Configuring the SonarScanner for .NET

Code Coverage

In an Azure DevOps / TFS environment, test files are automatically retrieved as follows:

• A search is done for .trx files in any TestResults folder located under $Build.SourcesDirectory.
• If no .trx files are found there, then a fallback search is performed under $Agent.TempDirectory.

Once the .trx files have been found, their .coverage counterparts are retrieved and converted to .coveragexml files for upload to SonarCloud.

As stated above, this will work only with the .NET Framework version of the scanner.

See .NET test Coverage for more information.

Excluding projects from analysis

Some project types, such as Microsoft Fakes, are automatically excluded from the analysis. To manually exclude a different type of project from the analysis, place the following in its .xxproj file.

<!-- in .csproj -->
<PropertyGroup>
  <!-- Exclude the project from analysis -->
  <SonarQubeExclude>true</SonarQubeExclude>
</PropertyGroup>

Advanced topics

Analyzing MSBuild 12, 14, and 15 projects with MSBuild 16

The Sonar Scanner for .NET requires your project to be built with MSBuild 16. We recommend installing Visual Studio 2017 or later on the analysis machine in order to benefit from the integration and features provided with the Visual Studio ecosystem (VSTest, MSTest unit tests, etc.).

Projects targeting older versions of the .NET Framework can be built using MSBuild 16 by setting the "TargetFrameworkVersion" MSBuild property as documented by Microsoft:

• How to: Target a Version of the .NET Framework
• MSBuild Target Framework and Target Platform

For example, if you want to build a .NET 3.5 project, but you are using a newer MSBuild version:

MSBuild.exe /t:Rebuild /p:TargetFramework=net35

If you do not want to switch your production build to MSBuild 16, you can set up a separate build dedicated to the SonarCloud analysis.

Detection of test projects

You can read a full description of that subject on our wiki here.

Per-project analysis parameters

Some analysis parameters can be set for a single MSBuild project by adding them to its .csproj file.

<!-- in .csproj -->
<ItemGroup>
  <SonarQubeSetting Include="sonar.stylecop.projectFilePath">
    <Value>$(MSBuildProjectFullPath)</Value>
  </SonarQubeSetting>
</ItemGroup>

Analyzing languages other than C# and VB

For newer SDK-style projects (used by .NET Core, .NET 5, and later), the SonarScanner for .NET will analyze all file types supported by the available language plugins unless explicitly excluded.

If you have an esproj project type, make sure to use Microsoft.VisualStudio.JavaScript.SDK version 0.5.74-alpha or later to ensure the SonarScanner for .NET recognizes the esproj contents for scanning.

For older-style projects, the scanner will only analyze files listed in the .csproj or .vbproj project file. Usually, this means that only C# and VB files will be analyzed. To enable the analysis of other types of files, include them in the project file.

If you disable multi-file analysis (see below), any files included by an element of the ItemTypes in this list will be analyzed automatically. For example, the following line in your .csproj or .vbproj file will enable the analysis of all JS files in the directory foo\bar because the content is one of the ItemTypes that are automatically analyzed.

<Content Include="foo\bar\*.js" />

You can also add ItemTypes to the default list by following these directions.

You can check which files the scanner will analyze by looking in the file .sonarqube\out\sonar-project.properties after MSBuild has finished.

File type extensions can be manually excluded from the analysis using sonar.exclusions. See the File exclusion and inclusion article on the Analysis scope page for more details.

Using SonarScanner for .NET with a proxy

On build machines that connect to the Internet through a proxy server you might experience difficulties connecting to SonarQube. To instruct the Java VM to use specific proxy settings use the following value:

SONAR_SCANNER_OPTS = "-Dhttp.proxyHost=yourProxyHost -Dhttp.proxyPort=yourProxyPort"

Where yourProxyHost and yourProxyPort are the hostname and the port of your proxy server. There are additional proxy settings for HTTPS, authentication, and exclusions that could be passed to the Java VM. For more information, see the following article: https://docs.oracle.com/javase/8/docs/technotes/guides/net/proxies.html.

You also need to set the appropriate proxy environment variables used by .NET. HTTP_PROXY, HTTPS_PROXY, ALL_PROXY, and NO_PROXY are all supported. You can find more details here.

Multi-language analysis

The SonarScanner for .NET v8.0 automatically analyzes these languages using the sonar.scanner.scanAll parameter. This is exclusively a SonarScanner for .NET-specific parameter and is included in the Begin and End step parameters list above.

These file types are automatically picked up by the scanner:

• CSS (.css,.less,.scss,.sass)
• HTML (.html,.xhtml,.cshtml,.vbhtml,.aspx,.ascx,.rhtml,.erb,.shtm, .shtml,.cmp,.twig)
• Javascript (.js,.jsx,.cjs,.mjs,.vue). See the JavaScript/TypeScript test coverage page for details to adjust your setup.
• JSON (.json)
• PLSQL (.sql,.pks,.pkb)
• SQL (.tsql)
• TypeScript (.ts,.tsx,.cts,.mts). See the JavaScript/TypeScript test coverage page for details to adjust your setup.
• YAML (.yaml,.yml)

File type extensions can be found and configured in the SonarCloud UI; see the Setting the scope by file type article for more details. Additionally, file types can be manually excluded from the analysis using sonar.exclusions. See the Wildcard patterns article on the Analysis scope page for a list of patterns and examples.

Unless manually excluded, the files linked by the .csproj project file will be analyzed even if the value is false.

Known issues

I have multiple builds in the same pipeline, each of them getting analyzed even if the Run Code Analysis has already been executed:

The scanner doesn't uninstall the global ImportBefore targets to support concurrent analyses on the same machine. The main effect is that if you build a solution where a .sonarqube folder is located nearby, then the sonar-dotnet analyzer will be executed along with your build task.

To avoid that, you can disable the targets file by adding a build parameter:

msbuild /p:SonarQubeTargetsImported=true
dotnet build -p:SonarQubeTargetsImported=true

Excluding files in certain directories

It is known that the SonarScanner for .NET can’t filter the excluded files/folders from the analysis, which happens during the build. The sonar.exclusions property is only used to filter issues sent to SonarCloud during the end step.

As a workaround, you can try to add an .editorconfig file in the folder to override the severity of the Sonar rules:

[*.cs]
dotnet_diagnostic.S1118.severity = none

Unfortunately, you may have to manually do this for every rule.

Related pages

Introduction to the SonarScanner for .NET

Installing the SonarScanner for .NET

Using the SonarScanner for .NET