SonarQube couldn't scan C# code on Azure web app for containers

I was trying to use SonarQube to scan my .NET MVC project, but I ran into some problems. First I deployed the SonarQube image to the Azure web app for containers as a service server. Then I followed the instructions to create CI on my Azure DevOps. After completing these steps, everything worked fine. The thing I couldn’t fix is that the scanner only scanned the static files, such as HTML, CSS… Files with the cs extension were all ignored.

Here are my environment and configurations:
Server - Azure web app (Linux) + SonarQube image with Community edition version 8.4.2 (build 36762)
DB - SonarQube embedded H2
MSBuild - latest version
Project - .NET MVC 4.7.2
SCM - Azure DevOps TFVC

sonarqube-log.txt (12.7 KB)

Hi @allen.c and welcome to the community :slight_smile:

Are you using the Scanner for MSBuild?

Hi @Christophe_Havard, thank you for your reply.

Yes, I’m pretty sure that I was using Scanner for MSBuild.
The way I set it up before running the analysis task: in the Azure DevOps CI pipeline, I inserted a “Prepare analysis on SonarQube” task and chose the option “Integrate with MSBuild” in the configuration section.

hey @allen.c,
Would it be possible for you to provide

  • the same log you provided, but in verbose mode. To activate it, you can edit your pipeline and add the following snippet at the beginning:

    variables:
    - name: system.debug
      value: true

  • the background task id of your latest background task on your SonarCloud project. You can find it by going into your project on SonarCloud, then Administration > Background Task. It should look like “AXUntmUOpEe8QSin3l8L”.

Cheers,
Christophe

Hi @Christophe_Havard,
The log in debug mode is attached, please take a look at it. Obviously, as the log shows, my .cs files were indexed, but the scanner only scanned HTML, CSS, and JavaScript as the final report.
For your second request, I have to say sorry, I’m not using SonarCloud. I set up the SonarQube service on the Azure web app for Linux, which is what I mentioned in the first topic. However, if you really need this information, the task id is also provided at the bottom of the log file.

Thank you.
sonarqube-debug-log.txt (51.0 KB)

Hi @allen.c

According to those latest logs, you’re not using the “Integrate with MSBuild” option.

May I ask which kind of pipeline you are using (YAML vs classic) and how you configured it?

Thanks.

Hi @mickaelcaro,

Oh no, I’m sorry about that. I forgot that I changed the pipeline settings for testing.
Here’s the new one with the “Integrate with MSBuild” option selected. Additionally, I also changed the SonarQube version to v7.4 LTS.

My updated environment and configs are as below:
Server - Azure web app (Linux) + SonarQube image with Community 7.9.4.35981 (build 36762)
DB - SonarQube embedded H2
MSBuild - 14.0
Project - .NET MVC 4.7.2
SCM - Azure DevOps TFVC
sq-debug-log.txt (83.4 KB)

Thank you for your kind help!

Could you please send us the build step log, ideally in a kind of verbose mode? Or maybe try that verbose mode and see on your side whether you see some logs related to SonarQube?

Hi @mickaelcaro,

Sure, the MSBuild log is attached. FYI.
Thank you.
msbuild-log.txt (5.5 KB)

Hi @mickaelcaro, @Christophe_Havard, any comments?
Thank you.

Hi @allen.c,
Out of curiosity, in your code repo, do you have an .sln file to hold your solution or only a .csproj (which is possible with .NET Core if I remember well)? Also, do you build the .csproj or the .sln?

Hi @Christophe_Havard,
Thank you for your rapid reply.
Yes, I have a .sln file in my solution, but I didn’t use it as the source for MSBuild, because I don’t want to scan the entire solution. I just want to scan the specific project, so I used MSBuild to build the .csproj file.
Besides, I’m not using .NET Core, it’s a .NET MVC 4.7.2 project.

ok, would it be possible for you to try the same config you have, but to scan the whole solution? Just as a test. Maybe it’s not this, but I’d like to be sure.

Hi @Christophe_Havard,

Sorry for my late reply and thanks for giving me that pointer. I followed the way you pointed out and tried to build the whole solution and scan it. It finally worked as I expected! I can see the C# analysis and reports now. Thank you so much!
Back to the original topic: if my project has many dependencies that take so much time to build and run, and I don’t want to scan those dependencies, how can I set the configuration to build and scan a specific project but not the entire solution? Would it be possible?

Hi @allen.c

(Sorry if you already read my redacted answer, this was not about your second question)

We don’t have a mechanism to exclude proper C# projects from analyses. However, with the help of sonar.exclusions, you can exclude a full set of source files which belong to a specific folder. You can read more about that in our Narrowing down the focus documentation.

Thanks!

@allen.c, I’m not sure if you’re still working on this, but would it be possible to create a separate solution with only the project(s) you want scanned in it? Then you can use that as the source of your build. :slightly_smiling_face: This probably won’t work if the project(s) you are building changes from run to run, though.

As a more general question to the group: is SonarScanner for .NET limited to .sln files only when working with .NET Full Framework, or is this also a limitation for .NET Core/.NET 5?

Hi @ahaleiii

With the .NET Core / .NET flavor, you can build single csproj files as well (starting with version 5.0 of the Scanner).

Mickaël
