
Security hotspots

kevin-hinz edited this page May 23, 2023 · 12 revisions

In SonarLint for VS Code 3.14 and above, local detection of Security Hotspots is enabled when you use Connected Mode with a project on SonarQube 9.7 or above; from version 3.18, Security Hotspots are also detected when bound to a project in SonarCloud. Detected hotspots are shown under the SECURITY HOTSPOTS view in the SonarLint View Container, grouped by file.

Reviewing hotspots

First, open a file while your project is running in Connected Mode with SonarQube 9.7+ or SonarCloud. SonarLint automatically runs an analysis to look for Security Hotspots, then compares the local results against those known on the server. The results are grouped by file and labeled as Newly detected or Already known.

Clicking on an issue in either category highlights the code in the explorer window.

Newly detected hotspots

Newly detected Security Hotspots are those found by the local analysis that do not yet exist on the server. You can address them by modifying your code, or by submitting your code so that a new server-side analysis in SonarQube picks them up, after which you can mark them as Fixed or Safe on the server.

Right-clicking a Newly detected hotspot offers two options:

  • Clear Highlighting to remove the highlight over your code in the explorer window.
  • Show Rule Description to open the rule in the SonarLint view window.

Already known hotspots

Once the analysis is complete, SonarLint compares the local results against those on the server and sorts them accordingly. Already known Security Hotspots are those that exist both locally and on the server. You can address them by modifying your code in the IDE, or mark them as Fixed or Safe on the server.

Right-clicking an Already known hotspot offers three options:

  • Clear Highlighting to remove the highlight over your code in the explorer window.
  • Review on Server to open the issue in SonarQube where you can mark it as Fixed or Safe.
  • Show Rule Description to open the rule in the SonarLint view window.

Review your security hotspot on the server

Reporting security hotspots in the whole folder

By default, SonarLint searches for Security Hotspots only in open files each time an analysis is triggered; Connected Mode is required. To analyze your entire project for Security Hotspots, select In Whole Folder in the SONARLINT SECURITY HOTSPOTS view.

Selecting In Whole Folder scans your entire project; switching back to In Open Files filters the results down to the files open in the editor. Each time you select In Whole Folder, a new analysis of the entire project is triggered.

The In Whole Folder analysis can consume significant resources depending on the size of your project; if the project is large, a notice asks you to confirm the action. It is therefore recommended to define file exclusions before analyzing large projects this way. SonarLint applies some exclusions automatically, and VS Code's own exclusion settings can be used to narrow the scope further.

SonarLint applies these file exclusions automatically:

  • File extension: SonarLint knows the primary language of your project and will restrict the scope of analysis to files matching that set of extensions.
  • File size: files larger than 0.5 MB are ignored…
  • .gitignore: files matched by the patterns in your .gitignore are excluded.

NOTE: Although files ignored via .gitignore are excluded from analysis by default, the analyzer has little visibility into how git evaluates those patterns and cannot investigate further when an error occurs. It is therefore recommended that you use VS Code's exclusions to supplement what is defined in your .gitignore file.

Defining file exclusions

To use VS Code's file exclusions, open Settings, switch to the Workspace tab, search for File: Exclude (the files.exclude setting) and select Add Pattern. The setting's description explains how VS Code uses glob patterns to manage exclusions in the editor.

Define file exclusions in VS Code

Using wildcards

To match files by extension regardless of the directory they live in or the prefix of their name, use the following wildcards:

  • * Match zero or more characters (not including the directory delimiter, /).
  • ** Match zero or more directory segments within the path.

Check the SonarQube or SonarCloud documentation about defining your analysis scope to see examples using wildcard patterns for file exclusion.
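The following workspace settings.json is an added example, not from this wiki page or the SonarLint project, showing how the exclusion guidance above and the two wildcards combine in practice. The project layout it assumes (a node_modules folder, a dist/build output directory, vendored third-party code, generated protobuf stubs and JSON test fixtures) is hypothetical; the patterns are illustrative and should be adapted to your own repository. VS Code's settings.json accepts `//` comments.

```jsonc
// .vscode/settings.json (workspace scope); hypothetical project layout.
{
  "files.exclude": {
    // "**" crosses directory boundaries: node_modules at any depth
    "**/node_modules": true,

    // no leading "**": matches only at the workspace root
    "dist": true,
    "build": true,

    // "*" stops at "/", so this matches minified bundles inside any single
    // directory, while the leading "**" lets that directory sit at any depth
    "**/*.min.js": true,

    // vendored third-party code and generated stubs; these are not your code
    // and hotspots in them cannot be fixed in this repository anyway
    "**/vendor/**": true,
    "**/*_pb2.py": true,
    "**/*.pb.go": true,

    // large fixture blobs that would otherwise hit the 0.5 MB size limit;
    // "**" in the middle of a pattern matches zero or more path segments
    "**/testdata/**/*.json": true
  }
}
```

Keep in mind that files.exclude also hides the matching files from the Explorer and Quick Open, so review what you exclude: a pattern that is too broad silently removes real code from both view and analysis, which is exactly the kind of blind spot a Security Hotspot review is meant to prevent.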