Investigating issues

SonarLint can help developers by letting them perform local analyses to check their code before pushing it back to the SCM. While running an analysis, SonarLint raises an issue every time a piece of code breaks a coding rule.

Usually, a first analysis is performed as soon as one of the supported files is opened. Then, regular analyses are triggered when the editor content changes and/or when the file is saved. 

This page describes how to find and investigate issues in your IDE.

Defining issues

An Issue is a problem in your code that prevents it from being Clean Code. Issues found in code are linked to Clean Code attributes, and these attributes signify how your code will impact one or more software qualities. Software qualities determine the overall severity of an issue that feeds back into the overall status of your code when implementing a Clean as You Code methodology; please see the SonarQube or SonarCloud documentation for more about Clean as You Code.

Each issue is linked to one Clean Code attribute which is associated with one or more software qualities, each with a level of severity. 

To communicate the code attributes, software qualities, and severity of issues found in your code, SonarLint displays them in the SonarLint Rule Description webview as described below.

Finding issues

For most issues, SonarLint provides information about why there is an issue and offers one or more actions to Fix your issue. Issues can be found in 3 places:

  1. In the VS Code Text Editor, identifiable by the classic squiggles underlining issues in the code.
  2. In the Tooltip, recommended action(s) can be found by clicking on the light bulb in the left margin of the code explorer view.
  3. In the PROBLEMS panel, select your issue to highlight the issue-causing code in the Editor. Right-clicking on the issue opens the same tooltip action as described above.

Security hotspots are found in the SONARLINT > SECURITY HOTSPOTS view panel. See the Security hotspots page for more details.

Taint vulnerabilities work a bit differently. At the Tooltip, select Show all locations to view the execution flow in the SONARLINT ISSUE LOCATIONS view container. See the Taint vulnerabilities page for more details.

Opening issues in the IDE from SonarQube

Understanding issues in context is a helpful way to address problems more effectively. Beginning in SonarQube 10.3, it is possible to open all issues in your IDE, including taint vulnerabilities.

Go to the SonarQube > Your Project > Issues page, pull up the issue’s detail view and select the Open in IDE button as an authenticated user to edit the issue in your IDE. 

From SonarQube 10.3+, select Open in IDE to open the issue in SonarLint.

The project should already be open in the appropriate IDE and bound to the server using Connected mode; if not, you will be prompted to set up a new connection and must reselect the Open in IDE button (from SonarQube) to reinitiate the jump. 

If you’ve already fixed the issue in your code, SonarLint will not be able to find it; only matching code will be highlighted. In this case, check that recent changes have been analyzed by SonarQube and check the documentation on SonarQube Issues for details about managing your issues on the server.

Please see the Connected Mode documentation to bind your project to an instance of SonarQube 10.3+.

Focusing on new code

Focusing on new code is an important part of the Clean as You Code approach, where you direct your effort and attention toward submitting clean code to avoid introducing new issues. SonarLint for VS Code allows you to focus on new code by filtering issues shown in the IDE, as determined by your SonarQube or SonarCloud new code definition.

Setting your focus on new code has these prerequisites:

  • SonarLint must be running in Connected Mode.
  • Your local project must be bound to a SonarQube or SonarCloud project.
  • The new code definition must be defined in SonarQube or SonarCloud using a Previous version, Number of days, or Specific analysis; the Reference branch new code definition is not supported. Please check the documentation in SonarQube or on SonarCloud to properly set your new code definition.

Setting the SonarLint focus on new code is easy. To activate or deactivate this mode, select SonarLint focus: in the VS Code Status Bar, then press Enter or choose Focus on new code or Focus on overall code from the Command Palette. Additionally, you can select or deselect the SonarLint focus mode from the VS Code > Settings… > Settings > Extensions > SonarLint > User settings menu.

By default, the SonarLint focus is set to overall code when you set up a new connection and establish the project binding.

Highlighting issues

Issues found during analysis are highlighted in two ways:

  • In the VS Code code editor: a colored wave (squiggles) in the code editor underlines Warning and Information issues. By default, Hint problems are marked by an ellipsis at the beginning of the line. Hovering over the squiggles reveals more information about the problem.
  • In the PROBLEMS panel of the SonarLint view window (in VS Code): select an issue from the list to jump to the line of code in your file where the code is highlighted. Each issue’s severity is indicated by the icon to the left of the description.

Reviewing issues

Problems reported by the analyzer exhibit the following code actions, found by selecting an issue in the PROBLEMS panel and clicking on its lightbulb (in either the PROBLEMS panel or on the lightbulb in the code editor).

SonarLint uses a lightbulb icon to help point out issues in your code.

Rule descriptions

Simply right-click an issue in the PROBLEMS panel, and choose SonarLint: Open description of rule ... to open the SonarLint Rule Description webview. Here you will find a brief explanation of the rule, along with a noncompliant and compliant code example.

For some SonarLint Rule Descriptions, you are able to visualize a diff view for the noncompliant and compliant code sample which should help you fix your issue.

SonarLint offers you examples of compliant and non-compliant code in the Rule Description tab.

Finding the same issue in other locations

If your issue exists in more than one location, a link will be shown via the lightbulb menu. Select an issue in the PROBLEMS panel and click on its lightbulb (in either the PROBLEMS panel or in the code editor) to open the Quick Fix menu. Selecting Show all locations for… opens the SONARLINT ISSUE LOCATIONS view panel to display the list of additional locations.

Ideally, the team wouldn't introduce any new issues (any new technical debt) when writing code. But in real life, it's not always possible to code without creating new technical debt, and sometimes it's just not worth it. 

To better control the way you see and manage issues, check out the VS Code documentation on Fixing Issues for quick ways to fix problems. Also, look at the article about running SonarLint in Connected Mode for details about integrating your analysis with your SonarQube or SonarCloud server.

© 2015-2023, SonarSource S.A, Switzerland. Except where otherwise noted, content in this space is licensed under the GNU Lesser General Public License, Version 3.0. SONARLINT is a trademark of SonarSource SA. All other trademarks and copyrights are the property of their respective owners. See SonarSource.com for everything you need to know about the Sonar Solution.
