{"id":12122,"date":"2016-02-18T20:56:28","date_gmt":"2016-02-18T20:56:28","guid":{"rendered":"https:\/\/blogs.msdn.microsoft.com\/visualstudioalm\/?p=12122"},"modified":"2020-03-05T06:12:03","modified_gmt":"2020-03-05T14:12:03","slug":"sonarqube-scanner-for-msbuild-v2-0-released-support-for-third-party-roslyn-analyzers","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/devops\/sonarqube-scanner-for-msbuild-v2-0-released-support-for-third-party-roslyn-analyzers\/","title":{"rendered":"SonarQube Scanner for MSBuild v2.0 released: support for third-party Roslyn analyzers"},"content":{"rendered":"

We are pleased to announce that SonarSource<\/a> has officially released version 2.0<\/a> of the SonarQube Scanner for MSBuild<\/i> and version 4.5<\/a> of the SonarQube C# Plugin<\/i>. The release notes for the scanner<\/a> and plugin<\/a> list the bugs that were fixed, but the major change is that together these releases provide support for using third-party Roslyn analyzers with SonarQube.<\/i><\/p>\n

A pre-release version of the SDK for SonarQube Roslyn Analyzer Plugins<\/em><\/a> is also available – more on that below.<\/p>\n

Support for third-party C# Roslyn analyzers<\/h3>\n

The Roslyn framework makes it easy to write custom code analysis rules for C# and VB code. With these new releases, it is possible to run custom Roslyn analyzers for C# as part of the build and have the results uploaded to SonarQube<\/i>.<\/p>\n

From an experience point of view this is straightforward:<\/p>\n

    \n
  1. Authors of the Roslyn analyzers produce a SonarQube plug-in for their analyzers using the SDK for SonarQube Roslyn Analyzer Plugins<\/i><\/li>\n
  2. The SonarQube<\/em> administrator installs this plug-in in the same way as any other SonarQube plug-in<\/li>\n
  3. Build users don\u2019t have to do anything: the SonarQube scanner for MSBuild<\/em> will automatically set up the required Roslyn analyzers and configure the rulesets, based on the Quality Profile for the SonarQube<\/em> project.<\/li>\n<\/ol>\n

    The blog announcing the release of the previous version<\/a> gave an overview of the architecture. Here, I\u2019ll describe how the various pieces fit together from the view points of the two main actors involved \u2013 the SonarQube<\/i> administrator, and the Roslyn analyzer author. I\u2019ll then describe in more detail what happens at runtime when an analysis build is performed.<\/p>\n

    SonarQube administrators<\/h4>\n

    From the point of view of SonarQube<\/i> administrators, the Roslyn-specific plugins are no different from any other SonarQube<\/i> plugin. Administrator can choose and install the plugins they want to use, then select which rules to apply in each quality profile just as they normally would. They don\u2019t need to know anything about Roslyn, and they don\u2019t need to perform any additional manual configuration or setup on the\u00a0machines that will perform the analysis.<\/p>\n

    \"Scanner<\/a><\/p>\n

    The only caveat is the not unreasonable one that the machine on which the analysis is performed must support running Roslyn analyzers i.e. the build must be using MSBuild 14.0 or later.<\/p>\n

    Roslyn analyzer authors<\/h4>\n

    Just as SonarQube<\/i> administrators shouldn\u2019t need to know about Roslyn analyzers, we\u2019ve tried to limit the amount Roslyn analyzer authors need to know about creating SonarQube<\/i> plugins – they shouldn\u2019t need to be Java coders or to understand the SonarQube<\/i> extensibility model, which is where the SDK mentioned earlier comes in. The SDK provides tooling to automatically generate a SonarQube<\/em> plugin that wraps a Roslyn analyzer.<\/p>\n

    \"Scanner<\/a><\/p>\n

    At this point the SDK is very simple: it\u2019s a single exe that you point at an analyzer NuGet package, and it produces a jar<\/i> file containing the SonarQube<\/i> plugin. This is currently no way to customise the jar<\/em>\u00a0that is produced. See the project README<\/a> for more information.<\/p>\n

    I\u2019ve described\u00a0an idealised view here in which the plugin\u00a0jar<\/em>\u00a0is\u00a0created and published by the analyzer author. However, there is nothing to stop a\u00a0SonarQube<\/em> administrator from using the SDK to create a plugin if one isn\u2019t already available for a particular analyzer.<\/p>\n

    Under the covers<\/h4>\n

    At runtime, the scanner, C# plugin and generated plugins co-operate to setup, configure and execute the rules configured in the Quality Profile for the SonarQube<\/i> project.<\/p>\n

    \"Scanner<\/a><\/i><\/p>\n

    Runtime\u00a0component collaboration<\/em><\/p>\n

    The sequence of actions at runtime is as follows:<\/p>\n