Security hotspots

A security hotspot highlights a security-sensitive piece of code that the developer needs to review. Upon review, you'll either find there is no threat or you need to apply a fix to secure the code. For more information about Security Hotspots, take a look at the SonarQube and SonarCloud documentation.

Hotspot analysis

In SonarLint for VS Code, local detection of Security hotspots is enabled if you are using Connected Mode with a project on SonarQube 9.7 or above; from version 3.18+ Security hotspots are also found when bound to a project in SonarCloud. ​​These issue types are shown under the SECURITY HOTSPOTS view located in the SonarLint View Container and are grouped by file.

Reviewing hotspots

First, open a file while your project is running in Connected Mode with SonarQube 9.7+ or SonarCloud. SonarLint will automatically run an analysis to look for Security hotspots and then compares local results against those found on the SonarQube or SonarCloud server. The Security hotspot results will be automatically grouped by file and labeled as Newly detected or Already known.

Selecting an issue in either category highlights the code in the explorer window. It is possible to change the vulnerability status in SonarLint, or on the SonarQube or SonarCloud server. See the Fixing hotspots article below for more information.

Newly detected hotspots

Newly detected security hotspots are those found during the analysis and exist only locally. Newly detected hotspots can be fixed by modifying your code or by submitting your code to trigger a new analysis on the server where you can mark it as Fixed or Safe on the server.

Right-clicking on a Newly detected hotspot reveals 2 options to select:

• Clear Highlighting to remove the highlight over your code in the explorer window.
• Show Rule Description to open the rule in the SonarLint view window.

Already known hotspots

Once the security hotspot analysis is complete, SonarLint will compare the local results against those found on the server and sort them accordingly. Already known security hotspots are those that exist locally and in SonarQube or SonarCloud. Already known hotspots can be fixed by modifying your code in the IDE, or you can mark it as Fixed or Safe on the server.

Right-clicking on an Already known hotspot gives you these 3 options to select:

• Change Status to modify the status of a known hotspot.
• Clear Highlighting to remove the highlight over your code in the explorer window.
• Review on Server to open the hotspot in SonarQube where you can mark it as Fixed or Safe.
• Show Hotspot Details will open the details view and provide information about the rule and the current status of the hotspot.

Reporting security hotspots In the Whole Folder

By default, SonarLint will search for Security Hotspots only in open files each time an analysis is triggered; the use of Connected Mode is required. To activate an analysis for security hotspots in your entire project, select In Whole Folder from the SONARLINT SECURITY HOTSPOTS view container.

When selecting In Whole Folder, a scan of your entire project will be made. Switching back to In Open Files will filter the results to files open in the code editor. Each time you select In Whole Folder, a new analysis will be triggered on the entire project.

Using the In Whole Folder feature may consume excessive resources depending on the size of your project. If your project is too large, a notice will appear to confirm the action. Therefore, it is recommended that users define a set of file exclusions when analyzing large projects with the In Whole Folder feature. Because SonarLint exclusions are ignored when running in Connected Mode, file exclusions must be defined in SonarQube or SonarCloud.

However, SonarLint will deploy these file exclusions automatically:

• File extension: SonarLint knows the primary language of your project and will restrict the scope of analysis to files matching that set of extensions.
• File size: Files larger than 0.5 Mb will be ignored…
• .gitignore: Exclusions added to your .gitignore file will be excluded.

Defining file exclusions

Because SonarLint exclusions are ignored when running in Connected Mode, file exclusions must be defined in SonarQube or SonarCloud.

Using wildcards

Check the SonarQube or SonarCloud documentation about defining your analysis scope to see examples using wildcard patterns for file exclusion. Note that SonarLint does not consider test file patterns for exclusion; you should follow the VS Code guidelines above to define your exclusions for large projects.

Fixing hotspots

How you fix a security hotspot depends on your assessment of the risk. Check the Rule description and the How can I fix it? tab to find recommended secure coding practices and compliant solutions (when available). More information can be found in the SonarQube and SonarCloud documentation.

Once you determine the risk, you can either update your code locally, or if the hotspot matches one found on the server, change the hotspot’s review status in the IDE from To Review to Fixed, or Safe. Prerequisites to change the review status in the IDE are:

• The security hotspot detected locally is already known by SonarQube or SonarCloud.
• You are granted the Administer Security Hotspot permission level by a project administrator.

Simply right-click the hotspot in the SECURITY HOTSPOTS view to select Change Status; from there, a wizard will open to help you mark it as To review, Fixed, or Safe from the IDE. Next time your project binding syncs with the server, your status update will be reflected in SonarQube or SonarCloud.