Fixing issues

Whether your issue is about a potential security problem, considered to be a bad coding practice, or a more serious logic error, fixing issues usually involve changes to the code. SonarLint’s issue messages contain useful information about how to fix the potential problem and include a rule description so that you can learn more about why the issue is reported. 

SonarLint for Eclipse offers multiple ways to Investigate issues and fix problems in your code. Issues are usually presented in multiple locations and you can typically hover and/or click or right-click over these markers to open a tooltip that reveals your options. 

Preferences menu

Navigate to Window > Preferences > SonarLint (or Eclipse > Settings… > SonarLint for Mac OS) for access to the SonarLint Preferences menu. Here you will find 4 menus to:

• Pass additional properties to the SonarLint analyzers.
• Add/remove files to be excluded from the analysis.
• Agree/disagree to share anonymous telemetry statistics.
• And specifically define your rules configuration (when running in stand-alone mode).

Rule selection

Sonar Rules can individually be turned on or off while running SonarLint in standalone mode; there are two ways to do this:

• Right-click on the issue and select the Remove rule quick fix in the tooltip.
• Activate and deactivate rules one by one in the SonarLint Preferences > SonarLint > Rules Configuration menu. A full list of rules organized by language is available.

When your project is bound to SonarQube or SonarCloud using Connected Mode, the rule set is managed on the server side as defined by the quality profile. See the SonarQube and SonarCloud documentation about quality profiles for more information.

Quick fixes

Eclipse relies on the language support from the IDE to display quick fixes in different ways. Hovering over the issue in your code editor will reveal the SonarLint tooltip. Sonar Quick Fix options such as Deactivate rule or Insert placeholder comment will be shown when available. Depending on the language type and/or issue type, an action item such as Show issue data flows or Remove unused local variable will be offered. In addition, right-clicking an issue in the SonarLint On-The-Fly view will also reveal Quick Fix options.

You will always be offered the option in the tooltip and in all SonarLint view panels to open the issue’s rule in the SonarLint Rule Description view; the rule description explains why the issue is raised and details how to fix it. See Investigating issues for more details.

Sometimes your issue is recognized by additional analyzers. When this occurs, a full list of all quick fixes will appear in the tooltip; SonarLint’s Quick Fixes are distinguishable by the SonarLint icon preceding the text title.

Fixing security hotspots and taint vulnerabilities

The use of Connected Mode is required to identify both security hotspots and taint vulnerabilities. Security hotspots require that your project be bound to SonarQube; Taint vulnerabilities can be found with a Connected Mode binding to either SonarQube or SonarCloud.

By default, a SonarLint hotspot badge and vulnerability padlock are displayed for Security Hotspot and Taint Vulnerability issues (respectively) in the Eclipse Vertical ruler.

If you don’t see the data flow displayed in the code editor for taint issues, make sure that code minings are enabled in the Preferences > Java > Editor > Code Minings menu.

Please have a look at the SonarLint for Eclipse documentation on Security hotspots and Taint vulnerabilities for more details about working with these types of security issues.

Marking issues

When using SonarLint in Connected Mode it’s possible to change the resolution of issues to reclassify them in SonarQube or on SonarCloud. 

In SonarLint for Eclipse 9.0+ running in Connected Mode with SonarQube 10.2 and newer, it is possible to mark issues as Won’t Fix or False Positive before submitting your code for PR analysis. 

Marking an issue can be applied to both known issues and new issues. Marks made on known issues will be reflected on the SonarQube or SonarCloud server within a few minutes; marks made on new issues will be reflected on the SonarQube server when a new analysis is run.

In version 9.0, marking new issues is not yet possible when bound to a SonarCloud project. 

Requirements for marking issues

• Running SonarLint for Eclipse in Connected Mode with SonarQube 10.2 or newer. 
  • Note that when bound to a project in SonarCloud, it is possible to mark only known issues, those already found by a SonarCloud analysis.
• You are granted the Administer Issues permission level by a project administrator. See the SonarQube Project permissions article for more information

In the Description column of your SonarLint view, Marked issues will have a checkmark. Known issues found on the server will have an additional SonarQube or SonarCloud icon. New issues show only the software quality icon; please see the Clean Code introduction page for more information about Clean Code attributes and software qualities.

To change the resolution of an existing issue from the IDE:

• Right-click on an issue from one of the following SonarLint view windows: On-The-Fly, Report, or Taint Vulnerabilities. Then select Mark Issue as…

Once selected, you can define the issue’s resolution as Won’t Fix or False Positive and add a comment if needed. The issue status will immediately be reflected on the SonarQube or SonarCloud server.

Reopening issues

It is possible to reopen issues from any of the same three three views: On-The-Fly, Report, and Taint Vulneralbilities. 

• Right-click on the issue and select Re-Open resolved Issue…

Status changes to known issues are recognized by SonarQube within a few minutes;  if you’re re-opening a new issue, SonarQube will recognize it in the next analysis.