Team Features Connected Mode
Page Item: Connected Mode
SLUG: team-features-connected-mode
FROM VS_CODE:
You can connect SonarLint to SonarQube 7.9+/SonarCloud by binding your VSCode workspace folder to your SonarQube/SonarCloud project(s), and benefit from the same rules and settings that are used to inspect your project on the server. SonarLint in VSCode then hides Won’t Fix and False Positive issues in any file from a bound folder. In version 3.10 and above, SonarLint for VSCode tries to automatically detect the remote project to bind with your locally opened workspace folder.
While in Connected Mode, SonarLint receives notifications from SonarQube/SonarCloud about your Quality Gate changes and new issues. Notifications can be enabled or disabled from the UI while creating or editing the connection settings. Note, Connected Mode notifications are not available in SonarQube Community Edition 8.6 and earlier.
FROM ECLIPSE:
You can connect SonarLint to SonarQube >= 7.9 or SonarCloud to aim at having consistent issues reported on both sides.
Features when connected mode is used:
- use the same analyzers than the server, assuming they are supported in SonarLint (except for JS/TS and HTML analyzers where SonarLint keep using its embedded version)
- use the same quality profile (same rules activation, parameters, severity, ...)
- reuse some settings defined on the server (rule exclusions, analyzer parameters, ...)
- automatically suppress issues that are marked as Won’t Fix or False Positive on the server
Note: connected mode does not push issues to the server. Rather, its purpose is to configure the IDE so that it uses the same settings as the server.
Lorum ipsum
Select the tab (collapsable box) below corresponding to your IDE:
PLACE ECLIPSE CONTENT HERE TO ENTERED INTO THE KONTENT.AI-SPECIFIC ASSET
-
Open the connection wizard, for example using menu File -> New-> Other... and then SonarQube/SonarCloud Connection:
-
Select SonarQube and click on the Next button:
- Enter your SonarQube server URL:
- Choose the authentication method:
- Token: generate a token on SonarQube, to be used by SonarLint as authentication method. This is the preferred way to avoid the risk to compromise your username/password.
- Username + Password: use directly your SonarQube credentials (not recommended)
-
Enter your token or username/password
-
Give your connection a name
- Generate a token on SonarCloud, to be used by SonarLint as authentication method.
Configured connections can be retrieved from the Bindings view (Window > Show View > Other... > SonarLint > SonarLint Bindings).
This should open a view at the bottom, listing all connections:
A right-click on a connection will open a contextual menu to remove or edit the connection. It can be useful for example to update the credentials if they have changed.
PLACE INTELLIJ CONTENT HERE TO ENTERED INTO THE KONTENT.AI-SPECIFIC ASSET
A connection provides the set of information needed to communicate with the SonarQube server or SonarCloud (URL, credentials, ...).
-
Open IntelliJ settings, find the Tools > SonarLint entry, and select
+to open the connection wizard:
-
Enter a name for this connection, select SonarCloud or SonarQube. For the latter, you will need to enter the server URL:
-
Choose the authentication method:
-
Token: generate a token on SonarQube or SonarCloud for SonarLint to use as an authentication method. This is the preferred way to avoid the compromise of your username/password.
-
Username + Password: this method can be used for a SonarQube connection only. It lets you use your credentials directly (not recommended)
-
For SonarCloud only, select the Organization that you want to connect to (you can also select a public one):
-
SonarQube and SonarCloud can push notifications to developers. You can decide whether or not to subscribe:
-
Validate the connection creation by selecting Finish at the end of the wizard:
-
Save the connection in global settings by clicking OK:
Once the connection is established, you can use it to bind your IDE project to a SonarQube/SonarCloud project.
-
Open IntelliJ settings, find the Tools > SonarLint > Project Settings entry:
-
Select Bind project to SonarQube/SonarCloud and choose the previously created connection name in the dropdown list
-
Enter the project key as it is configured on SonarQube/SonarCloud. You can also select it by using Search in list...:
In IntelliJ additional modules can be imported into a project, e.g. via the 'Project Structure' menu. This is often used for example to group together the back-end and the front-end parts of an application into the same project. As those components might be analyzed separately, SonarLint lets users bind modules to different projects.
-
In the IntelliJ settings, find the Tools > SonarLint > Project Settings entry
-
Make sure a binding is configured at the project level (see the previous section). Note: this will be the default binding for all modules that have no overridden binding.
