Issues reported in the IDE should match those on the server
Description
Developers using connected mode quite reasonably expect the issues reported in the IDE to match those in SonarQube/SonarCloud. However, there are multiple possible reasons why this is not currently the case. Some of these are bugs, some are technical restrictions, some are just work that hasn't been done yet.
This issue is an attempt to collect the various reasons for the client/server discrepancies, linking to specific actionable tickets where appropriate.
Issues
- [ ] #3094
- [ ] #3095
- [x] #884 Issues category should show type and severity defined in SonarQube
- [ ] #1197 Handle deprecated rule keys in configuration
Language-specific issues - C#/VB.NET
- [x] #3093 server-side settings are not used by SLVS (e.g. inclusions/exclusions)
- different analyzer versions are used in the IDE. This is a tricky one: we can't dynamically change SonarC#/VB analyzer versions in the IDE for technical reasons (i.e. VS doesn't support it). We could for other languages.
- [ ] #1337 MSBuild project settings used by the Sonar Scanner for MSBuild are not used by SonarLint (i.e. SonarQubeExclude and SonarQubeTestProject). NOTE: these settings should also be respected in standalone mode.
- [ ] the logic used by the Sonar Scanner for MSBuild to classify test projects is different
- [x] #176 - rules parameters are not synchronized
- [x] #1005 - C#/VB suppressions mechanism is partially broken in VS2019 (and possibly in later VS2017 updates)
- #632 - Quality Profiles are not applied to test projects
- [x] #574 - suppressed issues can still be reported in the IDE
Language-specific issues - JavaScript
- [ ] #770 - connected mode is not implemented for JavaScript
Language-specific issues - CFamily
- [x] #1335
Issues mismatch between the SonarQube server and SonarLint in connected mode. #100: SonarLint gives => Minor Code Smell; SonarCloud gives => Major
[EDIT] the mapping between the Visual Studio severities used by SonarLint and the SonarQube/SonarCloud severities is documented here.
Another use case:
- the project is scanning the repository using sonar-scanner-cli from the CI system
- the developers do not have permissions to create / do not want custom quality profiles to be created in SQE, so they rely on the default quality profile
- the project is disabling some false-positive rules via the sonar-project.properties file that is stored in the root of the project
The IDE could provide a setting or automatically detect a sonar-project.properties file present in the directory and use it to configure the ruleset used.
[EDIT] new feature request is tracked here.
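As an added example (not SonarLint code and not the commenter's), the following Python script shows what the IDE would have to do to honour such a file: parse the `sonar.exclusions` and `sonar.issue.ignore.multicriteria.*` entries of a sonar-project.properties file and decide whether an issue the IDE is about to report would be ignored server-side anyway. The property names are the real SonarQube analysis parameters; the sample file content, the rule keys, the file paths and the helper names (`parse_properties`, `is_suppressed`, etc.) are constructed for the example.

```python
"""Decide whether an issue would be ignored by a project's sonar-project.properties.

Added example; not SonarLint code. The property names (sonar.exclusions,
sonar.issue.ignore.multicriteria.*) are the real SonarQube analysis parameters;
the sample file and the paths/rule keys below are constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of a sonar-project.properties file stored at the repository root.
SAMPLE_PROPERTIES = """\
# Analysed from CI with sonar-scanner-cli; the default quality profile is used,
# so false positives are silenced here instead of in a custom profile.
sonar.projectKey=example-project
sonar.sources=src
sonar.exclusions=**/obj/**, **/bin/**

sonar.issue.ignore.multicriteria=e1,e2
# Tool-generated utility classes: do not flag missing private constructors.
sonar.issue.ignore.multicriteria.e1.ruleKey=csharpsquid:S1118
sonar.issue.ignore.multicriteria.e1.resourceKey=**/Generated/*.cs
# Designer files: ignore every C# rule.
sonar.issue.ignore.multicriteria.e2.ruleKey=csharpsquid:*
sonar.issue.ignore.multicriteria.e2.resourceKey=**/*.Designer.cs
"""


def parse_properties(text: str) -> dict[str, str]:
    """Minimal Java .properties reader: '#'/'!' comments, key=value pairs and
    trailing-backslash line continuation. The ':' and whitespace separators
    that the full format allows are rejected rather than misparsed."""
    props: dict[str, str] = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):          # value continues on the next line
            pending = line[:-1]
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"unsupported property line: {line!r}")
        props[key.strip()] = value.strip()
    return props


def glob_to_regex(pattern: str) -> re.Pattern[str]:
    """Ant-style path glob: '**' spans directories, '*' and '?' stay inside one segment."""
    out: list[str] = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out.append("(?:.*/)?")       # zero or more leading directories
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def rule_key_regex(rule_key: str) -> re.Pattern[str]:
    """Rule keys look like 'csharpsquid:S1118'; '*' is the only wildcard."""
    return re.compile("^" + re.escape(rule_key).replace(r"\*", ".*") + "$")


@dataclass(frozen=True)
class IgnoreRule:
    rule: re.Pattern[str]
    path: re.Pattern[str]


def load_ignore_rules(props: dict[str, str]) -> list[IgnoreRule]:
    """Expand the multicriteria entries into (rule pattern, path pattern) pairs."""
    rules: list[IgnoreRule] = []
    for ident in (s.strip() for s in props.get("sonar.issue.ignore.multicriteria", "").split(",")):
        if not ident:
            continue
        prefix = f"sonar.issue.ignore.multicriteria.{ident}."
        rule_key = props.get(prefix + "ruleKey")
        resource = props.get(prefix + "resourceKey")
        if rule_key is None or resource is None:
            raise ValueError(f"incomplete multicriteria entry {ident!r}")
        rules.append(IgnoreRule(rule_key_regex(rule_key), glob_to_regex(resource)))
    return rules


def file_excluded(path: str, props: dict[str, str]) -> bool:
    """True when sonar.exclusions removes the file from analysis entirely."""
    patterns = [p.strip() for p in props.get("sonar.exclusions", "").split(",")]
    return any(glob_to_regex(p).match(path) for p in patterns if p)


def is_suppressed(path: str, rule_key: str, props: dict[str, str]) -> bool:
    """Would the server ignore this (file, rule) pair? Paths are repository-relative."""
    if file_excluded(path, props):
        return True
    return any(r.rule.match(rule_key) and r.path.match(path) for r in load_ignore_rules(props))


SAMPLE_PROPS = parse_properties(SAMPLE_PROPERTIES)

if __name__ == "__main__":
    for path, key in [("src/Generated/Lookup.cs", "csharpsquid:S1118"),
                      ("src/Lookup.cs", "csharpsquid:S1118"),
                      ("src/MainForm.Designer.cs", "csharpsquid:S2325"),
                      ("obj/Debug/MainForm.cs", "csharpsquid:S1118")]:
        print(f"{path:28} {key:20} suppressed={is_suppressed(path, key, SAMPLE_PROPS)}")
```

The check is deliberately conservative: a file excluded via `sonar.exclusions` is treated as suppressed for every rule, and a multicriteria entry only fires when both its rule pattern and its path pattern match, which is what keeps an IDE-side filter from hiding more than the server does.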
I am using Visual Studio Version 17.6.5 and am connected to a SonarCloud instance. I am not getting vulnerabilities, and the SonarLint log says Found 0 issues. For the same file in SonarCloud, I have SQL injection flagged. I have tried the same in VS Code, and SonarLint is showing the SQL injection there.
@KwazyCodi in VS, taint vulnerabilities are shown in a separate tool window. See this wiki page for more information.
If you are still having problems please open a thread in the community forum.