GitLab SonarQube Integration with .NET

Overview

If you want to use SonarQube to scan your code during GitLab's CI/CD flow, please see the following procedures.

GitLab + SonarQube + .NET Core or .NET 5/6/7/... (docker)

  1. Refer to this document to integrate GitLab and SonarQube.

  2. Set the environment variables in GitLab (the jobs below read SONAR_URL and SONAR_TOKEN; store the token as a masked CI/CD variable rather than in the repository)

  3. Add the following to your .gitlab-ci.yml

     # Add these stages to your existing stages list; GitLab rejects a job whose stage is not declared
     stages:
         - dependency_check
         - sonar
         - security-scan

     variables:
         SONAR_PROJECT_KEY: This-is-my-project-key-in-SonarQube

     owasp_dependency_check:
         image:
             name: registry.gitlab.com/gitlab-ci-utils/docker-dependency-check:latest
             entrypoint: [""]
         stage: dependency_check
         tags:
             - docker
         script:
             # Job will scan the project root folder and fail if any vulnerabilities with CVSS > 0 are found
             - /usr/share/dependency-check/bin/dependency-check.sh --scan "./" --format ALL --project "$CI_PROJECT_NAME" --failOnCVSS 0
             # Dependency Check will only fail the job based on CVSS scores, and in some cases vulnerabilities do not
             # have CVSS scores (e.g. those from NPM audit), so they don't cause failure.  To fail for any vulnerabilities
             # grep the resulting report for any "vulnerabilities" sections and exit if any are found (count > 0).
             - if [ $(grep -c "vulnerabilities" dependency-check-report.json) -gt 0 ]; then exit 2; fi
         allow_failure: true
         artifacts:
             when: always
             paths:
             # Save the HTML and JSON report artifacts
             - "./dependency-check-report.html"
             - "./dependency-check-report.json"

     sonarqube:
         allow_failure: true
         stage: sonar
         tags:
             - docker
         image:
             name: sonarsource/sonar-scanner-cli:latest
             entrypoint: [""]
         variables:
             SONAR_HOST_URL: $SONAR_URL
             SONAR_USER_HOME: "${CI_PROJECT_DIR}/.sonar"  # Defines the location of the analysis task cache
             #SONAR_LOGIN: $SONAR_TOKEN
             GIT_DEPTH: "0"  # Tells git to fetch all the branches of the project, required by the analysis task
         cache:
             key: "${CI_JOB_NAME}"
             paths:
                 - .sonar/cache
         script:
             - echo $SONAR_URL
             - echo $CI_COMMIT_BRANCH
             # The dependency-check reports come from the previous stage's artifacts and are imported into SonarQube
             - sonar-scanner -Dsonar.login="$SONAR_TOKEN" -Dsonar.projectKey=$SONAR_PROJECT_KEY -Dsonar.projectName="${SONAR_PROJECT_KEY} (${CI_COMMIT_BRANCH})"
                             -Dsonar.dependencyCheck.jsonReportPath="./dependency-check-report.json" -Dsonar.dependencyCheck.htmlReportPath="./dependency-check-report.html"

     security-code-scan:
         stage: security-scan
         tags:
             - docker
         allow_failure: true
         image: mcr.microsoft.com/dotnet/sdk:5.0
         #image: mcr.microsoft.com/dotnet/core/sdk:3.1
         script:
             - echo $PATH  # bash syntax; the image runs a Linux shell, so $env:Path (PowerShell) would not expand
             - dotnet restore
             - dotnet tool install --global security-scan
             - mkdir report
             - $HOME/.dotnet/tools/security-scan geosense_netcore_project_template.sln --excl-proj=**/*Test*/** --export=report/out.sarif
         artifacts:
             paths:
                 # The SARIF report is written to ./report relative to the project root (where the .sln is)
                 - ./report
    
  4. Try to build the code
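The owasp_dependency_check job gates on --failOnCVSS 0 and then greps the JSON report for the word "vulnerabilities", which would also match that word wherever it appears in description text. As an added example (not from the original page), this Python gate walks the report structure instead, counting findings, findings without a CVSS score (the NPM-audit case the job comment mentions) and the highest score, and fails on either condition. The sample report is constructed here; its layout (dependencies[].vulnerabilities[] with cvssv2.score / cvssv3.baseScore) is an assumption about the dependency-check JSON format, and the CVE names are placeholders.

```python
import json

# Constructed sample in the shape of a dependency-check JSON report (assumed layout:
# dependencies[].vulnerabilities[] with cvssv2.score / cvssv3.baseScore); ids are placeholders.
SAMPLE_REPORT = json.dumps({"dependencies": [
    {"fileName": "Newtonsoft.Json.dll"},  # clean dependency: no "vulnerabilities" key at all
    {"fileName": "SomeLib.dll", "vulnerabilities": [
        {"name": "CVE-PLACEHOLDER-0001", "severity": "HIGH",
         "cvssv2": {"score": 7.5}, "cvssv3": {"baseScore": 9.8}},
        {"name": "CVE-PLACEHOLDER-0002", "severity": "MEDIUM", "cvssv2": {"score": 5.0}}]},
    {"fileName": "package.json", "vulnerabilities": [
        # NPM-audit-style finding: severity word only, no numeric CVSS, so --failOnCVSS never sees it
        {"name": "NPM-PLACEHOLDER-1", "severity": "moderate", "source": "NPM"}]},
]})


def score_of(vuln):
    """Best available CVSS score (v3 preferred, then v2), or None if the finding has none."""
    v3, v2 = vuln.get("cvssv3") or {}, vuln.get("cvssv2") or {}
    if "baseScore" in v3:
        return float(v3["baseScore"])
    if "score" in v2:
        return float(v2["score"])
    return None


def summarize(report_text):
    """Return (total findings, findings without a score, highest CVSS score or None)."""
    total, unscored, highest = 0, 0, None
    for dep in json.loads(report_text).get("dependencies", []):
        for vuln in dep.get("vulnerabilities", []):
            total += 1
            s = score_of(vuln)
            if s is None:
                unscored += 1
            elif highest is None or s > highest:
                highest = s
    return total, unscored, highest


def should_fail(report_text, fail_on_cvss=0.0, fail_on_any=True):
    """Gate like the job intends: any finding fails, or a CVSS score at/above the threshold does."""
    total, _unscored, highest = summarize(report_text)
    if fail_on_any and total > 0:
        return True
    return highest is not None and highest >= fail_on_cvss


if __name__ == "__main__":
    # Exit code 2 mirrors the job's "exit 2" when findings are present
    print("findings, unscored, highest CVSS:", summarize(SAMPLE_REPORT))
    raise SystemExit(2 if should_fail(SAMPLE_REPORT) else 0)
```

In the job, run the script against ./dependency-check-report.json in place of the grep line; the non-zero exit fails the job the same way.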

GitLab + SonarQube + .NET 4.8 (non-docker)

Docker support for .NET 4.0 or below is not very good; if you cannot upgrade, I suggest the non-docker solution. You can refer to http://dennys.github.io/en/doc/devops/gitlab-dotnet4-ci-cd/ to build .NET 4 applications in a GitLab CI/CD flow, then follow the procedure below to integrate SonarQube.

  1. Refer to this document to integrate GitLab and SonarQube.
  2. Install the following software on the Windows runner:
    1. Java: Adopt JDK or another JDK; add java.exe to PATH.
    2. SonarScanner for .NET; the job below assumes it is extracted to C:\Gitlab\sonar-scanner.
  3. Add the following to your .gitlab-ci.yml
     sonarqube_windows:
         allow_failure: true
         tags:
             - windows
         stage: sonar
         variables:
             SONAR_PROJECT_KEY: ProjectXXX
             # Prefer a masked, protected CI/CD variable in GitLab over a token committed in this file
             SONAR_TOKEN: ****************************************
         script:
             - echo $SONAR_URL
             - echo $CI_COMMIT_BRANCH
             - dotnet tool update --global dotnet-sonarscanner
             # begin/build/end: the scanner wraps the MSBuild build so it can collect the analysis output
             - dotnet C:\Gitlab\sonar-scanner\SonarScanner.MSBuild.dll begin /k:$SONAR_PROJECT_KEY /d:sonar.host.url="$SONAR_URL" /d:sonar.login="$SONAR_TOKEN" /d:sonar.scm.provider=git
             - dotnet restore ******.sln
             - dotnet build ******.sln
             - dotnet C:\Gitlab\sonar-scanner\SonarScanner.MSBuild.dll end /d:sonar.login="$SONAR_TOKEN"
    
  4. Try to build the code

Run SonarQube on Linux Docker with Mono to scan .NET 4.8 Code

If you want to run SonarQube against .NET 4 code in a Linux Docker container, see Run SonarQube on Linux Docker with Mono to scan .NET 4.8 Code, but note that this approach has some limitations.
