SonarLint SonarQube synchronization (Part-2)


Another question related to SonarLint SonarQube synchronization.

For instance, in case you install the Checkstyle plugin on the SonarQube side, will the “findings” raised by this plugin be synchronized on the SonarLint side, and will the findings be underlined in the IDE?

Best regards

Hey there.

No. SonarLint works by actually running the analyzers (so it can raise issues while you type), while the Checkstyle plugin runs Checkstyle during the SonarQube analysis and imports the results.

That said, a Checkstyle specific plugin may exist for your IDE.

Ok, but in this case you cannot benefit from the SonarQube feature which allows filtering on the “new issues” only.
Because I am wondering. If I have understood correctly, a part of your ruleset analysis is performed on the SonarQube side, isn’t it? (I am thinking about Vulnerability and Security Hotspot findings, for instance.) And if a Vulnerability issue is raised, is this one synchronized to SonarLint in order to see where the issue has been spotted, right?

Hello @loky,

I will try to answer your questions:

Indeed, there is no such feature in SonarLint; at the moment you cannot show only new issues.

We don’t detect security hotspots locally in SonarLint, but it is part of this year’s roadmap.
We are already able to detect “simple” vulnerabilities in SonarLint, but we are not able to detect what we call taint vulnerabilities (like injections). Those detections are done by the scanner only and pushed to SonarQube/SonarCloud.

This is true for taint vulnerabilities. You can find more details here.

Hope this helped; don’t hesitate to ask more questions.