Visual Studio | Using SonarLint | Security hotspots

Was this page helpful?

On this page

Install Free

Security hotspots

A security hotspot highlights a security-sensitive piece of code that the developer needs to review. Upon review, you'll either find there is no threat or you need to apply a fix to secure the code. For more information about Security Hotspots, take a look at the SonarQube and SonarCloud documentation.

Hotspot analysis

From SonarLint for Visual Studio version 7.1, it is possible to locally detect and report hotspots locally for C, C++, and JS/TS languages. Requirements include running SonarLint in Connected Mode and being bound to a project in SonarQube 9.7+ or to a project in SonarCloud.

Note that security hotspots have been reported by SonarLint since version 4.29, but only when running in Connected Mode with SonarQube 8.9+.

Improvements with v7.1 include the local detection of security hotspots and the option to report hotspots found by SonarCloud. When running in Connected Mode with SonarQube or SonarCloud, security hotspot analysis rules for the applicable languages will be run each time a local analysis is triggered.

Newly detected Hotspots

Locally found hotspots will be highlighted in the editor using the characteristic SonarLint squiggles. In addition, a list of all locally found hotspots will be found in the new Local Security Hotspots tool window, which will open and close automatically when there is a local hotspot to report. Selecting the rule key of your hotspot in the Local Security Hotspots tool window will open the Sonar Rule Help window where you can review descriptive and educational content associated with the hotspot.

Already known hotspots

Hotspots already detected by the SonarQube or SonarCloud server are shown in the Sonar Server Security Hotspot tool window. Newly detected hotspots that are matched to already known hotspots marked as Fixed or Safe on the server, will not be shown.

Note that previous behaviors of already known hotspots, such as SonarQube’s Open in IDE feature, remain unchanged; only the name of the tool window is updated in SonarLint v7.1.

Open in IDE from SonarQube

From SonarLint for Visual Studio version 4.29, SonarLint provides a way to investigate Security Hotspots found on your SonarQube server. This is an integration feature: when viewing a hotspot on your SonarQube server, you will notice a button named Open in IDE; selecting that button while Visual Studio is running will open the hotspot's code file in the IDE.

SonarLint for Visual Studio only supports the opening of security hotspots in the IDE using the SonarQube Open in IDE feature; the Open in IDE feature will not open standard issues or taint vulnerabilities in SonarLint for Visual Studio however, this feature is in development.

Feature requirements

  • SonarQube version 8.9 or higher.
  • SonarLint for Visual Studio version 4.29 or higher.
  • The correct solution must be open in Visual Studio and it must be in Connected Mode. SonarQube will not open Visual Studio if it is closed.

Feature overview

When SonarLint receives an Open in IDE request from the browser, SonarLint will verify that the correct solution is open in Connected Mode. If not, a gold bar will be displayed with additional information being logged in the Output Window:

SonarLint will give you a gold bar to explain what went wrong with the Open in IDE request.
The error output will give you more information about the failure related to the hotspot.

If the correct solution is open and the hotpot's code location can be found in the solution, SonarLint will open the file and navigate to the relevant code. In addition, the hotspot is added to the SonarLint Security Hotspots tool window where you will find additional information:

SonarLint will give you more information about the hotspot in the Security Hotspots tool window.

However, it is possible that the code on the SonarQube server does not match your local code version; for example, if code changes have been made since the last analysis or if the relevant code project is not included in the solution, SonarLint cannot find what does not exist locally. In this case, SonarLint will not be able to locate the hotspot and it will be added to the SonarLint Security Hotspots list with an indication that it is not navigable:

The error reads that SonarLint "Cannot navigate to location. The source code is different from the analyzed version."

Security Hotspots list functionality

Once a hotspot has been added to the list, you can navigate to it using a double-click or the Enter key. In order to remove a hotspot from the list, use the right-click context menu or the Del key. This will only remove the hotspot from the list - it will not have any effect on the hotspot in your SonarQube server.

Removing a hotspot from the Security Hotspots list will not remove it from the SonarQube or SonarCloud server.

Implementation notes

When Visual Studio starts, SonarLint will start listening in the background for Open in IDE requests originating from your local browser. This listener does not require a lot of resources and should not affect your machine's performance and memory consumption in any way, nor should it interfere with your work. SonarLint will try to find an available port in the range 64120-64130 inclusive. Information about the port selection will be logged in the SonarLint pane in the Output Window. If a port cannot be found, Open in IDE will not be handled. The port range is not configurable.

© 2008-2024 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARLINT, SONARQUBE, SONARCLOUD, and CLEAN AS YOU CODE are trademarks of SonarSource SA.

Creative Commons License