{"id":18576,"date":"2016-07-06T21:46:24","date_gmt":"2016-07-06T14:46:24","guid":{"rendered":"https:\/\/blogs.msdn.microsoft.com\/visualstudioalm\/?p=18576"},"modified":"2019-02-14T17:33:51","modified_gmt":"2019-02-15T01:33:51","slug":"managing-technical-debt-planning-update-2016q3","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/devops\/managing-technical-debt-planning-update-2016q3\/","title":{"rendered":"Managing Technical Debt planning update &#8211; 2016Q3"},"content":{"rendered":"<p>[Nov 2016: Added status updates with links to details on what was done]<\/p>\n<p>&nbsp;<\/p>\n<p>Back in January, I shared with you our <a href=\"https:\/\/blogs.msdn.microsoft.com\/visualstudioalm\/2016\/01\/11\/sonarqube-integration-update-and-2016h1-plans\/\">SonarQube integration Update and plans<\/a> for the first half of 2016. I\u2019ve just updated that blog post to ensure that all the links were added to the <a href=\"https:\/\/blogs.msdn.microsoft.com\/visualstudioalm\/tag\/managing-technical-debt\/\">individual blog posts<\/a> for the features we have delivered over these last 6 months.<\/p>\n<p>With the <a href=\"https:\/\/www.visualstudio.com\/en-us\/news\/release-archive-vso\">Visual Studio Team Services Features Timeline<\/a> being updated, I can now share what we are planning for the next three months. But first, let\u2019s take a step back and look at what has been achieved so far. Some of these features were produced with our partners SonarSource and the Microsoft ALM Rangers.<\/p>\n<h3>Retrospective \u2013 SonarQube integration with .NET<\/h3>\n<p>We are mostly done with the integration of SonarQube with MSBuild projects, especially for C# (SonarSource is still working on improving the experience for VB and C++).<\/p>\n<p>You can easily set up continuous integration <b>builds in Team Services and TFS<\/b> by adding two MSBuild tasks to your build definition (one before the build, and the other after the tests). 
With recent versions of SonarQube, you can request the status of quality gates in the build summary. If they fail, you get insight into the reason for the failure. You can also request to <a href=\"https:\/\/blogs.msdn.microsoft.com\/visualstudioalm\/2016\/02\/11\/use-sonarqube-quality-gates-to-control-your-visual-studio-team-services-builds\/#failing_the_build\">break the build when the quality gates fail<\/a>.<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/6\/2019\/05\/clip_image0021.jpg\"><img decoding=\"async\" width=\"608\" height=\"366\" title=\"clip_image002\" style=\"padding-top: 0px;padding-left: 0px;padding-right: 0px;border-width: 0px\" alt=\"clip_image002\" src=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2016\/07\/clip_image002_thumb.jpg\" border=\"0\" \/><\/a><\/p>\n<p>In any case, you get a link from the build summary to the SonarQube projects, where you can dig into the details and review diffs, trends and aggregated metrics.<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/6\/2019\/05\/clip_image0042.png\"><img decoding=\"async\" width=\"337\" height=\"209\" title=\"clip_image004\" style=\"padding-top: 0px;padding-left: 0px;padding-right: 0px;border-width: 0px\" alt=\"clip_image004\" src=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2016\/07\/clip_image004_thumb1.png\" border=\"0\" \/><\/a><\/p>\n<p>Picking up issues during a continuous integration build means they are not discovered until after check-in. To prevent this, you can request <a href=\"https:\/\/blogs.msdn.microsoft.com\/visualstudioalm\/2016\/06\/02\/sonarqube-code-analysis-issues-integration-into-pull-requests\/\">SonarQube code analysis during pull requests<\/a>, based on a baseline established during continuous integration. SonarQube acts as a code reviewer, adding comments on issues in modified code. 
