| title | layout | sidebar | permalink | folder |
|---|---|---|---|---|
Driving continuous quality of your code with SonarCloud |
page |
vsts2 |
/labs/vstsextend/sonarcloud/ |
/labs/vstsextend/sonarcloud/ |
Technical debt is the set of problems in a development effort that make forward progress on customer value inefficient. Technical debt saps productivity by making code hard to understand, fragile, time-consuming to change, difficult to validate, and creates unplanned work that blocks progress. Unless they are managed, technical debt can accumulate and hurt the overall quality of the software and the productivity of the development team in the long term.
SonarCloud{:target="_blank"} is the code quality cloud service provided by SonarSource. The main features of SonarCloud are:
- 16 languages: Java, JS, C#, C/C++, Objective-C, TypeScript, Python, ABAP, PLSQL, T-SQL and more.
- Thousands of rules to track down hard-to-find bugs and quality issues thanks to powerful static code analyzers.
- Cloud CI Integrations, with Travis, Azure DevOps, AppVeyor and more.
- Deep code analysis, to explore all source files, whether in branches or pull requests, to reach a green quality gate and promote the build.
- Fast and Scalable
In this lab, you will learn how to integrate Azure DevOps Services with SonarCloud
- Setup a Azure DevOps project and CI build to integrate with SonarCloud
- Analyze SonarCloud reports
- Integrate static analysis into the Azure DevOps pull request process
-
You will need a Azure DevOps Services Account. If you do not have one, you can sign up for free here{:target="_blank"}
-
A Microsoft Work or School account, or a GitHub/BitBucket account. SonarCloud supports logins using any of those identity providers.
-
Install the SonarCloud Azure DevOps extension to your Azure DevOps account
- Navigate to the SonarCloud extension{:target="_blank"} in the Visual Studio Marketplace and click Get it free to install it.
{% include important.html content= "If you do not have the appropriate permissions to install an extension from the marketplace, a request will be sent to the account administrator to ask them to approve the installation." %}
The SonarCloud extension contains build tasks, build templates and a custom dashboard widget.
-
Create a new Azure DevOps project for the lab
-
Create a new project in your Azure DevOps account called SonarExamples
-
Import the Sonar Scanning Examples repository from GitHub at https://github.com/SonarSource/sonar-scanning-examples.git
See here{:target="_blank"} for detailed instructions on importing a repository.
The scanning examples repository contains sample projects for a number of build systems and languages including C# with MSBuild, and Maven and Gradle with Java.
-
We will set up a new build definition that integrates with SonarCloud to analyze the SonarExamples code. As part of setting up the build definition we will create a SonarCloud account and organization.
-
In your new Azure DevOps project, go to Builds under Build and Release tab, then click on +New to create a new build definition.
-
Click Continue to accept the default values for source, Team project, Repository and Default branch
The SonarCloud extension contains custom build templates for Maven, Gradle, .NET Core and .NET Desktop applications. The templates are based on the standard Azure DevOps templates but with additional analysis-specific tasks and some pre-configured settings.
-
Select the .NET Desktop with SonarCloud template.
The template contains all of the necessary tasks and most of the required settings. We will now provide the values for the remaining settings.
-
Select the Hosted VS2017 agent queue
-
Configure the Prepare analysis on SonarCloud task
There are three settings that need to be configured:
Setting Value Notes SonarCloud Service Endpoint SonarCloudSamples The name of the Azure DevOps endpoint that connects to SonarCloud Organization {your SonarCloud org id} The unique key of your organization in SonarCloud Project Key {your Azure DevOps account name}.visualstudio.com.sonarexamples.netfx The unique key of the project in SonarCloud {% include important.html content= "Currently the project key must be globally unique across all projects in SonarCloud. In the future, the project key will only need to be unique within your SonarCloud organization." %}
We will now create the endpoint and an account on SonarCloud.
-
Create a service endpoint for SonarCloud
- click on the New button to start creating a new endpoint
-
Create a SonarCloud account
A service endpoint provides the information Azure DevOps requires to connect to an external service, in this case SonarCloud. There is a custom SonarCloud endpoint that requires two pieces of information: the identity of the organization in SonarCloud, and a token that the Azure DevOps build can use to connect to SonarCloud. We will create both while setting up the endpoint.
- click on the your SonarCloud account security page link
-
Select the identity provider to use to log in to SonarCloud
As we are not currently logged in to SonarCloud we will be taken to the SonarCloud login page.
- select the identity provider you want use and complete the log in process
-
Authorize SonarCloud to use the identity provider
The first time you access SonarCloud, you will be asked to grant SonarCloud.io access to your account. The only permission that SonarCloud requires is to read your email address.
After authorizing and logging in, we will be redirected to the Generate token page.
-
Generate a token to allow Azure DevOps to access your account on SonarCloud:
-
enter a description name for the token e.g. "vsts_build" and click Generate
-
click Generate
-
-
Copy the generated token
- click Copy to copy the new token to the clipboard
{% include note.html content= "You should treat Personal Access Tokens like passwords. It is recommended that you save them somewhere safe so that you can re-use them for future requests." %}
We have now created an organization on SonarCloud, and have the token needed configure the Azure DevOps endpoint.
-
Finish creating the endpoint in Azure DevOps
- return to Azure DevOps Add new SonarCloud Connection page, set the Connection name to SonarCloud, and enter the SonarCloud Token you have just created.
- click Verify connection to check the endpoint is working, then click OK to save the endpoint.
-
Finish configuring the Prepare analysis on SonarCloud task.
- click on the Organization drop-down and select your organization.
