SonarLint results do not match results via the command line

Versions:
SonarCloud
Intellij Ultimate 2020.2
SonarLint 4.12.1.22375
Language: Java

When performing pull request analysis, I have a rule that is reported in GitHub and in the SonarCloud branch analysis page. However when I perform analysis locally via SonarLint the issue is not reported.

Rule is java:S4502
Disabling CSRF protections is security-sensitive

One note of interest… when I go to the SonarLint Project Settings -> Configure the connection and look at the Rules tab, java:S4502 is not in the list of rules even though it is active in this particular project's quality profile.

Just realized that the issue being reported is a “Security Hotspot”… so I assume that is the issue, that those are not reported in SonarLint?

That’s correct. Security hotspots are not the same as “normal” issues, which is why SonarQube and now SonarCloud display them separately and why they have a separate review workflow (see the docs for more info).

We don’t have a way of displaying hotspots separately in SonarLint, so to avoid confusion with “normal” issues we don’t currently show them at all.

However, we are working on a new feature to enable reviewing hotspots in the IDE. The first version should be available in a few weeks' time.
