SonarQube Setup Guide for .NET users

Table of Contents
1. Introduction
2. The MIT License
3. Prerequisites
4. Installation and Configuration
5. Analyze .NET Projects From The Command Line
6. Analyze .NET Projects From Team Foundation Server 2013 and 2015
7. Additional Configurations
8. Appendix 1: Upgrading from v0.9 of the SonarQube MSBuild Runner
9. Appendix 2: Configuring the MSBuild SonarQube Runner
10. Appendix 3: Advanced MSBuild SonarQube Runner configuration
11. Conclusion

Introduction
SonarSource products generate process-level benefits, such as decreasing software development risk, raising software quality and
improving team productivity.
This guide aims to provide insightful and practical guidance around installing and configuring the SonarQube (previously known as
Sonar) platform for the analysis of C# and VB.NET projects.
Technical Debt has many causes: business pressures to release early with uncompleted features, software architecture that does not
allow for adaptation to changing business needs, inadequate testing and documentation, isolation of changes requiring future merging
of the changes, and lack of scheduling for refactoring. Paying down on the debt is the only debt reduction strategy.
As we continue ongoing development, the cost of paying down on the technical debt will increase, as does the cost of fixing a bug
later in the development cycle. In theory, paying down technical debt is easy if you simply complete the uncompleted work. However,
knowing what technical debt exists or what to track can be challenging. Enter SonarQube and Team Foundation Server.
SonarQube is an open source platform providing continuous inspection of your code quality. Through the integration of Team
Foundation Server and SonarQube you will be empowered to continuously inspect the technical debt, manage the debt, and pay
down on the debt.
The following are the details of getting the analysis of a .NET project in place, either integrated in an existing deployment of Team
Foundation Server or standalone from the command line using the MSBuild SonarQube Runner.
>> NOTE >> For more information on SonarQube, please refer to Technical Debt and Evaluate your technical debt with Sonar.

The MIT License (MIT)


Copyright (c) 2015 SonarSource SA and Microsoft Corporation
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the
"Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish,
distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to
the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

Prerequisites
At the time of this writing, the current version of SonarQube, v5.1, had the following requirements.

Java
A Java runtime is required for SonarQube to run. Supported JVMs:
Java (Oracle JRE 7 or greater or OpenJDK 7 or greater).

Database
Regardless of which database solution you choose, it must be set to UTF-8, language set to English, and collation to CS (case
sensitive) and AS (accent sensitive).

Figure Database prerequisites

Web Browser
For the best SonarQube experience, make sure JavaScript is enabled in your web browser. Supported web browsers:

Figure Web browser prerequisites

Hardware
At least 1GB RAM
Disk space requirements vary depending on the size and number of projects you wish to analyze using SonarQube. As a point
of reference, Nemo, the public instance of SonarQube, currently analyzes over 15 million lines of source code, which includes
four years of history. Nemo is currently using about 10GB of disk space.
SonarQube relies on intensive hard drive I/O for indexing purposes. You should install SonarQube on the most performant hard
drive you have at your disposal for best results.

File Encoding
SonarQube assumes that all of the source files have the same file encoding. Currently, the MSBuild SonarQube Runner expects this to
be UTF-8. Non-compliance will result in incorrect analysis and display when viewed in the SonarQube portal (for example when
drilling down to view the source associated with an issue).
>> NOTE >> For the most up to date information on SonarQube requirements, check out the requirements.
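
One way to check a source tree against the UTF-8 requirement before running an analysis, as an added PowerShell example that is not part of the original guide. The function names, the extension list and the temporary sample files are assumptions made for illustration.

```powershell
# Added example, not from the SonarQube guide: report source files that are not valid UTF-8.
# Test-Utf8File and Find-NonUtf8Source are hypothetical helper names.

function Test-Utf8File {
    param([Parameter(Mandatory = $true)][string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    # Second constructor argument is throwOnInvalidBytes: decoding fails instead of
    # silently substituting U+FFFD for bytes that are not well-formed UTF-8.
    $strict = New-Object System.Text.UTF8Encoding($false, $true)
    try {
        [void]$strict.GetString($bytes)
        return $true
    } catch {
        return $false
    }
}

function Find-NonUtf8Source {
    param(
        [Parameter(Mandatory = $true)][string]$Root,
        [string[]]$Include = @('*.cs', '*.vb')   # assumption: C# and VB.NET sources only
    )
    Get-ChildItem -Path $Root -Recurse -File -Include $Include |
        Where-Object { -not (Test-Utf8File -Path $_.FullName) } |
        Select-Object -ExpandProperty FullName
}

# Constructed sample input: the comment "// cafe" with an accented e, saved in two encodings.
$demo = Join-Path ([System.IO.Path]::GetTempPath()) ('sq-utf8-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null

# UTF-8: the accented e is the two bytes C3 A9.
$utf8Bytes = [byte[]](0x2F, 0x2F, 0x20, 0x63, 0x61, 0x66, 0xC3, 0xA9)
[System.IO.File]::WriteAllBytes((Join-Path $demo 'Utf8.cs'), $utf8Bytes)

# Windows-1252: the accented e is the single byte E9, which is not well-formed UTF-8.
$cp1252Bytes = [byte[]](0x2F, 0x2F, 0x20, 0x63, 0x61, 0x66, 0xE9)
[System.IO.File]::WriteAllBytes((Join-Path $demo 'Cp1252.cs'), $cp1252Bytes)

$bad = @(Find-NonUtf8Source -Root $demo)
$bad | ForEach-Object { Write-Warning "Not UTF-8: $_" }
Remove-Item -Path $demo -Recurse -Force

# In a build script, point -Root at the solution folder and stop before the
# runner's begin phase when anything is reported:
# if ($bad.Count -gt 0) { exit 1 }
```

Files saved as UTF-16 are reported too, because their byte order mark is not valid UTF-8.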

Installation and Configuration


Installation Topologies
Minimum Deployment
All TFS Services, SQL Server and SonarQube (including Sonar Runner and Build Controller) hosted on a single computer.
Suitable for research, dogfooding and demonstration of entire end-to-end workflow on one machine.
>> NOTE >> In this guide, we will demonstrate the installation and configurations using Brian Keller's VM, with all components
installed on one box.

Medium Deployment
TFS Services and SQL Server are hosted on a single computer and SonarQube (all components) on a separate machine.
Suitable for evaluation in production or near-production environments.

Recommended platform configurations


Refer to System requirements for Team Foundation Server and the TFS Planning, Disaster Avoidance and Recovery, and TFS on
Azure IaaS Guide for information on hardware and capacity planning recommendations for your Team Foundation Server
environment.

Running SonarQube on Hyper-V and Azure IaaS


While preparing a Virtual Machine that will host SonarQube database, portal and/or Runner workloads, take the following guidance
into account:
For production servers it is recommended to use Fixed Sized disks (instead of dynamic ones); estimate the required disk space and
set it aside accordingly.
For production servers it is recommended NOT to use dynamically assigned memory, as this may decrease overall performance in a
production setup; make a realistic estimate, then monitor and adjust accordingly.
Follow SQL Server best practices while setting the SonarQube database, especially in respect of tempdb as per the usage
expected by SonarQube:
Prefer fast disk for tempdb file storage.
Distribute storage in equally sized data files (starting at 1/2 file per physical processor and up to 8 files).
Monitor and size tempdb file storage accordingly.
Plan for a big size of tempdb; approximately 10-12 times SonarQube database size.
Prefer usage of Windows Server 64 bits, preferably Windows Server 2012 R2.
Use a Java JRE (or Java SDK) that supports Server mode and configure SonarQube to use it: edit the sonar.properties file, set
sonar.web.javaOpts=-server, and uncomment the line by removing the # at the start of the line. More details: Installing
the Web Server, Tuning the Web Server.
Prefer to configure Sonar Portal as a Windows Service. More details on how to achieve this are in Running SonarQube as a
Service on Windows.
Configure rules for opening ports used by SonarQube, with the Windows firewall and Azure endpoints, if applicable.
You may use general guidance for Performance Tuning Windows Server in your particular environment/scenario. Please refer to
Performance Tuning Guidelines for Windows Server 2012 R2.
Review and plan for best practices for Physical Servers hosting Hyper-V roles:
Avoid Overloading the Server
Ensure High-Speed Access to Storage
Install Multiple Network Interface Cards
Configure Antivirus Software to Bypass Hyper-V Processes and Directories
Avoid Storing System Files on Drives Used for Hyper-V Storage
Monitor Performance to Optimize and Manage Server Loading

Setup SonarQube Server


1. Download
Download SonarQube 5.1 from the SonarQube downloads.

As mentioned in the Prerequisites section, a Java virtual machine (JVM) is required.


If the installed JVM meets the version requirements listed, you can skip this section. Otherwise, follow the steps below to
install Java.
Download Java SE Runtime Environment and make sure you select the one corresponding to your current operating system.

>> NOTE >> SonarQube does not require the full Java JDK (Java SE Development Kit) to run; you only need the JRE (Java
SE Runtime Environment).
2. Install
Copy sonarqube-5.1.zip and jre-8u45-windows-xXX.exe to your Team Foundation Server.
Install Java SE Runtime Environment on the destination server.

3. Extract
>> NOTE >> Before installing and configuring SonarQube, install and configure SQL Server according to the instructions in the
section Additional Configurations.
Right-click on sonarqube-5.1.zip, select Properties and then click on the Unblock button.

Unzip SonarQube-x.x.zip onto a drive, for example C:\SonarQube\SonarQube-5.1.

At this point, the installation is complete. Yes, it is that easy.

Proceed to the next section to complete the configuration of SonarQube.


4. Configure SonarQube
>> NOTE >> This walkthrough assumes the use of the BK VM. If, for example, you are using SQLExpress instead, you have
to update the connection string. Example:

sonar.jdbc.url=jdbc:jtds:sqlserver://localhost/Sonar;instance=SQLEXPRESS;SelectMethod=Cursor

Alternatively if you are also looking for integrated security you can consider:

sonar.jdbc.url=jdbc:jtds:sqlserver://localhost:1433/sonar;instance=SQLEXPRESS;integratedSecurity=true;authenticationScheme=JavaKerberos

Basic configuration of SonarQube consists of making a few updates to the sonar.properties file.
This file is located in the conf folder located under the SonarQube installation folder. Example: C:\SonarQube\SonarQube-5.1\conf.
You can skip this step if you prefer to keep the default SonarQube port 9000, provided it is available.
In the extracted folder, navigate to the conf folder and edit the sonar.properties file to change the default web port if you need a
different port. By default SonarQube uses port 9000.
Make sure to assign an available port for SonarQube; you may need to use the netstat command to check which ports are currently
in use.
For the purpose of this walkthrough, we assume port 9000 for the FabrikamFiber demo web site.

Search for the # Web Server section.

Uncomment #sonar.web.port and change the port number to any available port, for example 9090.

>> NOTE >> Before proceeding with the configuration steps below, make sure you have configured SonarQube to use a SQL
Server database instead of the embedded database.
Search for and locate the entry for sonar.jdbc.username.

Uncomment (i.e. delete the leading #) the two sonar.jdbc settings circled in the screenshot above and replace sonar in
each setting with the database login name and password, respectively.

Search for and locate the entry for sonar.jdbc.url. There are several copies of this setting based on database type. Make sure
you select the entry for Microsoft SQL Server.

Uncomment (i.e. delete the leading #) the sonar.jdbc.url setting circled in the screenshot above and replace the connection
string to match the server\instance and database name for your machine. Example:
sqlserver://.\SQLExpress/Sonar;SelectMethod=Cursor

>> NOTE >> The jdbc driver installed with SonarQube requires the SQL Server Browser to be running. Check that it is running
using the Services Console.
Save and close the file.
5. OPTIONAL - Connect with integrated authentication on Windows
>> NOTE >> We tested this configuration in an environment that has no security add-ons. If this does not work in your
environment, you need to troubleshoot with your IT department.
Please refer to Building the Connection URL for additional details on how to build the SQL Server connection string for JDBC.
Edit sonar.properties.
Change the SQL Server connection string to use integrated security.

# Only the distributed jTDS driver is supported.


sonar.jdbc.url=jdbc:jtds:sqlserver://localhost;databaseName=sonar;integratedSecurity=true;
If you are using Sonar-runner for analysis, edit sonar-runner.properties and add the same configuration.
#----- Microsoft SQLServer
sonar.jdbc.url=jdbc:jtds:sqlserver://localhost;databaseName=sonar;integratedSecurity=true;

1. Download and install latest SonarQube C# plugin


Download the latest sonar-csharp-plugin-X.Y.jar. At the time of writing, all versions of the C# plugin are available from the C#
Plugin page, on the SonarQube site.
Use version 4.1 or higher of the plugin.
Locate the directory into which SonarQube was installed e.g. C:\SonarQube\SonarQube-5.1\. This directory will have an
extensions\plugins\ subdirectory.
Copy sonar-csharp-plugin-X.Y.jar to this directory from the downloaded package above.
Right-click sonar-csharp-plugin-X.Y.jar and select Properties.
Click the Unblock button to ensure the file is unblocked.
2. Run
Open Command Prompt and change directory (cd) to the extracted folder.
Example:

cd C:\SonarQube\SonarQube-5.1\bin\windows-x86-64

>> NOTE >> You need to run the file corresponding to your operating system.
Run StartSonar.bat
>> NOTE>> If you are prompted with a Windows Security Alert asking for network access, click on the Allow access button

Browse SonarQube web portal using http://YOUR_SERVER_NAME:SONAR_PORT. Example: http://vsalm:9090

You should see the default SonarQube web page as shown above. If not, re-validate settings as shown in the previous
sections.
If the web server does not start, consult the logs in C:\SonarQube\SonarQube-5.1\logs to determine possible issues.
3. Verify the installed SonarQube C# plugin version
Log in to SonarQube using admin credentials.
If this is the first time you are using SonarQube, the default admin credentials are:
- Username: admin
- Password: admin

If you log in using the default credentials, it is recommended that you change the password.
Verify that the C# X.Y plugin has been correctly deployed: navigate to Settings > System > Update Center.

>> NOTE >> The screenshot above is based on version 3.5. You should see version 4.1 or later.
>> NOTE >> Please refer to section Additional Configurations for more details on how to configure additional SonarQube
configurations that are required for enterprise level deployment.

Setup of the MSBuild SonarQube Runner on the Build Agent Machine


Install the MSBuild SonarQube Runner on any machine that will launch SonarQube analysis (example: development machine and build
agent).
When installing the MSBuild SonarQube Runner on a development machine or build agent, make sure that the Java SE
Runtime Environment is installed on that machine.
A separate Java SE Runtime Environment installation is not required if Visual Studio 2015 with Android tooling/Cross platform tools
is installed, since the JDK is installed as part of the Visual Studio installation.
Extract
Download the latest MSBuild SonarQube Runner from the SonarQube downloads.
Right-click on the downloaded .zip file and click on the Unblock button.

Unzip MSBuild.SonarQube.Runner-[version] onto a drive. Example: C:\SonarQube\bin


Configure
Edit C:\SonarQube\bin\SonarQube.Analysis.xml by specifying the following parameters to run against the SonarQube
Server we set up earlier.
If you are running SonarQube 5.1.x or less, uncomment and set the following properties:
sonar.jdbc.url
sonar.jdbc.username
sonar.jdbc.password

OPTIONAL - Update the %PATH% environment variable
Add the directory containing the MSBuild SonarQube Runner executable to the %PATH% if you intend to use it from the command line.

Settings File Permissions


Storing passwords in clear text in unsecured settings files is not recommended.


Restrict access to the C:\SonarQube\bin\SonarQube.Analysis.xml file by setting appropriate file permissions.
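
One way to apply this restriction on the machine that runs the analysis, as an added PowerShell example that is not part of the original guide. The build account name CONTOSO\svc-tfsbuild is a hypothetical placeholder, and the choice of which principals keep access is an assumption.

```powershell
# Added example, not from the SonarQube guide. Run from an elevated PowerShell prompt.
# Assumptions: the runner was unzipped to C:\SonarQube\bin as in this guide, and builds
# run under the hypothetical account CONTOSO\svc-tfsbuild.
$settings     = 'C:\SonarQube\bin\SonarQube.Analysis.xml'
$buildAccount = 'CONTOSO\svc-tfsbuild'

# Well-known SIDs are used instead of group names so the script also works on
# localized Windows installations.
$adminsSid = 'S-1-5-32-544'   # BUILTIN\Administrators
$systemSid = 'S-1-5-18'       # NT AUTHORITY\SYSTEM
$sidType   = [System.Security.Principal.SecurityIdentifier]
$ntAccount = New-Object System.Security.Principal.NTAccount($buildAccount)
$buildSid  = $ntAccount.Translate($sidType).Value

# 1. Stop inheriting ACEs from C:\SonarQube\bin and discard the inherited copies.
icacls $settings /inheritance:r
if ($LASTEXITCODE -ne 0) { throw "icacls /inheritance:r failed for $settings" }

# 2. Full control for administrators and SYSTEM, read-only for the build account.
#    /grant:r replaces earlier explicit grants for the listed principals only;
#    explicit ACEs for any other principal are left in place, which step 3 checks.
icacls $settings /grant:r "*${adminsSid}:(F)" "*${systemSid}:(F)" "*${buildSid}:(R)"
if ($LASTEXITCODE -ne 0) { throw "icacls /grant:r failed for $settings" }

# 3. Verify: every ACE left on the file must belong to one of the three principals.
$allowed    = @($adminsSid, $systemSid, $buildSid)
$unexpected = @((Get-Acl -Path $settings).Access | Where-Object {
    $allowed -notcontains $_.IdentityReference.Translate($sidType).Value
})

foreach ($ace in $unexpected) {
    Write-Warning ("Unexpected ACE: {0} {1} {2}" -f $ace.IdentityReference,
                   $ace.AccessControlType, $ace.FileSystemRights)
}
if ($unexpected.Count -gt 0) {
    throw "Principals outside the allowed set still have access to $settings"
}
```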

Analyze .NET Projects From The Command Line


The following assumes that MSBuild.SonarQube.Runner.exe has been added to the %PATH%. If that is not your case, simply specify the
absolute path to it in both the begin and end phase commands.


1. Run the MSBuild.SonarQube.Runner.exe begin phase

MSBuild.SonarQube.Runner.exe begin /key:{SonarQube project key} /name:{SQ project name} /version:{SQ project version}

The begin phase takes four arguments:


begin
/key:{the project key of the SonarQube project to which the build relates}
/name:{the project name of the SonarQube project}
/version:{the project version of the SonarQube project}
The aliases /k:, /n: and /v: can also be used.
>> NOTE >> If any of the arguments contain spaces then that argument needs to be surrounded by double-quotes e.g.
/name:"My Project Name".
See Configuring the MSBuild SonarQube Runner below for more information on passing additional settings.
2. Launch your normal project build
Basic example:

msbuild

Example, with nuget:

nuget restore
msbuild

>> NOTE >> Make sure to run MSBuild.SonarQube.Runner in an "MSBuild console" or a "VS Developer Command Prompt";
otherwise you will not be able to access the MSBuild command and you may get an error similar to "'msbuild' is not recognized as an
internal or external command, operable program or batch file."
3. Run the MSBuild.SonarQube.Runner.exe end phase

MSBuild.SonarQube.Runner.exe end

Analyze .NET Projects From Team Foundation Server 2013 and 2015
Overview
The build system in Team Foundation Server 2013 ("TFS 2013") is based on Windows Workflow. Builds are defined and customised
using XAML. TFS 2015 introduced a new build system but also supports the legacy "XAML build" system from TFS 2013.
This document describes how to configure a XAML build in TFS 2013 or TFS 2015 to include code analysis. It also gives an
outline of how to set up analysis using the new build system.

Mapping Build Definitions to SonarQube projects


SonarQube uses Projects to organize analysis results by logical application, where an application can consist of a number of modules
(assemblies). It is not currently possible to upload partial analysis results for a SonarQube Project. For example, if SonarQube project
X consists of assemblies A, B and C, it is not possible to build, analyze and upload data for A and B, and later to build, analyze and
upload data for C.
This means that a Build Definition must build and analyze all of the assemblies that are in that SonarQube Project.

Analyzing projects in XAML Builds in TFS 2013 and TFS 2015


Additional considerations when using a TFS 2015 XAML build agent
The settings required to configure a XAML build to perform code analysis are the same for TFS 2013 and TFS 2015. However, if you
are using the TFS 2015 XAML build agent then there are additional considerations:
When analysing data stored in an on-premise TFS installation, the build agent must also have the TFS 2013 Object Model
installed.
A TFS 2015 build agent cannot currently be used to analyse code stored in Visual Studio Online ("VSO").
See the following subsections for more information.

Installing the TFS 2013 Object Model on a TFS 2015 Build Agent
Installing Visual Studio 2013 will install the necessary assemblies on the build agent. Alternatively, Microsoft provides a separate
installer for the object model that can be downloaded and installed as follows:
Browse to the Visual Studio Gallery
Search for "Team Foundation Server Object Model"
Choose the appropriate version of the 2013 object model for the updates you have applied to your TFS installation
Download and run the installer

Analyzing code stored in Visual Studio Online ("VSO") requires a TFS 2013 build agent
If you are analysing code stored in VSO using a XAML build then at present you must use a TFS 2013 build agent. This is a known
issue that is being tracked here [http://jira.sonarsource.com/browse/SONARMSBRU-73].

Updating an existing XAML build definition


>> NOTE >> Assumptions:
One of the standard Team Build workflow templates for TFS2013 (GitTemplate.12.xaml or TfvcTemplate.12.xaml) is used and the
standard Microsoft build targets are used. Users who have customized either the build targets or workflow templates may need to
modify the following steps to take account of their customizations.
You have permissions to create or modify a Build Definition. If you do not, contact your Team Foundation Service administrator.
Edit build definition


Open the Team Explorer in Visual Studio.
Check that you are connected to the correct Team Foundation Server.

Click on the Builds tab.


The displayed Builds page will show information about recent builds and any build definitions that exist.
Right-click on the build definition you want to modify and select Edit Build Definition
This will display the Build Definition in a document window.

Edit advanced build settings

Click on the Process section, then, within the 2. Build section, expand the 5. Advanced section.
This will display the advanced build settings.

Set the following properties in the Advanced section:


Set the Pre-build script path to the full path to MSBuild.SonarQube.Runner.exe.
Set the Pre-build script arguments to contain the following four arguments:
begin
/key:{the project key of the SonarQube project to which the build definition relates}
/name:{the project name of the SonarQube project}
/version:{the project version of the SonarQube project}
The aliases /k:, /n: and /v: can also be used.
>> NOTE >> If any of the arguments contain spaces then that argument needs to be surrounded by double-quotes e.g.
/name:"My Project Name".
Click on the expander for the 2. Advanced section under 3. Test to display the advanced test settings.
Set the Post-test script path to the full path to MSBuild.SonarQube.Runner.exe.
>> NOTE >> The pre and post script paths refer to the same executable.
Set the Post-test script arguments to contain the following argument:
end
OPTIONAL - Configure code coverage
Carry out the following actions if you want to collect code coverage data for tests:
Click on the expander 3. Test
Select the 1. Automated tests line
Click on the ellipsis to bring up the Automated Tests dialogue.

Click on Edit to bring up the Add/Edit Test Run dialog


Select Enable Code Coverage from the Options drop-down.

Click OK to close the dialogs.


>> WARNING >> It is possible to drill down through the 1. Automated tests sections to locate a drop-down for Type of run
settings in which one of the options is CodeCoverageEnabled. However, at the time of writing choosing
CodeCoverageEnabled from the drop-down does not generate coverage results, due to a bug. See TFS 2013 - No Code
Coverage Results on StackOverflow for more info.
Validate and save build settings
The following screenshot shows how the build definition should look at this point.

Save the build definition.

Test the modified build definition


>>NOTE >> Assumptions
If you have not already created a SonarQube Project with Project Key specified in the Build Definition, a new SonarQube Project
will be created automatically, when analysis results are uploaded to SonarQube.
In this case, the initial analysis will use the default SonarQube Quality Profile.
If you want the initial analysis to be performed using a different Quality Profile, you will need to create and configure the
SonarQube project before running the first analysis.
See the SonarQube documentation on Provisioning Projects for more information.
Test the build
Right-click on the build definition in the Team Explorer window.
Select Queue new build from the menu.

A dialogue box will appear presenting various build options.


Click on Queue to accept the default options and start the build.
>> NOTE >> The build may take some time to complete, depending on the complexity of your application.
When the build is complete, the build summary page will indicate whether the build was successful or not.
If the build completed successfully there will be a section entitled SonarQube Analysis Summary.

The section contains a link to the SonarQube portal for the relevant SonarQube Project.

Troubleshooting
Build did not complete successfully and build summary contains one or more errors.
Try modifying the build definition to remove the MSBuild.SonarQube.Runner.exe entries in the pre- and post- script sections. If the
build completes successfully, then the errors are related to analysis.
Most analysis-related configuration or execution errors will cause the build to fail and will appear on the Build Summary.
Additional information can be found by viewing the logs or diagnostic information (i.e. by clicking on View Log, or Diagnostics at the
top of the Build Summary page).

Analyzing projects using the new TFS 2015 build system


The intention is to provide custom tasks to make the process of performing SonarQube analysis in the TFS build system straightforward.
The proposed custom build tasks will also make it possible to run SonarQube analysis on hosted build agents.
However, it is currently possible to perform SonarQube analysis in the new build system on an on-premise build agent by using the
general-purpose "Command Line" task to call MSBuild.SonarQube.Runner.exe (i.e. to do the same job as the "Pre-Build script"/"Post-Build
script" steps in a XAML build).
The following steps provide an outline of how to set this up:
Create an on-premise VSO 2015 build agent using the instructions here
Install the MSBuild.SonarQube.Runner on the build agent
Create a new build definition that includes the MSBuild and (optionally) Visual Studio Test steps
Add Command Line build step before the MSBuild step and after the Visual Studio Test step
In the pre-build command line:
set the Tool field to point to the MSBuild.SonarQube.Runner.exe
supply the necessary arguments in the Arguments field e.g. begin /key:my.project /name:"My Project" /version:1.0
supply the SonarQube server URL and credentials either in the Arguments field or in a settings file e.g.
/d:sonar.host.url=http://mySonarQube:9000
In the post-build command:
set the Tool field to point to the MSBuild.SonarQube.Runner.exe
set the Arguments field to end
Save the build definition
By default a new build definition will run both debug and release builds. SonarQube can only analyse one type of build at a time so
you will need to pick one or the other (Variables tab, BuildConfiguration property).
The following screenshot gives an example of how the build definition would look.

Additional Configurations
Running SonarQube as a Service on Windows
1. Uninstall
To uninstall the NT services, run the following batch file using Run As Administrator.
Example:

<SonarQube_Install_Directory>\bin\windows-x86-64\UninstallNTService.bat

2. Install
To install the NT services, run the following batch file using Run As Administrator.
Example:

<SonarQube_Install_Directory>\bin\windows-x86-64\InstallNTService.bat

3. Service Account


Remove the local system account usage and replace it with an administrative account.

4. Start service

Make sure you have closed all running non-service instances of SonarQube Server.
To start the service use the Services Console or run the following batch file using Run As Administrator.
Example:

<SonarQube_Install_Directory>\bin\windows-x86-64\StartNTService.bat

5. Validate
From Services Console make sure the service is running correctly.
Validate that you are able to browse SonarQube portal.


6. Inter-service dependency
If the SonarQube server is installed on the same machine as SQL Server with the SonarQube database, you need to make sure
that SQL Server is started before the SonarQube service. In addition, the default jdbc driver installed with SonarQube requires
the SQL Browser Service to be running.
Assuming you're using the default SQL Server instance MSSQLSERVER, open the command prompt in administrative mode
and run the following command to ensure both the SQL Server and SQL Browser Service are started before the SonarQube
service. sc expects a space between depend= and its value.

Example: sc config SonarQube depend= MSSQLSERVER/SQLBrowser

>> NOTE >> If you are using a named SQL instance, you can check the name of the service by locating it in the Services
Console and viewing its properties. The Service name to use is given on the General tab.

Validate that the inter-service dependency has been added successfully by navigating to the SonarQube service and checking
the Dependencies tab.

Configure SonarQube to use Microsoft SQL Database


>> NOTE >> For the purposes of this section, we will assume that you have already installed a supported version of Microsoft SQL Server
(SQL Server 2012) as part of the Team Foundation Server installation.
As mentioned in the database requirements above, SQL Server must be set to UTF-8 and the language set to English. The
collation must be set to case-sensitive (CS) and accent-sensitive (AS).
To enable TCP connection for SQL, you must open the SQL Server Configuration Manager and enable TCP/IP within SQL
Server Network Configuration and set it to use static port 1433.
Once a database has been created, you must create a new database user with permissions to create, update, and delete objects
within this database.

Preparations
Before you get to the task of creating a new database for SonarQube, you need to complete a few preparations.
1. Launch SSMS
Launch SQL Server Management Studio (SSMS).
Connect to the SQL Server instance on which you plan to create the database.

Example: .\SQLExpress

2. Check collation
Right-click on the database server node and select Properties.


This will display the Server Properties dialog.


Click on the General node and make a note of the current Server Collation setting.
For example, in the screenshot below, the collation setting is currently set to SQL_Latin1_General_CP1_CI_AS.


You need the collation to be both case sensitive (CS) and accent sensitive (AS).
If either is different, you will need to be sure to select the case-sensitive version when you set the collation for the database
you will create.
3. Check authentication
Click on the Security node.
Since, by default, SonarQube utilizes SQL Authentication, we need to ensure that Server Authentication is set to SQL Server
and Windows Authentication mode as shown in the screenshot below.


Walkthrough
1. Create database for use by SonarQube
Within SSMS right-click on the Databases node (just under the Server\Instance node).
Select New Database


In the General node, set the Database Name to Sonar.


In the Options node, click on the Collation drop-down list and look for the case-sensitive (CS) and accent-sensitive (AS)
variant of the server collation you made note of above.

Click OK to create the initial database.


2. Create database user for SonarQube
Within SSMS right-click on the Security\Logins node (just under the Server\Instance node).
Select


Select the General node.


Set the Login Name e.g. SonarUser
Select SQL Server Authentication and provide a Password.
Uncheck Enforce password expiration.
Set the Default Database to the Sonar database you created.
Set the Default Language to English


In the User Mapping node, ensure the SonarUser has been mapped to the Sonar database and check the db_owner
database role membership.


Click OK to complete the new user setup.


3. Test connection
Launch Visual Studio and select Tools, Connect to Database...


Select Microsoft SQL Server as the Data Source.

On the Add Connection dialog:

Set the Server Name to your SQL Server instance (e.g. .\SQLExpress).
Select Use SQL Server Authentication and provide the User Name and Password you created.
Enter the name of the database you created, for example Sonar.


Click on Test Connection.


You should see the following dialog.
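
The same preparation checks and walkthrough steps can be scripted so that the database setup is repeatable and reviewable. The following PowerShell with embedded T-SQL is an added example, not part of the original guide. It assumes Windows PowerShell run by a SQL Server administrator, the page's example names (.\SQLExpress, Sonar, SonarUser) and a server collation of SQL_Latin1_General_CP1_CI_AS; the Invoke-Sql helper is hypothetical.

```powershell
# Page values: instance .\SQLExpress, database Sonar, login SonarUser, role db_owner.
# Assumption: the server collation noted in "Check collation" was
# SQL_Latin1_General_CP1_CI_AS, so its CS/AS variant is used for the database.
$server    = '.\SQLExpress'
$collation = 'SQL_Latin1_General_CP1_CS_AS'

# Prompt for the password so it is not stored in the script.
$secure = Read-Host -Prompt 'Password for SonarUser' -AsSecureString
$plain  = (New-Object System.Net.NetworkCredential('', $secure)).Password

$conn = New-Object System.Data.SqlClient.SqlConnection("Server=$server;Integrated Security=True")
$conn.Open()

function Invoke-Sql {
    param([string]$Sql, [hashtable]$Parameters = @{})
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $Sql
    foreach ($name in $Parameters.Keys) {
        [void]$cmd.Parameters.AddWithValue($name, $Parameters[$name])
    }
    $cmd.ExecuteScalar()
}

try {
    # "Check authentication": SQL logins only work in mixed mode (property value 0).
    $windowsOnly = Invoke-Sql "SELECT CONVERT(int, SERVERPROPERTY('IsIntegratedSecurityOnly'))"
    if ($windowsOnly -ne 0) { throw 'Enable SQL Server and Windows Authentication mode first.' }

    # "Create database": case-sensitive, accent-sensitive collation.
    Invoke-Sql "CREATE DATABASE [Sonar] COLLATE $collation" | Out-Null

    # "Create database user": CREATE LOGIN accepts no parameters, so the statement is
    # built server-side and quotes in the password are doubled before EXEC.
    # "English" in the New Login dialog corresponds to the language name us_english.
    Invoke-Sql -Parameters @{ '@pwd' = $plain } -Sql @'
DECLARE @sql nvarchar(max) =
    N'CREATE LOGIN [SonarUser] WITH PASSWORD = N''' + REPLACE(@pwd, N'''', N'''''') +
    N''', CHECK_EXPIRATION = OFF, DEFAULT_DATABASE = [Sonar], DEFAULT_LANGUAGE = [us_english]';
EXEC (@sql);
'@ | Out-Null

    # "User Mapping": map the login into Sonar and add it to db_owner.
    Invoke-Sql @'
USE [Sonar];
CREATE USER [SonarUser] FOR LOGIN [SonarUser];
ALTER ROLE [db_owner] ADD MEMBER [SonarUser];
'@ | Out-Null

    $actual = Invoke-Sql "SELECT CONVERT(nvarchar(128), DATABASEPROPERTYEX('Sonar', 'Collation'))"
    if ($actual -notlike '*_CS_AS*') { throw "Sonar collation is $actual, expected CS and AS." }
}
finally { $conn.Close() }

# "Test connection": log in as SonarUser with SQL authentication.
$builder = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
$builder['Data Source']     = $server
$builder['Initial Catalog'] = 'Sonar'
$builder['User ID']         = 'SonarUser'
$builder['Password']        = $plain
$test = New-Object System.Data.SqlClient.SqlConnection($builder.ToString())
$test.Open()
"Connected to database $($test.Database) as SonarUser"
$test.Close()
```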

Secure the SonarQube Portal


By default, the SonarQube portal allows anonymous access, although SonarQube does provide a complete authentication and
authorization mechanism to manage security. As users of the portal will be able to view the analyzed source code, it is recommended
that the anonymous access to the site not be permitted.
See Security section on the SonarQube site for more information.


Appendix 1: Upgrading from v0.9 of the SonarQube MSBuild Runner
Overview of the differences between v0.9 and v1.0
The integration pieces changed significantly from the v0.9 preview version. The main changes in the v1.0 release are as follows:
1. Added support for all of the scenarios supported by the Visual Studio Bootstrapper plugin so that the Visual Studio Bootstrapper
plugin could be deprecated, and
2. Simplified the installation process.
The v0.9 release of the SonarQube MSBuild Runner did not support a number of analysis plugins (e.g. the VB.Net plugin, Resharper
and StyleCop) because it did not provide any way to pass additional settings to those plugins. In version 1.0, global settings can be
specified in the new SonarQube.Analysis.xml file or passed on the command line. Settings specific to a particular MSBuild project
can be specified in the MSBuild project file.
The v0.9 release required the user to manually set up and configure the sonar-runner. This is no longer required in v1.0 (although it is
still necessary for Java to be pre-installed on the machine). Previously the user had to manually install the
SonarQube.Integration.ImportBefore.targets file. This file is now automatically installed to the appropriate per-user location for
MSBuild v4.0, v12.0 and v14.0.
A number of bugs were fixed and a series of improvements made to simplify running an analysis from the command line as well as
through Team Build. Finally, the name of the exe changed from SonarQube.MSBuild.Runner.exe in the preview to
MSBuild.SonarQube.Runner.exe in version 1.0 to comply with the plugin naming convention used by SonarSource.

Required upgrade steps


Perform the following steps to upgrade from version 0.9 of the SonarQube MSBuild Runner:
1. Install the new version of the C# plugin on the SonarQube server as described above.
2. Install the new version of the MSBuild.SonarQube.Runner on the agent machine as described above.
3. (Optional) Migrate any additional settings from the old sonar-runner.properties file to the SonarQube.Analysis.xml file.
If you had added any additional settings in the sonar-runner.properties file then these settings will need to be moved to the
new SonarQube.Analysis.xml file.
4. Delete SonarQube.Integration.ImportBefore.targets from
%ProgramFiles(x86)%\MSBuild\12.0\Microsoft.Common.Targets\ImportBefore.
5. Upgrade any existing build definitions.
The name of the executable in the Pre-build script path and the Post-test script path fields should be changed from
SonarQube.MSBuild.Runner.exe to MSBuild.SonarQube.Runner.exe.
Add begin to the Pre-build script arguments.
Add end to the Post-test script arguments.

Optional upgrade steps - remove the sonar-runner


It is not necessary to uninstall the manually-installed version of the sonar-runner that was required by the v0.9 version. However, if you
do wish to do so then perform the following steps:
1. Delete the sonar-runner files from disk.
2. Remove the sonar-runner bin directory from the %PATH%.
3. Delete the SONAR_RUNNER_HOME environment variable.
4. Delete the SONAR_RUNNER_OPTS environment variable.
5. Restart the TFS Build Service.
If you have amended the environment variables then you will need to restart the Build Service so it uses the modified set of
variables.


Appendix 2: Configuring the MSBuild SonarQube Runner

Contents
Supplying additional analysis settings
Classifying projects as test projects
Excluding artefacts from analysis

Supplying additional analysis settings


The analysis process can be configured by passing additional analysis settings to the MSBuild SonarQube Runner. Global settings can
either be passed on the command line or in a settings file. Project-level settings can be set in the MSBuild project file.

Passing additional global settings on the command line


Individual global settings can be supplied on the command line using the /d switch:

MSBuild.SonarQube.Runner.exe /v:1.0 /n:"My project" /k:my.project /d:sonar.host.url=http://myServer:9001

Passing additional global settings in a settings file


Additional settings can also be supplied in a settings file. The location of the settings file can be specified on the command line using
the /s switch:

MSBuild.SonarQube.Runner.exe /v:1.0 /n:"My project" /k:my.project /s:C:\SharedSettings\SonarQube.Analysis.xml

If the /s command-line switch is not supplied then the MSBuild SonarQube Runner will look for a default settings file called
SonarQube.Analysis.xml in the same directory as the MSBuild.SonarQube.Runner executable file. The default settings file shipped
with the MSBuild SonarQube Runner contains placeholders for the most commonly-required settings and can be used as a template
for custom settings files.

Passing additional non-global settings in a project file


Non-global settings (i.e. settings specific to a particular MSBuild project) can be specified in the MSBuild project file for the project. For
example, the MSBuild.SonarQube.Integration.targets file sets the sonar.stylecop.projectFilePath property as follows:

<ItemGroup>
  <SonarQubeSetting Include="sonar.stylecop.projectFilePath">
    <Value>$(MSBuildProjectFullPath)</Value>
  </SonarQubeSetting>
</ItemGroup>

It should only be necessary to use this mechanism in cases where a plugin requires different values for each project that is being
analysed, as is the case with the StyleCop plugin.

Order of precedence of analysis settings


If the same setting is supplied in multiple places then the value that is used is determined using the following order of precedence
(highest to lowest):

1. command line settings specified using /d
2. settings in a SonarQube.Analysis.xml file (either the default settings file or one specified using the /s command-line switch)
3. settings specified in an MSBuild project file
4. settings fetched from the SonarQube server


Importing Code Coverage reports


See http://docs.sonarqube.org/x/CoBh for details on how to import Code Coverage reports into SonarQube.

Importing Unit Test Execution reports


See http://docs.sonarqube.org/x/DIBh for details on how to import Unit Test Execution reports into SonarQube.

Importing ReSharper Command Line Tools reports


See http://docs.sonarqube.org/x/lwAW for details on how to import ReSharper Command Line Tools reports into SonarQube.

Classifying projects as test projects


SonarQube analyses test projects and product projects differently so it is important that projects are correctly classified as being either
test or product projects.
The MSBuild SonarQube Runner will automatically recognise MSTest unit test projects as being test projects (because of the
presence of a well-known guid in the project file).
Other test projects are recognised by applying a regular expression to the full path of the project file. The regular expression can
be configured in the SonarQube portal on the settings page for the C# plugin:

Figure MSBuild settings tab of the C# plugin


The regular expression uses .NET regular expression syntax.
In version 1.0.1 onwards, the default regular expression treats projects that contain the word "test" in the project file name as test
projects (in version 1.0, projects that contained "test" anywhere in the path were treated as test projects, but user feedback indicated
that this regular expression was not specific enough and incorrectly classified too many projects).
Finally, it is possible to manually classify a project by setting the MSBuild property SonarQubeTestProject, e.g.

<PropertyGroup>
  <!-- Mark the project as being a test project -->
  <SonarQubeTestProject>true</SonarQubeTestProject>
</PropertyGroup>

Excluding artefacts from analysis


Excluding projects from analysis
Certain types of project will automatically be excluded from analysis. For example, Microsoft Fakes generates additional projects
during build. These auto-generated projects will not be analysed.
Individual projects can be excluded from analysis by setting the MSBuild property SonarQubeExclude to true as follows:

<PropertyGroup>
  <!-- Exclude the project from analysis -->
  <SonarQubeExclude>true</SonarQubeExclude>
</PropertyGroup>

See Appendix 3: Advanced MSBuild SonarQube Runner configuration for more information on how SonarQubeExclude can be set
conditionally at build time.

Excluding individual files from analysis


Files that are generated by custom tools within Visual Studio are automatically excluded from analysis, such as the xxx.Designer.cs
file generated from a .resx file:

<Compile Include="Resources.Designer.cs">
  <AutoGen>True</AutoGen>
  <DesignTime>True</DesignTime>
  <DependentUpon>Resources.resx</DependentUpon>
</Compile>

These files are excluded because they are marked as generated by Visual Studio. It is possible to manually exclude a specific file
from analysis by setting the MSBuild metadata item SonarQubeExclude to true as follows:

<ItemGroup>
  <Compile Include="MyFile.cs">
    <!-- Exclude the file from analysis -->
    <SonarQubeExclude>true</SonarQubeExclude>
  </Compile>
</ItemGroup>


Appendix 3: Advanced MSBuild SonarQube Runner configuration


This appendix contains additional information on how the MSBuild SonarQube Runner can be configured to work effectively in more
complex real-world scenarios.

Conditionally excluding projects from analysis


Setting SonarQubeExclude at project level is a simple way to ensure that a project is always included or excluded. However, because
SonarQubeExclude is an MSBuild property it can be set conditionally like any other MSBuild property. This allows considerable
flexibility in deciding whether a project should be excluded or not which can be useful in a number of scenarios.
The following examples show how standard MSBuild features can be used to customise the projects that are analysed.
For example, the same MSBuild project may be included in multiple different solutions. In this situation it is generally desirable that
the MSBuild project should only be analysed once e.g.

Solution1 contains projects 'A', 'B' and 'X'.
  All of the projects should be analysed as part of SonarQube project 'example.sqproject1'
Solution2 contains projects 'C', 'D' and 'X'.
  Only projects 'C' and 'D' should be analysed as part of SonarQube project 'example.sqproject2'

Two possible methods of handling this scenario using a small amount of customisation and configuration are shown below. Both
methods conditionally set the SonarQubeExclude property based on additional data supplied during the build phase.

Explicitly associating an MSBuild project with a SonarQube project


One approach is to add a property to the MSBuild project to specify which SonarQube project it belongs to, and to create a custom
targets file that filters out projects that do not match the project key that is supplied at build time.
The detailed steps are as follows:
add a property to MSBuild project X specifying the SonarQube project key to which the MSBuild project belongs:

<PropertyGroup>
  <TargetSQProjectKey>example.sqproject2</TargetSQProjectKey>
</PropertyGroup>

create a targets file with the following content:

<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003" ToolsVersion="4.0">
  <!-- This target customises the SonarQube MSBuild runner targets to limit the projects that are analysed.
       Only projects with matching SonarQube project keys will be analysed.
  -->
  <PropertyGroup Condition=" $(SQProjectKey) != '' AND $(SonarQubeExclude) == '' ">
    <!-- If the current project specifies a target SQ project then exclude unless the project keys match. -->
    <SonarQubeExclude Condition="$(TargetSQProjectKey) != '' AND $(SQProjectKey) != $(TargetSQProjectKey) " >true</SonarQubeExclude>
  </PropertyGroup>
</Project>

import the custom targets file using one of the standard MSBuild mechanisms e.g. either explicitly import it into the relevant
projects, or drop it in a location in which it will be automatically imported such as
%ProgramFiles(x86)%\MSBuild\[MSBuild version]\Microsoft.Common.Targets\ImportBefore\.
at build time, pass the relevant SonarQube project key to MSBuild.


For a TeamBuild XAML build, this would be done by editing the build definition and setting the "MSBuild arguments"
appropriately e.g. /p:SQProjectKey=example.sqproject1.
On the command line this could be done as follows:

msbuild Solution1.sln /p:SQProjectKey=example.sqproject1
msbuild Solution2.sln /p:SQProjectKey=example.sqproject2

This would have the desired effect of ensuring MSBuild project X is only analysed once.

Excluding projects based on the file path


Depending on the layout of the projects on disk, it might be possible to specify the projects to analyse based on the file paths.
For example, suppose the projects above are laid out on disk as follows:

c:\Web\ProjectA
c:\Web\ProjectB
c:\Framework\ProjectC
c:\Framework\ProjectD
c:\Framework\ProjectX

The following custom targets file selects the projects to analyse based on the file path:

<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003" ToolsVersion="4.0">
  <!-- This target customises the SonarQube MSBuild runner targets to limit the projects that are analysed.
       Projects whose full path and file name do not match the specified filter will be marked as "excluded".
       The regular expression uses the normal .NET regular expression syntax.
       Assumption: the match is case-insensitive (RegexOptions.IgnoreCase), as the lower-case sample filters below require.
  -->
  <PropertyGroup Condition=" $(SonarQubeExclude) == '' AND $(SQPathFilter) != '' ">
    <MatchesSQPathFilter Condition="$([System.Text.RegularExpressions.Regex]::IsMatch($(MSBuildProjectFullPath), $(SQPathFilter), System.Text.RegularExpressions.RegexOptions.IgnoreCase)) ">true</MatchesSQPathFilter>
    <SonarQubeExclude Condition="$(MatchesSQPathFilter) != 'true' " >true</SonarQubeExclude>
  </PropertyGroup>
</Project>

This targets file would allow the projects to be filtered as follows:

REM Only analyse the web projects, regardless of which projects are included in the solution
REM Note: the backslash in the supplied path is escaped
msbuild Solution1.sln /p:SQPathFilter=c:\\web
REM Only analyse the framework projects
msbuild Solution2.sln /p:SQPathFilter=c:\\framework
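
To see which projects a given SQPathFilter value leaves in the analysis, the filter can be evaluated outside the build. The following PowerShell is an added example, not part of the original guide; it assumes the match is case-insensitive (RegexOptions.IgnoreCase), and the project file names, the c:\WebArchive project, Archive.sln and the Get-AnalysedProject function are constructed for illustration.

```powershell
# Directories are the page's layout; the project file names and the
# c:\WebArchive project are constructed for this example.
$solutions = @{
    'Solution1.sln' = @(
        'c:\Web\ProjectA\ProjectA.csproj'
        'c:\Web\ProjectB\ProjectB.csproj'
        'c:\Framework\ProjectX\ProjectX.csproj'
    )
    'Solution2.sln' = @(
        'c:\Framework\ProjectC\ProjectC.csproj'
        'c:\Framework\ProjectD\ProjectD.csproj'
        'c:\Framework\ProjectX\ProjectX.csproj'
    )
    # Constructed: a sibling directory that shares the "c:\web" prefix.
    'Archive.sln'   = @('c:\WebArchive\Legacy\Legacy.csproj')
}

function Get-AnalysedProject {
    param([string[]]$ProjectPath, [string]$SQPathFilter)
    # Same test as the targets file: Regex.IsMatch(path, filter, IgnoreCase).
    # A project that does not match gets SonarQubeExclude=true and is skipped.
    $ignoreCase = [System.Text.RegularExpressions.RegexOptions]::IgnoreCase
    $ProjectPath | Where-Object { [regex]::IsMatch($_, $SQPathFilter, $ignoreCase) }
}

$builds = @(
    @{ Solution = 'Solution1.sln'; Filter = 'c:\\web' }        # from the page
    @{ Solution = 'Solution2.sln'; Filter = 'c:\\framework' }  # from the page
    @{ Solution = 'Solution1.sln'; Filter = 'c:\web' }         # backslash not escaped: \w is a regex class
    @{ Solution = 'Archive.sln';   Filter = 'c:\\web' }        # unanchored prefix also covers c:\WebArchive
    @{ Solution = 'Archive.sln';   Filter = '^c:\\web\\' }     # anchored, with a trailing separator
)

foreach ($build in $builds) {
    $analysed = @(Get-AnalysedProject -ProjectPath $solutions[$build.Solution] -SQPathFilter $build.Filter)
    $names = if ($analysed.Count -gt 0) { ($analysed | Split-Path -Leaf) -join ', ' }
             else { '(no project analysed)' }
    '{0,-14} {1,-16} -> {2}' -f $build.Solution, $build.Filter, $names
}

# The two builds from the page must not analyse any project twice.
$twice = $builds[0..1] |
    ForEach-Object { Get-AnalysedProject -ProjectPath $solutions[$_.Solution] -SQPathFilter $_.Filter } |
    Group-Object | Where-Object { $_.Count -gt 1 }
"Projects analysed more than once: $(@($twice).Count)"
```

An unescaped or unanchored filter fails silently: the build still succeeds while analysing no projects or more projects than intended, so it is worth running the filter over the real project list before adding it to a build definition.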


Conclusion
During our adventure of setting up SonarQube with an existing deployment of Team Foundation Server, we introduced you to
Technical Debt, gave you the prerequisites and installation configurations, and covered the topologies. We hope we have
achieved our goals for the guidance: to get you up and running quickly with SonarQube and Team Foundation Server so you can start
your analysis of your technical debt and begin your debt reduction strategy.
Sincerely
The Microsoft Visual Studio ALM Rangers
The Visual Studio ALM Rangers includes members from the Visual Studio Product group, Microsoft Services, Microsoft Most Valuable
Professionals (MVP) and Visual Studio Community Leads. Their mission is to provide out-of-band solutions to missing features and
guidance. A growing Rangers Index is available online.
- Contributors: Anil Chandra Lingam, Baruch Frei, Brian Blackman, Cesar Solis Brito, Clementino de Mendonca, Darren Rich, Duncan
Pocklington, Hosam Kamel, Jean-Marc Prieur, Jeff Bramwell, Marcelo Silva, Mathew Aniyan, Michael Wiley
- Special thanks to: Colin Dembovsky
