Connected to SonarCloud or SonarQube (and which version): SonarCloud
And a thorough description of the problem / question:
I’ve a .NET 6 project which I analyze on SonarCloud. Locally we use SonarLint to synchronize rulesets and in CI pipeline the Azure DevOps tasks. In this setup the Azure DevOps prepare task and SonarLint seem to bring the analyzers into the build pipeline and issues are reported based on the defined quality profile / synced ruleset.
When we run the build from outside Visual Studio / Azure DevOps with dotnet build no issues for the Sonar linters are reported, since the analyzers are not added to the project.
What is the suggested way to have a consistent build experience across Visual Studio, CI Pipeline and building with dotnet from command line. I remember that years ago SonarLint in connected mode did add analyzers to the project, but it does no longer seem to do this in our case. Should we add SonarAnalzer.CSharp manually? Does it contain all rules which are available in SonarCloud?
Related to this: How is the analyzer brought into the build when building from Visual Studio? I’ve connected the project to SonarCloud and a ruleset is added to the project, but no analyzer. When building, Sonar rules are reported. So something (and my assumption is, that it is SonarLint) makes the analyzer available to the build.
Where? This is the documentation how to run it in a CI pipeline on Azure DevOps.
My questions is: How to run dotnet build on local machine from CLI (without Azure DevOps or any IDE, like Visual Studio, involved) and get the issues reported as defined in SonarCloud quality profile?
You possible answer could be: You need to manually add the SonarAnalyzer.CSharp analyzer to all projects
My follow up question to this answer would be: Does this analyzer include all rules available on SonarCloud and why is this not (or no longer) done automatically by SonarLint in connected mode.
@pascalberger the Sonar C# and VB.NET analyzers are Roslyn analyzers. Like any other Roslyn analyzers, they can be packaged in two ways: in a VSIX extension and in a NuGet Package.
When they are packaged in a VSIX (like SonarLint), Visual Studio will run the rules on every C#/VB.NET project.
If you want to run those Roslyn rules outside Visual Studio, you would need to add references to the NuGet packages to the relevant projects, as you suspected (in fact, this effectively what the SonarScanner for MSBuild does; it programmatically adds references to the Sonar Roslyn analyzers at build time).
So:
Yes.
SonarCloud and SonarLint both effectively embed the analyzer NuGet packages, so the rules they execute will correspond to those in a specific version of the NuGet packages.
In practice, what happens currently is as follows:
a new version of the analyzer NuGet packages is released.
SonarCloud is updated within a few days
SonarLint is updated within a few weeks (look at the release notes to see which version is currently embedded).
Originally, SonarLint in Connected Mode would add references to the analyzer NuGet packages to all C#/VB.NET projects. However, that means that the analyzers would be executed in all VS builds. That led to complaints from users about the impact on builds in the IDE, so we stopped adding NuGet references (since the analyzers in VSIXes were not run in IDE builds).
Just to verify: The SonarAnalyzer.CSharp contains all C# rules which are available on SonarCloud? There are no rules which are not part of the open source analyzer?