There’s an update to this article with some corrections and an updated batch script here.

Static code analysis is cool: it helps you write better, more robust code, it provides useful insights, and it has exciting numbers and stats that make you feel like a real developer. I was trying to incorporate this into my Unity workflow, but recently I got really good results, so I thought I’d share.

I’m on Windows 10, using Unity, Visual Studio, and SonarQube.

SonarQube is a very nice tool, but previously I ran into all sorts of problems: incompatible input/output, cumbersome programs, formatting, conversion, etc. A few days ago I accidentally stumbled upon Kuldeep Singh’s article, and I thought I’d try it again – this time it worked almost flawlessly!

So here is the article: https://medium.com/xrpractices/static-code-analysis-for-unity3d-part-1-a17e8e2a6c03

There are a few things I’d add to this.

First of all, a Java install now requires a registration, which I find outrageous. Fuck you, Oracle, what were you thinking? SonarQube requires Java, but I ran into some path mismatch because I have both JRE and JDK installed (Java Runtime Environment and Java Development Kit). If you find SonarQube complaining about your Java version, then it might be using JRE instead of JDK. To remedy this, find SonarQube’s config file, called conf/wrapper.conf, and add this line:

wrapper.java.command=c:\Program Files\Java\jdk-11.0.5\bin\java

You can run SonarQube as a service or in a console; if you opt for a console, do yourself a favor and use cmder.

I think it is worth noting that you need to open the C# project inside Unity – this will generate the solution file (.sln) that we analyse. Simply cloning a project, or creating a test project with no code will, duh, not work. While we’re talking about git, you should also add the top-level .sonarqube folder to your git ignore list.

When SonarQube is ready, you might want to consider setting up a “real” database instead of the built-in one. It’s not that important, but keep in mind that if you switch later, your previous work will be lost – including settings, projects, users, permissions, etc.

I did this using PostgreSQL. Installation is painless; make sure you install PgAdmin too. Note the port you’re going to open; it’s 5432 by default. After install, open PgAdmin, create a new database (called “sonar” in my case), and create a user who has permission to alter it. Please don’t use the admin user!

When done, tell SonarQube to use your database: find conf/sonar.properties and enter these lines:

# Note: the '/sonar' is the database name
sonar.jdbc.url=jdbc:postgresql://localhost:5432/sonar

sonar.jdbc.username=sonarqube
sonar.jdbc.password=password

The database URL took a while to figure out. Restart SonarQube, and you should be set.

I also created a SonarQube user for scanning; this is done by opening SonarQube (localhost:9000 by default), logging in with admin/admin, Administration panel, Security/Users tab, and Create User button. Easy.

Now you’re ready to go. If you can’t find MSBuild, it should be in your Visual Studio folder:

C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe

This assumes Visual Studio 2019 (the best Visual Studio) and default install paths.

I created a .bat file for scanning my project – it is way easier this way. It looks like this:

@echo off

REM Paths to the scanner and to MSBuild; they are quoted wherever they are used
REM because the MSBuild path contains spaces.
SET "scanner=c:\progs\sonar\scanner\SonarScanner.MSBuild.exe"
SET "msbuild=c:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe"

echo Start pre-processing project
"%scanner%" begin /k:"sonar-project-name"

echo Rebuilding solution
"%msbuild%" unityprojectname.sln /t:Rebuild

echo Pushing results to Sonar Server
"%scanner%" end

I set the paths so they are easier to call, then set up the scanner (which, I assume, will look for stuff to happen). While it’s watching, I build the solution using MSBuild – your Unity project actually compiles to a DLL called Assembly-CSharp.dll (you can find this in the Library/ScriptAssemblies folder in your project path). When it’s built, I end the scanner. From then on, it takes a few seconds for SonarQube to actually process the results, but otherwise, the results should be available now.

Now scan that project!

Scheduling

I’m considering a scheduled task for running analysis every night. You can quite simply just call the batch file, but it gets a bit more difficult if SonarQube isn’t running all the time – start the server, wait for it to get up, start the PostgreSQL service, stuff like that. I’ll do this in another post later.
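One way to make the batch file safe to run unattended, as an added example rather than the author's script: it waits until the server reports that it is up, authenticates as the dedicated scan user with a token instead of scanning anonymously, and stops at the first failing step. It assumes curl.exe is on PATH, the server is at the default localhost:9000, and an environment variable named SONAR_TOKEN (a name chosen here) holds a token generated for that user.

```bat
@echo off
setlocal

REM Added example. Assumptions: curl.exe on PATH, server at localhost:9000,
REM SONAR_TOKEN set in the task's environment to a token of the scan user.
set "scanner=c:\progs\sonar\scanner\SonarScanner.MSBuild.exe"
set "msbuild=c:\Program Files (x86)\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe"
set "server=http://localhost:9000"

REM Keep the credential out of the script and out of version control.
if not defined SONAR_TOKEN (
    echo SONAR_TOKEN is not set; refusing to scan without credentials.
    exit /b 1
)

REM Poll the status endpoint until it reports UP; give up after 30 tries.
set /a tries=0
:wait
curl -s "%server%/api/system/status" | findstr /c:"\"status\":\"UP\"" >nul
if not errorlevel 1 goto ready
set /a tries+=1
if %tries% geq 30 (
    echo SonarQube did not come up in time.
    exit /b 1
)
REM Sleep about 10 seconds. ping is used because timeout.exe fails when
REM stdin is not a console, which is the case in a scheduled task.
ping -n 11 127.0.0.1 >nul
goto wait

:ready
echo Start pre-processing project
"%scanner%" begin /k:"sonar-project-name" /d:sonar.host.url="%server%" /d:sonar.login="%SONAR_TOKEN%"
if errorlevel 1 exit /b 1

echo Rebuilding solution
"%msbuild%" unityprojectname.sln /t:Rebuild
if errorlevel 1 exit /b 1

echo Pushing results to Sonar Server
REM The end step needs the same credential as the begin step.
"%scanner%" end /d:sonar.login="%SONAR_TOKEN%"
exit /b %errorlevel%
```

The non-zero exit codes let the Task Scheduler history show a failed run instead of a silent one.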

Code Coverage

You’ll quickly notice that from your second run, the project will “fail”. This is because you have no code coverage data! This process is not trivial, so I’d suggest creating a new quality gate that has no Coverage requirement.

Getting coverage data from Unity is complicated: code coverage is only supported in 2019.3, which is in beta as I write this; the code coverage package is also a preview version (=beta); and even if you’re okay with that, the output is not compatible with SonarQube. I’ll cover this, too, in a later post.

But now you’ve got code analysis! Go and fix those code smells!