SonarCloud with custom roslyn analyzer for C# and JS

Hello,

I am exploring usage of SonarCloud for my team/project as a static code analysis tool of choice for C# and JS.
The functionality that we are looking for is being able to include customized rules/policies. From what I have found, it is possible in SonarQube using Roslyn Analyzers. It is also possible to include those policies in the general profile in SonarCloud. A few questions about this:

  1. Which Roslyn Analyzer should I choose? Is SonarC# the best choice when we think about integrating it with SonarCloud? For others, as this doc says (Importing Issues from Third-Party Roslyn Analyzers (C#, VB.NET) - Plugins - Doc SonarQube), configuration is more complex as it involves adding a NuGet package.
    What about JS, which analyzer would you recommend?
  2. Could someone explain step by step what is needed to include custom Roslyn Analyzers in the SonarCloud general profile?

Thanks,
Rafal

Hi @roofiq and welcome to the community!

Yes, SonarC# is built-in on SonarCloud. I would suggest you give it a try first and see if something is missing for you (let us know in that case).

Same for JS, we have our dedicated analyzer built-in on SonarCloud (SonarJS).

Please note however that if you need to analyze both codebases within the same analysis (targeting the same SonarCloud project), you will need to reference all your JS files in your CSPROJs, otherwise they won’t be picked up by the SonarScanner for .NET.

HTH,
Mickaël


Thanks @mickaelcaro.

I would have a few more questions regarding the integration with Azure DevOps.

  1. When I’m running analyses on short-lived branches, they are not being shown in SonarCloud; the code is there but no defects are being found. Do I need to change something in the SonarCloud configuration?
  2. For running SonarCloud analyses inside an Azure DevOps pipeline we have two main options - with MSBuild or just analyzing the directories that we can input manually.
    The MSBuild option takes quite a lot of time, I must say. Even when I’m testing it in a Pull Request scenario with 1 file changed (which, btw, works great with comments etc.) it takes a while.

On the other hand, in the PR scenario it seems like the comment is not being added when analysing with manually added directories.

Thanks for the help :slight_smile:

Hi @roofiq

Are you using our SonarCloud extension on Azure DevOps? If yes, this should be automatically detected / configured. Otherwise you’ll need to pass a sonar.branch.name parameter to the scanner.

The SonarScanner for .NET will add targets during the Prepare analysis configuration step, so that we can then hook into the subsequent MSBuild task. This can take a bit of time, yes, depending on how many issues we discover, as well as the size and complexity of your code.

How did you configure everything, by the way? I’m not sure I understand the “or just analyzing the directories that we can input manually.”

Thanks.
Mickaël

Yes, I’m using Azure DevOps. It is detecting branches but I’m getting this message:
“Default branch” branch has not been analyzed yet and you have multiple branches already. It looks like it is not your Main Branch, check your configuration.

And for those side branches I’m getting an A mark for all. That’s the thing. I’m using a free trial account, btw, maybe that’s the point?

When I said analysing manually, I meant using the Standalone scanner (that’s how it is called in the Azure DevOps task). OK, but I just checked this doc - Azure DevOps Integration | SonarQube Docs - and it says that it is just not for .NET code.

So .NET is being analysed with MSBuild, and if we would like to analyse JavaScript/TypeScript we should use this standalone scanner and point it to the root of the directory?

Hi @roofiq

Yes, the very first thing after creating your project on SonarCloud, you’ll need to analyze the default branch of your repository to define a baseline for all other branches.
Trial account is OK, there is no limit on this, only the 14 days :wink:

You have 2 solutions here: either you can analyze your JS/TS code with the SonarScanner for .NET, but all those files should be referenced as Items in your csprojs.

Or you can also do 2 analyses (but they should be in separate SonarCloud projects) one after the other, with only the .NET code first (with the SonarScanner for .NET) and then the JS/TS with the Scanner CLI (standalone).

Mickaël
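As an added illustration of the first option Mickaël describes (referencing the JS/TS files as Items in the csproj so the SonarScanner for .NET picks them up, also mentioned in his first reply), here is a sample SDK-style project file. This is example configuration written for this thread, not code from SonarSource or from the original posts; the paths (wwwroot, ClientApp) are assumed, and the exclusions are an assumption to keep vendored and minified code out of the analysis.

```xml
<Project Sdk="Microsoft.NET.Sdk.Web">

  <PropertyGroup>
    <!-- assumed target framework; adjust to your project -->
    <TargetFramework>net6.0</TargetFramework>
  </PropertyGroup>

  <ItemGroup>
    <!-- Hand-written client sources, referenced as None items so they are
         listed as project files for SonarScanner for .NET without being
         compiled or published. Excluding node_modules and bundled/minified
         output keeps third-party and generated code out of the analysis
         (assumed directory layout). -->
    <None Include="ClientApp\src\**\*.js;ClientApp\src\**\*.ts"
          Exclude="ClientApp\node_modules\**;ClientApp\src\**\*.min.js" />
    <None Include="wwwroot\js\**\*.js"
          Exclude="wwwroot\js\**\*.min.js;wwwroot\lib\**" />
  </ItemGroup>

</Project>
```

With this in place, a single SonarScanner for .NET run on the same SonarCloud project covers both the C# and the JS/TS files; without it, only the C# sources are reported, which matches the behaviour described in the thread.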