VS SonarLint connected extension not showing Security Hotspots and Taint vulnerabilities

Please provide

  • Operating system: windows 11
  • SonarLint plugin version:
  • Programming language you’re coding in: C# and JS
  • Is connected mode used:
    • Connected to SonarCloud

And a thorough description of the problem / question:

I am testing SonarLint for which I am using VS 2022 and SonarCloud connected mode.

I have a vulnerable application which has 2 Security Hotspots and 8 code smells. I have scanned my vulnerable application in SonarCloud already. For Security Hotspots I have XSS and CSRF, and for code smells I have weak ciphers.

When I connect my VS 2022 SonarLint extension to SonarCloud, I see my code smells under the Error List, which is as expected (this works in both connected and unconnected mode), but I am not able to see any Security Hotspots or Sonar taint vulnerabilities. From reading some issues raised before in the community, the latter two only work in connected mode, so I was expecting to see them populated.

Could you please let me know if I am doing something wrong? As I am using VS 2022, I have Roslyn enabled by default.

Hello @Themachineworks - welcome to the community.

Taint rules are not run in the IDE, but you can see taint issues that have been reported to the Sonar server. See this wiki page for more information.

Hotspot rules are not currently executed in the IDE either, although you can use the “Open in IDE” feature in SonarQube (not SonarCloud) to open a hotspot on the server in the IDE. See this wiki page for more information.

Going forward, hotspot rules will be run locally in the IDE for C, C++, JavaScript and TypeScript in SLVS v7.1 (due to be released later this week - #4588) if you are in Connected Mode. Unfortunately, this won’t include Roslyn rules.