SonarScanner for dotnet AND MSBuild on Windows

SonarQube Server / Community Build
1

Must-share information (formatted with Markdown):

  • SonarQube 10.3 on Windows, Bamboo add-on “Include Code Quality for Bamboo” v3.3.3 by Mibex Software
  • how is SonarQube deployed: zip file
  • what are you trying to achieve:
    We need to install the Sonar scanner for dotnet and support dotnet core as well as MSBuild on Windows agents as well as dotnet core on Linux in addeition to the generic scanner
  • what have you tried so far to achieve this:
    Downloaded the Dotnet Core 3.1+ media and installed on a dev Windows server
    It is not clear how to install dotnet core scanner while staying the previous MSBuild scanner. It appears that the zipfile for dotnet core 3.1+ version 6.2 has files both for dotnet core and MSBuild. Our installer people are confused as to which files applies for what. Please advice.
    We need to get an installation of dotnet core for Windows while keeping our current scanner for MSBuild. It seems there is a batch file in a folder called sonar-scanner-5.0.1.3006\bin, Is that the one to run for dotnetcore n Windows? In that case, which file is supposed to be executed for dotnet core on Linux? THe instruction is confusing. Why doies the Windows instruction for how to run a dotnet core scan on Windows point to a MSBuild file?
dotnet <path to SonarScanner.MSBuild.dll> begin /k:"project-key" /d:sonar.token="<token>"
dotnet build <path to project file or .sln file> --no-incremental
dotnet <path to SonarScanner.MSBuild.dll> end /d:sonar.token="<token>"
2

Hi,

Could you explain why?

 
Thx,
Ann

3

We are running dotnet core as well as legacy dotnet framework MSBuild builds on our Windows build servers and we use Atlassian Bamboo tasks. There are separate Bamboo tasks for dotnet core and MSBuild. These need to reference different scanners. Unless for some reason the scanner for dotnet core 3.1+ also include support for MSBuild scanning. THe scanner installation documentation is not very clear about the difference between the dotnet core 3.1 zip file and the NET Framework 4.6.2+ scanner and how these can be installed in parrallel.

5

Hi,

Thanks for the detail. I’m a bit out of my depth, so I’ve flagged this for more expert eyes.

 
Ann

6

Thx, I just added some more info about it as we run both legacy dotnet framework builds and dotnet core on the same build server

1 Like
7

We are getting the dotnet scanner to run on Windows but now there seem to be a dependency between the dotnet 3.1+ scanner and the cli scanner. Is that by design. We are getting error messages indicating such dependency.

Error: LinkageError occurred while loading main class org.sonarsource.scanner.cli.Main
error 24-Jun-2024 12:31:13 java.lang.UnsupportedClassVersionError: org/sonarsource/scanner/cli/Main has been compiled by a more recent version of the Java Runtime (class file version 61.0), this version of the Java Runtime only recognizes class file versions up to 55.0
error 24-Jun-2024 12:31:13 The SonarSc

8

Ok, so we need to upgrade to Java17.

9

Just want to give a status update on this one. So, the version we installed of the dotnet core scanner (6.2) required a certain version of the CLI/generic scanner. We were not aware that there were dependencies between the different scanners. Perhaps the approach moving forward have to be to update all three scanners always at the same time. The dotnet core, the MSBuild, and the CLI one.

We also installed Java 17 to support the latest version of the scanner, but that installation made the Windows agents not checking in to the Bamboo main server. So we had to rollback to Java 11 and install 5.x versions of the dotnet core scanner and the cli. So now it seems to work when you run a scan on a new build a second time (the first time we run it dont see any code).

We will need to address the issue with Java 17 before we can upgrade the scanners to version 6.2.

1 Like
11

Hey there.

To clear up a few things:

Unless for some reason the scanner for dotnet core 3.1+ also include support for MSBuild scanning

Yes, it should work.
To be precise, the scanner version and the project you are actually scanning are not coupled at all.
From the docs:

The flavor used to compile the Scanner for .NET (either .NET Framework, .NET Core or .NET) is independent of the .NET version the project you want to analyze has been built with. Concretely, you can analyze .NET Core code with the .NET Framework version of the Scanner. It’s only relevant depending on your OS, and on the versions of .NET SDKs that are installed on your build machine.

Why does the Windows instruction for how to run a dotnet core scan on Windows point to a MSBuild file?

There are three “main” ways to run the scanner (from the same docs as above):

image

The reason for this is backwards compatibility as well as flexibility.
Specifically, the Scanner.MSBuild.exe begin one is for users that do not have the dotnet tool installed, so they just need an exe.

The prefered way is the dotnet global tool , as it is the simplest way via dotnet sonarscanner begin, but any of these three should work for you.

Ok, so we need to upgrade to Java17.

Correct, if you install scanner >= 6.0.0, the support for Java11 has been dropped.

TLDR:
I do not know what Include Code Quality for Bamboo is, but if this image is correct:

image
image870×495 76.2 KB

…you should be able to use any pair of:

  • SonarScanner for .NET Core - (Begin/End) Analysis
  • SonarScanner for MSBuild - (Begin/End) Analysis

The other scanners are for other languages, and if you scan only .NET projects you can ignore them.

Caveat: I am not sure how this is actually run by Bamboo, as this is a third party software that we do not control.

13

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.