Bitbucket Pipe + SonarCloud + C#/.net core

Hi,

I’m trying to use Bitbucket Pipe with SonarCloud pipe. The configuration from guide looks simple but it doesn’t seem to analyze my code though source codes are detected

Here is the code snippet for my pipeline

      step: &sonarcloud-scan
        name: SonarCloud Scan
        script:
          - pipe: sonarsource/sonarcloud-scan:0.1.5
            variables:
              SONAR_TOKEN: ${MY_SONARCLOUD_KEY}
              DEBUG: "true"
              EXTRA_ARGS: -Dsonar.verbose="true" -Dsonar.projectVersion=1.0.0

From SonarCloud.io, my project overview says “This project is empty”
Please let me know what info I should provide cos I’m on company’s source code so I’m trying to avoid sending sensitive log for security reason

Thanks,
Hoang

Hello,
Based on the error I suggest to:

• make sure that you build the project before you run the SonarCloud Scan pipe in bitbucket-pipelines.yml
• if build execution and SonarCloud Scan execution are not done in the same Pipelines step, you have to explicitly define the artifacts that are produced by the build step in bitbucket-pipelines.yml so that all the subsequent Pipeline steps can even see the results of the build. You can do that by using artifacts property of a Pipelines step (here is the link to Bitbucket docs: https://confluence.atlassian.com/bitbucket/using-artifacts-in-steps-935389074.html)

Please let me know if that fixes the issue and if not I’ll investigate.

Hi Michal,

By “build the project before you run the SonarCloud Scan pipe”, do you mean build script to be at the same level as -pipe ?

Can you please give a sample bitbucket pipeline snippet for it? Thanks

Hi Hoang,
Apologies, I missed the important part where you mention it’s C#/.net core. Unfortunately the pipe doesn’t yet work for these since they require a dedicated scanner (https://docs.sonarqube.org/display/SCAN/Analyzing+with+SonarQube+Scanner+for+MSBuild).

Hi @Michal_Duda, that’s good to know.

Is there a plan to support it? It looks to me like SonarSource can provide some sonarsource/sonarcloud-scan-msbuild docker

We don’t have plans to add MSBuild support in the Pipe at the moment but I opened a ticket to create an example MSBuild project that uses Bitbucket Pipelines to trigger SonarCloud analysis since we are missing that in our Bitbucket Pipelines examples.

awesome. I look forward to seeing that example code. Thanks, @Michal_Duda

It would really help to get this example. Any idea of the timeframe for including it in your examples?

I managed to get our particular pipeline working. The requirements were for the pipeline just to run and publish analysis of a C# .NET Core 2.2 app - the rest of the work was being done on Azure pipelines.

One issue we had was that java was not installed as we were using the microsoft/dotnet:sdk image. So I added a few additional command lines to download it - it would really have been nice to use an image that included dotnet and java so we don’t have to do this every time. We might create a custom image, but for now it’s not that big a deal.

The analysis works on all merge requests into dev in additional to all PRs
First thing I created the project manually from our designated MAIN BRANCH by running the following commands from the root of a local copy of the repo (replace the necessary properties):

dotnet sonarscanner begin /k:"project.key" /d:"sonar.login=${SONAR_TOKEN}" /o:"organization-name" /d:"sonar.host.url=https://sonarcloud.io"
dotnet build App.sln
dotnet sonarscanner end /d:"sonar.login=${SONAR_TOKEN}"           

If you are building a project as opposed to a solution, then I think the project file needs to include a ProjectGuid.

