SonarLint Vulnerabilities Detection

Hello,

I would like to use SonarLint mainly for Bugs and Security Vulnerabilities.

Before using SonarLint, I would like to understand whether SonarLint can detect all types of vulnerabilities such as passwords, keys/tokens, credit card numbers, vulnerable dependencies, secrets, etc. in the code when using the IDE.

I am not sure, as I found this post* stating that SonarLint cannot detect high-level security risks in the IDE; they can only be detected in SonarQube or SonarCloud.

*Security issues are not found - #4 by Alexandre_Gigleux

Basically, I would like to understand if SonarLint & SonarQube can do the same job as GitHub Advanced Security**

**GitHub security features - GitHub Docs

Users who are using SonarLint, could you please give feedback on whether SonarLint can detect these for my use case?

Thank you
Harish

I have been waiting for some answers but it has been 4 days without any replies.

Can SonarQube engineers and forum moderators please provide some input on using SonarLint?

Thank you
Harish

Hello, welcome to the community! And thank you for your question.

For the time being there are currently 2 main types of vulnerabilities detected by SonarLint:

  • “Standard” vulnerabilities: those detect code constructs which are known to be vulnerable and require immediate attention; they should be detected out of the box by SonarLint (availability for a given language depends on the IDE).
  • “Taint” vulnerabilities: those are detected through a taint analysis algorithm that finds application paths where user controlled data reaches sensitive code; these are available in connected mode with SonarCloud or one of the commercial editions of SonarQube.

A third category, “Secrets” is just around the corner :wink: (should be available in the next few months).

So in comparison to GitHub’s security features, at the moment SonarLint is not 100% there yet. However, detection of secrets in the IDE is shifted left compared to the analysis GitHub does on your already pushed code. So in my opinion, both tools have complementary value.

Which IDE(s) and language(s) are you interested in?

As a side note, let’s make something very clear: there is no SLA on this community forum (operators are not standing by), especially during weekends. As a rule of thumb, please make sure that you wait ~1 week before bumping a topic if you don’t get any answer.

1 Like
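To make the distinction between the two categories above concrete, here is an added example (not code from this thread or from Sonar) of the kind of "taint" path a taint analyser reports: a value that arrives from an untrusted caller flows, unchanged, into a SQL sink. The hardened function beside it breaks that path with parameter binding. The table, the sample rows and the function names are all constructed for the example, and SQLite is used only so that it runs offline.

```python
import sqlite3
from typing import Optional


def build_db() -> sqlite3.Connection:
    """Constructed in-memory table so the example runs without any setup."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("O'Brien", "obrien@example.test")],
    )
    conn.commit()
    return conn


def find_email_vulnerable(conn: sqlite3.Connection, name: str) -> Optional[str]:
    # `name` is treated as untrusted input (the taint SOURCE); it is concatenated
    # straight into the statement text (the SINK) with nothing in between.
    # This source-to-sink path is what a taint rule such as "SQL injection" flags.
    query = f"SELECT email FROM users WHERE name = '{name}'"
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def find_email_hardened(conn: sqlite3.Connection, name: str) -> Optional[str]:
    # Parameter binding: the driver always treats `name` as data, never as SQL,
    # so the tainted value never reaches the statement text and the path is broken.
    row = conn.execute("SELECT email FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


def demo() -> dict:
    """Run both variants on a benign name and on one containing a quote.

    The quote is ordinary user data (a real surname), yet the vulnerable variant
    cannot tell it apart from SQL syntax and fails, while the hardened variant
    returns the matching row.
    """
    conn = build_db()
    results = {}
    for name in ("alice", "O'Brien"):
        try:
            results[("vulnerable", name)] = find_email_vulnerable(conn, name)
        except sqlite3.Error as exc:
            results[("vulnerable", name)] = f"error: {type(exc).__name__}"
        results[("hardened", name)] = find_email_hardened(conn, name)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The failure on `O'Brien` is the tell: data and code are being mixed at the sink, which is exactly the property a taint analyser looks for when it traces user-controlled input through the application. The "standard" rules from the first bullet, by contrast, match a construct in isolation and need no such path.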

Hi Jean,

Thank you for your reply.

This will help us to analyse if SonarLint would fit our requirement. We do use Enterprise SonarQube in our organisation.

The question was asked to identify which tool would be better at analysing the security vulnerabilities mentioned in my first post, in comparison with GitHub Advanced Security.

My other question would be: if SonarLint is not yet mature, can SonarQube scan and detect vulnerabilities similar to GitHub Advanced Security?

Thank you
Harish

SonarQube Enterprise Edition will flag vulnerabilities of the first 2 types I mentioned earlier (standard + taint), not secrets.

On top of those, it will raise Security Hotspots in places where a human intervention is needed to decide whether a given code construct is safe or a real vulnerability.

I see that GitHub Advanced Security also does dependency analysis, which is completely out of the scope of SonarQube.

Again, I believe that GitHub Advanced Security can be used to complement SonarQube’s static application security testing capabilities: there does not seem to be much overlap in what these tools bring.

1 Like