SonarLint - Can it check for vulnerabilities such as SQL Injection?

Hi Team,

Can I check whether there are plans to include SQL Injection checks in the Sonar Lint plugin?

This feature is very useful for the developers. Right now, I don’t see the plugin doing such checks.



Hi @bxblin,

SonarLint - Can it check for vulnerabilities such as SQL Injection?

Short answer: no.

We have made multiple attempts at enabling advanced security rules in SonarLint, and so far they have not been successful. Those rules are based on a complex algorithm that is currently not IDE friendly, since it needs to analyze the entire project to give good results (by entire project, I really mean all project modules, which are possibly not even present in the IDE workspace). It is also not incremental, so a change to a single line of code requires rescanning the entire project, which on big projects can take minutes or hours.

This is still on our 2020 roadmap, so we will continue to work on it and try to find solutions.

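The following is an added example, not code from the thread or from SonarSource, illustrating the cross-module problem the reply describes: the tainted value enters in one module (a request handler) and reaches the SQL sink in another (a data-access layer), so a per-file view of either module alone cannot tell that `username` is attacker-controlled. It is written in Python against an in-memory SQLite database; the module split, function names, table and the attacker payload are all constructed for illustration. The vulnerable lookup is shown beside its parameterized fix.

```python
"""Added example (not from the SonarSource thread): a SQL injection that a
single-file, per-module analysis cannot see, because the tainted value
enters in one hypothetical module (a request handler) and reaches the SQL
sink in another (a data-access layer)."""
import sqlite3

# --- hypothetical module: data-access layer (the sink) ---------------------

def find_user_vulnerable(conn, username):
    # Sink: string concatenation builds the SQL text from a value whose
    # origin this module cannot know. Looked at in isolation, 'username'
    # is just a parameter, so a per-file rule has nothing to flag.
    query = "SELECT id, name, role FROM users WHERE name = '" + username + "'"
    return conn.execute(query).fetchall()

def find_user_safe(conn, username):
    # Fix: bind the value as a query parameter; the driver never treats it
    # as SQL text, so the query structure cannot be altered by its content.
    query = "SELECT id, name, role FROM users WHERE name = ?"
    return conn.execute(query, (username,)).fetchall()

# --- hypothetical module: request handling (the source) --------------------

def handle_lookup(conn, request_params, lookup):
    # Source: attacker-controlled input taken straight from the request.
    # Only by following this value into the other module does the
    # source-to-sink flow become visible.
    username = request_params.get("user", "")
    return lookup(conn, username)

# --- constructed fixture ---------------------------------------------------

def make_db():
    """Fresh in-memory database with two constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "admin"), (2, "bob", "user")])
    conn.commit()
    return conn

# Constructed attacker payload: closes the string literal and appends a
# tautology so the WHERE clause matches every row.
PAYLOAD = "x' OR '1'='1"

def demo(lookup):
    """Run the request handler with the payload; return the matched names."""
    conn = make_db()
    try:
        rows = handle_lookup(conn, {"user": PAYLOAD}, lookup)
        return [row[1] for row in rows]
    finally:
        conn.close()

if __name__ == "__main__":
    print("vulnerable:", demo(find_user_vulnerable))  # every user leaks
    print("safe:      ", demo(find_user_safe))        # no row has that name
```

Running the script shows the concatenated query returning every user for the payload while the parameterized query returns nothing, because the bound value is compared literally. The point for the thread is structural: the sink in `find_user_vulnerable` looks harmless on its own, and the source in `handle_lookup` looks harmless on its own; only an analysis that follows the value across both modules can connect them, which is exactly the whole-project requirement the reply describes.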