Custom Sonar Scanner To Scan XML files Using C# language


I am looking for a way to write Custom Sonar Scanner rules To Scan XML files using C# language. Is there a way to write a plugin using c#.

Thank you

Hey @RohanA,

Technically speaking, our .NET analyzers (C# and VB) are written in C# (you can check this here as it’s open source). But as you know SQ is Java, and plugins must be Java packages (which is the case ofc!). So how does it work?

The analyzer is a regular Roslyn analyzer, acting during the MSBuild to scan the code and raise Warnings on it. These Warnings (so-called issues in SQ) are also written in some JSON reports (from what I remember). Then during the scanner execution, the Java plugin (sonar-csharp-plugin here) will parse Roslyn reports and raise issues using the regular Java SQ API.

So as you can see, in this scenario, you would need a bit of Java because that’s the only way of raising issues in SQ. But all the logic (code parsing, lexing, detecting issues, etc.) could be done by any technologies of your choice actually.

Though you have some other alternatives for your use case, and I think you should pick one of these instead:

  • SQ has a XML plugin with some rules. This plugin also accepts custom rules based on XPATH. It’s quite simple as you can write them from the UI using the template rule Track breaches of an XPath rule
  • SQ also have a Generic Issue Data format (JSON-based). You could create such a report with whatever technology/language/framework you want, then pass it to SQ using sonar.externalIssuesReportPaths. This prevents you to write the Java connector explained above.

I hope this will help.

1 Like

Thanks Antoine for quick reply.

I have written custom rules for C# code analyzer using Roslyn and create Sonar .jar file from it to refer in SQ. That worked file.

But i want to scan xml files and Xpath is not sufficient for my custom xml rules. They are little complex and can written well in c#. Is there a way to write custom rules to scan XML files in c# ?

Sorry I guess you answered by question -
SQ also have a Generic Issue Data format (JSON-based). You could create such a report with whatever technology/language/framework you want, then pass it to SQ using sonar.externalIssuesReportPaths . This prevents you to write the Java connector explained above.

Yeah, indeed the Generic Issue Data feature is the way to go. You could write something that works like the C# Roslyn analyzer + Java connector to raise issues in SQ. But for XML files? It might be possible (not sure though, I don’t know is MSBuild allows to scan XML files) but it will be overly complex.
Also, it’s quite common in a pipeline to run a tool that creates a report, then use this report in another step. So I think it makes sense to go this way!

Good luck!

I will try this and will get back to you if I have any questions.

Thanks Antonie

I am not planning to add this to MS build. Would i be able to add custom rules and refer Json file in basic Sonar Scanner ? And we will invoke scanning using external CLI

Yes sure, sonar.externalIssuesReportPaths works for every scanner (the core of the scanner is actually the same).
After that, as your custom rules are implemented in a external custom solution, you can do whatever you want here, the only thing is to generate the report in the documented format.

Hi Antoine
Could you please also help me with how to configure sonar.externalIssuesReportPaths ?I am not able to find more details.

I added sonar.externalIssuesReportPaths=Issues.json in and it worked fine with standalone scanner. Now I am trying to sonar.externalIssuesReportPaths=Issues.json in additional properties in Azure pipeline for MS build Scanner but it is throwing error. Please help.

@RohanA which kind of error? Any logs? Error message?

Here is the configuration :

and here is the error

I have placed issues.json file at the root of the project , is it okay ?

@Antoine Am I missing any configuration in this?

Hello @RohanA,

Wherever’s the report located is fine, as soon as its location is well referenced into sonar.externalIssuesReportPaths of course. Is it really where the scanner mentions it is? (C:\LocalAgent_work\1\s\Code\slnNeoSpin\NeoSpinLogger\Issues.json).

As the error is triggered from a code file named, I’d say that either the path is not well given to the property (then you have to adapt), or somehow the file format has an issue (which shouldn’t be the case as you said it worked locally, but double check just in case).

Either way, I can’t really help much on these kind of issues.

Thanks Antoine. I am able to figure out the issue. The issue was related to path to Json file.

I wrote a separate XML scanner and created Json file with results in format expected by SonarQube. I am trying to upload xml scanning result Json as a part of MS build scanner so that i can get C# + xml analysis in one project but i am not able to see results from XML Json file on SOnarQube.

Hmm, let me rephrase to confirm I understood what you are trying to achieve:

  • you made a custom SonarQube plugin that will analyze XML files
  • during a code analysis, this plugin will generate a report in the SQ Generic JSON format
  • then, during the same code analysis, you expect this report to be imported in SQ


There might be some technicalities to handle to do this, but it should be possible I think. Usually, such reports are made prior to the scanner invocation, by another tool, so when the scanner starts the report is ready.

Ok, what does the scanner debug logs say (in particular the Import external issues report sensor)? Did you make sure to feed sonar.externalIssuesReportPaths in the begin step of the scanner (even though the report is not ready yet, the parameter has to be set in the begin step)?