Eclipse | Using SonarLint | Rules and languages

On this page

Rules and languages

The Sonar Rules catalog is the entry point where you can discover all the existing rules. While running an analysis, SonarLint raises an issue every time a piece of code breaks a coding rule. 

Issues in your code are linked to Clean Code code attributes. When an issue is detected, it signifies that this part of your code is not consistent, intentional, adaptable, or responsible enough and that it impacts one or multiple software qualities. 

For more information about Clean Code attributes and software qualities, check out the Clean Code introduction page.

Overview

Out of the box, SonarLint for Eclipse automatically checks against the following rules:

When using Connected Mode with SonarQube or SonarCloud, you can unlock these rules:

The full list of available rules is visible in the Rules Configuration preferences tab found by navigating the UI to Window > Preferences > SonarLint (or Eclipse > Settings… > SonarLint for Mac OS) for access to Rules Configuration. Here you can activate and deactivate rules to match your conventions. SonarLint will also show a code action on each issue to quickly deactivate the corresponding rule.

For more details about languages and new features under consideration for all SonarLint IDEs (including Eclipse), please refer to the SonarLint roadmap where we list our coming soon and newly released features.

Rule selection

Sonar Rules can individually be turned on or off while running SonarLint in standalone mode; there are two ways to do this:

  • Right-click on the issue and select the Remove rule quick fix in the tooltip.
  • Activate and deactivate rules one by one in the SonarLint Preferences > SonarLint > Rules Configuration menu. A full list of rules organized by language is available.

When your project is bound to SonarQube or SonarCloud using Connected Mode, the rule set is managed on the server side as defined by the quality profile. 

Applying rules while in Connected Mode

Connected Mode syncs your SonarQube or SonarCloud Quality Profile with the local analysis to suppress issues reported in the IDE. See the Connected Mode documentation for more information.

Language-specific requirements

C and C++ analysis

The use of Connected Mode with SonarCloud or a SonarQube commercial edition is required to analyze C and C++ code in SonarLint for Eclipse. In addition, SonarLint requires a C/C++ Development Tool (CDT); you can check the Eclipse Embedded CDT documentation for more details. 

COBOL

COBOL analysis requires a COBOL IDE based on the Eclipse platform such as the IBM IDz or BMC IDEs. Note that recent versions of SonarLint and our analyzers require a JRE 11+ in order to run, and IBM IDz only supports JRE 11 starting from version 16.

Java and JSP

Analysis of Java code requires the Eclipse sub-project Java development tools (JDT). This includes a Java compiler, incremental builder, editors, wizards, content assist, and all the other features of a first-class Java IDE.

Other rule types

Injection vulnerabilities

Security vulnerabilities requiring taint engine analysis (taint vulnerabilities) are only available in Connected Mode because SonarLint pulls them from SonarQube or SonarCloud following a project analysis.

To browse taint vulnerabilities in SonarLint for Eclipse, configure Connected Mode with your SonarQube Developer Edition (and above) or SonarCloud instance. Once a Project Binding is configured, SonarLint will synchronize with the SonarQube or SonarCloud server to report the detected injection vulnerabilities.

More information about security-related rules is available in the SonarQube or SonarCloud documentation.

Security hotspots

SonarLint for Eclipse does not detect security hotspots on its own, and does not report them hotspots found by SonarCloud. However, SonarQube's Open in IDE feature will open one hotspot at a time in Eclipse and show them in the Security Hotspot view window.

Please see the SonarLint documentation on Security hotspots for more details, and the Investigating issues page to learn how the Open in IDE feature works.

Secrets detection

Secrets are pieces of user-specific or system-level credentials that should be protected and accessible to legitimate users only. SonarLint detects exposed Secrets in your source code and language-agnostic config files. When running in Connected Mode, the SonarQube or SonarCloud Quality Profiles are applied to locally detected Secrets.

© 2008-2024 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARLINT, SONARQUBE, SONARCLOUD, and CLEAN AS YOU CODE are trademarks of SonarSource SA.

Creative Commons License