After installing SonarQube successfully in our machine, obviously, we have to start analyzing our C#, VB.NET, ASP.NET, ASP.NET MVC, ASP.NET Core, WPF, WCF projects, or entire solution. We have already covered in the previous article how to install SonarQube for C#, VB.NET, ASP.NET, ASP.NET MVC, ASP.NET Core. So now we proceed with how to check project or solution code analysis using SoarQube Community Edition which is a free tool.
This SonarQube Tutorial includes step by step creation of a project in the SonarQube tool and code analysis generation.
Step 1: Start SonarQube using StartSonar.bat file
The first step is to start the SonarQube service using the StartSonar.bat file. This is already discussed in how to install SonarQube for C#, VB.NET, ASP.NET, ASP.NET MVC, ASP.NET Core article.
Step 2: Open SonarQube tool using web browser
Users can open the SonarQube tool using any web browser using http://localhost:9000 URL. Once the SonarQube tool opened, the user can log in to the tool using login credentials. In the previous article about login credentials already discussed.
Step 3: Create project in SonarQube tool for C#, VB.NET, ASP.NET, ASP.NET MVC, ASP.NET Core
Once logged in to the SonarQube tool, there on the home page, we can able to see create a new project option as shown below image.
Step 4: Give Product Key and Display Name
It is mandatory to give a key to identify your project. The Project Key should be unique as if multiple projects created, there should not be any ambiguity. The Display Name should be given for our project and it can be duplicated as it’s just a display name.
Step 5: Generate Project Token
After providing Project Key and Display Name, continue with the Set-Up of C# or VB.Net Project. The next step is to create or generate Project Token. The token is used to identify us when an analysis is performed. If it has been compromised, we can revoke it at any point in time in our user account. We can give some names to identify the particular project token.
Once we provide name for token, we can go ahead and generate a token.
Step 6: Run analysis on C#, VB.NET, ASP.NET, ASP.NET Core, WPF, WCF project
Once we could able to generate the token for our project, then we have to continue the setup. As we are going to Analyze .NET related projects like C#, VB.NET, ASP.NET, ASP.NET Core, WPF, WCF, Window’s Service, we have to select .NET as build technology as shown below image.
Step 7: Download the Scanner for MSBuild to compile C#, VB.NET, ASP.NET, ASP.NET Core, WPF, WCF projects
As the SonarQube tool is universal and can be used for many technologies, based on our technology we have to have Scanner. The Scanner program is a key part of the SonarQube code analysis process.
When we hit the Download button for SonarScanner, we can see a screen like the above image. As of this article creation date, 5.0.4 is the latest version of SonarScanner for .NET. We can download the scanner based on our project framework. It can be .NET 5 or .NET Framework 4.6 and above or .NET Core Global Tool or .NET CORE 2.0 and above.
For demonstration purposes, I am downloading .NET Framework 4.6+ as my project using .NET Framework 4.7.2
Step 8: Process and compile the code to analyze the Code Quality
To process the code, we need to open the command prompt and we should navigate to the folder where our solution file resides of the project which needs to be analyzed for code quality.
Step 9: Begin Code Analysis process
There are three commands to execute to obtain code quality using SonarQube. The first command is to begin the code analysis process, the second command is to compile the code using MSBuild, and the third to end the code analysis process. To execute the first and third commands, we need SonarScanner.MSBuild.exe. In addition to this, we also need the Project token which we generated in Step 5.
As shown in the above image we can get the first command to begin the Code Analysis process. In the command, we have to give the complete path of SonarScanner.MSBuild.exe. Already Project Key is present in the command “261baf8ba760a9fa44ad660f9a566aa8d97dc3dc”. Except for Project Key, the command remains the same for all the projects. So complete command be like below:
H:\Temp\sonar-scanner-msbuild-22.214.171.12409-net46\SonarScanner.MSBuild.exe begin /k:”Project-Analyze” /d:sonar.host.url=”http://localhost:9000″ /d:sonar.login=”261baf8ba760a9fa44ad660f9a566aa8d97dc3dc”
So we have the command, we can able to run in command prompt:
The user must see the message as “Pre-processing succeeded” in the command prompt after executing the begin command. That means Sonar Scanner did the initial analysis as preparation for Complete Code analysis.
Step 10: Build your source code using MSBuild
The second command to continue code quality analysis using SonarQube, requires MSBuild.exe. If Visual Studio is installed, we can able to get MSBuild.exe in the below path shown in the image.
In the above image, we can able to see the second command in CMD before executing.
“C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MsBuild.exe” /t:Rebuild
In the above command, the first part which is in the double-quotes is the path of MSBuild.exe, and the second part which starts with a slash is the Rebuild command. It means Rebuild will take place using the MSBuild.exe program. Once the command completes Rebuild, it will give the build result as a number of warnings and errors.
Step 11: Complete the Code Analysis process
Time to execute the third command which completes the code analysis process.
As shown in the above image we can get the first command to end the Code Analysis process. In the command, we have to give the complete path of SonarScanner.MSBuild.exe. Already Project Key is present in the command “261baf8ba760a9fa44ad660f9a566aa8d97dc3dc”. Except for Project Key, the command remains the same for all the projects. So complete command be like below:
H:\Temp\sonar-scanner-msbuild-126.96.36.19909-net46\SonarScanner.MSBuild.exe end /d:sonar.login=”261baf8ba760a9fa44ad660f9a566aa8d97dc3dc”
So we have the command, we can able to run in command prompt:
This command will take some time to complete, after the completion, it must show the result as Post-processing succeeded.
After Post-processing succeeded message, SonarQube application in the browser should load the code analysis statistics automatically. If not loaded, we may need to wait some time. The final code analysis result should show like the below image.
So this is how Code Analysis can be done using SonarQube analysis for projects or solutions for C#, VB.NET, ASP.NET, ASP.NET MVC, ASP.NET Core, WPF, WCF, Windows Service, Web API, and all .NET related technologies.
This is a one-time setup and to run next time, we can execute the three commands again. If we create a new project then we can use the same three commands but with a project-specific Project Key. If the project in different technology for example ASP.NET Core then we have to download the SonarScanner for .NET Core as shown in Step 7. If other than .NET technology, then we supposed to download SonarScanner for Java. For the older version of projects, we may need to download old SonarScanners.
In the next article we can analyze the generate SonarQube statistics in detail and how to improve the code quality minimizing the issues mentioned by SonarQube.