In this article, I am going to clone a .NET sample public repository and we are going to use dotnet CLI commands to demonstrate how the SonarQube scan can be triggered and how to view the reports.
For this demonstration I am going to use the local instance of SonarQube, which was set up as part of the previous article.
What do we need to know before we begin?
Before we begin, we need to know two concepts:
- Projects
- SonarScanners
Let's discuss these two concepts in the first part of the article.
What is a SonarQube Project?
A SonarQube project is a logical container for the analyses / scans done on your software project. A SonarQube project is created when the first analysis is run on the code / solution. We can also manually create a new SonarQube project.
Creating the project allows you to declare and configure it (define permissions, set quality profiles, etc.) before running the first analysis. You have to be logged in and be granted the Provision Projects permission in SonarQube web app in order to create new projects.
To create a new project, we can either go to the Projects page and select Create Project, or go to Administration > Projects > Management and select Create Project. Once the project is provisioned, you can configure it (define permissions, set quality profiles, etc.), and when you're finished with the configuration, you can simply run the project's first analysis.
What is SonarScanner?
As the name SonarScanner suggests, these are the tools which scan the code. There are various SonarScanners available and you can choose the one that fits your project. Some of the SonarScanners are:
- Gradle – SonarScanner for Gradle
- .NET – SonarScanner for .NET
- Maven – SonarScanner for Maven
- Jenkins – Jenkins extension for SonarQube
- Azure DevOps – SonarQube Extension for Azure DevOps
- Ant – SonarScanner for Ant
- Anything else (CLI) – SonarScanner
As we are scanning a .NET solution against a locally set-up SonarQube instance, we are going to use SonarScanner for .NET.
Which source code are we going to use for this demo?
We are going to use the SampleWebApi solution from my GitHub Repository. This solution contains only a .NET 8 based API, which should be enough for us to get a conceptual understanding.
Which commands are we going to use?
The code snippet given below shows the commands that we are going to use to trigger the analysis.
Install dotnet-sonarscanner
This is generally a one-time setup command. It installs the dotnet-sonarscanner tool. Of course, you will have to update the version when needed in future.
Begin
When this command is executed, it hooks into the build pipeline, then downloads the SonarQube quality profiles / settings and prepares the project for analysis.
There are two parameters which are used in the above code snippet:
- Project Key (/k) is basically the project identifier for SonarQube. If you have manually set up the project, use the same key that you used while setting it up. If you have not set up the project yet, you can specify some meaningful string here, as SonarQube will generate the project with the same key / name. If you are performing the scan multiple times, make sure you specify the key of the existing project which was created during the first scan; every time you specify a new key, a new project is created.
- Authentication Token (/sonar.token) is basically the token used for authentication while downloading from (or uploading to) SonarQube. You can generate new tokens at User > My Account > Security. Once you select Generate, you will see the token value. Copy it immediately; once you dismiss the notification, you will not be able to retrieve it.
Build and Optionally Test
This set of commands triggers the build of the web application. It may optionally be followed by a command that initiates the test run. The test run command should execute all the tests and generate the code coverage file, which is then picked up by SonarQube.
End
When this command is executed, it removes the hooks set up during the Begin command. It then collects the analysis data and the coverage files generated during the build. Finally, it uploads all of that to SonarQube.
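As an added example (not code from the original article), here is the install / begin / build+test / end flow discussed above wrapped in a small bash script. It assumes the local SonarQube instance at http://localhost:9000, the project key sample-web-api used in this article, the token exported in a SONAR_TOKEN variable rather than typed on the command line, and a test project that references coverlet.collector so that dotnet test can write an OpenCover report for SonarQube to pick up.

```shell
#!/usr/bin/env bash
# Added example, not code from the original article. Wraps the four steps in
# functions so the host, project key and coverage path live in one place.
# Assumptions: SonarQube at localhost:9000, project key "sample-web-api",
# token supplied via SONAR_TOKEN, coverlet.collector referenced by the tests.
set -eu

SONAR_HOST="${SONAR_HOST:-http://localhost:9000}"
SONAR_PROJECT_KEY="${SONAR_PROJECT_KEY:-sample-web-api}"  # reuse the same key on every scan
COVERAGE_GLOB='TestResults/**/coverage.opencover.xml'     # where coverlet writes its report

# Refuse to start without a token: the scanner must not fall back to anonymous access,
# and keeping the token in a variable keeps it out of the typed command history.
require_token() {
  [ -n "${SONAR_TOKEN:-}" ] || {
    echo "SONAR_TOKEN is not set (generate one at User > My Account > Security)" >&2
    return 1
  }
}

install_scanner() {   # one-time setup; run 'dotnet tool update' later to move versions
  "${DOTNET:-dotnet}" tool install --global dotnet-sonarscanner
}

sonar_begin() {       # hooks the build and downloads the quality profiles
  require_token
  "${DOTNET:-dotnet}" sonarscanner begin \
    /k:"$SONAR_PROJECT_KEY" \
    /d:sonar.host.url="$SONAR_HOST" \
    /d:sonar.token="$SONAR_TOKEN" \
    /d:sonar.cs.opencover.reportsPaths="$COVERAGE_GLOB"
}

build_and_test() {    # build, then run the tests so they produce the OpenCover file
  "${DOTNET:-dotnet}" build --no-incremental
  "${DOTNET:-dotnet}" test --no-build --results-directory TestResults \
    --collect:"XPlat Code Coverage" \
    -- DataCollectionRunSettings.DataCollectors.DataCollector.Configuration.Format=opencover
}

sonar_end() {         # removes the hooks, gathers analysis + coverage, uploads to SonarQube
  require_token
  "${DOTNET:-dotnet}" sonarscanner end /d:sonar.token="$SONAR_TOKEN"
}

run_analysis() { sonar_begin && build_and_test && sonar_end; }

# Only execute when invoked as 'bash sonar-scan.sh run' from the solution directory.
if [ "${1:-}" = "run" ]; then run_analysis; fi
```

Setting DOTNET=echo lets you dry-run the script and see the exact command lines before pointing it at a real server; the dotnet commands themselves are identical when typed into PowerShell.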
Run and Verify
Now let's open the command prompt or Windows Terminal, navigate to the directory where the solution file is located, and run the commands discussed above.
After running those commands, you can log in to the SonarQube web portal. The SonarQube server may take a couple of minutes to process the analysis and generate the snapshots / reports. Once it completes, you should be able to see a project with the identifier 'sample-web-api' and its analysis should be available as shown in the snapshot given below.
Conclusion
If you have reached this far, you should have a basic idea of how to trigger a SonarQube scan and how it actually works. The commands shown support additional switches, but they are not covered in this article, to keep it short and beginner-friendly. As a next step, I would suggest going through the SonarQube documentation to learn all the switches supported by these commands.
I hope you find this information helpful. Let me know your thoughts.