Hi, we seem to have observed a regression with the release of SonarCloud Azure DevOps extension v3.0.3.

We configure SonarCloud to work in mono-repository setup, analyzing one C# project at a time.
The typical SonarCloudPrepare@2 (prior to migration to @3) looked like this:

- task: SonarCloudPrepare@2
    inputs:
      SonarCloud: "SonarCloud"
      organization: "<ORGANIZATION>"
      scannerMode: "dotnet"
      projectKey: "${{ parameters.sonarProjectKey }}"
      projectVersion: "$(Build.BuildNumber)"
      extraProperties: |
        sonar.cs.opencover.reportsPaths=${{ parameters.workingDirectory }}/test_output/Coverage/*/coverage.opencover.xml
        sonar.cs.vstest.reportsPaths=$(Agent.TempDirectory)/*.trx
        sonar.projectBaseDir=${{ parameters.workingDirectory }}

We recently updated all tasks to @3 version, which worked for some time. However, on 30.10.2024 our builds started to fail because task SonarCloudAnalyze@3 was no longer able to find sources to analyze. After examining the logs, we discovered that SonarCloud no longer respects sonar.projectBaseDir. While I cannot share logs directly, every single file that should be anayzed produced the following warning:

12:39:24.422  WARNING: File '/home/vsts/work/1/project/<projet-name-in-monorepo>/tests/SomeCode.cs' is not located under the base directory '/home/vsts/work/1/s' and will not be analyzed.

Notice that /home/vsts/work/1/s is a wrong base directory. The value of ${{parameters.workingDirectory}} is /home/vsts/work/1/project/<projet-name-in-monorepo>, and all sources are found in its subfolders.

We wasted half a day debugging CI until I pinned the version of all three SonarCloud tasks (SonarCloudPrepare, SonarCloudAnalyze, and SonarCloudPublish) to @3.0.2, which immediately resolved all the issues for us across the board.

Now I believe that we might have a suboptimal configuration, yet it worked perfectly fine until a minor (!) release by Sonar, which destroyed half of our deployment processes. I failed to find any other similar issue reported, so perhaps it is a unique situation, and at this points I have no resources to debug it further, so I’d welcome any insights in the issue.

(I did not debug which combination of @3.0.3 and @3.0.2 produces the issue, I can only confirm that if all tasks are @3 resolving to @3.0.3, it does not work, but if all tasks are @3.0.2, it works)

• ALM used: Azure DevOps
• CI system used: Azure DevOps
• Scanner command used when applicable:

- task: SonarCloudPrepare@3
  inputs:
     SonarCloud: "SonarCloud"
     organization: "<ORGANIZATION>"
     scannerMode: "dotnet"
     projectKey: "${{ parameters.sonarProjectKey }}"
     projectVersion: "$(Build.BuildNumber)"
     extraProperties: |
       sonar.cs.opencover.reportsPaths=${{ parameters.workingDirectory }}/test_output/Coverage/*/coverage.opencover.xml
       sonar.cs.vstest.reportsPaths=$(Agent.TempDirectory)/*.trx
       sonar.projectBaseDir=${{ parameters.workingDirectory }}

# Build and test dotnet app

- task: SonarCloudAnalyze@3 # Here it breaks
- task: SonarCloudPublish@3
  inputs:
     pollingTimeoutSec: "300"

• Languages of the repository: At least C#
• Error observed (wrap logs/code around with triple quotes ``` for proper formatting)

12:39:24.422  WARNING: File '/home/vsts/work/1/project/<projet-name-in-monorepo>/tests/SomeCode.cs' is not located under the base directory '/home/vsts/work/1/s' and will not be analyzed.

• Steps to reproduce: Nothing, as soon as @3 started to resolve to @3.0.3
• Potential workaround: Pinning version to @3.0.2, but unless it is resolved in future releases, we are stuck

Hi there, @ilia_k, welcome to the community

Thank you for reporting this issue. We are aware of this regression and are working on a fix. I’ll come back to this post once it is available.

Denis

Hi Ilia,

Thanks for reporting this.

In the Azure DevOps environment:

• The Scanner for .NET uses the Build.SourcesDirectory predefined variable as the project base directory. In your case, /home/vests/work/1/s. According to the documentation, this property points to “The local path on the agent where your source code files are downloaded.”
• The property sonar.projectBaseDir is ignored. This is a known issue that would require a major rework of how parameters are handled.

Why did it work before and it doesn’t work anymore (starting with SonarCloudPrepare@3.0.3)?

Previously, on Unix systems, the Scanner could not detect correctly that it runs in the Azure DevOps environment. Since the detection did not work, it failed back to other heuristics to find the project base directory. And that seems to work fine in your specific case.

Once the problem with environment detection was fixed in Scanner for .NET 9.0.1.102776, the Build.SourcesDirectory predefined variable is used by design.

In your specific case, the source files are cloned in a place other than Build.SourcesDirectory (/home/vsts/work/1 instead of /home/vsts/work/1/s). Can I ask why this is needed? Additionally, would it be possible to clone the sources at the default location?

Hi! We experienced this issue in a pipeline where we have two checkout steps: one brings in the actual repository, another one – additional CI scripts. Technically we could clone into Build.SourceDirectory and keep scripts elsewhere, it will not be a huge change, but the main issue here is that this is definitely a breaking change which was pushed as a patch (and if one references tasks as just @3, this patch was applied automatically), which completely broke our builds.

It would also be nice for dotnet scanner to respect some configuration, having a tool with a hardcoded path (even if it is set by devops agent) is an inconvenience for sure.

Hey there @ilia_k ,

You are right that this breaking behavior should not have been pushed on a patch but on a major.
The problem is that we did not actually change if the projectBaseDir parameter is respected when passed as part of extraProperties. It actually has not been working for a while, and thanks to threads like this we managed to pinpoint why.

The version changed something else, as Costin mentioned:

Previously, on Unix systems, the Scanner could not detect correctly that it runs in the Azure DevOps environment.

So since the scanner is now privy to the fact that it is running inside Azure Devops, some behaviors unfortunately changed and you got hit with this regression.

I apologize for this, as I can understand it can be frustrating.
We aim to fix it, but it will require a lot of work, and for now, please make use of the workaround with Builds.SourcesDirectory.

Regards,
Greg

Hey there!

Can I ask you to try pinning the version of S4NET to the freshly baked hotfix version, by adding this on your inputs of SonarCloudPrepare:

dotnetScannerVersion: '9.0.2.104486'

If everything works as expected, we will soon go ahead with embedding this version on the AZDO extension (meaning you will be able to remove the pinning).

Hm, it at least looks like it works. I pinned version of all tasks to 3.0.3 and then pinned scanner version. Checked on some dummy changes, Sonar discovered changed and uncovered lines as expected. This definitely moves in the correct direction and might resolve our issue fully.

That’s great to hear!
If you could do a test on a real project, it would be very helpful

Hi! I negotiated with the teams & we’ve been running this fix for a day already, affecting many dotnet projects. No issues so far, everything builds correctly & coverage is reported to Sonar Cloud. I guess we are good. We switched to @3 version of tasks, which yesterday (EU time) was resolving to 3.0.4, if that is important.

Great news!
I will go forward with scheduling a release of the AZDO extension.

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.