configMode: 'file' with Azure DevOps and MSBuild scanner

TridentTrue · May 1, 2023, 3:13pm

ALM used: Azure DevOps
CI system used: Azure DevOps
Scanner command used: MSBuild
Language of the repository: C#

I would like to use file configMode in my Azure DevOps pipeline, mainly to exclude external library code but cannot seem to get it to recognize config files of any kind. I do not want to use the UI or pipeline .yaml file to specify the exclusions as only some developers have access to these locations.

Here is my current SonarCloudPrepare task:

- task: SonarCloudPrepare@1
  inputs:
    SonarCloud: 'sonarcloud.analysis'
    organization: 'myorg'
    scannerMode: 'MSBuild'
    configMode: 'file'
    configFile: 'SonarQube.Analysis.xml'
    projectKey: 'my-project-key'
    projectName: 'project-name'
    extraProperties: |
      sonar.cs.vstest.reportsPaths=$(Agent.TempDirectory)\**\*.trx
      sonar.qualitygate.wait=true

I have tried both the SonarQube.Analysis.xml format (which worked fine when I tested the self hosted SonarQube version), and the sonar-project.properties format outlined elsewhere and neither file type seems to work. The only mention of configuration in the log output is this:

Calling the SonarScanner CLI...
INFO: Scanner configuration file: C:\a\_tasks\SonarCloudPrepare_14d9cde6-c1da-4d55-aa01-2965cd301255\1.35.0\classic-sonar-scanner-msbuild\sonar-scanner-4.8.0.2856\bin\..\conf\sonar-scanner.properties
INFO: Project root configuration file: C:\a\1\.sonarqube\out\sonar-project.properties

Is it possible at all to use file configuration with SonarCloud for Azure DevOps? Do I have to resort to UI configuration instead?

Colin · May 2, 2023, 8:17am

Hey there.

You can’t combine a scannerMode of MSBuild with a configMode. While you can pass a SonarQube.Analysis.xml file to the Scanner for .NET when running it without the extension (/s:<custom.analysis.xml>) this isn’t supported by the extension for Azure DevOps.

Can you clarify what you mean by developers not having access to the pipeline .yaml file? Isn’t it checked in with your codebase?

TridentTrue · May 2, 2023, 9:28am

Yes but it is the responsibility of the devops team to maintain, as are the sonarcloud project settings, so they are restricted only to that team. I want to be able to specify a config file in order to avoid unnecessary collaboration between the devevloper and devops teams whenever a new exclusion has to be added e.g. when a dev adds some library code.

I had assumed there would be some way to specify a file as in the SonarCloud Extension for Azure DevOps documentation it says “The extension embeds its own version of the SonarScanner for .NET”, which does indeed allow you to specify a SonarQube.Analysis.xml file.

I will just revert to running the scanner manually in the pipeline if using a config file is not possible with the Azure DevOps extension as this feature is too important not to have.

MarioDS · June 11, 2024, 11:57am

Wow, I just lost so much time trying to figure out why my sonar-project.properties weren’t picked up. This really should be clearer in the documentation!

That said, are there any plans for automatically converting the .properties file to the XML format expected by the MSBuild scanner in the future? It would be easier to streamline configuration instead of “hiding” it in csproj files…