Perform SonarCloud and SonarQube analysis with the new version 4 build tasks

Edwin Vriethoff
3 min read · Feb 23, 2018

SonarSource released version 4 of their TFS and VSTS build tasks. The previous build tasks are replaced by 3 new task types, and in this blog post I describe how to use them.

The main benefit of the new build tasks is easy support for non-MSBuild projects, allowing you to scan script-only projects or Maven/Gradle-driven projects.

To find the correct tasks, search for “Sonar” in the Add Task dialog.

The 3 new task types for Sonar

Prepare Analysis Configuration task (Prepare analysis on SonarQube)

This task replaces the previous “Prepare the SonarQube analysis” task and the “Perform a SonarQube analysis” task. The latter task type was used to scan script-only projects. If you would like to scan a script-only project, you can now just select the option “Use standalone scanner”.

The new preparation task supports 3 ways to run the analysis

One of the best improvements of this new preparation task is that the single-line “Additional properties” field is replaced by a multi-line textbox, which allows you to set all the properties as you would normally do in the “sonar-project.properties” file.

The improved additional properties field allows the entry of multiple lines

I prefer to supply these properties in the new preparation task and not in the traditional properties file. This way the build administrator is in control of the correct Sonar operation and the normal team members do not have to care or know about the correct implementation of the SonarQube or SonarSource scanner.

Run Code Analysis task

This task and the “Publish Analysis Result” task replace the old “Complete the SonarQube analysis” task. This run task should now be used in all project types to initiate the Sonar analysis.

Just as in the past, you will position the “Prepare task” and “Run Analysis task” around your build and test tasks.

The correct order of Sonar tasks

The analysis results are now directly pushed to SonarQube or SonarCloud by the ‘Run Code Analysis’ task.

Publish Analysis Result task

The new publish task is optional. It is used to retrieve and display the Quality Gate status in the build summary, and it gives you a sense of whether the application is ready for production “quality-wise”. The duration of your build process will increase, as it will wait for the Sonar server to process the analysis outcome. If you do not care about this information inside VSTS, you can skip this task and decrease the build duration.

A few template tips for easy VSTS integration

It took me some time to find the correct variable templates in VSTS and these might be of use for you too.

To enable the branching functionality of Sonar, you can supply the branch name with the following value: sonar.branch.name=$(Build.SourceBranchName)

To provide unique version numbers for each scan, use $(Build.BuildId).

Use the BuildId and SourceBranchName parameters
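
The task order and the two template variables described above, written out as a YAML build definition. This is an added example, not taken from the original post or from SonarSource's documentation; the endpoint name, project key, project name and the build/test steps are placeholders, and sonar.projectVersion is assumed as the property that receives the build id.

```yaml
# Added example: placeholders are marked; adjust to your own project.
steps:
# 1. Prepare must run BEFORE the build so the scanner can hook into it.
- task: SonarQubePrepare@4
  inputs:
    SonarQube: 'MySonarQubeEndpoint'   # placeholder: name of the service endpoint
    scannerMode: 'MSBuild'             # 'CLI' selects the standalone scanner
    projectKey: 'my-project-key'       # placeholder
    projectName: 'My Project'          # placeholder
    # Multi-line "Additional properties" field, same syntax as
    # sonar-project.properties. Note that Build.SourceBranchName is only the
    # last path segment of the ref (refs/heads/feature/login -> login), so
    # feature/login and bugfix/login would report under the same branch name.
    extraProperties: |
      sonar.branch.name=$(Build.SourceBranchName)
      sonar.projectVersion=$(Build.BuildId)

# 2. Build and test tasks sit between Prepare and Run Code Analysis
#    (stand-ins for whatever your build actually runs).
- task: VSBuild@1
  inputs:
    solution: '**/*.sln'

- task: VSTest@2

# 3. Run Code Analysis pushes the results to SonarQube or SonarCloud.
- task: SonarQubeAnalyze@4

# 4. Optional: waits for the server to process the analysis and shows the
#    Quality Gate status in the build summary. Drop it for shorter builds.
- task: SonarQubePublish@4
  inputs:
    pollingTimeoutSec: '300'
```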

The updated Sonar manual describing the configuration in detail can be found here:

https://docs.sonarqube.org/display/SCAN/Analyzing+with+SonarQube+Extension+for+VSTS-TFS

Edwin Vriethoff is Technical Lead at Macaw

Edwin Vriethoff

I’m a committed consultant with a broad technological background. I’m active as technical lead developer at Macaw Application Services where we love challenges.