configMode: 'file' with Azure DevOps and MSBuild scanner

  • ALM used: Azure DevOps
  • CI system used: Azure DevOps
  • Scanner command used: MSBuild
  • Language of the repository: C#

I would like to use file configMode in my Azure DevOps pipeline, mainly to exclude external library code but cannot seem to get it to recognize config files of any kind. I do not want to use the UI or pipeline .yaml file to specify the exclusions as only some developers have access to these locations.

Here is my current SonarCloudPrepare task:

- task: SonarCloudPrepare@1
  inputs:
    SonarCloud: 'sonarcloud.analysis'
    organization: 'myorg'
    scannerMode: 'MSBuild'
    configMode: 'file'
    configFile: 'SonarQube.Analysis.xml'
    projectKey: 'my-project-key'
    projectName: 'project-name'
    extraProperties: |

I have tried both the SonarQube.Analysis.xml format (which worked fine when I tested the self-hosted SonarQube version), and the format outlined elsewhere and neither file type seems to work. The only mention of configuration in the log output is this:

Calling the SonarScanner CLI...
INFO: Scanner configuration file: C:\a\_tasks\SonarCloudPrepare_14d9cde6-c1da-4d55-aa01-2965cd301255\1.35.0\classic-sonar-scanner-msbuild\sonar-scanner-\bin\..\conf\
INFO: Project root configuration file: C:\a\1\.sonarqube\out\

Is it possible at all to use file configuration with SonarCloud for Azure DevOps? Do I have to resort to UI configuration instead?

Hey there.

You can’t combine a scannerMode of MSBuild with a configMode. While you can pass a SonarQube.Analysis.xml file to the Scanner for .NET when running it without the extension (/s:<custom.analysis.xml>) this isn’t supported by the extension for Azure DevOps.

Can you clarify what you mean by developers not having access to the pipeline .yaml file? Isn’t it checked in with your codebase?

Yes, but it is the responsibility of the devops team to maintain, as are the sonarcloud project settings, so they are restricted only to that team. I want to be able to specify a config file in order to avoid unnecessary collaboration between the developer and devops teams whenever a new exclusion has to be added e.g. when a dev adds some library code.

I had assumed there would be some way to specify a file as in the SonarCloud Extension for Azure DevOps documentation it says “The extension embeds its own version of the SonarScanner for .NET”, which does indeed allow you to specify a SonarQube.Analysis.xml file.

I will just revert to running the scanner manually in the pipeline if using a config file is not possible with the Azure DevOps extension as this feature is too important not to have.
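
Added example, not part of the thread and not SonarSource code: if the scanner is run manually with /s: pointing at a developer-maintained SonarQube.Analysis.xml, a pipeline step can review that file before analysis starts, so the repository file can add exclusions but cannot override other settings or exclude the whole code base. The allow-list of keys, the list of over-broad patterns and the sample file are assumptions made for this sketch.

```python
import xml.etree.ElementTree as ET

# XML namespace of the Scanner for .NET settings file (SonarQube.Analysis.xml).
NS = "http://www.sonarsource.com/msbuild/integration/2015/1"

# Assumption: the only properties developers may set from the repository.
ALLOWED_KEYS = {"sonar.exclusions", "sonar.coverage.exclusions"}
# Assumption: patterns that exclude everything and are therefore rejected.
TOO_BROAD = {"*", "**", "**/*"}

# Constructed sample file, not taken from the thread.
SAMPLE = """<SonarQubeAnalysisProperties xmlns="http://www.sonarsource.com/msbuild/integration/2015/1">
  <Property Name="sonar.exclusions">lib/**/*, **/*.generated.cs</Property>
  <Property Name="sonar.coverage.exclusions">**/*</Property>
  <Property Name="sonar.host.url">https://example.invalid</Property>
</SonarQubeAnalysisProperties>
"""

def load_properties(xml_text):
    """Return (name, value) pairs for every <Property> in the settings file."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS}}}SonarQubeAnalysisProperties":
        raise ValueError(f"unexpected root element: {root.tag}")
    return [(el.get("Name", ""), (el.text or "").strip())
            for el in root.findall(f"{{{NS}}}Property")]

def review(xml_text):
    """Return a list of findings; an empty list means the file is acceptable."""
    findings, seen = [], set()
    for name, value in load_properties(xml_text):
        if name in seen:
            findings.append(f"{name}: defined more than once")
        seen.add(name)
        if name not in ALLOWED_KEYS:
            findings.append(f"{name}: not permitted in the repository file")
            continue
        # Exclusion values are comma-separated path patterns.
        for pattern in (p.strip() for p in value.split(",")):
            if pattern in TOO_BROAD:
                findings.append(f"{name}: pattern '{pattern}' excludes everything")
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE):
        print("REJECT", finding)
```

Run as a step before the scanner's begin command and fail the build when `review` returns any finding.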