Perform a SonarCloud analysis on script-based projects
Getting all the configuration settings right when adding a project to SonarCloud can be a bit of a puzzle. This article explains how to scan a script-based project, such as Gulp, PHP, JavaScript and XML, with SonarCloud from TFS or VSTS (Visual Studio Team Services).
Important update 23–02–2018: SonarSource introduced version 4 of the build tasks and improved the way you can scan script-only projects. Read more in the new blog post.
The basic documentation for configuring a .NET project using MSBuild can be found here:
https://docs.sonarqube.org/display/SCAN/Analyzing+with+SonarQube+Extension+for+VSTS-TFS
For SonarCloud, the organization attribute must be provided. Without this parameter the analysis will fail.
The “Prepare the SonarQube analysis” task contains an additional settings field for this.
Script-based projects cannot use this build task. For these projects the Sonar CLI “Perform a SonarQube analysis” task should be used.
The challenge with this task is that it does not include the “Additional Settings” field and so there is no way to include the organization parameter.
As expected, without this organization parameter the Sonar scan fails. You’ll receive error messages like:
##[error]java.lang.IllegalStateException: Unable to load component class org.sonar.scanner.report.MetadataPublisher
and
##[error]Caused by: org.sonarqube.ws.client.HttpException: Error 404 on https://sonarcloud.io/api/qualityprofiles/search.protobuf?projectKey=Contoso_Company_Gulp_Website : {"errors":[{"msg":"Component key 'Contoso_Company_Gulp_Website' not found"}]}
The only way to provide your organization information is to add a sonar-project.properties file to the root of your project.
The parameter you will need here is: sonar.organization.
I could not find this information in the documentation and I had to get in contact with support to get the correct parameter name.
Here is a sample of my sonar-project.properties file:
sonar.projectKey=Contoso_Company_Gulp_Website
sonar.projectName=Contoso Company Gulp Website
sonar.projectVersion=1.0
sonar.organization=contoso
sonar.sources=.
The Sonar CLI “Perform a SonarQube analysis” task contains a “Settings file” field in the advanced section to reference the sonar-project.properties file.
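A pre-flight check that can run as a script step before the Sonar CLI task, so a missing sonar.organization fails the build with a clear message instead of the 404 shown above. This is an added example, not code from the original article or from SonarSource; the function names, the simplified .properties parser and the choice to also require sonar.projectKey and sonar.sources are assumptions made for illustration.

```python
"""Pre-flight check: fail fast when sonar-project.properties lacks a required key."""
import sys

# Assumption: keys taken from the article's sample file; sonar.organization is the
# one the article says SonarCloud needs.
REQUIRED_KEYS = ("sonar.projectKey", "sonar.organization", "sonar.sources")


def parse_properties(text):
    """Parse a simplified subset of Java .properties syntax into a dict.

    Handles '#'/'!' comments, '=' or ':' separators and trailing-backslash
    continuations. Escape sequences and whitespace-only separators are not handled.
    """
    props, pending = {}, ""
    for raw in text.splitlines() + [""]:      # extra "" flushes a dangling continuation
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        # The key ends at the first '=' or ':'; later ones (e.g. in a URL) are value.
        cut = min((i for i in (line.find("="), line.find(":")) if i != -1),
                  default=len(line))
        props[line[:cut].strip()] = line[cut + 1:].strip()
    return props


def missing_keys(text, required=REQUIRED_KEYS):
    """Return the required keys that are absent or have an empty value."""
    # A UTF-8 BOM from a Windows editor would otherwise become part of the first key.
    props = parse_properties(text.lstrip("\ufeff"))
    return [key for key in required if not props.get(key)]


def main(path="sonar-project.properties"):
    with open(path, encoding="utf-8-sig") as handle:
        missing = missing_keys(handle.read())
    for key in missing:
        print(f"{path}: required setting '{key}' is missing or empty", file=sys.stderr)
    return 1 if missing else 0      # non-zero exit fails the build step


if __name__ == "__main__":
    sys.exit(main(*sys.argv[1:2]))
```

Run it from the repository root with an optional path argument; a commented-out or empty sonar.organization line is reported the same way as a missing one.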
You should now be able to successfully analyze your script-based project from VSTS. Enjoy SonarCloud!
Edwin Vriethoff is Technical Lead at Macaw