SonarLint ruleset file in Visual Studio

Hi,

I have questions about how to control modifications in ruleset files on Visual Studio. The point is, I don’t want any modification in rules by any others (developers), so how can I avoid it without blocking it via the TFS configuration file? That is my actual option.

There is no specific documentation about that. It’s difficult to improve the Quality Processes if anyone else can disable rules and then recompile the solution.

Thanks.

There is no way to limit the access to ruleset files from SonarLint. If your source control allows this, you could limit the access to these files on SCM level, but the developers will still be able to modify the files locally and compile the solution.

SonarLint will complain if a ruleset is different from the Quality Profile on SonarQube, but if someone is so inclined to compile and commit without certain rules enabled, SonarLint will not prevent them from doing it.

In case you use (or could use) branches, pull requests and code reviews in your development workflow, a better option would be to include build steps with Scanner for MSBuild in your CI process and prevent the PRs from merging into the master branch if the SonarQube quality gate fails. This way the quality will be assessed on the build agents, the local ruleset files will be ignored and the developers will not be able to interfere.

In any case, if the developers themselves don’t want to improve the quality of their code, it will be difficult to solve the problem with just tools…

Could you please elaborate further on the following statement?

SonarLint will complain if a ruleset is different than the Quality Profile on SonarQube

I’ve tried disabling a rule locally while in Connected Mode and there is no warning related to that.

I’m thinking that disabling a rule from Visual Studio could happen by mistake or curiosity and then I don’t seem to find any indicator of this change that could be visible to the developer, besides opening the ruleset file with an XML editor.

Apologies for the delay in responding. I’ll reply anyway as the information might be of interest to other forum users.

SonarLint for VS performs the checks when the bound solution is opened, or when the Update button in the SonarLint tab of the Team Explorer is clicked.

It actually performs two checks:

  • that the appropriate projects reference the ruleset generated from the Quality Profile, and
  • that the effective ruleset is not weaker than the Quality Profile ruleset (i.e. it is possible for developers to locally edit a ruleset to activate more rules).
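The two checks described above can also be reproduced outside Visual Studio, for example as a CI step that fails the build when a committed .ruleset has been weakened relative to a baseline copy of the Quality Profile ruleset. The script below is an added example, not SonarLint's own code: it parses the standard Visual Studio .ruleset XML (`<Rule Id="..." Action="..."/>`), reports rules that are active in the baseline but disabled, hidden or missing in the effective file, and verifies that a project file's `CodeAnalysisRuleSet` entries point at the expected ruleset. The rule ids, file names and project snippet are constructed placeholders; the "weaker" notion follows the forum answer (deactivating rules is flagged, activating extra rules is not).

```python
import os
import xml.etree.ElementTree as ET

# Actions that keep a rule enforced in a .ruleset file. "None" disables the
# rule and "Hidden" suppresses its diagnostics, so both count as not enforced.
ACTIVE_ACTIONS = {"Info", "Warning", "Error"}

# Constructed baseline: a copy of the ruleset generated from the Quality
# Profile (placeholder rule ids, not a real SonarLint export).
QP_RULESET = """<?xml version="1.0" encoding="utf-8"?>
<RuleSet Name="Rules for MyProject" Description="Quality Profile" ToolsVersion="14.0">
  <Rules AnalyzerId="SonarAnalyzer.CSharp" RuleNamespace="SonarAnalyzer.CSharp">
    <Rule Id="S1234" Action="Warning" />
    <Rule Id="S2345" Action="Warning" />
    <Rule Id="S3456" Action="Warning" />
  </Rules>
</RuleSet>
"""

# Constructed local edit: S2345 switched off, S3456 deleted, S4567 added.
LOCAL_RULESET = """<?xml version="1.0" encoding="utf-8"?>
<RuleSet Name="Rules for MyProject" Description="Quality Profile" ToolsVersion="14.0">
  <Rules AnalyzerId="SonarAnalyzer.CSharp" RuleNamespace="SonarAnalyzer.CSharp">
    <Rule Id="S1234" Action="Warning" />
    <Rule Id="S2345" Action="None" />
    <Rule Id="S4567" Action="Warning" />
  </Rules>
</RuleSet>
"""

# Constructed legacy-style project file (namespaced); SDK-style projects
# without the xmlns attribute are handled by the same code.
PROJECT_FILE = r"""<?xml version="1.0" encoding="utf-8"?>
<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup Condition="'$(Configuration)'=='Debug'">
    <CodeAnalysisRuleSet>..\.sonarlint\myprojectcsharp.ruleset</CodeAnalysisRuleSet>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)'=='Release'">
    <CodeAnalysisRuleSet>..\.sonarlint\myprojectcsharp.ruleset</CodeAnalysisRuleSet>
  </PropertyGroup>
</Project>
"""


def parse_ruleset(xml_text):
    """Return {rule_id: action} for every <Rule> element in a .ruleset document."""
    root = ET.fromstring(xml_text)
    return {rule.get("Id"): rule.get("Action", "None") for rule in root.iter("Rule")}


def find_weakened(baseline, effective):
    """Rule ids that are active in the baseline ruleset but disabled, hidden or
    absent in the effective one. Extra rules in the effective ruleset are not
    reported, since activating more rules than the profile is allowed."""
    weakened = [
        rule_id
        for rule_id, action in baseline.items()
        if action in ACTIVE_ACTIONS
        and effective.get(rule_id, "None") not in ACTIVE_ACTIONS
    ]
    return sorted(weakened)


def _local_name(tag):
    # Strip a "{namespace}" prefix so legacy and SDK-style projects compare alike.
    return tag.rsplit("}", 1)[-1]


def project_references_ruleset(csproj_text, ruleset_filename):
    """True if the project declares at least one CodeAnalysisRuleSet and every
    declaration (any build configuration) points at the expected file name."""
    root = ET.fromstring(csproj_text)
    refs = [
        el.text.strip()
        for el in root.iter()
        if _local_name(el.tag) == "CodeAnalysisRuleSet" and el.text
    ]
    return bool(refs) and all(
        os.path.basename(ref.replace("\\", "/")) == ruleset_filename for ref in refs
    )


def audit(baseline_xml, effective_xml, csproj_xml, ruleset_filename):
    """Combine both checks; returns (ok, list_of_findings) for a CI gate."""
    findings = []
    if not project_references_ruleset(csproj_xml, ruleset_filename):
        findings.append(f"project does not reference {ruleset_filename} in every configuration")
    for rule_id in find_weakened(parse_ruleset(baseline_xml), parse_ruleset(effective_xml)):
        findings.append(f"rule {rule_id} is active in the Quality Profile but not enforced locally")
    return (not findings, findings)


if __name__ == "__main__":
    ok, findings = audit(QP_RULESET, LOCAL_RULESET, PROJECT_FILE, "myprojectcsharp.ruleset")
    for line in findings:
        print("WEAKENED:", line)
    raise SystemExit(0 if ok else 1)
```

Run against the constructed inputs, the script reports S2345 (set to None) and S3456 (removed) and exits non-zero, which is the behaviour a build step needs in order to block a merge; committing the Quality Profile export as the baseline keeps the comparison offline and independent of what a developer has edited in their working copy.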