We’ve identified an issue where SonarQube’s Multi Quality Rule (MQR) mode incorrectly categorizes golangci-lint findings. All issues are classified as Maintainability, even when they represent security vulnerabilities or reliability concerns.
This misclassification causes critical security and bug-related issues to be overlooked.
To mitigate this, we’ve reverted to Standard Experience mode until the issue is resolved.
The root cause appears to be in the golangci-lint report reader (GolangCILintReportSensor.java, lines 46–81), which seems to lack logic for properly mapping issue types in MQR mode.
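As an added example (not code from the original post or from SonarSource), the following Go program reads a golangci-lint JSON report and buckets findings by the software quality they should land under, so a team running in Standard Experience mode can see which gosec findings would have been flattened into Maintainability. The linter-to-quality mapping and the sample report are assumptions constructed for illustration; the JSON field names (Issues, FromLinter, Text) follow golangci-lint's JSON output format.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Issue holds the golangci-lint report fields needed for classification.
type Issue struct {
	FromLinter string `json:"FromLinter"`
	Text       string `json:"Text"`
}

// Report mirrors the top-level shape of golangci-lint's JSON output.
type Report struct {
	Issues []Issue `json:"Issues"`
}

// qualityByLinter is an assumed mapping; MQR mode should apply something
// like it instead of tagging every finding as Maintainability.
var qualityByLinter = map[string]string{
	"gosec":       "Security",
	"errcheck":    "Reliability",
	"staticcheck": "Reliability",
}

// ClassifyReport parses a golangci-lint JSON report and groups the
// "linter: text" of each finding under its expected quality.
func ClassifyReport(raw []byte) (map[string][]string, error) {
	var r Report
	if err := json.Unmarshal(raw, &r); err != nil {
		return nil, fmt.Errorf("invalid golangci-lint report: %w", err)
	}
	out := map[string][]string{}
	for _, is := range r.Issues {
		q, ok := qualityByLinter[is.FromLinter]
		if !ok {
			q = "Maintainability" // default for linters not in the mapping
		}
		out[q] = append(out[q], is.FromLinter+": "+is.Text)
	}
	return out, nil
}

// sampleReport is a constructed report, not output from any real project.
const sampleReport = `{"Issues":[
 {"FromLinter":"gosec","Text":"G404: Use of weak random number generator"},
 {"FromLinter":"errcheck","Text":"Error return value is not checked"},
 {"FromLinter":"revive","Text":"exported function should have comment"}]}`

func main() {
	buckets, err := ClassifyReport([]byte(sampleReport))
	if err != nil {
		panic(err)
	}
	for q, findings := range buckets {
		fmt.Printf("%s (%d): %v\n", q, len(findings), findings)
	}
}
```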
You are correct, our golangci-lint importer is currently not compatible with MQR mode. We appreciate you bringing this to our attention and will prioritize addressing this issue as soon as possible.
Why do you still need to use GoSec given the security rules provided out of the box by Sonar?
SonarQube currently provides only 12 vulnerability detections for Go, whereas GoSec provides 28. In our experience over the past four years, we’ve noticed that Go support in SonarQube hasn’t received significant attention or updates. Given this, we believe it’s unlikely that SonarQube’s built-in rules can match the pace of the broader community’s contributions to lint and security detections.
From our perspective, there is no reason to continue to use GoSec given the rules we are providing out of the box. But if you see something raised by GoSec that is valuable and that is not raised by SonarQube, please let me know and we will adjust if needed.
We are working to plug our Go analyzer into our Taint Analyzer to detect SQL, Command, … injection vulnerabilities. It should reach SonarQube Cloud by the end of Q2 or the beginning of Q3 2025.
Note: the internal ticket SONARGO-76 to make golangci-lint issues compatible with MQR mode is in progress and should be part of the next release of SonarQube Server.