
Analysis of Visual Studio Solutions with the SonarQube Scanner for MSBuild

At the end of April 2015, during the Build Conference, Microsoft and SonarSource announced SonarQube integration with MSBuild and Team Build. Today, half a year later, we’re releasing the SonarQube Scanner for MSBuild 1.0.2. But what exactly is the SonarQube Scanner for MSBuild? Let’s find out!

The SonarQube Scanner for MSBuild is the tool of choice for performing SonarQube analysis of any Visual Studio solution or MSBuild project. From the command line, a project is analyzed in three simple steps:

  • MSBuild.SonarQube.Runner.exe begin /key:project_key /name:project_name /version:project_version
  • msbuild /t:rebuild
  • MSBuild.SonarQube.Runner.exe end

The “begin” invocation sets up the SonarQube analysis. Mandatory analysis settings such as the SonarQube project key, name and version must be passed in, as well as any optional settings, such as paths to code coverage reports. During this phase, the scanner fetches the quality profile and settings to be used from the SonarQube server.

Then, you build your project as you would typically do. As the build happens, the SonarQube Scanner for MSBuild gathers the exact set of projects and source files being compiled and analyzes them.

Finally, during the “end” invocation, the remaining analysis data (such as Git or TFVC SCM information) is gathered, and the overall results are sent to the SonarQube server.
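As an added example (not code from the original post or from SonarSource), here is a PowerShell wrapper for the three-step begin / build / end sequence as a CI gate: it checks each step’s exit code so that “end” never runs after a failed “begin” or build. The scanner path, project key/name, the version scheme and the `/d:` extra-property switch are assumptions.

```powershell
# Added example: CI wrapper for the begin / build / end sequence of the
# SonarQube Scanner for MSBuild. All paths and names below are assumptions.
param(
    [string]$ProjectKey  = "example:project",      # assumed; use your own SonarQube project key
    [string]$ProjectName = "Example Project",
    # Assumed version scheme: derive the version from the CI build number so that
    # every analysis on the server is attributable to one build.
    [string]$Version     = $(if ($env:BUILD_NUMBER) { "1.0.$env:BUILD_NUMBER" } else { "1.0.0" }),
    [string]$ScannerExe  = "C:\tools\sonar-msbuild\MSBuild.SonarQube.Runner.exe", # assumed install path
    [string[]]$ExtraProps = @()   # optional key=value settings, e.g. coverage report paths (assumed /d: switch)
)

$ErrorActionPreference = "Stop"

if (-not (Test-Path $ScannerExe)) {
    throw "SonarQube Scanner for MSBuild not found at $ScannerExe"
}

# Step 1: "begin" fetches the quality profile and settings from the SonarQube
# server and prepares the MSBuild integration; key, name and version are mandatory.
$beginArgs = @("begin", "/key:$ProjectKey", "/name:$ProjectName", "/version:$Version")
foreach ($p in $ExtraProps) { $beginArgs += "/d:$p" }
& $ScannerExe @beginArgs
if ($LASTEXITCODE -ne 0) { throw "begin step failed with exit code $LASTEXITCODE" }

# Step 2: build as usual. The scanner hooks into MSBuild and records exactly the
# projects and source files that are compiled; a rebuild guarantees all of them are seen.
& msbuild /t:rebuild
if ($LASTEXITCODE -ne 0) {
    # Do not run "end": a partial build would upload an incomplete analysis.
    throw "msbuild failed with exit code $LASTEXITCODE; analysis not submitted"
}

# Step 3: "end" gathers the remaining data (SCM information) and uploads the results.
& $ScannerExe end
if ($LASTEXITCODE -ne 0) { throw "end step failed with exit code $LASTEXITCODE" }

Write-Host "Analysis of $ProjectKey version $Version submitted to SonarQube."
```

Run it from the directory containing the solution or project file, as you would run msbuild itself.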

Using the SonarQube Scanner for MSBuild from Team Foundation Server and Visual Studio Online is even easier: there is no need to install the scanner on build agents, and native build steps corresponding to the “begin” and “end” invocations are available out-of-the-box (see the complete Microsoft ALM Rangers documentation for details).

A similar experience has been available to Jenkins users since version 2.3 of the Jenkins SonarQube plugin.

Compared to analyzing Visual Studio solutions with the sonar-runner and the Visual Studio Bootstrapper plugin, this new SonarQube Scanner for MSBuild offers many advantages:

  • Having a Visual Studio solution (*.sln) file is no longer a requirement, and customized *.csproj files are now supported! The analysis data is now extracted from MSBuild itself, instead of being retrieved by manually parsing *.sln and *.csproj files. If MSBuild understands it, the SonarQube Scanner for MSBuild will understand it!
  • For .NET, analyzers can now run as part of the build with Roslyn, which not only speeds up the analysis but also yields better results; instead of analyzing files one by one in isolation, the MSBuild integration enables analyzers to understand the file dependencies. This translates into fewer false positives and more real issues.
  • Enabling FxCop is now as simple as enabling its rules in the quality profile. There is no longer any need to manually set properties such as “sonar.visualstudio.outputPaths” or “sonar.cs.fxcop.assembly” for every project: all the settings are now deduced by MSBuild.

As a consequence, we are deprecating the use of sonar-runner and the Visual Studio Bootstrapper plugin to analyze Visual Studio solutions, and advise all users to migrate to the SonarQube Scanner for MSBuild instead. Before you begin your migration, here are a few things you need to be aware of:

  • The analysis must be executed from a Windows machine, with the .NET Framework version 4.5.2+ installed, and the project must be built using MSBuild 12 or 14. Note that the project you analyze can itself target older versions of the .NET Framework, but the SonarQube Scanner for MSBuild itself requires at least version 4.5.2 to run.
  • Obviously, you now need to be able to build the project you want to analyze!
  • Most old analysis properties (such as “sonar.cs.fxcop.assembly” and “sonar.dotnet.version”) are no longer used and should be removed. The only ones still useful are the paths to unit test result and code coverage reports.
  • The “sonar-project.properties” file is no longer used and should be deleted.

Try it out for yourself and get started! Download the SonarQube Scanner for MSBuild, install it, and start to analyze your projects! If you are new to SonarQube, the end-to-end guide produced by the Microsoft ALM Rangers will take you through every step.

*** This is a Security Bloggers Network syndicated blog from Sonar Blog RSS feed authored by Sonar. Read the original post at: https://www.sonarsource.com/blog/easy-analysis-of-visual-studio-solutions-with-the-sonarqube-scanner-for-msbuild