Analyze C# Script (.csx) files

Versions

  • Community Edition Version - 7.9.2 (build 30863)
  • C# Code Quality and Security - 8.6 (build 16497)
  • .NET Core SDK 2.1.805
  • Sonar Scanner for MSBuild 4.7.1.2311 (.NET Core 2.0+)

What I’m trying to achieve

I am trying to analyze C# script files (i.e., .csx files) with SonarQube.

What I’ve tried

I’ve followed the Use section on the SonarScanner for MSBuild.

I’ve also tried using the Sonar Scanner directly (even though the documentations says not to for .NET), but it didn’t work either.

The issue

The source code specifically references .csx files, but I’m unable to get SonarQube to recognize the .csx file in any meaningful way. SonarQube shows the source code and number of lines, but it does not perform syntax highlighting or list any issues of the .csx file.

Greetings,

Have you associated the .csx file extension with the C# language? (Global/Project Administration > C#)

I see .csx files analyzed on SonarCloud, so I have some hope for you. :slight_smile:

Colin

Yes, I’ve configured .csx as a file extension for C# in SonarQube.

image

Do you have the source location of the project you linked above? I’d like to see the solution and project file.

I’ve just tested the same process using MSBuild (instead of .NET Core) with the same outcome.

  • MSBuild 16.5.0
  • Sonar Scanner for MSBuild 4.7.1.2311 (.NET 4.6+ Tool)

Hi there.

If you’ve analyzed using the SonarScanner for MSBuild it will have generated a file called sonar-project.properties file in the folder .sonarqube\out.

Have a look in the file - does it reference all of the files you expected to be analysed, and is the property key that references them xxx.sonar.sources or xxx.sonar.tests?

The SonarC# analysers are Roslyn analysers that are run as part of the MSBuild step. If the analysis has been run, then the generated sonar-project.properties file should also contain entries pointing to the analysis results file, which will have a name ending in .RoslynCA.json.

Is there a results file for the MSBuild project that references your .csx files, and does it contain any issues?

Hello

Yes, the sonar-project.properties file does reference both files I expect to be analyzed (i.e., Program.cs and Program.csx).

image

I do see a results file, but it does not contain any issues for the .csx file. It only contains issues for the .cs file.

Thanks

Ok, so if the files are referenced in the sonar-project.properties file and issues are being produced then that suggests that overall the Scanner for MSBuild is working as expected, but for some reason not all files are being analysed during the build step.

The SonarC# analyzer is a normal Roslyn analyzer, so it is passed as an input to the C# compiler csc.exe during the build step. The compiler then calls the analyzer during the compilation phase and hands it the files to analyse.

Have a look at the console output for the MSBuild step, specifically for the parameters passed to csc.exe. My guess is that the Program.cs is being passed to the compiler, but Program.csx isn’t.

If this is the case, then it will be down to how your MSBuild project is configured. Which template did you use to create the project? Is it just a normal C# library project that you’ve added a .csx file to? (it would be useful if you could share the project file).

I’ve attached a zip of my simple project. I created it using the console app template.

c-sharp-test.zip (1.3 KB)

Thanks. It looks like you can’t just include .csx files in a project to have them analysed by building the project with dotnet/MSBuild. This is nothing to do with the SonarScanner - it’s how the MSBuild/dotnet build targets work.

This isn’t unexpected: the compiler takes in source files to compile them to a single output assembly, and it calls the Roslyn analysers as part of the compilation pipeline. It expects all of the source files to contribute to the output assembly, and each source file needs to be a valid compilation unit.

.csx files can contain snippets of code that aren’t directly compilable. I had a look at the detailed build logs from your project, and dotnet does “see” the Program.csx, but it adds it to the ItemGroup “None” so it isn’t passed to the compiler.

I don’t use C# script code so I’m not familiar with the tooling that’s available. There might be a way of running Roslyn analysers against files containing snippets of C# script code, but referencing them in a “normal” C# library project and invoking a normal build isn’t it.

Regarding the .csx files analysed on SonarCloud that @Colin_SonarSource referred to, I suspect they are a red herring. The only .csx files that have been analysed are ones that contain complete C# classes; the files containing partial code snippets have all of the code commented out.
My guess is that the user did pretty much what you did, but then had to change the snippets to be valid classes and changed the build action for the file to “C# compiler” i.e. the files are effectively just normal .cs files, apart from the file extension:

1 Like

Thanks for your feedback. I will work with my .NET experts to see if they know of any way to pass the .csx files to the Roslyn analyzers. If I figure anything out, I’ll post back here.

Again, thanks for your time.

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.