- enter a unique key for your project e.g. [your account].visualstudio.com.sonarexamples.netfx
- enter a friendly name for the project e.g. Sonar Examples - NetFx
-
[Optional] Enable the Publish Quality Gate Result step
This step is not required and is disabled by default. If this step is enabled, a summary of the analysis results will appear on the Build Summary page. However, this will delay the completion of the build until the processing on SonarCloud has finished.
-
Save and queue the build.
-
If you enabled the Publish Quality Gate Result step above the Build Summary will contain a summary of the analysis report.
-
Either click on the Detailed SonarCloud Report link in the build summary to open the project in SonarCloud, or browse to SonarCloud and view the project.
We have now created a new organization on SonarCloud, and configured a Azure DevOps build to perform analysis and push the results of the build to SonarCloud.
Open the Sonar Examples - NetFx project in the SonarCloud Dashboard. Under Bugs and Vulnerabilities, we can see a bug has been caught.
The page has other metrics such as Code Smells, Coverage, Duplications and Size. The following table briefly explains each of these terms.
| Terms | Description |
|---|---|
| Bugs | An issue that represents something wrong in the code. If this has not broken yet, it will, and probably at the worst possible moment. This needs to be fixed |
| Vulnerabilities | A security-related issue which represents a potential backdoor for attackers |
| Code Smells | A maintainability-related issue in the code. Leaving it as-is means that at best maintainers will have a harder time than they should making changes to the code. At worst, they'll be so confused by the state of the code that they'll introduce additional errors as they make changes |
| Coverage | To determine what proportion of your project's code is actually being tested by tests such as unit tests, code coverage is used. To guard effectively against bugs, these tests should exercise or 'cover' a large proportion of your code |
| Duplications | The duplications decoration shows which parts of the source code are duplicated |
| Size | Provides the count of lines of code within the project including the number of statements, Functions, Classes, Files and Directories |
{% include important.html content= "In this example, along with the bug count, a character C is displayed which is known as Reliability Rating. C indicates that there is at least 1 major bug in this code. For more information on Reliability Rating, click here. For more information on rule types and severities, see here." %}
-
Click on the Bugs count to see the details of the bug.
-
Click on the bug to navigate to the code
-
You will see the error in line number 9 of Program.cs file as Change this condition so that it does not always evaluate to 'true'; some subsequent code is never executed..
We can also see which lines of code are not covered by tests.
Our sample project is very small and has no historical data. However, there are thousands of public projects on SonarCloud{:target="_blank"} that have more interesting and realistic results.
Configuring SonarCloud analysis to run when a pull request is created has two parts:
- the SonarCloud project needs to be provided with an access token so it can add PR comments to Azure DevOps, and
- a Branch Policy needs to be configured in Azure DevOps to trigger the PR build
-
Create a Personal Access Token in Azure DevOps.
- Follow the instructions in this article{:target="_blank"} to create a token with Code (read and write) scope.
SonarCloud will post comments to the pull request as if it is user who owns the personal access token. The recommended practice is to create a separate "bot" Azure DevOps user for this so that it is clear which comments are from real developers and which are from SonarCloud.
{% include note.html content= "You should treat Personal Access Tokens like passwords. It is recommended that you save them somewhere safe so that you can re-use them for future requests." %}
-
Configure SonarCloud to analyze pull requests
- browse to the Sonar Examples - NetFx dashboard in SonarCloud
- click on Administration, General Settings
- select the Pull Requests tab
- set the Provider drop-down to Azure DevOps
- set the Personal access token
- click Save
-
Configure the branch policy for the project in Azure DevOps
-
navigate to the SonarExamples project in Azure DevOps
-
click on Code, Branches to view the list of branches
-
click on the settings link ("...") for master and select Branch policies
-
click Add Build Policy
-
select the build definition we created earlier from the Build definition drop-down
-
set the Display name to SonarCloud analysis
-
click Save
Azure DevOps is now configured to trigger a SonarCloud analysis when any pull request targeting the master branch is created.
-
-
Create a new pull request
Now we need to make a change to a file and create a new request so we check that the pull request triggers the analysis.
- navigate to the code file Program.cs at sonarqube-scanner-msbuild/CSharpProject/SomeConsoleApplication/Program.cs and click Edit
- add an empty method to the code as shown in the following screen shot, then click Commit...
In the dialogue that appears:
- change the branch name from master to branch1
- check the Create a pull request checkbox
- click Commit, then click Create on the next screen to submit the pull request
If the pull request integration is correctly configured the UI will show that an analysis build is in progress.
-
Review the results of the Pull Request analysis
The results show that the analysis build completed successfully, but that the new code in the PR failed the Code Quality check. A comment has been posted to the PR for the new issue that was discovered.
Note that the only issues in code that was changed or added in the pull request are reported - pre-existing issues in Program.cs and other files are ignored.
-
Block pull requests if the Code Quality check failed
At this point it is still possible to complete the pull request and commit the changes even though the Code Quality check has failed. However, it is simple to configure Azure DevOps to block the commit unless the Code Quality check passes:
- return to the Branch Policy page
- click Add status policy
- select SonarCloud/quality gate from the Status to check drop-down
- set the Policy requirement to Required
- click Save
Users will now be unable to merge the pull request until the Code Quality check is successful, either because all of the issues have been fixed or the the issues have been marked as confirmed or resolved in SonarCloud.
With the SonarCloud extension for Azure DevOps Services, you can embed automated testing in your CI/CD pipeline to automate the measurement of your technical debt including code semantics, testing coverage, vulnerabilities. etc. You can also integrate the analysis into the Azure DevOps pull request process so that issues are discovered before they are merged.