Hello @greg_ya,
Many thanks for the feedback and the logs you provided. That helped a lot!
A subset of JavaScript rules uses TypeScript’s compiler to benefit from type information and improve their analysis precision. When type information is missing, these rules can find (fewer) issues to some extent or just don’t do anything at all. The exact behavior depends on the rule implementation, and it’s a case-by-case decision depending on what’s doable.
For performance reasons, type information is available in SonarLint only for projects of a certain size. More specifically, the property sonar.javascript.sonarlint.typechecking.maxfiles (default 20’000 files) controls the enabling of type-checking JavaScript files. This means that JavaScript rules using type information become no-op should the threshold be exceeded.
Now, coming to your specific case, the security hotspot highlighted on the provided SonarQube screenshot happens to use type information. Furthermore, the logs that you kindly shared include the following lines:
[Debug - 07:40:16.508] Project type checking for JavaScript files deactivated as project has too many files (maximum is 20000 files)
[Debug - 07:40:16.508] Update "sonar.javascript.sonarlint.typechecking.maxfiles" to set a different limit.
This essentially means that JavaScript rules using type information won’t behave as expected.
Please try to set in SonarLint the property sonar.javascript.sonarlint.typechecking.maxfiles to a value higher than 20’000 until the issues are found. Note, however, that increasing that value could degrade the analysis running time and performance depending on your project size and the available memory.
Finally, we are aware that the printed logs are not helpful from the user’s perspective. We created this ticket to improve those as well as that ticket to help identify which rules are impacted when type information is missing. We will also solicit our Documentation team to document this limited feature in SonarLint’s context.
Hope this helps,
Yassin
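
An added example, not part of the original post and not Sonar's code: a small check that scans SonarLint debug output for the deactivation message quoted above, so that silently disabled type-aware rules (including security hotspots) are noticed, and that makes a rough file count as a starting point for a new limit. The function names, the extension list and the skipped directories are assumptions; SonarLint's own counting rules may differ.

```python
import os
import re

# Patterns built from the two debug lines quoted in the post above.
DEACTIVATED = re.compile(
    r"\[Debug - (?P<time>[\d:.]+)\] Project type checking for JavaScript files "
    r"deactivated as project has too many files \(maximum is (?P<limit>\d+) files\)")
HINT = re.compile(r'\[Debug - [\d:.]+\] Update "(?P<prop>[^"]+)" to set a different limit')

def find_typecheck_deactivations(log_text):
    """Return one dict per deactivation message: time, limit, property to change."""
    events = []
    for line in log_text.splitlines():
        m = DEACTIVATED.search(line)
        if m:
            events.append({"time": m["time"], "limit": int(m["limit"]), "property": None})
            continue
        h = HINT.search(line)
        # The hint line follows the deactivation line; attach it to that event.
        if h and events and events[-1]["property"] is None:
            events[-1]["property"] = h["prop"]
    return events

def count_source_files(root, exts=(".js", ".jsx", ".ts", ".tsx", ".vue")):
    """Rough file count under root. ASSUMPTION: the extension list and the
    skipped directories are guesses, not SonarLint's own counting rules."""
    total = 0
    for _dir, subdirs, files in os.walk(root):
        subdirs[:] = [d for d in subdirs if d not in ("node_modules", ".git")]
        total += sum(1 for f in files if f.lower().endswith(exts))
    return total

# Constructed sample: the two lines from the post plus one made-up unrelated line.
SAMPLE_LOG = """\
[Debug - 07:40:16.100] Some unrelated debug line (constructed)
[Debug - 07:40:16.508] Project type checking for JavaScript files deactivated as project has too many files (maximum is 20000 files)
[Debug - 07:40:16.508] Update "sonar.javascript.sonarlint.typechecking.maxfiles" to set a different limit.
"""

if __name__ == "__main__":
    for ev in find_typecheck_deactivations(SAMPLE_LOG):
        print(f"{ev['time']}: type checking off at limit {ev['limit']}; raise {ev['property']}")
    print("source files under .:", count_source_files("."))
```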