feat: integrate SonarQube and bump version to 2.0.0

- Add SonarQube service to docker-compose.yml
- Implement SonarQubeManager for handling scans
- Update Engine to include SonarQube integration
- Add SonarQube configuration in config.py
- Bump version to 2.0.0 in pyproject.toml
- Add tests for SonarQube integration

Author: alanjoseph2004

docker/docker-compose.yml

@@ -22,5 +22,21 @@ services:
       - mobsf-data:/root/.MobSF
     restart: unless-stopped
 
+  sonarqube:
+    image: sonarqube:community
+    container_name: secuscan-sonarqube
+    ports:
+      - "9000:9000"
+    environment:
+      - SONAR_ES_BOOTSTRAP_CHECKS_DISABLE=true
+    volumes:
+      - sonarqube_data:/opt/sonarqube/data
+      - sonarqube_extensions:/opt/sonarqube/extensions
+      - sonarqube_logs:/opt/sonarqube/logs
+    restart: unless-stopped
+
 volumes:
   mobsf-data:
+  sonarqube_data:
+  sonarqube_extensions:
+  sonarqube_logs:

pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "secuscan"
-version = "1.1.3"
+version = "2.0.0"
 description = "A dual-platform static vulnerability scanner for Android and Web applications."
 readme = "README.md"
 authors = [

secuscan/core/config.py

@@ -22,6 +22,12 @@ def __init__(self):
         self.mobsf_api_key = None
         self.output_dir = "reports"
 
+        # SonarQube settings
+        self.sonar_url = "http://localhost:9000"
+        self.sonar_login = "admin"
+        self.sonar_password = "Secuscan@2026"
+        self.sonar_token = "squ_62e4d6fcedaa5e177e545cbb30eaf5e48259fe0f"
+        
         self.load_config()
         self.load_from_env()
         self._initialized = True
@@ -42,6 +48,13 @@ def load_config(self):
 
                         reports = yaml_config.get('reports', {})
                         self.output_dir = reports.get('output_dir', self.output_dir)
+                        
+                        # SonarQube config
+                        sonar = yaml_config.get('sonarqube', {})
+                        self.sonar_url = sonar.get('url', self.sonar_url)
+                        self.sonar_login = sonar.get('login', self.sonar_login)
+                        self.sonar_password = sonar.get('password', self.sonar_password)
+                        self.sonar_token = sonar.get('token', self.sonar_token)
             except Exception as e:
                 print(f"Warning: Failed to load config file: {e}") 
                 # raise ConfigError(f"Failed to load config file: {e}") from e
@@ -51,5 +64,9 @@ def load_from_env(self):
         self.debug = os.getenv("SECUSCAN_DEBUG", "false").lower() == "true"
         self.mobsf_url = os.getenv("MOBSF_URL", self.mobsf_url)
         self.mobsf_api_key = os.getenv("MOBSF_API_KEY", self.mobsf_api_key)
+        self.sonar_url = os.getenv("SONAR_URL", self.sonar_url)
+        self.sonar_login = os.getenv("SONAR_LOGIN", self.sonar_login)
+        self.sonar_password = os.getenv("SONAR_PASSWORD", self.sonar_password)
+        self.sonar_token = os.getenv("SONAR_TOKEN", self.sonar_token)
 
 config = Config()

secuscan/core/engine.py

@@ -5,6 +5,7 @@
 
 from secuscan.core.detection import detect_project_type, ProjectType
 from secuscan.core.docker_manager import DockerManager
+from secuscan.core.sonarqube_manager import SonarQubeManager
 from secuscan.scanners.factory import ScannerFactory
 from secuscan.scanners.secrets import SecretScanner
 
@@ -16,6 +17,7 @@ class ScanEngine:
     def __init__(self, target: str):
         self.target = target
         self.docker_manager = DockerManager()
+        self.sonarqube_manager = SonarQubeManager()
 
     def start(self):
         """Starts the vulnerability scan and returns findings."""
@@ -58,6 +60,17 @@ def start(self):
 
              results = scanner.scan()
 
+        # Run SonarQube Scan (Global)
+        if self.sonarqube_manager.is_available():
+            with console.status("[bold green]Running SonarQube Analysis...[/bold green]"):
+                try:
+                    self.sonarqube_manager.ensure_sonarqube()
+                    self.sonarqube_manager.run_scan(self.target)
+                except Exception as e:
+                    console.print(f"[yellow]Warning: SonarQube scan failed: {e}[/yellow]")
+        else:
+             console.print("[dim]Docker not available - skipping SonarQube scan.[/dim]")
+
         # Run Secret Scanner (Global)
         with console.status("[bold green]Scanning for Hardcoded Secrets...[/bold green]"):
             secret_scanner = SecretScanner(self.target)
@@ -66,14 +79,4 @@ def start(self):
                 console.print(f"[bold red]Found {len(secret_results)} potential secrets![/bold red]")
                 results.extend(secret_results)
 
