SonarCloud in a .NET/C# project: is it worth it?

A few weeks ago, we started using SonarCloud in some of our .NET projects. We wanted to evaluate if this continuous code quality tool is something that would help us in our daily work, or rather annoy developers with loads of minor issues and false alarms. We already have ReSharper licenses, so using another tool only seemed to make sense if it provided additional value.

How the different Sonar products are related

Before I share my experiences, let me clarify which products I will refer to. You might be familiar with some other products from the SonarSource company, and this is how they are related:

  • SonarAnalyzer.CSharp. This is a set of code analyzers delivered via a NuGet package. You can install them in any .NET project and use them for free, even without an extension or a paid subscription for any other products.
  • SonarLint. This is a free extension for IDEs like Visual Studio (I only used this one), IntelliJ, Eclipse, and VS Code.
  • SonarCloud. This is an extended web dashboard that lets you get an overview of the quality of your projects, review issues, or track the quality of the code base over time. For projects that are not open source, this product requires a paid license.
  • SonarQube. This is an on-premise counterpart for SonarCloud. On the surface they look similar, but there are various differences in functionality.

My experiences with SonarAnalyzer

When you add the SonarAnalyzer NuGet package to your C# projects, you’ll very likely observe some new warnings:

Example of additional warnings enabled by adding SonarAnalyzer to a C# project.

I’ve spent a few hours going through such new warnings in various projects. In my opinion, they are pretty good. They range from simple checks of good coding standards to interesting and more advanced findings. Some examples of the latter would be:

  • “Why do you have two unit tests with different names but identical implementation?” (helped me find a few copy-paste errors)
  • “If you use yield return, you risk less if you validate parameters in a separate method” (I found it quite an advanced deduction)
  • “You named an argument differently in an interface and an implementation. Are they really the same thing?” (a common source of errors if your method accepts multiple arguments of the same type)
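The yield return finding is easiest to see in code. The following is an added example, not code from the original post or from the Sonar rule documentation, and all method names in it are made up for illustration. It shows that a null check written inside an iterator method runs only when the sequence is enumerated, while a validating wrapper fails at the call site.

```csharp
using System;
using System.Collections.Generic;

public static class IteratorValidationDemo
{
    // Flagged pattern: the whole body, including the null check, is compiled
    // into a state machine and only starts running on the first MoveNext().
    public static IEnumerable<string> TrimAllDeferred(IEnumerable<string> lines)
    {
        if (lines == null) throw new ArgumentNullException(nameof(lines));
        foreach (var line in lines) yield return line.Trim();
    }

    // Suggested pattern: a non-iterator wrapper validates eagerly, then
    // delegates to a private iterator that contains the yield return.
    public static IEnumerable<string> TrimAllEager(IEnumerable<string> lines)
    {
        if (lines == null) throw new ArgumentNullException(nameof(lines));
        return TrimAllIterator(lines);
    }

    private static IEnumerable<string> TrimAllIterator(IEnumerable<string> lines)
    {
        foreach (var line in lines) yield return line.Trim();
    }

    // Reports whether a call throws at the call site or only on enumeration.
    public static string WhereDoesItThrow(Func<IEnumerable<string>> call)
    {
        IEnumerable<string> result;
        try { result = call(); }
        catch (ArgumentNullException) { return "at call"; }

        try { foreach (var _ in result) { } }
        catch (ArgumentNullException) { return "at enumeration"; }
        return "never";
    }

    public static void Main()
    {
        // Constructed input: a null argument passed to both variants.
        Console.WriteLine(WhereDoesItThrow(() => TrimAllDeferred(null)));
        Console.WriteLine(WhereDoesItThrow(() => TrimAllEager(null)));
    }
}
```

With the deferred variant, the exception surfaces wherever the result is first enumerated, which can be far from the call that passed the bad argument.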

All the rules have wonderful documentation with a clear explanation of the problem, and code samples showing good and bad code (see an example).

On the drawbacks side: currently, there are no “quick automatic fix” actions for the suggestions, even though they would be possible for some of them. You need to fix the code yourself.

If you have any free CPU cycles to use, I believe this analyzer is a really valuable addition to the Visual Studio experience, even if you already use ReSharper with its awesome hints. You might disagree with me, but I think that such warning-driven development is also fun. You can learn a lot about code patterns, especially when you learn from the mistakes you made yourself.

SonarLint: what’s the added value of an IDE extension?

To use the code analysis feature, you do not need the SonarLint extension. Then why would you install it?

Well, SonarLint allows connecting your Visual Studio to the SonarCloud or SonarQube portal. You might want to work in a setup where the source of truth about how to check code is not your git repository, but the SonarCloud/SonarQube service.

This can make sense in several scenarios. In your organization, you might have multiple projects in multiple code repositories. What if you want to have the same set of code analysis rules for all of them? This is where SonarLint connected mode comes in handy. It monitors changes in configuration online and applies them to your project when needed.

We were able to successfully set up this feature, but I haven’t spent much time playing with it, so I’ll end the description here.

SonarCloud: the web portal

The web portal is a place where you can most easily see quality metrics of your project(s):

Screenshot of SonarCloud. SonarCloud is a web-based dashboard showing various code quality metrics collected by SonarAnalyzer.

You can start with a high-level overview, like in the screenshot above. But you can also go deep, inspecting all the individual issues you would also see in Visual Studio.

This overview goes a bit beyond what you would see in Visual Studio’s errors/warnings window. In the web portal, you can also see code coverage. You can see how much code is duplicated in your solutions. You can see how quality metrics changed over time.

This is all pretty cool, but is it useful? I think that as long as the team works out a process where someone monitors this dashboard, and takes data-driven actions, this is valuable. For example, in my experience, as soon as a team starts measuring unit test code coverage and gains some focus on this metric, the coverage starts improving.

SonarCloud helps enforce good quality, for example by providing a quality gateway for pull requests. We have enabled this feature in Azure DevOps. It integrates really nicely. It helps us keep compliant with the rules in all new code.

Final thoughts: is the Sonar ecosystem worth it for a C# developer?

Let me try to summarize this with a list of pros and cons.

✅ The analyzer package has an ample library of code antipatterns. They are documented well. They can teach you to code better.
✅ The integration with Visual Studio is good. You don’t need to install an extension, just a NuGet package with Roslyn analyzers. I don’t see a negative impact on performance.
✅ Integration with Azure DevOps works well. Enforcing rules is easy.
✅ It enables a simple checklist-like flow to reduce technical debt in projects.
⚠ Currently, there are no “automatic quick fixes” available for detected issues.
⚠ Might be impossible to use with pre-release versions of tools. A week before the stable release of Visual Studio 2022, C#10, and .NET 6, the SonarLint extension is not yet available, and code analyzers show some false alarms when I use C#10 features.
⚠ I don’t buy the sales point that the product allows you to fix features only in new/modified code. This approach doesn’t work for us. You change one line in a file, and you cannot merge your PR because you are blamed for the old issues in that file. But it’s a different discussion.

I think this is a good suite of products. I like using it both at work, and now also in my side-projects. You might benefit from giving it a try.
