Getting Started Requirements - kevin-hinz/sonarlint-docs-migration-render GitHub Wiki

Page Item: Requirements

SLUG: getting-started-requirements

HEADING 1

Lorum ipsum

HEADING 2

Lorum ipsum

tabbed

Eclipse

PLACE ECLIPSE CONTENT HERE TO ENTERED INTO THE KONTENT.AI-SPECIFIC ASSET

Here are the requirements for SonarLint to work properly.

Eclipse Platform Requirement: the minimal version of the Eclipse platform that SonarLint supports. If you are not familiar with Eclipse versioning scheme, see here.
JVM requirement: the minimal version of the JVM that is used to run Eclipse.
Node.js requirement: only for JavaScript analysis
SonarQube minimal requirement: only if using connected mode. Usually means that the next LTS is also supported.

SonarLint Version	Eclipse Platform Requirement	JVM Requirement	Node.js Requirement	SonarQube Min Requirement (for connected mode)
6.x	4.6+ (Neon+)	1.8+		7.9+
7.x	4.8+ (Photon+)	11+		7.9+
7.4	4.8+ (Photon+)	11+	12.22+	7.9+

Other requirements

Analysis of Java code requires JDT
Analysis of C and C++ requires CDT
Analysis of Cobol requires specific integration provided only by some Cobol IDEs, like IBM Developer for z Systems (IDz) or BMC Compuware Topaz Workbench.

Please also note that recent versions of SonarLint and of our analyzers require a JRE 11+ in order to run. To this date, IBM IDz has not yet added support to Java 11 (see a request ticket here). This means that for the moment, you can only run Cobol analysis in IDz by using the following versions of Sonar products:

SonarQube 8.9 LTS
SonarLint for Eclipse v6.2 (download link here)

tabbed

IntelliJ

SonarLint integrates with most JetBrains IDEs including IntelliJ IDEA, CLion, WebStorm, PHPStorm, PyCharm, Rider, Android Studio & RubyMine, and runs on Mac, Windows, and Linux OS.

SonarLint requires your IDE to be run with a JVM 11+ (this is the case for all recent JetBrains IDEs). The analysis of JavaScript and TypeScript requires Node.js >= 14.20 (Node.js >= 16 is recommended).

Installing via the Marketplace

Installation is usually completed via the IDE, directly from the JetBrains Marketplace. In IntelliJ, go to Settings > Plugins and when in the Marketplace tab, search for sonarlint. Select Install. When complete, you must select Restart IDE and confirm the Restart to activate the new plugin.

If SonarLint does not appear in the Marketplace when searching from within the IDE, it means that your IDE is not supported.

Offline Installation

To install SonarLint offline, you must first download the plugin zip file from the JetBrains Marketplace. On occasion, an ad-hoc version can be built mainly for debugging purposes when a user reports a bug on our community forum.

To install the zip, go to File > Settings > Plugins. Behind the gear wheel at the right, select Plugin from Disk and select the appropriate zip file to start the installation.

Installing Rider

There are specific requirements for Rider which are documented on the SonarLint in Rider wiki page in our GitHub repository.

tabbed

Visual Studio

PLACE VISUAL STUDIO CONTENT HERE TO ENTERED INTO THE KONTENT.AI-SPECIFIC ASSET

The only thing you need to install is the VSIX (in versions prior to v4.34, additional steps were required for some languages).

NodeJS prerequisite for JavaScript and TypeScript analysis

Sonar’s JavaScript and TypeScript analyzers require specific Node.js versions to be installed on the machine. If no compatible version is found, the analysis will not be performed. See the table below for minimal required Node.js version per SonarLint version:

SonarLint for Visual Studio Version	Minimal Required Node.js Version
v6.9	Node.js v14.17 and higher
v6.8	Node.js v12.22 and higher
v6.7 and earlier	Node.js v10 and higher, excluding Node.js v11

Auto-detection of compatible Node.js versions

SonarLint for Visual will attempt to locate a compatible Node.js version on the machine by searching on the %PATH%. It will also check whether there is a Node.js installation as part of the current Visual Studio installation.

