SonarLint for VS Code 3.18 - Security Hotspots for SonarCloud users, better code examples display

at the beginning of this year, we introduced the capability for SonarLint to report Security Hotspots directly in your IDE, with an initial focus on those of you using SonarLint together with SonarQube.

We’ve now expanded the support for Security Hotspots to SonarCloud users as well; basically all of you using SonarLint in connected mode will now see Security Hotspots reported directly in VS Code (reminder: for SonarQube, the minimum version is 9.7).

Something we’ve also added this month is the possibility to have a list of unreviewed Security Hotspots beyond the boundaries of the file you’re currently working on. In fact with version 3.18, if you select the “In Whole Folder” option SonarLint will scan every file in the folder you’ve currently opened in VS Code, so that you have a chance to review all pending hotspots at once:


Activating this mode may have a significant performance impact depending on the size and configuration of your projects - so I suggest you have a look at this wiki page first :wink:

SPOILER: We’re also working on the possibility for you to set the output of a hotspot review directly in SonarLint - this will avoid you having to switch between SonarLint and SonarQube/SonarCloud during the review process, stay tuned…

In this release, we’ve also made further improvements to our rule descriptions: to help you easily understand and act on the noncompliant/compliant code examples : we’ve added syntax highlighting to all examples:

For some rules you’ll also find code diff highlighting between non-compliant and compliant code examples in our rule descriptions - this will be progressively made available for all rules.

Finally, here is a selection of the new detections we’ve added in our analyzers this month:

  • a new Java rule that advises to use when appropriate the static methods introduced in Java 19 to initialize hash-based collections in order to allocate the requested capacity at construction time
  • several new rules for TypeScript (more details here)
  • 6 new Python rules for the Django framework and 3 new quick fixes (more details here)

You can read more in the release notes.



Are cobol, copybook supported in sonarlint scans.

Hi @sam-nash, this topic is discussed in this thread.

1 Like