- Operating system: Linux
- SonarLint plugin version: 3.18.0
- Programming language you’re coding in: C++
- Is connected mode used: n.a
- Connected to SonarCloud or SonarQube (and which version): n.a
And a thorough description of the problem / question: I’m noticing that the vscode sonarlint extension is missing a few of the rules defined on the sonarsource site. For instance C++ static code analysis | cwe: Hard-coded credentials are security-sensitive and C++ static code analysis | cwe: "sprintf" should not be used are nowhere to be found. Also I’m wondering if anyone knows an easy way to enable only the top 25 CWE rules. Appreciate any help.
Hello, welcome to the community! And thanks for your questions.
cpp:S2068 (“Hard-coded credentials are security-sensitive”) and
cpp:S6069 (“‘sprintf’ should not be used”) are Security Hotspot rules, and as such they are only available in connected mode with SonarCloud or SonarQube (Developer Edition and above).
The rationale behind this is that security hotspots are “maybe” findings that need to be checked by a developer, either to be confirmed as vulnerabilities or ignored as safe.
About your last point, one way I see to do it would be to configure connected mode with SonarCloud or SonarQube and define a custom quality profile that has only those rules enabled; however, I don’t believe there is any UI help on the server side to achieve this.
May I ask why you would like to see only the top 25 CWE rules?