
Support distribution/installation of 3rd party analyzers and extended ruleset definitions

Open josundt opened this issue 6 years ago • 3 comments

I really enjoy the SonarLint for Visual Studio 2019 extension when working on our codebase, since it streamlines the distribution and maintenance of our organization-wide coding rules:

The SonarLint extension:

  • Helps out keeping rulesets up to date (informs about updates).
  • Ensures that all projects in a solution are associated with the ruleset definition and installs the required Roslyn analyzers.

The limitation:

  • Only SonarCloud's own coding rules and analyzers are supported in the ecosystem.

It would be really nice if SonarQube/SonarCloud could support 3rd party analyzers and rulesets for these, so SonarLint for Visual Studio could use its great bind/update feature to take care of the installation of additional analyzers from NuGet packages and extended rulesets for these.

This is how I picture that it would work: In SonarCloud/SonarQube, an administrator could register a third party C# analyzer on a page by:

  • Entering the NuGet package ID (and version) for the 3rd party analyzer package.
  • Upload a ruleset file for the package.

SonarLint could then, when binding/updating a solution:

  • Ensure that also the registered 3rd party analyzers are installed in every project.
  • Ensure that the ruleset file with the rules for the analyzer is linked to every project.

I think this is what's really missing to make SonarQube the perfect ecosystem for C# code analysis. Sonar's rules cover most areas, but I miss quite a few things f.ex. compared to in the new https://www.nuget.org/packages/Microsoft.CodeAnalysis.FxCopAnalyzers

To me this seems like a quite low effort feature compared with the added value.

josundt • Jul 19 '19 15:07

Related: #1184

duncanp-lseg • Jan 15 '20 12:01

@duncanp-sonar Is it possible to get some more feedback on this? Do you like the idea? To me it sounds like a great addition to make SonarQube/SonarCloud+SonarLint the single enterprise ecosystem for C# CA.

Some additional information:

I have noticed that when "binding" a VS solution to a SonarCloud project using SonarLint, the SonarAnalyzer.CSharp NuGet package with the Roslyn analyzers is no longer installed to every project in the solution; instead it relies on the SonarLint extension (VSIX) being installed in VS to enable "live" CA in the IDE.

(PS! We moved from on-prem SonarQube to SonarCloud some time back, maybe that's when I noticed this change. Maybe this difference in behavior is based on a configuration setting that I'm not aware of).

If SonarQube/SonarCloud was to support my requested feature (supporting installation of 3rd party analyzers and downloading/linking rulesets for these when "binding"), it would need to either install the Roslyn analyzers as NuGet packages to every project, or inform the user that a certain VSIX should be installed.

In my imagined 3rd party analyzer registration page (described above), maybe it's better to reference the VSIX URL rather than the Roslyn Analyzer NuGet package ID. Both ways will work as long as the Sonar CA engine can extract the actual analyzers from the NuGet or VSIX and analyze the code with the rulesets.

I hope I was able to explain how I picture this feature implemented in a way that is understandable. Waiting for your feedback!

josundt • Jan 16 '20 18:01

CC @marco-comi-sonarsource

duncanp-lseg • Aug 17 '23 08:08