Whether your issue is a potential security problem, a bad coding practice, or a more serious logic error, fixing it usually involves changing the code. SonarLint’s issue messages contain useful information about how to fix the potential problem and include a rule description so that you can learn more about why the issue is reported.
SonarLint for VS Code offers multiple ways to investigate issues and fix problems in your code. Issues reported by the analyzer expose the following code actions, available by selecting an issue in the PROBLEMS panel and clicking its lightbulb (in either the PROBLEMS panel or the code editor):
- Open description of rule: opens a new view panel with the detailed rule description, which usually explains why the issue is raised and how to fix it.
- Show all locations for issue: opens the SONARLINT ISSUE LOCATIONS view panel and highlights the additional locations of this issue.
- Deactivate rule ‘yyy:XXX’: disables the rule in the user’s VS Code settings. This action is only available when you are not using Connected Mode. To reactivate a rule, go to the SonarLint > SONARLINT RULES view in VS Code, click the 3-dots menu and select Find Rule By Key.
Some issues have Sonar Quick Fixes, which means that with a single click SonarLint automatically edits your source code to comply with the rule and fix the issue. In the explorer window, select the issue in the SonarLint View to reveal the tooltip exposing these options, or click the lightbulb in the left margin to Show fixes.
If your code violates more than one rule, or the same issue is repeated at multiple locations at the same point in the code, the available options are presented for each instance. For example, rule php:S1808 shown in the image below highlights non-compliant formatting both before and after the parentheses.
When running SonarLint for VS Code in Connected Mode with SonarQube 10.2 or newer, it is possible to mark issues as resolved before submitting your code for PR analysis.
To mark an issue, go to your issue in the code editor and select the lightbulb to find the More Actions… menu. Then select SonarLint: Resolve issue violating rule `<your rule>` and choose either Won’t fix or False positive to resolve the new issue. Note that the More Actions… menu is not available from the PROBLEMS panel.
Marking an issue can be applied to both new issues and known issues. Marks made on known issues are reflected on the SonarQube server within a few minutes; marks made on new issues are reflected on the server when the next analysis is run. The option to mark an issue as resolved does not appear if you are connected to an unsupported version of SonarQube or SonarCloud.
To unmark all issues not yet known in SonarQube, open the VS Code Command Palette and run the command SonarLint: Reopen Local Issues for current file. This command only affects new issues that were marked before an analysis was run on the server.
Marking issues as resolved requires:
- SonarLint for VS Code 3.21 or newer.
- Running in Connected Mode with SonarQube 10.2 or newer (marking issues while bound to a SonarCloud project is not supported by SonarLint for VS Code 3.21).
- In SonarQube, the Administer Issues permission granted to the user(s).
Taint vulnerabilities are security-related rule issues that are only raised by SonarQube (starting with Developer Edition) and SonarCloud. Due to technical limitations, SonarLint for VS Code cannot raise such issues during local analysis and must be running in Connected Mode to sync taint vulnerabilities from the server.
Taint vulnerabilities are distinguished in the PROBLEMS panel with the Latest SonarQube/SonarCloud Analysis tag as shown in the following image:
Learn how to fix your taint vulnerability by opening the tooltip options. Click the issue’s lightbulb, or right-click the issue, and select one of the following:
- Open description of rule ‘your rule’ to learn why it is an issue.
- Show all locations for taint vulnerability ‘your rule’ to see the issue’s flow from sources to sinks (from user-controlled inputs to sensitive functions).
- Open taint vulnerability ‘your rule’ on ‘your server’, where you can learn more about why this is an issue.
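What such a source-to-sink flow looks like in code, as an added example written for this page (Python; not SonarLint, SonarQube or SonarCloud code, and the request handler, table and attacker input are all constructed here): the value taken from the request is the source, the SQL execution is the sink, and the fixed variant is the kind of change the rule description asks for.

```python
# Added illustration of a taint flow: a user-controlled value (source) reaches a
# sensitive function (sink) without neutralisation. Example code written for this
# page, not SonarLint/SonarQube/SonarCloud code; the request dict, the table and
# the attacker input are constructed here.
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def find_email_vulnerable(conn, name):
    # The tainted `name` is concatenated into the SQL text ...
    query = "SELECT email FROM users WHERE name = '" + name + "'"
    # SINK: ... and executed as-is, so a crafted value rewrites the query.
    return [row[0] for row in conn.execute(query)]


def find_email_fixed(conn, name):
    # Fixed form: the value travels as a bound parameter, never as query text,
    # so the flow from the source never reaches the sink as code.
    query = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(query, (name,))]


def handle_request(conn, params, fixed=False):
    """Simulated HTTP handler. SOURCE: `params` is attacker-controlled input.

    A "Show all locations" flow for this vulnerability would list the source
    here, the propagation through `name`, and the sink in find_email_vulnerable.
    """
    name = params.get("name", "")
    lookup = find_email_fixed if fixed else find_email_vulnerable
    return lookup(conn, name)


# Constructed attacker input: closes the string literal and adds a tautology.
PAYLOAD = "' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print(handle_request(conn, {"name": "alice"}))              # one address
    print(handle_request(conn, {"name": PAYLOAD}))              # every address leaks
    print(handle_request(conn, {"name": PAYLOAD}, fixed=True))  # nothing
```

Running the script shows the vulnerable handler returning every email address for the crafted input, while the parameterised handler returns nothing for it and still resolves ordinary names.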
Please see the documentation about Taint vulnerabilities for more information about working with these particular security issues.
© 2015-2023, SonarSource S.A, Switzerland. Except where otherwise noted, content in this space is licensed under the GNU Lesser General Public License, Version 3.0. SONARLINT is a trademark of SonarSource SA. All other trademarks and copyrights are the property of their respective owners. See SonarSource.com for everything you need to know about the Sonar Solution.