I am trialling SonarLint for my development team. I have opened a solution in Visual Studio that has already been scanned by SonarCloud and which has over 1.5k issues (bugs, code smells & security hotspots). I have connected VS to SonarCloud and bound the solution to the relevant SonarCloud project, but SonarLint isn’t pulling down the list of issues. Also, if I open a file with a known issue in it, SonarLint isn’t detecting anything.
SonarLint doesn’t pull down issues from the server. It runs the analysis locally and shows those issues in the IDE. This wiki page describes what Connected Mode does and doesn’t do.
The SonarC# analyzer is a Roslyn analyzer, so when and how it runs in the IDE depends on the standard Visual Studio configuration mechanisms for code analysis.
The only impact Connected Mode should have is to make the SonarC# analyzer use a ruleset generated from your Quality Profile, i.e. it will specify which rules should run and how they are configured, but actually executing the rules is decided by Visual Studio.
To start with, I suggest creating a new solution with a simple console app. Ignore Connected Mode for the time being, and just open a code file and type a // TODO in it somewhere.
That should trigger S1135, which is enabled by default and should generate a Warning.
If you don’t see any issues, then check your VS configuration to make sure it is configured to execute live code analysis. See the MS docs for more information.
Thanks for correcting my misunderstanding of how Connected worked. It could be a useful feature to add to the tool though, so devs don’t need to go into the SonarCloud/Qube frontend to see what the issues are with the code that are already open.
Hi @Seneti and thanks for your feedback!
Our vision for SonarLint is indeed to report as much as possible, in the very moment you are coding, the same issues that SonarCloud will detect later when it analyzes your pull request or project branch, so that you can send cleaner pull requests and avoid rework.
Although SonarLint is already able to report the vast majority of bugs and code smells, Security Hotspots are not supported yet. We have short-term plans to support Security Hotspots in SonarLint for Visual Studio (we’ve just released this feature for VS Code) and you can follow the status here.
Apart from Security Hotspots, there are a few other cases of reporting not yet supported by SonarLint, and you can find a list of those cases here. One noteworthy case is Taint Vulnerabilities, which we decided not to run in SonarLint for performance reasons. Nevertheless, those issues are automatically pulled by SonarLint from SonarCloud and displayed in the local code (more info on this page).