
I have a C#/.NET project that I want to scan using SonarQube (C# language).

I am getting the scan to pass, but with many errors (over 200 repeated errors):

Provide an 'AssemblyVersion' attribute for this assembly.

The above message is repeated many times and accounts for the majority of SonarQube bugs I see in my report.

SonarQube properties file

```
# Comma-separated paths to directories with sources (required)
#sonar.sources=controllers,services
sonar.sources=.
# Language
sonar.language=cs

sonar.visualstudio.solution=ProjectName.sln

sonar.sourceEncoding=UTF-8
sonar.cobol.copy.diretories=/copy
sonar.visualstudio.enable=true
```

I even ran this msbuild (using MSBuild.exe Version 14 which I downloaded from https://www.microsoft.com/en-us/download/details.aspx?id=48159) batch file in my project

```
C:\Users\pwrdbyadmin\Desktop\sonar-scanner-msbuild-3.0.2.656\SonarQube.Scanner.MSBuild.exe begin /k:"org.sonarqube:sonarqube-scanner-msbuild" /n:"ProjectName" /v:"1.0"
"C:\Program Files (x86)\MSBuild\14.0\Bin\amd64\MSBuild.exe"  /t:Rebuild
C:\Users\pwrdbyadmin\Desktop\sonar-scanner-msbuild-3.0.2.656\SonarQube.Scanner.MSBuild.exe end
```

Downloaded SonarQube 6.5 and ran following command to start server

```
C:\Users\pwrdbyadmin\Desktop\sonarqube-6.5\bin\windows-x86-32\StartSonar.bat
```

Command I run from within project

```
C:\Users\username\Desktop\sonar-scanner-3.0.3.778-windows\bin\sonar-scanner.bat
```

I still cannot resolve many of the .NET errors in my project.

How can I resolve these obvious C# errors that come about after I run SonarQube on my project? Do I need Visual Studio installed? Do I need to build my project in Visual Studio? What are the proper steps I need to follow to scan my project?

EDIT

The new three liner allowed analysis to work without any Insufficient Privilege error showing up at the end. I used VS 2017's latest MSBuild.exe in my 3 line command

```
C:\Users\<UserName>\Desktop\sonar-scanner-msbuild-3.0.2.656\SonarQube.Scanner.MSBuild.exe begin /d:"sonar.host.url=http://localhost:9000" /d:"sonar.login=<login>" /d:"sonar.password=<password>" /k:"org.sonarqube:sonarqube-scanner-msbuild" /n:"<ProjectName>" /v:"1.0"
"C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\MSBuild\15.0\Bin\MSBuild.exe"  /t:Rebuild
C:\Users\<UserName>\Desktop\sonar-scanner-msbuild-3.0.2.656\SonarQube.Scanner.MSBuild.exe end /d:"sonar.login=<login>" /d:"sonar.password=<password>"
```

In spite of using the updated command sequence, I still get the Assembly Version errors in my report.

Do I need to delete the project and re-analyze? Also, even though my 3 liner shows MSBuild 15 used, the yellow notice comes up saying I am using MSBuild 12. I am not sure why.

UPDATE: Screenshot of duplicate files/folders in Code Smell Analysis.


Vahe
  • Does [this](https://stackoverflow.com/questions/44439202/sonarqube-says-critical-bug-provide-an-assemblyversion-attribute-for-this-as) help? [Source docs](https://docs.sonarqube.org/display/SCAN/Analyzing+with+SonarQube+Scanner+for+MSBuild) – Subbu Sep 01 '17 at 17:27
  • I found this previously and used the three liner in my code above to execute sonarscanner for msbuild. Do I just re-run the sonar-scanner.bat on my project after I run the 3 liner? – Vahe Sep 01 '17 at 17:38
  • I expect that after you run the 3 lines, your analysis is done. You don't need to run the .bat file. – Subbu Sep 01 '17 at 17:57
  • What version is your SonarC# plugin? Do you use shared projects in your solution? Could you upload the complete log from the build and post a link here so that we can diagnose better? – Val Sep 04 '17 at 07:04
  • Thank you for the reply. SonarQube is Version 6.5, Sonar Scanner is Version 3.0.3.778, sonar-csharp-plugin-5.10.1.1411. I get a warning saying that Use MSBuild 14 to get best analysis results. I am running sonar-scanner.bat in my project directory. I updated MSBuild to 14 in my post. How do I point to it in sonar-scanner.bat? – Vahe Sep 04 '17 at 11:50
  • As @Subbu said, executing "the three" lines is enough to analyze your project and publish the results to SonarQube. You should not use sonar-scanner.bat when analyzing .NET projects - it is running the analysis in MSBuild 12 mode, which has many limitations, such as that some of the analyzers checking for project-level issues, like the missing AssemblyVersion attribute, do not work. – Val Sep 04 '17 at 12:11
  • Possible duplicate of [SonarQube says critical bug : provide an 'AssemblyVersion' attribute for this assembly 36 times](https://stackoverflow.com/questions/44439202/sonarqube-says-critical-bug-provide-an-assemblyversion-attribute-for-this-as) – slartidan Sep 04 '17 at 14:28
  • Use of the three MSBuild line command gives an Insufficient Privileges when reaching the sonar scanner step. Not to mention about 49 red colored errors previously in my command which I cannot scroll to for capture. They are build/syntax errors. – Vahe Sep 04 '17 at 15:45
  • Perhaps the problem is different then. Are you not using Visual Studio 2015 for development? Older versions are using Msbuild 12 and are generally not supported. If that's your case, I think disabling the AssemblyVersion rule could be the best option. – Val Sep 04 '17 at 16:23
  • Please advise further, as I just installed VS 2017 on the machine where I did not yet build my code. I grabbed source from a GitHub private repo and ran the three line command in the grabbed repo project directory. Do I need to build in VS? I hope it is as simple as that, because there are some private dependencies in NuGet I needed to grab, I recall, when I built in VS on my local machine. – Vahe Sep 04 '17 at 16:52
  • Running the analysis in Visual Studio is not needed. If you can build your project just with MsBuild from the command line, adding SonarQube analysis should be straightforward - just execute the `SonarQube.Scanner.MsBuild begin ` before the MsBuild command and `SonarQube.Scanner.MsBuild end ` after it. – Val Sep 05 '17 at 08:20
  • I used MSBuild.exe from the VS 2017 directory (version 15.0) because MSBuild version 14.0 was giving numerous syntax errors. Still I get Insufficient Privileges error in analysis using sonar-scanner.bat. How do I pass this error? – Vahe Sep 05 '17 at 18:03
  • You should **not** use `sonar-scanner.bat`. If you succeed building with msbuild, you just need to run `SonarQube.Scanner.MsBuild begin `, then run `msbuild /t:Rebuild` (which is supposed to work correctly), then run `SonarQube.Scanner.MsBuild end `. If this does not work, please send me the full build and analysis logs so that I can advise further. – Val Sep 06 '17 at 06:48
  • Thank You. I have not used sonar-scanner.bat at all. I bypassed the error by adding a Quality Profile Rule for "Assemblies should have version information" and the errors went away. Now I get some repeated code smell errors for the same file, and line number. – Vahe Sep 06 '17 at 19:26

1 Answer


I am not sure where the SonarQube.Properties file is used. I couldn't find that in my setup.

Make sure all the projects you are scanning have a "Properties" folder and, under that, an AssemblyInfo.cs which contains the assembly version. The file must be included in the project. You can see that from Visual Studio.

Make sure you have provided the SonarQube address and authentication details in the SonarQube.Analysis.xml

sonar.host.url - URL to your SonarQube server

sonar.login - Analysis token of a user with Execute Analysis permissions. Required only if Anonymous does not have them

Create a new bat file only with these lines.

```
<local path>/SonarQube.Scanner.MSBuild.exe begin /k:"<SomeProjectNameKey>" /n:"<YourProjectName>" /v:"1.0"
<local path>/MSBuild.exe /t:Rebuild /tv:15.0 /p:VisualStudioVersion=15.0
<local path>/SonarQube.Scanner.MSBuild.exe end
```

The bat file should be in the same folder where the projects are located

Documentation reference https://docs.sonarqube.org/display/SCAN/Analyzing+with+SonarQube+Scanner+for+MSBuild

Mani
  • I know this is another question but I am struggling with it. How do I remove duplicate code smell report line items (I have edited my post)? – Vahe Sep 08 '17 at 19:49
  • You can prevent some files from being checked for duplications. To do so, go to Administration > General Settings > Analysis Scope > Duplications and set the Duplication Exclusions property. See the [Patterns](https://docs.sonarqube.org/display/SONAR/Narrowing+the+Focus#NarrowingtheFocus-patterns) section for more details on the syntax. – Mani Sep 09 '17 at 01:56
  • After changing, restart the Sonar Service and run the scan again. – Mani Sep 09 '17 at 02:02
  • Using the answer you provided (Visual Studio 15 version) no duplicate code smell issues remained. Thank You. – Vahe Sep 11 '17 at 16:07
  • If anyone wants to know how to run the code analysis with SonarQube for an ASP.NET project, see this detailed video: https://youtu.be/2x0fyBOuMB8. Before that you must have SonarQube installed on your local machine. – Tahir Alvi Nov 02 '21 at 14:50
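
The answer's check that every scanned project actually includes an AssemblyInfo.cs declaring `AssemblyVersion` can be scripted before running the scanner. This is an added example, not part of the original answer or of SonarQube's tooling; it assumes classic (non-SDK) `.csproj` files with explicit `Compile` items and no wildcards, and the `Web` and `Lib` sample projects are constructed.

```python
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# [assembly: AssemblyVersion("...")] at the start of a line, so a
# "// [assembly: ...]" line comment does not count as a declaration.
ATTR = re.compile(r'^\s*\[\s*assembly\s*:\s*(?:System\.Reflection\.)?'
                  r'AssemblyVersion(?:Attribute)?\s*\(', re.M)

def compiled_sources(csproj: Path):
    """Yield the .cs files a classic project explicitly compiles."""
    for item in ET.parse(csproj).getroot().iter():
        # Drop the MSBuild XML namespace before comparing the tag name.
        if item.tag.rsplit('}', 1)[-1] == 'Compile' and item.get('Include'):
            # Include paths use Windows separators; rebuild them portably.
            yield csproj.parent / Path(*item.get('Include').split('\\'))

def projects_missing_version(solution_dir: Path):
    """Return project files with no compiled source declaring AssemblyVersion."""
    missing = []
    for csproj in sorted(solution_dir.rglob('*.csproj')):
        found = any(
            src.is_file()
            and ATTR.search(src.read_text(encoding='utf-8-sig', errors='replace'))
            for src in compiled_sources(csproj))
        if not found:
            missing.append(csproj.name)
    return missing

CSPROJ = ('<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">'
          '<ItemGroup>{items}</ItemGroup></Project>')

def build_sample(root: Path):
    """Constructed sample: Web includes AssemblyInfo.cs; Lib has it on disk only."""
    for name, items in (('Web', '<Compile Include="Properties\\AssemblyInfo.cs" />'),
                        ('Lib', '<Compile Include="Class1.cs" />')):
        props = root / name / 'Properties'
        props.mkdir(parents=True)
        (props / 'AssemblyInfo.cs').write_text(
            'using System.Reflection;\n[assembly: AssemblyVersion("1.0.0.0")]\n')
        (root / name / 'Class1.cs').write_text('class Class1 {}\n')
        (root / name / f'{name}.csproj').write_text(CSPROJ.format(items=items))

if __name__ == '__main__':
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(Path(tmp))
        print(projects_missing_version(Path(tmp)))
```

`Lib` is reported even though its AssemblyInfo.cs exists on disk, because the file is not listed in the project, which is the case the answer warns about.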