Excluded folders are still being analysed in msbuild step

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
    SonarQube 8.6.1 SonarScanner
    dotnet-sonarscanner 4.10

dotnet project.

  • what are you trying to achieve
    I am trying to reduce the time taken to run msbuild with sonarscanner running.
    I have run “msbuild /p:reportanalyzer=true”. The profile results identified some projects that were taking a LOT longer to analyse than most projects (> 5 minutes vs < 1 second for most projects).
    These projects have code autogenerated by swagger. I want to exclude this autogenerated code from analysis without excluding the whole project.

  • what have you tried so far to achieve this
    I have excluded specific folders using the “sonar.exclusions” setting, from the project settings in sonarqube. What I have noticed is that this setting is working correctly for the post build sonarqube analysis step (i.e. the step that runs when you call “dotnet-sonarscanner.exe end”). The folders are correctly excluded from the analysis.

BUT the excluded files are still being analysed during the msbuild step.

  • the profile results returned by “msbuild /p:reportanalyzer=true” have not changed at all
  • the msbuild log has entries from sonarqube analysis, showing that those excluded files are being analysed during the build. e.g. warnings about unused local variables etc.

Is this expected behaviour? Should the sonar.exclusions setting effect the msbuild step? Or does it only effect the “dotnet-sonarscanner.exe end” step?

Or am I not applying the settings correctly?

The code exclusion documentation mentions how to excluded files, but doesn’t specify what the files will be excluded from.

Hey there.

sonar.exclusions does not affect the MSBuild step itseelf – only the “end” step of the Scanner for .NET. You can prevent the analyzers from running at all during the build adding this to the relevant .csproj file(s).

<!-- in .csproj -->
  <!-- Exclude the project from analysis -->

There’s also an interesting solution proposed in this StackOverflow post to systematically apply this setting based on a RegEx.

Thank you Colin. I have ended up excluding the entire project from analysis as you suggested.
It would be preferable if there was a way to just exclude the autogenerated code from build analysis, instead of having to exclude the whole project.

This should work. We have a GeneratedCodeRecognizer which we use to tell if a file has been autogenerated, and we skip that file from analysis. There is a setting to enable analyzing generated code (see C# | SonarQube Docs), but it’s disabled by default. Could you please check that setting in your SQ instance?

We have this on our internal roadmap to improve (i.e. treat exclusions in the Roslyn analyzer, not when importing the Roslyn results after the build).