If SonarLint cannot find a compatible Node.js version, it will show a notification in a gold bar like the following:

JavaScript TypeScript no supported Node version gold bar screenshot

The Output Window will contain additional information about the Node.js versions that were located:

JavaScript TypeScript no supported Node version Output Window screenshot

Manually specifying a custom location of Node.js installation

You can also set the environment variable SONAR_NODEJS_PATH to specify a custom location. The value should be the full file path to the node executable e.g. c:\custom\node.exe. The environment variable takes precedence over the automatic detection. You will need to restart Visual Studio after setting or changing the environment variable.

Installing Node.js

If the machine does not have a compatible version of Node.js, you can manually install one. Node.js versions can be downloaded from the official website nodejs.org. Both the 32-bit and 64-bit versions are supported. The simplest installation method on Windows is to use the appropriate .msi.

Deprecation of older Node.js versions

From time to time the Sonar JavaScript/TypeScript analyzer will increase the minimum required Node.js version as older versions go out of support. The dropping of support will be announced in advance in the Community Forum (e.g. this post regarding the deprecation of Node.js v12 and dropping of support for Node.js vs10).

This page will be updated as the minimum required Node.js version changes.

collapse

Analyzing CMake projects

This page contains an overview of how to get started with analyzing CMake projects in VS2017.3 and later versions, along with information about known issues. This feature is available starting with SLVS v4.38.

If you need more help, please open a ticket in the SonarLint - Get Help section of the community forum.

Getting started - VS2019 and later

Open / create a new CMake project in Visual Studio
Add the command set(CMAKE_EXPORT_COMPILE_COMMANDS ON) to the top-level CMakeLists.txt file:

Adding Set command to CMakeLists.txt

Save the file.
Check that VS has generated the compilation database.

Source and header files will now be analyzed on opening/saving. The SonarLint Output Window will contain more information about the progress of the analysis.

Note: if you are creating a new CMake project in VS2019 there appears to be an intermittent issue with VS not recognizing the project as a CMake project until the folder is closed and re-opened. See ticket #2656 for more information.

Getting started - VS2017.3

Follow the same getting started steps as for VS2019 and later above. In addition, to successfully analyze C/C++files in VS2017 your project will need to use a non-default CMakeSettings.json file. This is because the default CMakeSettings.json file uses the workspaceHash or projectHash macros, which are not supported in by SonarLint in VS2017.

If you do not already have a CMakeSettings.json file on disc, Visual Studio will create one if you click on Manage configurations option and select a compilation target:

Selecting manage config dropdown in VS2017

Visual Studio will then create a default CMakeSettings.json file:

Default CMakeSettings.json file

Edit the CMakeSettings.json file to change the buildRoot property to one that does not use either workspaceHash or projectHash.

Note: the defaults used by Visual Studio for buildRoot and installRoot in VS2019 have changed to:

      "buildRoot": "${projectDir}\\out\\build\\${name}",
      "installRoot": "${projectDir}\\out\\install\\${name}",

Using those values in VS2017 will allow SonarLint to correctly analyze files in the CMake project.

CMake - known limitations

VS2017: workspaceHash and projectHash macros are not supported in VS2017

VS2017 used a different hashing algorithm from VS2019, which is not supported. See issue #2632.

This means that SonarLint will not be able to analyse files if the buildRoot property uses either of these macros.

Environment variable overrides in CMakeSettings.json are not supported

SonarLint will not process environment variable overrides in CMakeSettings.json files.

The SonarLint analysis results may be incorrect if the overridden environment variables affect the CMake compilation e.g. changing the paths that are searched for header files.

CMake presets are not currently supported by SonarLint

See the Microsoft documentation for more information about support for CMake presets in Visual Studio.

