Add analyzers to support running outside of Visual Studio

Please provide

  • Operating system: Windows
  • SonarLint plugin version: 6.7.0.52071
  • Is connected mode used: Yes
    • Connected to SonarCloud or SonarQube (and which version): SonarCloud

And a thorough description of the problem / question:

I’ve a .NET 6 project which I analyze on SonarCloud. Locally we use SonarLint to synchronize rulesets, and in the CI pipeline the Azure DevOps tasks. In this setup the Azure DevOps prepare task and SonarLint seem to bring the analyzers into the build pipeline and issues are reported based on the defined quality profile / synced ruleset.

When we run the build from outside Visual Studio / Azure DevOps with dotnet build no issues for the Sonar linters are reported, since the analyzers are not added to the project.

What is the suggested way to have a consistent build experience across Visual Studio, CI Pipeline and building with dotnet from command line? I remember that years ago SonarLint in connected mode did add analyzers to the project, but it does no longer seem to do this in our case. Should we add SonarAnalyzer.CSharp manually? Does it contain all rules which are available in SonarCloud?

Hi,

It’s not clear to me what is happening, but I’m pretty sure that what’s not happening is SonarLint having an impact on your build.

Probably your CI pipeline includes SonarCloud analysis. And now you just need to make sure that when you build from outside ADO, that job includes the right steps too.

 
HTH,
Ann

Azure DevOps and SonarLint I mentioned only to give you more context, we can ignore them.

My question is: How can I run dotnet build and have the code analyzed with the rule sets defined in the quality profile on SonarCloud?

Related to this: How is the analyzer brought into the build when building from Visual Studio? I’ve connected the project to SonarCloud and a ruleset is added to the project, but no analyzer. When building, Sonar rules are reported. So something (and my assumption is that it is SonarLint) makes the analyzer available to the build.

Hi,

The docs should help with that.

Yes, this is going to be via SonarLint.

 
HTH
Ann

Where? This is the documentation on how to run it in a CI pipeline on Azure DevOps.

My question is: How to run dotnet build on local machine from CLI (without Azure DevOps or any IDE, like Visual Studio, involved) and get the issues reported as defined in SonarCloud quality profile?

Your possible answer could be: You need to manually add the SonarAnalyzer.CSharp analyzer to all projects

My follow-up question to this answer would be: Does this analyzer include all rules available on SonarCloud and why is this not (or no longer) done automatically by SonarLint in connected mode?

@pascalberger the Sonar C# and VB.NET analyzers are Roslyn analyzers. Like any other Roslyn analyzers, they can be packaged in two ways: in a VSIX extension and in a NuGet Package.

When they are packaged in a VSIX (like SonarLint), Visual Studio will run the rules on every C#/VB.NET project.

If you want to run those Roslyn rules outside Visual Studio, you would need to add references to the NuGet packages to the relevant projects, as you suspected (in fact, this is effectively what the SonarScanner for MSBuild does; it programmatically adds references to the Sonar Roslyn analyzers at build time).

So:

Yes.

SonarCloud and SonarLint both effectively embed the analyzer NuGet packages, so the rules they execute will correspond to those in a specific version of the NuGet packages.
In practice, what happens currently is as follows:

  • a new version of the analyzer NuGet packages is released.
  • SonarCloud is updated within a few days
  • SonarLint is updated within a few weeks (look at the release notes to see which version is currently embedded).

Originally, SonarLint in Connected Mode would add references to the analyzer NuGet packages to all C#/VB.NET projects. However, that means that the analyzers would be executed in all VS builds. That led to complaints from users about the impact on builds in the IDE, so we stopped adding NuGet references (since the analyzers in VSIXes were not run in IDE builds).


Thanks for the explanation.

Just to verify: The SonarAnalyzer.CSharp contains all C# rules which are available on SonarCloud? There are no rules which are not part of the open source analyzer?

The taint analysis (injection) rules are not part of the open source analyzer (they are implemented in Java).

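As an added example (not from the thread and not SonarSource's own configuration), one way to reference the analyzer NuGet package from every C# project in a repository is a `Directory.Build.props` file at the repository root, so that a plain `dotnet build` runs the Roslyn rules without Visual Studio or the scanner. The package version and the ruleset file name are placeholders, and the `SonarRuleSet` property name is hypothetical.

```xml
<!-- Directory.Build.props (repository root): MSBuild imports this file
     into every project located below this directory. -->
<Project>
  <PropertyGroup>
    <!-- Placeholder file name (assumption): point this at the ruleset that
         SonarLint connected mode added for the SonarCloud quality profile. -->
    <SonarRuleSet>$(MSBuildThisFileDirectory)PLACEHOLDER.ruleset</SonarRuleSet>
    <!-- Only apply the ruleset when the file is actually present. -->
    <CodeAnalysisRuleSet Condition="Exists('$(SonarRuleSet)')">$(SonarRuleSet)</CodeAnalysisRuleSet>
  </PropertyGroup>

  <!-- Restrict the reference to C# projects. -->
  <ItemGroup Condition="'$(MSBuildProjectExtension)' == '.csproj'">
    <!-- Placeholder version (assumption): pin it to the analyzer version your
         SonarLint / SonarCloud currently embeds so the rules line up.
         PrivateAssets="all" keeps the analyzer a build-time-only dependency
         that does not flow to consumers of the project. -->
    <PackageReference Include="SonarAnalyzer.CSharp"
                      Version="VERSION_PLACEHOLDER"
                      PrivateAssets="all" />
  </ItemGroup>
</Project>
```

As stated in the thread, the taint analysis (injection) rules are not part of this package, so a local build configured this way will not report them.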
