Hello to the SonarSource community,
I discovered a bug in SonarLint for Visual Studio regarding the `CredentialStore`, which is reproducible in 2 ways.
When you open a Visual Studio solution which is already bound to a SonarQube project via connected mode and need to provide credentials, the credentials aren’t saved.
UseCase 1
I have multiple Git repositories; each repository has its own Visual Studio solution. Each solution has a corresponding SonarQube project in connected mode.
When a new user who hasn’t already bound a solution to a SonarQube project (i.e. hasn’t provided a URL and token in the “Connect to a SonarQube server”) opens the solution and wants to connect to the SonarQube server, the credentials aren’t saved for future connections. That means, if the user opens the same solution again or another solution which is bound to the same SonarQube instance, an error message “Cannot connect to the SonarQube server. Make sure you provided the correct connection information, including your sign-in credentials, and try again.” appears in the “Team Explorer: SonarQube” window.
UseCase 2
When you have bound a solution to a SonarQube project with a token, revoke this token and generate a new token in SonarQube, the extension can’t connect to SonarQube at project startup - you always have to provide the new token.
Steps to reproduce:
- Generate a fresh SonarQube token “A”
- Open Visual Studio
- Load a C# Solution without an already bound SonarQube project
- Go to “Team Explorer: SonarQube”
- Click “Connect …”
- Enter your Server and the fresh token “A”
- Bind the solution to a SonarQube project
- Close Visual Studio
- Revoke the token from SonarQube
- Open the Visual Studio Solution again
- Go to “Team Explorer: SonarQube”
- → The extension can’t connect to SonarQube, which is correct, because we revoked the token
- Generate a fresh SonarQube token “B”
- Click “Connect …”
- → The hostname is already filled in, because the project is still bound
- Enter the fresh SonarQube token “B”
- → The extension successfully connects to SonarQube, the project is already bound.
- Close Visual Studio
- Open the Visual Studio Solution again
- Go to “Team Explorer: SonarQube”
- → The extension can’t connect to SonarQube, which is NOT correct, because the token “B” is still valid
Reason
I dug a little bit into the extension source code and noticed the `SonarLint.VisualStudio.Integration.CredentialStore` class.
The method `WriteCredentials` is called at the end of the binding process in `SonarLint.VisualStudio.Integration.Persistence.SolutionBindingDataWriter.Save()`. When the solution is already bound to a SonarQube project, the `WriteCredentials` method is never called. The method `ReadCredentials` is therefore always fetching an old token (when you revoked it - UseCase 2) or no token at all (when you are a new user - UseCase 1).
Workaround:
Delete the `.\sonarlint` directory in the solution directory and rebind the project.
Problem: When you bind a solution to a SonarQube project, the extension adds `ItemGroup/AdditionalFiles` elements to the `.csproj` files.
When you rebind and these XML elements are still there, you get useless `*.ruleset` files alongside each project in the solution.
Versions:
Visual Studio Professional 2022 (17.0.4)
SonarLint 5.3.0.41207
SonarQube 9.2.4.50792
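
A check for the leftover elements mentioned in the workaround, as an added example that is not part of the original post or of SonarLint's code: it lists every `AdditionalFiles` item inside an `ItemGroup` in each `.csproj` under a solution directory, so they can be reviewed before rebinding. The function names, the sample project text and its `Include` path are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample (not from the original post): an old-style .csproj using
# the MSBuild 2003 namespace; the Include path is a made-up placeholder.
SAMPLE_CSPROJ = r"""<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup>
    <Compile Include="Program.cs" />
  </ItemGroup>
  <ItemGroup>
    <AdditionalFiles Include="..\.sonarlint\constructed-example.xml" />
  </ItemGroup>
</Project>"""


def local_name(tag):
    """Strip an XML namespace so old-style and SDK-style projects match alike."""
    return tag.rsplit("}", 1)[-1]


def additional_files(csproj_text):
    """Return the Include value of every ItemGroup/AdditionalFiles element."""
    root = ET.fromstring(csproj_text)
    found = []
    for group in root.iter():
        if local_name(group.tag) != "ItemGroup":
            continue
        for item in group:
            if local_name(item.tag) == "AdditionalFiles":
                found.append(item.get("Include", ""))
    return found


def scan_solution(solution_dir):
    """Map each .csproj path to its AdditionalFiles entries (or a parse error)."""
    report = {}
    for proj in sorted(Path(solution_dir).rglob("*.csproj")):
        try:
            items = additional_files(proj.read_text(encoding="utf-8-sig"))
        except (ET.ParseError, OSError, UnicodeDecodeError) as exc:
            report[str(proj)] = [f"<unreadable: {exc}>"]
            continue
        if items:
            report[str(proj)] = items
    return report


if __name__ == "__main__":
    for path, items in scan_solution(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        for include in items:
            print(f"{path}: AdditionalFiles Include={include}")
```

Run it with the solution directory as the only argument; projects that cannot be parsed are reported rather than skipped silently.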