Here is the bitbucket-pipelines.yaml file:

NOTE: If you want to analyse multiple branches use the format {dev, master, qa} - you get the idea

image: microsoft/dotnet:sdk

pipelines:
  branches:
    "{dev}":
      - step:
          name: Running SonarCloud Analysis
          services:
            - docker
          script:
            - apt-get update
            - apt-get install --yes --force-yes openjdk-8-jre
            - export PATH="$PATH:/root/.dotnet/tools"
            - dotnet tool install --global dotnet-sonarscanner
            - dotnet sonarscanner begin /k:"project.key" /d:"sonar.login=${SONAR_TOKEN}" /o:"organization-name" /v:"${BITBUCKET_COMMIT}" /d:"sonar.host.url=https://sonarcloud.io"
            - dotnet build App.sln
            - dotnet sonarscanner end /d:"sonar.login=${SONAR_TOKEN}"
  pull-requests:
      '**': #this runs as default for any branch not elsewhere defined in this script
      - step:
          name: Running SonarCloud Analysis
          services:
            - docker
          script:
            - apt-get update
            - apt-get install --yes --force-yes openjdk-8-jre
            - export PATH="$PATH:/root/.dotnet/tools"
            - dotnet tool install --global dotnet-sonarscanner
            - dotnet sonarscanner begin /k:"project.key" /d:"sonar.login=${SONAR_TOKEN}" /o:"organization-name" /v:"${BITBUCKET_COMMIT}" /d:"sonar.host.url=https://sonarcloud.io"
            - dotnet build App.sln
            - dotnet sonarscanner end /d:"sonar.login=${SONAR_TOKEN}"
definitions:
  services:
    docker:
      memory: 3072 # increase memory for docker-in-docker from 1GB to 3GB

Thanks a lot for contributing this!
Bookmarked!

@dibbdob - lifesaver; thanks for the above… now to get rid of the code smells I’ve just been informed about

Hi Alexander.

Thanks, your more than welcome.

If you get a chance to speed up the build with a custom image that includes the scanner (instead of downloading it every time I’d be very interested to use that instead. Perhaps some cache definitions in the pipeline might work just as well.

I might get around to creating a new image as, but probably not in the near future. Fingers crossed someone beats me to it - always too much to do and never enough time!

Good luck with the code smells!!!

I am getting following error message, do you know what I am doing wrong here?

• apt-get --assume-yes install openjdk-8-jre
  Reading package lists…
  Building dependency tree…
  Reading state information…
  E: Unable to locate package openjdk-8-jre

Hi Mahendra,

You’ve got something slightly different to my configuration - perhaps that’s the reason. I’m just guessing here as my experience in this area is somewhat limited.

Just a couple of points:

Are you running apt-get update beforehand?
Can you use what I originally posted up for the install:

apt-get install --yes --force-yes openjdk-8-jre

or have you had to modify it?

By the way, if you do get this working and can get back with some suggested improvements then I’d really appreciate it.

Hi @dibbdob,

When I have tried using the above yml to do the code analysis for . Net in bitbucket, I’m landing with the following error:

Nothing to do. None of the projects specified contain packages to restore.
/usr/share/dotnet /sdk/2.2.207/Microsoft.common.currentversion.targets(1183,5):error MSV3644: The reference assemblies for framework “. NETFRAMEWORK, Version=4. 5” were not found. To resolve this, install the SDK or targeting pack for this framework version or retsrget your application to a version of the framework for which you have the SDK or targeting pack installed. Note that assemblies will be resolved from the global assembly cache and wi be used in place of reference assemblies.

There seems to be a version dependencies while running the. Net framework of 4.5 version.
Can you suggest how to get rid of this error… Do we have any alternative solution to run the Pipeline for 4.5 version?

Hi @dibbdob,
I’ve followed the same process by taking the above yml file,
But the build is failing with the following error:

Task “MSBUILD” execution - - FAILED
Warnings : /opt/atlasssian/agent /build/B. Sln warning : opt/atlasssian/agent /build/A/A.csproj : DATA at the root level is invalid. Line 1 position 1
opt/atlasssian/agent /build/B.sln warning: Don’t know how to handle globalsection extensibility globals, ignoring.

opt/atlasssian/agent /build/B.sln (Build) - >
/usr/lib/mono/xbuild/14.0/bin/microsoft.csharp.targets (core compile target)

3 warnings
1 error

Time elapsed 00.00.05.