Using SonarLint Fixing issues - kevin-hinz/sonarlint-docs-migration-render GitHub Wiki
Page Item: Fixing Issues
SLUG: using-sonarlint-fixing-issues
HEADING 1
Lorum ipsum
QUICKFIX IS AN EXAMPLE FEATURE
Eclipse
PLACE ECLIPSE CONTENT HERE TO ENTERED INTO THE KONTENT.AI-SPECIFIC ASSET
IntelliJ
Issues are most easily fixed by correcting the problem as it is described in the Sonar Rule Description but it’s not always that simple:
- Check the rule description to understand what the problem is.
- Check the locations tab to see where else, if anywhere, the issue is found.
Double-click the issue in the SonarLint view window to jump to and highlight the code in the explorer. Once the code is highlighted, you have more than one way to expose solutions and suggested quick fixes.
Quick fixes
Some issues have Sonar Quick Fixes, which means that with a single click, SonarLint will automatically edit your source code to comply with the rule description; the fix might be applied on several lines in the file. While in the explorer window, type Alt+Enter, click the lightbulb in the left margin, or hover over the highlighted issue to reveal the tooltip exposing these options:
- Fix the issue in the code: Cmd+↓/Ctrl+↓ or double-click the issue report to jump to the line of code in the explorer window.
- Disable the rule: IntelliJ Settings > Tools > SonarLint > Rules and find the applicable rule per language. Some Sonar Rules are disabled by default because they overlap with the built-in IntelliJ code inspection; it doesn’t make sense to report the same issue twice. Note that when running in Connected Mode, rule configurations are fetched from the project’s quality profile and used by SonarLint, overriding any local configuration of your rule selection in the IDE.
Fixing taint vulnerabilities
Issues shown in the Taint vulnerabilities tab are security-related rule issues that are only raised by SonarQube (starting with Developer Edition) and SonarCloud. Due to technical limitations, SonarLint for IntelliJ cannot raise such issues on local analysis. Taint vulnerabilities will not be shown in the Current file or Report tabs of the SonarLint view window unless you are running in Connected Mode.
To investigate taint vulnerabilities when running in Connected Mode, double-click on the issue shown in the Taint vulnerabilities tab to open the location in the explorer (as you would with other issues). The tooltip and rule descriptions will reveal information about how to fix your issues. Please see the documentation on Taint vulnerabilities for more details.
Understanding changes in your code
It could be that the local code does not match the code on the server. For example, when you are making modifications, your code may differ from the server code as it was analyzed when the issue was detected. In this case, the issue in the Taint vulnerabilities tab has a "local code not matching" tag, signifying that your local code is a bit different from what is on the server: the numbered inlay will be grey. In contrast, if the local code matches the issue on the server, it will have a numbered inlay in red.
The solution to managing differences in code depends on your goal at the time. It could be that you are actively updating your local branch, in which case you should merge your branch with the main branch and re-run an analysis. It could be that your local branch is behind the main branch; in this case, you can click the Refresh button in the left margin of the SonarLint view window to pull an updated report from the server.
Please see the documentation about Taint vulnerabilities for more information about working with this particular security issue.
Visual Studio
PLACE VISUAL STUDIO CONTENT HERE TO ENTERED INTO THE KONTENT.AI-SPECIFIC ASSET
SonarLint now provides the ability to fix select issues with quick fixes.
Supported languages
Click on the language to see the list of supported rules.
Feature overview
When a file is open and there are issues with quick fixes, a lightbulb will appear on the line of the issue.
If the lightbulb is clicked, a menu with possible quick fixes will open.
If one of the quick fixes is selected, the fix will be applied automatically.
Known Limitations
- Quick fixes for the whole line are always shown #2878
- When an edit elsewhere invalidates an issue, its quick fixes remain visible until a new analysis is run.
Visual Studio Code
PLACE VISUAL STUDIO CONTENT HERE TO ENTERED INTO THE KONTENT.AI-SPECIFIC ASSET