{"id":16735,"date":"2016-06-02T03:12:18","date_gmt":"2016-06-01T20:12:18","guid":{"rendered":"https:\/\/blogs.msdn.microsoft.com\/visualstudioalm\/?p=16735"},"modified":"2019-02-14T17:33:58","modified_gmt":"2019-02-15T01:33:58","slug":"sonarqube-code-analysis-issues-integration-into-pull-requests","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/devops\/sonarqube-code-analysis-issues-integration-into-pull-requests\/","title":{"rendered":"SonarQube Code Analysis issues integration into Pull Requests"},"content":{"rendered":"<p><span style=\"color: #ff00ff\">See also SonarQube documentation available from <a href=\"http:\/\/docs.sonarqube.org\/display\/SCAN\/Analyzing+with+SonarQube+Extension+for+VSTS-TFS?src=breadcrumbs-parent\">Analyzing with SonarQube Extension for VSTS\/TFS<\/a><\/span><\/p>\n<h4>Goal: Let developers fix issues early<\/h4>\n<p>Team leads and managers spend time drilling into the SonarQube dashboard, setting up quality gates and monitoring technical debt. Have a look at the publicly available <a href=\"https:\/\/nemo.sonarqube.org\/overview?id=roslyn\">SonarQube dashboard for the Roslyn project<\/a> to get an idea of the insights available.<\/p>\n<p>However, as a developer, I don\u2019t like to spend time looking at dashboards. I also don\u2019t like it when my boss sends me an email about a \u201cquality gate failure\u201d and a list of static analysis issues I should resolve. I like to get feedback early and I like to get feedback as close as possible to where I work \u2013 in the IDE or source control.<\/p>\n<p>For C# projects, you can use <a href=\"https:\/\/blogs.msdn.microsoft.com\/visualstudioalm\/2016\/04\/18\/sonarlint-for-visualstudio-2-1-released-brings-consistency-with-msbuild-navigation-to-sonarqube-and-notifications\/\">SonarLint for Visual Studio<\/a>, which will configure your IDE to use the same analyzers as\u00a0SonarQube uses. 
This is based on the work done in collaboration with SonarSource to fully integrate with any Roslyn based code analyzer.<\/p>\n<p>When it comes to other languages, code analysis solutions are diverse, and not all analyzers have IDE integrations. The next best place to see analysis issues is in the code review. And SonarQube is good at abstracting away the technical details of the myriad of analyzers available \u2013 it just deals with rules and quality profiles. So we have worked on a feature that will inject code analysis comments identified by SonarQube directly into a Visual Studio Team Services\u00a0pull request.<\/p>\n<h4>Code Analysis issues shown directly in Pull Requests (PR)<\/h4>\n<p>This paragraph assumes you are using the SonarQube build tasks for MSBuild. To find out more about these tasks, see <a href=\"https:\/\/blogs.msdn.microsoft.com\/visualstudioalm\/2015\/08\/24\/build-tasks-for-sonarqube-analysis\/\">this blog post<\/a>.<\/p>\n<p>When you configure a build definition to run as part of a Pull Request (PR), and the build definition uses the SonarQube tasks, we will now run SonarQube in incremental mode. As documented on the SonarQube website, an incremental analysis means that an analysis is performed, but the results are not stored in the SonarQube database. The analysis is performed only on changed code. 
The SonarQube build tasks will then add comments to the pull request for new static analysis issues, with respect to the Continuous Integration (CI) build, as another member of the team would have done.<\/p>\n<p>Here are some issues identified by SonarQube in my JavaScript code:<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/6\/2019\/05\/158.png\"><img decoding=\"async\" width=\"629\" height=\"279\" class=\"alignnone wp-image-16737 size-full\" alt=\"\" src=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2016\/06\/158.png\" \/><\/a><\/p>\n<p>After I fix the problem at line 326 I push a commit to the same branch. This will trigger another PR build which will mark the issue as resolved:<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/6\/2019\/05\/256.png\"><img decoding=\"async\" width=\"657\" height=\"223\" class=\"alignnone wp-image-16745 size-full\" alt=\"A javascript file with a resolved code analysis issue\" src=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2016\/06\/256.png\" \/><\/a><\/p>\n<h4>How to get all this working<\/h4>\n<p>We recommend that you <strong>use the same build definition with SonarQube analysis tasks for both CI and PR builds<\/strong>. When a CI build occurs, a full SonarQube analysis is triggered, the results are uploaded to the SonarQube database and the dashboard is updated. When a PR build occurs, SonarQube uses the last full analysis for the project as a baseline to identify issues that are new.<\/p>\n<p>Other than that, you don\u2019t need to do anything to enable it. It just works. If you\u2019d like to know more about CI and PR builds, keep on reading. 
