I am a software developer working on a primarily .NET C# project with an Angular front-end. I have full admin rights to the project, the Azure DevOps environment and the SonarQube Cloud environment.
Recently we have switched over from a local instance of SonarQube Server to SonarQube Cloud for analyzing our project. The SonarQube Server was configured by a colleague who is currently busy with other projects.
The analysis is being done via an Azure DevOps pipeline, configured via .yml. In the pipeline we have the following steps:
- DotNetCoreCLI@2 with the restore command
- SonarCloudPrepare@3
- DotNetCoreCLI@2 with the build command
- SonarCloudAnalyze@3
- SonarCloudPublish@3
The initial analysis of the project was going well. Using scannerMode ‘dotnet’ it scans everything that the DotNetCoreCLI build generates and analyses that as intended.
The issue that we’re having is that we have some additional files / folders in the root of the folder that it doesn’t analyze, but we do want it to. In short, the root of the project is as follows:
- /src folder
- /test folder
- /cicd folder containing various .yml files for our pipelines
- /infra folder containing Kubernetes and Azure Resource Management files
- various .yml files for our pipelines
The first two are correctly analyzed because they are part of the generated build. However, getting it to analyze the other files / folders has proven to be a bigger pain than I anticipated.
Please keep in mind that the following experiments may look very stupid, but this was my first experience with SonarQube and the AI tool I was recommended using proved to be less useful than I’d hoped.
Initially it was recommended to me that I should set the following:
```
sonar.sources=.
sonar.inclusions=**/*.yml,infra/**/*.*,cicd/**/*.*
```
The result of this was that it now did include the additional files, but it skipped everything in the /src folder. I was aware that for the ‘dotnet’ scannerMode sonar.sources would be ignored (as spelled out in the documentation), but apparently this combination just flat-out breaks the analysis.
Next up I was recommended using just the sonar.inclusions, but now it only included everything in the /test folder and skipped everything else.
After some back and forth the AI tool started recommending some magical attribute named sonar.additionalFiles after which I realized it was now just making things up as I could not find documentation on this.
I’ve attached a snippet of our pipeline configuration of the SonarCloudPrepare@3 task. This is the version that at least analyzes what the build generates but excludes anything else.
```yaml
# Prepare Analysis Configuration task
- task: SonarCloudPrepare@3
  displayName: 'SonarCloud prepare'
  inputs:
    SonarCloud: '$(SonarCloudServiceConnection)'
    organization: '$(OrganizationName)'
    scannerMode: 'dotnet'
    projectKey: '$(ProjectKey_BLOXS)'
    projectName: '$(ProjectName_BLOXS)'
    extraProperties: |
      sonar.exclusions=**/BLOXS.Data.Update/**,**/BLOXS.Data.Environment/Migrations/**,**/BLOXS.Data.Application.Migrations/**,**/ClientApp/**/*.spec.ts,**/ClientApp/e2e/**,**/*.resx
      sonar.coverage.exclusions=**/ClientApp/**,**/BLOXS.Data.Update/**,**/BLOXS.Data.*/Migrations/**,**/BLOXS.Data.*/20*/**
      sonar.cs.vscoveragexml.reportsPaths=$(System.DefaultWorkingDirectory)/TestResults/Coverage/coverage.xml
      sonar.verbose=true
      sonar.scanner.scanAll=false
      sonar.azureresourcemanager.activate=true
      sonar.kubernetes.activate=true
      sonar.yaml.activate=true
```
I am now kinda at the point that I start to think that using the ‘dotnet’ scannerMode limits you to whatever your build spews out and if you want it to analyze things outside of that scope you’re just out of luck.
What my end goal preferably would be is:
- it analyzes our source code including tests
- it analyzes our .yaml, Kubernetes and Azure Resource Manager files
- all preferably within the same SonarQube project
Any advice would be appreciated.