Azure DevOps: SonarCloud Prepare Analysis Configuration task ignores selected organization when fetching quality profiles


(Tim Waalewijn) #1

Versions used

  • SonarCloud 7.7.0.21686 (api/server/version result)
  • Azure DevOps SonarCloud Extension 1.5.1
  • MSBuild scanner (whichever version is used by the SonarCloud extension)

Error observed

I’ve created a new private organization to test if I could move my organization’s SonarQube installation into SonarCloud.

After modifying a copy of the C# Sonar way profile, activating a few extra rules we use for our projects, setting up a project to use said profile, and running an analysis through my test Azure DevOps pipeline, I noticed the rules I activated weren’t being used.

For the rest of the bug report I’ll refer to this organization and project as myorg and myproject respectively.

Checking the logs of the pipeline showed me that the scanner first tried to get the quality profiles for my project using an API call:

Fetching quality profile for project 'myproject' from https://sonarcloud.io/api/qualityprofiles/search?projectKey=myproject...

Following that link showed me a JSON response containing an error:

{
  "errors": [
    {
      "msg": "Component key 'myproject' not found"
    }
  ]
}

The log then shows that the scanner is fetching the default profiles, which I assume is a fallback for when the project’s profiles cannot be found:

Fetching quality profile for project 'myproject' from https://sonarcloud.io/api/qualityprofiles/search?defaults=true...

It then states that rules were being fetched for the ‘cs-sonar-way-31865’ profile, which is not the one I assigned to the project, and then uses those for the Roslyn ruleset.

Looking at the MSBuild SonarScanner source code I found out that the begin command accepts an optional argument /o: to specify the organization.

This value then later gets added to the API call here.

Modifying the earlier API call from the log to what the scanner would use when this value is provided did indeed retrieve a result for my modified quality profile:

https://sonarcloud.io/api/qualityprofiles/search?projectKey=myproject&organization=myorg

The command that the Prepare Analysis Configuration task performs to start the scanner looks like this in the log:

SonarScanner.MSBuild.exe begin /k:myproject

Looking at the Azure DevOps extension source code it looks like this argument is indeed not being added.

The end result is that the extension does not pass on the selected organization to the scanner, and the scanner ends up using the default quality profile because it could not find one for the project.

Steps to reproduce

  • Create a new (private) organization
  • Derive a C# quality profile from Sonar way.
  • Activate a new rule on it e.g. S103
  • Create a new project inside the organization and set it up to use the derived quality profile
  • Run the analysis in an Azure DevOps pipeline using the SonarCloud extension
  • The log should be similar to the full_log one I’ve uploaded, which means the default C# quality profile was used.

full_log.txt (9.6 KB)

Workaround

None that I know of.
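Added example (not code from the SonarCloud extension or the MSBuild scanner): it shows the begin arguments the task would need to emit so that /o: carries the selected organization, and it audits scanner log lines for the silent fallback described above (a projectKey lookup without organization= followed by a defaults=true lookup). The function names and the sample log lines are constructed for this illustration.

```typescript
// Added example, not code from the SonarCloud extension or scanner.
// TaskInputs, buildBeginArgs, auditProfileFetch and SAMPLE_LOG are constructed.

interface TaskInputs {
  projectKey: string;
  organization?: string; // organization selected in the task UI, if any
}

// Arguments for "SonarScanner.MSBuild.exe begin": /o: is only emitted when an
// organization is selected, which is the argument the report found missing.
function buildBeginArgs(inputs: TaskInputs): string[] {
  const args = ["begin", `/k:${inputs.projectKey}`];
  if (inputs.organization) {
    args.push(`/o:${inputs.organization}`);
  }
  return args;
}

// Query parameters of the URL in a "Fetching quality profile ..." log line.
function fetchLineParams(line: string): Map<string, string> | null {
  const m = /Fetching quality profile for project '.+?' from (\S+?)\.\.\.$/.exec(line.trim());
  if (!m) return null;
  const params = new Map<string, string>();
  const query = m[1].split("?")[1] || "";
  for (const pair of query.split("&").filter((p) => p.length > 0)) {
    const [key, value] = pair.split("=");
    params.set(key, value || "");
  }
  return params;
}

interface ProfileAudit {
  projectLookupHadOrganization: boolean; // organization= present on the projectKey lookup
  fellBackToDefaults: boolean;           // a defaults=true lookup was issued afterwards
}

// Walk the scanner log and flag the fallback to the default quality profile.
function auditProfileFetch(logLines: string[]): ProfileAudit {
  const audit: ProfileAudit = { projectLookupHadOrganization: false, fellBackToDefaults: false };
  for (const line of logLines) {
    const params = fetchLineParams(line);
    if (!params) continue;
    if (params.has("projectKey")) {
      audit.projectLookupHadOrganization = params.has("organization");
    } else if (params.get("defaults") === "true") {
      audit.fellBackToDefaults = true;
    }
  }
  return audit;
}

// Constructed sample, modelled on the two lines quoted in the report.
const SAMPLE_LOG = [
  "Fetching quality profile for project 'myproject' from https://sonarcloud.io/api/qualityprofiles/search?projectKey=myproject...",
  "Fetching quality profile for project 'myproject' from https://sonarcloud.io/api/qualityprofiles/search?defaults=true...",
];
```

Running auditProfileFetch over a real pipeline log gives a quick check of whether an analysis silently used the default profile instead of the one assigned to the project.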