
Injection vulnerabilities


Injection vulnerabilities (also called taint vulnerabilities) are a type of security-related issue raised by SonarQube Server and SonarQube Cloud. They describe a flow of untrusted input from the point where it enters the application (the source) to the point where it is used unsafely (the sink), which is why they are computed by a whole-project analysis rather than by a single-file one.

Due to technical limitations, SonarQube for IDE cannot raise injection vulnerabilities during local analysis. Instead, it pulls them from SonarQube Server or SonarQube Cloud after a project analysis has run there. Because the issues come from the server, Connected Mode is required.

Prerequisites

  • SonarQube for Visual Studio version 4.31 or higher.
  • The correct solution must be open in Visual Studio, and it must be bound in Connected Mode to SonarQube Cloud or to SonarQube Server version 9.9 or higher.

How to display injection vulnerabilities

When a solution bound in Connected Mode is open in Visual Studio, SonarQube for Visual Studio fetches the injection vulnerabilities from the configured server. If any exist, the SonarQube Taint Vulnerabilities tool window is displayed in a new tab next to the Error List:

SonarQube for Visual Studio displays taint vulnerabilities in a tool window next to the Visual Studio Error List.

The tool window will appear automatically if your server has any injection vulnerabilities in your project. If you are not in Connected Mode, or if your server has no injection vulnerabilities, the window will not appear.

When viewing an injection vulnerability in SonarQube Server or SonarQube Cloud, you can use the Open in IDE button to jump to the issue in SonarQube for Visual Studio. See the Opening issues in the IDE article for full details.

Taint Vulnerabilities list

The Taint Vulnerabilities list is filtered to show only the remote vulnerabilities found in the currently open code file. When a file containing issues is opened, the caption of the tool window updates to show the number of remote vulnerabilities found in that file:

The tool window caption shows how many remote vulnerabilities were found in the file.
The list of taint vulnerabilities shown by SonarQube for Visual Studio.

The header of the list shows information about the server analysis in which these issues were found:

The header notification displays where the issues were found in your code.

Investigating injection vulnerabilities

You can investigate a vulnerability by double-clicking it or pressing Enter. This takes you to the relevant code location and opens the SonarQube for Visual Studio Issue Visualization panel, which shows the flow from the untrusted source through each intermediate location to the sink.

Secondary issue locations reported by SonarQube Server or SonarQube Cloud are highlighted in the Visual Studio code editor.

If you do not see the Issue Visualization panel, click on Extensions > SonarQube for Visual Studio > SonarQube Issue Visualization. See the documentation on Investigating issues for more information.

Non-navigable code locations

Since injection vulnerabilities are fetched from your configured server, the code that was analyzed on the server may not match your local working copy, for example if you have changed code since the last analysis. In that case, locations that can no longer be matched to your local code are displayed with an indication that they are not navigable:

How a non-navigable code location looks in the code editor.

Manually re-opening SonarQube Taint Vulnerabilities tool window

If you close the tool window manually, it will no longer appear and disappear automatically when a solution is opened. You can show it again by clicking Extensions > SonarQube for Visual Studio > Connected Mode > View Taint Vulnerabilities.

You can manually reopen the SonarQube Taint Vulnerabilities tool window from the Visual Studio Extensions menu.

How to fix your injection vulnerabilities

Injection vulnerabilities are security-related issues raised only by SonarQube Server (starting with Developer Edition) and SonarQube Cloud. Due to technical limitations, SonarQube for IDE cannot raise them in local analysis.

Because detecting injection vulnerabilities requires Connected Mode, the status of each issue is owned by your SonarQube Server or SonarQube Cloud instance: editing the code locally does not, by itself, change what the IDE displays. There are two ways to resolve an injection vulnerability shown by SonarQube for IDE:

  • Fix the issue locally, commit and push the change, and run a new analysis on SonarQube Server or SonarQube Cloud. The new status of the issue is then synchronized to the IDE automatically.
  • Open the issue in SonarQube Server or SonarQube Cloud and mark it as fixed, false positive, or won't fix. The new status is reflected locally in less than 1 minute. Note that a false positive or won't fix resolution hides the finding for everyone working on the project, so reserve it for cases that have actually been reviewed.
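The following is an added example, not code from the SonarQube documentation or from SonarSource, showing the kind of source-to-sink flow that the Issue Visualization panel walks through and the fix that a new server analysis would pick up. The controller, route and method names, the use of ASP.NET Core MVC and System.Data.SqlClient, and the "name" parameter are all assumptions made for the illustration. SonarQube for Visual Studio will not flag the vulnerable method during local analysis; the issue appears in the Taint Vulnerabilities window only after SonarQube Server or SonarQube Cloud has analyzed the project.

```csharp
// Added example, not from the SonarQube documentation: a constructed
// source -> intermediate location -> sink flow of the kind reported as a
// taint vulnerability, alongside the parameterized version that removes it.
// Namespaces, class, route and method names are assumptions.
using System.Data;
using System.Data.SqlClient;
using Microsoft.AspNetCore.Mvc;

public class UserController : Controller
{
    private readonly string _connectionString;

    public UserController(string connectionString)
    {
        _connectionString = connectionString;
    }

    // Source: the "name" query-string parameter is attacker-controlled.
    // Server-side taint analysis follows it through BuildQuery (shown as a
    // secondary location in the IDE) into the SqlCommand sink below.
    [HttpGet("/users")]
    public IActionResult Vulnerable(string name)
    {
        string sql = BuildQuery(name);             // intermediate location
        using var conn = new SqlConnection(_connectionString);
        using var cmd = new SqlCommand(sql, conn); // sink: tainted SQL text
        conn.Open();
        return Ok(cmd.ExecuteScalar());
    }

    // Intermediate step that the flow visualization walks through.
    // A name such as  x' OR '1'='1  changes the meaning of the query.
    private static string BuildQuery(string name)
    {
        return "SELECT email FROM users WHERE name = '" + name + "'";
    }

    // Fixed version: the SQL text is constant and user input is bound as a
    // typed parameter, so the tainted value never reaches the query parser.
    [HttpGet("/users/safe")]
    public IActionResult Fixed(string name)
    {
        const string sql = "SELECT email FROM users WHERE name = @name";
        using var conn = new SqlConnection(_connectionString);
        using var cmd = new SqlCommand(sql, conn);
        cmd.Parameters.Add(new SqlParameter("@name", SqlDbType.NVarChar, 100)
        {
            Value = name ?? string.Empty
        });
        conn.Open();
        return Ok(cmd.ExecuteScalar());
    }
}
```

After replacing the string concatenation with the parameterized query, commit and push the change and trigger a new analysis on SonarQube Server or SonarQube Cloud; until that analysis completes, the Taint Vulnerabilities window keeps showing the old finding, and the locations that no longer match your edited file are marked as non-navigable.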


© 2008-2024 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARQUBE, and CLEAN AS YOU CODE are trademarks of SonarSource SA.

Creative Commons License