So now you have more issues in SonarQube than in SonarLint, right ?
For some issues like “Refactor this code to not place tainted, user-controlled data in header”, this is expected. As you can read in our FAQ:
Vulnerabilities raised by the Taint Analyzer (SQL Injection, …) are issues detected in SonarQube commercial editions that are also not detected by SonarLint (rule key starting by
javasecurity,phpsecurityorroslyn.sonaranalyzer.security.cs). Running tainted analysis in the IDE is currently not practical mainly for performance reason.
I think if you subtract the taint vulnerability issues, the count should match what you observe in SonarLint.
Could you confirm ?
Thanks
Damien