SonarQube Enterprise Edition, Version 8.9 (build 43852)
In general: ensure that my .net code is properly checked with sonarqube on CI pipeline.
We are using:
- .NET 5
- docker container to serve the application AND build the code
- similar approach to the one on the official website: Dockerize an ASP.NET Core application | Docker Documentation
- mcr.microsoft.com/dotnet/sdk:5.0-alpine3.12 as a build image base
- azure devops pipelines to execute the build
- SonarQubePrepare/Analyze/Publish tasks are available
- docker build to compile the app inside the container
Assuming that the build is being done inside the docker container, using a specific environment and sdk version, I would like to ensure that exactly the same are used during the sonarqube scan.
I’m just afraid that if I execute the scan directly on a build agent, it could give me false positives or false negatives just because a different sdk and system was used.
So far I couldn’t find any way to run the sonarqube on my sources inside the build container and I’m wondering if it’s even needed…
The very first approach was to just checkout sources to the build agent and execute the scan on it directly in the pipeline - but this is exactly what I want to avoid (or maybe not? see the last question in this message).
Then I tried to copy the sources and artifacts from the container to the outside but this didn’t work at all as the sonar needs to be plugged-in during the msbuild compilation time.
Searching the web for sonarqube and docker, the results refer to the scanner that is a docker container rather than scanning the code that is being built inside the container.
Is there any way of achieving my goal that I’m missing?
Should I even care?
I learned that SonarQube for .net plugs into msbuild.exe, which in fact is being taken from the sdk folder, but still - if the source code is the same, can there be different findings or reports if a different version of the sdk is being used to compile the app?
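The approach the post is circling around (the scanner has to wrap the msbuild step, so run begin/build/end inside the build stage itself) as an added example that is not part of the original post. It assumes a hypothetical project key "my-project", a SonarQube server reachable from the build container at http://sonarqube:9000, an analysis token supplied as a BuildKit secret named sonar_token, the project's own main assembly name as a placeholder (MyApp.dll), and that the alpine 3.12 community repository provides the openjdk11-jre-headless package the scanner's end step needs; none of these names come from the post.

```dockerfile
# syntax=docker/dockerfile:1
# Added example (not from the original post): run SonarScanner for .NET in the
# same build stage that compiles the app, so the analysis sees exactly the SDK
# and OS the build uses. Assumptions: project key "my-project", SonarQube at
# http://sonarqube:9000, token passed as BuildKit secret "sonar_token",
# assembly name MyApp.dll (all placeholders).
FROM mcr.microsoft.com/dotnet/sdk:5.0-alpine3.12 AS build
WORKDIR /src

# The "end" step is Java-based. The JRE lives only in this build stage and
# never reaches the runtime image below.
RUN apk add --no-cache openjdk11-jre-headless

# Install the scanner as a global dotnet tool (pin --version to a release you
# have validated in real use so the build is reproducible).
RUN dotnet tool install --global dotnet-sonarscanner
ENV PATH="${PATH}:/root/.dotnet/tools"

COPY *.csproj ./
RUN dotnet restore
COPY . ./

# begin -> build -> end in ONE layer: the token is read from the secret mount
# at build time and never written into an image layer, and the .sonarqube
# working directory that "begin" creates is still present when "end" runs.
RUN --mount=type=secret,id=sonar_token \
    SONAR_TOKEN="$(cat /run/secrets/sonar_token)" && \
    dotnet sonarscanner begin \
        /k:"my-project" \
        /d:sonar.host.url="http://sonarqube:9000" \
        /d:sonar.login="$SONAR_TOKEN" && \
    dotnet build -c Release --no-restore && \
    dotnet sonarscanner end /d:sonar.login="$SONAR_TOKEN" && \
    dotnet publish -c Release --no-restore --no-build -o /app/publish

# Runtime image contains neither the SDK, the JRE, the scanner nor the token.
FROM mcr.microsoft.com/dotnet/aspnet:5.0-alpine3.12 AS runtime
WORKDIR /app
COPY --from=build /app/publish .
ENTRYPOINT ["dotnet", "MyApp.dll"]
```

Build it with BuildKit enabled, e.g. `DOCKER_BUILDKIT=1 docker build --secret id=sonar_token,src=./sonar_token.txt -t myapp .`, so the token is mounted for that single RUN step only. Two caveats: the build container must be able to reach the SonarQube server during the end step (it uploads the report itself), and this path bypasses the Azure DevOps SonarQubePrepare/Analyze/Publish tasks, which run on the agent, so the pipeline should not also invoke them. The reason the scan has to sit around `dotnet build` is that the C# rules run as Roslyn analyzers inside the compilation, which is also why the SDK that compiles the code is the one whose compiler version the analysis observes.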