SonarLint not reporting vulnerabilities in Eclipse

I added the project to the local sonarqube server. [ http://localhost:9000/dashboard?id=testingJava ]

I added the SonarLint plugin in my Eclipse, and configured the SonarLint Bindings.


But the SonarLint Taint Vulnerabilities tab doesn't show anything.

Hi @scriptandme and welcome to the SonarSource community.
Did you open any source file in the code editor containing taint vulnerabilities? In fact, the “SonarLint Taint Vulnerabilities” tab only reports issues found in the file currently opened in the editor (the same logic as the “SonarLint On-The-Fly” tab). Moreover, only “complex” vulnerabilities like SQL injection flows are pulled from SonarQube and displayed in the “SonarLint Taint Vulnerabilities” tab; simpler vulnerabilities are detected directly by SonarLint and reported in the “SonarLint On-The-Fly” tab.

I let you try the above, and I would be glad if you can let us know how this new SonarLint feature worked for you, along with any suggestions you may have!


Hi @Marco_Comi

So the “SonarLint Taint Vulnerabilities” tab doesn't show the same vulnerabilities that SonarQube reports?

Let me explain. My project has 2 vulnerabilities corresponding to OWASP category A4. These vulnerabilities were detected by SonarQube but don't show in SonarLint.

And the other question is, what is the benefit of connecting the SonarQube server with SonarLint?

Thanks a lot for the help.

Hello @scriptandme

So the “SonarLint Taint Vulnerabilities” tab doesn't show the same vulnerabilities that SonarQube reports?

All vulnerabilities (along with bugs and code smells) that SonarLint can detect in the local code are displayed in the “SonarLint On-The-Fly” tab.
Now, there are some vulnerabilities (the “taint vulnerabilities” specifically) that SonarLint cannot detect in the local code. We introduced the Taint Vulnerabilities tab to show you those additional issues thanks to SonarQube integration. So “SonarLint Taint Vulnerabilities” only shows those advanced issues that SonarLint cannot detect alone.
Notice that the workflow is quite different between the two: issues detected by SonarLint are reported immediately as you type them, and they disappear immediately when you fix them. Taint vulnerabilities are only reported in the IDE once SonarQube has scanned your project main branch, and they are only unlisted when SonarQube has rescanned the project main branch including your fix. This is why we introduced two different tabs (and BTW, any feedback is very welcome on that! :slight_smile: )

Let me explain. My project has 2 vulnerabilities corresponding to OWASP category A4. These vulnerabilities were detected by SonarQube but don't show in SonarLint.

From the screenshot, it seems you are referring to this rule:
XML parsers should not be vulnerable to XXE attacks

This rule is supported directly in SonarLint (notice the :sonarlint: logo at the end of the above linked page), so you should expect to see it in the “SonarLint On-The-Fly” tab.

And the other question is, what is the benefit of connecting the SonarQube server with SonarLint?

Apart from what was explained above (being able to report in the IDE taint vulnerabilities not detectable by SonarLint itself), the main value we want to bring with the connected mode is to help teams, organizations and developers share the same code quality and security standards across all the contributors to a software project. This means that you can activate or deactivate specific rules in SonarQube, or exclude specific files from your project analysis, and your configuration will be propagated to all developers' IDEs thanks to SonarLint. And if a colleague marks an issue as False Positive in SonarQube, your SonarLint will also stop reporting it. You can read a little more about connected mode here and here.
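As an added illustration (not code from this thread or from SonarSource) of the rule named above, “XML parsers should not be vulnerable to XXE attacks”: the first builder uses the JDK default `DocumentBuilderFactory` settings, which is the shape SonarLint flags in the On-The-Fly tab; the second disables DOCTYPE and external entity handling, which is the fix the rule expects. The class name and the sample document are constructed for this example.

```java
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import java.io.StringReader;

// Hypothetical example class; the method names are not part of any SonarSource API.
public class XxeParserExample {

    // Default configuration: DTDs and external entities are resolved, so an
    // untrusted document can reference local files or remote resources.
    // This is the pattern the XXE rule reports.
    static DocumentBuilder unsafeBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        return factory.newDocumentBuilder();
    }

    // Hardened configuration: reject DOCTYPE declarations entirely and, as
    // defence in depth, turn off external general and parameter entities.
    static DocumentBuilder safeBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
        factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        return factory.newDocumentBuilder();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: an inline DTD with a harmless internal entity.
        // The unsafe builder expands it; the hardened builder rejects the DOCTYPE.
        String xml = "<?xml version=\"1.0\"?>"
                + "<!DOCTYPE note [<!ENTITY greet \"hello\">]>"
                + "<note>&greet;</note>";

        Document doc = unsafeBuilder().parse(new InputSource(new StringReader(xml)));
        System.out.println("unsafe builder parsed: " + doc.getDocumentElement().getTextContent());

        try {
            safeBuilder().parse(new InputSource(new StringReader(xml)));
            System.out.println("hardened builder parsed (unexpected)");
        } catch (SAXParseException e) {
            System.out.println("hardened builder rejected DOCTYPE: " + e.getMessage());
        }
    }
}
```

Once the factory is configured like `safeBuilder()`, SonarLint stops reporting the rule on that file immediately, without waiting for a SonarQube rescan.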

Thanks a lot for the information.
