Installing the SonarScanner for .NET
On this page
Beginning with the Sonar Scanner for .NET v8, the way the sonar.projectBaseDir
property is automatically detected has changed which has an impact on the files that are analyzed and how relative properties, such as sonar.exclusions
and sonar.test.exclusions
, are resolved.
To customize the behavior, you can set the sonar.projectBaseDir
property to point to a directory that contains all the source code you want to analyze. The path may be relative (to the directory from which the analysis was started) or absolute.
The flavor used to compile the Scanner for .NET (either .NET, .NET Core or .NET Framework) is independent of the .NET version the project you want to analyze has been built with. Concretely, you can analyze .NET Core code with the .NET Framework version of the Scanner.
Knowing which installation procedure is relevant depends on your OS, and on the versions of .NET SDKs that are installed on your build machine. See below for some general prerequisites, then select the appropriate installation method depending on your SDK.
Prerequisites
- SonarQube 10.4 requires the SonarScanner for .NET 5.14+.
- From version 7.0, Java is no longer required because the scanner will download it automatically.
- If internet access is limited in your configuration, skip the JRE provisioning and use the Java version installed locally.
- If you are running a previous version of the scanner you will need at least the minimal version of Java supported by your SonarQube server.
- The SDK corresponding to your build system:
- If you are using the .NET Framework version of the scanner you will need .NET Framework v4.6.2 or above. For commercial versions of SonarQube to benefit from security analysis you will need .NET Framework v4.7.2 or above
- If you are using the .NET version of the scanner or the .NET Core Global Tool you will need .NET Core SDK 3.1 or above
- The minimum supported version for SonarQube is now 8.9. We recommend that you upgrade to the 9.9 LTA (or newer) because support for older versions will end in January 2025.
- The scanner will fail to start if an older version of SonarQube is detected.
The flavor (either .NET Framework, .NET Core or .NET) used to compile the Scanner for .NET is independent of the .NET version used to build the project you want to analyze. Concretely, you can analyze .NET Core code with the .NET Framework version of the Scanner. It's only relevant depending on your OS, and on the versions of .NET SDKs that are installed on your build machine.
Installation
.NET Core global tool
Using the dotnet install tool from the command line is the simplest way to install the scanner if you are using .NET Core or later on an already installed instance of SonarQube. The .NET Core Global Tool is available from .NET Core 3.1+.
The --version
argument is optional; if omitted, the latest version will be installed. The full list of release versions is available on the NuGet page.
Standalone executable
- Expand the downloaded file into the directory of your choice. We'll refer to it as
<INSTALL_DIRECTORY>
in the next steps.- On Windows, you might need to unblock the ZIP file first (right-click file > Properties > Unblock).
- On Linux/OSX you may need to set execute permissions on the files in
<INSTALL_DIRECTORY>/sonar-scanner-(version)/bin
.
- Uncomment, and update the global settings to point to your instance of the SonarQube Server by editing
<INSTALL_DIRECTORY>/SonarQube.Analysis.xml
. Values set in this file will be applied to all analyses of all projects unless overwritten locally.
Consider setting file system permissions to restrict access to this file.
- Add
<INSTALL_DIRECTORY>
to yourPATH
environment variable.
If your instance of the SonarQube Server is secured
If your SonarQube Server instance is configured with HTTPS and a self-signed certificate, you must add the self-signed certificate to the trusted CA certificates of the SonarScanner. In addition, if mutual TLS is used, you must define the access to the client certificate at the SonarScanner level.
See Managing the TLS certificates on the client side.
JRE auto-provisioning should be disabled when using a secured SonarQube Server instance. The SonarScanner for .NET version 7.0 and newer will try to download Java automatically and will break the analysis if it can’t. Use these parameters to skip auto-provisioning and use the Java version installed locally, instead:
/d:sonar.scanner.skipJreProvisioning=true
/d:sonar.scanner.javaExePath=<PATH>
Related pages
Introduction to the SonarScanner for .NET
Was this page helpful?