# Fixing issues

Whether your issue is about *a potential security problem*, considered to be *a bad coding practice*, or *a more serious logic error*, fixing issues usually involves changes to the code. SonarQube for IDE’s issue messages contain useful information about how to fix the potential problem and include a rule description so that you can learn more about why the issue is reported.

SonarQube for Visual Studio offers multiple ways to investigate and fix problems in your code. Issues are usually presented in multiple locations and you can typically hover and/or click or right-click over these markers to open a tooltip that reveals your options. See the [investigating-issues](https://docs.sonarsource.com/sonarqube-for-visual-studio/using/investigating-issues "mention") page for more information about finding and identifying your issues.

### Rule selection <a href="#rule-selection" id="rule-selection"></a>

Issues are reported when your code violates one or more of Sonar's rules. When running SonarQube for Visual Studio in standalone mode (i.e., when you're *not in connected mode*), it's possible to locally manage which rules are used to find issues in your code. See the [#using-sonar-rules](https://docs.sonarsource.com/sonarqube-for-visual-studio/rules#using-sonar-rules "mention") article to learn what's possible.

If you simply want to toggle a rule, jump straight to the [#edit-rules](https://docs.sonarsource.com/sonarqube-for-visual-studio/rules#edit-rules "mention") article to learn how to turn Sonar rules on or off in your IDE.

{% hint style="info" %}
When a project is bound to SonarQube (Server, Cloud) or SonarQube Community Build, the `settings.json` file is ignored. In this case, the rules configuration from the server applies. For more information, see the server documentation about quality profiles to edit rules:

* [Managing quality profiles](https://app.gitbook.com/s/B4UT2GNiZKjtxFtcFAL7/standards/managing-quality-profiles "mention") in SonarQube Cloud
* [Managing quality profiles](https://app.gitbook.com/s/LWhbesChsC4Yd1BbhHhS/quality-standards-administration/managing-quality-profiles "mention") in SonarQube Server
{% endhint %}

## Quick fixes <a href="#quick-fixes" id="quick-fixes"></a>

When a file is open and contains issues that have quick fixes, a lightbulb appears on the line of each such issue.

<div align="left"><figure><img src="https://1613591589-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F5CSDwdOaYoOAGYNiRqgl%2Fuploads%2Fwy5mFJ0IYBLQ2M2uUbeD%2Fsq-visual-studio-quick-fix-lightbulb.png?alt=media&#x26;token=8827bc40-70f3-415d-ac14-f4ae84ed79b5" alt="The appearance of a lightbulb will let you know that SonarQube for Visual Studio found an issue." width="563"><figcaption></figcaption></figure></div>

If the lightbulb is clicked, a menu with possible quick fixes will be opened.

<div align="left"><figure><img src="https://1613591589-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F5CSDwdOaYoOAGYNiRqgl%2Fuploads%2FRMvCKBVxV6ZsPTnstQSA%2Fsq-visual-studio-show-possible-quick-fixes.png?alt=media&#x26;token=dff16980-0567-4a45-abcf-6fce934a8b29" alt="The SonarQube for Visual Studio quick fix menu will pop up when you click on the lightbulb." width="563"><figcaption></figcaption></figure></div>

If one of the quick fixes is selected, the fix will be applied automatically to your code.

### Quick fixes in Report View <a href="#quick-fixes-in-report-view" id="quick-fixes-in-report-view"></a>

Quick fixes available in the editor are also available from the **SonarQube Report** tool window. Navigate to **Extensions** > **SonarQube** > **View SonarQube Report** and right-click an issue to see your options. Select **Fix: *YourQuickFix*** to apply.

File-level issues, such as *Track lack of copyright and license headers* (`csharpsquid:S1451`), are not available in the editor, but their quick fixes can be applied from the **SonarQube Report** tool window.

The quick fix menu also includes the option to generate a pragma suppression for C# issues. See the [Generating a pragma suppression](#generating-a-pragma-suppression) section below for the full details.

### Known limitations for quick fixes <a href="#known-limitations-for-quick-fixes" id="known-limitations-for-quick-fixes"></a>

* Quick fixes for the whole line are always shown [#2878](https://github.com/SonarSource/sonarlint-visualstudio/issues/2878). To be explicit, the user is always shown quick fixes for *all issues on the current line*, rather than just for the *current issue*.
* When an edit elsewhere invalidates an issue, quick fixes remain visible on the invalidated issue until a new analysis is run. When a new analysis is triggered (see [running-an-analysis](https://docs.sonarsource.com/sonarqube-for-visual-studio/getting-started/running-an-analysis "mention")) and the issue (with its subsequent quick fix) no longer exists, there is no quick fix to offer.

## AI CodeFix in your IDE <a href="#ai-codefix" id="ai-codefix"></a>

When using the AI CodeFix feature in SonarQube (Server, Cloud) while in connected mode, you can use **View Fix in IDE** to generate a diff view in the IDE, which provides an opportunity to accept or reject the suggestion before committing the change. Please see the AI Capabilities pages in SonarQube (Server, Cloud) for more details:

* [AI capabilities](https://app.gitbook.com/s/LWhbesChsC4Yd1BbhHhS/ai-capabilities "mention") in SonarQube Server
* [AI capabilities](https://app.gitbook.com/s/B4UT2GNiZKjtxFtcFAL7/ai-capabilities "mention") in SonarQube Cloud

## Fixing injection vulnerabilities <a href="#fixing-taint-vulnerabilities" id="fixing-taint-vulnerabilities"></a>

Please see the documentation about [taint-vulnerabilities](https://docs.sonarsource.com/sonarqube-for-visual-studio/using/taint-vulnerabilities "mention") for more information about working with these particular security issues.

## Marking issues <a href="#marking-issues" id="marking-issues"></a>

In SonarQube for Visual Studio 7.5+ running in [connected-mode](https://docs.sonarsource.com/sonarqube-for-visual-studio/connect-your-ide/connected-mode "mention") with SonarQube (Server, Cloud) or SonarQube Community Build, it is possible to mark issues as **Won’t Fix** or **False Positive** from the IDE.

{% hint style="info" %}
When running in connected mode with SonarQube Server 10.4 or newer, **Won’t Fix** becomes **Accept**.
{% endhint %}

Select a SonarQube for Visual Studio issue in the **Error** window, right-click, and select **Mark Issue as…** from the list of actions.

Marking an issue can be applied only to *known issues*, issues found by SonarQube for Visual Studio that match those found on SonarQube (Server, Cloud) or SonarQube Community Build. Marks made on known issues will be reflected on the SonarQube (Server, Cloud) or SonarQube Community Build server within a few minutes.

At this time, it is not possible to unmark, or reopen an issue in SonarQube for Visual Studio. All issues must be reopened in SonarQube (Server, Cloud) or SonarQube Community Build, and will again show in SonarQube for Visual Studio after the next server synchronization. Please see the server articles about an issue's life cycle for details:

* The [life-cycle](https://app.gitbook.com/s/LWhbesChsC4Yd1BbhHhS/user-guide/issues/solution-overview#life-cycle "mention") in SonarQube Server
* The [life-cycle](https://app.gitbook.com/s/B4UT2GNiZKjtxFtcFAL7/discovering-sonarcloud/analysis-process-overview/analysis-process#life-cycle "mention") in SonarQube Cloud
* The [Issue management solution #Issue life cycle](https://app.gitbook.com/s/bqrfLGeD0Y9vE5l9Le42/user-guide/issues/solution-overview#life-cycle "mention") in SonarQube Community Build

### Requirements for marking issues <a href="#requirements-for-marking-issues" id="requirements-for-marking-issues"></a>

* SonarQube for Visual Studio 7.5.
* Running in connected mode with SonarQube (Server, Cloud) or SonarQube Community Build.
* In SonarQube Server, or SonarQube Community Build, the Administer Issues permission must be granted to the user(s).

Marking issues is not supported for [security-hotspots](https://docs.sonarsource.com/sonarqube-for-visual-studio/using/security-hotspots "mention") or [taint-vulnerabilities](https://docs.sonarsource.com/sonarqube-for-visual-studio/using/taint-vulnerabilities "mention"). Please see the dedicated pages for fixing each of those issue types.

{% hint style="info" %}
C# and VB.NET issues marked in SonarQube for Visual Studio do not show up in SonarQube (Server, Cloud) or SonarQube Community Build as marked until a new Roslyn analysis is run. When the next Roslyn analysis is triggered, SonarQube for Visual Studio communicates with the server and removes the issue locally from the **Error** window.
{% endhint %}

## Suppressing issues

When you need to silence an issue, we recommend starting with your issue status in SonarQube (Server, Cloud) whenever your project is configured in [Connected mode](https://docs.sonarsource.com/sonarqube-for-visual-studio/connect-your-ide/connected-mode). In that case, marking an issue as Accepted or False Positive on the server automatically suppresses it in SonarQube for Visual Studio as well.

In addition to server-side statuses, C# projects can also use in‑code suppressions with the standard Visual Studio pragma syntax. The mechanism is called [pragma issue suppression](https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/preprocessor-directives#pragma-warning). Here's how it will look in your code:

```csharp
#pragma warning disable S1234
// Code that would raise rule S1234
#pragma warning restore S1234
```
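
The following added example, which is not SonarQube code or part of its documentation, inventories Sonar `#pragma warning` directives in C# source text and reports any `disable` that is never restored (in C#, such a suppression stays in effect to the end of the file). The function name `audit_pragmas`, the sample source, and the rule ID `S9999` are constructed for illustration.

```python
import re

# Matches "#pragma warning disable|restore <ids>"; a trailing // comment is ignored.
PRAGMA = re.compile(r"^\s*#\s*pragma\s+warning\s+(disable|restore)\b([^/\n]*)")
SONAR_ID = re.compile(r"\bS\d+\b")  # Sonar-style rule IDs such as S1234

def audit_pragmas(source):
    """Return (spans, unrestored, stray) for Sonar rule IDs in C# source text.

    spans      -> [(rule_id, disable_line, restore_line)]
    unrestored -> [(rule_id, disable_line)]  suppression runs to end of file
    stray      -> [(rule_id, restore_line)]  restore with no open disable
    """
    open_at = {}  # rule_id -> line number of the disable currently in effect
    spans, stray = [], []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = PRAGMA.match(line)
        if not m:
            continue
        action = m.group(1)
        for rule in SONAR_ID.findall(m.group(2)):
            if action == "disable":
                open_at.setdefault(rule, lineno)  # keep the earliest open disable
            elif rule in open_at:
                spans.append((rule, open_at.pop(rule), lineno))
            else:
                stray.append((rule, lineno))
    unrestored = sorted(open_at.items(), key=lambda kv: kv[1])
    return spans, unrestored, stray

# Constructed sample input (not from any real project); S9999 is a placeholder ID.
SAMPLE = """\
using System;
#pragma warning disable S1234, S1451 // reviewed, see ticket
class Config {
    int retries = 3;
#pragma warning restore S1234
}
#pragma warning restore S9999
"""

if __name__ == "__main__":
    spans, unrestored, stray = audit_pragmas(SAMPLE)
    for rule, start, end in spans:
        print(f"{rule}: disable at line {start}, restore at line {end}")
    for rule, start in unrestored:
        print(f"{rule}: disabled at line {start}, never restored")
    for rule, line in stray:
        print(f"{rule}: restore at line {line} without a matching disable")
```
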

### Generating a pragma suppression <a href="#generating-a-pragma-suppression" id="generating-a-pragma-suppression"></a>

To generate a pragma suppression for a C# issue, either place your cursor on the issue in the **Editor** and select the lightbulb or, from the **SonarQube Report** tool window, right-click the C# issue. Then choose **SonarQube: Suppress \[rule ID] with #pragma** and the `#pragma warning disable` and `#pragma warning restore` directives will be inserted automatically around the affected code.

<div align="left"><figure><img src="https://1613591589-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F5CSDwdOaYoOAGYNiRqgl%2Fuploads%2FHu5LKtpvY8nmIZ296sMA%2Fvisual-studio-generate-pragma-supression.png?alt=media&#x26;token=9554ade1-8a6e-447c-b65f-f5610cc3a68d" alt="Select any C# issue in the Editor or SonarQube Report tool window to generate a pragma suppression." width="563"><figcaption></figcaption></figure></div>

### Improving pragma behavior

Beginning in version 9.9, SonarQube for Visual Studio configures Visual Studio’s suppression cleanup so that Sonar rule IDs are excluded from “remove unnecessary suppression.” You can safely rely on pragma warnings to keep Sonar issues suppressed in code; however, pragmas are no longer removed automatically when they are unused.

To avoid the conflict with the built-in IDE0079 inspection and code cleanup profile, SonarQube for Visual Studio imports the `%appdata%\SonarLint for Visual Studio\suppression_exclusions.globalconfig` file, which disables the IDE0079 inspection and code cleanup profile specifically for Sonar rules so that they aren't flagged incorrectly. For more information about the built-in IDE0079 inspection and code cleanup profile, please see the [Microsoft documentation about removing unnecessary suppression](https://learn.microsoft.com/en-us/dotnet/fundamentals/code-analysis/style-rules/ide0079).

### Cleaning up unused Sonar pragmas

To avoid leaving “dead” suppressions behind, SonarQube for Visual Studio includes a Sonar rule to detect Sonar-specific pragma suppressions that no longer correspond to an active issue. When a pragma (or an individual Sonar rule ID within a pragma) is no longer needed, the rule raises an issue and provides a quick fix to remove the entire `#pragma warning disable` line if all IDs are unused.

To disable this Sonar rule or change the severity, navigate to **Options** > **SonarQube** > **General** > **C# Unused pragma suppression analysis severity** and select either **None**, **Info**, or **Warn**.

