New SonarQube project that needs code from multiple repositories

Must-share information:

  • SonarQube Server Developer edition 9.9.4.87374, installed on IIS VM

We have a few C# solutions that include code from multiple different repositories.
I’m trying to set up the SonarQube project (using ‘create project’), but it only lets me select one repository.

How do I configure the SonarQube project so that it can scan the application as a whole, pulling in the code from each of the component repositories?

The end goal is to run this SonarQube project as part of our Azure DevOps build pipeline.

I’ve been searching through https://docs.sonarsource.com/ but haven’t found anything that seems to fit the scenario.

Hi,

Generally, it’s one build per repo, and one project per build.

You say you’ve got multiple repos that all build together? Would you mind sharing what technical constraints led you to that solution?

And in the meantime, I think you’re not going to be able to use the onboarding wizard to create the project in SonarQube. Instead, just add analysis to your pipeline, and the project will be created on the next run.

That said, I assume the SCM metadata in your workspace will be quite a melange, and that is likely to have interesting impacts on analysis. Analysis uses SCM metadata to understand which code is new and to assign issues to their creators. But it expects to only find a single repo’s data in the workspace. So you may need to disable the SCM detection part of analysis. But let’s cross that bridge when we come to it.

 
Ann

Less ‘technical constraints’ and more ‘technical debt’. These are old solutions in a monorepo, and they bring in utility code from an even older separate monorepo.
We are replacing these as time permits but have a requirement to implement scans in the meantime.

I did add SonarQube prepare/analysis/publish to my DevOps build pipeline for one of these projects, and ran it. The prepare worked fine but the analysis ended up basically attempting to scan everything in the repo and eventually crashed allocating memory.

Is there a way to tell prepare/analysis to look at the solution/code being built, and only scan code in that solution or included project files?

Hi,

Ehm… that should be what happens automatically. That said, we’ve recently expanded .NET analysis to include other languages by default, so I suppose it would pick up all the e.g. JS code in the monorepo by default.

So let’s start by turning that feature back off. Can you add /d:sonar.scanner.scanAll=false to the prepare/begin step?

Note that for non-C# projects, I would advise you to set exclusions, but the SonarScanner for .NET doesn’t process them in the same way other scanners do - it still analyzes the files, and then filters out those results at the end, so you would (probably) still face the memory problems & crash.

 
Ann