Code Quality and Security for C# and VB.NET

Product	Quality Gate	Coverage
Analyzer
Plugin

Static analysis of C# and VB.NET languages in SonarQube, SonarCloud and SonarLint code quality and security products. These Roslyn analyzers allow you to produce safe, reliable and maintainable code by helping you find and correct bugs, vulnerabilities and code smells in your codebase.

Features

• 370+ C# rules and 160+ VB.​NET rules
• Metrics (cognitive complexity, duplications, number of lines etc.)
• Import of test coverage reports from Visual Studio Code Coverage, dotCover, OpenCover, Coverlet, Altcover.
• Import of third party Roslyn Analyzers results
• Support for custom rules

Useful public resources

• Project homepage
• Issue tracking
• C# rules
• VB.Net rules

Nuget.org packages

• SonarAnalyzer.CSharp
• SonarAnalyzer.VisualBasic

Integration with SonarQube and SonarCloud

• Analyze projects with SonarScanner for .NET
• Importing code coverage
• SonarQube and the code coverage

Do you have a question or feedback?

• Contact us on our Community Forum to provide feedback, ask for help, request new rules or features.
• Create a GitHub Issue if you've found a bug, False-Positive or False-Negative.

Get started

• Building, testing and debugging the Java plugin
• Building, testing and debugging the .NET analyzer
• How to re-generate NuGet lock files
• Using the rspec.ps1 script

How to contribute

There are many ways you can contribute to the sonar-dotnet project. When contributing, please respect our Code of Conduct.

Join the discussions

One of the easiest ways to contribute is to share your feedback with us (see give feedback) and also answer questions from our community forum. You can also monitor the activity on this repository (opened issues, opened PRs) to get more acquainted with what we do.

Pull Request (PR)

If you want to fix an issue, please read the Get started pages first and make sure that you follow our coding style.

Before submitting the PR, make sure all tests are passing (all checks must be green).

• We suggest you do not pick issues with the Area: CFG label (they are difficult, can have many side effects and are less likely to be accepted).
• We suggest you do not implement new rules unless they are already specified for C# and/or VB.NET on our rules repository.

Note: Our CI does not get automatically triggered on the PRs from external contributors. A member of our team will review the code and trigger the CI on demand by adding a comment on the PR (see Azure Pipelines Comment triggers docs):

• /azp run Sonar.Net - It will run the full pipeline, including plugin tests and promotion

Join us

If you would like to work on this project full-time, we are hiring!

Custom Rules

To request new rules, Contact us on our Community Forum.

If you have an idea for a rule but you are not sure that everyone needs it, you can implement your own Roslyn analyzer.

• You can start with this tutorial from Microsoft to write an analyzer.
• All Roslyn-based issues are picked up by the SonarScanner for .NET and pushed to SonarQube / SonarCloud as external issues.
• Also check out SonarQube Roslyn SDK to embed your Roslyn analyzer in a SonarQube plugin, if you want to manage your rules from SonarQube.

Configuring Rules

SonarQube / SonarCloud and SonarLint in Connected Mode

Open the rule in SonarQube / SonarCloud, scroll down and (in case the rule has parameters), you can configure the parameters for each Quality Profile the rule is part of.

Use SonarLint Connected Mode to connect to SonarQube and SonarCloud.

SonarLint

The easiest way is to configure a Quality Profile in SonarCloud.

• Create a dummy repository and analyze it in SonarCloud (it's free for open-source).
• Configure the Quality Profile in SonarCloud for the project you created.
• Then connect SonarLint to that project, and it will download the configuration (ruleset and SonarLint.xml files) locally and update your project based on the Quality Profile.

Standalone NuGet

Standalone NuGet packages can be configured the same way as SonarLint in connected mode. You can use SonarLint and SonarCloud to generate the ruleset and rule configuration file SonarLint.xml as described above and embed them into your project.

You can see how we do it in our own repository for SonarLint Connected mode (and you can reuse the same concept for the NuGet package):

• We reference in each production-code project this Directory.Build.targets.
• This file points to the following ruleset: sonaranalyzer-dotnetCSharp.ruleset.
• And the following SonarLint.xml.

Internal resources

Build configuration

• CI Infrastructure
• CI Infrastructure docs
• VM Images repository
• Azure Pipelines
• Peachee configuration

License

Copyright 2014-2023 SonarSource.

Licensed under the GNU Lesser General Public License, Version 3.0