Code analysis changes if SonarQube full analysis report enabled in VSTS - sonarqube

I've been setting up SonarQube analysis for one of our builds in VSTS, and I've noticed that there's a difference in the code analysis / build warnings if the advanced option "include full analysis report in build summary" is enabled in VSTS.
We have a custom ruleset enabled for our local builds in Visual Studio, which combines Microsoft CodeAnalysis warnings and StyleCop analyzers. When we run the build in VSTS with the full analysis report setting enabled, these warnings don't show up, and only the SonarQube warnings are displayed. I thought this was expected for all builds using SonarQube, as mentioned here in the link below.
https://docs.sonarqube.org/display/SCAN/Analyzing+with+SonarQube+Extension+for+VSTS-TFS#AnalyzingwithSonarQubeExtensionforVSTS-TFS-Note
However, if we disable this setting, we get additional SonarQube warnings, but the Microsoft and StyleCop warnings also show up.
Can anyone explain why the two behaviors are different? Ideally, we'd like warnings from Microsoft, StyleCop and SonarQube to show up, AND for the build to include the full analysis report - is there any way to do this?
I'm using SonarQube v6.7.1.35068, SonarC# v6.7.1 (build 4347), and v3.* of the VSTS SonarQube task.

The "Include full analysis report in build summary" setting doesn't change the ruleset or analyzers that are run during the analysis. All it does is cause the End task to poll the SonarQube server until the server-side part of the analysis has completed, so that it can show the final analysis results on the VSTS build summary page.
To work out what is different between the builds you could try enabling more verbose logging:
for SonarQube, set the Additional Settings property of the VSTS Begin task to /d:sonar.verbose=true
for VSTS, set the system.debug build variable to true
You're right, the Begin task does limit the analyzers and rules that are run to those that are configured on the SonarQube server.
To have the Microsoft FxCop rules run as part of the analysis you would install the FxCop plugin for SonarQube and include its rules in your Quality Profile.
To run the StyleCop rules (assuming you're using the new Roslyn-based StyleCop analyzers) you would first have to create a SonarQube plugin for it using the SonarQube Roslyn SDK, then install the plugin and add the rules to the Quality Profile.

First, the "Include full analysis report in build summary" setting shouldn't affect the result in the Issues section of the build summary; it is used to upload the report to the build summary, and the result is shown at the bottom of the build summary (below the "Work items linked to associated changes" section).
Secondly, the Issues section of the build summary can't show all analysis results, just part of them.
You can upload the result files to build through Logging Command (e.g. Write-Host "##vso[task.addattachment type=Distributedtask.Core.Summary;name=testsummaryname;]c:\testsummary.md") and it will show in the bottom of build summary (The sonarqube task uses this way too).
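The attachment route described in the answer above is what the SonarQube task itself uses, and it is also the way to get the Microsoft CodeAnalysis and StyleCop warnings from the first question onto the build summary page regardless of the report setting. The script below is an added example, not code from the original page or from Microsoft or SonarSource: it parses MSBuild warning lines, deduplicates the repeats MSBuild prints in its summary block, groups them by analyzer family, writes a Markdown file, and emits the `##vso[task.addattachment ...]` logging command from the answer. The sample log is constructed, and the mapping from rule-ID prefix (CA, SA, S, CS) to analyzer family is an assumption for illustration.

```python
import os
import re
import tempfile
from collections import defaultdict

# Constructed sample MSBuild output (not from the original page). It mixes
# Microsoft CodeAnalysis (CA), StyleCop (SA), SonarC# (S) and compiler (CS)
# warnings, and repeats one line the way MSBuild does in its warning summary.
SAMPLE_LOG = """\
Build started.
C:\\src\\App\\Program.cs(12,9): warning CA1062: Validate arguments of public methods [C:\\src\\App\\App.csproj]
C:\\src\\App\\Program.cs(3,1): warning SA1200: Using directive should appear within a namespace declaration [C:\\src\\App\\App.csproj]
C:\\src\\App\\Service.cs(40,17): warning S1481: Remove the unused local variable 'tmp'. [C:\\src\\App\\App.csproj]
C:\\src\\App\\Service.cs(55,5): warning CS0168: The variable 'e' is declared but never used [C:\\src\\App\\App.csproj]
C:\\src\\App\\Program.cs(12,9): warning CA1062: Validate arguments of public methods [C:\\src\\App\\App.csproj]
Build succeeded.
"""

# Canonical MSBuild diagnostic line: <file>(<line>,<col>): warning <ID>: <message> [<project>]
WARNING_RE = re.compile(
    r"^(?P<file>.+?)\((?P<line>\d+),(?P<col>\d+)\): warning "
    r"(?P<id>[A-Z]+\d+): (?P<msg>.*?)(?: \[.*\])?$"
)

# Assumed mapping from rule-ID prefix to the analyzer family that emits it.
ANALYZER_BY_PREFIX = {
    "CA": "Microsoft CodeAnalysis",
    "SA": "StyleCop",
    "S": "SonarC#",
    "CS": "C# compiler",
}


def analyzer_for(rule_id):
    """Map a diagnostic ID such as SA1200 to its analyzer family."""
    prefix = re.match(r"[A-Z]+", rule_id).group(0)
    return ANALYZER_BY_PREFIX.get(prefix, "Other")


def parse_warnings(log_text):
    """Extract unique warnings from MSBuild output as a list of dicts."""
    seen = set()
    warnings = []
    for line in log_text.splitlines():
        m = WARNING_RE.match(line.strip())
        if not m:
            continue
        key = (m["file"], m["line"], m["col"], m["id"])
        if key in seen:  # MSBuild repeats warnings in its summary block
            continue
        seen.add(key)
        warnings.append({
            "file": m["file"], "line": int(m["line"]), "col": int(m["col"]),
            "id": m["id"], "msg": m["msg"], "analyzer": analyzer_for(m["id"]),
        })
    return warnings


def render_summary(warnings):
    """Render the warnings as Markdown, grouped by analyzer family."""
    by_analyzer = defaultdict(list)
    for w in warnings:
        by_analyzer[w["analyzer"]].append(w)
    lines = [f"# Build analysis warnings ({len(warnings)})", ""]
    for analyzer in sorted(by_analyzer):
        group = by_analyzer[analyzer]
        lines.append(f"## {analyzer} ({len(group)})")
        for w in sorted(group, key=lambda x: (x["file"], x["line"], x["col"])):
            name = os.path.basename(w["file"].replace("\\", "/"))
            lines.append(f"- {w['id']} `{name}:{w['line']}` {w['msg']}")
        lines.append("")
    return "\n".join(lines)


def attach_command(summary_path, name="AnalysisWarnings"):
    """Logging command that attaches a Markdown file to the VSTS build summary."""
    return (f"##vso[task.addattachment type=Distributedtask.Core.Summary;"
            f"name={name};]{summary_path}")


if __name__ == "__main__":
    summary = render_summary(parse_warnings(SAMPLE_LOG))
    path = os.path.join(tempfile.gettempdir(), "analysis-warnings.md")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(summary)
    print(summary)
    print(attach_command(path))  # the agent reads this command from stdout
```

In a real pipeline you would feed the script the saved MSBuild log (or pipe the build step's output into it) as a step after the build; the agent only honours the `##vso` command when it appears on the step's standard output.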

Related

Ignoring Code Smell Violations in Sonar lint Visual Studio C#

I have installed the SonarLint extension for Visual Studio 2019, and according to the project I am working on, it is not required to fix the Code Smell violations.
So is there a way that I can ignore the code smell violations using SonarLint in VS2019?
Please note that we are using SonarLint in connected mode with a SonarQube server.
Connected mode is designed to configure the IDE to use the same set of rules as are configured in your Quality Profile on the SonarQube server, so if the code smell rules are part of your Quality Profile then they will be enabled in the IDE too.
If you don't want to see those issues reported in the IDE then you could either remove those rules from the Quality Profile, or use standalone mode and configure the set of rules to run locally as described here.
After doing some tweaks in Visual Studio I was able to add the Category column to the Sonar output window and, using that, filter out the Sonar issues other than code smells.

How can I run all sonar rules on intellij

We are using SonarQube version 6.7. I would like to execute all Sonar bug and vulnerability Java rules with blocker and critical severity locally in my IntelliJ IDEA. I want to run these rules on multiple IDEA projects that are configured in my IDE.
I have installed the SonarLint plugin (version 3.2) and configured it to bind to the Sonar server. On running the analysis from the "Project Files" tab I get errors for all iml files as:
"File 'feature.iml' can't be analyzed. Skipping: F:/modules/feature.iml"
My goal is to identify all sonar rules that are failing on my projects so that I can activate them on the sonar server for periodic runs as part of CI. To get started I thought of starting with blocker and critical vulnerabilities.
Could someone guide me on this?
You should activate all rules with the desired severity in the quality profile assigned to your project in SonarQube. Then you can bind your project in IntelliJ to the project in SonarQube. SonarLint will use the same quality profile.
About the iml files, it's not an error. SonarLint will exclude certain files from analysis that don't make sense to be analyzed, such as binary files.

Run Code Analyzers in VSTS project build

In VSTS (hosted TFS) I have a build definition which uses MSBuild. What I would really like is to have pull requests annotated with any rule violation detections. However, I can't get the analyzers to work at all. What I've done so far:
Installed Microsoft.CodeAnalysis.FxCopAnalyzers in one of the projects that gets built.
Verified that running "Analyze Code" in Visual Studio does output rule violations.
All the *.ruleset files are not available on the self-hosted build agent, as it only has MSBuild installed (no full-fledged Visual Studio). For the same project as in point 1, I've also used a custom ruleset.
I have also built the project on a hosted build agent (which has VS2017 installed), but also to no avail.
With all of the above, the build log / build overview in VSTS doesn't list any rule violations. It's my understanding that the code analysis should be run automatically and the output should appear on the build overview page (i.e. https://MYSITE.visualstudio.com/MYPROJECT/_build/index?buildId=XXX&_a=summary&tab=details).
The Code Analysis setting is based on the configuration and platform, so you need to make sure you build the project with the same configuration and platform that enabled code analysis on build.
You could also specify it in the MSBuild Arguments of the MSBuild task:
/p:RunCodeAnalysis=true;CodeAnalysisRuleSet=..\RuleSets\MyMixedRecommendedRules.ruleset

How TFS 2015 agent assign coverage results to SonarQube Scanner for MSBuild?

I am trying to reproduce the steps that a TFS agent performs with the SonarQube Scanner for MSBuild.
I am not able to locate where the agent injects the name of the coverage results file. The documentation states that a coverage file should be parsed to an XML file, but digging into the PowerShell of the SonarQubePostTest task there is no call to codecoverage.exe, nor a setting for the sonar.cs.vscoveragexml.reportsPaths variable.
How does the TFS 2015 agent assign coverage results to the SonarQube Scanner for MSBuild, so that I can manually reproduce the agent's call?
P.S.
I am using a vNext build definition; it is the compilation of some C# DLL projects, and after the build a set of tests is run using VS Test.
There should be a SonarQube begin analysis task before msbuild and a SonarQube end analysis task after msbuild.
The completed Begin Analysis definition is just some configuration to connect to the SonarQube server.
The End Analysis task should be used to create a step that is executed after the "Visual Studio Test" task step if you want SonarQube to show code coverage data. In any case, it should be run after the "Visual Studio Build" step. The End Analysis task finalizes the analysis (computation of the clones, metrics, and analysis for languages other than .NET), and sends the analysis results to the SonarQube server.
For more details, please see this MSDN blog: Build Tasks for SonarQube Analysis

Teamcity reporting of Visual Studio warnings

The teamcity Visual Studio build runner does not seem to report warnings in a meaningful way (other than the log).
Is there an easy way to get TeamCity to report the warnings?
I've found:
http://blogs.lessthandot.com/index.php/EnterpriseDev/application-lifecycle-management/displaying-net-build-warnings-in
but I wonder if I'm missing a more straightforward solution.
One option is to use the "Inspections (.NET)" Build Step as ReSharper Code Inspections include compiler warnings.
Should you and your teammates be using ReSharper locally, you can also set a "Custom settings profile path" in the Build Step's advanced settings, i.e. use a committed ReSharper settings file, so as not to get any unexpected warnings in CI versus those found when working locally.
For each build result you'll have the total number of inspections (warnings) in the build status text, and also a "Code Inspection" tab where the inspections are categorized and you can drill into the .cs files in question.
Like any metric change, you can also configure the build to fail if the number of inspections goes above a specified amount or goes up by a specified amount versus a previous build.