-        # 4. Report Results (Handled by Caller/CLI via Reporter, or return results for CLI to handle)
-        # Actually, refactoring plan said Engine should delegate. 
-        # But CLI needs to pass format options. 
-        # Better design: Engine returns results. CLI handles reporting.
-        # However, to keep 'start()' API simple for now, let's accept format/output in start() or __init__.
-        
-        # Let's return results here so CLI can decide what to do.
-        # Wait, start() current logic does printing.
-        # Let's change start() to return List[Vulnerability] and print nothing (or minimal).
-        
         return results

secuscan/core/sonarqube_manager.py

@@ -0,0 +1,167 @@
+"""SonarQube Manager - Handles SonarQube container and scanning operations."""
+
+import docker
+import time
+import requests
+import os
+from typing import Optional
+from rich.console import Console
+from secuscan.core.config import config
+
+console = Console()
+
+
+class SonarQubeManager:
+    """Manages SonarQube container interactions and scanning."""
+    
+    SONARQUBE_IMAGE = "sonarqube:community"
+    SCANNER_IMAGE = "sonarsource/sonar-scanner-cli:latest"
+    CONTAINER_NAME = "secuscan-sonarqube"
+    
+    def __init__(self):
+        try:
+            self.client = docker.from_env()
+            self._available = True
+        except docker.errors.DockerException:
+            self.client = None
+            self._available = False
+
+    def is_available(self) -> bool:
+        """Checks if Docker daemon is running and accessible."""
+        if not self._available:
+            return False
+            
+        try:
+            self.client.ping()
+            return True
+        except docker.errors.DockerException:
+            return False
+
+    def pull_image(self, image_name: str):
+        """Pulls a Docker image if not present."""
+        if not self.is_available():
+            return
+
+        try:
+            self.client.images.get(image_name)
+            console.print(f"[green]Image {image_name} found locally.[/green]")
+        except docker.errors.ImageNotFound:
+            console.print(f"[yellow]Pulling {image_name}...[/yellow]")
+            with console.status(f"[bold green]Downloading {image_name}... This may take a while..."):
+                self.client.images.pull(image_name)
+            console.print("[green]Image pulled successfully.[/green]")
+
+    def is_container_running(self) -> bool:
+        """Checks if the SonarQube container is currently running."""
+        if not self.is_available():
+            return False
+            
+        try:
+            container = self.client.containers.get(self.CONTAINER_NAME)
+            return container.status == "running"
+        except docker.errors.NotFound:
+            return False
+
+    def start_sonarqube(self):
+        """Starts the SonarQube container."""
+        if not self.is_available():
+            raise RuntimeError("Docker is not available.")
+
+        # Ensure image is pulled
+        self.pull_image(self.SONARQUBE_IMAGE)
+
+        if self.is_container_running():
+            console.print("[green]SonarQube container is already running.[/green]")
+            return
+
+        console.print("[yellow]Starting SonarQube container...[/yellow]")
+        try:
+            # Check if stopped container exists and remove it
+            try:
+                old_container = self.client.containers.get(self.CONTAINER_NAME)
+                old_container.remove(force=True)
+            except docker.errors.NotFound:
+                pass
+
+            self.client.containers.run(
+                self.SONARQUBE_IMAGE,
+                name=self.CONTAINER_NAME,
+                ports={'9000/tcp': 9000},
+                environment={"SONAR_ES_BOOTSTRAP_CHECKS_DISABLE": "true"},
+                volumes={
+                    'sonarqube_data': {'bind': '/opt/sonarqube/data', 'mode': 'rw'},
+                    'sonarqube_extensions': {'bind': '/opt/sonarqube/extensions', 'mode': 'rw'},
+                    'sonarqube_logs': {'bind': '/opt/sonarqube/logs', 'mode': 'rw'}
+                },
+                detach=True
+            )
+            console.print("[green]SonarQube container started on port 9000.[/green]")
+            self.wait_for_sonarqube()
+            
+        except Exception as e:
+            console.print(f"[bold red]Failed to start SonarQube container: {e}[/bold red]")
+            raise
+
+    def wait_for_sonarqube(self, timeout: int = 180):
+        """Waits for SonarQube API to become available."""
+        start_time = time.time()
+        
+        with console.status("[bold green]Waiting for SonarQube to initialize (this may take 1-2 minutes)...") as status:
+            while time.time() - start_time < timeout:
+                try:
+                    response = requests.get(
+                        f"{config.sonar_url}/api/system/status",
+                        timeout=5
+                    )
+                    if response.status_code == 200:
+                        data = response.json()
+                        if data.get("status") == "UP":
+                            console.print("[green]SonarQube is ready![/green]")
+                            return
+                except requests.exceptions.RequestException:
+                    pass
+                time.sleep(3)
+        
+        raise TimeoutError("SonarQube failed to start within the timeout period.")
+
+    def ensure_sonarqube(self):
+        """Ensures SonarQube is running and ready."""
+        if not self.is_available():
+            raise RuntimeError("Docker is not available.")
+             
+        self.start_sonarqube()
+
+    def run_scan(self, target_dir: str):
+        """Runs the SonarQube scanner on the target directory."""
+        if not self.is_available():
+            raise RuntimeError("Docker is not available.")
+
+        target_dir = os.path.abspath(target_dir)
+        self.pull_image(self.SCANNER_IMAGE)
+        
+        console.print(f"[yellow]Running SonarQube Scan on {target_dir}...[/yellow]")
+        
+        try:
+            # Run sonar-scanner container linked to SonarQube
+            self.client.containers.run(
+                self.SCANNER_IMAGE,
+                remove=True,
+                volumes={target_dir: {'bind': '/usr/src', 'mode': 'rw'}},
+                environment={
+                    'SONAR_HOST_URL': f'http://{self.CONTAINER_NAME}:9000',
+                    'SONAR_TOKEN': config.sonar_token,
+                } if config.sonar_token else {
+                    'SONAR_HOST_URL': f'http://{self.CONTAINER_NAME}:9000',
+                    'SONAR_LOGIN': config.sonar_login,
+                    'SONAR_PASSWORD': config.sonar_password
+                },
+                links={self.CONTAINER_NAME: self.CONTAINER_NAME},
+                command=['-Dsonar.projectKey=secuscan_project', '-Dsonar.sources=.', '-Dsonar.java.binaries=.']
+            )
+            console.print("[green]SonarQube Scan completed successfully.[/green]")
+            console.print(f"Results available at: {config.sonar_url}/dashboard?id=secuscan_project")
+            
+        except docker.errors.ContainerError as e:
+            console.print(f"[bold red]SonarQube Scanner failed: {e}[/bold red]")
+        except Exception as e:
+            console.print(f"[bold red]Error running SonarQube scan: {e}[/bold red]")

