SonarQube 8.3.0.34182
SonarScanner for MSBuild 4.9
Running a build with SonarScanner for MSBuild I’m getting a couple of hundred warnings similar to the following:
EXEC : warning : File ‘C:\Program Files (x86)\MyProduct\MyAssembly.dll’ is not located under the root directory ‘C:\Perforce\MyProduct\src’ and will not be analyzed.
The built assemblies go to a folder under Program Files, so there’s a warning for each dll, pdb, xml file etc. The analysis works fine otherwise.
On the analysis scope page of the project in SonarQube I’ve tried setting source file inclusions to C:\Perforce\MyProduct** and file exclusions to C:\Program Files (x86)\MyProduct** without success. And played around with these settings.
What’s the best method for removing these warnings?
Does anyone have any suggestions on how to remove these warnings? It’s the last item that’s preventing us rolling out SonarQube. We don’t want the warning count to include these.
If you run the scanner with debug logs enabled you should be able to see the file inclusions/exclusions being applied. There are several properties that can be passed to the scanner to control what files get included: https://docs.sonarqube.org/latest/project-administration/narrowing-the-focus
If you post the logs we can try to help see what’s wrong.
I set up a temporary SonarQube project and built one of our projects against it. It gives the following two warnings:
EXEC : warning : File ‘C:\Perforce\FCI\main\src\Common\CommonAssemblyInfo.cs’ is not located under the root directory ‘C:\Perforce\FCI\main\src\FID.Core’ and will not be analyzed.
EXEC : warning : File ‘C:\Perforce\FCI\main\src\Common\VersionNumber.cs’ is not located under the root directory ‘C:\Perforce\FCI\main\src\FID.Core’ and will not be analyzed.
I tried setting sonar.exclusions on the project settings page to exclude:
C:\Perforce\FCI\main\src\Common\*
I also tried adding each file explicitly. Neither stopped the warnings.
Apologies, I thought my temporary project would demonstrate the problem sufficiently but it doesn’t. Your suggestion of using projectBaseDir fixes the issue in my test project but I don’t think I can use it in the real project, as the source code folder and output folders are in completely different areas.
My source files are in C:\Perforce\FCI\main\src but SonarScanner is complaining about files under C:\Program Files (x86)\FID.New not being located under the root directory.
C:\Program Files (x86)\FID.New is where the built assemblies etc are copied to during the build.
I think we just want to ignore anything under C:\Program Files (x86)\FID.New but I haven’t managed to do that via exclusions.
EXEC : warning : File ‘C:\Program Files (x86)\FID.New\x86\msvcp140_2.dll’ is not located under the root directory ‘C:\Perforce\FCI\main\src’ and will not be analyzed.
File was referenced by the following projects: ‘C:\Perforce\FCI\main\src\FID.Core.Native.Tests\FID.Core.Native.Tests.csproj’, ‘C:\Perforce\FCI\main\src\FID.Core.Tests\FID.Core.Tests.csproj’, ‘C:\Perforce\FCI\main\src\FID.Integration.Slave.Tests\FID.Integration.Slave.Tests.csproj’, ‘C:\Perforce\FCI\main\src\FID.Integration.Master.Tests\FID.Integration.Master.Tests.csproj’.
Could you please let me know how they are referenced in the CSPROJ? I mean what MSBuild schema element is used to reference them?
Also, what are the exclusion patterns you are using to exclude these files?
The Scanner for MSBuild looks at files referenced in the CSPROJ as sources or resources (e.g. html, javascript).
I can see that all of the projects mentioned in “File was referenced by the following projects:” are our test projects, which SonarQube doesn’t analyse anyway. I’m not sure if this is significant. Most of the files are not explicitly referenced by those projects, for example, the file you picked out (msvcp140_2.dll) isn’t referenced by any project, our build just copies it to the output folder.
For the few that are referenced explicitly e.g. nunit, they are referenced as follows:
dotnet sonarscanner begin /k:root-dir /d:sonar.verbose=true > 1.log
msbuild /t:rebuild > 2.log
dotnet sonarscanner end > 3.log
and I could not find any warnings related to ...is not located under the root.... Do you think there might be something relevant which is done in your environment and it’s missing here? Are you able to reproduce this issue with a small project or solution?
I believe I’ve discovered what triggers the problem.
Create a folder on your machine.
Copy a couple of random files into it.
Add the following to your csproj file:
<ItemGroup>
  <Content Include="<path to your folder>\*.*">
    <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
    <Visible>False</Visible>
  </Content>
</ItemGroup>
Replace “path to your folder” with the path to your local folder containing the random files.
Build your project and SonarScanner should output a warning for each file in your folder.
We build each of our test projects to a folder separate from the released assemblies, so we have a copy task similar to the above to copy any config etc required by the tests.
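To find which project items produce this warning before running a scan, the following added example (not part of the original posts and not SonarScanner code) lists csproj item includes that resolve outside a chosen root directory, which is the condition the warning text describes. The function name, the set of item types checked, and the sample project with its paths are assumptions made for illustration; the thread itself only confirms the behaviour for Content items.

```python
import ntpath  # Windows path rules, usable on any OS
import re
import xml.etree.ElementTree as ET

# Assumption: item types worth checking. The thread only confirms <Content>.
ITEM_TYPES = {"Content", "None", "Compile", "EmbeddedResource"}

def includes_outside_root(csproj_xml, project_dir, root_dir):
    """Return (item type, Include pattern, resolved path) for each item whose
    Include resolves outside root_dir. Relative paths are taken from project_dir."""
    prefix = ntpath.normcase(ntpath.normpath(root_dir)).rstrip("\\") + "\\"
    findings = []
    for elem in ET.fromstring(csproj_xml).iter():
        tag = elem.tag.rsplit("}", 1)[-1]  # drop the old-style MSBuild xmlns
        if tag not in ITEM_TYPES:
            continue
        for pattern in elem.get("Include", "").split(";"):
            pattern = pattern.strip()
            if not pattern or "$(" in pattern:
                continue  # MSBuild properties cannot be resolved statically; skipped
            # For wildcards, keep only the fixed directory before the first * or ?
            fixed = re.split(r"[*?]", pattern, maxsplit=1)[0]
            if fixed != pattern:
                fixed = ntpath.dirname(fixed)
            resolved = ntpath.normpath(ntpath.join(project_dir, fixed))
            canon = ntpath.normcase(resolved).rstrip("\\") + "\\"
            if not canon.startswith(prefix):
                findings.append((tag, pattern, resolved))
    return findings

# Constructed sample project; the paths are illustrative, not taken from the thread.
SAMPLE_CSPROJ = r"""<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <Compile Include="Program.cs" />
    <Compile Include="..\Common\VersionInfo.cs" />
    <Content Include="config\*.json" />
    <Content Include="C:\TestData\*.*">
      <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
      <Visible>False</Visible>
    </Content>
  </ItemGroup>
</Project>"""

if __name__ == "__main__":
    for item in includes_outside_root(SAMPLE_CSPROJ, r"C:\src\App", r"C:\src\App"):
        print(item)
```

Widening the root to the common source folder clears the shared-file finding but not the wildcard Content item on an unrelated path, matching what was reported above for projectBaseDir.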
Thanks for pointing this out. The issue is now easily reproducible by including the snippet you mentioned in the csproj file. It seems that the SonarScanner for MSBuild is including the folder content in the files to analyze.
I will let my colleagues know about this and get back to you.