Install Free
Eclipse | Using SonarLint | Injection vulnerabilities

Injection vulnerabilities

On this page

Injection vulnerabilities are a type of security-related rules, that can be raised by both SonarQube Server and SonarQube Cloud

Due to technical limitations, SonarQube for IDE can not raise injection vulnerabilities on local analysis and instead pulls them from SonarQube (Server, Cloud) following a project analysis. Because SonarLint must pull injection vulnerabilities from SonarQube Server or SonarQube Cloud, the use of connected mode is required.

Prerequisites

  • You need to bind to SonarQube Cloud or SonarQube Server Developer Edition (or higher) 8.6+
  • For this feature to be valuable, your project needs to be analyzed frequently (ideally by your CI server when pushing new code)
  • Only issues detected on open files will be displayed in the IDE
  • When running in Connected Mode with SonarQube Cloud, you must work with long-lived branches. Issues on short-lived branches are not synchronized; SonarQube Server does not distinguish between long- and short-lived branches. 

How to display injection vulnerabilities

  1. Bind your project to SonarQube (Server, Cloud) using Connected Mode.
  2. If the SonarLint Taint Vulnerabilities view is not already open, go to Eclipse Window > Show View > Other... > SonarLint > SonarLint Taint Vulnerabilities
  3. The view should display the list of injection vulnerabilities that are present on open files.

How to fix your injection vulnerabilities

Injection vulnerabilities are security-related rule issues that are only raised by SonarQube Server (starting with Developer Edition) and SonarQube Cloud. Due to technical limitations, SonarQube for IDE can not raise such issues on local analysis. 

Because the detection of injection vulnerabilities requires that you are run in Connected Mode, any changes you make to the code must be resolved by your SonarQube (Server, Cloud) instance. Here are two options to resolve injection vulnerabilities displayed by SonarQube for IDE:

  • If you fix the issue locally, commit your code to the server and rerun the analysis on SonarQube (Server, Cloud). The new status (of the issue) will show up automatically in your local analysis.
  • If you go to the issue in SonarQube (Server, Cloud) and mark it as fixed, false positive, or won’t fix, in less than 1 minute, the new status will be updated locally.

In SonarQube for Eclipse 9.0+ connected to SonarQube Server 10.2+, it is possible to mark injection vulnerabilities as fixed, false positive, or won’t fix from the IDE. Please see the Marking issues article to learn more about Fixing issues in the IDE.


Was this page helpful?

© 2008-2024 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARQUBE, and CLEAN AS YOU CODE are trademarks of SonarSource SA.

Creative Commons License