Any difference between SonarAnalyzer.CSharp Nuget pack and SonarLint?


(Cemile) #1


I have two questions.
The first question is that there are two tools, named SonarAnalyzer.CSharp Nuget pack and SonarLint extension. Do I have to install both of these, or is it enough to install the SonarLint extension?

The second is: what are the SonarLint rules by default? Which rules are active, recommended rules or all rules?

Visual Studio : 2017

Thank you.

(Valeri Hristov) #2

Hi @ckonca,

There is no functional difference in the rules and actually SonarLint for Visual Studio uses the same DLLs that are in SonarAnalyzer.CSharp. There are some other differences though:

  • When using the nuget the build times in Visual Studio will increase significantly. When using SonarLint, Visual Studio will analyze the projects in the background and the build time will not change.
  • You will not see issues from SonarLint in the Visual Studio Output window, only in the Error List. When using the nuget you will see issues in both Error List and Output Windows.
  • SonarLint will not modify your projects (unless you use connected mode, but that’s only for the rule config) and you will always use the latest version of the analyzers. With the nuget you lock to a specific version and you need to manually update and commit the changes in the source control system.
  • When in connected mode, SonarLint can hide issues that are marked as Won’t Fix, False Positive, etc. on SonarQube.
  • When in connected mode, SonarLint will automatically sync the local rule configuration with the one that’s on SonarQube.

Kind regards,

(Cemile) #3

Hi Valeri,

Thank you for the useful and detailed info.

I have another question.
Which rules are active in SonarLint by default without connected mode?
Are they the recommended ones that are on SonarQube?

Thank you.

(Valeri Hristov) #4

Hi Cemile,

The rules that are enabled by default in SonarLint without connected mode are the same rules that appear in the Sonar Way quality profile for C# in SonarQube.

For some project types (the old .NET projects) Visual Studio displays UI to edit the enabled rules and you could customize what is executed in SonarLint (and the nuget package), but for some it doesn’t - the .NET Core and .NET Standard projects, and you are stuck with the default settings.

Some rules are part of SonarWay, but are not included in SonarLint, though. Those are the Sonar Security and the Security Hotspot rules.

  • The SonarSecurity rules are built into another plugin - SonarSecurity, which is part of the commercial editions and cannot be executed in SonarLint.
  • The Security Hotspot rules generate a lot of issues and they are not supposed to be reviewed outside of the SonarQube UI.

Kind regards,

(Cemile) #5

Thank you so much.

Best Regards.