How do you specify the sonarscanner version that is being used with SonarQubeAnalyze task?

When I use the SonarQubeAnalyze@5 task I notice that the scanner version is always

SonarScanner 4.7.0.2747

I want a newer version of the scanner to be used. Is there any way to specify that, or is that a deficiency of using these tasks?

I want the "SonarScanner for .NET", which is 5.8.0, to be used. I shouldn’t have to download it and install it on the agent.

is the latest version of the CLI scanner.
If you want to use the latest .NET scanner you will have to download it one time.
Did you check SonarScanner for .NET | SonarQube Docs?

OK, then how do I tell the SonarQubeAnalyze@5 task to use that? 'Cause by default the task wants to run SonarScanner 4.7.0.2747 …

I understand you’re telling me to load scanner 5.8.0 (so that means people need to add a pipeline task for that, which is already wrong 'cause the point of the “prepare task”, which I call before the analyze task, is to load the latest scanners regardless) …
but then there should be a way to tell the analyze task to use SonarScanner 5.8 without having to add an additional task into the pipeline ... 'cause even after loading the 5.8.0 scanner the analyze task is still running SonarScanner 4.7.0.2747

OK, SonarQubeAnalyze@5 means you’re using Azure DevOps; I didn’t know that, as we use Jenkins.
The docs for Azure DevOps integration should be sufficient:
https://docs.sonarqube.org/latest/analysis/scan/sonarscanner-for-azure-devops/
https://docs.sonarqube.org/latest/analysis/azuredevops-integration/

The pages you replied with do not say how to update the SonarQubeAnalyze@5 task to use a different version of the scanner. So can the SonarQubeAnalyze@5 task be configured to use the 5.8.0 scanner? And if so, how can that be done, please?

I don’t do an msbuild or vsbuild … I’m building a Linux .NET executable. Are you saying I need to set

scannerMode: 'MSBuild'

in the SonarQubePrepare@5 task?

Without really knowing anything about .NET on Linux, the .NET section at
https://docs.sonarqube.org/latest/analysis/azuredevops-integration/

has this .yml example

trigger:
- master # or the name of your main branch
- feature/*

steps:
# Prepare Analysis Configuration task
- task: SonarQubePrepare@5
  inputs:
    SonarQube: 'YourSonarqubeServerEndpoint'
    scannerMode: 'MSBuild'
    projectKey: 'YourProjectKey'

# Run Code Analysis task
- task: SonarQubeAnalyze@5

# Publish Quality Gate Result task
- task: SonarQubePublish@5
  inputs:
    pollingTimeoutSec: '300'

So I guess scannerMode: 'MSBuild' is right.

And the example is completely wrong. Here’s why: the example clearly states you can “prepare, analyze, and publish” with the scanner mode as ‘MSBuild’ … but the moment you do that the following error happens:

The SonarScanner for MSBuild integration failed: SonarQube was unable to collect the required information about your projects.
Possible causes:
  1. The project has not been built - the project must be built in between the begin and end steps
  2. An unsupported version of MSBuild has been used to build the project. Currently MSBuild 14.0.25420.1 and higher are supported.
  3. The begin, build and end steps have not all been launched from the same folder
  4. None of the analyzed projects have a valid ProjectGuid and you have not used a solution (.sln)
17:39:22.841  The SonarScanner for MSBuild integration failed: SonarQube was unable to collect the required information about your projects.

Nowhere does the example (or integration) infer anything about building.

The docs clearly lead people to believe you don’t have to build to get an analysis of the code.

Unfortunately I am out; I have no experience with MSBuild. I hope someone with more of an idea chimes in.

1 Like

Hello @Mike_Greco

The SonarQube Extension for Azure DevOps contains the Scanner for .NET 5.8.0, which has an embedded SonarScanner version 4.7.0.2747. You can read Introduction to the SonarQube/SonarCloud .NET analysis to get a better understanding of what each component does.

So: SonarQube Extension for Azure DevOps contains an embedded version of the Scanner for .NET, which contains an embedded version of SonarScanner. Each of these three components has its own version.

The logs in the Prepare Analysis Configuration step (SonarQubePrepare@5) will show:

SonarScanner for MSBuild 5.8

This is not possible. The Scanner for .NET is embedded in the Azure DevOps Extension. To update it, we need to release a new version of the AZDO Extension and publish it to the marketplace.

As I mentioned, this is the currently embedded version (since the 5th of September 2022).

Not really, the documentation says:

  • Add a new Run Code Analysis task after your build task.

So between SonarQubePrepare and SonarQubePublish, you need to build and also to run the tests in order to have the code coverage report. See this example (SonarCloudPrepare and SonarQubePrepare are essentially the same steps).

Having said that, I do believe we can improve our existing documentation, as it is not clear from the YML example file what you need to fill in between SonarQubePrepare and SonarQubePublish. I will send this feedback to our documentation team.

Thank you for your feedback.

Yeah, eventually I figured out that you need to do a build between the prepare (where the scannermode is set to MSBUILD) and analyze tasks.

I was doing a build that creates a docker image and I didn’t want to put the SQ analysis of the code into the dockerfile. I wound up doing the build outside the docker context and then the ‘docker build’ COPYs it into the resulting image (which isn’t ideal either, 'cause one of the points of using docker is you can do a multistage build where you start with a docker image that has all the build dependencies in it). Anyway, thanks for replying!

1 Like
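
Added example, not part of the original thread or of the SonarQube documentation: the documentation's YAML from above with the build step that the replies say must sit between SonarQubePrepare@5 and SonarQubeAnalyze@5, run on a Linux agent. The pool image, the `**/*.csproj` glob and the Release configuration are assumptions; the endpoint and project key are the documentation's placeholders.

```yaml
trigger:
- master # or the name of your main branch
- feature/*

pool:
  vmImage: 'ubuntu-latest'   # assumption: Microsoft-hosted Linux agent

steps:
# Prepare Analysis Configuration task ("begin" step).
# Its log reports the embedded Scanner for .NET, e.g. "SonarScanner for MSBuild 5.8".
- task: SonarQubePrepare@5
  inputs:
    SonarQube: 'YourSonarqubeServerEndpoint'
    scannerMode: 'MSBuild'
    projectKey: 'YourProjectKey'

# Build on the agent, from the same folder as the begin/end steps.
# Without a build between Prepare and Analyze the scanner fails with
# "SonarQube was unable to collect the required information about your projects."
- task: DotNetCoreCLI@2
  displayName: 'dotnet build'
  inputs:
    command: 'build'
    projects: '**/*.csproj'               # assumption: adjust to your project or solution
    arguments: '--configuration Release'  # assumption

# Run the tests after the build; coverage report settings are not shown here.
- task: DotNetCoreCLI@2
  displayName: 'dotnet test'
  inputs:
    command: 'test'
    projects: '**/*.csproj'               # assumption: adjust to your test projects
    arguments: '--configuration Release --no-build'

# Run Code Analysis task ("end" step). Its log reports the SonarScanner
# embedded in the Scanner for .NET (4.7.0.2747 in this thread).
- task: SonarQubeAnalyze@5

# Publish Quality Gate Result task
- task: SonarQubePublish@5
  inputs:
    pollingTimeoutSec: '300'
```

A Docker image build, if there is one, comes after these steps and copies the already-built output, as described in the last reply.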