Install Free
VS Code | Using SonarLint | Investigating issues

Investigating issues

On this page

SonarLint can help developers by letting them perform local analyses to check their code before pushing it back to the SCM. While running an analysis, SonarLint raises an issue every time a piece of code breaks a coding rule.

Usually, a first analysis is performed as soon as one of the supported files is opened. Then, regular analyses are triggered when the editor content changes and/or when the file is saved. 

This page describes how to find and investigate issues in your IDE.

Defining issues

An Issue is a problem in your code that prevents it from being Clean Code. Issues found in code are linked to Clean Code attributes, and these attributes signify how your code will impact one or more software qualities. Software qualities determine the overall severity of an issue that feeds back into the overall status of your code when implementing a Clean as You Code methodology; please see the SonarQube or SonarCloud documentation for more about Clean as You Code.

Each issue is linked to one Clean Code attribute which is associated with one or more software qualities, each with a level of severity. Please check the Clean Code benefits page on software qualities for more information.

To communicate the code attributes, software qualities, and severity of issues found in your code, SonarLint displays them in the SonarLint Rule Description webview as described below.

Finding issues

For most issues, SonarLint provides information about why there is an issue and offers one or more actions to Fix your issue. Issues can be found in 3 places:

  1. In the VS Code Text Editor, identifiable by the classic squiggles underlining issues in the code.
  2. In the Tooltip, recommended action(s) can be found by clicking on the light bulb in the left margin of the code explorer view.
  3. In the PROBLEMS panel, select your issue to highlight the issue-causing code in the Editor. Right-clicking on the issue opens the same tooltip action as described above.

Security hotspots are found in the SONARLINT > SECURITY HOTSPOTS view panel. See the Security hotspots page for more details.

Injection vulnerabilities work a bit differently. At the Tooltip, select Show all locations to view the execution flow in the SONARLINT ISSUE LOCATIONS view container. See the Injection vulnerabilities page for more details.

Opening issues in the IDE

Understanding issues in context is a helpful way to address problems more effectively. Beginning in SonarQube 10.3 and on SonarCloud, it is possible to open all issues in your IDE, including taint vulnerabilities. Using the Open in IDE feature includes an automated Connected Mode setup to help with the process.

In your instance of SonarQube or on SonarCloud, navigate to your Project > Issues page, pull up an issue’s detail view and select the Open in IDE button as an authenticated user to edit the issue in your IDE. 

From SonarQube 10.3+ and on SonarCloud, select Open in IDE to open the issue in SonarLint.

It’s best if your project is already open in the appropriate IDE and bound to the server using Connected mode; if not, you will be prompted to set up a new connection and/or bind your project using the automatic Connected Mode setup feature. 

If you’ve already fixed the issue in your code, SonarLint will not be able to find it; only the matching code will be highlighted. In this case, check that recent changes have been analyzed by SonarQube or SonarCloud, then check the documentation on the SonarQube or SonarCloud Issues page for details about managing your issues on the server.

Please see the Connected Mode documentation to bind your project to an instance of SonarQube or SonarCloud. And if you have troubles with the automatic Connected Mode setup, we identified the most common errors for Troubleshooting Connected Mode setup.

Viewing AI-generated fix suggestions in the IDE

SonarQube and SonarCloud can create AI-generated fix suggestions for issues detected in your code. You can view the suggestions directly in your IDE by clicking View Fix in IDE from the Issues page in SonarQube or SonarCloud. 

The process is similar to clicking the Open in IDE button: it’s best to set up connected mode beforehand. Otherwise, you’ll be prompted to set up a new connection and/or bind your project using the automatic Connected Mode setup feature. 

Focusing on new code

Focusing on new code is an important part of the Clean as You Code approach, where you apply your effort and attention to submit clean code and avoid introducing new issues. SonarLint for VS Code allows you to focus on new code by filtering the issues shown in the IDE, as determined by your new code period.