-
In the 'Override binding per module' section, click on the
+sign and choose the module
THIS SECTION REQUIRES HARDENING
Observing different analysis results between SonarQube/SonarCloud and SonarLint can have different causes:
-
Third-party analyzers are not executed in SonarLint
Some issues may be reported in SonarQube by a plugin leveraging a third-party analyzer (PMD, Checkstyle, ESLint, PyLint, …). SonarLint will only run rules from SonarSource analyzers including custom rules extending SonarSource analyzers. Third-party analyzers usually have their own IDE integration, so we have no plan to run them in SonarLint.
-
SonarSource rules usually don’t report issues on test files
Each SonarLint flavor has its own way of detecting which file is considered a test source (like a unit test). Most rules are not executed on test sources. See the IDE's specific section to know how SonarLint decides whether a file is production code or test code.
-
“Second level” issues are not reported in SonarLint (rule keys starting by
common-xxx)Issues that depend on the computation of code coverage or duplications are not reported by SonarLint. They are not compatible with “on the fly” analysis. Finding duplications requires the scanner to analyze the entire project (including sibling modules). Collecting coverage requires that all tests be executed with proper coverage engine configuration. This is currently outside the scope of SonarLint.
-
Security Hotspots are not reported in SonarLint
They are not issues that can immediately be fixed. Security Hotspots follow a review process that is implemented on SonarQube / SonarCloud side.
-
Taint vulnerabilities are not reported in SonarLint
Vulnerabilities raised by the Taint Analyzer (SQL Injection, ...) are issues detected in SonarQube commercial editions that are also not detected by SonarLint (rule keys starting with
javasecurity,phpsecurityorroslyn.sonaranalyzer.security.cs). Running tainted analysis in the IDE is currently not practical mainly for performance reason.
PLACE VISUAL STUDIO CONTENT HERE TO ENTERED INTO THE KONTENT.AI-SPECIFIC ASSET
In Connected Mode, the solution is linked to a project in SonarQube/SonarCloud. See Connected Mode for more information.
Note: Connected mode is currently only supported for C#, VB.NET, and C++ projects. Support for JavaScript and TypeScript will be added in the future - see #770.
You can connect SonarLint to SonarQube >= 6.7 or SonarCloud to benefit from the same rules and settings that are used to inspect your project on the server. SonarLint then hides in VS the issues that are marked as Won’t Fix, False Positive or Fixed.
Note: Connected Mode does not push or pull issues to or from the server. Rather, its purpose is to configure the IDE so that it uses the same settings as the server.
The following languages and Visual Studio project types are supported:
- C# (.csproj)
- VB.NET (.vbproj)
- C++ (*.vxcproj and CMake)
- JavaScript and TypeScript in MSBuild projects or folder workspaces (from SLVS v6.7)
This will display the SonarQube Connections tab:
The SonarQube tab is used for connecting to both SonarQube and SonarCloud. To connect to SonarCloud you should enter https://sonarcloud.io as the SonarQube server URL.
You can connect using either a User Token, or a Username and Password. We strongly recommend using User Tokens. The documentation on creating User Tokens is found here for SonarQube or SonarCloud.
When using a User Token, enter the token in the Username/Token field (in SLVS) and leave the Password field blank.
If you are connecting to SonarCloud, you will also be prompted to choose which of your organizations the project belongs to:
You can also connect to public third-party organizations by entering the organization key in the Other Organizations tab:
To find the organization key for a third-party organization, browse to the project you want to bind to on SonarCloud. The organization key is displayed on the project page:
The final step is to select the Sonar project you want to bind the solution to. Select a project with a double-click or a right-click, and select Bind from the context menu:
SonarLint will then fetch the required settings from the server and create local configuration files.
SonarLint will automatically fetch suppressed issues when the bound solution is opened in Visual Studio, and will periodically check for changes every 10 minutes.
You can manually trigger a fetch by selecting Update in the context menu of the SonarQube tab in the Team Explorer window:
The suppressions will be applied next time an analysis is triggered.
Note: a suppressed issue might still appear in Visual Studio if the code is different from when it was analyzed on SonarQube/SonarCloud.
Note: there is a known issue in which suppressed issues can still be shown for C# and VB.Net. See SLVS-1005 for more information.
