Taint vulnerabilities - Visual Studio (2024)

Taint vulnerabilities are a type of security-related rule that can be raised by both SonarCloud and SonarQube (starting with Developer Edition).

Due to technical limitations, SonarLint cannot raise taint issues during local analysis; instead it pulls taint issues from SonarQube or SonarCloud after a project analysis has run on the server. Because SonarLint must pull taint vulnerability issues from SonarQube or SonarCloud, Connected Mode is required.

Prerequisites

  • SonarLint version 4.31 or higher.
  • The correct solution must be open in Visual Studio and it must be in Connected Mode to SonarCloud or SonarQube version 8.9 or higher.

How to display taint vulnerabilities

When a solution running in Connected Mode is open in Visual Studio, SonarLint will fetch the vulnerabilities from the configured server. If any vulnerabilities exist, the SonarLint Taint Vulnerabilities tool window will be displayed in a new tab next to the Error List.


The tool window will appear automatically if your server has any taint vulnerabilities in your project. If you are not in Connected Mode, or if your server has no taint vulnerabilities, the window will not appear.

When viewing a taint vulnerability on the SonarQube or SonarCloud server, it's possible to use the Open in IDE button to jump to the issue in SonarLint for Visual Studio. See the Opening issues in the IDE article for full details.

Taint Vulnerabilities list

The taint list is filtered to display remote vulnerabilities found in the currently open code file. When a file containing issues is opened, the caption of the tool window will update to reflect the number of remote vulnerabilities found in that file.


The header of the list displays information about the server analysis in which these issues were found.

Currently, SonarLint does not detect taint vulnerabilities during live analysis in the IDE. The issues appearing in the Taint Vulnerabilities list are the issues reported on your SonarQube or SonarCloud server.

Investigating Taint Vulnerabilities

You can investigate a vulnerability by double-clicking it or pressing the Enter key. This takes you to the relevant code location and opens the SonarLint Issue Visualization panel with a visualization of the code flow from the tainted source to the sink.


If you do not see the Issue Visualization panel, click on Extensions > SonarLint > SonarLint Issue Visualization. See the documentation on Investigating issues for more information.

Non-navigable code locations

Since taint vulnerabilities are fetched from your configured server, it is possible that the code on your server does not match your local code version, e.g. if code changes have been made since the last analysis. In this case, the locations that no longer match are displayed with an indication that they are not navigable.


Manually re-opening SonarLint Taint Vulnerabilities tool window

If you manually close the tool window, it will no longer appear and disappear automatically when a solution is opened. You can show the window again by clicking on Extensions > SonarLint > Connected Mode > View Taint Vulnerabilities.


How to fix your taint issues

Taint vulnerabilities are security-related rule issues that are only raised by SonarQube (starting with Developer Edition) and SonarCloud. Due to technical limitations, SonarLint cannot raise such issues during local analysis.

Because the detection of taint issues requires that you run in Connected Mode, the status of an issue is owned by your SonarQube or SonarCloud instance, and any code change you make must be reflected there before the local list updates. Here are two options to resolve taint issues displayed by SonarLint:

  • If you fix the issue locally, commit your code to the server and rerun the analysis on SonarQube or SonarCloud. The new status (of the issue) will show up automatically in your local analysis.
  • If you go to the issue in SonarQube or SonarCloud and mark it as fixed, false positive, or won’t fix, the new status will be updated locally in less than 1 minute.

When running in Connected Mode with SonarQube 10.4 or newer, Won’t Fix becomes Accept.
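The following C# example is added here to illustrate what a taint flow of the kind reported in the Taint Vulnerabilities list looks like, and what the "fix the issue locally" option typically involves; it is not code from the SonarLint documentation, and the UserRepository class, its connection string and the Users table are assumptions made for the illustration. The unsafe method concatenates a caller-supplied value (a taint source when it originates from an HTTP request) into a SQL command (the sink); the safe method passes the same value as a bound parameter so the data can never be interpreted as SQL.

```csharp
using System.Collections.Generic;
using System.Data;
using Microsoft.Data.SqlClient;

// Hypothetical repository used only for this illustration.
public class UserRepository
{
    private readonly string _connectionString;

    public UserRepository(string connectionString)
    {
        _connectionString = connectionString;
    }

    // BEFORE (taint flow): 'userName' reaches the SqlCommand text through string
    // concatenation. A server-side analysis reports each hop of this flow, and
    // SonarLint's Issue Visualization panel shows the same source-to-sink path.
    public List<string> FindUserUnsafe(string userName)
    {
        string sql = "SELECT Name FROM Users WHERE Name = '" + userName + "'";
        return Execute(sql, command => { });
    }

    // AFTER (fixed): the query text is constant and the value is bound as a
    // typed parameter, so the taint flow into the SQL sink no longer exists.
    public List<string> FindUserSafe(string userName)
    {
        const string sql = "SELECT Name FROM Users WHERE Name = @name";
        return Execute(sql, command =>
            command.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = userName);
    }

    // Shared execution helper: opens the connection, binds parameters via the
    // supplied callback, and reads the first column of every row.
    private List<string> Execute(string sql, System.Action<SqlCommand> bind)
    {
        var names = new List<string>();
        using var connection = new SqlConnection(_connectionString);
        using var command = new SqlCommand(sql, connection);
        bind(command);
        connection.Open();
        using SqlDataReader reader = command.ExecuteReader();
        while (reader.Read())
        {
            names.Add(reader.GetString(0));
        }
        return names;
    }
}
```

After replacing the unsafe method with the parameterized one, the issue does not disappear from the local list by itself: the fix shifts line numbers, so the server-reported locations may appear as non-navigable until you commit the change and the next SonarQube or SonarCloud analysis runs, at which point the updated status is pulled into SonarLint.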
