So I’ve written a few rules before which have been great using the SDK and I’ve just started with the newer version and hit an issue.
I’ve read over some of the issues mentioned and it seems like you’ve killed off the ability to have custom third-party rules as part of the SonarQube scan. Is this correct?
I think I read some misguided reason to just use project Roslyn analyzers - which is great if a project includes it.
So can someone confirm if I can still develop third-party rules and include them in scans?
We have only deprecated the SQ Roslyn SDK because we want to provide the same level of features without having all the ceremony of creating a SonarQube plugin.
If you are using SonarQube 7.4+ and a recent version of the Scanner for MSBuild and SonarC# you will see that any Roslyn analyzer which is run during the build will have its issues automatically imported to SonarQube.
I hope it does answer your question(s).
So I am clear @Ammo does that mean now that any custom analyzers will now need to be applied to each and every project for the rules to report to SonarQube?
Is there any guidance on how to append these analyzers to each project prior to a scan without an update to the project? A lot of the projects that come through for me are legacy and I am applying my own security rules to locate issues - I cannot append these to the source code myself.
If you don’t want to modify your projects but still run some rules, I would recommend you stick with the Roslyn SDK, because the modification we did is only (for now) to import to SQ issues that are raised during the build without us doing anything.
Cool thanks for clearing that up.