So now you have more issues in SonarQube than in SonarLint, right?
For some issues like "Refactor this code to not place tainted, user-controlled data in header", this is expected. As you can read in our FAQ:
Vulnerabilities raised by the Taint Analyzer (SQL Injection, …) are issues detected in SonarQube commercial editions that are also not detected by SonarLint (rule keys starting with javasecurity, phpsecurity or roslyn.sonaranalyzer.security.cs). Running tainted analysis in the IDE is currently not practical, mainly for performance reasons.
I think if you subtract the taint vulnerability issues, the count should match what you observe in SonarLint.
Could you confirm?
Thanks
Damien