
Team Features Connected Mode

kevin-hinz edited this page Oct 25, 2022 · 6 revisions

Page Item: Connected Mode

SLUG: team-features-connected-mode

HEADING 1

FROM ECLIPSE:

You can connect SonarLint to SonarQube >= 7.9 or SonarCloud so that issues are reported consistently on both sides.

Features when connected mode is used:

  • use the same analyzers as the server, assuming they are supported in SonarLint (except for the JS/TS and HTML analyzers, where SonarLint keeps using its embedded version)
  • use the same quality profile (same rules activation, parameters, severity, ...)
  • reuse some settings defined on the server (rule exclusions, analyzer parameters, ...)
  • automatically suppress issues that are marked as Won’t Fix or False Positive on the server

Note: connected mode does not push issues to the server. Rather, its purpose is to configure the IDE so that it uses the same settings as the server.

HEADING 2


Select the tab (collapsible box) below corresponding to your IDE:

collapse

Eclipse

PLACE ECLIPSE CONTENT HERE TO ENTERED INTO THE KONTENT.AI-SPECIFIC ASSET

Configure a connection to a SonarQube server

  1. Open the connection wizard, for example using menu File -> New -> Other... and then SonarQube/SonarCloud Connection: New Connection

  2. Select SonarQube and click on the Next button:

Select SonarQube

  3. Enter your SonarQube server URL:

Set URL

  4. Choose the authentication method:
  • Token: generate a token on SonarQube, to be used by SonarLint as the authentication method. This is the preferred method because it avoids the risk of compromising your username/password.
  • Username + Password: use your SonarQube credentials directly (not recommended)

Choose auth

  5. Enter your token or username/password

  6. Give your connection a name

Configure a connection to SonarCloud

  1. Generate a token on SonarCloud, to be used by SonarLint as the authentication method.

View configured connections

Configured connections can be retrieved from the Bindings view (Window > Show View > Other... > SonarLint > SonarLint Bindings).

This should open a view at the bottom, listing all connections:

Bindings View

A right-click on a connection will open a contextual menu to remove or edit the connection. This can be useful, for example, to update the credentials if they have changed.

collapse

IntelliJ

PLACE INTELLIJ CONTENT HERE TO ENTERED INTO THE KONTENT.AI-SPECIFIC ASSET

Configure a connection

A connection provides the set of information needed to communicate with the SonarQube server or SonarCloud (URL, credentials, ...).

  1. Open IntelliJ settings, find the Tools > SonarLint entry, and select + to open the connection wizard:

    New Connection

  2. Enter a name for this connection, select SonarCloud or SonarQube. For the latter, you will need to enter the server URL:

    New Connection Target Server

  3. Choose the authentication method:

  • Token: generate a token on SonarQube or SonarCloud for SonarLint to use as an authentication method. This is the preferred method because it avoids the risk of compromising your username/password.

  • Username + Password: this method can be used for a SonarQube connection only. It lets you use your credentials directly (not recommended)

    New Connection Authentication

  4. For SonarCloud only, select the Organization that you want to connect to (you can also select a public one):

    New Connection SonarCloud Organization

  5. SonarQube and SonarCloud can push notifications to developers. You can decide whether or not to subscribe:

    New Connection Notifications

  6. Validate the connection creation by selecting Finish at the end of the wizard:

    New Connection Finish

  7. Save the connection in global settings by clicking OK:

    Global Settings Save

Configure project binding

Once the connection is established, you can use it to bind your IDE project to a SonarQube/SonarCloud project.

  1. Open IntelliJ settings, find the Tools > SonarLint > Project Settings entry:

    Project Settings Binding Panel

  2. Select Bind project to SonarQube/SonarCloud and choose the previously created connection name in the dropdown list

  3. Enter the project key as it is configured on SonarQube/SonarCloud. You can also select it by using Search in list...:

    Project Settings Configure Binding

Override binding for modules

In IntelliJ, additional modules can be imported into a project, e.g. via the 'Project Structure' menu. This is often used, for example, to group together the back-end and the front-end parts of an application into the same project. As those components might be analyzed separately, SonarLint lets users bind modules to different projects.

  1. In the IntelliJ settings, find the Tools > SonarLint > Project Settings entry

  2. Make sure a binding is configured at the project level (see the previous section). Note: this will be the default binding for all modules that have no overridden binding.

  3. In the 'Override binding per module' section, click on the + sign and choose the module

    Project Settings Configure Module Binding

Troubleshooting Connected Mode

THIS SECTION REQUIRES HARDENING

Differences between the analysis results of SonarQube/SonarCloud and SonarLint can have several causes:

  1. Third-party analyzers are not executed in SonarLint

    Some issues may be reported in SonarQube by a plugin leveraging a third-party analyzer (PMD, Checkstyle, ESLint, PyLint, …). SonarLint will only run rules from SonarSource analyzers including custom rules extending SonarSource analyzers. Third-party analyzers usually have their own IDE integration, so we have no plan to run them in SonarLint.

  2. SonarSource rules usually don’t report issues on test files

    Each SonarLint flavor has its own way of detecting which file is considered a test source (like a unit test). Most rules are not executed on test sources. See the IDE's specific section to know how SonarLint decides whether a file is production code or test code.

  3. “Second level” issues are not reported in SonarLint (rule keys starting with common-xxx)

    Issues that depend on the computation of code coverage or duplications are not reported by SonarLint. They are not compatible with “on the fly” analysis. Finding duplications requires the scanner to analyze the entire project (including sibling modules). Collecting coverage requires that all tests be executed with proper coverage engine configuration. This is currently outside the scope of SonarLint.

  4. Security Hotspots are not reported in SonarLint

    They are not issues that can immediately be fixed. Security Hotspots follow a review process that is implemented on SonarQube / SonarCloud side.

  5. Taint vulnerabilities are not reported in SonarLint

    Vulnerabilities raised by the Taint Analyzer (SQL Injection, ...) are issues detected in SonarQube commercial editions that are also not detected by SonarLint (rule keys starting with javasecurity, phpsecurity or roslyn.sonaranalyzer.security.cs). Running taint analysis in the IDE is currently not practical, mainly for performance reasons.
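
The causes listed above can be checked mechanically when comparing a server-side issue list with what the IDE shows. The following is an added example, not part of SonarLint or its documentation: it assumes issues exported as JSON objects with `key`, `rule` (in `repository:rule` form) and `type` fields, and the third-party repository keys and sample issues are assumptions constructed for illustration.

```python
import json
from collections import defaultdict

# Repository prefixes named in the troubleshooting list above.
TAINT_REPOS = ("javasecurity", "phpsecurity", "roslyn.sonaranalyzer.security.cs")
# Assumed repository keys for third-party plugins; adjust to your server.
THIRD_PARTY_REPOS = {"pmd", "checkstyle", "eslint_repo", "Pylint"}


def reason_not_in_ide(issue):
    """Return why a server-side issue is expected to be absent from SonarLint, or None."""
    repo = issue["rule"].split(":", 1)[0]
    if issue.get("type") == "SECURITY_HOTSPOT":
        return "security hotspot (reviewed on the server)"
    if repo in TAINT_REPOS:
        return "taint vulnerability (server-only analysis)"
    if repo.startswith("common-"):
        return "coverage/duplication rule (needs whole-project data)"
    if repo in THIRD_PARTY_REPOS:
        return "third-party analyzer"
    return None


def triage(issues):
    """Group issue keys by the reason they will not show up in the IDE."""
    groups = defaultdict(list)
    for issue in issues:
        groups[reason_not_in_ide(issue) or "expected in SonarLint"].append(issue["key"])
    return dict(groups)


# Constructed sample shaped like an issue export; keys and rules are illustrative.
SAMPLE = json.loads("""[
  {"key": "A1", "rule": "javasecurity:S3649", "type": "VULNERABILITY"},
  {"key": "A2", "rule": "common-java:InsufficientBranchCoverage", "type": "CODE_SMELL"},
  {"key": "A3", "rule": "java:S2095", "type": "BUG"},
  {"key": "A4", "rule": "pmd:UnusedLocalVariable", "type": "CODE_SMELL"},
  {"key": "A5", "rule": "java:S4790", "type": "SECURITY_HOTSPOT"},
  {"key": "A6", "rule": "roslyn.sonaranalyzer.security.cs:S3649", "type": "VULNERABILITY"}
]""")

if __name__ == "__main__":
    for reason, keys in triage(SAMPLE).items():
        print(f"{reason}: {', '.join(keys)}")
```

Issues that land in the "expected in SonarLint" group but are still missing in the IDE may fall under the test-file cause (item 2), which this sketch cannot detect from rule keys alone.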

collapse

Visual Studio

PLACE VISUAL STUDIO CONTENT HERE TO ENTERED INTO THE KONTENT.AI-SPECIFIC ASSET

In Connected Mode, the solution is linked to a project in SonarQube/SonarCloud. See Connected Mode for more information.

Note: Connected mode is currently only supported for C#, VB.NET, and C++ projects. Support for JavaScript and TypeScript will be added in the future - see #770.

Overview

You can connect SonarLint to SonarQube >= 6.7 or SonarCloud to benefit from the same rules and settings that are used to inspect your project on the server. SonarLint then hides in VS the issues that are marked as Won’t Fix, False Positive or Fixed.

Note: Connected Mode does not push or pull issues to or from the server. Rather, its purpose is to configure the IDE so that it uses the same settings as the server.

Supported languages/project types

The following languages and Visual Studio project types are supported:

  • C# (.csproj)
  • VB.NET (.vbproj)
  • C++ (.vcxproj and CMake)
  • JavaScript and TypeScript in MSBuild projects or folder workspaces (from SLVS v6.7)

Setting up connected mode

Step (1) Open the Team Explorer Home tab and click on the SonarQube icon

Team Explorer home page showing SonarQube icon

This will display the SonarQube Connections tab:

SonarQube Connections tab

Step (2) Click on Connect... to display the connection dialogue:

SonarQube connection dialogue

The SonarQube tab is used for connecting to both SonarQube and SonarCloud. To connect to SonarCloud you should enter https://sonarcloud.io as the SonarQube server URL.

Step (3) Select the server and enter your credentials

You can connect using either a User Token, or a Username and Password. We strongly recommend using User Tokens. The documentation on creating User Tokens is found here for SonarQube or SonarCloud.

When using a User Token, enter the token in the Username/Token field (in SLVS) and leave the Password field blank.

Step (4) Select the Organization (SonarCloud only)

If you are connecting to SonarCloud, you will also be prompted to choose which of your organizations the project belongs to:

SonarCloud Organization selection dialogue

You can also connect to public third-party organizations by entering the organization key in the Other Organizations tab:

Other organizations tab

To find the organization key for a third-party organization, browse to the project you want to bind to on SonarCloud. The organization key is displayed on the project page:

Example project page on SonarCloud

Step (5) Select the Sonar project to bind to

The final step is to select the Sonar project you want to bind the solution to. Select a project with a double-click or a right-click, and select Bind from the context menu:

SonarQube project selection list

SonarLint will then fetch the required settings from the server and create local configuration files.

Retrieving suppressed issues from the server

SonarLint will automatically fetch suppressed issues when the bound solution is opened in Visual Studio, and will periodically check for changes every 10 minutes.

You can manually trigger a fetch by selecting Update in the context menu of the SonarQube tab in the Team Explorer window:

Connected mode update settings context menu

The suppressions will be applied next time an analysis is triggered.

Note: a suppressed issue might still appear in Visual Studio if the code is different from when it was analyzed on SonarQube/SonarCloud.

Note: there is a known issue in which suppressed issues can still be shown for C# and VB.NET. See SLVS-1005 for more information.

Retrieving file exclusions from the server

SonarLint will fetch file exclusions when a binding is made or updated and save them to a file named sonar.settings.json under the .sonarlint folder. When a bound solution is opened, SonarLint will automatically check whether the server settings have changed. If they have, SonarLint will warn you about the discrepancy and ask you to update the binding.

Out of date binding configuration warning message

Alternatively, you can manually trigger an update from a context menu of the SonarQube tab in the Team Explorer window:

Connected mode update settings context menu

Known limitations

  • Supported Languages: C, C++
  • Patterns should start with "**/"
  • Multicriteria and Test exclusions are not supported. We only support Global Source File Exclusions, Source File Exclusions and Source File Inclusions.

Updating the local configuration files

The local Connected Mode configuration files can get out of step with the settings on the SonarQube/SonarCloud server, for example when the Quality Profile for the project is changed on the server.

SonarLint will automatically check whether the server configuration has changed whenever the bound solution is opened in Visual Studio, and will ask you whether you want to update the local configuration to match:

Out of date project configuration warning message

Alternatively, you can manually trigger an update from a context menu of the SonarQube tab in the Team Explorer window:

Connected mode update settings context menu

Removing a solution from Connected Mode

There is no "unbind" command to disconnect a solution from SonarQube/SonarCloud. Instead, simply delete the .sonarlint folder and its contents.

Differences between issues reported in the IDE vs issues reported in SonarQube/SonarCloud

The goal is to have the same issues reported in the IDE as are reported to the server during an analysis run. However, there are a number of reasons why a set of issues can be different: some technical, some bugs, or some work that just hasn't been done yet. See ticket #1336 for a summary of the known issues and their current status.

ADD LINK TO PREVIOUS VERSIONS SECTION BCZ THERE IS CONTENT FOR SLVS THERE.

collapse

Visual Studio Code

PLACE VISUAL STUDIO CONTENT HERE TO ENTERED INTO THE KONTENT.AI-SPECIFIC ASSET
