Requirements

The software requirements to run SonarQube for VS Code in your IDE.

Each IDE extension of SonarQube for IDE has its own requirements to work properly with the most recent releases.

Overview

SonarQube for IDE integrates with Visual Studio Code (VS Code) including the VS Code forks Cursor, Trae, and Windsurf editors.

SonarQube for VS Code needs a Java Runtime (JRE) 17+.

On the following platforms, SonarQube for VS Code comes with its own Java runtime:

  • Windows x86-64

  • Linux x86-64

  • macOS x86-64 (Intel Macs) and arm-64 (Apple Silicon Macs)

On other platforms where a Java runtime is already installed on your computer SonarQube for VS Code will automatically look for and use a Java Runtime (JRE) that’s already on your computer. Here’s the order in which it searches:

  1. the sonarlint.ls.javaHome variable in VS Code settings if set. For instance: { "sonarlint.ls.javaHome": "C:Files" }

  2. embedded JRE for platform-specific installations

  3. the value of the JDK_HOME environment variable if set

  4. the value of the JAVA_HOME environment variable if set

  5. on Windows the registry is queried

  6. if a JRE is still not found then:

    1. the PATH is scanned for javac

    2. on macOS, the parent directory of javac is checked for a java_home binary. If that binary exists then it is executed and the result is used

    3. the grandparent directory of javac is used. This is similar to $(dirname $(dirname $(readlink $(which javac))))

SonarQube for VS Code then uses the first JRE found in these steps to check its version.

If a suitable JRE cannot be found at those places, SonarQube for VS Code will ask for your permission to download and manage its own version.

Language-specific requirements

JS/TS/CSS analysis

To analyze JavaScript, TypeScript, or CSS code, SonarQube for VS Code requires one of these Node.js Major.Minor versions:

  • for Node v18, it must be at least 18.20.0.

  • for Node v20, it must be at least 20.12.0.

  • for Node v22 the Active LTS, it must be at least 22.11.0, with acceptance of v23 and v24.

SonarQube for VS Code will attempt to automatically locate the node, or you can force the location using:

    {
        "sonarlint.pathToNodeExecutable": "/home/yourname/.nvm/versions/node/v22.11/bin/node"
    }

C and C++ analysis-specific requirements

Downloading the CFamily analyzer

The CFamily analyzer is not included with the VSIX release files to optimize download times. After you install SonarQube for IDE, a download of the CFamily analyzer starts automatically. You can cancel the download anytime.

If you perform offline installations, refer to the instructions on the Offline installation page.

Enabling the CFamily analysis

To analyze C and C++ code, SonarQube for VS Code requires that you define a path to your Analyze C and C++ code:

{
        "sonarlint.pathToCompileCommands": "/home/yourname/repos/proj/compile_commands.json"
    }

Search for Path To Compile Commands in the VS Code Settings (or go to VS Code > Settings > Settings > Extensions > SonarLint > User and scroll to the entry); then enter the full path to your active compilation database:

SonarQube for VS Code needs to know where your C and C++ code is being compiled to in order to complete the analysis.

Note: if you are using Microsoft Visual C++ compiler, the environment should be ready to build the code. For example, you can launch VS Code from your Visual Studio Command Prompt.

The Running an analysis page provides more information about supported environments and troubleshooting C & C++ analysis.

COBOL analysis

COBOL analysis is a feature available in SonarQube for VS Code v3.19+ when running in Connected mode with SonarQube Server Enterprise Edition+ or SonarQube Cloud. In addition, the VS Code Language Mode must be set to COBOL independent of your file type. If your extension doesn’t set the language automatically, please see the VS Code documentation to learn how to manually change the language for the selected file.

By default, SonarQube for VS Code takes the analysis configuration from the SonarQube Server or SonarQube Cloud server, therefore, it is required that your project has already been analyzed by SonarQube Server or SonarQube Cloud. The following COBOL analyzer properties are synced by default unless previously overridden locally. Note that all properties found on the server will be synced locally, not just this selection:

  • sonar.cobol.dialect

  • sonar.cobol.file.suffixes

  • sonar.cobol.sourceFormat

  • sonar.cobol.copy.suffixes

  • sonar.cobol.copy.directories

In case copybooks are in different location locally, the analyzer property sonar.cobol.copy.directories should be defined in the /project/.vscode/settings.json file.

If working with COBOL files via Zowe explorer, it is recommended to update your Zowe workspace settings in VS Code by modifying the temporary file location; temporary files should be saved to your project folder which is bound to SonarQube Server or SonarQube Cloud. With the correct configuration, the analysis will be executed normally and you should see detected problems.

