Hello VSCode users,
Following your valuable feedback, we’ve worked to improve the investigation of taint vulnerabilities in SonarLint (SQL injections, OS command injections, cross-site scripting, and many more). The changes we’ve shipped in the latest release include:
- SonarLint can now display injection vulnerabilities for the whole project, no matter where the issue’s sink is located (previously, you needed the sink to be in a file opened in your code editor).
- SonarLint will instantly notify you as soon as SonarQube has detected new taint vulnerabilities in your project.
- We’ve made it more explicit in the UI that injection vulnerabilities are not detected by SonarLint local analysis: once you’ve applied a fix, you’ll need to run a SonarQube or SonarCloud analysis to verify that the issue is fixed.
You can learn more in the release notes. Here are a couple of additional highlights:
- The Java analysis detects hard-coded passwords more precisely
- We added 4 new quick fixes for Python issues
Happy coding with SonarLint!