tests/test_sonarqube.py

@@ -0,0 +1,88 @@
+"""Tests for SonarQube manager."""
+
+import pytest
+from unittest.mock import MagicMock, patch
+from secuscan.core.sonarqube_manager import SonarQubeManager
+import docker
+
+
+@pytest.fixture
+def mock_docker_client():
+    """Fixture to mock Docker client."""
+    with patch('docker.from_env') as mock_env:
+        mock_client = MagicMock()
+        mock_env.return_value = mock_client
+        yield mock_client
+
+
+def test_sonarqube_available(mock_docker_client):
+    """Test SonarQube manager when Docker is available."""
+    manager = SonarQubeManager()
+    assert manager.is_available() is True
+
+
+def test_sonarqube_not_available():
+    """Test SonarQube manager when Docker is not available."""
+    with patch('docker.from_env', side_effect=docker.errors.DockerException):
+        manager = SonarQubeManager()
+        assert manager.is_available() is False
+
+
+def test_pull_image(mock_docker_client):
+    """Test image pulling when image is not found locally."""
+    manager = SonarQubeManager()
+    mock_docker_client.images.get.side_effect = docker.errors.ImageNotFound("msg")
+    
+    manager.pull_image("test:image")
+    
+    mock_docker_client.images.pull.assert_called_with("test:image")
+
+
+def test_is_container_running_true(mock_docker_client):
+    """Test container running check when container is running."""
+    manager = SonarQubeManager()
+    mock_docker_client.containers.get.return_value.status = "running"
+    
+    assert manager.is_container_running() is True
+
+
+def test_is_container_running_false(mock_docker_client):
+    """Test container running check when container is not found."""
+    manager = SonarQubeManager()
+    mock_docker_client.containers.get.side_effect = docker.errors.NotFound("msg")
+    
+    assert manager.is_container_running() is False
+
+
+def test_start_sonarqube_already_running(mock_docker_client):
+    """Test starting SonarQube when it's already running."""
+    manager = SonarQubeManager()
+    mock_docker_client.containers.get.return_value.status = "running"
+    
+    manager.start_sonarqube()
+    
+    mock_docker_client.containers.run.assert_not_called()
+
+
+def test_start_sonarqube_not_running(mock_docker_client):
+    """Test starting SonarQube when it's not running."""
+    manager = SonarQubeManager()
+    mock_docker_client.containers.get.side_effect = docker.errors.NotFound("msg")
+    
+    with patch.object(manager, 'wait_for_sonarqube'):
+        manager.start_sonarqube()
+        
+    mock_docker_client.containers.run.assert_called_once()
+    assert mock_docker_client.containers.run.call_args[1]['name'] == 'secuscan-sonarqube'
+
+
+def test_run_scan(mock_docker_client):
+    """Test running a SonarQube scan."""
+    manager = SonarQubeManager()
+    
+    manager.run_scan("/tmp/scan_target")
+    
+    mock_docker_client.containers.run.assert_called()
+    call_args = mock_docker_client.containers.run.call_args
+    assert call_args[0][0] == manager.SCANNER_IMAGE
+    assert "SONAR_HOST_URL" in call_args[1]['environment']