You can connect the SonarLint extension of your IDE to SonarQube 8.9+ or SonarCloud so that the same issues are reported on both sides. Setting up Connected Mode gives SonarLint the information it needs to communicate with SonarQube or SonarCloud, such as the server URL and a user token or credentials. By binding your local workspace folder to your SonarQube/SonarCloud project(s), you benefit from the same rules and settings that are used to inspect the project on the server.
While in Connected Mode, SonarLint receives notifications from SonarQube/SonarCloud about your Quality Gate changes and new issues. Notifications can be enabled or disabled from the UI while creating or editing the connection settings.
Features when Connected Mode is used:
- Use the same quality profile locally as is defined on the server: the same rule activation, parameters, severities, etc.
- Apply settings, such as rule exclusions and analyzer parameters, defined on the server to the local analysis.
- Automatically suppress, among the issues reported locally, those that are marked as Won't Fix or False Positive on the server.
Connected Mode does not push issues to the server. Rather, its purpose is to configure the IDE so that it uses the same settings as the server.
Having a SonarQube 8.9+ project or a SonarCloud project is required to run SonarLint for IntelliJ in Connected Mode. In addition to the published languages on the Rules page, you can unlock Scala, Swift, and PL/SQL rules when using Connected Mode.
It is important that SonarLint knows which branch you are currently on in order to sync the active file with the server in Connected Mode. SonarLint therefore automatically detects when the local git branch changes and, while in Connected Mode, recalculates the closest Sonar branch in the background to know which taint issues and suppressions to fetch from the server (for example, issues marked as "safe" or "won't fix" in SonarQube).
In Connected Mode, SonarLint synchronizes some data from the issues that were found on the server side, most importantly the status and resolution. Branch awareness allows SonarLint to consider the branch currently checked out in the IDE and synchronize with the most appropriate branch from the server.
SonarLint for IntelliJ supports only git, and only the git branch name, for branch matching, using the git4idea client shipped by JetBrains. If SonarLint's branch awareness algorithm fails to find a best match, taint vulnerabilities and issue suppressions are pulled from the main branch by default.
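The two behaviours described above, branch selection and suppression of server-resolved issues, as an added illustration written for this page (it is not SonarLint's own code). The matching heuristics (exact branch name, then nearest ancestor commit, then main), the issue identity used for matching (rule key, path and line), and all sample commits, branches and issues are assumptions constructed for the example; SonarLint's real algorithm is not specified on this page.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class ServerIssue:
    rule: str
    path: str
    line: int
    resolution: Optional[str]  # "WONTFIX", "FALSE-POSITIVE", or None while still open


@dataclass(frozen=True)
class LocalIssue:
    rule: str
    path: str
    line: int


# Resolutions that hide the matching local issue (Won't Fix / False Positive).
SUPPRESSING_RESOLUTIONS = {"WONTFIX", "FALSE-POSITIVE"}


def choose_server_branch(local_branch: str, local_head: str,
                         parents: Dict[str, Optional[str]],
                         server_heads: Dict[str, str],
                         main_branch: str = "main") -> str:
    """Pick the server branch whose issues and suppressions should be pulled.

    Heuristic assumed for this example (not SonarLint's documented rule):
      1. a server branch with the same name as the local branch wins;
      2. otherwise the server branch whose head is the nearest ancestor of the
         local HEAD (fewest commits back along first parents) wins;
      3. otherwise fall back to the main branch.
    """
    if local_branch in server_heads:
        return local_branch

    # Distance from local HEAD to each of its ancestors, first parents only.
    distance: Dict[str, int] = {}
    commit, steps = local_head, 0
    while commit is not None and commit not in distance:
        distance[commit] = steps
        commit = parents.get(commit)
        steps += 1

    candidates = [(distance[head], name) for name, head in server_heads.items()
                  if head in distance]
    if candidates:
        return min(candidates)[1]  # ties broken by branch name, for determinism
    return main_branch


def suppressed_keys(server_issues: Iterable[ServerIssue]) -> set:
    """Identity of every server issue that should hide a local match."""
    return {(i.rule, i.path, i.line) for i in server_issues
            if i.resolution in SUPPRESSING_RESOLUTIONS}


def filter_local_issues(local_issues: Iterable[LocalIssue],
                        server_issues: Iterable[ServerIssue]) -> List[LocalIssue]:
    """Drop local issues the server already resolved as Won't Fix / False Positive."""
    hidden = suppressed_keys(server_issues)
    return [i for i in local_issues if (i.rule, i.path, i.line) not in hidden]


# Constructed sample data: a linear local history c1 <- c2 <- c3 <- c4 <- c5,
# two branches analysed on the server, and a handful of issues.
PARENTS = {"c5": "c4", "c4": "c3", "c3": "c2", "c2": "c1", "c1": None}
SERVER_HEADS = {"main": "c1", "feature/login": "c3"}

SERVER_ISSUES = [
    ServerIssue("java:S2068", "src/Config.java", 12, "WONTFIX"),
    ServerIssue("java:S1481", "src/Util.java", 40, "FALSE-POSITIVE"),
    ServerIssue("java:S106", "src/Main.java", 7, None),  # still open: stays visible
]
LOCAL_ISSUES = [
    LocalIssue("java:S2068", "src/Config.java", 12),
    LocalIssue("java:S1481", "src/Util.java", 40),
    LocalIssue("java:S106", "src/Main.java", 7),
    LocalIssue("java:S106", "src/Main.java", 9),  # unknown to the server, stays visible
]


def demo() -> dict:
    """Run both steps for a local branch that has no exact counterpart on the server."""
    branch = choose_server_branch("feature/login-fix", "c5", PARENTS, SERVER_HEADS)
    visible = filter_local_issues(LOCAL_ISSUES, SERVER_ISSUES)
    return {"branch": branch, "visible": [(i.rule, i.line) for i in visible]}


if __name__ == "__main__":
    print(demo())
```

Matching on the line number alone is the simplest identity and is used here for brevity; line numbers shift as a file is edited, so a production implementation would also compare the content of the line (or a hash of it) before treating a local issue as the same as a resolved server issue.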
SonarLint for IntelliJ provides a connection wizard to help you set up Connected Mode:
- Open IntelliJ settings, find the Tools > SonarLint entry, and select + to open the connection wizard.
- Enter a name for this connection and select SonarCloud or SonarQube. For the latter, you will need to enter the server URL.
- Choose the authentication method.
- Token: generate a user token on SonarQube or SonarCloud for SonarLint to use as its authentication method. This is the preferred option: a token can be revoked on its own, without exposing or changing your username and password.
- Username + Password: available for a SonarQube connection only. It sends your credentials directly and is not recommended.
- For SonarCloud only, select the Organization that you want to connect to (you can also select a public one).
- SonarQube and SonarCloud can push notifications to developers. You can decide whether or not to subscribe.
- Validate the connection creation by selecting Finish at the end of the wizard.
- Save the connection in global settings by clicking OK.
Once Connected Mode is established, you must bind your IDE project to a SonarQube or SonarCloud project.
- Open IntelliJ > Settings... and find the Tools > SonarLint > Project Settings entry.
- Select Bind project to SonarQube/SonarCloud and choose the previously created connection name in the dropdown list.
- Enter the project key as it is configured on SonarQube/SonarCloud, or pick it using Search in list...
In IntelliJ, additional modules can be imported into a project, e.g. via the 'Project Structure' menu. This is often used, for example, to group the back-end and the front-end parts of an application into the same project. As those components might be analyzed separately on the server, SonarLint lets you bind modules to different projects.
- In the IntelliJ settings, find the Tools > SonarLint > Project Settings entry. Alternatively, you can select the Configure SonarLint tool icon from any of the SonarLint view windows to access the Project Settings menu.
- Make sure a binding is configured at the project level (see the previous section). Note: this will be the default binding for all modules that have no overridden binding.
- In the 'Override binding per module' section, click on the + sign and choose the module.
Observing different analysis results between SonarQube/SonarCloud and SonarLint can have different causes:
- Third-party analyzers are not executed in SonarLint. Some issues may be reported in SonarQube by a plugin leveraging a third-party analyzer (PMD, Checkstyle, ESLint, PyLint, ...). SonarLint only runs rules from SonarSource analyzers, including custom rules extending SonarSource analyzers. Third-party analyzers usually have their own IDE integration, so there is no plan to run them in SonarLint.
- SonarSource rules usually don't report issues on test files. Each SonarLint flavor has its own way of detecting which file is considered a test source (like a unit test), and most rules are not executed on test sources. See the IDE's specific section to know how SonarLint decides whether a file is production code or test code.
- "Second level" issues are not reported in SonarLint (rule keys starting with common-xxx). Issues that depend on the computation of code coverage or duplications are not reported by SonarLint because they are not compatible with "on the fly" analysis: finding duplications requires the scanner to analyze the entire project (including sibling modules), and collecting coverage requires that all tests be executed with a properly configured coverage engine. This is currently outside the scope of SonarLint.
- Security Hotspots are not reported in SonarLint. They are not issues that can be fixed immediately; Security Hotspots follow a review process that is implemented on the SonarQube/SonarCloud side.
- Taint vulnerabilities are not detected by SonarLint's local analysis. Vulnerabilities raised by the taint analyzer (SQL injection, ...) are detected by SonarQube commercial editions only (rule keys starting with roslyn.sonaranalyzer.security.cs) and are not detected by SonarLint, because running taint analysis in the IDE is currently not practical, mainly for performance reasons. In Connected Mode, SonarLint instead fetches the taint vulnerabilities found on the server for the matching branch.
SonarLint enables users to establish a connection to the latest SonarQube version and to the latest LTS version. When a new LTS version is released (approximately every 18 months), we still enable connecting SonarLint to the previous LTS version for a certain period of time (currently 12 months after the latest LTS release) to allow enough time for organizations to upgrade their SonarQube version.
For more information about long-term support of SonarQube, check out our page describing "what is an LTS". And, to review IDE-specific requirements, please check the respective pages of the documentation as listed in the next paragraph.
Connected Mode allows SonarQube or SonarCloud to send smart alerts to individuals or teams as soon as something happens on the server: for example, when the Quality Gate status changes, when new issues are discovered, or when the Sonar Quality Profile is updated. With everyone in the loop, issues can be addressed promptly, improving the overall software quality and delivery. The notification includes a link back to SonarQube or SonarCloud where you can learn more about the issues that were introduced.
You'll receive smart notifications in your IDE when:
- the quality gate status of a project open in your IDE changes (see the SonarQube or SonarCloud documentation for details about using quality gates in your project)
- a SonarQube or SonarCloud analysis raises new issues that you've introduced in a project open in your IDE
You can activate or deactivate smart notifications in SonarLint on the IDE side on a server-by-server basis.
Sonar Smart Notifications are available in all editions of SonarQube and SonarCloud.
More on how to manage Smart Notifications in SonarLint for IntelliJ will be coming soon...
© 2015-2023, SonarSource S.A, Switzerland. Except where otherwise noted, content in this space is licensed under the GNU Lesser General Public License, Version 3.0. SONARLINT is a trademark of SonarSource SA. All other trademarks and copyrights are the property of their respective owners. See SonarSource.com for everything you need to know about the Sonar Solution.