
Security hotspots

A security hotspot highlights a security-sensitive piece of code that the developer needs to review. Upon review, you'll either find there is no threat or you need to apply a fix to secure the code. For more information about Security Hotspots, take a look at the SonarQube Server and SonarQube Cloud documentation.

Hotspot analysis

From SonarQube for Visual Studio version 7.1, hotspots can be detected and reported locally for the C, C++, and JS/TS languages. This requires running SonarQube for Visual Studio in connected mode, bound to a project in SonarQube 9.7+ or to a project in SonarCloud.

Note that SonarQube for Visual Studio has reported security hotspots since version 4.29, but only when running in connected mode with SonarQube Server 9.9+.

Improvements with v7.1 include the local detection of security hotspots and the option to report hotspots found by SonarQube Cloud. When running in Connected Mode with SonarQube or SonarCloud, security hotspot analysis rules for the applicable languages will be run each time a local analysis is triggered.

Newly detected Hotspots

Locally found hotspots are highlighted in the editor with the characteristic SonarQube for Visual Studio squiggles. In addition, all locally found hotspots are listed in the new Local Security Hotspots tool window, which opens and closes automatically depending on whether there is a local hotspot to report. Selecting the rule key of a hotspot in the SonarQube Local Security Hotspots tool window opens the SonarQube Rule Help window, where you can review the descriptive and educational content associated with the hotspot.

Already known hotspots

Hotspots already detected by SonarQube (Server or Cloud) or by SonarQube Community Build are shown in the SonarQube Server Security Hotspot tool window. Newly detected hotspots that match already known hotspots marked as Fixed or Safe on the server are not shown.

Note that previous behaviors of already known hotspots, such as SonarQube’s Open in IDE feature, remain unchanged; only the name of the tool window is updated in SonarLint v7.1.

Open in IDE from SonarQube

SonarQube for Visual Studio provides a way to investigate Security hotspots found on SonarQube Server. This is an integration feature: when viewing a hotspot on SonarQube Server, you will notice a button named Open in IDE; selecting that button while Visual Studio is running will open the hotspot's code file in the IDE.

See the Opening issues in the IDE article to see how it looks in SonarQube Server. Unfortunately, the SonarCloud Open in IDE feature is not available for security hotspots at this time.

Feature requirements

  • SonarQube Server version 9.9 or higher.
  • SonarQube for Visual Studio version 4.29 or higher.
  • The correct solution must be open in Visual Studio and it must be running in Connected mode. SonarQube Server will not open Visual Studio if it is closed.

Feature overview

When SonarQube for Visual Studio receives an Open in IDE request from the browser, it first verifies that the correct solution is open in connected mode. If not, a gold bar is displayed and additional information is logged in the Output Window:

SonarLint will give you a gold bar to explain what went wrong with the Open in IDE request.
The error output will give you more information about the failure related to the hotspot.

If the correct solution is open and the hotspot's code location can be found in the solution, SonarQube for Visual Studio opens the file and navigates to the relevant code. In addition, the hotspot is added to the SonarQube Local Security Hotspots tool window, where you will find additional information:

SonarLint will give you more information about the hotspot in the Security Hotspots tool window.

However, the code on SonarQube Server may not match your local code version: for example, if code changes have been made since the last analysis, or if the relevant code project is not included in the solution, SonarQube for Visual Studio cannot find what does not exist locally. In this case it will not be able to locate the hotspot, and the hotspot is added to the SonarQube Server Security Hotspots list with an indication that it is not navigable:

The error reads that SonarLint "Cannot navigate to location. The source code is different from the analyzed version."

Security Hotspots list functionality

Once a hotspot has been added to the list, you can navigate to it with a double-click or the Enter key. To remove a hotspot from the list, use the right-click context menu or the Del key. This only removes the hotspot from the list; it has no effect on the hotspot in your instance of SonarQube Server.

Removing a hotspot from the Security Hotspots list will not remove it from the SonarQube or SonarCloud server.

Implementation notes

When Visual Studio starts, SonarQube for Visual Studio begins listening in the background for Open in IDE requests originating from your local browser. This listener requires few resources, should not noticeably affect your machine's performance or memory consumption, and should not interfere with your work. SonarQube for Visual Studio tries to find an available port in the range 64120-64130 inclusive. Information about the port selection is logged in the SonarQube for Visual Studio pane of the Output Window. If no port can be found, Open in IDE requests are not handled. The port range is not configurable.


© 2008-2024 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARQUBE, and CLEAN AS YOU CODE are trademarks of SonarSource SA.