5 easy steps to run code analysis on your .NET Framework project with SonarQube
There are two ways to get a SonarQube server instance up and running on your local machine: from a zip file, or with Docker. I’ll go with the second option in this post and build a SonarQube server with Docker and Docker Compose.
Prerequisites
- Docker and Docker Compose installed and running. If you are a beginner or not yet familiar with Docker and Docker Compose, I highly recommend Docker Desktop, which bundles both.
- The SonarQube server Docker image.
- The Postgres Docker image (SonarQube needs an external database; its embedded H2 database is meant for evaluation only).
- Some basic knowledge of Docker Compose, enough to understand and modify the Compose file if necessary.
- The build tools matching your project (for .NET Framework v4.6: either Build Tools for Visual Studio 2015 Update 3 or Build Tools for Visual Studio 2017).
- And of course, your .NET Framework source code :D
Install the SonarQube server locally
Step 1: Create a new docker compose file
Create a YAML file defining two services, the SonarQube server and the Postgres database it stores its data in. Give it a name (e.g. sonarqube.yml) and save it.
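The Compose file below is an added example, not the file from the original post: it follows the layout of the official SonarQube Docker documentation, with a few defensive choices of my own. The service names (sonarqube, db), the image tags, the volume names and the SONAR_DB_PASSWORD variable are my assumptions; adjust them to taste.

```yaml
# Added example compose file for a local SonarQube + Postgres stack (not the post's original file).
# Start with:  docker compose -f sonarqube.yml up
services:
  sonarqube:
    # Pin to a named tag instead of "latest" so the server does not silently change version.
    image: sonarqube:community
    depends_on:
      - db
    environment:
      # SonarQube reads its database connection from these three variables.
      # The host "db" is the Postgres service name below; Compose resolves it on the shared network.
      SONAR_JDBC_URL: jdbc:postgresql://db:5432/sonar
      SONAR_JDBC_USERNAME: sonar
      # Password comes from the SONAR_DB_PASSWORD variable in your shell; "sonar" is only the
      # fallback for a throwaway local install. Do not commit a real password into this file.
      SONAR_JDBC_PASSWORD: ${SONAR_DB_PASSWORD:-sonar}
    volumes:
      # Persist analysis data, installed plugins and logs across container restarts.
      - sonarqube_data:/opt/sonarqube/data
      - sonarqube_extensions:/opt/sonarqube/extensions
      - sonarqube_logs:/opt/sonarqube/logs
    ports:
      # Bind to loopback only: the server is reachable at http://localhost:9000 from this
      # machine, but not from the rest of your network (default credentials are admin/admin).
      - "127.0.0.1:9000:9000"
    # vm.max_map_count cannot be set here: it is a host-wide (non-namespaced) kernel setting,
    # so if SonarQube complains that it is too low, raise it on the Docker host (see Step 2).

  db:
    image: postgres:15
    environment:
      # POSTGRES_DB defaults to POSTGRES_USER, so a database named "sonar" is created,
      # matching the JDBC URL above.
      POSTGRES_USER: sonar
      POSTGRES_PASSWORD: ${SONAR_DB_PASSWORD:-sonar}
    volumes:
      - postgresql_data:/var/lib/postgresql/data
    # No "ports" entry: the database is only reachable from the sonarqube container.

volumes:
  sonarqube_data:
  sonarqube_extensions:
  sonarqube_logs:
  postgresql_data:
```

To use a real password, set SONAR_DB_PASSWORD in the shell before running docker compose (or put it in a .env file next to the Compose file and keep that file out of source control).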
Step 2: Run the docker containers using the compose tool
Open a terminal console and execute this command.
docker compose -f /path/to/sonarqube.yml up
Note: After you run the command above, Docker Compose pulls the images and starts everything automatically, and you end up with two running containers. But if the SonarQube log shows the error “max virtual memory areas vm.max_map_count […] is too low, increase to at least 262144”, the SonarQube server cannot start: its embedded Elasticsearch needs that kernel setting raised on the Docker host. Fix it with these ad-hoc steps:
- Step 2.1: Stop the sonarqube and the postgres containers.
- Step 2.2: Open a terminal console and run these commands (the first one opens a shell inside the WSL distribution that Docker Desktop runs its engine in):
wsl -d docker-desktop
sysctl -w vm.max_map_count=262144
- Step 2.3: Start the containers again with the command from step 2. The setting is not persistent; repeat it after Docker Desktop restarts if the error comes back.
Step 3: Create a new sonar project
- Step 3.1: Open a browser, go to http://localhost:9000, and log in to the SonarQube server with the default credentials (admin/admin).
You will then be required to replace the default password with one of your own. Note: this only happens on the first login.
- Step 3.2: Create a new project: Menu > Projects > Add a project > manual > enter the Project key and Display name > submit the form with the ‘Set Up’ button.
- Step 3.3: Create an authentication token.
The token is important because it is what identifies you to the server when an analysis is performed. Treat it like a password: copy it somewhere safe when it is shown, because SonarQube will not display it again.
Almost done! Now you can follow SonarQube’s instructions to run an analysis on your project.
Step 4: Install the SonarScanner for .NET and a Java Runtime
- Step 4.1: Download the scanner build for .NET Framework 4.6+.
- Step 4.2: Extract the zip file and add the extracted folder to the PATH environment variable.
- Step 4.3: Add the MSBuild folder of your Build Tools installation to the PATH environment variable.
- Step 4.4: Install a Java Runtime and create the JAVA_HOME environment variable pointing at it (the scanner needs Java for the ‘end’ step).
Step 5: Run the code analysis on the project
Execute the following commands at the root of your solution.
SonarScanner.MSBuild.exe begin /k:"age-calcuator" /d:sonar.host.url="http://localhost:9000" /d:sonar.login="06a146c139773c9f8ba1b28aa12a22ed03447f6e"
MsBuild.exe /t:Rebuild
SonarScanner.MSBuild.exe end /d:sonar.login="06a146c139773c9f8ba1b28aa12a22ed03447f6e"
Note: 06a146c139773c9f8ba1b28aa12a22ed03447f6e is the token we created in step 3.3, and the ‘begin’, build and ‘end’ steps are three separate commands run in that order. The token is a secret that authenticates the scanner to your server, so do not commit it to source control or hardcode it in shared build scripts; read it from an environment variable or a CI secret instead. (On SonarQube 10.0 and later, pass it with /d:sonar.token instead of the deprecated /d:sonar.login.)
And tada! Your code analysis report is available on the SonarQube server at http://localhost:9000
Conclusions
SonarQube is a static code quality analysis tool and also a Static Application Security Testing (SAST) tool. It helps developers write more secure code by detecting Vulnerabilities and Security Hotspots, explaining them, and suggesting appropriate next steps. It was built to integrate with a CI pipeline and provide feedback during code review, but even without a CI environment on your local machine you can still use the power of SonarQube to make your code cleaner and safer with a few simple steps.