Hello, we are evaluating SQ in VS 2022 for C#, and at this time we have installed the CE Server Edition.
Something is not very clear for me and it seems that for C# there are some major limitations compared to other languages / IDE (such as IntelliJ with Springboot):
the local analysis does not include security hotspots, so we are forced to do a connected analysis, but this updates the results on the Server which is not good; we don’t have results in Visual Studio
the panels Sonar Issue Visualization, Sonar Local Security Hotspots, Taint Vulnerabilities always remain empty, even when doing a connected analysis
the connected mode seems just to be useful for the SonarQube Events icon in bottom bar
Are these assumptions right or I’m missing / I’m doing something wrong?
For the optimal analysis performance, we use the built in VS mechanism to run C# analyzers. However, it comes with the drawbacks:
Hotspots are not supported because we can’t intercept the analyzer diagnostics. Hotspots require a separate workflow, different from normal issues, and analyzing them separately from issues would require us to run analysis manually which is technically possible, but has not been the priority for us. This could change in the future, but no promises.
Sonar Issue Visualization is not available for C# due to the fact that VS API gives us very limited information about the issues, which does not include secondary locations for issues. Note: Taint issues do not suffer from this limitation.
However, other things you’ve mentioned should work:
Taint C# issues are synced from the server. They are displayed for the current active file.