Several problems with Sonarlint Visual Studio 2019 Connected Mode e.g. not showing fetched taint vulnerabilities

  • which versions are you using (SonarQube, Scanner, Plugin, and any relevant extension)
    SonarQube Version 8.9 (build 43852)
    Azure DevOps Server 2020 Update 1.1 (on premise)
    Version control: TFVC
    Sonarlint for Visual Studio
    Visual Studio 2019 (16.8.4)

  • what are you trying to achieve

    • In VS 2019 open window “Sonarlint Taint Vulnerabilities” and see the same issues that are shown on Sonarqube web page.
    • Also the other windows “Sonarlint Issue Visualization” and “Sonarlint Security Hotspots” are not showing anything, just empty windows with no entries.
    • The “Open in IDE” feature is not working. Error: sonarlint.ts:29 Refused to connect to ‘http://localhost:64121/sonarlint/api/status’ because it violates the document’s Content Security Policy.
      (anonymous) @ sonarlint.ts:29
  • what you have done so far
    I have connected VS to Sonarqube server with correct VS solution. I get the following result in the Output window for Sonarlint:

Current VS version:
Visual Studio Enterprise 2019
Loaded settings from “C:\Users\DEX215503\AppData\Roaming\SonarLint for Visual Studio\settings.json”.
Connected to SonarQube ‘’.
Checking for suppressions…
Number of suppressions found: 0
Initializing the telemetry package…
Finished initializing the telemetry package…
Initializing the SonarLint package…
Connected mode detected.
Finishing initializing the SonarLint package
Initializing the notifications package…
Loading notifications settings…
Connected: checking for notifications
Finished initializing the notifications package
[Taint] Initializing taint issues synchronization package…
[Taint] Fetched 2 taint vulnerabilities.
Initializing security package…
Finished initializing security package.
[Taint] Finished initializing taint issues synchronization package.
Initializing the daemon package…
[Open in IDE] Creating request listener…
[Open in IDE] Checking availability of port 64120
Finished initializing the daemon package.
[Open in IDE] Port 64120 is unavailable
[Open in IDE] Checking availability of port 64121
[Open in IDE] Request listener created successfully. Listening on port 64121.

Thank you for your time and support!

1. Taint vulnerabilities

It looks from the logs that the taint issues are being fetched correctly. However, only the issues for the current file are shown in the list. See here for more information.

2. Open in IDE / security hotspots

Currently the only way to see hotspots in the IDE is by using the Open in IDE feature - the list of hotspots is not fetched automatically.

Can you share a screenshot of the error you are getting please?

Duncan, thank you for your feedback!

1. Taint vulnerabilities
I missed the “only shown for current file” part. I tried to open the affected file and then open “Taint Vulnerabilities” window, but it is still empty. I guess the path at the top of the window should reflect the path of the currently opened window. Which is not the case:

2. Open in IDE/Security hotspots

Regarding (1), it’s not a path, it’s the name of the branch that is configured as the main branch in SonarQube:


FYI currently SLVS only fetches issues from the “main” SonarQube/SonarCloud branch. We’ve working on making SonarLint in all IDEs branch-aware i.e. it will attempt to fetch issues from the server that corresponding to the branch you are working on locally.

1 Like

I have double checked the main branch setting in Sonarqube and my opened solution. It is the same branch. Maybe it does not work with TFVC?