Combining SonarQube and Azure DevOps
Code analysis is a best practice in a operating continuous integration pipeline. SonarQube can be used in combination with Azure DevOps. If you do not know SonarQube, it is tool that centralizes static code analysis and unit test coverage. It can be used across multiple languages and for a single project up to enterprise scale.
SonarQube can be used as a SaaS product or hosted on your own instance. SonarQube describes the product as followed:
SonarQube provides the capability to not only show health of an application but also to highlight issues newly introduced. With a Quality Gate in place, you can fix the leak and therefore improve code quality systematically.
This sound interesting and when useful for your situation it should be placed within a continuous integration pipeline, but how do we get started.
SonarQube Deployment
To get started with SonarQube I used the installation on an Azure App Service created by a premium field engineer from Microsoft. The blog post below contains an ARM template that really makes it a single click install.
- SonarQube Hosted On Azure App Service – https://blogs.msdn.microsoft.com/premier_developer/2018/12/23/sonarqube-hosted-on-azure-app-service/
What you might wonder is what the reason was why I used the Azure App Service deployment:
- No license needed
- You do not have to create and manage a Virtual Machine.
- Setting up SSL is easier.
- You can easily integrate other Azure services like the Azure Key Vault.
- Other features of the Azure App Service could be used like deployment slots.
Note: When using the “Deploy to Azure” button and you are using a resource group naming policy you temporary disable it. The “Deploy to Azure” method uses a test that creates a resource group with a GUID to validate the template.
Deploying the resource will not take long. Starting SonarQube is totally different depending on the hosting platform it can take up to 15 minutes.
When the tooling is started login with the admin credentials (admin/admin). Make sure you change them after your first login.
SonarQube Configuration
For sending information to SonarQube a token is needed. To generate a token, click on your name in the top right corner and select “My Account”.
On the “My Account” screen select “Security”.
Fill in a name for the token and click on generate. Copy the token for later use. The next step is to create a new project within SonarQube. The project will be the centralized storage for your analytics information of the code. To create a new project, click on the “+” sign next to your name.
Fill in the appropriate information and select the main language of your project.
The project is now ready, and we can start to configure Azure DevOps to send the analysis information to your SonarQube environment.
Azure DevOps Extension
To make use of SonarQube within Azure DevOps an extension needs to be installed. Here you can find the links to the extensions for SonarQube:
- SonarCloud (SaaS version SonarQube)- https://marketplace.visualstudio.com/items?itemName=SonarSource.sonarcloud
- SonarQube (Hosted version. The version we will use in this blog post)- https://marketplace.visualstudio.com/items?itemName=SonarSource.sonarqube
Build Pipeline
In your Azure DevOps project create a new pipeline or open a pipeline that you want to extend. Press the button to add a new task and search for Sonar you will see the following available tasks. The three-task selected are for the hosted version of SonarQube.
We will start with the “Prepare Analysis Configuration” then the “Run Code Analysis” and then the “Publish Quality Gate Result”.
Prepare Analysis Configuration
The “Prepare Analysis Configuration” is the most important task. With this task you configure the agent job to work correctly with SonarQube.
To establish the connection the tasks needs a SonarQube service endpoint. To create a new service endpoint for SonarQube you can click on the “New” button. In the configuration window for this endpoint fill in the correct information.
In the task itself fill in the key of the project and the name. The task is now configured this means the other tasks can be added to the pipeline. The other task itself do not have any additional configuration.
If you want to include test result you need to make sure to add the “Run Code Analysis” task after the “Test Assemblies” task like the screenshot above.
In the upcoming days and weeks, I will check more functionality and will share more information on this blog.
can you explain me how i can force the analysis on a test project in C#. I’ve one solution with 2 projects and one of them is consider as a test project, so Sonar don’t analysis it and I want to force the analysis on this project
Thanks
How did you configure sonarqube?
Hello, I have configured Sonarqube to analyse my project, and then I want to know the coverage of unit tests, but I can’t complete these process of uploading the coverage file to sonarqube server.
Do you find any way to do this? Have you tried it?
Thank you in advance, regards
How did you configure the process?
We have successfully implemented SonarQube analysis for the majority of our projects. Only the one that needs VS2015 for the build process does not work properly. Everything seems to be fine, but when you dig into the log of the analysis step then it says: 0 files indexed. and nothing is showing up in SQ.
