Rules and languages
The Sonar Rules catalog is the entry point where you can discover all the existing rules. While running an analysis, SonarQube for IDE raises an issue every time a piece of code breaks a coding rule.
Issues in your code are linked to Clean Code code attributes. When an issue is detected, it signifies that this part of your code is not consistent, intentional, adaptable, or responsible enough and that it impacts one or multiple software qualities.
For more information about Clean Code attributes and software qualities, check out the Clean Code introduction page.
Overview
SonarQube for IDE provides analysis for several languages. Support for your language may vary depending on the SonarQube for IDE version you're running.
The table below lists the supported language and language versions. For each language version, the level of support is defined as follows:
- Fully supported: Analysis will complete. All the language features are understood and examined.
- Not supported: Analysis might break, there is no guarantee it will complete.
- Supported: Everything between fully supported and not supported.
For language-specific properties, refer to the relevant language page in SonarQube Server and SonarQube Cloud directly, as the same Sonar language analyzers are used by SonarQube for IDE.
Supported out of the box: SonarQube for IDE automatically checks your code in these languages and formats.
Connected Mode required: Running in Connected Mode with SonarQube (Server, Cloud) unlocks analysis for these languages and formats.
Language | Supported version | |
---|---|---|
Abap rules | - | |
Apex rules | - | |
C rules | C89, C99, C11, C17: fully supported C23: supported GNU extensions: supported See below for additional requirements. | |
C++ rules | C++20, C++23: supported C++03, C++11, C++14, C++17: fully supported GNU extensions: supported See below for additional requirements. | |
COBOL rules | See below for additional requirements. | |
CSS rules | - | |
HTML rules | - | |
Java rules | Java LTS versions 8 to 21, and all intermediate versions: Fully supported. See below for additional requirements. | |
JavaScript rules | ECMAScript 2022 and all previous versions: supported | |
JCL rules | - | |
Kotlin rules | 1.3 to 1.9 supported | |
PHP rules | 5.x, 7.x, and 8.3: fully supported | |
PL/I rules | - | |
PL/SQL rules | - | |
Python rules | 2.7: supported 3.0 to 3.12: fully supported | |
RPG rules | - | |
Ruby rules | 3.0 to 3.2 supported | |
Scala rules | - | |
Secrets detection rules | - | |
T-SQL rules | - | |
TypeScript rules | TypeScript 5.6 and all previous versions: supported | |
XML rules | - |
The full list of available rules is visible in the Rules Configuration preferences tab found by navigating the UI to Window > Preferences > SonarLint (or Eclipse > Settings… > SonarLint for Mac OS) for access to Rules Configuration. Here you can activate and deactivate rules to match your conventions. SonarLint will also show a code action on each issue to quickly deactivate the corresponding rule.
For more details about languages and new features under consideration for all versions of SonarQube for IDE (including Eclipse), please refer to the SonarQube for IDE roadmap where we list our coming soon and newly released features.
Rule selection
Sonar Rules can individually be turned on or off while running SonarQube for IDE in standalone mode; there are two ways to do this:
- Right-click on the issue and select the Remove rule quick fix in the tooltip.
- Activate and deactivate rules one by one in the SonarLint Preferences > SonarLint > Rules Configuration menu. A full list of rules organized by language is available.
When your project is bound to SonarQube (Server, Cloud) using Connected Mode, the rule set is managed on the server side as defined by the quality profile.
When a project is bound to a SonarQube (Server, Cloud), the configuration in this UI location is ignored. In this case, the rules configuration from the server applies. For more information, see the SonarQube Server and SonarQube Cloud documentation about quality profiles.
Applying rules while in Connected Mode
Connected Mode syncs your SonarQube (Qube, Cloud) Quality Profile with the local analysis to suppress issues reported in the IDE. See the Connected Mode documentation for more information.
Language-specific requirements
C and C++ analysis
The use of Connected Mode with SonarCloud or a SonarQube commercial edition is required to analyze C and C++ code in SonarLint for Eclipse. In addition, SonarLint requires a C/C++ Development Tool (CDT); you can check the Eclipse Embedded CDT documentation for more details.
COBOL
COBOL analysis requires a COBOL IDE based on the Eclipse platform such as the IBM IDz or BMC IDEs. Note that recent versions of SonarLint and our analyzers require a JRE 11+ in order to run, and IBM IDz only supports JRE 11 starting from version 16.
- Check the IBM documentation for more information about SonarLint integration with Developer for z Systems.
- Some additional information is available for setting up a SonarLint with your BMC Compuware Topaz Workbench.
Java and JSP
Analysis of Java code requires the Eclipse sub-project Java development tools (JDT). This includes a Java compiler, incremental builder, editors, wizards, content assist, and all the other features of a first-class Java IDE.
Other rule types
DBD rules
Dataflow bugs are what Sonar calls a series of advanced Python and Java bugs using symbolic execution. This type of issue can cause runtime errors and crashes in Python and Java. If you want to learn more, check out our blog post for a good explanation with an example.
Dataflow Bug Detection (DBD) rules for Python and Java are supported in Commercial Editions of SonarQube Server and by SonarQube Cloud. At this time, SonarQube for Eclipse supports DBD detection for Java and Python when running in Connected Mode with SonarQube Server Active versions or SonarQube Cloud.
Injection vulnerabilities
Security vulnerabilities requiring taint engine analysis (injection vulnerabilities) are only available in Connected Mode because SonarQube for IDE pulls them from SonarQube (Qube, Cloud) following a project analysis.
To browse injection vulnerabilities in SonarQube for Eclipse, configure Connected Mode with your SonarQube Server Developer Edition (and above) or SonarQube Cloud instance. Once a Project Binding is configured, SonarQube for IDE will synchronize with the SonarQube (Qube, Cloud) to report the detected injection vulnerabilities.
More information about security-related rules is available in the SonarQube Server or SonarQube Cloud documentation.
Security hotspots
SonarQube for Eclipse does not detect security hotspots on its own, and does not report them hotspots found by SonarQube Cloud. However, SonarQube's Open in IDE feature will open one hotspot at a time in Eclipse and show them in the Security Hotspot view window.
Please see the SonarQube for IDE documentation on Security hotspots for more details, and the Investigating issues page to learn how the Open in IDE feature works.
Secrets detection
Secrets are pieces of user-specific or system-level credentials that should be protected and accessible to legitimate users only. SonarLint detects exposed Secrets in your source code and language-agnostic config files. When running in Connected Mode, the SonarQube (Server, Cloud) Quality Profiles are applied to locally detected Secrets.
Was this page helpful?