SonarScanner with BuildWrapper does not analyze all source code

SonarQube Server / Community Build
, ,
1
  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
    • SonarQube: sonarqube-10.6.0.92116
    • Scanner: sonar-scanner-cli-6.1.0.4477-windows-x64
    • BuildWrapper: build-wrapper-win-x86
  • how is SonarQube deployed: zip
  • what are you trying to achieve: Analyzing the c++ source code with BuildWrapper.
  • what have you tried so far to achieve this
    Hello
    I have built the Visual Studio2022 solution(.sln) by MSBuild with BuildWrapper.
    The BuildWrapper output build-wrapper-dump.json, build-wrapper.log, and compile_commands.json in bw-output folder.
    Then, I scanned the output with sonar-scanner, but the source codes included in the target .sln file are not analyze.
    I want to analyze all files specified in the solution file(.sln).

I upload the following items.

  • bw-output
  • command of BuildWrapper and sonar-scanner
  • Sonar-scanner output

Note.
Some files and paths have been renamed because they contain sensitive information.
BuildWrapper_SonarScanner_logs.zip (11.2 KB)

2

Hi there and welcome, @Endo

First of all, since you added the dotnet tag and use the build-wrapper, I assume you are attempting to analyze a solution containing a mix of dotnet (C#, VB.NET) and C++ code. Am I right?

Would you mind sharing an overview of the content of your solution (in terms of projects and languages)?

Denis.

3

I’m sorry, dotnet tag is my mistake.
Our solution contains only c, c++ code.

4

To begin with, is my command of BuildWrapper and Scanner correct?

5

Hello Denis

I can give you more information if you need to investigate this case.
I’d like to know the current situation.

7

Hello @Endo, and sorry for the delayed response,

From what I can tell, the build wrapper output looks OK; three files are being compiled and captured.

What is missing is the indexing of the source files. It seems you are running the scanner under

C:\Users\admin\VsProjects\TargetProj\(Project)\Win, but the source files are in C:\Users\admin\VsProjects\TargetProj\(SystemLayer)\Src\code1.C.

You would need to either run the scanner under TargetProj, or explicitly point sonar.projectBaseDir to that directory (I am guessing that is the project’s root).

If it still does not work, do not hesitate to come back. Please enable verbose logging if you don’t get the analysis to run (run the scanner with -X). It will help with the debugging.

9

Hello @aalvarez

Sorry for late replay.

I want to scan the code with build wrapper.

Our source files are located in each project folder as follows.
ProjectC.sln contains not only ProjectC.vcproj but also the ProjectA.vcxproj and ProjectB.vcxproj.

I know that we can specify the scan target path by setting files.
But as mentioned above, our source code files are located in wide-ranging folders with different parent folders.

We can scan the code of Project A, B and C by specifying the root folder.
However the root folder contains a lot of projects, so we cannot specify the target/untarget code path.

I understand that the build wrapper helps to scan in this situation.
I have tried to build ProjectC.sln with build wrapper and scan the code by specifying compile_commands.json the wrapper output.

Is my understanding of the build wrapper correct?

Root
 |- ProjectA
 |    |-ProjectA.vcxproj
 |    |-source
 |       |- some source code files of ProjectA
 |       
 |- ProjectB
 |    |-ProjectA.vcxproj
 |    |-source
 |       |- some source code files of ProjectB
 |
 |- ProjectC
 |     |-ProjectC.sln
 |     |-ProjectC.vcxproj
 |     |-source
 |        |- some source code files of ProjectC
 |
 |- ProjectD
      |-ProjectD.vcxproj
      |-source
         |- some source code files of ProjectD
10

The reason for build-wrapper is to capture the compilation flags so we can know how to analyze the code: macros, architecture, language, standard, etc. Not to select the files to analyze. That is the job of sonar-scanner.

It is true, however, that CFamily will not analyze any indexed file that has not been built, but it will not analyze any built file that has not been indexed either. There must be an intersection.

For your case, I would, per sub-project

  1. Always point sonar.projectBaseDir to Root
  2. Use sonar.sources to select only the subset you want per project

And leave the rest as-is, as build-wrapper is capturing what you want.

An example, if I understood your explanation

sonar.projectName=ProjectC
sonar.projectBaseDir=/Absolute/Path/To/Root
sonar.sources=ProjectC/sources
11

In fact, our .sln file contains many projects.
And there are some solutions that contain a project that we do not want to scan.

So it is desirable that we are able to specify the scan target by the both .sln and .vcxproj files, not by the folder path.

12

Unfortunately, that is not possible. The files to index are selected via sonar.sources, sonar.inclusions, and sonar.exclusions. SonarScanner does not support indexing based on a specific solution or project file.

13

What you could do is the following: When you build your solution, instead of building the full solution, only build the projects that you are interested in. This way, the build wrapper will only contain the files of interest to you.

14

I see.
I will try to specify the scan target in sonar-project.properties.

Thank you Alejandro.

This way, the build wrapper will only contain the files of interest to you.

It seems that the way is useful when focusing the target.
But Alejandro said that the build-Wrapper’s output does not contain the scan target path.

Because .sln and .vcxproj have the source code path, so I want to know the way to specify the scan target by .sln file instead of sonar-project.properties.
But it seems that the solution is to use sonar-project.properties so far.

Thank you Loïc.