INFO: Indexing files of module ‘Model4x’
INFO: Base dir: D:\a\1\s\Source\Server Side Logic\Model4x
INFO: Source paths: Action.cs, ActionsDeletedMoved.cs, ActionTypes.cs, ActiveUser…
INFO: Excluded sources for coverage: **/*.js
INFO: Indexing files of module ‘Core’
INFO: Base dir: D:\a\1\s\Source\Server Side Logic\Core
INFO: Source paths: Data/EntityFramework/Dynamic.cs, Data/EntityFramework/EntityF…
INFO: Excluded sources for coverage: **/*.js
INFO: Indexing files of module ‘Infrastructure’
INFO: Base dir: D:\a\1\s\Source\Server Side Logic\Infrastructure
INFO: Source paths: Attributes/ResourceAttribute.cs, Entities/Actions/DeleteActio…
INFO: Excluded sources for coverage: **/*.js
INFO: Indexing files of module ‘connext’
INFO: Base dir: D:\a\1\s
INFO: Excluded sources for coverage: **/*.js
INFO: 0 files indexed
INFO: 0 files ignored because of scm ignore settings
I have been trying to find differences between this project’s pipeline/SQ-setup and the others, but the only thing I found is the Visual Studio version and the corresponding Azure host machine.
Are you sure that all the files or on the Azure Host Machine?
is there any way to change the temp folder of sonarqube to change. currently it is creating the temps in /home/user and which doesnt have much space. so looking to change this directory some other location where we have space
Is this what you are looking for:
https://community.sonarsource.com/t/how-to-change-the-temp-direcory-of-sonarqube-from-home-directory/44791
Do you have any article about implementing SonarQube in an CI azure devops pipeline for a .NET Core project?
Not yet but SonarQube is language specific. Are you encountering any issues?
If you can solution on asp.net core project that would be nice.
hello, when I want to replicate your steps I get this error “## [error] [SQ] API GET ‘/ api / server / version’ failed, the error was: {” code “:” UNABLE_TO_VERIFY_LEAF_SIGNATURE “}”, in step Prepare the analysis in SonarQube. Can you help me? Thank you
Haven’t encountered this issue before. Were in the process are you?
Hi’
I have the same problem when using https adress,
did you find an issue?
Hi Maik,
thanks for the nice article !
I have 2 questions concerning ABAP language checks :
1. On top of existing rules, can we add any additional standard rules ?
2.Can we add custom rules which are more company specific code of standards, like naming convention checks , comments etc ?
Thanks
Prasanth P
Is it possible to see the sonarqube code analysis result directly in AzureDevops ? I use community version.
I have not seen this option yet.
Hi Maik,
Thanks for the detailed article !
Can we get analysis for PR branches ? I can see currently PR branch showing status green although developement branch where it is merging is red – in failed state.
Hi Maik,
Is it possible to restrict 80/443 access just for Azure DevOps? I’m not a fan of allowing traffic from unknown ip ranges. I couldn’t find the ranges that my Azure DevOps agents use, it looks like that Azure needs to update its documentation..
Thanks in advance.
Yes, but only if you know the ip addresses.
thanks you so much for writeup. can some one please tell me how do I get ‘server url’ and ‘token’? Any tutorial/link for the same please.
I follow this tutorial ‘https://azuredevopslabs.com/labs/vstsextend/sonarqube/’ also but that FQDN is not accessible by postfixing 9090.
The final SonarQube URL will be http://YOUR_DNS_NAME:9000
any help please
Hi alok,
I haven’t that tutorial often but the URL is the URL you are connecting to. The token in this tutorial is skipped you can retrieve/create it from there. This can also be found in the admin section.
This information you have shared is really a lot helpful. Was searching for this info from a while. Looking forward for further such interesting postings from you
Hi,
We successfully configured and able to successfully run sonar scans in Azure pipelines. We want to fetch some basic details like sonar ceTaskId for that scan from Azure. Does azure devops provides any api using which we can get the sonar scan details.
Yes, just look up the docs from Microsoft
Hi! Could you give me advice, how should I do pipeline if I have only 2 tasks: docker build&push and publish artifact? Appreciate any help!
You should try to fit in those tasks you require. Could you elaborate more on what you are doing?
Thanks for the great post.
In my pipeline, I build the app using a docker build task.
How would you recommend I use sonarqube in this scenario?