Running code duplication scan on same repository per folder and not for the whole Solution in a single Azure DevOps repository

In our product stack, we have an intricate project structure.

There is a main app that is responsible for core functions (routing, auth, etc.) and there are submodules. Submodules each consist of two Projects.

The solution structure is as follows:

UI for web stuff (js, cshtml) and Application for business logic (C#).

We have three submodules (six projects in total (3 modules * 2 projects) that run under the main app).

We have introduced SonarQube analysis, and for code duplications, by default, all six projects were scanned and it gave quite a few false positives. The modules are not intended to be coupled and anything overlapping is intentional. In SonarQube one can exclude or include things by file, folder, etc.; I couldn’t find a setting for how to run it per set of things.

The relevant bits of our Azure pipeline are as follows:

    variables:
      buildConfiguration: 'Release'
      SolutionPath: 'src/Solution.sln'
    steps:
    - task: NuGetToolInstaller@1
      inputs:
        versionSpec: '5.11.0'
        checkLatest: true
    - task: DotNetCoreCLI@2
      displayName: "Restoring Company.Department.UI Solution"
      inputs:
        command: 'restore'
        projects: '$(SolutionPath)'
        feedsToUse: 'config'
        nugetConfigPath: 'src/nuget.config'
    # Fail the build if `dotnet list package --vulnerable` reports any package
    - task: PowerShell@2
      displayName: Scan for NuGet vulnerabilities
      enabled: true
      inputs:
        targetType: inline
        # literal block (|) keeps one PowerShell statement per line
        script: |
          $solutionPath = '$(SolutionPath)'
          Write-Host $solutionPath
          ($output = dotnet list "$solutionPath" package --vulnerable)
          # vulnerable packages are listed on lines starting with '>'
          $errors = $output | Select-String '>'
          if ($errors.Count -gt 0) {
              foreach ($err in $errors) {
                  Write-Host "##vso[task.logissue type=error]Found vulnerable NuGet package $err"
              }
              exit 1
          }
          exit 0
    - task: UseNode@1
      displayName: Use Node 16.x
      inputs:
        version: 16.x
        checkLatest: true
    - task: SonarQubePrepare@5
      inputs:
        SonarQube: 'SonarQube'
        scannerMode: 'MSBuild'
        projectKey: 'R-Department_Department-Frontend'
        extraProperties: "# Additional properties that will be passed to the scanner, \n# Put one key=value per line, example:\n# sonar.exclusions=**/*.bin\nsonar.cs.vscoveragexml.reportsPaths=$(Agent.TempDirectory)/**/*.coveragexml\nsonar.coverage.exclusions=**/*.js,**/*.cshtml"
    - task: DotNetCoreCLI@2
      displayName: "Building"
      inputs:
        command: 'build'
        projects: $(SolutionPath)
        arguments: --configuration $(buildConfiguration)
    - task: DotNetCoreCLI@2
      displayName: "Running Tests"
      inputs:
        command: test
        projects: >-
        arguments: --configuration $(buildConfiguration) --no-build --collect "Code Coverage"
    # Convert each binary .coverage file to .coveragexml so SonarQube can import it
    - task: PowerShell@2
      displayName: Create coveragexml file
      inputs:
        targetType: inline
        script: |
          Get-ChildItem -Recurse -Filter "*.coverage" | % {
              $outfile = "$([System.IO.Path]::GetFileNameWithoutExtension($_.FullName)).coveragexml"
              $output = [System.IO.Path]::Combine([System.IO.Path]::GetDirectoryName($_.FullName), $outfile)
              "Analyse '$($_.Name)' with output '$outfile'..."
              . $env:USERPROFILE\.nuget\packages\microsoft.codecoverage\15.8.0\build\netstandard1.0\CodeCoverage\CodeCoverage.exe analyze /output:$output $_.FullName
          }
    - task: SonarQubeAnalyze@5
      displayName: Run Code Analysis
    - task: SonarQubePublish@5
      displayName: Publish Quality Gate Result

What we have tried so far was to set up four SonarQube projects that point to the same folder on local.
Then run four times

    - task: SonarQubePrepare@5
    - task: SonarQubeAnalyze@5
    - task: SonarQubePublish@5

Three runs filter out all the other sub-project folders and the shared code.
The fourth run filters out the sub-projects and runs it for the Shared one.

This worked on local.
However, in our development infrastructure we use Azure DevOps, and there we cannot set up multiple SonarQube projects pointing to the same repository.

Running with the same SonarQube project id four times just overwrites the previous run and you get only results for whichever is last.

How to set up SonarQube to check for code duplication by folder or per group of projects and not for the whole Solution in a single Azure DevOps repository?


Welcome to the community!

I’ll preface this with the fact that I’m not an Azure expert, by any stretch of the imagination…

If everything is working correctly once you move to Azure but the overwriting (yes, I know this is a big ‘but’) then you should be able to fix it just by passing a different project key in for each sub-project. That may require that you set them up manually, rather than by import, though.
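
One way to wire up the suggestion above, as an added example that is not part of the original thread: the prepare/build/analyze/publish sequence is repeated per scan group, each with its own project key and its own exclusions. The module folder names (`ModuleA`, `ModuleB`, `ModuleC`, `Shared`), the key suffixes and the `scanTargets` parameter are assumptions, and the four SonarQube projects are assumed to have been created manually beforehand.

```yaml
# Added example: one SonarQube project per scan group, so runs do not overwrite each other.
# Folder names and project-key suffixes are hypothetical placeholders.
parameters:
- name: scanTargets
  type: object
  default:
  - name: ModuleA
    projectKey: 'R-Department_Department-Frontend-ModuleA'
    exclusions: '**/ModuleB.*/**,**/ModuleC.*/**,**/Shared/**'
  - name: ModuleB
    projectKey: 'R-Department_Department-Frontend-ModuleB'
    exclusions: '**/ModuleA.*/**,**/ModuleC.*/**,**/Shared/**'
  - name: ModuleC
    projectKey: 'R-Department_Department-Frontend-ModuleC'
    exclusions: '**/ModuleA.*/**,**/ModuleB.*/**,**/Shared/**'
  - name: Shared
    projectKey: 'R-Department_Department-Frontend-Shared'
    exclusions: '**/ModuleA.*/**,**/ModuleB.*/**,**/ModuleC.*/**'

steps:
# Restore, NuGet vulnerability scan and Node setup from the question run once, before this loop.
- ${{ each target in parameters.scanTargets }}:
  - task: SonarQubePrepare@5
    displayName: 'Prepare analysis (${{ target.name }})'
    inputs:
      SonarQube: 'SonarQube'
      scannerMode: 'MSBuild'
      projectKey: ${{ target.projectKey }}   # distinct key per group
      extraProperties: |
        sonar.exclusions=${{ target.exclusions }}
  - task: DotNetCoreCLI@2
    displayName: 'Build (${{ target.name }})'
    inputs:
      command: 'build'
      projects: '$(SolutionPath)'
      # --no-incremental forces recompilation so every scan observes a full build
      arguments: --configuration $(buildConfiguration) --no-incremental
  # The test and coverage-conversion steps from the question would go here.
  - task: SonarQubeAnalyze@5
    displayName: 'Run Code Analysis (${{ target.name }})'
  - task: SonarQubePublish@5
    displayName: 'Publish Quality Gate Result (${{ target.name }})'
```

Because files from other groups are excluded from each analysis, duplication is only computed within the group that a given project key covers.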