Otherwise, we hope this helps you, and please post feedback by raising issues on the VSTS task repo.<\/p>\n<h4>Continuous Integration (CI) and Pull Request (PR) Builds<\/h4>\n<p>To run build definitions on every check-in, simply tick the \u201cContinuous Integration\u201d check-box on the \u201cTriggers\u201d tab of your build definition.\u00a0<a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/6\/2019\/05\/336.png\"><img decoding=\"async\" width=\"516\" height=\"157\" class=\"alignnone size-full wp-image-16755\" alt=\"Set a build to run as CI by going to the Triggers tab \" src=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2016\/06\/336.png\" \/><\/a><\/p>\n<p>Pull requests (PRs) can be used to create code reviews. Team members comment on the changes made, then the author can push further commits to their feature branch until the reviewers are happy and the pull request can be completed.<\/p>\n<p>Team Services allows you to define extra policies around PRs \u2013 at the time of writing there are 3\u00a0policies available: run a build on the PR changes, require that a work item is associated with the changes, and require that people actually review the changes.<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/6\/2019\/05\/429.png\"><img decoding=\"async\" width=\"985\" height=\"549\" class=\"alignnone size-full wp-image-16765\" alt=\"Configure a PR build in the Version Control page of the Admin interface\" src=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2016\/06\/429.png\" \/><\/a><\/p>\n<p>Now, every time a PR is submitted, Team Services will perform a build, run tests, and run an incremental SonarQube analysis that will push code analysis issues to the Pull Request.<\/p>\n<h4>Feedback and Troubleshooting<\/h4>\n<p>Currently this feature works for the SonarQube build tasks for MSBuild, when using Git as version control. 
Integration with the Java build tasks is on our backlog.<\/p>\n<p>It is also not available on TFS 2015 on-premise and will not ship with any of the updates, including TFS 2015 Update 3, since this update is focused on bug fixes. We do not recommend you run a SonarQube analysis in PR builds on TFS 2015 on-premise, because the build will perform a full analysis which leaves a mark in the project&#8217;s history, even if the PR is abandoned.<\/p>\n<p>If you do find that something is not working for you, you can disable this feature by adding a build variable named \u201cSQPullRequestBot\u201d with the value \u201cfalse\u201d. In this case, the SonarQube analysis tasks will not run in PR builds.<\/p>\n<p>We\u2019d like to hear from you, and if you have a problem it helps to include detailed logs. To create these logs, set the build variable named \u201csystem.debug\u201d to \u201ctrue\u201d. Raise issues and suggestions on the issues tab of the VSTS task repo.<\/p>\n<p>For general SonarQube functionality, please raise questions on StackOverflow and add the \u201cSonarQube\u201d tag.<\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>See also SonarQube documentation available from Analyzing with SonarQube Extension for VSTS\/TFS Goal: Let developers fix issues early Team leads and managers spend time drilling into the SonarQube dashboard, setting up quality gates and monitoring technical debt. 
Have a look at the publicly available SonarQube dashboard for the Roslyn project to get an idea of [&hellip;]<\/p>\n","protected":false},"author":194,"featured_media":45953,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[253,229,1,249],"tags":[],"class_list":["post-16735","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-azure-devops-server","category-community","category-devops","category-open-source"],"acf":[],"blog_post_summary":"<p>See also SonarQube documentation available from Analyzing with SonarQube Extension for VSTS\/TFS Goal: Let developers fix issues early Team leads and managers spend time drilling into the SonarQube dashboard, setting up quality gates and monitoring technical debt. Have a look at the publicly available SonarQube dashboard for the Roslyn project to get an idea of [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts\/16735","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/users\/194"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/comments?post=16735"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts\/16735\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/media\/45953"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/media?parent=16735"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/categor
ies?post=16735"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/tags?post=16735"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}