All C# and VB.NET code analyzers present in SonarQube are being developed here. These analyzers rely on Roslyn 1.3.2 API.
Before following any of the guides below, if you are external contributor you need to delete analyzers\NuGet.Config.
- Clone this repository
- Open
analyzers\SonarAnalyzer.sln
Visual Studio 2022 version 17.6+ is required to build the project (due to source generators) and run the unit tests.
- Visual Studio 2022 or Rider
- When using Visual Studio, ensure to install the following Workloads:
- ASP.NET and web development
- .NET desktop development
- Visual Studio extension development
- Ensure to install Individual components:
- .NET Framework 4.8 SDK
- .NET Framework 4.8 Targeting pack
- .NET Framework 4.7.2 Targeting pack
- .NET SDK
- .NET Compiler Platform SDK
- Install also:
- .NET Core 3.1 SDK
- .NET 5.0 SDK
- .NET 6.0 SDK
- .NET 7.0 SDK
- The following environment variables must be set:
- JAVA_HOME (e.g.
C:\Program Files\Java\jdk-11.0.2) - MSBUILD_PATH - path to the MSBuild.exe executable (MSBuild 16 e.g.
C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe) - NUGET_PATH - path to the nuget.exe executable (related to the plugin integration tests)
- PATH - the PATH variable must contain (system scope):
- dotnet core installation folder (
C:\Program Files\dotnet\) - MSBuild bin folder (
C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin) - visual studo installer folder (for vswhere.exe) (
C:\Program Files (x86)\Microsoft Visual Studio\Installer) - nuget executable folder (
C:\Program Files\nuget) - JDK bin folder (
C:\Program Files\Java\jdk-11.0.2\bin) - %M2_HOME%\bin (
C:\Program Files\JetBrains\IntelliJ IDEA\plugins\maven\lib\maven3\binMaven cli. Here installed via IntelliJ IDEA.) - SonarScanner for .NET folder and to the Scanner CLI (SonarScanner download)
- dotnet core installation folder (
- Sonar internal only These two steps require access to SonarSource internal resources and are not possible for external contributors
- ORCHESTRATOR_CONFIG_URL - url to
orchestrator.propertiesfile (for integration tests) in uri form (i.e.file:///c:/something/orchestrator.properties). See also: Documentation in the orchestrator repository - RULE_API_PATH - path to folder containing the rule api jar. The rule api jar can be found at repox.jfrog search or repox.jfrog private releases
- ARTIFACTORY_USER your repox.jfrog username (see e.g.
orchestrator.properties) - ARTIFACTORY_PASSWORD the identity token for repox.jfrog.
- ORCHESTRATOR_CONFIG_URL - url to
- JAVA_HOME (e.g.
- Open
analyzers/SonarAnalyzer.sln
You can run the Unit Tests via the Test Explorer of Visual Studio or using dotnet test analyzers\SonarAnalyzer.sln
Rule tests are written in source files and setup like this:
public class MyAnalyzerTest
{
private readonly VerifierBuilder verifier = new VerifierBuilder<MyAnalyzer>();
[TestMethod]
public void MyAnalyzer_CSharp10()
{
verifier
.AddPaths("MyAnalyzer.CSharp10.cs") // searched in analyzers\tests\SonarAnalyzer.Test\TestCases\
.AddReferences(MetadataReferenceFacade.SystemData);
.WithOptions(ParseOptionsHelper.FromCSharp10)
.Verify();
}
}In the test files special annotations are used to describe the non-compliant code.
private void MyMethod() // Noncompliant {{Remove this unused private method}}
// ^^^^^^^^For most projects, there are JSON files in the expected folder with expected issues. One JSON file per rule.
For the ManuallyAddedNoncompliantIssues project, we verify for each file the issues for one specific rule - like we do for Unit Tests. The first occurrence must specify the rule ID (// Noncompliant (S9999)), and the next occurrences can only have // Noncompliant. If multiple rules are raising issues in that file, they will be ignored. The framework can only verify one rule per file. Look at some files inside the ManuallyAddedNoncompliantIssues project.
The same applies for ManuallyAddedNoncompliantIssuesVB.
For details on how the parsing works, read the regression-test.ps1 script.
To run the ITs you will need to follow this pattern:
- Make sure the project is built: Integration tests don't build the analyzer, but use the results of the latest build (debug or release)
- Open the
Developer Command Prompt for VS2022from the start menu - Go to
PATH_TO_CLONED_REPOSITORY/analyzers/its - Run
powershell - Run
.\regression-test.ps1
Notes:
- You can run a single rule using the
-ruleIdparameter (e.g..\regression-test.ps1 -ruleId S1234) - You can run a single project using the
-projectparameter (e.g..\regression-test.ps1 -project Nancy)
If the script ends with SUCCESS: No differences were found! (or exit code 0), this means the changes you have made haven't impacted any rule.
If the script ends with ERROR: There are differences between the actual and the expected issues. (or exit code 1),
the changes you have made have impacted one or many issues raised by the rules.
Note: if you are facing compilation errors on Windows 10 due to unknown characters, disable beta use unicode utf-8 for worldwide language support from your Region Settings.
You can run .\update-expected.ps1 to update the list of expected issues. Please review all added/removed/updated issues to confirm they are wanted. Only after reviewing each difference do the commit.
Note: Integration tests build the code to analyze. If you have an antivirus program on your computer, this may fail with some error messages about an executable file that cannot be open for writing. If this happens, look at the antivirus logs for confirmation, and contact IT team to add an rule to your antivirus program...
You can visualize the differences using:
cd actualgit diff --cached
If you want to debug the analysis of a project, you can add a Debugger.Launch() breakpoint in the class you want to debug. Rebuild SonarAnalyzer.sln and link the analyzer debug binaries to the project you want to debug the analysis for.
- If you are analyzing the project with the Scanner for .NET, after the begin step you can replace the binaries in the local cache (
%TEMP%\.sonarqube\resources\- the0folder for the C# Analyzer, the1folder for the VB .NET analyzer), and then run the build. - If you don't want to use the Scanner for .NET, you can manually reference the binaries in
analyzers/packaging/binaries/in the {cs,vb}proj file with<Analyzer Include=... />items (see Directory.Build.targets as an example)
Please note that if the rule is not in SonarWay, you will also need to enable it in a RuleSet file and link it in the {cs,vb}proj file with the <CodeAnalysisRuleSet> property (see example).
This also works with the Java ITs, as long as the debug assemblies are in the folder which is used by the Java ITs.
When running the build and doing the Roslyn analysis, when hitting the Debugger.Launch() line, a UI window will prompt you to choose a debugger, where your IDE should show up - you will be able to open the solution and debug.
After the debug session, remove the Debugger.Launch() line.
Internal only
- Use IntelliJ IDEA
- Follow the Code Style Configuration for Intellij instructions
- Open the root folder of the repo
- Make sure the
its,sonar-csharp-plugin,sonar-dotnet-core, andsonar-vbnet-pluginfolders are are imported as Maven modules (indicated by a blue square). Search forpom.xmlin the folders and make it a maven project if not.
- Create
settings.xmlin the%USERPROFILE%\.m2directory. A template can be found in the Developer box section in the extranet. Change the username and password settings with the values from the environment variables above. - Run
mvn install clean -DskipTests=truein the respective directories (pom.xml). - Use the IDE to run unit tests in the projects.
Please see the How to contribute section for details on contributing changes back to the code.