I was recently asked to review the open source NextCloud project for common security issues as part of a project. I used a tool called SonarQube (and SonarScanner) to perform this analysis.
These are Java-based tools, so I used the available Docker images to do the analysis.
SonarQube offers a community edition with a docker implementation. This approach seemed appropriate for this project.
Docker must first be installed on Windows. This was done by following these instructions. Note that this also required WSL2 (Windows Subsystem for Linux) to be installed on the PC.
After Docker Desktop is installed, the SonarQube Docker images must be pulled. The first image was the base SonarQube server (website) image. It was pulled and started by entering the following commands in PowerShell:
docker pull sonarqube
docker run -d --name sonarqube -e SONAR_ES_BOOTSTRAP_CHECKS_DISABLE=true -p 9000:9000 sonarqube:latest
Once installed, the SonarQube website could be accessed by going to http://localhost:9000. Following the SonarQube documentation, a "project" was then created in the SonarQube website. This effectively provided a bucket for the results of the security analysis performed in the next step.
Next, the SonarScanner software needed to be installed to provide the specific functionality to scan PHP files. This was installed by entering the following command in PowerShell:
docker pull sonarsource/sonar-scanner-cli
In order to then perform a scan, I did the following (modify parameters as needed):
Download the project to scan from GitHub to a local folder. In this case the folder was: C:\temp\nextcloud\3rdparty\sabre\dav\lib\CalDAV
Make sure the SonarQube server container is running:
docker run -d --name sonarqube -e SONAR_ES_BOOTSTRAP_CHECKS_DISABLE=true -p 9000:9000 sonarqube:latest
(If the container created earlier still exists, this command fails with a name conflict; docker start sonarqube brings the existing container back up instead.)
Run the following SonarScanner command in PowerShell:
docker run --rm -e SONAR_HOST_URL="http://172.31.144.1:9000/" -e SONAR_SCANNER_OPTS="-Dsonar.projectKey=JimTest1" -e SONAR_LOGIN="sqp_71e6b2ac956b3da33d972f36f5d0f06b6fbb36df" -v "C:\temp\nextcloud\3rdparty\sabre\dav\lib\CalDAV:/usr/src" sonarsource/sonar-scanner-cli
The project key and the SONAR_LOGIN were both values provided by the SonarQube website when I created a test project. Two other important details:
After running the SonarScanner Docker command above, the scan ran for approximately 6 minutes. When the scan was complete, the assessment details were available in the SonarQube website.
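The steps above, combined into one PowerShell script as an added example (not from the original post). It assumes Docker Desktop, where host.docker.internal resolves to the Windows host from inside a container (the WSL host address used above works too), that the project key and token come from the SonarQube website as described, and that the token is supplied through the SONAR_TOKEN environment variable rather than pasted into the script; it waits for the server's system status API to report UP before starting the scanner.

```powershell
# Added example: start SonarQube, wait until it is UP, then run SonarScanner on a source tree.
# Assumptions: Docker Desktop on Windows; host.docker.internal reaches the host from a container;
# the project key and sqp_... token were generated in the SonarQube website for this project.
param(
    [string]$ProjectKey = "JimTest1",                          # project key shown when the project was created
    [string]$Token      = $env:SONAR_TOKEN,                    # sqp_... project token, read from the environment
    [string]$SourceDir  = "C:\temp\nextcloud\3rdparty\sabre\dav\lib\CalDAV",
    [string]$HostUrl    = "http://host.docker.internal:9000/"  # or the WSL host address, e.g. http://172.31.144.1:9000/
)

if (-not $Token) { throw "Set SONAR_TOKEN to the project token generated by SonarQube." }

# Create the server container on first use; restart the existing one afterwards
# (a second 'docker run --name sonarqube' would fail with a name conflict).
$existing = docker ps -a --filter "name=^sonarqube$" --format "{{.Names}}"
if ($existing -eq "sonarqube") {
    docker start sonarqube | Out-Null
} else {
    docker run -d --name sonarqube -e SONAR_ES_BOOTSTRAP_CHECKS_DISABLE=true -p 9000:9000 sonarqube:latest | Out-Null
}

# Poll the system status API until SonarQube reports UP; startup takes a minute or two.
$deadline = (Get-Date).AddMinutes(5)
do {
    Start-Sleep -Seconds 5
    try {
        $status = (Invoke-RestMethod -Uri "http://localhost:9000/api/system/status").status
    } catch {
        $status = "STARTING"   # web server not answering yet
    }
    Write-Host "SonarQube status: $status"
} while ($status -ne "UP" -and (Get-Date) -lt $deadline)

if ($status -ne "UP") { throw "SonarQube did not come up within 5 minutes." }

# Run the scanner against the mounted source tree (the image reads sources from /usr/src).
docker run --rm `
    -e SONAR_HOST_URL="$HostUrl" `
    -e SONAR_SCANNER_OPTS="-Dsonar.projectKey=$ProjectKey" `
    -e SONAR_LOGIN="$Token" `
    -v "${SourceDir}:/usr/src" `
    sonarsource/sonar-scanner-cli

if ($LASTEXITCODE -ne 0) { throw "Scan failed with exit code $LASTEXITCODE" }
Write-Host "Scan complete; results are at http://localhost:9000/dashboard?id=$ProjectKey"
```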
SonarQube is a decent tool for performing static analysis on PHP websites.