{"id":10161,"date":"2015-08-24T12:52:00","date_gmt":"2015-08-24T12:52:00","guid":{"rendered":"https:\/\/blogs.msdn.microsoft.com\/visualstudioalm\/2015\/08\/24\/build-tasks-for-sonarqube-analysis\/"},"modified":"2022-08-02T03:59:37","modified_gmt":"2022-08-02T11:59:37","slug":"build-tasks-for-sonarqube-analysis","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/devops\/build-tasks-for-sonarqube-analysis\/","title":{"rendered":"Build Tasks for SonarQube Analysis"},"content":{"rendered":"

Note: a more recent documentation is available from Analyzing with SonarQube Extension for VSTS\/TFS<\/a><\/span><\/p>\n

[Update Sept 11, 2015:\u00a0 fixing broken links, Thanks Terje!, and adding a Previous post \/ Next postsection at the end of the post]<\/p>\n

_<\/p>\n

As you may be aware, we have been working with SonarSource to integrate SonarQube with MSBuild, Team Foundation Server, and Visual Studio Online. Up to now<\/a>, you could use the MSBuild.SonarQube.Runner to perform analysis locally on your development box<\/a>, or in TFS (2013 or 2015) and VSO<\/a>, but you had to provide your own build agent, install Java, and setup the MSBuild.SonarQube Runner<\/a> on that agent.<\/p>\n

Today we released in Visual Studio Online two new build tasks to execute a SonarQube analysis:<\/p>\n

\u00b7 SonarQube for MSBuild \u2013 Begin Analysis<\/p>\n

\u00b7 SonarQube for MSBuild \u2013 End Analysis<\/p>\n

These tasks can be added as steps in a build definition in exactly the same way as any other tasks.<\/p>\n

\"image\"<\/p>\n

As the name suggests, the first of these tasks is used to define a step that start the SonarQube analysis, before any MSBuild build steps. The Begin Analysis task contacts the SonarQube server to retrieve the quality profile, and dynamically produces rulesets to be applied during the static analysis. It also sets things up so that the following MSBuild steps produce some data to prepare the analysis.<\/p>\n

The End Analysis task should be used to create a step that is executed after the \u201cVisual Studio Test\u201d task step if you want SonarQube to show code coverage data. In any case, it should be run after the \u201cVisual Studio Build\u201d step. The End Analysis task finalizes the analysis (computation of the clones, metrics, and analysis for languages other than .Net), and sends the analysis results to the SonarQube server.<\/p>\n

Configuring the SonarQube build tasks<\/h3>\n

In the screenshot below, you can see that I\u2019ve added the two SonarQube tasks as steps in my existing Visual Studio build definition. Note that the End Analysis step does not require any parameters.<\/p>\n

\"image\"<\/a><\/p>\n

Now let\u2019s have a look at the settings that I need to configure in the \u201cBegin Analysis\u201d step:<\/p>\n

\u00b7 SonarQube Server Settings<\/a><\/p>\n

\u00b7 SonarQube Project Properties<\/a><\/p>\n

\u00b7 Database Settings<\/a><\/p>\n

\u00b7 The completed Begin Analysis definition<\/a><\/p>\n

<\/a>SonarQube Server Settings<\/h4>\n

Here you choose a service endpoint that you previously configured, which defines the URL and credentials required to contact your SonarQube server.<\/p>\n

\"image\"<\/p>\n

If you have not already configured your SonarQube service endpoint (if it does not appear in the endpoint combo-box):<\/p>\n

\u00b7 Choose the Manage<\/strong> link at the right-hand end of the VSO window header to open the Services<\/strong> tab of the Administration<\/strong> pages for your account.<\/p>\n

\u00b7 Add a new Generic<\/strong> service endpoint:<\/p>\n

\"image\"<\/p>\n

\u00b7 Enter the values for your SonarQube server:<\/p>\n

o A friendly name identifying your service endpoint, which will appear in the endpoint combo-box.<\/p>\n

o The URL of your SonarQube server.<\/p>\n

o The user name and password (or security token) for the user executing the analysis. You must enter values for these two fields. If your SonarQube server is on-premises, you can use anything (for example, \u201canonymous\u201d and \u201canonymous\u201d). Of course, here my SonarQube server is running in an Azure VM, so I must provide the appropriate credentials.<\/p>\n

\"image\"<\/p>\n

\u00b7 Now go back to the build definition page and choose the \u201cRefresh\u201d icon so that the endpoint appears in the combo-box, and select it.<\/p>\n

\"image\"<\/a><\/p>\n

<\/a>SonarQube Project Properties<\/h4>\n

The next group of settings are the SonarQube project key (which uniquely identifies your SonarQube project on the SonarQube server), the SonarQube project name, and the SonarQube analysis version. These are the same parameters as those you use in the XAML build configuration.<\/p>\n

\"image\"<\/p>\n

<\/a>Database Settings<\/h4>\n

The third group of settings are the SonarQube database parameters. These are required only until SonarSource ships SonarQube 5.2 (starting with that release, SonarQube will have a 3-tier architecture, and you won\u2019t need to provide the database details).<\/p>\n

