Static analysis only of .Net projects

scanner

(Mc Matty) #1

Sonarqube 7.1
SonarScanner.MSBuild.exe 4.4.2
SonarQube Scanner 3.2.0.1227

So what I am trying to do here is use Sonarqube as the static analysis engine for code checking. Not interested in unit tests results etc just the built in code analysis rules and reporting.

Now this is due to the fact that I may not have access to all the resources required to build a project and for my purpose I don’t need them - only the source code.
As an example a vendor delivers a binary without source which required decompiling and analysis performed against it.

Is there a way to leverage the analysis only without requiring a build? This should be possible given the way the rules are written but is it possible through the scanners - I believe it used to be possible with the CLI and this is a very useful feature.


(Antoine Vigneau) #2

Hello @McMatty,

As you mention SonarScanner.MSBuild.exe 4.4.2, may I ask which kind of languages you are analyzing? Assuming it’s all about C# and/or VB.NET, what you would like is not doable, simply because the rule violations are detected by the Roslyn compiler, during the MSBuild process.

To be more accurate, during the BEGIN step the scanner provides MSBuild with the targets needed to perform the code analysis, then the code is analyzed by MSBuild, and the END phase gathers the analysis results and sends them to SonarQube (I keep things simple).
Hence analyzing these languages with SonarQube Scanner CLI will not work as anyway the code analysis is performed by MSBuild.

Best,

Antoine
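The begin / build / end sequence described in the reply above, written out as a PowerShell wrapper. This is an added example, not a script from the thread or from SonarSource; the solution path, project key and server URL are assumptions, and the token is expected in the `SONAR_TOKEN` environment variable rather than on the command line.

```powershell
# Added example (not from the thread): drive the SonarScanner for MSBuild workflow.
# Assumed values: solution path, project key, server URL. Token comes from the environment.
param(
    [string]$Solution   = ".\MySolution.sln",        # assumed path
    [string]$ProjectKey = "my-project",              # assumed project key
    [string]$HostUrl    = "http://localhost:9000",   # assumed SonarQube server
    [string]$Token      = $env:SONAR_TOKEN           # user token; never hard-code it
)

$ErrorActionPreference = "Stop"

if (-not $Token) { throw "Set SONAR_TOKEN to a SonarQube user token before running." }

# Both tools must be resolvable on PATH (or replace these with explicit paths).
$scanner = Get-Command SonarScanner.MSBuild.exe -ErrorAction Stop
$msbuild = Get-Command MSBuild.exe -ErrorAction Stop

# BEGIN: the scanner injects the analysis targets and Roslyn analyzers into the build.
& $scanner.Source begin /k:"$ProjectKey" /d:sonar.host.url="$HostUrl" /d:sonar.login="$Token"
if ($LASTEXITCODE -ne 0) { throw "begin step failed (exit code $LASTEXITCODE)" }

# BUILD: this is where the rule violations are actually produced, by the compiler.
# A build that does not complete leaves nothing for the END step to collect.
& $msbuild.Source $Solution /t:Rebuild
if ($LASTEXITCODE -ne 0) { throw "build failed (exit code $LASTEXITCODE); no analysis results were produced" }

# END: gather the per-project results and upload them to SonarQube.
& $scanner.Source end /d:sonar.login="$Token"
if ($LASTEXITCODE -ne 0) { throw "end step failed (exit code $LASTEXITCODE)" }
```

The script stops at the first failing step so that a broken build is reported as such instead of surfacing later as an empty or partial analysis on the server, which is the practical consequence of the point made above: for C# and VB.NET the findings come out of the compiler, so there is no result set to upload until the build has run.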


(Mc Matty) #3

A range of languages C#, Java, JavaScript, TS, .Net standard and Framework and I was hoping to just use the same command line to keep things simple - unfortunately now I have to worry about three command line interfaces.

I guess my scenario is outside what Sonarqube is intended for as I want to use it as a static analysis tool - with the Roslyn rules a successful build doesn’t need to be a factor as the rules can be treated as external and not tied to MsBuild with a small amount of stub code.

I had just hoped there was a way to perform the scan without tying it to MSBuild.
As an alternative, if I populate the properties files and ProjectInfo.xml am I able to trick the subsequent scanning, as it just looks like these files are created based off csproj data?
Or is there any way around this?