What is the difference between code analysis and sonar? - sonarqube

I have a set of rules defined for Visual Studio Code Analysis, and I also configured them in Sonar (http://www.sonarqube.org/). I get different results.
Why?
Does Code Analysis use FxCop? In Sonar I can configure FxCop.

Well, the reason is simple: these are different tools, with different features and capabilities...
In SonarQube, you can configure the quality profile (= rule set) that you want to apply on your project when you analyse it. This rule set is probably very different from the one available in Visual Studio Code Analysis.

Related

Visual Studio SonarLint extension connected to SonarQube is generating warnings CA0507 and CA0064 and no sonar Sxxx warnings

I installed the SonarLint extension for Visual Studio and connected successfully to our SonarQube server and successfully ran Code Analysis to display sonar issues in VS. So it was working OK but for some reason I am now no longer getting any sonar Sxxx warnings and instead now see the following 2 warnings:
> Warning CA0507 Post-build Code Analysis (FxCopCmd.exe) has been
> deprecated in favor of FxCop analyzers, which run during build. Refer
> to https://aka.ms/fxcopanalyzers to migrate to FxCop analyzers.
>
> Warning CA0064 : No analysis was performed because the
> specified rule set could not be loaded or did not contain any managed
> code analysis rules.
But I am not using FxCop and I am not aware of having done anything to turn it on.
If I check one rule inside "Managed Binary Analysis" the CA0064 warning will go away, but CA0507 remains and still no sonar Sxxx warnings.
The "Run Code Analysis" menu items only apply to the legacy FxCop rules. You don't need to use those menu items for Roslyn-based analyzers (like the C# and VB.NET rules in SonarLint) - Visual Studio will automatically trigger the analysis in the background. See the Microsoft docs for more info.
If you are not seeing Sxxx issues being reported there are a couple of things to look at:
Check whether you have the Enable full solution analysis option checked. If not, VS will only report issues in open files.
You've connected the solution to your SonarQube server so SonarLint will have generated a ruleset based on the Quality Profile. The ruleset will be in the solution-level .sonarlint folder. Check whether the rules you are expecting to report issues are enabled in the ruleset file. If not, update the Quality Profile on the server then close and re-open the solution. SonarLint will detect that the Quality Profile has changed and prompt you to update it.
Try to compile the project again. On the first compilation these errors will appear, but on the second compilation probably not.
No idea why, but it worked for me.

Why are some SonarQube rules not present in SonarLint in Visual Studio

I didn't understand the difference below between SonarLint and SonarQube.
Is my SonarLint configuration missing?
See the screenshot below:
Compare rules from SonarQube to SonarLint
Thanks folks!
For C# code, both SonarLint for VS ("SLVS") and the Scanner for MSBuild ("S4MSB") use the SonarC# Roslyn analyser.
SLVS uses the version of SonarC# embedded in the VSIX; S4MSB uses the version embedded in the SonarQube SonarC# plugin. You might see slightly different sets of issues being reported if different versions of the SonarC# analyser are being used as the analyser is under active development (e.g. new rules being added, false-positives and bugs being fixed).
A more common source of differences is the configuration of the set of rules to be run.
The same default set of rules is used by both SLVS and SonarQube, but this is configurable. In SonarQube, rules configuration is done using Quality Profiles. In VS, it is done using the standard VS ruleset mechanism.
The rule S1244 in your screenshot is disabled by default, so my guess is that your SonarQube project is using a customised Quality Profile that has enabled the rule.
If you are using SLVS in "standalone mode" (i.e. independently of SonarQube/SonarCloud), you'd configure the rules you want to run using rulesets.
If you have a project on SonarQube/SonarCloud and want to use the same set of rules locally in SLVS, you can use "connected mode" to link your VS solution to your SonarQube/SonarCloud project from the Team Explorer in VS. SLVS will generate a ruleset from the Quality Profile and configure the projects in your solution to use the generated ruleset.
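Both answers above come down to the same check: which rules does the SonarLint-generated ruleset in the `.sonarlint` folder actually enable, and which rules does the server's Quality Profile enable? The script below is an added example (not code from SonarSource or from either answer) that parses both files and lists the rules only one side runs, which is exactly the situation with S1244 described above. It assumes the Visual Studio `.ruleset` XML format (`<Rules AnalyzerId=...><Rule Id=... Action=.../>`) and the XML that SonarQube's Quality Profile "Back up" action produces (`<profile><rules><rule><repositoryKey>...<key>...`); both sample documents embedded in it are constructed for the example.

```python
"""Compare the rules a SonarQube Quality Profile enables with the rules a
Visual Studio .ruleset enables, to explain why SonarLint and the server
report different sets of issues.

Added example, not code from SonarSource or from the answers above.
Assumed formats: the VS RuleSet XML and the SonarQube Quality Profile backup XML.
"""
import xml.etree.ElementTree as ET

# Constructed sample: a ruleset such as SonarLint generates under .sonarlint/
# (S1244 left at its default "None", i.e. not run in VS).
SAMPLE_RULESET = """<?xml version="1.0" encoding="utf-8"?>
<RuleSet Name="MyProject (connected)" Description="Generated from Quality Profile" ToolsVersion="14.0">
  <Rules AnalyzerId="SonarAnalyzer.CSharp" RuleNamespace="SonarAnalyzer.CSharp">
    <Rule Id="S1118" Action="Warning" />
    <Rule Id="S1244" Action="None" />
    <Rule Id="S2068" Action="Warning" />
  </Rules>
</RuleSet>
"""

# Constructed sample: a Quality Profile backup in which S1244 was enabled by hand.
SAMPLE_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<profile>
  <name>Custom way</name>
  <language>cs</language>
  <rules>
    <rule><repositoryKey>csharpsquid</repositoryKey><key>S1118</key><priority>MAJOR</priority></rule>
    <rule><repositoryKey>csharpsquid</repositoryKey><key>S1244</key><priority>MAJOR</priority></rule>
    <rule><repositoryKey>csharpsquid</repositoryKey><key>S3900</key><priority>MINOR</priority></rule>
  </rules>
</profile>
"""

# A VS ruleset action of "None" switches the rule off; Hidden/Info/Warning/Error all run it.
DISABLED_ACTIONS = {"None"}


def ruleset_enabled_rules(xml_text: str) -> dict:
    """Return {rule id: action} for every rule the .ruleset actually turns on."""
    root = ET.fromstring(xml_text)
    enabled = {}
    for rules in root.iter("Rules"):          # one <Rules> element per analyzer
        for rule in rules.iter("Rule"):
            action = rule.get("Action", "None")
            if action not in DISABLED_ACTIONS:
                enabled[rule.get("Id")] = action
    return enabled


def profile_enabled_rules(xml_text: str, repository: str = "csharpsquid") -> dict:
    """Return {rule key: priority} for rules active in a Quality Profile backup.

    Only rules from the given repository are considered, so rules of other
    analyzers in a mixed profile do not show up as "server only".
    """
    root = ET.fromstring(xml_text)
    enabled = {}
    for rule in root.iter("rule"):
        if rule.findtext("repositoryKey") == repository:
            enabled[rule.findtext("key")] = rule.findtext("priority", "")
    return enabled


def diff_rules(ruleset_xml: str, profile_xml: str) -> dict:
    """Bucket rule ids into: run only on the server, run only in VS, run by both."""
    vs = ruleset_enabled_rules(ruleset_xml)
    server = profile_enabled_rules(profile_xml)
    return {
        "only_on_server": sorted(set(server) - set(vs)),
        "only_in_vs": sorted(set(vs) - set(server)),
        "both": sorted(set(vs) & set(server)),
    }


if __name__ == "__main__":
    # In practice read the two files from .sonarlint/ and the profile export instead.
    result = diff_rules(SAMPLE_RULESET, SAMPLE_PROFILE)
    for bucket, ids in result.items():
        print(f"{bucket}: {', '.join(ids) or '-'}")
```

Rules listed under `only_on_server` are the ones that will show up in SonarQube but never in Visual Studio (the S1244 case); rules under `only_in_vs` are the opposite, typically a ruleset that was edited locally after connected mode generated it. Re-running this after updating the Quality Profile and re-opening the solution should leave both buckets empty.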

Visual studio c++ static analysis plugin for feeding into sonar

Is there any way to feed visual studio static analysis on c++ code base into sonar?
Thanks
Did you check out the VSSonarExtension? You can find some hints on how to use it here.
Update:
The other way around, there may be a plugin by jmecosta called VSSonarAddin. One of its features is:
> "c++, runs local analysis with cppcheck and reports violations added by local changes."
You can find the project on GitHub.
The Community C++ Plugin supports feeding compiler warnings as violations into SonarQube. You usually need to build your code with code analysis enabled and later you can use that data during SonarQube analysis. See here for more details!

custom threshold for CA1502 in visual studio 2013 ultimate

This question: Custom threshold for CA1502
discusses how to set up custom thresholds for code metrics rules in code analysis.
I have the same problem, but think that the old question is out of date.
To repeat:
> In particular, we would like our Build to fail when a method has a
> code complexity of more than 20. Unfortunately, rule CA1502 has a
> threshold of 25:
> The rule reports a violation when the cyclomatic complexity is more
> than 25.
Can we somehow change this?
The accepted answer is to edit an .fxcop file to include the rules.
In Visual Studio 2013 Ultimate we have integrated Code Analysis and Code Metrics, but we don't appear to have .fxcop rules; I think this used to be the case when FxCop was a separate extension.
Is there any way to edit the thresholds in the .ruleset files produced by visual studio?
Or have I missed how and where to get .fxcop files in the more recent versions?
The post you cited is actually pretty recent. The use of .fxcop files is still the only way to configure the rules. (If you're not fond of this limitation, you might want to vote at http://visualstudio.uservoice.com/forums/121579-visual-studio/suggestions/2406555-allow-code-analysis-rules-to-be-configured-via-ru.)
You can use the FxCop 10.0 UI to create a "seed" .fxcop file, but you will need to edit it by hand to add the settings. To integrate with Visual Studio, you can use the CodeAnalysisProject MSBuild property to specify the relative path to the .fxcop file.

How to get FxCop have the same set of rules as that of Visual Studio Code Analysis?

Yesterday I posted a question here (FxCop and Code Analysis Rules) about getting FxCop to run the same rules as Code Analysis, and I thought it was resolved.
However it seems like there's no real way to get FxCop to run the same exact set of rules as Visual Studio 2010's Code Analysis. For instance once I got everything working with my FxCopCmd setup it started barking about rules denoted in the Minimum Recommended Rules ruleset like CA2000. If I remove the rules it doesn't like it runs the analysis and everything looks good . . . except it's really not running the same ruleset!
This seems kind of crazy to me! Is there any way to get FxCop to analyze the exact same set of rules that Visual Studio Code Analysis can analyze against? Is there a .dll to add to the rules to analyze to get rules like CA2000 and others?
VS Code Analysis includes some rules that are not included with stand-alone FxCop. You will need to ensure that the extra rule assemblies are available to fxcopcmd.exe. The easiest way to do this is to replace the contents of your build-source FxCop folder with those from your Visual Studio installation since one of the rule assemblies (DataflowRules.dll) uses an analysis engine that isn't included with stand-alone FxCop either, and that depends on a bunch of other assemblies that are also included in the FxCop folder under the VS installation folder hierarchy.
