SonarLint for VSCode 3.14 - Security Hotspots in the IDE

Hello VSCode users,

I’m thrilled to announce the January release of SonarLint for Visual Studio Code!
If you use SonarQube or SonarCloud, you’re probably already familiar with Security Hotspots, which are basically security-sensitive pieces of source code that must be reviewed by developers to ensure the code does not present security risks. To learn more about Security Hotspots, and in particular the difference between a security vulnerability and a hotspot, I suggest reading this page.

Until today, you needed to submit your code and wait for SonarQube or SonarCloud to analyze it in order to be notified of new Security Hotspots to be reviewed in your code. The good news is that with the latest release, SonarLint can report directly in VSCode any unreviewed Security Hotspot that is present in the source files you’re working on - this means that new hotspots will be reported immediately when you introduce them.

This new feature is now automatically available if you use SonarLint in connected mode with SonarQube (minimum SonarQube version: 9.7). In the future, we’ll also make it available for those of you using SonarCloud.

Please also note that for this first iteration, it is not possible to set the output of a Security Hotspot review (i.e. to mark it as Acknowledged, Fixed, or Safe) directly in SonarLint. We’ll work on that later on, and in the meanwhile, you can simply right-click on any Security Hotspot from the list, and choose Review on Server: this action opens the Security Hotspot in SonarQube and enables you to set the review output.

This month’s release also adds 13 new rules to help you make the best of C++20’s std::format feature, and several improvements for our Java, JS/TS, PHP and XML rules.

You can read more in our release notes.
