Hi All, My project is a legacy one which we can’t build/create a solution. Sonar Scanner is expecting to build the application to analyse code. Is it possible to scan the code and get the report without building the application?
I have been using static analysis with the help of SonarLint which is working fine in IDE, But the expectation is to use SonarQube and SonarScanner without building project.
Thanks in advance
Hey there.
What languages are you trying to analyze?
For compiled languages – there’s no way out of it. Java, C#, and C/C++ require a bulid.
As a developer, how do you work on a project if you can’t build it?
There is one scenario where it requires.
We are using a lowcode platform, which basically generates c# code. The platform build the project by internally managing the references. But we are not able to build the solution when we try to build manually using msbuild. Due to this, the sonarclient is failing to scan the code.
Not seeing any way around for this.
Is it really worth scanning the code if it’s autogenerated? Will developers be able to go in and change and the autogenerated code?
I see value to the question, there are times that I cannot build it on a specific agent (specially if i am on a ci/cd).
I can build it locally, i can build it using azure ci/cd… but it will depend on the setup or architecture of the build and release process.
My setup is similar to this:
Build and Release processor : Azure Pipeline
Target Server: Either AWS EC2 or AWS Lambda
Sonar Server : Intranet Server(Not accessible within azure or aws, its private)
Sonar Scanner server - intranet , it can access azure via azure agent, it can access sonar server since its on the same network. but azure cannot access it directly.
so with that setup. I need to run the scan process on a separate build, instead of within the same build pipeline so it will not slow down the current build/release process. since the build/release and scanner will be happening on a separate server.
So i believe not requiring to build a c# project will have a benefit on this setup. the scan will run faster. and I dont have to compile it again(on separate server).