The Focus on new code feature works when SonarLint is running in either Connected Mode or standalone mode. New code is defined differently in each mode as mentioned above. Please see the New code page to understand your options when using a New Code Definition.

Setting your focus on new code has these prerequisites running in Connected Mode:

  • Your local project must be bound to a SonarQube or SonarCloud project.
  • The new code definition must be defined in SonarQube or SonarCloud using a Previous version, Number of days, or Specific analysis
  • The Reference branch new code definition is not supported. Please check the documentation in SonarQube or on SonarCloud to properly set your new code definition.

When not running in Connected Mode, the SonarLint focus feature can still be used to highlight only issues found in new code.

Setting the SonarLint focus on new code is easy. To activate or deactivate this mode, select SonarLint focus: in the VS Code Status Bar, then press Enter or choose Focus on new code or Focus on overall code from the Command Palette. Additionally, you can select or deselect the SonarLint focus mode from the VS Code > Settings… > Settings > Extensions > SonarLint > User settings menu.

By default, the SonarLint focus is set to overall code when you set up a new connection and establish the project binding. 

The SonarLint views

The SonarLint view container

RULES

Sonar Rules can individually be turned on or off while running SonarLint in standalone mode. Simply go to SonarLint > RULES view in the VS Code Activity Bar and deactivate or activate rules at will. Each rule is clearly marked as on or off, and it's possible to filter the visible list by an ActiveAll, and Inactive status.

When your project is bound to SonarQube or SonarCloud using Connected Mode, the rule set is managed on the server side as defined by the quality profile. 

CONNECTED MODE

Here you can find your active connections and set up new connections if needed. Please see the Connected Mode page to learn about the Sonar solution. 

SECURITY HOTSPOTS

If you are in Connected Mode with SonarQube 9.9 or newer, you will see a list of security hotspots here. A list of security-related issues found in the active file will be displayed here; for a full list of issues, select the In Whole Folder feature. The complete details are described on the Security hotspots page.

SONARLINT ISSUE LOCATIONS

If your issue exists in more than one location, a link will be available in the code actions menu, accessed by right-clicking on the issue or behind the action lightbulb. The action lightbulb is found in both the Code Editor group and PROBLEMS panel as described below.

If your issue is an injection vulnerability, the security issue’s Flow will be shown here. Please see the documentation on Injection vulnerabilities for more information.

Editor Groups

Code Editor

In the VS Code code editor, colored waves (squiggles) underline Warning and Information issues. By default, Hint issues are marked by an ellipsis at the beginning of the line. Hovering over the squiggles will reveal code actions and more information about the issue.

SonarLint Rule Description 

The SonarLint Rule Description Editor Group will display a brief explanation of the rule, along with a noncompliant and compliant code example. Simply right-click an issue in the PROBLEMS panel, and choose SonarLint: Open description of rule ….

Panels

PROBLEMS

Ideally, the team wouldn't introduce any new issues (any new technical debt) when writing code. But in real life, it's not always possible to code without creating new technical debt, and sometimes it's just not worth it. 

Selecting issues from the PROBLEMS panel will jump you to the line of code in your file where the code is highlighted. Right-clicking on an issue will reveal fixes that are available for that issue.

Each issue’s severity is indicated by the icon to the left of the description. Selecting an issue or hovering over the severity icon is another way to reveal the Show fixes lightbulb.

OUTPUT

This panel contains the SonarLint logs. To view them in more detail and improve troubleshooting, you must enable the Show Verbose Logs and select the Show Analyzer Logs options in the Extensions settings. 

Please see the Troubleshooting page for complete details. 

SonarLint uses a lightbulb icon to help point out issues in your code.

To better control the way you see and manage issues, check out the VS Code documentation on Fixing Issues for quick ways to fix problems. Also, look at the article about running SonarLint in Connected Mode for details about integrating your local analysis with your SonarQube or SonarCloud analysis.


Was this page helpful?

© 2008-2024 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARQUBE, and CLEAN AS YOU CODE are trademarks of SonarSource SA.

Creative Commons License