SonarQube is primarily a code quality scanner, but it has many capabilities that also make it a useful code vulnerability scanner. Using SonarQube to scan a C#/.NET project requires a bit more set-up than with other languages, because the .NET plugin for SonarQube integrates with MSBuild on the build host. This article describes how to work with SonarQube in the context of using the ZeroNorth platform to scan C#/.NET projects.
- ZeroNorth platform license and credentials
- The sonarqube-msbuild-runner Scenario has been activated (see this article for details)
- A C#/.NET project that can be built with MSBuild.exe at the command-line (we do not support .NET Core / “dotnet tool” build process)
- Sonar Scanner for MSBuild installed and configured (see below for details)
- ZeroNorth Command-Line tool zn_cli.exe for Win64 (see this related article to download a copy)
The C#/.NET scanner for Sonar integrates with your local MSBuild build process and runs the scan locally on your build machine. In the process, it connects to the SonarQube server to download the rules and to upload the results, which in turn get posted to ZeroNorth.
- A Win64 host.
- .NET 4.6+.
- Java (JRE 8.x or later).
- Ensure that you have MSBuild.exe v14.025420.1 or later available for command-line execution. The MSBuild.exe must be in your PATH variable.
- Ensure that the .NET project you want to scan can be built using MSBuild.exe at the command line. Test this with your candidate project before proceeding with the rest of the procedure. We do not yet support .NET Core framework builds that use the “dotnet” command.
- Ensure that you have Sonar Scanner for MSBuild installed and configured (see the next section for installation details).
The following steps assume that your base installation directory will be *C:\SonarQube*:
- Obtain and install the Sonar Scanner for MSBuild from here. Be sure to select the edition for “.NET Framework 4.6+”. We do not support the .NET Core framework.
- Ensure that your PATH variable contains the full path to the Sonar Scanner for MSBuild installation you completed in the above step. For example, if you installed the Sonar Scanner for MSBuild v4.10 under C:\SonarQube:
- Obtain a copy of the latest zn_cli command line tool for Win64 from here.
- Place the zn_cli command line tool in the C:\SonarQube\ folder.
- On some Windows systems, it will be necessary to “bless” the newly installed executable as safe to run. To do so, in Windows Explorer, right-click on the executable and select “Properties”. In the pop-up panel, check “Unblock”:
- Check again that your system PATH includes fully qualified paths to java, zn_cli, msbuild.exe and the Sonar Scanner for MSBuild. Try the following tests:
See this article for more details about system requirements to run SonarQube scanner for MSBuild.
Using the ZeroNorth UI
- Go to znADM > Integrations , and then click on Add Integration .
- Create or use an existing “Artifact” type Integration with the Initiate Scans From set to “Customer’s Environment”:
- Go to znOPS > Targets , and then click on Add Target .
- Create a new Target of Target Type “Artifact”, using the Integration you just created:
- Go to znOPS > Policies , and then click on Add Policy .
- Create a Scan Policy pointing to the Integration and the Target you created in the above steps:
You now have a shell Policy which will serve as the anchor for the SonarQube .NET scan.
The ZeroNorth Command-Line Tool, zn_cli.exe, is a proxy between the ZeroNorth platform where the scan policy is configured and resides, and the Sonar Scanner for MSBuild, which actually performs the build and scans during the build:
To start the build and the scan as illustrated above, assuming that all else has been set up as described above in this article, execute the zn_cli.exe with the necessary parameters:
- --api_key : your ZeroNorth profile API key (as an alternative to username/password)
- --code_path : the path to your project’s MSBuild Solution File
- --results_path : the path to the folder that ZeroNorth can write into for temporary results
- --policy_id : the ID of the scan policy you prepared using the steps above (see the article Manage Policies for instructions on obtaining your Policy ID)
- --msbuild_override : switches to use in place of the default ("/t:Rebuild") switch ZeroNorth uses when calling MSBuild.exe.
- --sonarqube_override : switches to use in place of the default ("/k:…") switch ZeroNorth uses when calling SonarQube.Scanner.MSBuild.exe.
zn_cli_win64_yyyymmdd.exe --api_key <ZN API Key> --policy_id <policy ID from ZeroNorth UI> --code_path C:\Users\DEMO\projects\WebGoat.NET\WebGoat.NET.sln --results_path c:\Temp\zn\
See this article for instructions on obtaining your ZeroNorth API Key.
When the build/scan completes, the results will be visible in the ZeroNorth Web UI.
While not clearly documented on the SonarQube documentation web site, there are some compatibility requirements. If you encounter an error in the log like this:
The SonarQube MSBuild integration failed: SonarQube was unable to collect the required information about your projects. Possible causes:
- The project has not been built - the project must be built in between the begin and end steps
- An unsupported version of MSBuild has been used to build the project. Currently MSBuild 14.0 upwards are supported
- The begin, build or end steps have not all been launched from the same folder
Generation of the sonar-properties file failed. Unable to complete SonarQube analysis.
then check for compatibility between your version of MSBuild and the Sonar Scanner for MSBuild you installed:
- Sonar Scanner for MSBuild v3.x will work with MSBuild 14.x.
- Sonar Scanner for MSBuild v4.x will work with MSBuild 15 or later.
- While the Sonar Scanner for MSBuild web site lists support for the MSBuild versions that ship with VS2015 and VS2017 without mentioning VS2019, recent tests indicate that Sonar Scanner for MSBuild v4.10 works with MSBuild v16.6, which ships with VS2019.
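The following PowerShell script is an added example, not part of this article or of the ZeroNorth tooling: it performs the PATH checks from the installation section and then applies the compatibility rules above to the installed MSBuild and Sonar Scanner for MSBuild versions. It assumes the scanner executable is named SonarQube.Scanner.MSBuild.exe (as in the --sonarqube_override description) and that the zn_cli tool was saved as zn_cli.exe.

```powershell
# Added example (not from the original article): verify the tools the zn_cli-driven
# scan needs are on PATH, then check MSBuild against Sonar Scanner for MSBuild.
# Assumed executable names: SonarQube.Scanner.MSBuild.exe and zn_cli.exe.
$required = 'java.exe', 'MSBuild.exe', 'SonarQube.Scanner.MSBuild.exe', 'zn_cli.exe'
$found = @{}
foreach ($name in $required) {
    $cmd = Get-Command $name -ErrorAction SilentlyContinue
    if ($null -eq $cmd) { Write-Warning "$name is not on PATH"; continue }
    $found[$name] = $cmd.Source
    Write-Host ("{0,-32} {1}" -f $name, $cmd.Source)
}
if ($found.Count -ne $required.Count) { Write-Error 'Fix PATH before running the scan'; exit 1 }

# Read the numeric file version of an executable, e.g. 14.0.25420.1 (VS2015),
# 15.x (VS2017) or 16.6.x (VS2019) for MSBuild.exe.
function Get-FileVersion([string]$path) {
    $fvi = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($path)
    [version]"$($fvi.FileMajorPart).$($fvi.FileMinorPart).$($fvi.FileBuildPart).$($fvi.FilePrivatePart)"
}
$msbuild = Get-FileVersion $found['MSBuild.exe']
$scanner = Get-FileVersion $found['SonarQube.Scanner.MSBuild.exe']
Write-Host "MSBuild $msbuild / Sonar Scanner for MSBuild $scanner"

# The scanner's own error text says MSBuild 14.0 upwards is required.
if ($msbuild.Major -lt 14) {
    Write-Error "MSBuild $msbuild is too old; 14.0 or later is required"; exit 1
}
# Scanner 3.x pairs with MSBuild 14.x; scanner 4.x needs MSBuild 15 or later
# (v4.10 has been observed working with MSBuild 16.6 from VS2019).
$compatible = switch ($scanner.Major) {
    3       { $msbuild.Major -eq 14 }
    4       { $msbuild.Major -ge 15 }
    default { $false }   # combination not covered by the rules above: verify manually
}
if (-not $compatible) {
    Write-Error "Sonar Scanner for MSBuild $scanner is not a documented match for MSBuild $msbuild"
    exit 1
}
Write-Host 'Tool check passed; run zn_cli.exe with --policy_id, --code_path and --results_path.'
```

Run it from the same folder you will launch zn_cli.exe from, since the begin, build and end steps must all start from one directory.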