VS Code | Getting started | Requirements

Requirements

Overview

SonarQube for VS Code needs a Java Runtime (JRE) 17+.

On the following platforms, SonarQube for VS Code comes with its own Java runtime:

Windows x86-64
Linux x86-64
macOS x86-64 (Intel Macs) and arm-64 (Apple Silicon Macs)

On other platforms and if a Java runtime is already installed on your computer, SonarQube for VS Code should automatically find and use it. Here is how SonarQube for VS Code will search for an installed JRE (in priority order):

the sonarlint.ls.javaHome variable in VS Code settings if set. For instance: { "sonarlint.ls.javaHome": "C:\Program Files\Java\jdk-17" }
embedded JRE for platform-specific installations
the value of the JDK_HOME environment variable if set
the value of the JAVA_HOME environment variable if set
on Windows the registry is queried
if a JRE is still not found then:
1. the PATH is scanned for javac
2. on macOS, the parent directory of javac is checked for a java_home binary. If that binary exists then it is executed and the result is used
3. the grandparent directory of javac is used. This is similar to $(dirname $(dirname $(readlink $(which javac))))

SonarQube for VS Code then uses the first JRE found in these steps to check its version.

If a suitable JRE cannot be found at those places, SonarQube for VS Code will ask for your permission to download and manage its own version.

Language-specific requirements

JS/TS/CSS analysis

To analyze JavaScript, TypeScript, or CSS code, SonarQube for VS Code requires Node.js executable. The minimal supported version is 18.18 for standalone analysis or in Connected mode with SonarQube Cloud. For connected mode with SonarQube Server and SonarQube Community Build, it depends on the version of the JS/TS analyzer on your SonarQube Server or SonarQube Community Build. SonarQube for VS Code will attempt to automatically locate the node, or you can force the location using:

    {
        "sonarlint.pathToNodeExecutable": "/home/yourname/.nvm/versions/node/v18.18/bin/node"
    }

Analysis of TypeScript in connected mode with SonarQube Server or SonarQube Community Build requires the server to use version 8.1 or above.

C and C++ analysis-specific requirements

To analyze C and C++ code, SonarQube for VS Code requires that you define a path to your compile commands json file:

{
        "sonarlint.pathToCompileCommands": "/home/yourname/repos/proj/compile_commands.json"
    }

Search for Path To Compile Commands in the VS Code Settings (or go to VS Code > Settings > Settings > Extensions > SonarLint > User and scroll to the entry); then enter the full path to your active compilation database:

SonarLint needs to know where your C and C++ code is being compiled to in order to complete the analysis.

Note: if you are using Microsoft Visual C++ compiler, the environment should be ready to build the code. For example, by launching VS Code from your Visual Studio Command Prompt.

More information about supported environments and troubleshooting C & C++ analysis can be found on the Running an analysis page.

COBOL analysis

COBOL analysis is a feature available in SonarQube for VS Code v3.19+ when running in Connected mode with SonarQube Server Enterprise Edition+ or SonarQube Cloud. In addition, the VS Code Language Mode must be set to COBOL independent of your file type. If your extension doesn't set the language automatically, please see the VS Code documentation to learn how to manually change the language for the selected file.

By default, SonarQube for VS Code takes the analysis configuration from the SonarQube Server or SonarQube Cloud server, therefore, it is required that your project has already been analyzed by SonarQube Server or SonarQube Cloud. The following COBOL analyzer properties are synced by default unless previously overridden locally. Note that all properties found on the server will be synced locally, not just this selection:

sonar.cobol.dialect
sonar.cobol.file.suffixes
sonar.cobol.sourceFormat
sonar.cobol.copy.suffixes
sonar.cobol.copy.directories

In case copybooks are in different location locally, the analyzer property sonar.cobol.copy.directories should be defined in the /project/.vscode/settings.json file.

If working with COBOL files via Zowe explorer, it is recommended to update your Zowe workspace settings in VS Code by modifying the temporary file location; temporary files should be saved to your project folder which is bound to SonarQube Server or SonarQube Cloud. With the correct configuration, the analysis will be executed normally and you should see detected problems.

C# analysis

C# analysis is available in SonarQube for VS Code v4.0+. More information will be found in the C# configuration collapsible below:

C# configuration

When available, SonarQube for VS Code will reuse your existing C# extension settings in the workspace. Namely, these parameters:

omnisharp.useModernNet
omnisharp.enableMsBuildLoadProjectsOnDemand
omnisharp.projectLoadTimeout
dotnet.defaultSolution

SonarQube for VS Code targets the modern .NET versions which can be adjusted in your workspace settings: VS Code > Settings > Settings > User > C#.