\"image\"<\/p>\n

In the screenshot, because these parameters are secrets, you can see that I\u2019ve chosen to add them using build variables. This hides the values themselves because I\u2019ve defined the variables in the Variables<\/strong> tab of the build definition and chosen the \u201cpadlock\u201d icon.<\/p>\n

\"image\"<\/p>\n

<\/a>The completed Begin Analysis definition<\/h4>\n

Here is my complete build definition:<\/p>\n

\"image\"<\/p>\n

Choosing the agent<\/h3>\n

The cool thing is that, not only can you (as you\u2019d expect) run the SonarQube build tasks with your own agent, you can also run them with the hosted agent<\/strong>. In fact, the build tasks embed all the necessary integration bits. The only constraint is that, if you want to use the hosted agent, you must ensure that your SonarQube server and (until SonarQube 5.2 ships) your database are accessible from the Internet. That is the case here because I\u2019ve used an Azure Virtual Machine. However, if I had an on-premises SonarQube server, I could also – if my organization authorized it – open some TCP\/IP ports to allow access from the Internet.<\/p>\n

The following screenshot shows that I used the Hosted<\/strong> agent as the default queue.<\/p>\n

\"image\"<\/p>\n

Performing the analysis<\/h3>\n

Performing the analysis is now very simple. You queue the build, or you change the Triggers<\/strong> tab of your build definition to enable a build and analysis as part of your continuous integration – and that\u2019s it!<\/p>\n

More options<\/h3>\n

You might have noticed, when I described the configuration of the Begin Analysis task, that I didn\u2019t mention the Advanced<\/strong> section. This section provides two opportunities to pass additional parameters to the SonarQube server:<\/p>\n

\u00b7 Add space-delimited command line arguments, which will be copied to the MSBuild.SonarQube.Runner command line. This allows you to pass extra properties, for example: \/d:propertyName1=value1 \/d:propertyName2=value2<\/strong><\/p>\n

\u00b7 Add a configuration file, which will be chosen from the files in source control (in your Git repository or TFVC branch). This file has the same format as the SonarQube.Analysis.xml<\/a> file that is dropped with the MSBuild.SonarQube.Runner 1.0. It\u2019s a list of SonarQube properties and values.<\/p>\n

A wealth of possibilities for analyzing your .NET projects<\/h3>\n

With the release of these two new SonarQube build tasks, you have a wealth of possibilities for analyzing your .NET applications. It really depends on whether you want to use TFS, VSO, or only MSBuild; and which build technology you prefer (XAML build or new build). To help you out, I\u2019ve put together a summary of these possibilities. What I\u2019ve described in this blog post are the last two rows of the table.<\/p>\n

\"image\"<\/p>\n

Note that SonarQube integration does not work with VSO in the case where if you want to do a XAML build with a XAML 2015 build agent (more details here<\/a>). You need to use a XAML 2013 build agent instead.<\/p>\n

If you analyze C# code, use SonarLint for Visual Studio to get alerted as you code in Visual Studio 2015, and fix some of the issues automatically.<\/h3>\n

If you analyze C# code, and with whatever option you chose in the above table , you can get, in the Visual Studio error list, the same static analysis issues as what the SonarQube C# plug-in generates. For this, SonarSource has been shipping a Visual Studio 2015 extension SonarLint for Visual Studio<\/a> which contains Roslyn analyzers. And, by the way, they released a new version yesterday (SonarLint for VS 1.2.0). This new version now includes code fixers for 19 of the static analysis rules: by using the light bulb icon associated with the warnings generated by these rules, you can choose to fix them, instance of issue by instance of the issue, for a whole project, or in the whole solution, therefore actively reducing your technical debt.<\/p>\n

In closing<\/h3>\n

In a future post, I\u2019ll provide more details of the options and possibilities you now have to perform a SonarQube analysis, including some examples of usage. I\u2019ll also show you how to use the additional options to run third-party plugins.<\/p>\n

Meanwhile, as usual, we look forward to receiving your feedback.<\/p>\n","protected":false},"excerpt":{"rendered":"

Note: a more recent documentation is available from Analyzing with SonarQube Extension for VSTS\/TFS [Update Sept 11, 2015:\u00a0 fixing broken links, Thanks Terje!, and adding a Previous post \/ Next postsection at the end of the post] _ As you may be aware, we have been working with SonarSource to integrate SonarQube with MSBuild, Team […]<\/p>\n","protected":false},"author":112,"featured_media":45953,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[253,229,1,249],"tags":[],"class_list":["post-10161","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-azure-devops-server","category-community","category-devops","category-open-source"],"acf":[],"blog_post_summary":"

Note: a more recent documentation is available from Analyzing with SonarQube Extension for VSTS\/TFS [Update Sept 11, 2015:\u00a0 fixing broken links, Thanks Terje!, and adding a Previous post \/ Next postsection at the end of the post] _ As you may be aware, we have been working with SonarSource to integrate SonarQube with MSBuild, Team […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts\/10161","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/users\/112"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/comments?post=10161"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts\/10161\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/media\/45953"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/media?parent=10161"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/categories?post=10161"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/tags?post=10161"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}