Binding a Visual Studio solution to a SonarQube project provisions and configures Roslyn analyzers

A few weeks ago, we announced that the SonarQube Scanner for MSBuild 2.0 supports 3rd party Roslyn analyzers. This has been working for the continuous integration build. In this blog post we are announcing that we have extended this experience to the IDE. You can now bind a Visual Studio solution to a SonarQube project and see Roslyn analyzers automatically provisioned as NuGet packages, and rulesets configured, using the SonarQube Quality Profile for the project.

Let's see what problem we are solving here, and how to apply this new feature.

Analysis issues reported by the build can be different from the ones in Visual Studio

Non-Dev build results can be different from warnings in the IDE

In previous posts we have explained how you could set up a SonarQube analysis as part of the non-dev builds (i.e. Continuous Integration builds or automated builds). We got the feedback that this is great, because you can measure your technical debt and its evolution. But we also heard that this can be very frustrating for developers, as sometimes they are notified during the build that they introduced new issues, whereas they would actually like to be notified right when they develop in the IDE (in Visual Studio). This situation happens because the definition of the quality in SonarQube is different from the configuration of the static analysis rules which run when building or editing in Visual Studio. Let's understand this better.

This is frustrating!

Let's imagine that I'm a developer in a team who has enabled the SonarQube analysis build in the continuous integration. In SonarQube, we have installed the C# plug-in (version 5.0 or more recent). We have used the SonarQube Roslyn SDK to build a SonarQube plugin that wraps the Wintellect Roslyn Analyzers. And then we have set a Quality Profile which enables rules from the C# plug-in (actually "Sonar Analyzers for C# and VB") and from the Wintellect Roslyn Analyzers. The picture below shows these rules and the 2 "Rule repositories".

I work on a project, and commit my changes. There is only one warning in Visual Studio. I believe that I'm good to go.

When the continuous integration build has completed and the SonarQube analysis is done, I click on the "analysis results" link in the build summary to navigate to the SonarQube project dashboard where I get a sense of the quality of my project. I decide to dig into the issues and I discover that there are many errors, and in particular severe errors (fifteen critical, in C#). I dig into these errors, to understand more about them, and in particular who introduced them, and … I discover that it was me.

That's annoying! I actually don't want to have my name here, in particular because the whole team is watching the dashboard. Now you can imagine my frustration since in Visual Studio, I could see just 1 warning. I know that it is possible in VS 2022 to be notified of issues as I type them, as there is just-in-time static analysis provided by Roslyn analyzers. That's what I want: to be notified of the issues that matter for my team or organisation, as I introduce them, in the IDE.

Why do we get different results?

There are 2 causes for these differences between the issues reported in the build and in the IDE.

  • The Roslyn analyzers which are run are not the same: if I look under the References | Analyzers node of each project in the Visual Studio solution, I see that they are empty.

    Whereas in SonarQube, we have seen that our team had installed several plug-ins for Roslyn analyzers and we have activated rules in the quality profile.

    Note that most analyzers also come as a VSIX, but to get consistent results every team member must install the right versions of the right VSIXes on their machine.

  • Even if the right analyzers or the right VSIXes had been added, that would not solve the consistency problem. Indeed, the rulesets would need to be configured to match the rules that are activated in the SonarQube quality profile.

The solution would be for my team to add the right Roslyn analyzers to every project in the solution, and configure the rulesets for these so that they match the Quality Profile. But this is tedious, error prone, and needs to be done on each project. Besides, when the quality profile changes in SonarQube, we would need to update each project of each solution that should match this quality profile.

We really need some automation here!

The "SonarQube connected mode"

Released as part of SonarLint for Visual Studio 2.0 and above

Fortunately, we added a new "Visual Studio connected mode for SonarQube" as part of SonarLint for Visual Studio 2.0.

SonarLint for Visual Studio has been releasing regularly both as a VSIX and as a NuGet package. So far it only contained SonarSource's analyzers, which were recently renamed "Sonar Analyzers for C# and VB". From SonarLint for Visual Studio 2.0, the Visual Studio extension (VSIX) now also offers an experience in Visual Studio which reconciles the developer live experience with the SonarQube quality profile. The NuGet package still only contains the analyzer.

How to bind your Visual Studio solution to a SonarQube project?

This connected mode brings 2 new commands, and a new Tab in Team Explorer.

To bind your Visual Studio solution to a SonarQube project, go to the Solution context menu, and in the Analyze sub-menu, use the new command "Manage SonarQube Connections". The same command is also available from the Analyze top-level menu.

Clicking on one or the other of these commands opens the "SonarQube" tab in the Team Explorer.

By clicking on the Connect … link, you get a dialog where you can enter the URL for your SonarQube server. Then you enter the credentials to do an analysis. On the picture below, my SonarQube server is a SonarQube 5.4, so I created an analysis token, which I'm using as my login, leaving the password empty (this is the recommended way, as it avoids sending a password over the network; these tokens are also revocable). I could also have used a login/password.

As you press OK, Visual Studio connects to the SonarQube server with the provided credentials, and it retrieves the list of SonarQube projects on this server. You can then double-click on one of these projects, or right-click and use the "bind" button, to bind your Visual Studio solution to this SonarQube project.

If there are outstanding changes in your solution you will be prompted to save them first. You might want to check that there are no local changes that haven't been committed to source control before binding, as this will make it easier to see the changes that are made by the binding process.

Once you've done that, watch the progress bar and you will notice that 2 things happen:

  • NuGet packages are installed on each project. These are the Roslyn analyzers which have active rules in the quality profile of the bound SonarQube project.
  • Rulesets are synthesized from this quality profile and applied to each project.

Immediately you start seeing new warnings appearing in the Error List. You now have, in the Visual Studio solution, the same issues as the ones which are reported in SonarQube. At least for C#.

How is your solution affected?

You observe that some things have changed in your Visual Studio solution:

  • A common ruleset was created and added as a solution item. It's named from the identifier of the SonarQube project and the language (blmCSharp.ruleset in this case). It contains the same issues as the quality profile.
  • An empty ruleset that references the common ruleset was generated for each project. If your project already specifies a ruleset then the existing ruleset will be updated to include the common ruleset (that's my case here).

We have made the choice of not having the project directly reference the common ruleset, so that you are able to edit the project's ruleset in case you want to strengthen it. This won't change the common generated ruleset, but will add entries in the project's ruleset to override it.

The required Roslyn analyzers were also provisioned on each project.

If you close Visual Studio, and then reopen the solution, the binding will still be here (going to the "SonarQube" tab in the Team Explorer will show you the same thing).

You can now commit the changes, and all the members of your team will now benefit from the exact same experience, without having to install any VSIX. Everybody will share the same definition of the quality, and that's the same as what is defined in SonarQube.

What if the SonarQube quality profile changes later?

If someone in the organization changes the quality profile in SonarQube, you can go to the Team Explorer and use the contextual command on the SonarQube project to re-sync the definition of the quality. Roslyn analyzers will be provisioned as needed, and rulesets updated. That's still a manual process for the moment, but we'll improve this (see "Current limitations" below).

If you wish, you can also right-click on the SonarQube server in the Team Explorer to remove the binding (disconnect), and possibly bind the solution to a different SonarQube project.

Current limitations

The connected mode in SonarLint for Visual Studio 2.0 is a first iteration, and there are still a few rough edges. In future versions of SonarLint for Visual Studio, we will solve the following:

  • The Roslyn analyzers NuGet packages are currently applied on every project, including those which were excluded from the SonarQube analysis, and the test projects.
  • If you are using TFVC and are working with a server workspace, the experience will fail. To work around this, you will need to:

    • Check out the files in your solution
    • Bind your solution to a SonarQube project as explained
    • Add the extra files which were added.
  • You are free to change the rulesets for each project manually, and we don't warn you yet if you loosen the quality by removing rules. In a future release, we'll warn you if that's the case.
  • It's up to you to re-sync the SonarQube project. In a future release, we'll warn you if the solution is no longer in sync with the SonarQube quality profile.
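
Until the tooling warns about loosened rulesets, the comparison can be scripted. The following is an added example, not code from SonarLint or from this post: it compares a project ruleset with the generated common ruleset and lists the rules whose action the project has weakened. The analyzer id, rule ids and relative path are constructed placeholders, and the Include element is assumed to use Action="Default".

```python
import xml.etree.ElementTree as ET

# Severity order of ruleset Action values, weakest first.
RANK = {"None": 0, "Hidden": 1, "Info": 2, "Warning": 3, "Error": 4}

def rule_actions(ruleset_xml):
    """Map (AnalyzerId, rule Id) -> Action for every <Rule> in a ruleset."""
    root = ET.fromstring(ruleset_xml)
    return {
        (rules.get("AnalyzerId"), rule.get("Id")): rule.get("Action")
        for rules in root.iter("Rules")
        for rule in rules.iter("Rule")
    }

def loosened_rules(common_xml, project_xml):
    """Return project overrides that are weaker than the common ruleset."""
    common = rule_actions(common_xml)
    findings = []
    for key, action in sorted(rule_actions(project_xml).items()):
        baseline = common.get(key)
        if baseline is not None and RANK[action] < RANK[baseline]:
            findings.append((key[1], baseline, action))
    return findings

# Constructed sample: analyzer id and rule ids are placeholders, not real rules.
COMMON = """<RuleSet Name="Rules for SonarQube" ToolsVersion="14.0">
  <Rules AnalyzerId="Example.Analyzer" RuleNamespace="Example.Analyzer">
    <Rule Id="EX0001" Action="Warning" />
    <Rule Id="EX0002" Action="Warning" />
    <Rule Id="EX0003" Action="Warning" />
  </Rules>
</RuleSet>"""

# Constructed project ruleset: one strengthened rule, two weakened ones.
PROJECT = """<RuleSet Name="Project rules" ToolsVersion="14.0">
  <Include Path="..\\blmCSharp.ruleset" Action="Default" />
  <Rules AnalyzerId="Example.Analyzer" RuleNamespace="Example.Analyzer">
    <Rule Id="EX0001" Action="Error" />
    <Rule Id="EX0002" Action="None" />
    <Rule Id="EX0003" Action="Info" />
  </Rules>
</RuleSet>"""

if __name__ == "__main__":
    for rule_id, baseline, action in loosened_rules(COMMON, PROJECT):
        print(f"{rule_id}: {baseline} -> {action} (weaker than quality profile)")
```

Run against the real files, such a check fits in a pull-request gate so that a weakened project ruleset is caught before it is merged.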

In closing

We look forward to hearing from you. Please send us your feedback by asking some questions on StackOverflow or directly by reporting any bugs you find on the SonarQube Google Group. You can also submit suggestions for new features, for example, on User Voice.