This works for any language supported by SonarQube, not only C# and VB (the picture below illustrates a pull request with static analysis on JavaScript code).<\/p>\n<p><a href=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/6\/2019\/05\/clip_image0051.png\"><img decoding=\"async\" width=\"633\" height=\"283\" title=\"clip_image005\" style=\"padding-top: 0px;padding-left: 0px;padding-right: 0px;border-width: 0px\" alt=\"clip_image005\" src=\"https:\/\/devblogs.microsoft.com\/devops\/wp-content\/uploads\/sites\/6\/2016\/07\/clip_image005_thumb1.png\" border=\"0\" \/><\/a><\/p>\n<p>In the .NET managed languages world, Roslyn analyzers (which notify developers of static analysis issues as they type) are increasingly important in helping to control technical debt. Therefore, we have enabled Roslyn analyzer authors and SonarQube administrators to create SonarQube plug-ins for Roslyn analyzers using the <a href=\"https:\/\/blogs.msdn.microsoft.com\/visualstudioalm\/2016\/03\/17\/sonarqube-sdk-to-build-plugins-for-roslyn-analyzers-released\/\">SonarQube Roslyn SDK<\/a>. If such plug-ins are present in SonarQube, the corresponding Roslyn analyzer is provisioned as a NuGet package and configured (rulesets will be generated from Quality Profiles) <a href=\"https:\/\/blogs.msdn.microsoft.com\/visualstudioalm\/2016\/02\/18\/sonarqube-scanner-for-msbuild-v2-0-released-support-for-third-party-roslyn-analyzers\/\">during the continuous integration or pull request build<\/a>.<\/p>\n<p>Finally, if you are working in C# and VB, and are using Roslyn analyzers, you might want your definition of quality in the IDE (Roslyn analyzer NuGet packages and rulesets) to match your definition of quality in SonarQube (quality profile). 
Therefore, we have produced a <a href=\"https:\/\/blogs.msdn.microsoft.com\/visualstudioalm\/2016\/03\/17\/bind-a-visual-studio-solution-to-a-sonarqube-project-provisions-and-configures-roslyn-analyzers\/\">connected mode in SonarLint for Visual Studio<\/a>, which enables this consistency by provisioning and configuring NuGet packages for Roslyn analyzers in projects in a Visual Studio solution based on the SonarQube quality profile. It <a href=\"https:\/\/blogs.msdn.microsoft.com\/visualstudioalm\/2016\/05\/11\/sonarlint-2-2-for-visual-studio-improves-the-connected-mode\/\">notifies<\/a> you when your quality definition changes in SonarQube and helps developers to <a href=\"https:\/\/blogs.msdn.microsoft.com\/visualstudioalm\/2016\/04\/18\/sonarlint-for-visualstudio-2-1-released-brings-consistency-with-msbuild-navigation-to-sonarqube-and-notifications\/\">navigate<\/a> to the bigger picture in SonarQube.<\/p>\n<p>Build tasks and pull requests with static analysis are already available in Team Services and will be available with the same level of completion (rich build summary) in TFS \u201cDev15\u201d.<\/p>\n<h3>SonarQube support in the Maven and Gradle build tasks will be equivalent to that for MSBuild<\/h3>\n<p>Over the past months, we have also started enabling Maven and <a href=\"https:\/\/blogs.msdn.microsoft.com\/visualstudioalm\/2016\/06\/15\/the-gradle-build-task-now-supports-sonarqube-analysis\/\">Gradle<\/a> build tasks to perform a SonarQube analysis by checking a checkbox. However, the build summary is not yet as rich as for MSBuild; in particular, until recently we did not produce a build summary section for the SonarQube analysis. We have also not yet enabled pull requests with code analysis for the Java tasks. In the coming months we are going to enable parity of experience between the MSBuild and the Java build tasks.<\/p>\n<p><span style=\"background-color: #00ff00\">Status<\/span>: Done. 
See\u00a0 <a href=\"https:\/\/blogs.msdn.microsoft.com\/visualstudioalm\/2016\/06\/15\/the-gradle-build-task-now-supports-sonarqube-analysis\/\">The Gradle build task now supports SonarQube analysis<\/a> and <a href=\"https:\/\/blogs.msdn.microsoft.com\/visualstudioalm\/2016\/10\/12\/maven-and-gradle-build-tasks-support-powerful-code-analysis-tools\/\">Maven and Gradle build tasks support powerful code analysis tools<\/a><\/p>\n<h3>Broadening support for static analysis tools<\/h3>\n<p>We have also started adding support for standalone Java static analysis tools which don\u2019t require a server. So far, <a href=\"https:\/\/blogs.msdn.microsoft.com\/visualstudioalm\/2016\/06\/15\/the-maven-build-task-now-supports-pmd-analysis-out-of-the-box\/\">PMD analysis is integrated out of the box<\/a> in the Maven task. We are working on enabling PMD in Gradle and, based on your feedback, we may integrate more tools such as CheckStyle and FindBugs.<\/p>\n<p><span style=\"background-color: #00ff00\">Status<\/span>: Done. See <a href=\"https:\/\/blogs.msdn.microsoft.com\/visualstudioalm\/2016\/10\/12\/maven-and-gradle-build-tasks-support-powerful-code-analysis-tools\/\">Maven and Gradle build tasks support powerful code analysis tools<\/a><\/p>\n<h3>A dashboard widget for SonarQube analysis builds<\/h3>\n<p>Many of you have requested a dashboard widget for SonarQube. We will produce a widget showing the quality gate status (and reasons for failure if this is the case) as of the last static analysis build of a given build definition. 
