How to analyze your open source project with SonarCloud and VSTS

Among code analysis tools there is SonarQube, which I think no longer needs an introduction and which offers very good tooling for integration into your DevOps pipelines.

However, setting up a SonarQube infrastructure requires servers and resources, and therefore time and maintenance costs. For more details, read our posts How to install SonarQube with an ARM Template and Easily deploy SonarQube Server in Azure.

Just as TFS / VSTS exists in both an on-premises version and a cloud version, SonarQube also has a cloud version, and the name of this product is SonarCloud.
SonarCloud is a cloud platform that requires no server or software installation and is free to use for unlimited analysis of open source projects.

The result of this analysis is public, unless you use the paid plan, which allows private projects.

Connect to and prepare SonarCloud

To connect to SonarCloud you have to authenticate with your GitHub or BitBucket account.

Next, for better isolation and organization of projects in SonarCloud, we created a dedicated SonarCloud Organization called ALM|DevOps Rangers.

This organization allows us to better set the rules and quality gates for the different types of projects we run.

To connect SonarCloud to our VSTS account, you need to create a token that will allow VSTS to authenticate to your account.

How we analyze our VSTS extensions source code in VSTS Build

Some time ago, the SonarSource team published a new extension in the Visual Studio Marketplace that provides build tasks to publish code analysis results to the SonarCloud platform.

You can install this extension from the Visual Studio Marketplace.

We updated our VSTS extension build definition by adding these new tasks:

We added the “Prepare analysis” task before the npm install and npm run build steps to initialize the SonarCloud configuration, and inserted the “Run Code analysis” and “Publish analysis result” tasks just after the npm run build command.

The main task of this analysis is the “Prepare analysis on SonarCloud” task, which contains all the configuration for the SonarCloud analysis and integration:

The parameters of this task are:

  1. The SonarCloud service endpoint, configured with the token generated in the SonarCloud account
  2. The name of the organization created in SonarCloud
  3. The project key and project name of the SonarCloud project. The build execution will create this project if it does not exist.
  4. The SonarCloud project version, which we set to the build number.

The "Run Code Analysis" task relies on the configuration from the first task to run the code analysis, and finally the "Publish Analysis Result" task sends the results of this analysis to SonarCloud. These two tasks have no parameters.
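To make the task order concrete, here is an added example (not from the original post) of the same pipeline expressed as a VSTS / Azure Pipelines YAML build definition. The service connection name, organization key, project key and source folder are assumed values; the task identifiers (SonarCloudPrepare@1, SonarCloudAnalyze@1, SonarCloudPublish@1) are those of the SonarSource marketplace extension as I know them, so verify them against your installed version.

```yaml
# Added example, not from the original post. Assumed values: a service
# connection 'SonarCloud-ALMRangers' holding the token, organization key
# 'almrangers', project key 'vsts-extension-sample', sources under 'src'.
trigger:
  - master

pool:
  vmImage: 'ubuntu-latest'

steps:
  # 1. Prepare analysis: runs before npm install / build so the scanner
  #    configuration is in place. The token is read from the service
  #    connection, so no secret appears in this file or in the build logs.
  - task: SonarCloudPrepare@1
    displayName: 'Prepare analysis on SonarCloud'
    inputs:
      SonarCloud: 'SonarCloud-ALMRangers'
      organization: 'almrangers'
      scannerMode: 'CLI'
      configMode: 'manual'
      cliProjectKey: 'vsts-extension-sample'
      cliProjectName: 'VSTS Extension Sample'
      cliProjectVersion: '$(Build.BuildNumber)'   # project version = build number
      cliSources: 'src'
      extraProperties: |
        sonar.exclusions=node_modules/**,dist/**

  - script: npm install
    displayName: 'npm install'

  - script: npm run build
    displayName: 'npm run build'

  # 2. Run the analysis configured by the Prepare step (no parameters).
  - task: SonarCloudAnalyze@1
    displayName: 'Run Code Analysis'

  # 3. Publish the result and wait for the quality gate so its status is
  #    reported in the build summary.
  - task: SonarCloudPublish@1
    displayName: 'Publish Analysis Result'
    inputs:
      pollingTimeoutSec: '300'
```

Because the token lives only in the service endpoint created earlier, it is not exposed in a definition that is itself published with an open source project. The pollingTimeoutSec input makes the publish task wait for the quality gate result, which is what surfaces the gate status in the build summary.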

The result of the analysis

When the build is complete, we can see the results of the Quality gate in the build summary:

And in the SonarCloud portal the complete analysis report:

What's next?

In this article we showed how we can easily analyze the code of our open-source VSTS extensions with SonarCloud and integrate it into a VSTS DevOps pipeline.

In the next blog post we will write a little more about the details of SonarCloud with its configuration of organizations, rules and gates to better adapt it to your needs.

THANKS TO REVIEWERS – Vladimir Gusarov, Wouter de Kort, Oliver Smit, Rui Melo

REFERENCES -
SonarCloud: analyze your GitHub project via VSTS