I am using SonarScanner for MSBuild 5.3.2 with an ASP.NET MVC 5 web application using .NET Framework 4.7.2. We have generated files and third-party code scattered across multiple products, and I am trying to include just our code for analysis. I have modified the csproj to include:
<ItemGroup>
  <SonarQubeSetting Include="sonar.inclusions">
    <!-- I am including only controllers for testing purposes. -->
    <Values>Controllers\*.cs</Values>
  </SonarQubeSetting>
</ItemGroup>
However, when I build my project using:
> SonarScanner.MSBuild.exe begin /k:<project key>
> MSBuild.exe /t:Rebuild <sln>
> SonarScanner.MSBuild.exe end
All source code files in the project are analyzed. I can verify this by examining the FilesToAnalyze.txt output in the .sonarqube directory and by looking at the target output.
Due to how C# analysis works, all files will get analyzed during the build (and be included in FilesToAnalyze.txt) and only get excluded during the end step. What’s important to evaluate here is whether or not the inclusions/exclusions have taken place once the results reach the SonarQube UI.
That makes sense, but does it not count against the license? If I set it up incorrectly, would I not then be analyzing 100,000s LoC instead of the 10,000s that I intended?
That’s an interesting question! Even though technically analysis was done during the build, because the files are filtered out in the End step, they don’t make their way to the server for processing and therefore don’t count against your license.
Unfortunately, there’s no “no-op” or “what-if” mode to run, but I suppose you could halt the scanner execution locally before it actually submits the report and check the logs (or use a different, temporary project key for testing).
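An added example, not part of the posts above and not SonarSource code: a local preview that applies a sonar.inclusions pattern to the paths listed in FilesToAnalyze.txt, to estimate which files would survive the end step before anything is submitted. It approximates SonarQube's documented wildcards (`*`, `**`, `?`); the one-absolute-path-per-line file format, the backslash normalization, and the sample paths are assumptions of this sketch.

```python
import re
from pathlib import PureWindowsPath


def pattern_to_regex(pattern):
    """Translate a SonarQube-style path pattern into a compiled regex."""
    pattern = pattern.replace("\\", "/")  # assumption: treat '\' as a separator
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**/", i):   # zero or more whole directories
            out.append("(?:.*/)?")
            i += 3
        elif pattern.startswith("**", i):  # anything, across directories
            out.append(".*")
            i += 2
        elif pattern[i] == "*":            # anything within one path segment
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":            # one character within a segment
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(out))


def preview(file_list, project_dir, inclusions):
    """Split the listed files into (kept, dropped) for the given inclusions."""
    base = PureWindowsPath(project_dir)
    regexes = [pattern_to_regex(p) for p in inclusions]
    kept, dropped = [], []
    for line in filter(None, map(str.strip, file_list.splitlines())):
        try:
            rel = PureWindowsPath(line).relative_to(base).as_posix()
        except ValueError:                 # file lives outside the project dir
            dropped.append(line)
            continue
        (kept if any(r.fullmatch(rel) for r in regexes) else dropped).append(rel)
    return kept, dropped


# Constructed sample standing in for .sonarqube output; not real project data.
SAMPLE = r"""
C:\src\Shop.Web\Controllers\HomeController.cs
C:\src\Shop.Web\Controllers\Api\OrdersController.cs
C:\src\Shop.Web\Models\Order.cs
C:\src\Shop.Web\Scripts\Generated\Client.cs
"""
```

The authoritative check remains the file list shown in the SonarQube UI after the end step, as the reply above says.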