SonarLint will fetch file exclusions when a binding is made or updated and save to a file named sonar.settings.json under the .sonarlint folder. When a bound solution is opened, SonarLint will automatically check whether the server settings have changed. If the settings on the server have changed, SonarLint will warn you about this discrepancy and will ask you to update the binding.
Alternatively, you can manually trigger an update from a context menu of the SonarQube tab in the Team Explorer window:
- Supported Languages: C, C++
- Patterns should start with "**/"
- Multicriteria and Test exclusions are not supported. We only support Global Source File Exclusions, Source File Exclusions and Source File Inclusions.
The local Connected Mode configuration files can get out of step with settings on the SonarQube|SonarCloud servers—for example, the Quality Profile for the project is changed on the server.
SonarLint will automatically check whether the server configuration has changed whenever the bound solution is opened in Visual Studio, and will ask you whether you want to update the local configuration to match:
Alternatively, you can manually trigger an update from a context menu of the SonarQube tab in the Team Explorer window:
There is not an "unbind" command to disconnect a solution from SonarQube/SonarCloud. Instead, simply delete the .sonarlint folder and its contents.
The goal is to have the same issues reported in the IDE as are reported to the server during an analysis run. However, there are a number of reasons why a set of issues can be different: some technical, some bugs, or some work that just hasn't been done yet. See ticket #1336 for a summary of the known issues and their current status.
ADD LINK TO PREVIOUS VERSIONS SECTION BCZ THERE IS CONTENT FOR SLVS THERE.
PLACE VISUAL STUDIO CONTENT HERE TO ENTERED INTO THE KONTENT.AI-SPECIFIC ASSET
When running in Connected Mode with SonarQube 8.6 and above, and browsing a security hotspot, a button will be available offering to open the hotspot in SonarLint (with SonarLint already running in VSCode). Limitation: this feature relies on local communication between your web browser and SonarLint, and consequently is not available in some remote environments such as GitPod, or GitHub CodeSpaces.
Connected Mode will also allow unlocking of your analysis for these languages:
When configuring Connected Mode, follow the Connection Setup instructions below.
In v3.8 and above of SonarLint for VSCode, to set up SonarQube/SonarCloud connections, open up a SONARLINT CONNECTED MODE view in VSCode.
Select either Add SonarQube Connection or Add SonarCloud Connection, and complete the fields.
For SonarQube connections, provide your SonarQube Server URL and User Token. For SonarCloud connections, provide your Organization Key and User Token. User Tokens should be generated on the SonarQube/SonarCloud side and pasted in the User Token field.
User Token can be generated using these pages:
- SonarQube -
https://<your-sonarqube-url>/account/security/ - SonarCloud -
https://sonarcloud.io/account/security/
Connection Name is a friendly name for your connections. In case of multiple connections, it also acts as a connectionId.
In SonarLint for VSCode v3.6 and above, notifications can be enabled or disabled here, or from the UI while creating or editing the connection setting (see next image below). Action buttons in the UI used to edit/delete existing, or create additional connections will be revealed when hovering over each connection.
Select Save Connection and verify that the new connection was set up successfully in the Connected Mode view.
From v3.10, SonarLint for VSCode tries to automatically detect a remote SonarQube/SonarCloud project to bind with the locally opened workspace folder. If the locally opened folder contains a sonar-project.properties or a .sonarcloud.properties file, SonarLint will try to configure the binding with the remote project defined in that configuration file.
If no remote match is found, you will be prompted to configure binding manually as we describe below.
To manually configure a project binding, navigate to the SONARLINT CONNECTED MODE view in the VSCode Explorer and select Add Project for the desired connection.
If your open workspace contains multiple folders, you will be prompted to choose a specific folder.
After selecting the folder, choose the remote SonarQube/SonarCloud project you would like to bind.
Select the desired project and enjoy Connected Mode! You can also edit/delete bindings from the SONARLINT CONNECTED MODE view.
Action buttons in the UI used to edit/delete existing or create additional connections, will be revealed when hovering over each connection.
Please see Connected Mode Setup for previous versions to read the documentation about activating Connected Mode in earlier releases of SonarLint for VSCode.
SonarLint keeps server-side data in local storage. If you change something on the server such as the Quality Profile, SonarLint will automatically attempt to synchronize with configured servers at startup and once every hour and will do its best to synchronize with the most appropriate branch from the server. Additionally, you can trigger an update of the local storage using the "SonarLint: Update all project bindings to SonarQube/SonarCloud" command on the command palette (search for "sonarlint").