I have introduced SonarCloud in my organization, and we would like to have a rule that prevents having code dependencies on pre-release packages.
It doesn't seem to exist in the Sonar Rules base. Does anyone know if such a rule is already there?
If not, what would it take to make a custom rule?
Hello @themathmagician
Thank you for suggesting this rule idea. I created the issue New rule idea: Mark pre-release nuget package as non compliant · Issue #8351 · SonarSource/sonar-dotnet · GitHub in our repository. Implementing this rule is possible but also challenging. I think it is worth the effort as it makes sense to track dependencies on pre-releases. I’m unaware of any third-party analyzers that provide such functionality, but chances are that someone already implemented and released such an analyzer on NuGet. If you find such an analyzer or want to implement it, you can include it in your project, and it will show up as an “external” issue in your SonarCloud or SonarQube server.
Nice idea: You might want to have a look at: https://dotnet-project-file-analyzers.github.io for a lot of rules on project files. As mentioned, they are not recognized by Sonar yet, but they are recognized by your compiler/build.
We just shipped a version supporting this: NuGet Gallery | DotNetProjectFile.Analyzers 1.3.1
We just shipped a version that also supports CPM: NuGet Gallery | DotNetProjectFile.Analyzers 1.4.0
Hi there, @themathmagician, @Corniel
If you use the new v8+ version of the scanner for .NET (v8.0.2 at the time of this post), it will automatically find all files that can be analyzed by one of our languages.
Since csproj is an XML-based file, you can add the extension to the set of extensions for XML files.
Doing this, any issue raised by any Roslyn analyzer on the csproj file will be automatically included in the SonarCloud analysis.
In short:
- In SonarCloud, in your project’s General Settings (from the administration menu at the bottom left), in the languages section, choose the XML language and add .csproj as an extension
- Include the package @Corniel gave a reference to, commit and push
You should see the issues detected by the analyzer as new issues once the analysis completes.
Please note: if Sonar decides to create rules on csproj, we will have to claim the .csproj extension for the csharp language, which will create an error if you have mapped it to a different language. In that case, you will have to remove the extension from the XML language.
Denis
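The check requested at the top of the thread, as an added example that is not part of any post and is not the code of Sonar or DotNetProjectFile.Analyzers: a stand-alone script a CI step could run over `.csproj` or `Directory.Packages.props` content to flag pre-release package versions. The function names and the `Contoso.*` packages are constructed for illustration; versions supplied through MSBuild properties such as `$(SomeVersion)` are assumed out of scope and are not resolved.

```python
import re
import xml.etree.ElementTree as ET

# SemVer 2.0: a pre-release label follows the numeric core after "-".
# Build metadata after "+" is not a pre-release marker. "*" covers floating labels.
PRERELEASE = re.compile(r"^\d+(?:\.\d+){0,3}-[0-9A-Za-z.*-]+(?:\+[0-9A-Za-z.-]+)?$")

def local(tag):
    """Strip an XML namespace (old-style csproj files declare one)."""
    return tag.rsplit("}", 1)[-1]

def versions_in(spec):
    """Yield each version in a NuGet version spec, including ranges like [1.0,2.0-rc)."""
    for part in spec.strip("[]() ").split(","):
        if part.strip():
            yield part.strip()

def find_prerelease(project_xml):
    """Return (package, version spec) pairs that reference a pre-release version."""
    hits = []
    for el in ET.fromstring(project_xml).iter():
        if local(el.tag) not in ("PackageReference", "PackageVersion"):
            continue
        name = el.get("Include") or el.get("Update") or "?"
        spec = el.get("Version") or el.get("VersionOverride")
        if spec is None:  # version given as a child element instead of an attribute
            child = next((c for c in el if local(c.tag) == "Version"), None)
            spec = child.text if child is not None else None
        if spec and any(PRERELEASE.match(v) for v in versions_in(spec)):
            hits.append((name, spec.strip()))
    return hits

# Constructed sample project file; none of these packages are real.
SAMPLE = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Contoso.Stable" Version="2.1.0" />
    <PackageReference Include="Contoso.Beta" Version="3.0.0-beta.2" />
    <PackageReference Include="Contoso.Build" Version="1.4.0+sha.abc123" />
    <PackageReference Include="Contoso.Range" Version="[1.0.0, 2.0.0-rc.1)" />
    <PackageReference Include="Contoso.Child"><Version>0.9.0-preview</Version></PackageReference>
    <PackageVersion Include="Contoso.Cpm" Version="5.0.0-alpha" />
  </ItemGroup>
</Project>"""

if __name__ == "__main__":
    for package, spec in find_prerelease(SAMPLE):
        print(f"pre-release dependency: {package} {spec}")
```
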