SonarQube for Visual Studio plugin version: 8.19.1.13210
Programming language you’re coding in: C#/HTML/CSS/JS
Is connected mode used: No
And a thorough description of the problem / question:
I want to use SonarQube for IDE on a large ASP.NET Framework 4.7.2 application (Combination of WebForms and MVC). The analyzer appears to give a lot of warnings for .cshtml files that are related to what I am assuming is internal/hidden c# code behind.
Examples of these warnings include S108, S101, S4487, S1905 and S2696.
From what I have read .cshtml files in .NET Framework apps are not properly supported for SonarQube (correct me if i’m wrong) so instead I would like to exclude .cshtml files from analysis. I have added a file exclusion via extension settings, but no amount of cleaning, restarting or re running code analysis removes warnings from these files.
It looks like not only are file exclusions not working, but individual rule exclusions are also not working. I would’ve thought at the very least I should be able to exclude certain file types from analysis, this is making it hard to justify using (and potentially purchasing) SonarQube for a large legacy project that contains a lot of .cshtml files.
If my expectations are wrong or I am configuring something incorrectly, please let me know.
Configuring C# file exclusions and rules should normally work. There is a small caveat to that, which is that the settings, after they’ve just been changed, don’t take effect until the next roslyn analysis (basically, you need to modify the source code or reopen the solution). This should not be the problem if the settings are not modified.
From what it seems, the configuration in the settings.json file is correct and should have worked. Could you please send the contents of AppData\Roaming\SonarLint for Visual Studio\.global folder? It contains the analyzer configs generated based on settings.json. I would like to confirm that they were generated correctly
I did a few more code changes and Solution restarts to check I wasn’t just failing to re run analysis, but to no avail.
I have attached a .zip archive containing all configuration for the Solution I’m working in, called “SonarQubeTest”. Just from taking a quick peek myself, it does appear that the correct exclusion and severity rules have made their way into the SonarLint.xml and .globalconfig files so there may be something else at play here.
I would really appreciate getting to the bottom of this, as I would really love to champion the use of this wonderful tool.
Thank you for the provided archive! I could indeed reproduce the problem and we are currently investigating it. We will keep you informed as soon as we have more info.
It seems the problem consists in the fact that the compiler generates a new file .cshtml.g.cs for the .cshtml files and, indeed, this is the file that we actually analyze (and then map back to the source).
Therefore the following patterns should help you: *.cshtml* *cshtml*
Could you, please, try them and let us know if they helped you?
Be aware that exclusions will be applied on the next analysis run by the Roslyn analyzers, so reloading the solution would be recommended.
Unfortunately, those file exclusions had no effect for me. Were you able to reproduce this solution in an ASP.NET Framework MVC Web Application?
If so, I would be interested in the exact steps you took.
An interesting FYI, I decided to try and disable SonarQube for IDE and instead install the SonarAnalyzer NugetPackage, and that appears to not be raising warnings in cshtml files at all, even legitimate ones. Does the nuget package look for any exclusion settings? I don’t have an .editorconfig in this solution
I have actually tested it with a ASP.NET Core Web App, for which the exclusions worked as expected. They do not seem indeed to work for ASP.NET Framework MVC Web Application.
We are currently investigating this further and will be back to you when you have updates. Thank you for your patience!
This issue has been taken over by us - the team that works on the .NET analyzer.
It’s a pretty tricky issue as for .NET framework the cshtml and razor files during compilation are being treated differently than in .NET, by MSBuild.
During actual compilation (built time) these files for the framework you are targeting are not being picked up by us at all, however SQ IDE uses the analyzer during design time which is different, and it seems that in that case we are picking them up. This is what we are investigating currently, how the analysis differs in .net framework during design time in order to update our exclusion mechanism.
I’m aware how annoying this can be, we’ll come back to you soon with news.
