Hi @alexvaccaro. It’s not clear to me from this thread whether you are on the same team as @Schumi or have a different topic altogether.
RE: msbuild, like @mickaelcaro said, most of our analysis runs during msbuild.
The analysis is done in two steps:
- during the build - our native Roslyn analyzers are running for most of the rules (~250 in the default QP); also, UCFG files are created for the vulnerability injection analysis which is done in the SonarCloudAnalyze step
- during the SonarCloudAnalyze step - our security engine runs over the UCFG files to find vulnerabilities - we currently have 12 rules that detect injection vulnerabilities
The msbuild debug logs don’t help that much; we’d need the `msbuild /v:d /p:reportanalyzer=true > build.log` logs. At the end of each project compilation, it will print out a list with each of our rules and how much time it took. Like this we can detect outliers, and also maybe projects that are outliers. We can then advise based on this info.
If you want, we can continue this topic in a private thread, like we did with @Schumi. Or we can continue here.
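As an added illustration of what you can do with that `reportanalyzer` log once you have it (this is example code, not a SonarSource tool), the script below parses the per-project analyzer timing table and flags rules that are outliers against the median. The column layout (time, percentage, analyzer name) is assumed from MSBuild's report format; the sample log, project paths, rule ids `S1001`–`S1004` and timings are constructed for the example.

```python
import re
import statistics
import sys
from collections import defaultdict

# Constructed sample of the per-project analyzer report that
# "msbuild /v:d /p:reportanalyzer=true > build.log" writes. The column layout
# (time, percentage, analyzer name) is assumed from MSBuild's report format;
# project paths, rule ids and timings are made up for this example.
SAMPLE_LOG = r"""
Project "C:\src\Web.csproj" on node 1 (default targets).
Total analyzer execution time: 10.500 seconds.
   Time (s)    %   Analyzer
      0.210    2   S1001
      0.190    2   S1002
      9.800   93   S1003
      0.300    3   S1004
Done Building Project "C:\src\Web.csproj" (default targets).
Project "C:\src\Core.csproj" on node 2 (default targets).
Total analyzer execution time: 0.850 seconds.
   Time (s)    %   Analyzer
      0.200   24   S1001
      0.180   21   S1002
      0.250   29   S1003
      0.220   26   S1004
Done Building Project "C:\src\Core.csproj" (default targets).
"""

# "Project "<path>" on node N" opens a project section in the MSBuild log.
PROJECT_RE = re.compile(r'^Project "([^"]+)"')
# One table row: seconds, percentage, analyzer/rule name.
ROW_RE = re.compile(r"^\s*(\d+\.\d+)\s+(\d+)\s+(\S.*?)\s*$")


def parse_analyzer_report(log_text):
    """Return {project_path: {analyzer_name: seconds}} parsed from a build log."""
    timings = defaultdict(dict)
    project = None
    for line in log_text.splitlines():
        m = PROJECT_RE.match(line)
        if m:
            project = m.group(1)
            continue
        m = ROW_RE.match(line)
        if m and project is not None:
            seconds, _percent, name = m.groups()
            timings[project][name] = float(seconds)
    return dict(timings)


def project_totals(timings):
    """Total analyzer time per project, slowest project first."""
    totals = {p: sum(rules.values()) for p, rules in timings.items()}
    return dict(sorted(totals.items(), key=lambda kv: kv[1], reverse=True))


def find_outliers(timings, factor=5.0):
    """(project, rule, seconds) for rules slower than `factor` x the median rule time."""
    all_times = [t for rules in timings.values() for t in rules.values()]
    if not all_times:
        return []
    median = statistics.median(all_times)
    rows = [
        (p, name, t)
        for p, rules in timings.items()
        for name, t in rules.items()
        if t > factor * median
    ]
    return sorted(rows, key=lambda row: row[2], reverse=True)


if __name__ == "__main__":
    # Pass the path to build.log as the first argument; otherwise use the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            log = fh.read()
    else:
        log = SAMPLE_LOG
    parsed = parse_analyzer_report(log)
    print("Analyzer time per project:")
    for path, total in project_totals(parsed).items():
        print(f"  {total:8.3f}s  {path}")
    print("Outlier rules (> 5x median):")
    for path, rule, secs in find_outliers(parsed):
        print(f"  {secs:8.3f}s  {rule}  in {path}")
```

Run it as `python analyzer_report.py build.log` against a real log; with no argument it runs over the constructed sample, where `S1003` in `Web.csproj` stands out at 9.8 s against a median of about 0.2 s. The outlier threshold (`factor`) is a judgement call, so adjust it to the size of your solution.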