Sonarlint doesn't show taint vulnerabilities in connected mode

  • Operating system: Windows 10
  • SonarLint plugin version: 10.2.1.77304
  • IDE: IntelliJ IDEA 2023.3.2 (Community Edition)
  • Programming language you’re coding in: Java
  • Is connected mode used: Yes
    • Connected to SonarCloud or SonarQube (and which version): SonarQube Community Edition Version 9.9 (build 65466)

And a thorough description of the problem / question:
Sonarlint has been working in connected mode, but it only fetches the code smells from the SonarQube server. Though there are vulnerabilities shown on SonarQube for the currently opened file in IntelliJ, it doesn’t show anything under the “Taint Vulnerabilities” tab (as shown in the attached picture).

Hi @Prosenjit_Roy, do you have an example of a specific taint vulnerability rule that is displayed on your SonarQube but not in SonarLint?

Hi @nicolas.quinquenel,
Please find one such rule below -
Unencrypted socket to com.XYZ… (instead of SSLSocket)

With regards,
Prosenjit

Sorry, I was not specific enough. Could you send me the rule ID of this rule?

Furthermore, here are some prerequisites for taint vulnerabilities:

* You need to bind to SonarCloud or SonarQube Developer Edition (or higher) 8.9+
* For this feature to be valuable, your project needs to be analyzed frequently (ideally by your CI server when pushing new code)
* Only issues detected on open files will be displayed in the IDE
* Only issues detected on the main branch will be displayed in the IDE
* When running in Connected Mode with SonarCloud, you must work with [long-lived branches](https://docs.sonarcloud.io/enriching/branch-analysis-setup/#long-lived-and-short-lived-branches). Issues on short-lived branches are not synchronized; SonarQube does not distinguish between long- and short-lived branches.

Rule id for the given rule is findsecbugs:UNENCRYPTED_SOCKET

Unfortunately, SonarLint does not support rules from FindBugs, as explained in our documentation:

Due to extensive resource requirements, taint vulnerability and some advanced bug detection rules are ignored by SonarLint. Please check the analyzer (PMD, Checkstyle, ESLint, PyLint, …). SonarLint will only run rules from SonarSource analyzers including custom rules extending SonarSource analyzers. Third-party analyzers usually have their own IDE integration, so we have no plan to run them in SonarLint.

However, you could install the FindBugs plugin directly in your IDE, I believe it should run in a similar fashion as SonarLint does.

My impression was that in connected mode Sonarlint imports and shows all the taint vulnerabilities identified on the SonarQube server, irrespective of the rule repository.

SonarLint is dedicated to the IDE integration of Sonar analyzers. Third-party analyzers usually have their own IDE integration, which we recommend users use directly.