Remove Auto-generated Code from SonarLint Analysis - c#

Background
I am running Visual Studio 2015 Enterprise (RTM) and have enabled the SonarLint extension for code analysis of my multi-project ASP.NET 4.5 MVC solution.
Problem
SonarLint analysis seems to be ignoring the project setting for Code Analysis "Suppress results from generated code (managed only)"
That is, I'm getting a lot of Sonar errors reported back for a couple of *.designer.cs files generated from some .aspx pages. (Most of the project is MVC, for what it's worth.) I don't care about these errors, and don't think I have a decent path for fixing them...
More Details
I have SonarQube integrated with our TFS 2013 environment, and it is correctly ignoring these issues on the TFS server analysis. This problem is just showing up in Visual Studio, using the Roslyn analysis.
Any ideas how I can set up the equivalent of an .ignore file or otherwise fix this?

There is no built-in way of ignoring files in Roslyn at the moment, so you can't do it. Each analyzer needs to decide if the analyzed file needs to be checked or not. Specifically for SonarLint, I've created an issue on GitHub: https://github.com/SonarSource/sonarlint-vs/issues/85. You can track its progress.
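One way an analyzer could make the per-file decision the answer describes, as an added example that is not SonarLint's code or part of the original answer: it treats a file as generated when its name ends in a designer or generator suffix, or when its leading comment block carries an `<auto-generated>` marker. The class name, the suffix list and the scan limit are assumptions.

```csharp
using System;
using System.IO;

public static class GeneratedCodeFilter
{
    // Assumed suffix list; extend it to match the generators used in the solution.
    private static readonly string[] GeneratedSuffixes =
        { ".designer.cs", ".generated.cs", ".g.cs", ".g.i.cs" };

    // Assumed limit: only the leading comment block is inspected.
    private const int HeaderLinesToScan = 10;

    public static bool IsGenerated(string filePath, string sourceText)
    {
        string path = filePath ?? string.Empty;
        foreach (string suffix in GeneratedSuffixes)
        {
            if (path.EndsWith(suffix, StringComparison.OrdinalIgnoreCase))
                return true;
        }

        using (var reader = new StringReader(sourceText ?? string.Empty))
        {
            string line;
            for (int i = 0; i < HeaderLinesToScan && (line = reader.ReadLine()) != null; i++)
            {
                string trimmed = line.Trim();
                if (trimmed.Length == 0) continue;                              // skip blank lines
                if (!trimmed.StartsWith("//", StringComparison.Ordinal)) break; // header comments ended
                if (trimmed.IndexOf("<auto-generated", StringComparison.OrdinalIgnoreCase) >= 0)
                    return true;
            }
        }
        return false;
    }

    public static void Main()
    {
        // Constructed sample inputs, not taken from the question's solution.
        string header = "// <auto-generated>\n//     This code was generated by a tool.\n// </auto-generated>\nnamespace Demo { }";
        string handWritten = "using System;\n// TODO: see <auto-generated> files\nclass C { }";

        Console.WriteLine(IsGenerated("Pages/Login.aspx.designer.cs", "class C { }")); // designer file, no header
        Console.WriteLine(IsGenerated("Models/Entities.cs", header));                  // ordinary name, header marker
        Console.WriteLine(IsGenerated("Controllers/HomeController.cs", handWritten));  // marker appears after code
    }
}
```

Every file that matches is excluded from analysis, so hand-written code that carries the suffix or the header marker goes unchecked; keep the match narrow.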

Related

Visual Studio debugger stepping into non user code on azure functions projects

Visual Studio debugger stepping into non-user code on Azure functions projects.
Just my code is checked.
Reinstalled Visual Studio.
Reset my whole Windows machine.
My Azure Functions projects are currently not debuggable due to this annoying dialog when stepping into Azure Functions assembly code.
GitHub issue
Developer community
I think this may be an issue with those assemblies. See the Modules window and you can find that the debugger recognizes them as User Code!
I think that's why it will try to step into them when you've enabled Just My Code: the debugger thinks those functions are part of User Code. See the answer from Hans and you may get some help about why the debugger recognizes them as User Code.
So it's clear: if the debugger recognizes User Code by the rule "no optimization + debug symbols = User Code", then the assemblies from those folders are recognized as User Code, and when you step into them, the error occurs.
Suggestion:
So you may have to use Step Over (F10) for those Azure functions, and Step Into (F11) for your real user code. And if this issue is reproducible in new Azure projects, I suggest you go to Help menu => Send Feedback => Report a Problem to report this issue to the product team.
Update1:
Now the team on GitHub is tracking this issue and the updated packages will be released soon.
See Debugging Options: "Enable Just My Code" ignored for Durable Functions and Ensure packages are built in release mode.

SonarLint in VS2017 reports different issues to connected SonarCloud analysis

I have a new project on SonarCloud which is analyzing a fairly new C# solution which contains a tiny amount of code at present. I have installed the latest version of SonarLint and successfully connected the project to the SonarCloud project I have set up. The SonarCloud tasks are part of the VSTS build definition and the analysis is running on build with results being reported to SonarCloud.
Some issues - such as "S2933 - Fields that are only assigned in the constructor should be readonly" are reported in SonarCloud and reported in the VS IDE warnings window when code analysis is run locally. This is what I was expecting.
Other issues, such as "S1451 - Add or update the header of this file" are only reported in the IDE.
Some other issues, such as "common-cs:InsufficientCommentDensity" are only reported on SonarCloud, and not in the IDE.
I would like the IDE and SonarCloud to report the same issues as each other; my understanding is that that is the whole point of SonarLint connected mode.
I have created a custom Quality Profile on SonarCloud that inherits from "C# - Sonar way" and activated every rule, which now total 330, although bizarrely when I view anything beyond the first 100 rules on the website I am always presented with the "Activate" button no matter how many times I click it and refresh the page.
If I look at the ruleset file that SonarQube has added to the project in VS, it contains the 330 rules that are in the server quality profile and has ticks next to all of them. There are a further 10 or so rules in this ruleset file that are deactivated and do not appear at all on SonarCloud.
What do I have to do to make the IDE and VSTS analyses consistent?
Some rules act a bit weird indeed.
S1451 has a parameter (the expected file header) and is thus disabled unless you manually configure it. Even in connected mode, SonarLint for Visual Studio does not support synchronization of parameters. This feature is in our backlog and most probably we will be working on it soon.
common-cs:* is a server-side rule (e.g. it runs on SonarQube/SonarCloud) and cannot be executed in SonarLint for Visual Studio.
You could configure the S1451 and the other parametrized rules by adding a new XML file with content similar to this file (link), then reference the file in your project like we do (link).
I was unable to reproduce the QualityProfile Active/Inactive status problem, it would be helpful to share what browser/version are you using and perhaps a short screen capture video of the behavior would be a nice way to demonstrate the problem.
Update: Apparently one of our SonarQube devs managed to reproduce the problem with the QP rule activation/deactivation and created a ticket:
https://jira.sonarsource.com/browse/SONAR-10685

Some C# issues not found by sonarqube C# scanner

I have a build machine set up with Visual Studio 2015 Update 3 and SonarQube MSBuild scanner 2.2.0.24. On the Sonar server side (6.2), I have C# plug-in version 5.5.2.537.
Upon analysing projects, some code smells are not found in the c# files.
I have verified that:
The Sonar project is using the appropriate quality profile.
The quality profile contains the rule and said rule is correctly activated.
I have deleted the whole project in SonarQube and re-run the analysis multiple times. For example, in a particular .cs file I have the comment density code smell working correctly. However, the rule about handling TODO (S1135) is not working even though I have multiple TODOs in the file. Same goes for the rule "Boolean checks should not be inverted" (S1940) that I introduced in the code for testing purposes.
What could cause those issues to not be reported?
I have moved everything to a new build server. Using the same setup and project, all the issues are now correctly reported.

SonarLint intent clarification

I was searching for an extension to integrate VS with Sonar, in order to avoid waiting for Sonar to run to get feedback on my code. Live feedback is really valuable in addition to shared feedback through the Sonar UI (providing shared ruleset, history, trends, analysis...).
I had seen plugins for Eclipse & IntelliJ in last years, which were running Sonar analysis (based on shared ruleset), leveraging incremental analysis also...
Lately, I found vssonarextension that seems to do pretty much the same thing (incremental & preview analysis) for C# projects in Visual Studio.
But I also found the official SonarLint (recently renamed from SonarQube for C#), and I can't grasp how it works. It seems to be disconnected from the SonarQube server and to reimplement rules already implemented on the server (through the C# plugin); am I wrong? Can you clarify?
SonarLint for Visual Studio is based on the new .NET compiler framework (Roslyn), which is shipped within Visual Studio 2015. This extension is working on individual developer machines, and (at the moment) is not connected to the SonarQube server.
To share a set of common rules between developer machines, you can save and commit a ruleset file along with your solution. On each developer's machine this ruleset file will be picked up by the .NET compiler framework, and therefore by SonarLint too. (If you don't want to install the SonarLint VS extension, you have the option to ship this functionality along with the solution in the form of a NuGet package.)
To see the analysis result on a SonarQube server, you would need to use the MsBuild SonarQube Runner (more info). This internally uses the SonarLint assemblies, and adds a few more rules that need parameters that are specified on the server.
SonarLint for Visual Studio integrates with Visual Studio 2015 and provides live feedback, as you code, on quality flaws. It also automatically suggests code fixes. It has no connection with the SonarQube server: you won't be able to see for example all new issues introduced since the last SonarQube analysis, comment on issues, and so on. We're working with Microsoft to improve that over time.
vssonarextension is an unofficial Visual Studio extension for SonarQube. It is not developed and not supported by SonarSource. My understanding is that this extension is an attempt to replicate the Eclipse / IntelliJ SonarQube plugins.
Speaking about the Eclipse / IntelliJ SonarQube plugins (soon to be rebranded into SonarLint for Eclipse / IntelliJ) - these are both ahead of SonarLint for Visual Studio, because they have this connection to the SonarQube server, but also lag behind because of the lack of real-time (or close to real-time) feedback. The Eclipse SonarQube plugin has a new feature to analyze files each time they are saved, improving the experience. Moreover, neither of the two is able to suggest code fixes for now.
The MSBuild SonarQube Runner is not simply a "wrapper" around the sonar-runner: It captures information about your project during the actual msbuild build, forces the FxCop execution, and so on. Yes, in version 1.0, the end phase will invoke the sonar-runner, but this really is just an implementation detail. Newer versions of the SonarQube server will allow analysis reports to be uploaded through a web service, instead of relying on direct accesses from the sonar-runner to the database. So in the future, we can imagine a pure C# implementation of the MSBuild SonarQube Runner, which could work without having to install Java.
The SonarQube C# Plugin provides C# support in SonarQube. You obviously cannot install SonarLint for Visual Studio in SonarQube, as it is an extension for Visual Studio 2015... Now, the SonarQube C# Plugin internally embeds some version of SonarLint VS: It launches a Windows executable that will re-use the same .dll files that the Visual Studio extension uses. This way, there is no need to duplicate the rule implementations.
Feel free to have a look at the sources if you want more details on how this works exactly:
https://github.com/SonarSource/sonar-msbuild-runner
https://github.com/SonarSource/sonarlint-vs
https://github.com/SonarCommunity/sonar-csharp

visual studio enforce build error using code analysis

I'm new to C# and to the project as well. My team members are making a lot of spelling mistakes in strings. My manager wants the build to fail if there are spelling errors. While searching, I found the Visual Studio Code Analysis tool and Spell Checker plugins.
I have configured the Code Analysis tool so that it shows an analysis error if there are spelling mistakes. Is there any way to enforce it as a build failure in such a situation? And is it a good approach? Is there any better approach? I'm using VS2012.
EDIT
I have configured Code Analysis to run on every build. Now it shows an error when running the project after saving the code, but if I run the code again (without saving), it runs successfully. But I want it to show an error on every run until the Code Analysis errors are resolved.
I don't think enforcing build error using code analysis is a good approach, it is really disturbing for the developer while writing the code and the developer can just turn off or uninstall the plugin in their environment.
What you might need to have is setting up a build server that runs the code analysis as part of it. It could be cruise control .net or team city or sonarqube.
You can run other things on that server, like unit test, auto deployment, complexity report, commenting, etc.
