SonarCloud prepare for azure devops changes output of msbuild

Hi there,

First of all, I’m still not sure if this is a bug or if I’m using SonarCloud incorrectly, but some things have been surprising me a lot while using the tool.

I have installed the SonarCloud analyzers in my solution, and they work great for local builds. The problems start happening when I try to build on a windows agent (windows-latest). For some reason, the SonarCloudPrepare step:

- task: SonarCloudPrepare@1
  inputs:
    SonarCloud: 'ascent-backend-pipeline'
    organization: 'nexusinno'
    scannerMode: 'MSBuild'
    projectKey: 'ascent'
    projectName: 'ascent'

Will change the output of my MSBuild step, adding some warnings to the build. I already find it odd that a “prepare” step changes the output of MSBuild. Furthermore, the warnings raised in MSBuild are warnings that I ignore in my .ruleset file, which is why it actually works on my local build without any warnings:

  <Rules AnalyzerId="SonarAnalyzer.CSharp" RuleNamespace="SonarAnalyzer.CSharp">
    <Rule Id="S1128" Action="None" />
    <Rule Id="S4529" Action="None" />
    <Rule Id="S4825" Action="None" />
  </Rules>

So, basically, my question is: why does SonarCloudPrepare change the output of my build, and why does that output raise warnings that are ignored in my .ruleset file?

Hi @larryautravail. Welcome to the community.

Yes, the SonarCloudPrepare step can change the configuration of rules that are run. It won’t affect the binaries that are produced, but it will impact the set of issues that are raised.

This is by design, and it is done so that the set of rules that is executed can be configured in SonarQube/SonarCloud using the Quality Profiles. This means the administrator can centrally configure the rules that are executed for all projects and across all languages, rather than having to configure each project locally.

When the Prepare step is run, it looks at the Quality Profile for the project on the server to see which SonarC#/SonarVB rules are enabled for the project and generates a ruleset so just those rules are run.
If your MSBuild project also has a local ruleset then the two rulesets will be merged, with the generated ruleset taking priority.

That is why your local settings for SonarC# rules are being overridden in the Azure Pipeline build.
If your project also referenced third-party Roslyn analysers then any ruleset configuration for those analysers would not be overridden since the generated ruleset won’t contain any settings for them.

If you want to configure the rules that are executed in the Azure Pipeline then the way to do it is to customise the Quality Profile for your SonarCloud project.
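
Added example (not part of the thread and not SonarSource's code): a simplified Python model of the merge described in the answer above, where the generated ruleset wins on conflict and analyzers it does not mention keep their local settings. The generated ruleset, its actions, and the StyleCop.Analyzers entry are constructed for illustration; only the SonarAnalyzer.CSharp block of the local ruleset comes from the question.

```python
import xml.etree.ElementTree as ET

# Local ruleset: the SonarAnalyzer.CSharp block is from the question; the
# StyleCop.Analyzers block is constructed to represent a third-party analyzer.
LOCAL_RULESET = """<RuleSet Name="Local" ToolsVersion="15.0">
  <Rules AnalyzerId="SonarAnalyzer.CSharp" RuleNamespace="SonarAnalyzer.CSharp">
    <Rule Id="S1128" Action="None" />
    <Rule Id="S4529" Action="None" />
    <Rule Id="S4825" Action="None" />
  </Rules>
  <Rules AnalyzerId="StyleCop.Analyzers" RuleNamespace="StyleCop.Analyzers">
    <Rule Id="SA1200" Action="None" />
  </Rules>
</RuleSet>"""

# Constructed stand-in for the ruleset the Prepare step generates from the
# Quality Profile; the actions here are assumptions, not real server output.
GENERATED_RULESET = """<RuleSet Name="Generated" ToolsVersion="15.0">
  <Rules AnalyzerId="SonarAnalyzer.CSharp" RuleNamespace="SonarAnalyzer.CSharp">
    <Rule Id="S1128" Action="Warning" />
    <Rule Id="S4529" Action="Warning" />
    <Rule Id="S4825" Action="None" />
  </Rules>
</RuleSet>"""


def parse_ruleset(xml_text):
    """Return {(analyzer_id, rule_id): action} for every <Rule> element."""
    actions = {}
    for rules in ET.fromstring(xml_text).iter("Rules"):
        for rule in rules.iter("Rule"):
            actions[(rules.get("AnalyzerId"), rule.get("Id"))] = rule.get("Action")
    return actions


def merge_rulesets(local_xml, generated_xml):
    """Merge two rulesets; on conflict the generated entry wins."""
    local, generated = parse_ruleset(local_xml), parse_ruleset(generated_xml)
    effective = {**local, **generated}  # later dict (generated) takes priority
    overridden = {k: (local[k], generated[k])
                  for k in local.keys() & generated.keys() if local[k] != generated[k]}
    return effective, overridden


if __name__ == "__main__":
    effective, overridden = merge_rulesets(LOCAL_RULESET, GENERATED_RULESET)
    for (analyzer, rule), (was, now) in sorted(overridden.items()):
        print(f"{analyzer} {rule}: local {was} -> effective {now}")
```

Running a comparison like this against a ruleset exported from the project's Quality Profile shows which local suppressions will stop applying once the Prepare step is in the pipeline.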

Thank you very much for the detailed answer.

I also just realized that the warnings that are produced by adding the SonarCloud prepare step do not break my build with TreatWarningsAsErrors=true, which is the behavior I expected.

This makes things a lot clearer to me,
Have a great day.