IntelliJ | sonarlint | security hotspots


SonarQube Developer Edition 8.6.1
SonarLint 4.14.1
IntelliJ Community Edition 20.3.2

I would like to take the following link for discussion:

I currently have the same problem: no security hotspots appear in SonarLint.
We have just updated to version 8.6.1. Does SonarLint only recognize new issues?


Need help. Thanks.

Hi @markluebbehuesen.

FYI that thread relates to a different issue in a very old version of SonarLint for Visual Studio.

Currently SonarLint does not detect new hotspots or taint vulnerabilities in the IDE, although it is possible to view hotspots and taint vulnerabilities that have been sent to SonarQube as part of an analysis run.

Note also that hotspots and taint vulnerabilities are different concepts and are surfaced differently in SonarLint (your post refers to hotspots but the screenshot is of the taint vulnerabilities list). See the docs for an explanation of the difference. Also, taint vulnerabilities are a commercial feature, i.e. they are not available in Community edition.

Hotspots: the SonarQube UI now has an “Open in IDE” button that allows you to jump to the IDE to explore the hotspot in one of the supported SonarLint IDEs:

Taint vulnerabilities: if you are using Connected Mode with a commercial edition of SonarQube, then SonarLint will display a list of taint vulnerabilities from the bound project. The SonarLint for IntelliJ wiki describes how to set this up.