Karush Logo


Using SonarCube for static analysis of PHP files

I was recently asked to review the open source NextCloud project for common security issues as part of a project. I used a tool called SonarCube (and SonarScanner) to perform this analysis.

These are Java based tools, so I used the available docker images to do the analysis.

Using SonarCube

SonarQube offers a community edition with a docker implementation. This approach seemed appropriate for this project.

Docker must first be installed on Windows. This was done by following these instructions. Note that this also required WSL2 (Windows subsystem for Linux) to be installed on the PC.

After docker desktop is installed, the SonarQube docker images must be installed. The first image installed and was the base SonarQube website image. This was installed and ran by entering the following commands in powershell:

  • docker pull sonarqube
  • docker run -d --name sonarqube -e SONAR_ES_BOOTSTRAP_CHECKS_DISABLE=true -p 9000:9000 sonarqube:latest

Once installed, the SonarQube website could be accessed by going to http://localhost:9000. Following the SonarQube documentation, a "project" was then created in the SonarQube website. This effectively provided a bucket for the results of the security analysis performed in the next step.

Next, the SonarScanner software needed to be installed to provide the specific functionality to scan PHP files. This was installed by entering the following commands in powershell:

  • docker pull sonarsource/sonar-scanner-cli

In order to then perform a scan, I did the following (modify parameters as needed):

  • download the project to scan from github to a local folder. In this case the folder was: C:\temp\nextcloud\3rdparty\sabre\dav\lib\CalDAV

  • docker run -d --name sonarqube -e SONAR_ES_BOOTSTRAP_CHECKS_DISABLE=true -p 9000:9000 sonarqube:latest

Run the following SonarScanner command in powershell:

  • docker run --rm -e SONAR_HOST_URL="" -e SONAR_SCANNER_OPTS="-Dsonar.projectKey=JimTest1" -e SONAR_LOGIN="sqp_71e6b2ac956b3da33d972f36f5d0f06b6fbb36df" -v "C:\temp\nextcloud\3rdparty\sabre\dav\lib\CalDAV:/usr/src" sonarsource/sonar-scanner-cli

The project key and the SONAR_LOGIN were both values provided by the SonarQube website when I created a test project. Two other important details:

  • the SONAR_HOST_URL value could not reference "localhost". In order for one docker image to communicate to the other docker image, and IP address value from "ipconfig" needed to be used.
  • the parameter -v "C:\temp\nextcloud\3rdparty\sabre\dav\lib\CalDAV:/usr/src" is important and it links a local folder to an internal folder used by the scanner software in the docker image.

After running the SonarScanner docker command above, the scan ran for approximately 6 minutes. When the scan was complete assessment details were available in the SonarQube website.


SonarCube is a decent tool for performing static analysis on PHP websites.