Integrate Visual Studio Team Services with SonarCloud
Technical debt is the set of problems in a development effort that make forward progress on customer value inefficient. Technical debt saps productivity by making code hard to understand, fragile, time-consuming to change, difficult to validate, and creates unplanned work that blocks progress. Unless they are managed, technical debt can accumulate and hurt the overall quality of the software and the productivity of the development team in the long term.
SonarCloud is the code quality cloud service provided by SonarSource. The main features of SonarCloud are:
- 16 languages: Java, JS, C#, C/C++, Objective-C, TypeScript, Python, ABAP, PLSQL, T-SQL and more.
- Thousands of rules to track down hard-to-find bugs and quality issues thanks to powerful static code analyzers.
- Cloud CI Integrations, with Travis, VSTS, AppVeyor and more.
- Deep code analysis, to explore all source files, whether in branches or pull requests, to reach a green quality gate and promote the build.
- Fast and Scalable
What's covered in this lab
In this lab, you will learn how to integrate Visual Studio Team Services with SonarCloud
- Setup a VSTS project and CI build to integrate with SonarCloud
- Analyze SonarCloud reports
- Integrate static analysis into the VSTS pull request process
Prerequisites for the lab
You will need a Visual Studio Team Services Account. If you do not have one, you can sign up for free here
A Microsoft Work or School account, or a GitHub/BitBucket account. SonarCloud supports logins using any of those identity providers.
Setting up the environment
Install the SonarCloud VSTS extension to your VSTS account
- Navigate to the SonarCloud extension in the Visual Studio Marketplace and click Get it free to install it.
If you do not have the appropriate permissions to install an extension from the marketplace, a request will be sent to the account administrator to ask them to approve the installation.
The SonarCloud extension contains build tasks, build templates and a custom dashboard widget.
Create a new VSTS project for the lab
Create a new project in your VSTS account called SonarExamples
Import the Sonar Scanning Examples repository from GitHub at https://github.com/SonarSource/sonar-scanning-examples.git
See herefor detailed instructions on importing a repository.
The scanning examples repository contains sample projects for a number of build systems and languages including C# with MSBuild, and Maven and Gradle with Java.
Set up a build definition that integrates with SonarCloud
We will set up a new build definition that integrates with SonarCloud to analyze the SonarExamples code. As part of setting up the build definition we will create a SonarCloud account and organization.
In your new VSTS project, go to Builds under Build and Release tab, then click on +New to create a new build definition.
Click Continue to accept the default values for source, Team project, Repository and Default branch
The SonarCloud extension contains custom build templates for Maven, Gradle, .NET Core and .NET Desktop applications. The templates are based on the standard VSTS templates but with additional analysis-specific tasks and some pre-configured settings.
Select the .NET Desktop with SonarCloud template.
The template contains all of the necessary tasks and most of the required settings. We will now provide the values for the remaining settings.
Select the Hosted VS2017 agent queue
Configure the Prepare analysis on SonarCloud task
There are three settings that need to be configured:
Setting Value Notes SonarCloud Service Endpoint SonarCloudSamples The name of the VSTS endpoint that connects to SonarCloud Organization {your SonarCloud org id} The unique key of your organization in SonarCloud Project Key {your VSTS account name}.visualstudio.com.sonarexamples.netfx The unique key of the project in SonarCloud Currently the project key must be globally unique across all projects in SonarCloud. In the future, the project key will only need to be unique within your SonarCloud organization.
We will now create the endpoint and an account on SonarCloud.
Create a service endpoint for SonarCloud
- click on the New button to start creating a new endpoint
Create a SonarCloud account
A service endpoint provides the information VSTS requires to connect to an external service, in this case SonarCloud. There is a custom SonarCloud endpoint that requires two pieces of information: the identity of the organization in SonarCloud, and a token that the VSTS build can use to connect to SonarCloud. We will create both while setting up the endpoint.
- click on the your SonarCloud account security page link
Select the identity provider to use to log in to SonarCloud
As we are not currently logged in to SonarCloud we will be taken to the SonarCloud login page.
- select the identity provider you want use and complete the log in process
Authorize SonarCloud to use the identity provider
The first time you access SonarCloud, you will be asked to grant SonarCloud.io access to your account. The only permission that SonarCloud requires is to read your email address.
After authorizing and logging in, we will be redirected to the Generate token page.
Generate a token to allow VSTS to access your account on SonarCloud:
enter a description name for the token e.g. "vsts_build" and click Generate
click Generate
Copy the generated token
- click Copy to copy the new token to the clipboard
You should treat Personal Access Tokens like passwords. It is recommended that you save them somewhere safe so that you can re-use them for future requests.
We have now created an organization on SonarCloud, and have the token needed configure the VSTS endpoint.
Finish creating the endpoint in VSTS
- return to VSTS Add new SonarCloud Connection page, set the Connection name to SonarCloud, and enter the SonarCloud Token you have just created.
- click Verify connection to check the endpoint is working, then click OK to save the endpoint.
Finish configuring the Prepare analysis on SonarCloud task.
- click on the Organization drop-down and select your organization.
- enter a unique key for your project e.g. [your account].visualstudio.com.sonarexamples.netfx
- enter a friendly name for the project e.g. Sonar Examples - NetFx
[Optional] Enable the Publish Quality Gate Result step
This step is not required and is disabled by default. If this step is enabled, a summary of the analysis results will appear on the Build Summary page. However, this will delay the completion of the build until the processing on SonarCloud has finished.
