Due to technical limitations, SonarLint can not raise taint issues on local analysis and instead pulls taint issues from SonarQube or SonarCloud following a project analysis. Because SonarLint must pull taint vulnerability issues from SonarQube or SonarCloud, the use of Connected Mode is required.
- You must bind your project to an instance of SonarQube Developer Edition (or higher) 8.9+ or to SonarCloud.
- For this feature to be valuable, your project needs to be analyzed frequently (ideally by your CI server when pushing new code).
- When running in Connected Mode with SonarCloud, you must work with long-lived branches. Issues on short-lived branches are not synchronized; SonarQube does not distinguish between long- and short-lived branches.
- Bind your project to SonarQube or SonarCloud.
- In the standard VS Code Panel below the editor region, select the PROBLEMS panel.
- Along with regular issues, the PROBLEMS panel should display the list of taint vulnerabilities that are present in the bound folder. SonarLint displays taint vulnerabilities for the entire project.
Taint vulnerabilities are security-related rule issues that are only raised by SonarQube (starting with Developer Edition) and SonarCloud. Due to technical limitations, SonarLint can not raise such issues on local analysis.
Because the detection of taint issues requires that you are run in Connected Mode, any changes you make to the code must be resolved by your SonarQube or SonarCloud instance. Here are two options to resolve taint issues displayed by SonarLint:
- If you fix the issue locally, commit your code to the server and rerun the analysis on SonarQube or SonarCloud. The new status (of the issue) will show up automatically in your local analysis.
- If you go to the issue in SonarQube or SonarCloud and mark it as fixed, false positive, or won’t fix, in less than 1 minute, the new status will be updated locally.
© 2015-2023, SonarSource S.A, Switzerland. Except where otherwise noted, content in this space is licensed under the GNU Lesser General Public License, Version 3.0. SONARLINT is a trademark of SonarSource SA. All other trademarks and copyrights are the property of their respective owners. See SonarSource.com for everything you need to know about the Sonar Solution.