
Documentation for version 3.0 of the SonarQube extension

This documentation refers to the deprecated way to trigger SonarQube analyses, when using:

  • either an old version (< 4.0) of the SonarQube extension
  • or the new version of that extension, but using the deprecated versions of the SonarQube tasks.


Installation

  1. Make sure the .NET Framework v4.5.2+ is installed
  2. Make sure the Java Runtime Environment 8 is installed
  3. Download the latest 3.x VSIX on the "Releases" page of the GitHub repository
  4. Install it through TFS:
    1. Navigate to the "Manage Extensions" page on your TFS server
    2. Click on the green Upload new extension button on the top right and follow the instructions.

Use

Analyzing with SonarQube Scanner for MSBuild

Use the two SonarQube Scanner for MSBuild tasks to analyze Visual Studio solutions.

Configure

  1. Under the Build category, find and add the SonarQube Scanner for MSBuild - Begin Analysis and the SonarQube Scanner for MSBuild - End Analysis tasks
  2. Reorder the tasks to respect the following order:
    • SonarQube Scanner for MSBuild - Begin Analysis task before any MSBuild or Visual Studio Build task.
    • SonarQube Scanner for MSBuild - End Analysis task after the Visual Studio Test task.



  3. Click on the SonarQube Scanner for MSBuild - Begin Analysis build step to configure it:
    1. The SonarQube Server section allows you to define the endpoint (i.e. SonarQube Server instance) to use.
      You can:
      • select an existing endpoint from the drop down list
      • add a new endpoint
      • manage existing endpoints

      Remarks

      This is equivalent to setting the sonar.host.url, sonar.login and sonar.password arguments on a local call.

    2. The SonarQube Project Settings section allows you to specify which SonarQube project to use.

      • Project Key - the unique project key in SonarQube

      • Project Name - the name of the project in SonarQube

      • Project Version - the version of the project in SonarQube

      Remarks

      This is the equivalent of setting the sonar.projectKey, sonar.projectName and sonar.projectVersion arguments on a local CLI call.

  4. Click the Visual Studio Test task and check the Code Coverage Enabled checkbox to process the code coverage and have it imported into SonarQube. (Optional but recommended)
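
The local call that the two Remarks above refer to, as an added example (not part of the original documentation). The server URL, project key, name and version, the solution file and the SONAR_TOKEN environment variable are assumptions, as is having SonarQube.Scanner.MSBuild.exe and MSBuild.exe on the PATH.

```powershell
# Added example: local equivalent of the Begin Analysis / build / End Analysis sequence.
# All values below are placeholders chosen for illustration, not taken from the page.
$ErrorActionPreference = 'Stop'

$serverUrl      = 'https://sonarqube.example.internal'  # endpoint         -> sonar.host.url
$projectKey     = 'example:my-project'                  # Project Key      -> sonar.projectKey
$projectName    = 'My Project'                          # Project Name     -> sonar.projectName
$projectVersion = '1.0'                                 # Project Version  -> sonar.projectVersion
$solution       = 'MySolution.sln'

# sonar.login accepts a user token, which makes sonar.password unnecessary.
# Reading it from the environment keeps the credential out of the script
# and out of source control.
$token = $env:SONAR_TOKEN
if ([string]::IsNullOrWhiteSpace($token)) {
    throw 'SONAR_TOKEN is not set; refusing to run an unauthenticated analysis.'
}

# Run one step and stop the whole sequence if the tool returns a non-zero exit code.
function Invoke-Step {
    param([string]$Name, [scriptblock]$Command)
    & $Command
    if ($LASTEXITCODE -ne 0) {
        throw "$Name failed with exit code $LASTEXITCODE"
    }
}

# Begin step: must run before any MSBuild or Visual Studio Build step.
Invoke-Step 'begin' {
    SonarQube.Scanner.MSBuild.exe begin `
        "/k:$projectKey" "/n:$projectName" "/v:$projectVersion" `
        "/d:sonar.host.url=$serverUrl" "/d:sonar.login=$token"
}

# Build step: the scanner hooks into this MSBuild run.
Invoke-Step 'build' { MSBuild.exe $solution /t:Rebuild }

# (Tests with code coverage would run here, before the end step.)

# End step: credentials given to the begin step are not stored,
# so sonar.login has to be passed again.
Invoke-Step 'end' { SonarQube.Scanner.MSBuild.exe end "/d:sonar.login=$token" }
```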

Note

The Scanner for MSBuild hooks into the MSBuild pipeline, and will modify the properties listed below:

  • All existing code analyzers in the projects are removed to prevent duplicate issues from being reported.
  • The SonarC# and SonarVB analyzers are added, and the CodeAnalysisRuleSet is updated to match the SonarQube quality profile.
  • WarningsAsErrors is turned off to avoid breaking the build before the reported issues are submitted to SonarQube.

If your build process cannot tolerate these changes, we recommend creating a second job for SonarQube analysis.

 

Analysis Reports

Queue a new build. At its completion, you should see the Quality Gate status reflected at the bottom of the Build Summary.

By default, the SonarQube Scanner for MSBuild - End Analysis task waits for the SonarQube analysis report to be consumed in order to flag the build job with the Quality Gate status. A project's Quality Gate status indicates at each analysis whether the application passes or fails its release criteria. In other words, it tells you at every analysis whether an application is ready for production "quality-wise".

 

Pull Request commenting

When analysis is triggered from a Pull Request, the SonarQube Scanner for MSBuild - End Analysis task decorates the updated source code in the Pull Request with the new code quality issues, instead of pushing the analysis report to the SonarQube server.

Analyzing with SonarQube Scanner CLI Task

Use this task to analyze any file not relying on MSBuild compilation (JavaScript, VB6...). The extensive list of supported language plugins can be found here.

Configure

  1. Under the Build category, find and add the SonarQube Scanner CLI task 
  2. Click on the SonarQube Scanner CLI build step to configure it.
    1. The SonarQube Server section allows you to define the endpoint (i.e. SonarQube Server instance) to use.
      You can:
      • select an existing endpoint from the drop down list
      • add a new endpoint
      • manage existing endpoints

      Remarks

      This is equivalent to setting the sonar.host.url, sonar.login and sonar.password arguments on a local call.

    2. The SonarQube Project Settings section allows you to specify which SonarQube project to use.

      • Project Key - the unique project key in SonarQube

      • Project Name - the name of the project in SonarQube

      • Project Version - the version of the project in SonarQube

      Remarks

      This is the equivalent of setting the sonar.projectKey, sonar.projectName and sonar.projectVersion arguments on a local CLI call.

Analysis Reports

Currently, neither reports nor Pull Request analysis comments are supported in this mode. However, if the SonarQube Scanner CLI detects that the current analysis is part of a Pull Request, the analysis will not be pushed to the SonarQube server.

 