Only the Ninja generator is supported

SonarLint uses the generated compilation database (compile_commands.json) to fetch the compiler options to use during analysis. The Ninja generator creates a compilation - the other VS generators do not. Visual Studio introduce support for the Ninja generator in VS2017 Update 3 (v15.3). Newer versions of VS use the Ninja generator by default. You can also configure VS to use the Ninja generator by providing an appropriate CMakeSettings.json file e.g.

{
  "configurations": [
    {
      ... 
      "name": "x64-Release",
      "generator": "Ninja",
      ...
      "buildRoot": "${projectDir}\\out\\build\\${name}\\",
      "installRoot": "${projectDir}\\out\\install\\${name}",
      ...
    }
  ]
}

tabbed

Visual Studio Code

PLACE VISUAL STUDIO CONTENT HERE TO ENTERED INTO THE KONTENT.AI-SPECIFIC ASSET

The SonarLint language server needs a Java Runtime (JRE) 11+.

On the following platforms, SonarLint comes with its own Java runtime:

Windows x86-64
Linux x86-64
macOS x86-64 (Intel Macs) and arm-64 (Apple Silicon Macs)

On other platforms and if a Java runtime is already installed on your computer, SonarLint should automatically find and use it. Here is how SonarLint will search for an installed JRE (in priority order):

the sonarlint.ls.javaHome variable in VS Code settings if set. For instance:

{ "sonarlint.ls.javaHome": "C:\Program Files\Java\jre-11.0.11" }
embedded JRE for platform-specific installations
the value of the JDK_HOME environment variable if set
the value of the JAVA_HOME environment variable if set
on Windows the registry is queried
if a JRE is still not found then:
1. the PATH is scanned for javac
2. on macOS, the parent directory of javac is checked for a java_home binary. If that binary exists then it is executed and the result is used
3. the grandparent directory of javac is used. This is similar to $(dirname $(dirname $(readlink $(which javac))))

SonarLint then uses the first JRE found in these steps to check its version.

If a suitable JRE cannot be found at those places, SonarLint will ask for your permission to download and manage its own version.

JS/TS analysis specific requirements

To analyze JavaScript and TypeScript code, SonarLint requires Node.js executable. The minimal supported version is 14.17.0 for standalone analysis or Connected Mode with SonarCloud. For Connected Mode with SonarQube, it depends on the version of the JS/TS analyzer on your SonarQube server. SonarLint will attempt to automatically locate node, or you can force the location using:

    {
        "sonarlint.pathToNodeExecutable": "/home/yourname/.nvm/versions/node/v14.17.0/bin/node"
    }

Analysis of TypeScript in Connected Mode with SonarQube requires the server to use version 8.1 or above.

C and C++ analysis specific requirements

To analyze C and C++ code, SonarLint requires compile commands json file:

    {
        "sonarlint.pathToCompileCommands": "/home/yourname/repos/proj/compile_commands.json"
    }

Note: if you are using Microsoft compiler, the environment should be ready to build the code. For example, by launching VS Code from your Visual Studio Command Prompt

Java analysis specific requirements

To enable the support for Java analysis, you need the Language support for Java VSCode extension (version 0.56.0 or higher). You also need to be in standard mode.

Apex analysis specific requirements

The support for Apex analysis is only available together with SonarQube Enterprise Edition or SonarCloud (see Connected Mode below). You also need the Salesforce Extension Pack VSCode extension.

PL/SQL analysis specific requirements

The support for PL/SQL analysis is only available together with SonarQube Developer Edition or SonarCloud (see Connected Mode below). You also need the Oracle Developer Tools for VSCode extension.

Injection vulnerabilities specific requirements

Security vulnerabilities requiring taint engine analysis (taint vulnerabilities) are only available in Connected Mode because SonarLint pulls them from SonarQube or SonarCloud following a project analysis.

To browse injection vulnerabilities in SonarLint for VSCode, establish Connected Mode with your SonarQube Developer Edition (and above) or SonarCloud instance. Once a Project Binding is configured, SonarLint will synchronize with the SonarQube or SonarCloud server to report the detected injection vulnerabilities.

More information about security-related rules are available in the SonarQube or SonarCloud documentation.