Sonarqube and Docker (Without Test Coverage)

Updated 03/11/2020

Sonarqube provides static code analysis, testing and continuous inspection.

You can use the public Sonarqube image and its embedded H2 database to test out Sonarqube locally. H2 is not suitable for production, but it is great for learning the product in a safe local environment.

This demo uses a random monorepository I forgot I had. The tests are MS Test, but here I'm just focusing on code quality, like smells and bugs, so the report won't include test coverage. Have a look at Sonarqube With Opencover And xUnit Reports if you are looking for some test coverage.

Software Setup

Sonarqube Server

  1. Start the Sonarqube container. I like to use specific versions, as latest can have breaking changes down the line; below I used 6.7.4. The default login is admin\admin

docker run -d --name sonarqube674 -p 9000:9000 sonarqube:6.7.4

  2. When Sonar v674 first starts it will ask you to create a token; the token is used to identify you when an analysis is performed. Generally you would store this in your secrets manager, but as this is a local demo, my token was sonardemo: a8d6e1e800aaeeec2986b202177d74677d8acbb4. I skipped the rest of the tutorial when it asked me to create a new project; this will be done for you on the first scan.

Sonar Scanner

  1. Locally you will need sonar scanner. At the time of writing, the latest version was 4.3.1.1372
  • sonar-scanner-msbuild-4.3.1.1372-net46.zip is for .Net Framework
  • sonar-scanner-msbuild-4.3.1.1372-netcoreapp2.0.zip is for .Net Core

Download sonar-scanner-msbuild-4.3.1.1372-netcoreapp2.0.zip

  2. Extract the contents of the zip file into C:\dev\sonardemo\tools. The key is to see SonarScanner.MSBuild.dll in the root of tools.

  3. The scanner has a Java dependency; download and install JDK8 jre-8u181-windows-x64.exe. You can verify it's installed from the console by checking the version

java -version

.Net Core SDK

  1. Download and install .NET Core SDK 2.1.202

This gives us MSBuild version 15.x, which will work with SonarScanner and the source code below.

Setup Source Code

You can scan any project, here I’ll just use a random project from my Github space.

  1. Clone the project Boilerplate to c:\dev\sonardemo\tmp

  2. Copy the contents of C:\dev\sonardemo\tmp\Boilerplate\Class Library\PatternsAndPrinciples to C:\dev\sonardemo\ so that the .sln file is in the root; this just makes the sonar steps easier.

  3. Ensure the 3 csproj files target netcoreapp2.0. It's confusing because I thought 2.1 would work but it doesn't; that's because the SDK we build with below, which is v2.1.202, targets .Net Core 2.0 … too many numbers, just go with it (o_O)

<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFramework>netcoreapp2.0</TargetFramework>
    ...

  4. Run dotnet restore to update the assets; this is magic the IDE normally does for us :D

Scan time!

  1. The first step is to run the scanner; here we are passing the key PatternsAndPrinciples for the project to be created, with the login details from the previous steps.

dotnet ./tools/SonarScanner.MSBuild.dll begin /k:"PatternsAndPrinciples" /d:sonar.host.url="http://localhost:9000" /d:sonar.login="a8d6e1e800aaeeec2986b202177d74677d8acbb4"

  2. The second step is to build the project, which needs to use MSBuild 14.0 or 15.0. The . at the end means the current context, so it will look for the .sln you copied earlier to the root of sonardemo

dotnet "C:\Program Files\dotnet\sdk\2.1.202\MSBuild.dll" .

  3. The last step is to end the scan

dotnet ./tools/SonarScanner.MSBuild.dll end /d:sonar.login="a8d6e1e800aaeeec2986b202177d74677d8acbb4"

The code analysis can then be seen at http://localhost:9000/dashboard?id=PatternsAndPrinciples
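
The three scan steps above as one PowerShell script that reads the token from an environment variable instead of typing it into each command. This is an added example, not part of the original post; the variable name SONAR_TOKEN and the Invoke-Step helper are assumptions, and the script is assumed to run from C:\dev\sonardemo.

```powershell
# Added example: begin / build / end without hardcoding the token.
# Assumption: the token was placed in the SONAR_TOKEN environment variable
# beforehand (hypothetical name, not something Sonarqube requires).
$ErrorActionPreference = 'Stop'

$projectKey = 'PatternsAndPrinciples'
$hostUrl    = 'http://localhost:9000'
$scanner    = './tools/SonarScanner.MSBuild.dll'
$msbuild    = 'C:\Program Files\dotnet\sdk\2.1.202\MSBuild.dll'

# Fail early, before anything is sent to the server, if inputs are missing.
$token = $env:SONAR_TOKEN
if ([string]::IsNullOrWhiteSpace($token)) {
    throw 'SONAR_TOKEN is not set; refusing to start the scan.'
}
foreach ($path in @($scanner, $msbuild)) {
    if (-not (Test-Path -LiteralPath $path)) {
        throw "Required file not found: $path"
    }
}

# Hypothetical helper: run one dotnet step and stop the script on a
# non-zero exit code. Only the step name is printed, never the arguments,
# so the token does not end up in console output or captured logs.
function Invoke-Step {
    param(
        [string]   $Name,
        [string[]] $DotnetArgs
    )
    Write-Host "==> $Name"
    & dotnet @DotnetArgs
    if ($LASTEXITCODE -ne 0) {
        throw "$Name failed with exit code $LASTEXITCODE"
    }
}

# Each argument is passed as a single string so PowerShell does not
# re-split or re-quote the /d:key=value pairs.
Invoke-Step 'begin' @($scanner, 'begin', "/k:$projectKey",
                      "/d:sonar.host.url=$hostUrl", "/d:sonar.login=$token")
Invoke-Step 'build' @($msbuild, '.')
Invoke-Step 'end'   @($scanner, 'end', "/d:sonar.login=$token")
```

The token is still handed to dotnet as a process argument, so this keeps it out of the script file and console output rather than out of the local process list.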

Great Success
