.NET core project Sonar analysis is empty but SonarLint shows issues

Continuing the journey setting this up I have run into another “problem”. I tested 3 .netcore projects and all of them come back with no issues (only some code duplication). That should make me happy, but I did try sonarlint in VS for one of those projects and it found some issues. So I am thinking maybe I am not checking everything? It doesn’t standard check all possible checks? Is there something I need to configure?

Hi @eriksteinebach!

Can you please show the following?

  • debug level logs for one of the projects with sonarcloud (add /d:"sonar.verbose=true" to the extraProperties key in the SonarCloudPrepare task)

Joe

Here I added the results from the analyze task:
sonarcloud.txt (2.5 MB)

Hi @eriksteinebach ,

I don’t see anything obvious yet from your logs. What issue(s) and which files are you not seeing in SonarCloud that you are seeing in SonarLint?

Here’s what I see in your logs that could be problematic:

  • 2021-02-16T22:14:53.4741509Z 22:14:53.149 DEBUG: 227 non excluded files in this Git repository
    Please check your .gitignore file for the correct files to be excluded. There may be files that are not scanned in SonarCloud that SonarLint can scan.
  • Here are the sonar.sources I see for the first of your “modules”:
2021-02-16T22:14:00.6964519Z 40E7A4B7-848D-4EC4-92D5-DC3062096F81.sonar.projectName=Company.ProductAccess.Infrastructure
2021-02-16T22:14:00.6965669Z 40E7A4B7-848D-4EC4-92D5-DC3062096F81.sonar.projectBaseDir=D:\\a\\1\\s\\Company.ProductAccess.Infrastructure
2021-02-16T22:14:00.6966541Z 40E7A4B7-848D-4EC4-92D5-DC3062096F81.sonar.sources=\
2021-02-16T22:14:00.6968835Z "D:\\a\\1\\s\\Company.ProductAccess.Infrastructure\\Deploy-AzureResourceGroup.ps1",\
2021-02-16T22:14:00.6969759Z "D:\\a\\1\\s\\Company.ProductAccess.Infrastructure\\Company.ProductAccess.json",\
2021-02-16T22:14:00.6972034Z "D:\\a\\1\\s\\Company.ProductAccess.Infrastructure\\Company.ProductAccess.parameters.json",\
2021-02-16T22:14:00.6973409Z "D:\\a\\1\\s\\Company.ProductAccess.Infrastructure\\Deployment.targets"

You should double-check each of the modules’ sonar.sources (just search sonar.sources in the log file) and make sure they include what you want. You may have accidentally excluded a file that SonarLint will still scan.

Here are a couple of warnings to consider remedying also:

Minor things to check

2021-02-16T22:15:00.3395927Z 22:15:00.338 WARN: The Data Dictionary is not configured for PLSQL analyzer which prevents rule(s) S3641, S3921, S3618, S3651 to raise issues. See https://sonarcloud.io/documentation/analysis/languages/plsql/

This is an optional configuration for your PL/SQL analysis. If you don’t care about those specific rules (see our rules repository here for more info), then you can ignore this warning. If you want to fix this warning, see our docs for more info: PL/SQL | SonarQube Docs

2021-02-16T22:15:01.9563616Z 22:15:01.954 WARN: 
2021-02-16T22:15:01.9572127Z 22:15:01.954 WARN: Unable to fully parse: D:/a/1/s/Company.ProductAccess.Migrations/Migrations/20200818-DRM-index-updates.sql
2021-02-16T22:15:01.9575515Z 22:15:01.954 WARN: Parse error starting from line 252
2021-02-16T22:15:01.9582441Z 22:15:01.955 WARN: 
2021-02-16T22:15:01.9583639Z 22:15:01.955 WARN: 
2021-02-16T22:15:01.9587364Z 22:15:01.955 WARN: Unable to fully parse: D:/a/1/s/Company.ProductAccess.Migrations/Migrations/20200818-DRM-index-updates.sql
2021-02-16T22:15:01.9590733Z 22:15:01.955 WARN: Parse error starting from line 259
2021-02-16T22:15:01.9591929Z 22:15:01.955 WARN: 
2021-02-16T22:15:01.9592831Z 22:15:01.956 WARN: 
2021-02-16T22:15:01.9594027Z 22:15:01.956 WARN: Unable to fully parse: D:/a/1/s/Company.ProductAccess.Migrations/Migrations/20200818-DRM-index-updates.sql
2021-02-16T22:15:01.9595207Z 22:15:01.956 WARN: Parse error starting from line 266
2021-02-16T22:15:01.9596085Z 22:15:01.956 WARN: 

The error is self-explanatory: double-check for any strange white-space or unusual characters. Check the file encoding on this file as well.

Joe


I added a picture of sonarlint in VS. As you can see these are warnings inside UserSkuManager.cs.

2021-02-16T22:14:00.7103005Z 28A3093A-823B-498D-AA85-0EF2AAE78513.sonar.projectName=Company.ProductAccess.BusinessLogic
2021-02-16T22:14:00.7103633Z 28A3093A-823B-498D-AA85-0EF2AAE78513.sonar.projectBaseDir=D:\a\1\s\Company.ProductAccess.BusinessLogic
2021-02-16T22:14:00.7104184Z 28A3093A-823B-498D-AA85-0EF2AAE78513.sonar.sourceEncoding=utf-8
2021-02-16T22:14:00.7104636Z 28A3093A-823B-498D-AA85-0EF2AAE78513.sonar.sources=

2021-02-16T22:14:00.7112519Z "D:\a\1\s\Company.ProductAccess.BusinessLogic\Managers\UserSkuManager.cs",\

It looks to me as if this file has been scanned correctly?

This is our gitignore file, I don’t see anything problematic here either:
gitignore.txt.txt (4.5 KB)

I did see the SQL warning in sonarcloud, but it was “on the side”, but that does mean it did check those files correctly? So it is sort of working, but warnings are not shown in sonarcloud?

@Joe did you have a chance to take a look at this? I think I am going to have to cancel my trial for sonarcloud, because I cannot get it to work.


I just noticed this. It looks as if 0 lines of code have been analyzed. So that would explain it didn’t find anything. But I have no idea why.

@Eric could you share the log file for the MSBuild step please?

There’s nothing obviously wrong in the logs for the “analyse” step, and it looks like the C# analyzer report files are being produced. However, it looks like the analyzers are not reporting any issues, so it would be useful to see what is actually passed to the csc.exe command line.

One possibility is that the RunAnalyzersDuringBuild property is false - see this thread for more info.

Hi Duncan, thanks for the reply. I am using a .net core build step in a yaml file. I have added the RunAnalyzerDuringBuild argument, because I did not have that one before, but not seeing a different result.

- task: SonarCloudPrepare@1
  inputs:
    SonarCloud: 'SonarCloud'
    organization: '<org>'
    scannerMode: 'MSBuild'
    projectKey: '<org>_company.productaccess'
    extraProperties: |
      sonar.verbose=true
- task: DotNetCoreCLI@2
  displayName: Build projects
  inputs:
    command: 'build'
    arguments: '--configuration $(BuildConfiguration) --no-restore /p:Version=$(GitVersion.NuGetVersion) /p:SourceLinkCreate=true /p:PublicRelease=true /p:RunAnalyzersDuringBuild=true'
    versioningScheme: byBuildNumber  
- task: SonarCloudAnalyze@1
- task: SonarCloudPublish@1
  inputs:
    pollingTimeoutSec: '300'

Here are the logs from the 4 steps:
SonarCloudPrepare.txt (11.7 KB)
Build projects.txt (149.2 KB)
SonarCloudAnalyze.txt (1.6 MB)
SonarCloudPublish.txt (987 Bytes)

Hi @eriksteinebach ,

In the SonarCloudPrepare.txt step, we see the issues on UserSkuManager, so the scanner is detecting it:

2021-02-23T18:45:08.5715331Z ##[warning]Company.ProductAccess.BusinessLogic\Managers\UserSkuManager.cs(394,80): Warning S927: Rename parameter 'stateId' to 'userSkuStatusId' to match the interface declaration.

In the SonarCloudAnalyze.txt step:

2021-02-23T18:45:29.8003759Z sonar.branch.name=erik_sonarcloud
...
2021-02-23T18:46:45.6413059Z 18:46:45.637 DEBUG: Merge base sha1: 5a3def9071c101ca57fd77f314747df2d6b828fa
2021-02-23T18:46:45.6414132Z 18:46:45.638 DEBUG: SCM reported changed lines for 0 files in the branch

It looks like the scanner is not seeing any changed lines on your erik_sonarcloud branch. Can you try your main/master branch and see what happens?

Joe

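A log-triage helper for the two checks raised in this thread: what each module's sonar.sources contains, and whether the scanner logged "SCM reported changed lines for 0 files" on a named branch. This is an added example, not part of the original posts or of SonarSource tooling; the function name `triage`, the `.cs` heuristic and the sample (assembled from log lines quoted above) are assumptions.

```python
import re

# Constructed sample, assembled from log lines quoted in this thread.
SAMPLE_LOG = r"""
2021-02-16T22:14:00.6964519Z 40E7A4B7-848D-4EC4-92D5-DC3062096F81.sonar.projectName=Company.ProductAccess.Infrastructure
2021-02-16T22:14:00.6966541Z 40E7A4B7-848D-4EC4-92D5-DC3062096F81.sonar.sources=\
2021-02-16T22:14:00.6968835Z "D:\\a\\1\\s\\Company.ProductAccess.Infrastructure\\Deploy-AzureResourceGroup.ps1",\
2021-02-16T22:14:00.6973409Z "D:\\a\\1\\s\\Company.ProductAccess.Infrastructure\\Deployment.targets"
2021-02-23T18:45:29.8003759Z sonar.branch.name=erik_sonarcloud
2021-02-23T18:46:45.6414132Z 18:46:45.638 DEBUG: SCM reported changed lines for 0 files in the branch
"""

TS = re.compile(r"^\d{4}-\d\d-\d\dT[\d:.]+Z\s+")  # Azure DevOps timestamp prefix
PROP = re.compile(r"^(?:([0-9A-Fa-f-]{36})\.)?(sonar\.[\w.]+)=(.*)$")
CHANGED = re.compile(r"SCM reported changed lines for (\d+) files in the branch")

def triage(log_text):
    """Collect branch, SCM changed-file count and per-module sonar.sources."""
    names, sources, findings = {}, {}, []
    branch = changed = collecting = None
    for raw in log_text.splitlines():
        line = TS.sub("", raw).strip()
        if collecting is not None:  # continuation of a sonar.sources list
            path = line.rstrip("\\").rstrip(",").strip('"')
            if path:
                sources[collecting].append(path.replace("\\\\", "\\"))
            if not line.endswith("\\"):
                collecting = None
            continue
        prop, scm = PROP.match(line), CHANGED.search(line)
        if prop:
            guid, key, value = prop.groups()
            if key == "sonar.branch.name":
                branch = value
            elif key == "sonar.projectName" and guid:
                names[guid] = value
            elif key == "sonar.sources" and guid:
                sources[guid] = []
                collecting = guid if value.endswith("\\") else None
        elif scm:
            changed = int(scm.group(1))
    modules = {names.get(g, g): files for g, files in sources.items()}
    if branch and changed == 0:
        findings.append(f"branch {branch}: SCM reported changed lines for 0 files")
    for name, files in modules.items():
        # Assumption: a C# module should list at least one .cs file.
        if not any(f.lower().endswith(".cs") for f in files):
            findings.append(f"module {name}: no .cs files in sonar.sources")
    return {"branch": branch, "changed_files": changed,
            "modules": modules, "findings": findings}
```

Call `triage()` on the text of the SonarCloudAnalyze log produced with sonar.verbose=true; a module flagged for having no .cs files may simply be a non-code project, as the Infrastructure module here is.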

Interesting, yes, on the master branch it works.

That is great, but we would like to see the warnings in the PR in bitbucket (before we merge into master)? Do you think this is possible?

@eriksteinebach: Yes, it is possible. Can you explain how you pass the relevant branch analysis (not pullrequest analysis) parameters (sonar.branch.name, sonar.branch.*, sonar.target.name) in your build pipeline for Azure DevOps? See Branch analysis details for details on how it works.

Also, can you show your entire pipeline and how the branch is determined?

If we can make sure this branch information is passed correctly on branch analysis, we should be able to make pullrequest analysis work.

Lastly, please test this outside of Azure DevOps also. Let’s make sure you can get branch analysis to work first, which does not require Azure DevOps or a CI system.

Hi Joe,

Thank you, that helps, because I didn’t set those up. I now added this:

- task: SonarCloudPrepare@1
  inputs:
    SonarCloud: 'SonarCloud'
    organization: '<org>'
    scannerMode: 'MSBuild'
    projectKey: '<project>'
    extraProperties: | 
        sonar.verbose=true
        sonar.branch.name=$(Build.SourceBranch)
        sonar.branch.target=master

On sonarcloud.io the branch now shows “failed” because I added an unused field to test. But in my pull request in bitbucket I don’t see this information yet. I can see “Code Quality” has been added and it says something like “loading sonarcloud” for a second, but after the field is empty. Screenshot:

I also tried removing the branch name (so it uses the original name “erik_sonarcloud” vs “/refs/heads/erik_sonarcloud”), but both gave the same result.

I guess I might have to configure something for that as well? Could you help me with this final step?

Thank you very much already for all your help

You’re welcome! Make sure to use sonar.branch.name so that SonarQube knows which branch you are using to pass to Azure DevOps and Bitbucket.

For bitbucket integration, please review our documentation:

This link includes a step-by-step tutorial from Microsoft and there’s a sample .NET project hosted on Bitbucket for comparison purposes.