
Languages and rules

kevin-hinz edited this page Apr 28, 2023 · 16 revisions

Out of the box, SonarLint automatically checks your code against the following rules:

The full list of available rules is visible in the SONARLINT RULES view of the SonarLint view container, where you can activate and deactivate rules to match your conventions. SonarLint will also show a code action on each issue to quickly deactivate the corresponding rule.

Requirements

The SonarLint language server requires a Java Runtime (JRE) 11+.

On the following platforms, SonarLint comes with its own Java runtime:

  • Windows x86-64
  • Linux x86-64
  • macOS x86-64 (Intel Macs) and arm-64 (Apple Silicon Macs)

On other platforms and if a Java runtime is already installed on your computer, SonarLint should automatically find and use it. Here is how SonarLint will search for an installed JRE (in priority order):

  1. the sonarlint.ls.javaHome variable in VS Code settings if set. For instance:

    { "sonarlint.ls.javaHome": "C:\\Program Files\\Java\\jre-11.0.11" }

  2. embedded JRE for platform-specific installations

  3. the value of the JDK_HOME environment variable if set

  4. the value of the JAVA_HOME environment variable if set

  5. on Windows the registry is queried

  6. if a JRE is still not found then:

    1. the PATH is scanned for javac
    2. on macOS, the parent directory of javac is checked for a java_home binary. If that binary exists then it is executed and the result is used
    3. the grandparent directory of javac is used. This is similar to $(dirname $(dirname $(readlink $(which javac))))

SonarLint then uses the first JRE found in these steps to check its version.

If a suitable JRE cannot be found at those places, SonarLint will ask for your permission to download and manage its own version.
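Added example (not SonarLint's own code): a small Python diagnostic that walks the lookup order described above, so you can predict which runtime the language server will pick on a given machine. The `find_jre` function, its `settings`, `env`, `system` and `embedded_jre` parameters, and the returned step labels are assumptions made for this example; the Windows registry query (step 5) is not reproduced.

```python
"""Reproduce SonarLint's documented JRE lookup order as a local diagnostic."""
import os
import platform
import shutil
from pathlib import Path

SETTING_KEY = "sonarlint.ls.javaHome"  # the VS Code setting named on this page


def find_jre(settings, env, system=None, embedded_jre=None):
    """Return (step, path) for the first JRE candidate, or (None, None).

    settings     -- parsed VS Code settings.json as a dict (assumed argument)
    env          -- mapping standing in for os.environ, so the walk is testable
    system       -- platform.system() value: "Windows", "Darwin" or "Linux"
    embedded_jre -- runtime bundled with the platform-specific build, if any
    """
    system = system or platform.system()
    # 1. an explicit setting wins over everything else
    if settings.get(SETTING_KEY):
        return "1:setting", settings[SETTING_KEY]
    # 2. runtime shipped with the extension on Windows/Linux x86-64 and macOS
    if embedded_jre:
        return "2:embedded", embedded_jre
    # 3. and 4. environment variables, JDK_HOME checked before JAVA_HOME
    for step, var in (("3:JDK_HOME", "JDK_HOME"), ("4:JAVA_HOME", "JAVA_HOME")):
        if env.get(var):
            return step, env[var]
    # 5. the Windows registry query is not reproduced by this example
    # 6.1 scan PATH for a javac executable
    path = env.get("PATH")
    javac = shutil.which("javac", path=path) if path else None
    if javac is None:
        return None, None
    javac = Path(javac)
    # 6.2 on macOS a java_home binary beside javac is executed by SonarLint
    if system == "Darwin":
        java_home = javac.parent / "java_home"
        if java_home.is_file():
            return "6.2:java_home", str(java_home)
    # 6.3 otherwise the grandparent of the resolved javac is the JDK root,
    #     i.e. $(dirname $(dirname $(readlink $(which javac))))
    return "6.3:javac", str(javac.resolve().parent.parent)


if __name__ == "__main__":
    # Walk the real environment; pass {} because settings.json is not read here
    step, jre = find_jre({}, os.environ)
    print("SonarLint would use:", step, jre)
```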

Language specific requirements

JS/TS analysis

To analyze JavaScript and TypeScript code, SonarLint requires a Node.js executable. The minimal supported version is 14.17.0 for standalone analysis or in Connected Mode with SonarCloud. For Connected Mode with SonarQube, it depends on the version of the JS/TS analyzer on your SonarQube server. SonarLint will attempt to automatically locate node, or you can force the location using:

    {
        "sonarlint.pathToNodeExecutable": "/home/yourname/.nvm/versions/node/v14.17.0/bin/node"
    }

Analysis of TypeScript in Connected Mode with SonarQube requires the server to use version 8.1 or above.

C and C++ analysis specific requirements

To analyze C and C++ code, SonarLint requires that you define a path to your compile commands.

Search for Path To Compile Commands in the VS Code Settings (or go to VS Code Settings > Extensions > SonarLint > User and scroll to the entry); then enter the full path to your active compilation database:

Path to compiler

Note: if you are using the Microsoft Visual C++ compiler, the environment must be ready to build the code, for example by launching VS Code from your Visual Studio Command Prompt.

More information about supported environments and troubleshooting tips can be found on the C and CPP analysis page.

Infrastructure as Code

SonarLint for VS Code 3.17+ supports analysis of Infrastructure as Code (IaC) to help you secure your deployments. See the Sonar Rules pages as linked below for complete details:

Java analysis

To enable the support for Java analysis, you need the Language support for Java VSCode extension (version 0.56.0 or higher). You also need to be in standard mode.

Apex analysis

The support for Apex analysis is only available together with SonarQube Enterprise Edition or SonarCloud when running in Connected Mode. You will also need the Salesforce Extension Pack VS Code extension.

PL/SQL analysis

The support for PL/SQL analysis is only available together with SonarQube Developer Edition or SonarCloud when running in Connected Mode. You also need the Oracle Developer Tools for VSCode extension.

Jupyter notebooks

SonarLint for VS Code v3.16+ supports analysis of Python code inside Jupyter notebooks. See the documentation page for details.

Injection vulnerabilities

Security vulnerabilities requiring taint engine analysis (taint vulnerabilities) are only available in Connected Mode because SonarLint pulls them from SonarQube or SonarCloud following a project analysis.

To browse injection vulnerabilities in SonarLint for VSCode, establish Connected Mode with your SonarQube Developer Edition (and above) or SonarCloud instance. Once a Project Binding is configured, SonarLint will synchronize with the SonarQube or SonarCloud server to report the detected injection vulnerabilities.

More information about security-related rules is available in the SonarQube or SonarCloud documentation.

Security hotspots

In SonarLint for VS Code 3.14 and above, local detection of Security Hotspots is enabled if you are using Connected Mode with SonarQube 9.7 or above.

Please see the documentation for more details.

Secrets detection

Secrets are pieces of user-specific or system-level credentials that should be protected and accessible to legitimate users only. SonarLint detects exposed Secrets in your source code and in language-agnostic config files. When running in Connected Mode, the SonarQube or SonarCloud Quality Profiles are applied to locally detected Secrets.