AzureDevOps Sonar Cloud integration - Analysis tasks is not working

We are using AzureDevOps, Gradle and Sonar cloud. In our yaml pipeline file, we added the sonar tasks, but it's not doing the code analysis.
See below logs from pipeline and pipeline yaml file.

Logs
2021-08-12T03:47:06.6480528Z ##[section]Starting: SonarCloudAnalyze
2021-08-12T03:47:06.6487316Z ==============================================================================
2021-08-12T03:47:06.6487720Z Task : Run Code Analysis
2021-08-12T03:47:06.6488092Z Description : Run scanner and upload the results to the SonarCloud server.
2021-08-12T03:47:06.6488423Z Version : 1.23.0
2021-08-12T03:47:06.6488686Z Author : sonarsource
2021-08-12T03:47:06.6489306Z Help : Version: 1.23.0. This task is not needed for Maven and Gradle projects since the scanner should be run as part of the build.

More Information
2021-08-12T03:47:06.6489980Z ==============================================================================
2021-08-12T03:47:06.7880756Z ##[warning][SQ] When using Maven or Gradle, don’t use the analyze task but instead tick the ‘SonarQube’ option in the Maven/Gradle task to run the scanner as part of the build.
2021-08-12T03:47:06.7897934Z ##[section]Finishing: SonarCloudAnalyze


Pipeline yaml file

```yaml
jobs:
- job: Job_1
  displayName: Build Project
  pool:
    vmImage: ubuntu-20.04
    demands:
    - java
  steps:
  - script: echo $(build.artifactstagingdirectory) | echo $(system.defaultworkingdirectory)

  - checkout: self
    clean: true

  - task: MavenAuthenticate@0
    displayName: Maven Authenticate
    inputs:
      artifactsFeeds: test

  - task: SonarCloudPrepare@1
    inputs:
      SonarCloud: 'Sonar Cloud'
      organization: 'kxxxxxx'
      scannerMode: 'Other'
      extraProperties: |
        # Additional properties that will be passed to the scanner,
        # Put one key=value per line, example:
        # sonar.exclusions=**/.bin
        sonar.projectKey=***
        sonar.projectName=****

  - task: Gradle@2
    displayName: Build Project
    inputs:
      tasks: clean build -x test
      jdkVersion: 1.11

  - task: SonarCloudAnalyze@1

  - task: SonarCloudPublish@1
    inputs:
      pollingTimeoutSec: '300'
```

Hello @martinjosephm,

Welcome to the community!

As you can see here, you should not be using Analyze task for Maven/Gradle, but instead, tick the following box in your gradle task:

You can find out more information here: https://sonarcloud.io/documentation/advanced-setup/ci-based-analysis/sonarscanner-for-azure-devops/#configure

Let me know in case of any further questions.

Best,
Marcin
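
The change described in the reply above, written out as pipeline YAML. This is an added example, not part of the original thread: `sonarQubeRunAnalysis` and `sqGradlePluginVersionChoice` are the Gradle@2 task's YAML inputs behind that checkbox, the project key and name are placeholders, and it assumes `build.gradle` already applies the `org.sonarqube` plugin.

```yaml
# Added example: steps for a Gradle project analysed by SonarCloud.
# The scanner runs inside the Gradle task, so there is no SonarCloudAnalyze step.
steps:
- checkout: self
  clean: true

- task: SonarCloudPrepare@1
  inputs:
    SonarCloud: 'Sonar Cloud'          # service connection name from the question
    organization: 'kxxxxxx'
    scannerMode: 'Other'               # Maven/Gradle mode: the build tool runs the scanner
    extraProperties: |
      sonar.projectKey=<PROJECT_KEY>
      sonar.projectName=<PROJECT_NAME>

- task: Gradle@2
  displayName: Build Project
  inputs:
    tasks: clean build -x test
    jdkVersion: 1.11
    # YAML form of the checkbox in the Gradle task's Code Analysis section.
    sonarQubeRunAnalysis: true
    # 'build' = use the plugin declared in build.gradle (assumption);
    # 'specify' = let the task apply a version set in sonarQubeGradlePluginVersion.
    sqGradlePluginVersionChoice: 'build'

# Waits for SonarCloud to process the report and shows the quality gate
# result on the build summary.
- task: SonarCloudPublish@1
  inputs:
    pollingTimeoutSec: '300'
```

With this layout the `SonarCloudAnalyze` log section, and the warning shown in the question, no longer appear; the analysis output shows up inside the Gradle step's log instead.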

Hi Marcin,
SonarCloud only scans master or main branch? What can I do to scan the feature branch as well?

Hi @martinjosephm,

SonarCloud scans whichever branch you will run your pipeline on. If you run your pipeline on your feature branch, the SonarCloudPrepare task will populate all needed properties, and you should have your branch analyzed and results should be visible in the UI.

Best,
Marcin

I don’t think it’s scanning the code.
All I see is a passed green message, with all metrics as zero.

@martinjosephm,

Do you see your branch scanned in the SonarCloud UI? Is your main branch correctly scanned? Can you see metrics for your main branch? Can you browse code in the ‘Code’ Tab?

Let me know,
Marcin

Yes, the main branch is scanned. I could see issues and vulnerabilities … the feature branch is saying ‘Passed’. I could see source code, but no issues are reported; everything is 0.

Are you sure there is something that should be detected in the feature branch? Can you try adding the file with the bug and reanalyzing it? Please keep in mind, the issues will only appear on the new code in comparison to your target branch (unless you have a long branch).

You can read about it here:
https://sonarcloud.io/documentation/improving/clean-as-you-code/#focus-on-new-code
https://sonarcloud.io/documentation/enriching/branch-setup/#issue-synchronization

Best,
Marcin