Integrate NDepend with SonarQube
- Introduction: NDepend and SonarQube rule-sets are complementary
- Plugin Prerequisites
- Install the NDepend Plugin
- Define the NDepend Rules-set that will be configured into the Sonar server
- Activate the NDepend Rules in the Sonar server
- Activate the NDepend Rules in the Sonar server (before SonarQube v7.X)
- Run MSBuild Sonar-Runner
- Tips in case of Analysis Error
- Browse NDepend Rules Issues in the SonarQube UI
IMPORTANT:
Introduction: NDepend and SonarQube rule-sets are complementary
Both NDepend and SonarQube are static analyzers that offer a rule-based system to detect problems in C# and VB.NET code. However, the NDepend default rule-set overlaps very little with the SonarQube rules, and also very little with the Roslyn analyzers.
Basically, the Roslyn analyzers and SonarQube rules are good at analyzing what happens inside a method (the code flow), while the NDepend code model, on which the NDepend rules are based, is optimized for a 360-degree view of higher-scale areas such as OOP, dependencies, metrics, breaking changes, mutability and naming.
Concretely, Roslyn analyzers and SonarQube rules can warn about problems like a reference that doesn't need to be tested for nullity because in the current scope it cannot be null, while NDepend can warn you about overly complex classes or components and offer advice about how to refactor to make the code cleaner and more maintainable.
Another point that makes the NDepend ruling system unique is how easy it makes writing custom rules. With NDepend, a rule is a C# LINQ query over a code model dedicated to code quality; it is edited live in Visual Studio and compiled and executed live at edit time.
Concretely, the piece of code below is a fully functional rule; could it be simpler?
// <Name>Interfaces must start with an I</Name>
warnif count > 0
Application.Types.Where(t => t.IsInterface && !t.SimpleName.StartsWith("I"))
When defining a custom rule with NDepend, the user doesn't need to create a Visual Studio project, create a source file, step into the edit/compile/debug cycle, or maintain a binary assembly that requires effort to be shared, versioned and integrated.
With NDepend, custom rules are raw text, embedded as XML CDATA into the NDepend project or rule files. The documentation and how-to-fix guidelines can also be embedded in the rule source code as comments.
Each NDepend rule can also present its issues with extra data that helps the reader understand and fix the problem.
Moreover, each rule can embed two C# formulas that estimate both the cost to fix the issue and the annual cost of leaving the issue unfixed, also called the technical debt and the annual interest of the issue. Since these formulas rely on what really matters at fix time, the debt estimations are realistic.
For example, in the rule below, which detects wrong dependencies (those that create dependency cycles between namespaces), the cost to fix is estimated from the amount of coupling that must be removed. The team can rely on realistic estimations to take the right decisions.
Finally, with NDepend each rule runs in a few milliseconds even on a large code base. As a consequence, all rules can be run in a few seconds (typically 2 or 3 seconds on a real-world code base), both in Visual Studio and in the Continuous Integration system.
As a result, after each compilation and also at check-in time, the developer instantly knows about the new and fixed issues since the baseline, and about the impact in terms of technical debt fixed or created.
Now let's explain how to integrate NDepend rule results into the SonarQube system to combine the strengths of both products.
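As an added example (not one of NDepend's built-in rules), here is the interface-naming rule shown earlier extended with the three facilities just described: documentation embedded as comments, extra data attached to each issue, and the two debt formulas. TypesUsingMe, ToMinutes(), ToDebt() and ToAnnualInterest() are CQLinq members; the minute figures are arbitrary assumptions to be tuned per team.

```csharp
// <Name>Interfaces must start with an I (with debt estimation)</Name>
// <Description>
// Interface names should be prefixed with 'I' so that a reader can tell an
// interface from a class at a glance. This is a documentation block embedded
// in the rule source, as described above.
// </Description>
// <HowToFix>
// Rename the interface with an 'I' prefix and update its implementers and
// call sites (the Visual Studio Rename refactoring does this safely).
// </HowToFix>
warnif count > 0
from t in Application.Types
where t.IsInterface && !t.SimpleName.StartsWith("I")

// Extra data shown with each issue: the number of types that use the
// interface drives how expensive the rename is.
let nbUsers = t.TypesUsingMe.Count()
orderby nbUsers descending

select new {
   t,
   nbUsers,
   t.NbLinesOfCode,

   // Cost to fix (technical debt): 10 minutes for the rename itself plus
   // 2 minutes per dependent type to update. Figures are assumptions.
   Debt = (10 + 2 * nbUsers).ToMinutes().ToDebt(),

   // Annual interest: the yearly cost of leaving the misleading name in
   // place grows with the number of consumers. Figures are assumptions.
   AnnualInterest = (5 + nbUsers).ToMinutes().ToAnnualInterest()
}
```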
Plugin Prerequisites
Install SonarQube
Download http://www.sonarqube.org/downloads/
Install sonar-scanner-msbuild
Download https://github.com/SonarSource/sonar-scanner-msbuild/releases
Install doc https://docs.sonarqube.org/display/SCAN/Analyzing+with+SonarQube+Scanner+for+MSBuild
Install the C# sonar plugin sonar-csharp-plugin
Download http://www.sonarsource.com/products/plugins/languages/c-sharp/
Copy the sonar-csharp-plugin-VERSION.jar to the $SonarQubeInstallDir$\extensions\plugins directory.
Install the NDepend Plugin
Copy the sonar-ndepend-plugin-VERSION.jar
- from the $NDependInstallDir$\Integration\SonarQube directory
- to the $SonarQubeInstallDir$\extensions\plugins directory
- Restart the SonarQube server for it to take account of the NDepend plugin.
Notice that this plugin is open-sourced at: https://github.com/SonarCommunity/sonar-ndepend
NOTE:
If you are not using the NDepend plugin on your SonarQube installation, make sure to remove its sonar-ndepend-plugin-VERSION.jar file from the $SonarQubeInstallDir$\extensions\plugins directory and then restart the SonarQube server. Otherwise the NDepend plugin will check for certain paths and parameters, and if they are not found it will break the SonarQube analysis with an error.
Define the NDepend Rules-set that will be configured into the Sonar server
- In the SonarQube user interface, go to Administration. You need to be logged in with the appropriate administrator privileges for that.
- MANDATORY Specify the path to NDepend.SonarQube.RuleRunner.exe. This path is $NDependInstallPath$\Integration\SonarQube\NDepend.SonarQube.RuleRunner.exe. Don't prefix the path with an environment variable; write the entire absolute path (follow this advice for every path you write while following this documentation).
- OPTIONAL Specify the NDepend project file path (.ndproj extension) to fetch the rules from. If it is not specified, the default NDepend rule-set will be used.
If you specify the NDepend project file path, the rules taken into account are the activated rules defined in:
- The NDepend project file,
- Rules defined in the NDepend Rules Files referenced by the NDepend project file
- and NDepend rules defined in source code
Activate the NDepend Rules in the Sonar server
The NDepend rules are now loaded in the SonarQube repository but not activated yet.
To activate them, you have to:
- Log in as admin in the SonarQube UI
- Go to the Quality Profiles tab
- Create a custom Quality Profile. If you already have a custom Quality Profile you can skip this step.
Make sure that you choose the Sonar way profile as parent of your new Quality Profile:
After the creation of the custom Quality Profile, you have to add the NDepend rules. To do so, click on the Activate More button:
Choose the NDepend repository, and click on the Bulk Change button and activate all the NDepend rules in your new Quality Profile.
Finally go back to the Quality Profile tab and set the new Quality Profile as Default:
Activate the NDepend Rules in the Sonar server (before SonarQube v7.X)
Before SonarQube 7.X it was possible to activate new rules in the standard profile, so the creation of a new custom Quality Profile was not mandatory.
Once the step Define the NDepend Rules-set that will be configured into the Sonar server is done, the NDepend rules are loaded in the SonarQube repository but not activated yet. To activate them, you have to:
- Log in as admin in the SonarQube UI:
- Go to the Rules tab:
- Choose Language C# and Repository: NDepend
- Activate these rules in the profile you want by clicking on Bulk Change - Activate In:
IMPORTANT:
Run MSBuild Sonar-Runner
Here is the SonarQube documentation concerning running MSBuild Sonar-Runner from the command line.
To let SonarQube.Scanner.MSBuild.exe also run the NDepend analysis and rules, you need to append the mandatory parameter /d:sonar.cs.ndepend.projectPath={the path of ndproj}.
Note that you need to run the 3 commands below; you can embed them in a batch file.
>SonarQube.Scanner.MSBuild.exe begin /key:{SonarQube project key} /name:{SQ project name} /version:{SQ project version} /d:sonar.cs.ndepend.projectPath={the path of ndproj}
>MSBuild
>SonarQube.Scanner.MSBuild.exe end
Don't use any environment variable in paths, and if the path contains a space character, surround it with double quotes: /d:sonar.cs.ndepend.projectPath="C:\work with space\project.ndproj"
Notice you can use /d:sonar.cs.ndepend.skip=true to avoid triggering NDepend analysis (option introduced with NDepend v2019.2.5).
IMPORTANT:
What if I run Sonar on a Linux machine and NDepend on a Windows machine?
REMARKS
Tips in case of Analysis Error
If the NDepend analysis fails, have a look at the Sonar scanner logs: the error cause is shown in the NDepend exception report.
Most of the time an NDepend analysis error comes from one of the following:
- The NDepend project file path specified is not found (as a reminder, this path is specified in SonarQube.Scanner.MSBuild.exe begin ... /d:sonar.cs.ndepend.projectPath={the path of ndproj})
- NDepend fails to find any assembly to analyze among those referenced by the NDepend project (more on NDepend assembly resolution here)
- One or several assembly PDB files are missing (see the explanations above in the IMPORTANT section)
- The NDepend output directory is locked, or cannot be created, because of insufficient Windows privileges
Browse NDepend Rules Issues in the SonarQube UI
NDepend rule issues are now reported like any other issue in the SonarQube UI.
You can browse them, jump to the source code declaration (in the UI), assign them, change their status...
NOTES: