Our code-base is using one big mono repo which includes JavaScript code (Vue/frontend, Node APIs) and C# code (APIs) - currently I use a two-step build/analysis where the generic scanner is invoked for JS code and the scanner for .NET is invoked afterwards.
But when both scanners target one SonarQube project, the results seem to be “rewritten” by the last scanner - so in this case JS issues are lost.
I know I can create two projects in SonarQube for the two scanners but it feels a bit clumsy, so my question is: is there any way to achieve one SonarQube project with aggregated results from both scanners?
EDIT: I know I can add *.js files into the .csproj, but C# and JS code live in different folders and in different logical parts of the repo (frontend vs. micro-services).
If you want to see JS and C# scan results in the same project, you’ll need to scan them at the same time. That does not mean that they need to live in the same repository - you can check out both repositories into a common folder structure, run an MSBuild, and feed the result to SonarQube.
Thank you for the response - could you please elaborate on this a bit more?
Because when I ran a two-step analysis (we are using TeamCity but that is not important I guess) in the following order:
1. Generic SQ Scanner runner (using TC plugin) which picks up JS, Kotlin/Java, CSS code and ignores C#
2. SQ for MS Build using dotnet tool
```
# Example from docs
dotnet sonarscanner begin /k:"project-key" /d:sonar.login="<token>"
dotnet build <path to solution.sln>
dotnet sonarscanner end /d:sonar.login="<token>"
```
And I still get only the last analysis, which in this case is C#, in SonarQube. I also tried to force both scanners to use the same version using sonar.projectVersion (/d:sonar.projectVersion="something" for .NET in the begin phase) but it did not help.
Just to clarify - we have one big mono repo which holds the source code for all our apps/APIs, which generally means:
- C# code for API micro services
- NodeJS code for API micro services
- Frontend client code with pure JS and Vue
- Kotlin/Java for early version of Android client
…and more to come, but everything inside one repo under /src folder. And the goal is to have one SonarQube project for all analysis results for all (supported) languages.
I’m afraid you can’t run multiple scans in a single project. You can use the Scanner for .NET that will pick up anything referenced by your .NET solution (including JS). Or you can use the generic Scanner which doesn’t support .NET.
Our support for mono repos covers using multiple projects on a single repo; see this thread for more info.
I’d be interested to learn more about why you think multiple projects is clumsy in your situation?
I understand, and generally it is not a “big deal”; it is maybe more “OCD” about having two projects:
- One for C# developers
- Second for all others - JS, CSS, Kotlin etc.
But maybe when Android development starts to get more traction in our team, we would probably have to start using SonarScanner for Gradle, which means another separate project, and that probably makes more sense, like:
- Android project
- JS, CSS/Sass etc. frontend project including some APIs written in Node
- C# APIs project
We are at the beginning of our trial integration of SonarQube, but maybe when we scale and integrate SQ this will start to feel better. Yet again - no practical issues, only my brain seems to be thinking in a different way about this.
As your solution grows you might find that having multiple smaller projects is an advantage: you’ll get faster feedback from just analysing the project that has changed. In Developer Edition there is a feature called Applications that can be used to get an aggregated view of projects that belong to the same application.