Roslyn analyzer issues is not ignored

We are using Roslynator for static analysis of .net projects and have customized the default Roslynator rules in .editorconfig files. These customizations are not taken into account in the sonarscanner even that the build output doesn’t report these issues.
It looks to us that it is a behaviour that have changed recently since we earlier haven’t seen this problem.
We are running the build in GitHub Actions and are using the sonarscanner dotnet tool.

Hi,

Welcome to the community!

I’m not familiar with Roslynator. Does it provide its own unique set of rules?

Assuming so, you’re saying that even when its rules are suppressed and don’t show up in the build log, they do show up in SonarCloud? Can you give an example (screenshot) and your full verbose job logs?

The analysis / scanner log is what’s output from the analysis command. Hopefully, the log you provide - redacted as necessary - will include that command as well.

This guide will help you find them.

 
Ann

Here is a screenshot from SonarCloud that shows the scanner finds a lot of IDE0058 that are ignored in editorconfig.


And here is the build log without any IDE0058 findings
buildlog.txt (56.3 KB)

IDE0058 is actually not even a Roslynator rule but just a standard .net code analysis rule. I thought I had seen the issue with Roslynator rules but I can’t find that example now.

Hi,

So since IDE0058 isn’t a Roslynator rule, suppressing it in the Roslynator config would have no effect. So… there’s no problem?

 
Ann

It is still a problem but not only related to Roslynator.

Somehow the sonarscanner client find issues that are not reported by the build. IDE0058 is suppressed in editorconfig

Hi,

Okay, can we see the build log then?

Share the Scanner for .NET verbose logs

  • Add /d:"sonar.verbose=true" to the…
    • SonarScanner.MSBuild.exe or dotnet sonarscanner begin command to get more detailed logs
      • For example: SonarScanner.MSBuild.exe begin /k:"MyProject" /d:"sonar.verbose=true"
    • “SonarQubePrepare” or “SonarCloudPrepare” task’s extraProperties argument if you are using Azure DevOps
      • For example:
        - task: SonarCloudPrepare@1
            inputs:
              SonarCloud: 'sonarcloud'
              organization: 'foo'
              scannerMode: 'MSBuild'
              projectKey: 'foo_sonar-scanning-someconsoleapp'
              projectName: 'sonar-scanning-someconsoleapp'
              extraProperties: |
                sonar.verbose=true
        
  • The important logs are in the END step (i.e. SonarQubeAnalyze / SonarCloudAnalyze / “Run Code Analysis”)

Share the msbuild detailed logs

MsBuild.exe /t:Rebuild /v:d

or

dotnet build -v:d

 
Thx,
Ann

Here you go

debugbuildlog.txt (1.6 MB)

I did another experiment. If I add IDE0058 to the NoWarn property in the project file then sonarscanner will also ignore it.

So… we’re good?

 
Ann

It depends how your product should work;-)
If sonarscanner should respect what has been configured in .editorconfig then we are not good. If sonarscanner only fully respect what has been configured directly in the project-file then we are good.

Something has changed because we have been running fine with .editorconfig only until recently. Whether it is a change in .net and/or in sonarscanner I cannot tell.

Hi,

Here are the docs on it:

 
HTH,
Ann

The documentation states Issues from third-party Roslyn analyzers (including Roslyn analyzers provided by Microsoft) are included in the MSBuild output and imported by default into SonarCloud

In our case sonarscanner finds issues that are not included in the MSBuild output. So either sonarscanner should work as specified or we should be able to configure sonarscanner to avoid finding issues we have decided to ignore.

How can I make sure roslyn IDE0058 is not posted to SonarCloud?

We would like to see this category while editing locally (as a suggestion, not as a warning). But it should not be posted to SonarCloud.

  • ALM used: Azure DevOps
  • CI system used: Azure DevOps
  • Language used: C#
  • .editorconfig contains:
dotnet_diagnostic.IDE0058.severity = suggestion #Expression value is never used
  • Directory.Build.props contains:
<PropertyGroup>
	<NoWarn>IDE0058</NoWarn>
</PropertyGroup>
  • Error observed: SonarCloud still lists a lot of issues regarding IDE0058:

Consistency|Not conventional
Expression value is never used
roslyn:IDE0058 external_roslyn:IDE0058 roslyn
Software qualities impacted: Maintainability

I agree. We explicitly set the severity in .editorconfig and added NoWarn to Directory.Build.props in order to suppress these warnings in the past. This used to work fine.

Nevermind. I just found out that someone added another NoWarn after <NoWarn>IDE0058</NoWarn> causing the first one to be overridden.
Once consolidated into a single NoWarn node, the issue is resolved for us.

1 Like

Hello @Simplicitdk,

I tried to reproduce the issue but I was not able to.
When using the NoWarn property or the .editorconfig to disable an issue, it is working as expected for me: the issue does not appear in the analysis.

Would you be able to provide me with a reproducer?

This would help me to identify the issue.

Thank you,

Hi

I finally figured out the cause of our issues.

It seems that analyzer suggestions that are not reported in the MSBuild output are being picked up by sonarscanner anyways. You can reproduce it with the two commits in this repo GitHub - Simplicitdk/HelloWorld.
With the first commit it reports IDE0058 as a codesmell with medium severity. And with the second commit IDE0058 is being ignored.

I don’t think suggestions should show up as code smells. And I also think it is a behaviour that has changed recently in sonarscanner.

1 Like