So far, I've been talking exclusively about Visual Studio and demonstrating in C#. Which I guess is fair enough as it is a Microsoft technology like Azure DevOps. Obviously, there're a lot of other programming languages out there and in fact, C# is not the most popular by a long way. I want to look at integrating Sonar Cloud into my pipeline.

For all intents and purposes, Sonar Cloud is language agnostic. It supports COBOL through to Go and all the usual suspects in-between, such as Java, PHP, Python, Ruby, Scala, Swift, quite an extensive list. Sonar Cloud is a service that can be integrated into Azure DevOps via an extension. I'll just go to the marketplace and search for Sonar Cloud. So here we can see SonarQube and Sonar Cloud. Now, Sonar Cloud is the one we're after. SonarQube is for use with on-premise code repositories. Right, I'll just hit Get it Free.

Okay, it looks like I'm not logged in as the account administrator. Yes, for reasons too complicated and pedestrian to go into I'm going to have to open up another browser and approve that request and install the extension. Back at the project, I need to set up a service connection to Sonar Cloud. It's easy enough. I just go into New service connections and select it from the dropdown.

Next, I need to go over to my Sonar Cloud account, and under Security, I'm going to generate a new token for howlinuxconfig project that I've already set up as public. With Sonar Cloud you can have a free account as long as it's public, so I need to make sure that my Azure DevOps project is also public. Just paste in the Sonar Cloud token and verify it, and I'll give the service connection name and verify and save. 

So now I can go back to my pipeline and add the Sonar tasks. This is a three-step process, which involves adding a preparation task followed by the code analysis task and then publishing the results of the analysis. Firstly, I will add the prepare analysis configuration task, which is going to go before my build task. This task basically sets up the connection with Sonar Cloud using the already created service connection, using our project key which just coincidentally happens to be my project name, and then the project name. Add that.

Next, I need to add the tasks that will do the actual code analysis, so it's just a simple add. And finally, the task that's going to publish the results which I'll just add straight after the Sonar Cloud analysis task. I'll add a comment basically to the effect that we've added Sonar Cloud. And I'll save that, which will trigger my pipeline to run. We'll just quickly run through the build. Sonar Cloud tasks are executing without incident.

To see the results of Sonar Cloud analysis we go to the build summary and under the Extensions tab, click on the link to Sonar Cloud. So under Security, we can dig into what looks like an E rating which doesn't look too good. We can see that the usual unused variables have been highlighted. We can actually dig through the project structure to look at the different files where the issues are and here again, we can see the same SQL injection type issues being highlighted plus a bug.

So I'm not checking that the parameters may be null. Then if we go and look at the security hotspots, we can see all the highlighted issues are categorized and rated. In terms of categorization, we can see vulnerability and code smell, which translates to bad smelling code. Sonar uses a skunk icon on their website if you want to go and look at code smell. This means that this section of code may be indicative of some deep underlying issue or problem that you might want to look at. Our code smells are rated as major or minor. Clicking on code takes us to the folder structure and I can see in the bugs column there are quite a few. Just drilling down to these bugs and they are related to bootstrap JavaScript.