The default values as laid out in the Advanced configuration section below can be modified if they do not match your configuration.

C# Advanced configuration

To edit these properties, go to C# Extension settings and modify the respective values.

omnisharp.useModernNet

Default value: true
Description: Use the modern Net 6 build of OmniSharp. If you are working with a Mono solution on Linux/Unix, or with an old NET Framework solution on Windows (< 4), set it to false.

omnisharp.enableMsBuildLoadProjectsOnDemand

Default value: false
Description: By default, all of the projects of the solution will be loaded; this will ensure maximum (rules) accuracy. For very big solutions that take too long to load, change this to true.

dotnet.defaultSolution

Default value: automatically detected
Description: The path of the solution that will be used for analysis.

omnisharp.projectLoadTimeout

Default value: 60
Description: Maximum waiting time (in seconds) for OmniSharp to load all projects (not relevant if sonar.cs.internal.loadProjectsOnDemand is set to true).

Infrastructure as Code

SonarQube for VS Code 3.17+ supports analysis of Infrastructure as Code (IaC) to help you secure your deployments. See the Sonar Rules pages as linked below for complete details:

Java analysis

To enable the support for Java analysis, you need the Language support for Java VSCode extension (version 0.56.0 or higher). You also need to be in standard mode.

Apex analysis

The support for Apex analysis is only available together with SonarQube Server Enterprise Edition or SonarQube Cloud when running in connected mode. You will also need the Salesforce Extension Pack VS Code extension.

PL/SQL analysis

The support for PL/SQL analysis is only available together with Commercial Editions of SonarQube Server or with SonarQube Cloud when running in Connected mode. You also need the Oracle Developer Tools for VSCode VS Code extension.

Python

Jupyter Notebooks in VS Code

SonarQube for VS Code v3.16+ supports analysis of Python code inside Jupyter notebooks. When opening an .ipynb file, SonarQube Server, or SonarQube Community Build analyze the Python code and Python cells inside your Jupyter Notebooks.

There is nothing special to do to run a SonarQube for IDE analysis; simply open a Jupyter Notebook file. As with any Jupyter Notebook, you must set up your VS Code environment to run a project. The usual Quick Fix and issue investigation options you are accustomed to are available.

Managing rules

IPython Notebooks is a new rules category in the SonarQube for IDE explorer. Go to RULES > IPython Notebooks in the SONARQUBE view container to enable/disable rules, just as you would any rule for other languages.

The following rules have been disabled by default for Jupyter documents because they tend to be noisy in the notebook environment:

ipython:S905, ipython:S1481, ipython:S2201, ipython:S5754

Connected mode

Connected mode will be ignored when working with Jupyter Notebooks. You will only have local analysis; this is because analysis of Jupyter Notebooks is not yet supported by SonarQube (Server, Cloud) or SonarQube Community Build.

Magic commands

All Magic commands are ignored by SonarQube for VS Code (for example, %matplotlib inline and %%timeit). When a line magic command is found, that line will be ignored. Similarly, when a cell magic command is found, the entire cell will be ignored. The next image below shows a normal Jupyter cell; the second image illustrates the same cell with a cell magic command. Note how SonarQube for VS Code ignores issues in the cell with the magic command.

T-SQL

T-SQL analysis is available running with connected mode with Commercial Editions of SonarQube Server, or with SonarQube Cloud.

Some configuration may be required on the server side; please see the SonarQube Server and SonarQube Cloud documentation pages about T-SQL analysis for complete details.

Injection vulnerabilities

Security vulnerabilities requiring taint engine analysis (injection vulnerabilities) are only available in connected mode because SonarQube for VS Code pulls them from SonarQube Server or SonarQube Cloud following a project analysis.

To browse injection vulnerabilities in SonarQube for VSCode, establish Connected mode with your SonarQube Server or SonarQube Cloud instance. Once a Project Binding is configured, SonarQube for IDE will synchronize with the SonarQube Server or SonarQube Cloud server to report the detected injection vulnerabilities.

More information about security-related rules is available in the SonarQube Server or SonarQube Cloud documentation.

Was this page helpful?

Requirements

On this page

.css-4ebt6d{position:relative;--tw-text-opacity:1;color:rgb(0 0 0 / var(--tw-text-opacity));}Overview.css-abpesc{width:2rem;display:none;margin-left:0.5rem;fill:#5F656D;}.css-abpesc:hover{fill:#290042;}

Overview