SonarQube "exe" installer for version 7.9.6

Must-share information (formatted with Markdown):

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension) - 7.9.6
  • what are you trying to achieve - I am trying to automate the installation of SonarQube through Automation Account in Microsoft Azure. The automation requires either MSI or an exe version of SonarQube rather than the bat file.
  • what have you tried so far to achieve this: I have tried using the bat file, but the installation fails.

Hi,

First, 7.9.6 is past EOL. You should use either the latest version or the current LTS. Second, it’s not clear to me why you’re trying to automate deployment. SonarQube isn’t something you should have to redeploy on a regular basis. You set it up and point all your analyses to the one, still-running instance.

 
:face_with_monocle:
Ann

Hi @robertjebakumar,

I understand the preference for an automated deployment for SonarQube through Azure; we’ve set this up on our side as well. It makes updates super easy and repeatable across a Test and a Production environment, and I can delegate the update to someone who isn’t a server admin.

Having said that, just plugging an MSI file into Azure Automation isn’t the way to go here. SonarQube isn’t a desktop application - it’ll need custom configuration after the install (e.g. database config, server URLs and ports, user authentication, etc.). Here’s what we’ve done to get to an auto-deploy setup:

  • We keep SonarQube, JRE, and Tomcat in our source code repository as deployable artifacts. You’ll need the ZIP version of SonarQube for that, not the EXE.
  • We have an Azure build pipeline that combines those three into a deployable solution.
  • A release pipeline then injects custom, environment-specific configuration (see above)
  • PowerShell scripts then take this customized release package and take care of file copies, minimum folder permissions, and the service install on the server.

This brings a SonarQube update down to about 15 minutes of work by someone on the dev team, and we can deploy JRE and Tomcat updates out of band to keep up with any security issues. A nice side effect is built-in change tracking/auditing, and the ability to roll back if needed (assuming your release pipeline takes DB backups like ours).

Side note: Ann is correct about the version - 7.9.6 is end of life and contains a serious vulnerability through log4j2. You should consider updating to either 8.9.6 LTS or 9.3 as part of this deployment model change.

2 Likes
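A sketch of the last step in the list above (file copy, minimum folder permissions, service install), added here as an illustration and not the poster's own scripts. The install path, the writable directory list, the service name and the install script path are assumptions to adjust for your SonarQube version and package layout.

```powershell
#Requires -RunAsAdministrator
# Added example; paths, names and the package layout are assumptions.
param(
    [Parameter(Mandatory)][string]$PackageZip,               # release package, ZIP root = SonarQube home
    [Parameter(Mandatory)][pscredential]$ServiceCredential,  # dedicated account in 'DOMAIN\user' form
    [string]$InstallRoot     = 'D:\Apps\SonarQube',
    [string]$ServiceName     = 'SonarQube',
    [string]$InstallScript   = 'bin\windows-x86-64\InstallNTService.bat',
    [string[]]$WritableDirs  = @('data', 'logs', 'temp')
)
$ErrorActionPreference = 'Stop'

function Invoke-Icacls {
    & icacls.exe @args | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed: $args" }
}

# Resolve the account to a SID so the ACL entries do not depend on name lookup or locale.
$account = $ServiceCredential.UserName
$sid = ([System.Security.Principal.NTAccount]$account).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

# 1. File copy: stop a running instance, then unpack over the install folder.
$existing = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if ($existing -and $existing.Status -ne 'Stopped') { Stop-Service -Name $ServiceName -Force }
New-Item -ItemType Directory -Path $InstallRoot -Force | Out-Null
Expand-Archive -Path $PackageZip -DestinationPath $InstallRoot -Force

# 2. Minimum folder permissions: drop inherited ACEs, give Administrators (S-1-5-32-544)
#    and SYSTEM (S-1-5-18) full control, and the service account read/execute only.
Invoke-Icacls $InstallRoot /inheritance:r /grant:r '*S-1-5-32-544:(OI)(CI)F' `
    '*S-1-5-18:(OI)(CI)F' "*${sid}:(OI)(CI)RX"
# Modify rights only where the server has to write.
foreach ($dir in $WritableDirs) {
    $path = Join-Path $InstallRoot $dir
    New-Item -ItemType Directory -Path $path -Force | Out-Null
    Invoke-Icacls $path /grant:r "*${sid}:(OI)(CI)M"
}

# 3. Service install: register once, then run it as the dedicated account, not LocalSystem.
if (-not $existing) { & (Join-Path $InstallRoot $InstallScript) | Out-Null }
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' was not registered" }
$result = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{
    StartName     = $account
    StartPassword = $ServiceCredential.GetNetworkCredential().Password
}
if ($result.ReturnValue -ne 0) { throw "Setting the logon account failed: $($result.ReturnValue)" }
Start-Service -Name $ServiceName
```

The account is assumed to already hold the "Log on as a service" right. If plugins are installed from the web UI, the server also needs write access under `extensions`, which can be added to `-WritableDirs`.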

@ganncamp and @cba, thanks for your feedback. @ganncamp, I will look at upgrading the SonarQube version to 8.9.6 LTS which is sensible for vulnerability issues.

@cba, thanks for your input in automating SonarQube. I understand that you’re doing the packing and installation through PowerShell scripts. However, we have a standard to use Automation Account DSC to package and install software. Therefore, Automation Account DSC prefers to use an EXE or MSI instead of bat files.

1 Like