Report downloaded from server has vulnerability but SonarLint doesn't show it in IntelliJ

Turned on verbose mode and looked at analysis logs. I can see a VULNERABILITY in the file downloaded from the SonarQube server, but the SonarLint plugin doesn’t list that issue in IntelliJ. Is there a setting in the plugin that controls what to display? Is this a filtering issue?

Hi,

Welcome to the community!

FYI, I’ve re-categorized this from “Report a Bug” to “Get help / SonarLint” because believe it or not, this isn’t a bug, but just how it works.

Unfortunately, the advanced vulnerability detection rules that are added when you upgrade to Developer Edition don’t currently run in SonarLint. We have technical issues that we need to work through to make that happen. This is on our radar, but unfortunately I can’t give you an E.T.A. right now.

 
:grimacing:
Ann

Thanks for the reply Ann. Just to clarify, the file being downloaded from the server already has the VULNERABILITY in it. Here is a masked example of what it looks like:

asdfasdffjasldfjldjflsjalf9yZcfcom.xxxx.xxx.xxxxBsrc/main/java/com/xxxxx/xxxxxx/xxxxx/config/AppConfiguration.java"findsecbugs*PATH_TRAVERSAL_IN0ã:wjava/io/File.<init>(Ljava/lang/String;Ljava/lang/String;)V reads a file whose location might be specified by user input@asdfasdfENb 4e807abcdefghixyzr4sp∞ÚèÆû.z VULNERABILITY

Since that already has the issue and the specific class, my thought was that this was more of a display bug. If not, no worries. So what is that issues file that’s downloaded from the server used for? Just a cross reference?

Thanks,
Charles

Hi,

SonarLint doesn’t display server issues.

We are downloading issues from the server in order to map them to issues found by SonarLint locally, and merging some modifications:

  • mute the issue (if it was marked as won’t fix or false positive in SonarQube)
  • change issue severity (if severity was changed in SonarQube)
  • change issue creation date (take the server issue creation date)

I also noticed that the issue detected on the server comes from the “findsecbugs” plugin, and thus would not be detected (nor shown) by SonarLint.

Note that if you want to see FindSecBugs issues in your IDE, you can use FindBugs’ integration alongside SonarLint.
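A small illustration of the merge described in this reply, added here as an example and not SonarLint's own code: server issues are only used to adjust locally found issues (mute, severity, creation date), and a server-only finding such as the findsecbugs one never reaches the IDE list. Rule keys, paths, dates and the (rule, file, line) matching key are constructed assumptions.

```python
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Issue:
    rule_key: str                      # e.g. "java:S2095"; "findsecbugs:..." on the server
    file_path: str
    line: int
    severity: str
    creation_date: Optional[str] = None
    resolution: Optional[str] = None   # server side: "WONTFIX", "FALSE-POSITIVE" or None
    muted: bool = False                # local side: hidden from the IDE issue list

MUTING_RESOLUTIONS = {"WONTFIX", "FALSE-POSITIVE"}

def match_key(issue: Issue):
    # Assumed matching key (rule, file, line); the real plugin's matcher is more tolerant.
    return (issue.rule_key, issue.file_path, issue.line)

def merge_server_issues(local: list, server: list) -> list:
    """Apply server-side modifications to issues SonarLint found locally.

    Server issues with no local counterpart (e.g. from a rule SonarLint never
    ran, such as findsecbugs) are dropped: SonarLint shows only its own findings.
    """
    by_key = {match_key(s): s for s in server}
    merged = []
    for li in local:
        s = by_key.get(match_key(li))
        if s is None:
            merged.append(li)            # no server counterpart: keep as found
            continue
        merged.append(replace(li,
            muted=s.resolution in MUTING_RESOLUTIONS,   # won't fix / false positive
            severity=s.severity,                        # severity changed on server
            creation_date=s.creation_date))             # take server creation date
    return merged

def displayed(issues: list) -> list:
    return [i for i in issues if not i.muted]

# Constructed sample data (paths, rule keys and dates are not from the thread).
CFG = "src/main/java/com/example/config/AppConfiguration.java"
LOCAL = [Issue("java:S2095", CFG, 40, "MAJOR"),
         Issue("java:S1135", CFG, 12, "INFO")]
SERVER = [Issue("java:S2095", CFG, 40, "CRITICAL", "2023-01-05"),
          Issue("java:S1135", CFG, 12, "INFO", "2022-11-20", "WONTFIX"),
          Issue("findsecbugs:PATH_TRAVERSAL_IN", CFG, 57, "MAJOR", "2023-02-01")]
```

Calling `displayed(merge_server_issues(LOCAL, SERVER))` leaves only the S2095 issue, now CRITICAL with the server's creation date; the won't-fix issue is muted and the findsecbugs issue is absent because nothing local matched it.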