sonar-scanner-msbuild

Remove Java dependency

Open tgolden-andplus opened this issue 4 years ago • 8 comments

Is your feature request related to a problem? Please describe.
As more and more CI/CD pipelines start leveraging Docker for builds, Sonarqube analysis happens inside the container rather than on a "kitchen sink" server that has Java installed. The official SDK build images on Docker Hub do not include Java. It's reasonable that the .NET scanner (which is distributed through NuGet as a tool) does not rely on an external Java installation.

I realize that's a pretty steep ask, due to how this tool leverages pre-existing code, but I think it'd be an enormous win.

Describe the solution you'd like
The ability to install the dotnet-sonarscanner tool in the official Microsoft dotnet/sdk image and run an analysis that is published to a SonarQube server, without installing Java.

Describe alternatives you've considered
Currently I have to install the JDK at runtime into the SDK image, or create my own derivative images for each official image. This is a perf nightmare if done at runtime for every single build, and a maintenance headache to use our "unofficial" in-house images, educate developers on why they can't use the 1st-party SDK image, and make new images whenever a new SDK image is released.

tgolden-andplus avatar Jun 14 '21 23:06 tgolden-andplus
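The "derivative image" workaround mentioned in the issue, written out as an added example (this is not code from the issue or from the SonarSource project). It bakes a headless JRE and the dotnet-sonarscanner global tool into the official SDK image so that nothing has to be installed at build time. Assumptions: the Debian-based `mcr.microsoft.com/dotnet/sdk:8.0` tag, the `openjdk-17-jre-headless` apt package available in that base, and a scanner version supplied via `--build-arg` that matches what your SonarQube server supports; `<pinned-version>` is a placeholder.

```dockerfile
# Added example, not part of the issue thread or the project's own tooling.
# Assumption: Debian-based SDK tag; adjust the base tag and JRE package to match
# the .NET SDK and Java version your scanner/SonarQube release requires.
FROM mcr.microsoft.com/dotnet/sdk:8.0

# Only the scanner's end step needs Java, and it only runs the Java scanner,
# so a headless JRE is enough; a full JDK is not required.
RUN apt-get update \
 && apt-get install -y --no-install-recommends openjdk-17-jre-headless \
 && rm -rf /var/lib/apt/lists/* \
 && java -version

# Pin the scanner version so image rebuilds are reproducible.
# Pass it in: docker build --build-arg SONARSCANNER_VERSION=<pinned-version> .
ARG SONARSCANNER_VERSION
RUN dotnet tool install --global dotnet-sonarscanner --version "${SONARSCANNER_VERSION}"

# Global tools land in ~/.dotnet/tools, which is not on PATH by default.
ENV PATH="${PATH}:/root/.dotnet/tools"

# Sanity check: the tool resolves from PATH inside the image.
RUN dotnet sonarscanner --help > /dev/null
```

The begin/build/end sequence then runs unchanged inside a container started from this image, with the server URL and analysis token passed as run-time arguments or environment variables rather than baked into the image, so the same image serves every pipeline and the token never ends up in an image layer.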

cc @tom-howlett-sonarsource (our .NET ecosystem PM)

Thanks for the suggestion @tgolden-andplus.

I realize that's a pretty steep ask, due to how this tool leverages pre-existing code, but I think it'd be an enormous win.

Leveraging pre-existing code is one aspect. However, C# projects often contain other types of artefacts where the analysis itself is implemented in Java, e.g. TypeScript, JavaScript, CSS, TSQL, and XML. In addition, the security analysis for C# depends on a Java backend.

Removing the dependency on Java would be a reasonable amount of work to do and maintain, and losing security analysis and multi-language analysis would limit the target audience (my personal view is that it's too high a price to pay).

However, there might be other possible solutions to the underlying problem "analysing C# in pipelines using Docker is too hard".

(Just brainstorming here - the Scanner for .NET only requires Java in the end step, where it is effectively a wrapper around the Java scanner. We already produce an official Docker image for the Java scanner. It might be possible to modify the Scanner for .NET end step to allow the existing Java scanner image to be used for the upload).

duncanp-lseg avatar Jun 16 '21 11:06 duncanp-lseg

Thanks @tgolden-andplus

I share your frustration that .NET developers need to install Java, but as @duncanp-sonar points out we are dependent on it for security analysis and other language analysis.

However, there might be other possible solutions to the underlying problem "analysing C# in pipelines using Docker is too hard".

Yes, this is something that is being considered and I will reference this issue in the analysis.

Another feature that we are currently working on is the ability to scan code directly on SonarCloud without connecting to the build, this option could potentially be added to SonarQube in the future although it's not on this year's roadmap.

tom-howlett-sonarsource avatar Jun 16 '21 13:06 tom-howlett-sonarsource

I'd be curious how a Docker image for the scanner itself would work in that scenario. The scanner image wouldn't have any .NET framework SDKs installed, so the .NET tool installation and dotnet build with the Roslyn analyzer would happen in a separate image, right? And then I'd copy the artifacts from the analysis over into the scanner image to do the "end" step which uploads them? Is the "end" step doing anything other than just re-authenticating with the server and pushing results? It seems like quality profiles, etc. are all downloaded during "start".

tgolden-andplus avatar Jun 16 '21 15:06 tgolden-andplus

That's sort of what I had in mind, although it would be better if it wasn't necessary to copy the files.

Is the "end" step doing anything other than just re-authenticating with the server and pushing results?

Everything that requires Java is happening in the end step. For C#, that means uploading the analysis results and metrics, parsing and uploading test coverage reports in various formats, and executing the security analysis. For the other languages, the "normal" analysis and security analysis are happening in the end step too.

duncanp-lseg avatar Jun 16 '21 16:06 duncanp-lseg

How would you avoid copying the files between the two containers in the pipeline?

tgolden-andplus avatar Jun 16 '21 16:06 tgolden-andplus

Hi @tgolden-andplus. Another possibility is for us to create an install with Java embedded. This would obviously need platform-specific builds for each variant and would increase the size of the install. We do this for SonarScanner and the install is in the region of 40-50 MB. Would this work for you?

tom-howlett-sonarsource avatar Jun 28 '21 15:06 tom-howlett-sonarsource

Any progress on this topic meanwhile? :)

rs38 avatar Apr 27 '23 11:04 rs38

Hi @tgolden-andplus. Another possibility is for us to create an install with Java embedded. This would obviously need platform-specific builds for each variant and would increase the size of the install. We do this for SonarScanner and the install is in the region of 40-50 MB. Would this work for you?

@tom-howlett-sonarsource Providing SonarScanner NuGet packages which include the JRE(s) would be appreciated.

Sam13 avatar Nov 28 '23 13:11 Sam13