Is there any way to feed Visual Studio static analysis on a C++ code base into Sonar?
Thanks
Did you check out the VSSonarExtension? Some hints on how to use it you can find here.
Update:
The other way around there may be a plugin by jmecosta called VSSonarAddin. One of its features is "c++, runs local analysis with cppcheck and reports violations added by local changes."
You can find the project on github.
The Community C++ Plugin supports feeding compiler warnings as violations into SonarQube. You usually need to build your code with code analysis enabled and later you can use that data during SonarQube analysis. See here for more details!
I installed the SonarLint extension for Visual Studio and connected successfully to our SonarQube server and successfully ran Code Analysis to display sonar issues in VS. So it was working OK but for some reason I am now no longer getting any sonar Sxxx warnings and instead now see the following 2 warnings:
> Warning CA0507 Post-build Code Analysis (FxCopCmd.exe) has been
> deprecated in favor of FxCop analyzers, which run during build. Refer
> to https://aka.ms/fxcopanalyzers to migrate to FxCop analyzers.
>
> Warning CA0064 : No analysis was performed because the
> specified rule set could not be loaded or did not contain any managed
> code analysis rules.
But I am not using FxCop and I am not aware of having done anything to turn it on.
If I check one rule inside "Managed Binary Analysis" the CA0064 warning will go away, but CA0507 remains and still no sonar Sxxx warnings.
The "Run Code Analysis" menu items only apply to the legacy FxCop rules. You don't need to use those menu items for Roslyn-based analyzers (like the C# and VB.NET rules in SonarLint) - Visual Studio will automatically trigger the analysis in the background. See the Microsoft docs for more info.
If you are not seeing Sxxx issues being reported there are a couple of things to look at:
Check whether you have the Enable full solution analysis option checked. If not, VS will only report issues in open files.
You've connected the solution to your SonarQube server so SonarLint will have generated a ruleset based on the Quality Profile. The ruleset will be in the solution-level .sonarlint folder. Check whether the rules you are expecting to report issues are enabled in the ruleset file. If not, update the Quality Profile on the server then close and re-open the solution. SonarLint will detect that the Quality Profile has changed and prompt you to update it.
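One way to do the ruleset check above, as an added example that is not from the thread: parse the .ruleset file SonarLint writes into the .sonarlint folder and list the Sxxx ids that are either absent or switched off with Action="None". The embedded ruleset, its analyzer id and its rule ids are constructed sample values, not a real Quality Profile.

```python
"""Check which Sonar Sxxx rules a SonarLint-generated .ruleset actually enables.

Added example, not from the thread. The ruleset XML below is constructed
to mimic the file SonarLint writes into the solution-level .sonarlint
folder; the rule ids in it are sample values, not a real Quality Profile.
"""
import xml.etree.ElementTree as ET

# Constructed sample: two rules enabled, one explicitly disabled.
SAMPLE_RULESET = """<?xml version="1.0" encoding="utf-8"?>
<RuleSet Name="Sonar way" Description="Generated by SonarLint" ToolsVersion="14.0">
  <Rules AnalyzerId="SonarAnalyzer.CSharp" RuleNamespace="SonarAnalyzer.CSharp">
    <Rule Id="S1067" Action="Warning" />
    <Rule Id="S2068" Action="Error" />
    <Rule Id="S101" Action="None" />
  </Rules>
</RuleSet>
"""

# Visual Studio treats Action="None" as "rule switched off"; every other
# action (Hidden, Info, Warning, Error) still runs the analyzer rule.
DISABLED_ACTIONS = {"None"}


def parse_ruleset(xml_text):
    """Return {rule_id: action} for every <Rule> element in the ruleset."""
    root = ET.fromstring(xml_text)
    actions = {}
    for rules in root.iter("Rules"):
        for rule in rules.iter("Rule"):
            actions[rule.get("Id")] = rule.get("Action")
    return actions


def rules_not_reporting(xml_text, expected_ids):
    """Return the expected rule ids that will never produce an issue:
    either absent from the ruleset or present with Action="None"."""
    actions = parse_ruleset(xml_text)
    return sorted(
        rid for rid in expected_ids
        if rid not in actions or actions[rid] in DISABLED_ACTIONS
    )


if __name__ == "__main__":
    # In practice, read the generated .ruleset from the .sonarlint folder
    # instead of the constructed sample.
    print(rules_not_reporting(SAMPLE_RULESET, ["S1067", "S101", "S3776"]))
```

An id that shows up in the result is the one to enable in the Quality Profile on the server before closing and re-opening the solution.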
Try to compile the project again. With the first compilation these errors will appear, but with the second compilation probably not.
No idea why, but it worked for me.
Is it possible to analyze a C# project using Sonar-runner with sonar-c#-plugin-4.2? I saw the MSBuild SonarQube Runner to be used for C# analysis in the documentation.
Does sonar-runner support C# analysis on SonarQube 5 with C# 4.2?
The use of the sonar-runner is no longer supported to analyze C# projects. Indeed, analysis through the MSBuild SonarQube Runner will be of much higher quality because it fully integrates with MSBuild and knows everything about your project, and at the same time is also much easier to set up, again because most manual configuration required before is now obtained through MSBuild itself.
At least I managed to run the analysis with the sonar-runner. I consider the new begin-build-end workflow with MSBuild SonarQube Runner a bit complicated while using Jenkins and having plenty of existing scripts in play at least. Or I could not get it working due to slightly TFS-oriented documentation with Visual Studio command prompt being also involved.
I finally, after intensive googling, got the analysis running with my Visual Studio Pro + Jenkins + OpenCover + MSTest + NUnit combination by defining the below properties in "Invoke Standalone SonarQube Analysis" in the Jenkins job. I still do not know how to separate integration tests from unit tests. It does not say anywhere whether this is even supported for C# projects.
The workflow is that I first build everything, then run OpenCover to collect results with coverage and then invoke the runner. The below properties can of course be in a file in the root folder of the project as well, but in my initial proof of concept I set these in the Jenkins plugin.
sonar.projectName=projectname
sonar.projectKey=key
sonar.projectVersion=1.1
sonar.visualstudio.enable=true
sonar.language=cs
sonar.sources=.
sonar.dotnet.visualstudio.solution.file=code.sln
#not sure if the line below is correct or relevant...
sonar.dotnet.visualstudio.testProjectPattern=*Test
#two frameworks producing tests.
sonar.cs.vstest.reportsPaths=relativepath/results.trx
sonar.cs.nunit.reportsPaths=relativepath/testresults.xml
sonar.cs.opencover.reportsPaths=1.xml,2.xml
I have a solution in Visual Studio 2013 (c# code) that has a reference to a third-party assembly that I added with NuGet (ICSharpCode.SharpZipLib). When I run the "Code Analysis" on the solution I get lots of warnings coming from the third-party assembly. How do I tell VS that I only want code analysis advice from my code?
I'm pretty sure the errors are coming from the library itself and not my usage of it. There are a total of 32 issues e.g.
CA2237: Mark ISerializable types with SerializableAttribute.
I am using ILMerge to bundle into a single executable; do you think that has confused the code analysis?
There is no way to tell FxCop to ignore namespaces or types in your code if it lives in the same binaries. When using ILMerge, the SharpZipLib essentially becomes part of your code, as it's merged into your assembly.
To get proper results, run FxCop on the assembly that's generated before the merge.
Other solutions will mention putting a [GeneratedCode] attribute on classes you want excluded, but ILMerge has no option to do that while merging, so that won't help you out.
In Visual Studio 2015 Code Analysis works on the source code using the new Roslyn engine, which will probably solve the issue, as it does the analysis even before compilation and as such will not be impacted by your use of ILMerge.
I have a set of rules defined for Visual Studio Code Analysis and I also configured them in Sonar (http://www.sonarqube.org/). I get different results.
Why?
Code Analysis uses FxCop? In Sonar I can configure FxCop.
Well, the reason is simple: these are different tools, with different features and capabilities...
In SonarQube, you can configure the quality profile (= rule set) that you want to apply on your project when you analyse it. This rule set is probably very different from the one available in Visual Studio Code Analysis.
I live in Visual Studio with Resharper.
What free plug-ins should I get for Eclipse to get me to the same level as I am used to in VS with Resharper?
I have found Eclipse to have many of the Resharper features built in, but don't want to be missing great productivity tools.
Eclipse indeed already ships with decent built-in refactoring and static code analysis capabilities. However, there are several plugins available which improve static code analysis, the popular ones being FindBugs and PMD. They will report potential programming bugs. Further, there's also a static code style checker plugin, CheckStyle, which will report potential programming style flaws which may not necessarily lead to runtime errors, but rather to maintainability problems.
Related questions:
Recommended Eclipse plugins for source code analysis
Generally recommended Eclipse plugins
Hidden features of Eclipse