Skip to content

SonarSource/sonar-dotnet

Repository files navigation

Code Quality and Security for C# and VB.NET

Build Status

Product Quality Gate Coverage
Analyzer Quality Gate Coverage
Plugin Quality Gate Coverage

Static analysis of C# and VB.NET languages in SonarQube server, SonarQube cloud and SonarQube for IDE code quality and security products. These Roslyn analyzers allow you to produce Clean Code that is safe, reliable, and maintainable by helping you find and correct bugs, vulnerabilities, and code smells in your codebase.

Features

Useful public resources

Nuget.org packages

Integration with SonarQube

Do you have a question or feedback?

Get started

How to contribute

There are many ways you can contribute to the sonar-dotnet project. When contributing, please respect our Code of Conduct.

Join the discussions

One of the easiest ways to contribute is to share your feedback with us (see give feedback) and also answer questions from our community forum. You can also monitor the activity on this repository (opened issues, opened PRs) to get more acquainted with what we do.

Pull Request (PR)

If you want to fix an issue, please read the Get started pages first and make sure that you follow our coding style.

Before submitting the PR, make sure all tests are passing (all checks must be green).

  • We suggest you do not pick issues with the Area: CFG label (they are difficult, can have many side effects and are less likely to be accepted).
  • We suggest you do not implement new rules unless they are already specified for C# and/or VB.NET on our rules repository.

Note: Our CI does not get automatically triggered on the PRs from external contributors. A member of our team will review the code and trigger the CI on demand by adding a comment on the PR (see Azure Pipelines Comment triggers docs):

  • /azp run Sonar.Net - It will run the full pipeline, including plugin tests and promotion

Join us

If you would like to work on this project full-time, we are hiring!

Custom Rules

To request new rules, Contact us on our Community Forum.

If you have an idea for a rule but you are not sure that everyone needs it, you can implement your own Roslyn analyzer.

Configuring Rules

SonarQube for IDE

The easiest way is to configure a Quality Profile in SonarQube.

Open the rule in SonarQube, scroll down, and (in case the rule has parameters), you can configure the parameters for each Quality Profile the rule is part of.

Use SonarQube for IDE Connected Mode to connect to SonarQube server or cloud.

Standalone NuGet

The rules from standalone NuGet packages can be enabled or disabled in the same way as the other analyzers based on Roslyn, by using the .globalconfig or .editorconfig files. See: https://learn.microsoft.com/en-us/visualstudio/code-quality/use-roslyn-analyzers?view=vs-2022#set-rule-severity-in-an-editorconfig-file

If the rules are parameterized, the parameter values can be changed using SonarLint.xml additional files.

The first step is to create a new file, named SonarLint.xml, that has the following structure:

<?xml version="1.0" encoding="utf-8"?>
<AnalysisInput xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Settings>
    <Setting>
      <Key>sonar.cs.analyzeGeneratedCode</Key>
      <Value>false</Value>
    </Setting>
  </Settings>
  <Rules>
    <Rule>
      <Key>S107</Key>
      <Parameters>
        <Parameter>
          <Key>max</Key>
          <Value>2</Value>
        </Parameter>
      </Parameters>
    </Rule>
  </Rules>
</AnalysisInput>

Then, update the projects to include this additional file:

<ItemGroup>
  <AdditionalFiles Include="SonarLint.xml" />
</ItemGroup>

Internal resources

Build configuration

Security Issues

If you believe you have discovered a security vulnerability in Sonar's products, please check this document

License

Copyright 2014-2024 SonarSource.

Licensed under the SONAR Source-Available License v1.0