C# analysis

C# analysis is available in SonarQube for VS Code v4.0+. More information will be found in the C# configuration collapsible below:

C# configuration

When available, SonarQube for VS Code will reuse your existing C# extension settings in the workspace. Namely, these parameters:

  • omnisharp.useModernNet

  • omnisharp.enableMsBuildLoadProjectsOnDemand

  • omnisharp.projectLoadTimeout

  • dotnet.defaultSolution

SonarQube for VS Code targets the modern .NET versions which can be adjusted in your workspace settings: VS Code > Settings > Settings > User > C#.

The default values as laid out in the Advanced configuration section below can be modified if they do not match your configuration.

C# Advanced configuration

To edit these properties, go to C# Extension settings and modify the respective values.

omnisharp.useModernNet

  • Default value: true

  • Description: Use the modern Net 6 build of OmniSharp. If you are working with a Mono solution on Linux/Unix, or with an old NET Framework solution on Windows (< 4), set it to false.

omnisharp.enableMsBuildLoadProjectsOnDemand

  • Default value: false

  • Description: By default, all of the projects of the solution will be loaded; this will ensure maximum (rules) accuracy. For very big solutions that take too long to load, change this to true.

dotnet.defaultSolution

  • Default value: automatically detected

  • Description: The path of the solution that will be used for analysis.

omnisharp.projectLoadTimeout

  • Default value: 60

  • Description: Maximum waiting time (in seconds) for OmniSharp to load all projects (not relevant if sonar.cs.internal.loadProjectsOnDemand is set to true).

Infrastructure as Code

SonarQube for VS Code 3.17+ supports analysis of Infrastructure as Code (IaC) to help you secure your deployments. See the Sonar Rules pages as linked below for complete details:

Java analysis

To enable the support for Java analysis, you need the Language support for Java VSCode extension (version 0.56.0 or higher). You also need to be in standard mode.

Apex analysis

The support for Apex analysis is only available together with SonarQube Server Enterprise Edition or SonarQube Cloud when running in Connected mode. You will also need the Salesforce Extension Pack VS Code extension.

PL/SQL analysis

The support for PL/SQL analysis is only available together with Commercial Editions of SonarQube Server or with SonarQube Cloud when running in Connected mode. You also need the Oracle Developer Tools for VSCode VS Code extension.

Python

Jupyter Notebooks in VS Code

SonarQube for VS Code v3.16+ supports analysis of Python code inside Jupyter notebooks. When opening an .ipynb file, SonarQube Server, or SonarQube Community Build analyze the Python code and Python cells inside your Jupyter Notebooks.

There is nothing special to do to run a SonarQube for IDE analysis; simply open a Jupyter Notebook file. As with any Jupyter Notebook, you must set up your VS Code environment to run a project. The usual Quick Fix and issue investigation options you are accustomed to are available.

Managing rules

IPython Notebooks is a new rules category in the SonarQube for IDE explorer. Go to RULES > IPython Notebooks in the SONARQUBE SETUP view container to enable/disable rules, just as you would any rule for other languages.

The following rules have been disabled by default for Jupyter documents because they tend to be noisy in the notebook environment:

Connected mode

Connected mode will be ignored when working with Jupyter Notebooks. You will only have local analysis; this is because analysis of Jupyter Notebooks is not yet supported by SonarQube (Server, Cloud) or SonarQube Community Build.

Magic commands

All Magic commands are ignored by SonarQube for VS Code (for example, %matplotlib inline and %%timeit). When a line magic command is found, that line will be ignored. Similarly, when a cell magic command is found, the entire cell will be ignored. The next image below shows a normal Jupyter cell; the second image illustrates the same cell with a cell magic command. Note how SonarQube for VS Code ignores issues in the cell with the magic command.

SonarQube for VS Code without a cell magic command above, and with a cell magic command below.

T-SQL

T-SQL analysis is available running with connected mode with Commercial editions of SonarQube Server, or with SonarQube Cloud.

Some configuration may be required on the server side; please see the server documentation documentation pages about T-SQL analysis for complete details.

  • T-SQL in SonarQube Server

  • T-SQL in SonarQube Cloud

Injection vulnerabilities

Security vulnerabilities requiring taint engine analysis (injection vulnerabilities) are only available in connected mode because SonarQube for VS Code pulls them from SonarQube Server or SonarQube Cloud following a project analysis.

To browse injection vulnerabilities in SonarQube for VSCode, establish Connected mode with your SonarQube Server or SonarQube Cloud instance. Once a Project Binding is configured, SonarQube for IDE will synchronize with the SonarQube Server or SonarQube Cloud server to report the detected injection vulnerabilities.

More information about security-related rules is available in the the server documentation:

PreviousInstallationNextOffline installation

Last updated

Was this helpful?