Do SonarQube and SonarLint use the same rule sets? And how to know which version of rule sets are they

I am using SonarQube version 9.3.0.51899 and SonarLint version v3.13.0 in non-connected mode for my Java project. I am getting some issues in SonarLint that are not there in SonarQube (java:S6353). What I want to know is whether SonarLint and SonarQube both use the same set of rules, and how to keep track of which version of the rule sets is being used by SonarLint or SonarQube.


Hello, welcome to the community! And thanks for your question.

SonarLint and SonarQube are both powered by the same analyzers under the hood, so a lot of rules are in common.

However, depending on the version of either tool, some rules can differ. Additionally, some rules from SonarQube cannot be run (yet) by SonarLint due to technical constraints.

When used standalone, SonarLint has its own local set of rules that you can configure using the sonarlint.rules settings property or the “SonarLint Rules” view in VSCode.

When used in connected mode with SonarQube, SonarLint will synchronize its rule set according to the server’s quality profile. Furthermore, it will also hide issues that are marked as “false positive” or “won’t fix” on the server.

So in your setup, if you want to have the same rule set applied in SonarQube and SonarLint, I would strongly suggest that you configure connected mode in SonarLint 🙂

Hello, got it, but in my case SonarLint is actually giving issues that are not getting reported by SonarQube, like the rule java:S6353. Also, sonarlint.rules can help me add or remove rules, but I want to know whether, without connecting, there is also a way to get the same rules working in both SonarLint and SonarQube.

Having issues reported in SonarLint but not in SonarQube is definitely possible; I see at least 3 possible reasons for this:

  • The version of the analyzer can be more recent in SonarLint than on SonarQube - and this is definitely the case with the versions you reported
  • The rule can be enabled by default in SonarLint, but not in the SonarQube quality profile
  • The issue may have been silenced in SonarQube

Applying the same set of rules in SonarLint and SonarQube is definitely possible without connected mode, if you are ready to go through the effort of synchronizing your local sonarlint.rules settings to have it match the SonarQube quality profile.

May I ask why you are not using connected mode in this case? Is there anything that prevents you from doing so and that we could address in the product?
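As an added example (not part of the original thread, and not Sonar's own tooling), here is one way to do the manual synchronization described above: derive a `sonarlint.rules` value from the rules active in a SonarQube quality profile. It assumes the paged response shape of `api/rules/search?qprofile=<profile key>&activation=true` and the `{"level": "on"|"off"}` entry format of `sonarlint.rules`; the function names are hypothetical, the sample pages are constructed, and rule parameters are not carried over.

```python
import json

# Constructed sample: two pages shaped like responses from
# GET api/rules/search?qprofile=<profile key>&activation=true
SAMPLE_PAGES = [
    {"total": 3, "p": 1, "ps": 2,
     "rules": [{"key": "java:S106"}, {"key": "java:S1481"}]},
    {"total": 3, "p": 2, "ps": 2,
     "rules": [{"key": "java:S2095"}]},
]


def active_rule_keys(pages):
    """Collect rule keys from every page; fail if a page is missing."""
    keys = set()
    for page in pages:
        keys.update(rule["key"] for rule in page["rules"])
    total = pages[0]["total"] if pages else 0
    if len(keys) != total:
        raise ValueError(f"expected {total} rules, got {len(keys)}; fetch all pages")
    return keys


def build_sonarlint_rules(server_active, seen_locally):
    """Build the value of the sonarlint.rules setting (hypothetical helper).

    Rules active in the server profile are switched on. Rules SonarLint has
    reported locally that the profile does not contain are switched off, which
    covers rules shipped only in SonarLint's newer analyzer.
    """
    rules = {key: {"level": "on"} for key in sorted(server_active)}
    for key in sorted(set(seen_locally) - server_active):
        rules[key] = {"level": "off"}
    return rules


if __name__ == "__main__":
    active = active_rule_keys(SAMPLE_PAGES)
    # java:S6353 is the rule from this thread: raised locally, absent on the server.
    local = ["java:S6353", "java:S106"]
    settings = {"sonarlint.rules": build_sonarlint_rules(active, local)}
    print(json.dumps(settings, indent=2))
```

Rules that SonarLint enables by default but has not yet reported locally stay on, so the output needs regenerating whenever the quality profile or the SonarLint version changes.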

But if I use SonarLint in connected mode, I will have to use the project key as well, which means I will have to perform a scan on SonarQube and then will be able to connect SonarLint to SonarQube.

But if I use SonarLint in connected mode, I will have to use the project key as well, which means I will have to perform a scan on SonarQube and only then will be able to connect SonarLint to SonarQube. And so I will have to perform a scan before using SonarLint.

You mentioned earlier that:

As far as I can tell, this means that your project is already analyzed by SonarQube. And in this case, all you need to do in VSCode is:

  • Create a new connection to your SonarQube server, using a personal token
  • Bind your SonarQube project to the folder opened in VSCode, using the project’s key

This way, your quality profile, analysis settings and suppressed issues will be synchronized with SonarLint.

Please note that this does not mean that SonarLint will send its analysis results to SonarQube: SonarLint only pulls data from the server, it does not replace the SonarQube analysis (presumably performed as part of your continuous integration).

Yeah, so actually my use case is that I want to solve most issues given by SonarLint and only then scan using SonarQube to solve the remaining ones. But if I want to connect, then I will have to run a scan on my project and only then will be able to use SonarLint in connected mode. Also, is it possible that I create an empty project, get it scanned, and then use its key to synchronise the rules with my SonarLint?

Thanks for the additional context!

In this case, you can create the project on SonarQube and already synchronize it with SonarLint even before the first analysis.

Since there will be no analysis, you won’t benefit from the issue synchronization, however you should still have the synchronization of the rule set which will help you clean the project before the first analysis.

Good luck with the cleanup!

Thanks for the solution.
