
To use CodeScan outside the server, you will need to configure the connection to the host machine.
Shut down the Ubuntu server using the command shutdown now
In your Virtualbox window, click your virtual machine and then the Network section of the details.
Click on Adapter 2. Select Host-only Adapter next to “Attached to” and VirtualBox Host-Only Ethernet Adapter next to “Name”.
Click on Adapter 1 > Advanced > Port Forwarding.
The default port that SonarQube runs on is Port 9000. Click the Add New Rule button on the right and configure port 9000 to be accessible as seen in the screenshot below.
Click OK on both windows. Now you’re ready to run a scan and view the results from your host machine.
Run SonarQube™
Start your virtual machine.
Log in and start SonarQube™ using the command:
sonarqube-8.4.2.36762/bin/linux-x86-64/sonar.sh start
Apply CodeScan License
On your host computer, open your command prompt and use ipconfig to find the IP address for the “Ethernet adapter VirtualBox Host-Only Network”.
Copy the IPv4 address and open your host computer’s web browser.
In the address bar paste the IP address you just copied and add :9000 for the port you configured as below
If everything is correct, you will see SonarQube™ load in your browser window.
Click Log In at the top right of the screen and use the default credentials (Login: admin, Password: admin) to log in as an administrator.
Click Administration at the top of the screen and select CodeScan on the left of the screen.
In the CodeScan License field, paste the license key you were supplied with and click Save.
Use CodeScan Quality Profiles
In SonarQube™, click Quality Profiles at the top of the screen. You will see a list of languages with the rule sets that are configured for them.
Scroll down to Javascript, find the ruleset Salesforce Lightning and click the settings cog next to it.
Select Set as Default.
Now scroll down and do the same for the Visualforce and Lightning language.
Running a scan
Now you are ready to run a scan.
First, create a security token. Learn how here.
Using your token and the IP address of your server, type the following into the command prompt:
sfdx codescan:run --token <token> --projectkey my-project-key --organization default-organization --server http://<server IP>:9000
After the analysis has finished, switch back to the browser on your host computer and click the Projects menu at the top of the page.
You should now be able to see your project listed.
Clicking on the name of the project will allow you to explore the measures in more detail.