Sonarqube scanner analysis method difference and usage

[pushpen...@gmail.com]

Hi ,

I was reading about analysis source code methods under analyzing source code section.

I have got a few questions:-

1. MSBuild : can I use the regular scanner for scanning .net code? What is the difference between regular and MSBuild scanner ? I read it is set of integration components what are those components? What if my project does not use MSBuild for build can i still do the scan?
2.  ANT : What is the job of ANT task jar file here? 
3. Maven: Is it necessary to have build tools like maven ant msbuild etc. on the system to scan those specific build tool related projects? Does the sonar use these build tools to generate builds and then performs code analysis?

Please let me know if you need any clarification on the questions. Thanks!

Regards,

Puhspendra Sahu

[G. Ann Campbell]

Hi Puhspendra,

Answers below

On Thursday, 21 July 2016 17:39:30 UTC-4, pushpendra sahu wrote:

Hi ,

I was reading about analysis source code methods under analyzing source code section.

I have got a few questions:-

1. MSBuild : can I use the regular scanner for scanning .net code? What is the difference between regular and MSBuild scanner ? I read it is set of integration components what are those components? What if my project does not use MSBuild for build can i still do the scan?

If you mean SonarQube Scanner, yes but. The fact is that .NET projects tend to be very complicated, which requires very complicated configuration to get a correct, thorough, &etc. analysis. This was practically impossible for most people to get right, so we put a lot of time and effort into the integration with MSBuild so that very little effort is required on your part for a good analysis.

 

1.  ANT : What is the job of ANT task jar file here? 

Essentially, it provides an Ant wrapper for SonarQube Scanner. If you wanted to use the 'execute' task instead, you would get much the same results, but configuration would probably be a little more difficult. That's speculation. I haven't actually tried it.

 

1. Maven: Is it necessary to have build tools like maven ant msbuild etc. on the system to scan those specific build tool related projects? Does the sonar use these build tools to generate builds and then performs code analysis?

The SonarQube Scanner for Maven is available to make the analysis of Maven projects as easy as possible. Most of the data you'd feed into a SonarQube Scanner configuration is already present in a Maven project's pom(s), and the SonarQube Scanner for Maven picks it up automatically.

Is it necessary to scan an Ant project with SonarQube Scanner for Ant, and a Maven project with SonarQube Scanner for Maven & etc.? No. But they've been provided to make your life easier. If you choose not to use them, your life will be less easy. And if you ask for help on using SonarQube Scanner to analyze a Maven project I can almost guarantee the answer you'll get will be "Use SonarQube Scanner for Maven instead". :-)

HTH,

Ann

[pushpendra sahu]

Thanks for prompt response.. So will i be able to use build tool other than MSBuild (such as NAnt) for .NET projects with sonar? My understanding is sonar scanner for MSBuild is specific for MSBuild projects , not sure how to scan other .NET projects.

[Tamas Vajk]

Hello,

With the Scanner for MsBuild, your analysis is done in three steps:

1. Pre build
2. Build
3. Post build

You are right that the Scanner for MsBuild is specific to MsBuild. In the pre-build step we set up some MsBuild targets that will collect information during the second step (the MsBuild build step). And in the post-build step we do analysis/processing based on what was collected during the build.

So the Scanner for MsBuild won't work with NAnt. I'm unsure about the Scanner for Ant, I doubt that any of us have tried to use it with NAnt.

What is the reason why you're using NAnt?

Tamas