Save and queue the build.
If you enabled the Publish Quality Gate Result step above the Build Summary will contain a summary of the analysis report.
Either click on the Detailed SonarCloud Report link in the build summary to open the project in SonarCloud, or browse to SonarCloud and view the project.
We have now created a new organization on SonarCloud, and configured a VSTS build to perform analysis and push the results of the build to SonarCloud.
Analyze SonarCloud Reports
Open the Sonar Examples - NetFx project in the SonarCloud Dashboard. Under Bugs and Vulnerabilities, we can see a bug has been caught.
The page has other metrics such as Code Smells, Coverage, Duplications and Size. The following table briefly explains each of these terms.
Terms | Description |
---|---|
Bugs | An issue that represents something wrong in the code. If this has not broken yet, it will, and probably at the worst possible moment. This needs to be fixed |
Vulnerabilities | A security-related issue which represents a potential backdoor for attackers |
Code Smells | A maintainability-related issue in the code. Leaving it as-is means that at best maintainers will have a harder time than they should making changes to the code. At worst, they'll be so confused by the state of the code that they'll introduce additional errors as they make changes |
Coverage | To determine what proportion of your project's code is actually being tested by tests such as unit tests, code coverage is used. To guard effectively against bugs, these tests should exercise or 'cover' a large proportion of your code |
Duplications | The duplications decoration shows which parts of the source code are duplicated |
Size | Provides the count of lines of code within the project including the number of statements, Functions, Classes, Files and Directories |
In this example, along with the bug count, a character C is displayed which is known as Reliability Rating. C indicates that there is at least 1 major bug in this code. For more information on Reliability Rating, click here. For more information on rule types and severities, see here.
Click on the Bugs count to see the details of the bug.
Click on the bug to navigate to the code
You will see the error in line number 9 of Program.cs file as Change this condition so that it does not always evaluate to 'true'; some subsequent code is never executed..
We can also see which lines of code are not covered by tests.
Our sample project is very small and has no historical data. However, there are thousands of public projects on SonarCloud that have more interesting and realistic results.
Set up pull request integration
Configuring SonarCloud analysis to run when a pull request is created has two parts:
- the SonarCloud project needs to be provided with an access token so it can add PR comments to VSTS, and
- a Branch Policy needs to be configured in VSTS to trigger the PR build
Create a Personal Access Token in VSTS.
- Follow the instructions in this article to create a token with Code (read and write) scope.
SonarCloud will post comments to the pull request as if it is user who owns the personal access token. The recommended practice is to create a separate "bot" VSTS user for this so that it is clear which comments are from real developers and which are from SonarCloud.
You should treat Personal Access Tokens like passwords. It is recommended that you save them somewhere safe so that you can re-use them for future requests.
Configure SonarCloud to analyze pull requests
- browse to the Sonar Examples - NetFx dashboard in SonarCloud
- click on Administration, General Settings
- select the Pull Requests tab
- set the Provider drop-down to VSTS
- set the Personal access token
- click Save
Configure the branch policy for the project in VSTS
navigate to the SonarExamples project in VSTS
click on Code, Branches to view the list of branches
click on the settings link ("...") for master and select Branch policies
click Add Build Policy
select the build definition we created earlier from the Build definition drop-down
set the Display name to SonarCloud analysis
click Save
VSTS is now configured to trigger a SonarCloud analysis when any pull request targeting the master branch is created.
Create a new pull request
Now we need to make a change to a file and create a new request so we check that the pull request triggers the analysis.
- navigate to the code file Program.cs at sonarqube-scanner-msbuild/CSharpProject/SomeConsoleApplication/Program.cs and click Edit
- add an empty method to the code as shown in the following screen shot, then click Commit...
In the dialogue that appears:
- change the branch name from master to branch1
- check the Create a pull request checkbox
- click Commit, then click Create on the next screen to submit the pull request
If the pull request integration is correctly configured the UI will show that an analysis build is in progress.
Review the results of the Pull Request analysis
The results show that the analysis build completed successfully, but that the new code in the PR failed the Code Quality check. A comment has been posted to the PR for the new issue that was discovered.
Note that the only issues in code that was changed or added in the pull request are reported - pre-existing issues in Program.cs and other files are ignored.
Block pull requests if the Code Quality check failed
At this point it is still possible to complete the pull request and commit the changes even though the Code Quality check has failed. However, it is simple to configure VSTS to block the commit unless the Code Quality check passes:
- return to the Branch Policy page
- click Add status policy
- select SonarCloud/quality gate from the Status to check drop-down
- set the Policy requirement to Required
- click Save
Users will now be unable to merge the pull request until the Code Quality check is successful, either because all of the issues have been fixed or the the issues have been marked as confirmed or resolved in SonarCloud.
Congratulations!
With the SonarCloud extension for Visual Studio Team Services, you can embed automated testing in your CI/CD pipleine to automate the measurement of your technical debt including code semantics, testing coverage, vulnerabilities. etc. You can also integrate the analysis into the VSTS pull request process so that issues are discovered before they are merged. You've completed this lab.
Have an issue with this section? If so, please give us some feedback so we can improve this section.