Using SonarLint Taint Vulnerabilities - kevin-hinz/sonarlint-docs-migration-render GitHub Wiki
Page Item: Taint vulnerabilities
SLUG: using-sonarlint-taint-vunlnerabilities
Overview
Taint vulnerabilities are a type of security-related rule that both SonarCloud and SonarQube (starting with Developer Edition) can raise.
Eclipse
Due to technical limitations, SonarLint for Eclipse cannot raise such issues during local analysis. Nevertheless, a bound project can display within the IDE the taint vulnerabilities detected by SonarCloud/SonarQube.
Prerequisites
- Your project must be bound to SonarCloud or to SonarQube 8.6+ Developer Edition (or higher)
- For this feature to be valuable, your project needs to be analyzed frequently (ideally by your CI server when pushing new code)
- Only issues detected on the main branch will be displayed in the IDE
- Only issues detected on open files will be displayed in the IDE
How to display taint vulnerabilities in Eclipse
- Bind your project to SonarQube/SonarCloud
- Open Window > Show View > Other... > SonarLint > SonarLint Taint Vulnerabilities
- The view should display the list of taint vulnerabilities that are present on open files.
IntelliJ
Due to technical limitations, SonarLint for IntelliJ cannot raise such issues during local analysis. Nevertheless, a bound project can display within the IDE the taint vulnerabilities detected by SonarCloud/SonarQube.
Prerequisites
- Your project must be bound to SonarCloud or to SonarQube 8.6+ Developer Edition (or higher)
- For this feature to be valuable, your project needs to be analyzed frequently (ideally by your CI server when pushing new code)
- Only issues detected on the main branch will be displayed in the IDE
- Only issues detected on open files will be displayed in the IDE
How to display taint vulnerabilities in IntelliJ
- Bind your project to SonarQube/SonarCloud
- Open the SonarLint tool window and select the Taint Vulnerabilities tab
- The tab should display the list of taint vulnerabilities that are present on open files.
Visual Studio
SonarLint now provides a way to investigate Taint Vulnerabilities found on SonarCloud or your SonarQube server.
Feature requirements
- SonarLint version 4.31 or higher.
- The correct solution must be open in Visual Studio and it must be in Connected Mode to SonarCloud or SonarQube version 8.6 or higher.
Feature overview
When a solution connected to SonarCloud or SonarQube is open in Visual Studio, SonarLint will fetch the vulnerabilities from the configured server. If any vulnerabilities exist, a new tool window will be displayed in a new tab next to the Error List:
The tool window will appear automatically if your server has any taint vulnerabilities in your project. If you are not in Connected Mode, or if your server has no taint vulnerabilities, the window will not appear.
Taint Vulnerabilities list
The taint list is filtered to display remote vulnerabilities found in the currently open code file. When a file containing issues is opened, the caption of the tool window will update to reflect the number of remote vulnerabilities found in the file:
The header of the list will display information about the analysis in which these issues were found:
Note: Currently SonarLint does not detect Taint Vulnerabilities during live analysis in the IDE. The issues appearing in the Taint Vulnerabilities list are the issues reported on your SonarQube or SonarCloud server.
Investigating Taint Vulnerabilities
You can investigate a vulnerability by using a double-click or the Enter key. This will take you to the relevant code location and open the SonarLint Issue Visualization panel with visualization of your code flow.
Note: if you do not see the Issue Visualization panel, click on View → Other Windows → SonarLint Issue Visualization. See SonarLint Issue Visualization for more information.
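As an added illustration of the source-to-sink flow that the Issue Visualization panel draws (this is a constructed Python model, not code from the SonarLint or SonarSource documentation): a request parameter reaches a SQL sink through an intermediate call, recorded step by step the way the panel lists flow locations, beside the parameterized version that a taint rule would not flag. The query-string format, the `users` table and the step labels are assumptions made for the example.

```python
import sqlite3
from dataclasses import dataclass, field


def open_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the application's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "o'brien")])
    return conn


@dataclass
class Tainted:
    """An untrusted string plus the trail of locations it has travelled through."""
    value: str
    trail: list = field(default_factory=list)

    def step(self, where: str) -> "Tainted":
        # Propagation: the value moves on and stays tainted; the trail records where.
        return Tainted(self.value, self.trail + [where])


def read_query_param(raw_query: str, name: str) -> Tainted:
    """Source: a parameter taken from a (constructed) request query string."""
    params = dict(p.split("=", 1) for p in raw_query.split("&") if "=" in p)
    return Tainted(params.get(name, ""), [f"source: query param '{name}'"])


def normalise(user: Tainted) -> Tainted:
    """Intermediate step: trimming whitespace is not sanitisation, so taint propagates."""
    return Tainted(user.value.strip(), user.trail).step("normalise()")


def lookup_unsafe(conn: sqlite3.Connection, raw_query: str) -> tuple:
    """Vulnerable path: the tainted value is spliced into the SQL text (the sink).
    Returns the rows and the ordered flow a taint rule would report."""
    user = normalise(read_query_param(raw_query, "user")).step("lookup_unsafe()")
    sql = "SELECT id FROM users WHERE name = '" + user.value + "'"
    flow = user.trail + ["sink: SQL text passed to conn.execute()"]
    return conn.execute(sql).fetchall(), flow


def lookup_safe(conn: sqlite3.Connection, raw_query: str) -> list:
    """Hardened path: the value is bound as a parameter and never becomes SQL text,
    so the flow ends before any sink and no taint issue is raised."""
    user = normalise(read_query_param(raw_query, "user"))
    return conn.execute("SELECT id FROM users WHERE name = ?", (user.value,)).fetchall()
```

A name containing a quote, such as `o'brien`, breaks the unsafe query but is handled correctly by the bound parameter, which is the difference the server-side rule is pointing at.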
Non-navigable code locations
Since taint vulnerabilities are fetched from your configured server, it is possible that the code on your server does not match your local code version, e.g. if code changes have been made since the last analysis. In this case, non-navigable locations will be displayed with an indication that they are not navigable:
Manually re-opening SonarLint Taint Vulnerabilities tool window
If you manually close the tool window, it will no longer appear and disappear automatically when a solution is opened. You can show the window again by clicking on View → Other Windows → SonarLint Taint Vulnerabilities:
Visual Studio Code