How do I reconcile scan results from GitLab and Azure DevOps

Template for a good new topic, formatted with Markdown:

  • ALM used: GitLab, Azure DevOps
  • CI system used: Azure DevOps, GitLab CI
  • Scanner command used when applicable (private details masked):

    ```
    script:
      - sonar-scanner
        -Dsonar.verbose=true
        -Dsonar.c.file.suffixes=-
        -Dsonar.cpp.file.suffixes=-
        -Dsonar.objc.file.suffixes=-
        -Dsonar.projectKey=**********
        -Dsonar.organization=*****************
        -Dsonar.host.url=https://sonarcloud.io
        -Dsonar.token=**********************
    ```

  • Languages of the repository:
    1. ReactJS
    2. .NET Core
  • Error observed (wrap logs/code around with triple quotes ``` for proper formatting):
    Not an error; the result from the pull request scan is different from the Azure DevOps scan.

Hi,

Remind me of the actual problem here?

Ann

The result from the Sonar scan from Azure DevOps CI is different from the scan result from GitLab. …
Azure uses MSBuild, quite all right, and GitLab uses the SonarSource image.

Is there a way to configure GitLab to use MSBuild, and how do I do it?

Hi,

And what about the result is different? Are we talking about issues? Coverage? Something else?

Ann

About 80% of the result is different.
The scan from Azure DevOps MSBuild exposes a lot more issues than the scan using the image on GitLab.

Hi,

This is probably going to be about the build environments. Are you using the same versions of everything (scanner, SDK, etc.) in both places?

Alternately, could this be a question of which files are recognized as new in the PR? And thus a question of the SCM data available to analysis?

Ann

Yes … I think.

Because I have another project which is newly integrated to Sonar and no issues were found in the code.

Please can I get, say, a 30-minute session with your representatives to look at this hands-on?

@ganncamp kindly assist with this issue?

I have a couple of projects where Sonar is not detecting anything … during MR and PR … and I need to block bad code merges.

Awaiting your response.

Many thanks

Hey there.

Ann is on holiday. I’m going to step in.

I think this is key here, especially if you’re analyzing .NET Core.

It’s quite annoying we don’t have a .NET + Gitlab tutorial in the UI. There’s an ongoing discussion about that internally.

That said, as long as you can massage your pipeline to run the following commands (documented here)

```sh
dotnet tool install --global dotnet-sonarscanner
dotnet sonarscanner begin /k:"project-key" /d:sonar.login="<token>"
dotnet build <path to project file or .sln file>
dotnet sonarscanner end /d:sonar.login="<token>"
```

You should be able to get analysis working.

Thank you Colin for stepping in.

Just before I try the approach you shared … one question.

Does this scan only the new code or the entire project?

Also, another question on mono repos … what do you advise, and how do you expect mono repos to be handled from GitLab?
Is it with a single project in SonarCloud or with different projects, especially when dealing with a mono repo of microservices, as that’s mostly how our projects are structured?

The entire project will be scanned, but in some cases caching can prevent unchanged parts of the project from being reanalyzed (in the case of Pull Request analysis, for example).

How do you normally build your code? With many separate build commands (selectively building parts of the repo based on what changed), or just one? If it’s the former, I’d suggest a monorepo. If it’s the latter, a single SonarCloud project works fine.

Hi Colin

Many thanks for the other time

Please see below the result of the commands you suggested running:

```
$ dotnet tool install --global dotnet-sonarscanner
Tools directory '/root/.dotnet/tools' is not currently on the PATH environment variable.
If you are using bash, you can add it to your profile by running the following command:
cat << \EOF >> ~/.bash_profile
# Add .NET Core SDK tools
export PATH="$PATH:/root/.dotnet/tools"
EOF
You can add it to the current session by running the following command:
export PATH="$PATH:/root/.dotnet/tools"
You can invoke the tool using the following command: dotnet-sonarscanner
Tool 'dotnet-sonarscanner' (version '6.2.0') was successfully installed.
$ dotnet sonarscanner begin /k:"<project key>" /d:sonar.login="$SONAR_TOKEN"
Possible reasons for this include:
  * You misspelled a built-in dotnet command.
  * You intended to execute a .NET program, but dotnet-sonarscanner does not exist.
  * You intended to run a global tool, but a dotnet-prefixed executable with this name could not be found on the PATH.
Could not execute because the specified command or file was not found.
Cleaning up project directory and file based variables
00:00
ERROR: Job failed: exit code 1
```

You might need to add something in your pipeline like:

```sh
export PATH="$PATH:$HOME/.dotnet/tools"
```

As it suggests:

> Tools directory '/root/.dotnet/tools' is not currently on the PATH environment

Hi @Colin

Not sure how I can add that in GitLab CI.

Has this been done before? If yes, how do I do the same?

It’s just another line in your script. For example:

```yaml
sonarqube-check:
  stage: sonarqube-check
  image: mcr.microsoft.com/dotnet/sdk:7.0
  variables:
    SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar"  # Defines the location of the analysis task cache
    GIT_DEPTH: "0"  # Tells git to fetch all the branches of the project, required by the analysis task
  cache:
    key: "${CI_JOB_NAME}"
    paths:
      - .sonar/cache
  script:
    - "apt-get update"
    - "apt-get install --yes --no-install-recommends openjdk-17-jre"
    - "dotnet tool install --global dotnet-sonarscanner"
    - "export PATH=\"$PATH:$HOME/.dotnet/tools\""
    - "dotnet sonarscanner begin /k:\"newproj\" /d:sonar.token=\"$SONAR_TOKEN\" /d:\"sonar.host.url=$SONAR_HOST_URL\" "
    - "dotnet build"
    - "dotnet sonarscanner end /d:sonar.token=\"$SONAR_TOKEN\""
  allow_failure: true
  only:
    - merge_requests
    - master
    - main
    - develop
```
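As an added example that is not part of the thread or of SonarSource's own documentation, the job below combines the three points raised above: the begin/build/end sequence of the Scanner for .NET (which is what the Azure DevOps MSBuild tasks run, and why a plain sonar-scanner image reports far fewer .NET issues), the global-tool PATH fix, and the monorepo layout with one SonarCloud project per microservice, where each job only runs when its service's files changed. The service directories (`services/orders`, `services/billing`), the project-key variables (`SONAR_KEY_ORDERS`, `SONAR_KEY_BILLING`) and the stage name are assumptions for illustration; `SONAR_TOKEN` and `SONAR_HOST_URL` are assumed to be masked CI/CD variables. It also drops `allow_failure: true` and adds the documented `sonar.qualitygate.wait=true` analysis parameter, since a job that is allowed to fail cannot block a merge.

```yaml
# Added example (not from the thread or SonarSource docs). Assumed layout:
#   services/orders/   -> Orders.sln,  SonarCloud project key in CI variable SONAR_KEY_ORDERS
#   services/billing/  -> Billing.sln, SonarCloud project key in CI variable SONAR_KEY_BILLING
# SONAR_TOKEN and SONAR_HOST_URL are masked CI/CD variables. All names are assumptions.

.sonar_dotnet:                       # hidden template job, reused once per service
  stage: test
  image: mcr.microsoft.com/dotnet/sdk:7.0
  variables:
    SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar"
    GIT_DEPTH: "0"                   # full history: MR analysis needs SCM data to tell new code from old
  cache:
    key: "${CI_JOB_NAME}"
    paths:
      - .sonar/cache
  before_script:
    - apt-get update && apt-get install --yes --no-install-recommends openjdk-17-jre
    - dotnet tool install --global dotnet-sonarscanner
    # The SDK image does not put global tools on PATH; without this line "dotnet sonarscanner"
    # fails with "Could not execute because the specified command or file was not found".
    - export PATH="$PATH:$HOME/.dotnet/tools"
  script:
    - cd "$SERVICE_DIR"
    # begin/build/end must wrap one full build of the service: this is what the Azure DevOps
    # MSBuild tasks do, and what the sonar-scanner CLI image cannot do for .NET code.
    # sonar.qualitygate.wait=true makes "end" exit non-zero when the quality gate fails.
    - dotnet sonarscanner begin /k:"$SONAR_PROJECT_KEY" /d:sonar.token="$SONAR_TOKEN" /d:sonar.host.url="$SONAR_HOST_URL" /d:sonar.qualitygate.wait=true
    - dotnet build --no-incremental
    - dotnet sonarscanner end /d:sonar.token="$SONAR_TOKEN"
  # Deliberately no "allow_failure: true": a failed gate must fail the job so that the
  # merge request setting "pipelines must succeed" can actually block the merge.

sonar-orders:
  extends: .sonar_dotnet
  variables:
    SERVICE_DIR: services/orders
    SONAR_PROJECT_KEY: $SONAR_KEY_ORDERS
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
      changes:
        - services/orders/**/*
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH

sonar-billing:
  extends: .sonar_dotnet
  variables:
    SERVICE_DIR: services/billing
    SONAR_PROJECT_KEY: $SONAR_KEY_BILLING
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
      changes:
        - services/billing/**/*
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
```

Two things this relies on outside the YAML: the SonarCloud projects for the two services need to be created with SonarCloud's monorepo option so that both can report on the same merge request, and the GitLab project must require pipelines to succeed before merging; without that, a red Sonar job is only informational.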