Analyze C# Script (.csx) files

Versions

  • Community Edition Version - 7.9.2 (build 30863)
  • C# Code Quality and Security - 8.6 (build 16497)
  • .NET Core SDK 2.1.805
  • Sonar Scanner for MSBuild 4.7.1.2311 (.NET Core 2.0+)

What I’m trying to achieve

I am trying to analyze C# script files (i.e., .csx files) with SonarQube.

What I’ve tried

I’ve followed the Use section on the SonarScanner for MSBuild.

I’ve also tried using the Sonar Scanner directly (even though the documentation says not to for .NET), but it didn’t work either.

The issue

The source code specifically references .csx files, but I’m unable to get SonarQube to recognize the .csx file in any meaningful way. SonarQube shows the source code and number of lines, but it does not perform syntax highlighting or list any issues of the .csx file.

Greetings,

Have you associated the .csx file extension with the C# language? (Global/Project Administration > C#)

I see .csx files analyzed on SonarCloud, so I have some hope for you. :)

Colin

Yes, I’ve configured .csx as a file extension for C# in SonarQube.

Do you have the source location of the project you linked above? I’d like to see the solution and project file.

I’ve just tested the same process using MSBuild (instead of .NET Core) with the same outcome.

  • MSBuild 16.5.0
  • Sonar Scanner for MSBuild 4.7.1.2311 (.NET 4.6+ Tool)

Hi there.

If you’ve analyzed using the SonarScanner for MSBuild, it will have generated a file called sonar-project.properties in the folder .sonarqube\out.

Have a look in the file - does it reference all of the files you expected to be analysed, and is the property key that references them xxx.sonar.sources or xxx.sonar.tests?

The SonarC# analysers are Roslyn analysers that are run as part of the MSBuild step. If the analysis has been run, then the generated sonar-project.properties file should also contain entries pointing to the analysis results file, which will have a name ending in .RoslynCA.json.

Is there a results file for the MSBuild project that references your .csx files, and does it contain any issues?

Hello

Yes, the sonar-project.properties file does reference both files I expect to be analyzed (i.e., Program.cs and Program.csx).

I do see a results file, but it does not contain any issues for the .csx file. It only contains issues for the .cs file.

Thanks

Ok, so if the files are referenced in the sonar-project.properties file and issues are being produced then that suggests that overall the Scanner for MSBuild is working as expected, but for some reason not all files are being analysed during the build step.

The SonarC# analyzer is a normal Roslyn analyzer, so it is passed as an input to the C# compiler csc.exe during the build step. The compiler then calls the analyzer during the compilation phase and hands it the files to analyse.

Have a look at the console output for the MSBuild step, specifically for the parameters passed to csc.exe. My guess is that the Program.cs is being passed to the compiler, but Program.csx isn’t.

If this is the case, then it will be down to how your MSBuild project is configured. Which template did you use to create the project? Is it just a normal C# library project that you’ve added a .csx file to? (it would be useful if you could share the project file).
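
The check described in the post above (which source files are actually handed to the compiler, and therefore to the Roslyn analyzers) can be scripted. This is an added example, not part of the original thread or of the SonarScanner: the log excerpt, the paths in it and the function names are constructed for illustration, and it assumes a Windows-style build log in which compiler options start with `/` or `-`.

```python
import ntpath
import re

# One command-line token: non-space runs, with "quoted spans" kept together.
_TOKEN = re.compile(r'(?:[^\s"]+|"[^"]*")+')
# The compiler itself: csc.exe (MSBuild) or csc.dll (run via 'dotnet exec').
_COMPILER = re.compile(r'(?:^|[\\/])csc\.(?:exe|dll)$', re.IGNORECASE)

# Constructed sample of a detailed build log; not taken from the thread.
SAMPLE_LOG = r'''
  CoreCompile:
    C:\Program Files\dotnet\dotnet.exe exec "C:\Program Files\dotnet\sdk\2.1.805\Roslyn\bincore\csc.dll" /noconfig /unsafe- /nowarn:1701,1702 /out:obj\Debug\netcoreapp2.1\c-sharp-test.dll /target:exe /analyzer:"C:\constructed path\SonarAnalyzer.CSharp.dll" Program.cs obj\Debug\netcoreapp2.1\c-sharp-test.AssemblyInfo.cs
'''


def compiler_inputs(build_log):
    """Return the source files passed to csc on every compiler command line."""
    sources = []
    for line in build_log.splitlines():
        tokens = [t.replace('"', '') for t in _TOKEN.findall(line)]
        idx = next((i for i, t in enumerate(tokens) if _COMPILER.search(t)), None)
        if idx is None:
            continue  # not a compiler invocation
        for tok in tokens[idx + 1:]:
            # Skip options (/x, -x) and response files (@file); the rest are sources.
            if not tok or tok[0] in '/-@':
                continue
            sources.append(tok)
    return sources


def not_compiled(expected_sources, build_log):
    """Files listed for analysis that never reached the compiler.

    Matching is by file name only (case-insensitive), because the log usually
    holds project-relative paths while sonar-project.properties holds absolute ones.
    """
    passed = {ntpath.basename(p).lower() for p in compiler_inputs(build_log)}
    return [p for p in expected_sources
            if ntpath.basename(p).lower() not in passed]


if __name__ == "__main__":
    listed = [r'C:\work\c-sharp-test\Program.cs',
              r'C:\work\c-sharp-test\Program.csx']  # constructed paths
    print("Passed to csc:", compiler_inputs(SAMPLE_LOG))
    print("Listed but never compiled:", not_compiled(listed, SAMPLE_LOG))
```

A file that shows up in the second list is visible to the scanner but was never seen by the analyzers, which matches the symptom of source and line counts without issues or highlighting.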

I’ve attached a zip of my simple project. I created it using the console app template.

c-sharp-test.zip (1.3 KB)

Thanks. It looks like you can’t just include .csx files in a project to have them analysed by building the project with dotnet/MSBuild. This is nothing to do with the SonarScanner - it’s how the MSBuild/dotnet build targets work.

This isn’t unexpected: the compiler takes in source files to compile them to a single output assembly, and it calls the Roslyn analysers as part of the compilation pipeline. It expects all of the source files to contribute to the output assembly, and each source file needs to be a valid compilation unit.

.csx files can contain snippets of code that aren’t directly compilable. I had a look at the detailed build logs from your project, and dotnet does “see” the Program.csx, but it adds it to the ItemGroup “None” so it isn’t passed to the compiler.

I don’t use C# script code so I’m not familiar with the tooling that’s available. There might be a way of running Roslyn analysers against files containing snippets of C# script code, but referencing them in a “normal” C# library project and invoking a normal build isn’t it.

Regarding the .csx files analysed on SonarCloud that @Colin referred to, I suspect they are a red herring. The only .csx files that have been analysed are ones that contain complete C# classes; the files containing partial code snippets have all of the code commented out.
My guess is that the user did pretty much what you did, but then had to change the snippets to be valid classes and changed the build action for the file to “C# compiler” i.e. the files are effectively just normal .cs files, apart from the file extension:

Thanks for your feedback. I will work with my .NET experts to see if they know of any way to pass the .csx files to the Roslyn analyzers. If I figure anything out, I’ll post back here.

Again, thanks for your time.
