Fixing issues
Whether your issue is a potential security problem, a bad coding practice, or a more serious logic error, fixing it usually involves changing the code. SonarQube for IDE's issue messages contain useful information about how to fix the potential problem and include a rule description so that you can learn more about why the issue is reported.
SonarQube for Eclipse offers multiple ways to investigate issues and fix problems in your code. Issues are usually presented in several locations; hovering over, clicking, or right-clicking one of these markers opens a tooltip that reveals your options.
Preferences menu
Navigate to Window > Preferences > SonarQube (or Eclipse > Settings… > SonarQube on macOS) to access the SonarQube Preferences menu. Here you will find four menus that let you:
- Pass additional properties to the SonarQube for Eclipse analyzers.
- Add/remove files to be excluded from the analysis.
- Agree/disagree to share anonymous telemetry statistics.
- Define your rules configuration (when running in standalone mode).
Rule selection
Sonar rules can be turned on or off individually while running SonarQube for Eclipse in standalone mode; there are two ways to do this:
- Right-click on the issue and select the Remove rule quick fix in the tooltip.
- Activate and deactivate rules one by one in the Preferences > SonarQube > Rules Configuration menu. A full list of rules organized by language is available there.
When your project is bound to SonarQube (Server, Cloud) using connected mode, the rule set is managed on the server side by the project's quality profile and cannot be changed from the IDE. See the SonarQube Server, SonarQube Cloud, or SonarQube Community Build quality profile documentation for more information.
Quick fixes
Eclipse relies on the IDE's language support to display quick fixes, so they can appear in different ways. Hovering over the issue in your code editor reveals the SonarQube for Eclipse tooltip. Sonar Quick Fix options such as Deactivate rule or Insert placeholder comment are shown when available. Depending on the language and issue type, an action item such as Show issue data flows or Remove unused local variable is offered. Right-clicking an issue in the SonarQube On-The-Fly view also reveals the Quick Fix options.
In the tooltip and in every SonarQube for Eclipse view panel, you always have the option to open the issue's rule in the SonarQube Rule Description view. The rule description explains why the issue is raised and details how to fix it. See Investigating issues for more details.
Sometimes your issue is also recognized by other analyzers. When this occurs, the tooltip lists all available quick fixes; SonarQube for IDE's Quick Fixes are distinguishable by the SonarQube for IDE icon preceding the title text.
Fixing security hotspots and injection vulnerabilities
Connected mode is required to identify both security hotspots and injection vulnerabilities (also called taint vulnerabilities). Security hotspots require that your project be bound to SonarQube Server; injection vulnerabilities can be found with a connected mode binding to either SonarQube Server or SonarQube Cloud.
By default, a SonarQube for IDE hotspot badge and a vulnerability padlock are displayed in the Eclipse vertical ruler for security hotspots and injection vulnerabilities, respectively.
If you don't see the data flow (the path from the untrusted source to the sensitive sink) displayed in the code editor for injection vulnerabilities, make sure that code minings are enabled in the Preferences > Java > Editor > Code Minings menu.
Please have a look at the SonarQube for Eclipse documentation on Security hotspots and Injection vulnerabilities for more details about working with these types of security issues.
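To make the data-flow idea concrete, here is an added, constructed Java example; it is not code from the SonarQube documentation, and the class and method names (UserLookup, findByNameVulnerable, findByNameFixed) are hypothetical. The first method shows the kind of source-to-sink flow a taint analyzer reports as an injection vulnerability, where each hop of the untrusted value is what the IDE displays as a data-flow step; the second shows the usual fix, after which the flow no longer reaches a sink.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

// Constructed example of a taint (injection) vulnerability and its fix.
// Names are hypothetical; the SQL schema (users: id, email, name) is assumed.
public class UserLookup {

    // Source: 'name' is assumed to come straight from the HTTP request
    // (for example request.getParameter("name")), so it is attacker-controlled.
    // Sink: it is concatenated into the query text. A taint analyzer reports
    // the flow from the parameter, through 'sql', into executeQuery.
    public static ResultSet findByNameVulnerable(Connection conn, String name)
            throws SQLException {
        String sql = "SELECT id, email FROM users WHERE name = '" + name + "'";
        Statement stmt = conn.createStatement();
        return stmt.executeQuery(sql); // injection sink: name like ' OR '1'='1 changes the query
    }

    // Fix: bind the untrusted value as a parameter. The query structure is fixed
    // before the value is supplied, so the tainted data can no longer alter it,
    // and the reported flow disappears on the next analysis.
    public static ResultSet findByNameFixed(Connection conn, String name)
            throws SQLException {
        String sql = "SELECT id, email FROM users WHERE name = ?";
        PreparedStatement stmt = conn.prepareStatement(sql);
        stmt.setString(1, name);
        return stmt.executeQuery();
    }
}
```

The fix is deliberately a structural change (parameter binding) rather than input filtering: taint analysis tracks whether untrusted data reaches the sink at all, and escaping or validating the string usually leaves the flow in place unless the analyzer recognizes the sanitizer.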
Marking issues
When using SonarQube for Eclipse in connected mode, it is possible to change the resolution of issues to reclassify them in SonarQube (Server, Cloud) or SonarQube Community Build.
In SonarQube for Eclipse 9.0+ running in connected mode with SonarQube Server 10.2 or newer, or with SonarQube Community Build, it is possible to mark issues as Won't Fix or False Positive before submitting your code for PR analysis.
When running in connected mode with SonarQube Server 10.4 or newer, Won't Fix becomes Accept.
Marking can be applied to both known issues and new issues. Marks made on known issues are reflected on SonarQube Server or SonarQube Community Build within a few minutes; marks made on new issues are reflected on the server when the next analysis is run.
In version 9.0, marking new issues is not yet possible when bound to a SonarQube Cloud project.
The option to mark an issue does not appear if you are connected to an unsupported version of SonarQube Server.
Requirements for marking issues
- Running SonarQube for Eclipse in connected mode with SonarQube Server 10.2 or newer, or with SonarQube Community Build.
- Note that when bound to a project in SonarQube Cloud, it is possible to mark only known issues, that is, those already found by a SonarQube Cloud analysis.
- You have been granted the Administer Issues permission by a project administrator. See the SonarQube Project permissions article for more information.
In the Description column of your SonarQube for Eclipse view, marked issues have a checkmark. Known issues found on the server have an additional SonarQube (Server, Cloud) or SonarQube Community Build icon. New issues show only the software quality icon; see the Clean Code introduction page for more information about Clean Code attributes and software qualities.
To change the resolution of an existing issue from the IDE:
- Right-click on an issue from one of the following SonarQube view windows: On-The-Fly, Report, or Taint Vulnerabilities. Then select Mark Issue as…
Once selected, you can define the issue's resolution as Won't Fix (Accept when running in connected mode with SonarQube Server 10.4 or newer) or False Positive and add a comment if needed. The new status is then reflected on SonarQube (Server, Cloud) or SonarQube Community Build: within a few minutes for known issues, and at the next analysis for new issues.
Reopening issues
It is possible to reopen issues from any of the three views: SonarQube On-The-Fly, SonarQube Report, and SonarQube Taint Vulnerabilities.
- Right-click on the issue and select Re-Open resolved Issue…
Status changes to known issues are recognized by SonarQube Server within a few minutes; if you are reopening a new issue, SonarQube Server will recognize it at the next analysis.