Overview
Whilst Codesonar does not currently provide a plug-in for Microsoft Visual Studio Code (VSCode), it is possible to approximate similar behaviour by configuring a new Task in VSCode to manually execute the codesonar analysis, and adding the Microsoft SARIF Viewer plugin to VSCode allows those results to be reviewed in the IDE.
NOTE: As per CodeSonar 7.1p0 (available 9/8/2022) there is a new Visual Studio Plugin for CodeSonar, see Third-Party Software Integration.
Setting up
Firstly, follow the steps at:
https://marketplace.visualstudio.com/items?itemName=MS-SarifVSCode.sarif-viewer
To install the Microsoft SARIF Viewer plugin into VSCode.
Next configure a VSCode Task https://code.visualstudio.com/Docs/editor/tasks to execute the codesonar analysis and retrieve the warnings as a SARIF formatted file. At the above page, the specific instructions to follow are under the “Custom Tasks” section, but briefly, from within VSCode, select Terminal -> “Configure Tasks …” . This will pop up a file in VSCode called tasks.json with some default content in it. Alter the content of tasks.json in to something similar to this:
Here we've create a new task that will be called “Codesonar analyze” that will execute a batch file
C:\\Users\\%username%\\CODESONAR\\DEMO\\vsCodeAnalyzeTask.bat
In this example, the above path C:\\Users\\rdaulton\\CODESONAR\\DEMO represents the location of the sample codebase being worked on.
Next, create C:\\Users\\%username%\\CODESONAR\\DEMO\vsCodeAnalyzeTask.bat. As an example:
set DIR="C:\Users\%username%\CODESONAR\DEMO"
set NMAKE="c:\Program Files (x86)\Microsoft Visual Studio\2019\Community\VC\Tools\MSVC\14.29.30133\bin\HostX86\x86\nmake"
set CS="c:\Program Files\GrammaTech\CodeSonar6.2p2\codesonar\bin\codesonar"
set PROJECT=CSONAR
set HUB="127.0.0.1:7340"
cd %DIR%
%NMAKE% clean
%CS% analyze %PROJECT% -foreground %HUB% %NMAKE%
%CS% dump_warnings.py --hub %HUB% --project-file %DIR%/%PROJECT%.prj --sarif -o warnings.sarif
The first 5 lines set up some key variables used in the script:
- DIR: Where the sample codebase build command is
- NMAKE: The build command to execute
- CS: The full path to the Codesonar executable
- PROJECT: The codesonar project
- HUB: The <host>:<port> address of your pre existing and running Codesonar hub
The next line:
$NMAKE% clean
Does a clean of all output files for this build. Of course, if youre interested in producing Codesonar incremental results, this step won't be required. The following line:
%CS% analyze %PROJECT% -foreground %HUB% %NMAKE%
Invokes Codesonar to perform the analysis. Note the -foreground argument. This is required in this case to make sure the analysis completes before the next script step, as Codesonar otherwise performs the analysis as a background task meaning the script would proceed onto the attempt to retrieve the analysis results before they are available.
The final step invokes codesonar again to retrieve the warnings for the analysis just completed, as a SARIF file. There is an extensive HTTP API for querying the codesonar hub as well as “codesonar dump-warnings.py”, which also has other arguments available for retrieving warnings. Just search in your codesonar manual for either term for more information.
Trying it out
To build your code in Vscode, select Terminal ->”Run Task”:
The given label should appear as a selected option, “Codesonar analyze” in this case:
Select it to execute the build script vsCodeAnalyzeTask.bat. If all goes well, you should see a window open at the bottom of the VSCode IDE showing the output of the executing script:
Once successfully completed, you can close the output window. The result of the script should be you equivalent of C:\Users\%username%\CODESONAR\DEMO\warnings.sarif. From VSCode select File -> “Open File …” and open warnings.sarif. That’s it! You should now see a SARIF results panel in the IDE. There are a number of ways of viewing the warnings in this panel, or alternatively, in the tabs showing opened source files, for those that contain detected codesonar warnings, hover over lines of code underlined with a squiggly line to see a warning commentary popup or click the line to jump to its detail in the SARIF panel:
