SonarCloud prepare for azure devops changes output of msbuild

Hi there,

First of all, I’m still not sure if this is a bug of if I’m using SonarCloud incorrectly, but some things have been surprising me a lot while using the tool.

I have installed the SonarCloud analyzers in my solution, and they work great for local builds. The problems starts happening when I try to build on a windows agent (windows-latest). For some reason, the SonarCloudPrepare step:

- task: SonarCloudPrepare@1
    SonarCloud: 'ascent-backend-pipeline'
    organization: 'nexusinno'
    scannerMode: 'MSBuild'
    projectKey: 'ascent'
    projectName: 'ascent'

Will change the output of my MSBuild step, adding some warnings to the build. I already find it odd that a “prepare” step changes the output of MSBuild. Furthermore, the warnings raised in MSBuild are warnings that I ignore in my .ruleset file, which is why it actually works on my local build without any warnings:

  <Rules AnalyzerId="SonarAnalyzer.CSharp" RuleNamespace="SonarAnalyzer.CSharp">
    <Rule Id="S1128" Action="None" />
    <Rule Id="S4529" Action="None" />
    <Rule Id="S4825" Action="None" />

So, basically, my question is: why does SonarCloudPrepare change the output of my build, and why does that output raise warnings that are ignored in my .ruleset file?

Hi @larryautravail. Welcome to the community.

Yes, the SonarCloudPrepare step can change the configuration of rules that are run. It won’t affect the binaries that are produced, but it will impact the set of issues that are raised.

This is by design, and it is done so that the set of rules that is executed can be configured in SonarQube/SonarCloud using the Quality Profiles. This means the administrator can centrally the configure the rules that are executed for all projects and across all languages, rather than having to configure each project locally.

When the Prepare step is run, it looks at the Quality Profile for the project on the server to see which SonarC#/SonarVB are enabled for the project and generates a ruleset so just those rules are run.
If your MSBuild project also has a local ruleset then the two rulesets will be merged, with the generated ruleset taking priority.

That is why your local settings for SonarC# rules are being overridden in the Azure Pipeline build.
If your project also referenced third-party Roslyn analysers then any ruleset configuration for those analysers would not be overridden since the generated ruleset won’t contain any settings for them.

If you want to configure the rules that are executed in the Azure Pipeline then the way to do it is to customise the Quality Profile for your SonarCloud project.

Thank you very much for the detailed answer.

I also just realized that the warnings that are produced by adding the SonarCloud prepare step do not break my build with TreatWarningsAsErrors=true, which is the behavior I expected.

This makes things a lot clearer to me,
Have a great day.