This will work both for MSBuild and Java builds.<\/p>\n<p><span style=\"background-color: #ffff00\">Status<\/span>: On SonarSource\u2019s <a href=\"https:\/\/jira.sonarsource.com\/browse\/MMF-498\">backlog<\/a><\/p>\n<h3>Secure installations of SonarQube in Azure<\/h3>\n<p>We\u2019ve been working with the ALM Rangers to develop the <a href=\"https:\/\/blogs.msdn.microsoft.com\/visualstudioalmrangers\/2016\/03\/29\/azure-active-directory-aad-authentication-plug-in-for-sonarqube\/\">Azure Active Directory SonarQube plug-in<\/a>. Currently the ALM Rangers are working on producing an Azure Resource Manager template to deploy a secure installation of SonarQube in Azure.<\/p>\n<p><span style=\"background-color: #00ff00\">Status<\/span>: A first un-secured installation of SonarQube in Azure was done. See <a href=\"https:\/\/blogs.msdn.microsoft.com\/visualstudioalmrangers\/2016\/10\/06\/easily-deploy-sonarqube-server-in-azure\/\">Easily deploy SonarQube Server in Azure<\/a>. Working on securing it.<\/p>\n<h3>Security \u2013 you consider that this is also part of technical debt<\/h3>\n<p>You have told us that security flaws are an important aspect of technical debt. SonarQube has a few rules about security, and this number will increase with time. But we are also working with other partners in the domain of security and technical debt in general to produce more extensions for Team Services and TFS. We\u2019ll update you when these offerings become available in the Visual Studio Team Services marketplace.<\/p>\n<p><span style=\"background-color: #00ff00\">Status<\/span>: In Progress. See <a href=\"https:\/\/channel9.msdn.com\/Events\/Connect\/2016\/168\">Security in Your Continuous Integration Pipeline<\/a> (on demand video by Sam Guckenheimer), as well as the following article in the MSDN Magazine about <a href=\"https:\/\/msdn.microsoft.com\/en-us\/magazine\/mt790188.aspx\">Rugged DevOps<\/a>. 
More partners will propose extensions.<\/p>\n<h3>Introducing architecture dependency validation as part of technical debt<\/h3>\n<p>Finally, you have also told us that you consider that architecture flaws are an important part of technical debt. We are working on improving the dependency validation experience in Visual Studio Enterprise, by providing live validation for C# and VB. We\u2019ll also enable these architectural issues to be taken into account in SonarQube through a SonarQube .NET dependency validation plug-in.<\/p>\n<p><span style=\"background-color: #00ff00\">Status<\/span>: Done. See <a href=\"https:\/\/blogs.msdn.microsoft.com\/visualstudioalm\/2016\/11\/30\/live-dependency-validation-in-visual-studio-2017\">Live Dependency Validation in Visual Studio 2017<\/a><\/p>\n<p>We look forward to hearing from you. Please send us your feedback either by asking some questions on this blog post, or proposing suggestions on what you would like us to do next, for instance from <a href=\"http:\/\/visualstudio.uservoice.com\/\"><span style=\"color: #0072c6\">User Voice<\/span><\/a><\/p>\n<p>Thank you!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[Nov 2016: Added a status Update with links on details for what was done] &nbsp; Back in January, I shared with you our SonarQube integration Update and plans for the first half of 2016. 
I\u2019ve just updated that blog post to ensure that all the links were added to the individual blog posts for the [&hellip;]<\/p>\n","protected":false},"author":112,"featured_media":45953,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[253,229,1,249],"tags":[],"class_list":["post-18576","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-azure-devops-server","category-community","category-devops","category-open-source"],"acf":[],"blog_post_summary":"<p>[Nov 2016: Added a status Update with links on details for what was done] &nbsp; Back in January, I shared with you our SonarQube integration Update and plans for the first half of 2016. I\u2019ve just updated that blog post to ensure that all the links were added to the individual blog posts for the [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts\/18576","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/users\/112"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/comments?post=18576"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/posts\/18576\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/media\/45953"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/media?parent=18576"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/categories?post=18576"},{"taxonomy":"post_tag","embed
dable":true,"href":"https:\/\/devblogs.microsoft.com\/devops\/wp-json\/wp\/v2\/tags?post=18576"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}