Disable StaticCodeAnalysis when doing a SonarQube analysis

Thomas_Mittermair · November 12, 2024, 2:03pm

Hi there

We use SonarQube on Teamcity. Our solution is quite large (around 2 million LOC). Therefore buildtime is always an issue.

A normal build in our buildchain takes approx. 10-15mins. When we include SonarQube our buildtime is around 40 mins.

I’m currently trying to get our buildtime down as much as possible. My first step was to create a dedicated build configuration for sonarqube which disables all static code analysis. We currently use NSDepCop, StyleCop as well as Roslyn and C# code analyzers.

The config looks like this atm:

<DebugType>full</DebugType>
        <RunCodeAnalysis>false</RunCodeAnalysis>
        <RunAnalyzersDuringBuild>False</RunAnalyzersDuringBuild>
        <RunAnalyzersDuringLiveAnalysis>False</RunAnalyzersDuringLiveAnalysis>
        <EnforceCodeStyleInBuild>False</EnforceCodeStyleInBuild>
		<DisableNsDepCop>true</DisableNsDepCop>
        <DefineConstants>DEBUG;$(DefineConstants)</DefineConstants>
		<StyleCopEnabled>false</StyleCopEnabled>

I assumed, this would disable all analyzers. But when I run a build with reportanalyzers=true and verbosity:detailed, I still get reports for all the static code analyzers.
We configure all the analyzer rules in an .editorconfig.

We currently have 2 “build-paths” on teamcity:

one with all the static code analyzers on. this one also runs all the tests
one with all the static code analyzers off. this one only runs the sonarqube analyis

Does anybody have an idea how to accomplish this and actually completly disable all other analyzers beside sonarqube?

As a sidenote: I know that there is an option in sonarqube if other analyzers should be reported. That’s not what I mean with this. I want to disable them completely. I only care about what sonarqube has to say about our code.

Any help is highly appreciated

costin.zaharia · November 18, 2024, 4:47pm

Hi Thomas,

Welcome to our community!

I took a look, and as far as I can tell, this is caused by a bug in the Scanner. I’ve created an issue and you can follow the progress here https://sonarsource.atlassian.net/browse/SCAN4NET-166.

costin.zaharia · November 19, 2024, 8:03am

As a workaround, you can make the references conditional

  <ItemGroup Condition="'$(IsCI)' == ''">
    <PackageReference Include="NsDepCop" Version="2.4.0">
      <PrivateAssets>all</PrivateAssets>
      <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
    </PackageReference>
    <PackageReference Include="StyleCop.Analyzers" Version="1.1.118">
      <PrivateAssets>all</PrivateAssets>
      <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
    </PackageReference>
  </ItemGroup>

and, on CI, provide the parameter when calling the build command.

dotnet build --no-incremental /p:reportanalyzer=true /p:IsCI=true

Depending on the usage, you can avoid duplication, by declaring them in a Directory.Build.targets file.

Thomas_Mittermair · November 19, 2024, 8:29am

Hi, thanks for your reply

The workaround looks solid, but it’s just not feasable for our solution. We have like 150 projects and have the analyzers referenced in each of them. This would be a major refactoring for us.
We just wait for now if there is a possible fix coming.
I’ll keep an eye on the issue