Analysing repo with multiple project types (.net core / typescript)

brett.postin · January 24, 2020, 1:05pm

I have a repository containing two projects, a backend .net core api project and a frontend typescript based project. The typescript based project has no project file, just plain source files.

Using the Azure Pipelines tasks I’m unable to successfully get both projects under a single analysis. If I use the msbuild scanner, the backend api project gets analysed, but not the frontend. If I use the base cli scanner the opposite is true.

Using the following task definition:

- task: SonarCloudPrepare@1
  displayName: Prepare analysis on SonarCloud
  inputs:
    SonarCloud: 'SonarCloud'
    organization: '[REDACTED]'
    scannerMode: 'CLI'
    configMode: 'manual'
    cliProjectKey: '[REDACTED]'
    cliProjectName: '[REDACTED]'
    cliProjectVersion: '$(Build.BuildNumber)'
    cliSources: '.'
    extraProperties: |
     # Additional properties that will be passed to the scanner, 
     # Put one key=value per line, example:
     sonar.exclusions=**/node_modules/**/*,**/bundle.js

I can see in the Run Analysis task that the c# source files get indexed as [cs], but the sensor never analyses them:

11:15:52.840 INFO: Sensor C# [csharp]
11:15:52.840 INFO: Sensor C# [csharp] (done) | time=0ms

The frontend files do get analysed with this configuration.

Is it possible to analyse a .net core project using the core sonarscanner? If not, how should this repository be handled?

Additional Details:
SonarQube Scanner 4.1.0.1829
SonarQube server 8.0.0
SonarC# 8.2.0.14119 (csharp)
Sensors : SonarCSS Metrics -> SonarCSS Rules -> C# Properties -> JavaXmlSensor -> HTML -> SonarTS -> JaCoCo XML Report Importer -> JavaScript analysis -> TypeScript analysis -> C# -> JavaSecuritySensor -> CSharpSecuritySensor -> PhpSecuritySensor -> PythonSecuritySensor

mickaelcaro · January 27, 2020, 6:33am

Hi @brett.postin ,

As long as your typescript code is not referenced in any of your dotnet project, they won’t get analyzed.

Unfortunately, this “multiple-projects, mono-repo” scenario is not yet supported, but be sure that we think about it since a few months, and will begin the work to implement it very soon.

In the mean time, you can create 2 different projects, and make 2 analyses in the same build pipeline, targeting your different sources.

Mickaël

brett.postin · January 28, 2020, 2:28pm

We have looked at some of our other repos with similar setups and discovered the same, that not everything we thought was covered by analysis actually is.

Is this true for non .net core projects (i.e. full framework) too.

Are you saying that the only way to analyse .net code is via the msbuild scanner? If so, why do the C# sensors get pulled in using the base sonarscanner?

mickaelcaro · January 29, 2020, 6:06am

Currently, we don’t have easy way to discover code being analyzed before actually analyzing it (no parameters as well), so all the plugins and sensors are downloaded and ran side by side.

C# and dotnet world is a bit different, as we are relying on roslyn analyzer to get the proper code to analyze, we have to be plugged to the build itself, that’s the reason why there is a dedicated scanner.

Mickaël

brett.postin · February 3, 2020, 10:40am

Ok thanks for the clarification. Is there anywhere to track progress of the “multiple projects, mono repo” functionality work?

SteveDesmond.ca · August 17, 2021, 6:59pm

Any update on this would be greatly appreciated, as most of our products use this pattern (.NET API/backend, TypeScript UI/frontend)

Peeter_Piegaze · August 25, 2021, 2:15pm

Hi Steve,

Yes monorepos are now supported. You can have a look here: https://sonarcloud.io/documentation/advanced-setup/monorepo-support/