• ReSharper. It is a popular developer productivity extension for Microsoft Visual Studio.
• SonarQube. SonarQube provides an overview of the overall health of your source code and.
• FindBugs. It detects possible bugs in Java programs.
• PMD.
• JSLint.
• ESLint.
• Pylint.
• Checkstyle.

Best Resources, Tutorials and Guide for  Sonarlint

1. devopsschool.com
2. sonarlint.org
3. sonarsource.com

Free Video Tutorials of  Sonarlint

Interview Questions and Answer for Sonarlint

1. Difference between SonarQube and SonarLint?

SonarLint lives only in the IDE (IntelliJ, Eclipse and Visual Studio). Its purpose is to give instantaneous feedback as you type your code. For this, it concentrates on what code you are adding or updating.

SonarQube is a central server that processes full analyses (triggered by the various SonarQube Scanners). Its purpose is to give a 360° vision of the quality of your code base. For this, it analyzes all the source lines of your project on a regular basis.

Both SonarLint and SonarQube rely on the same static source code analyzers – most of them being written using SonarSource technology.

2. How to suppress warning for a specific method with Intellij SonarLint plugin?

The //NOSONAR tag is useful to deactivate all rules at a given line but is not suitable to deactivate all rules (or only a given rule) for all the lines of a method or a class. This is why support for @SuppressWarnings(“all”) has been added to SonarQube.

SINCE 2.8 of Java Plugin, you can also use @SuppressWarnings annotation with a list of rule keys:

@SuppressWarnings(“squid:S2078”) or

@SuppressWarnings({“squid:S2078”, “squid:S2076”}).

3. How to turn off SonarLint automatic triggering on IntelliJ IDEA?

For intellij:

Go to File -> Settings New window will open In new window Expand tools -> locate SonarLint and click on it. Under settings tab of SonarLint -> uncheck the box ‘Automatically trigger Analysis’.

Built-in string formatting vs string concatenation as logging parameter?

using SonarLint that shows me an issue in the following line.

LOGGER.debug(“Comparing objects: ” + object1 + ” and ” + object2);

Side-note: The method that contains this line might get called quite often.

The description for this issue is

“Preconditions” and logging arguments should not require evaluation (squid:S2629)

Passing message arguments that require further evaluation into a Guava com.google.common.base.Preconditions check can result in a performance penalty. That’s because whether or not they’re needed, each argument must be resolved before the method is actually called.

Similarly, passing concatenated strings into a logging method can also incur a needless performance hit because the concatenation will be performed every time the method is called, whether or not the log level is low enough to show the message.

Instead, you should structure your code to pass static or pre-computed values into Preconditions conditions check and logging calls.

Specifically, the built-in string formatting should be used instead of string concatenation, and if the message is the result of a method call, then Preconditions should be skipped altoghether, and the relevant exception should be conditionally thrown instead.

Noncompliant Code Example

logger.log(Level.DEBUG, "Something went wrong: " + message);  // Noncompliant; string concatenation performed even when log level too high to show DEBUG messages
LOG.error("Unable to open file " + csvPath, e);  // Noncompliant
Preconditions.checkState(a > 0, "Arg must be positive, but got " + a); // Noncompliant. String concatenation performed even when a > 0
Preconditions.checkState(condition, formatMessage());  //Noncompliant. formatMessage() invoked regardless of condition
Preconditions.checkState(condition, "message: %s", formatMessage()); // Noncompliant

Compliant Solution

logger.log(Level.SEVERE, "Something went wrong: %s", message);  // String formatting only applied if needed
logger.log(Level.SEVERE, () -> "Something went wrong: " + message); //since Java 8, we can use Supplier , which will be evaluated lazily
LOG.error("Unable to open file {}", csvPath, e);
if (LOG.isDebugEnabled() {   LOG.debug("Unable to open file " + csvPath, e);  // this is compliant, because it will not evaluate if log level is above debug. }
Preconditions.checkState(arg > 0, "Arg must be positive, but got %d", a);  // String formatting only applied if needed
if (!condition) {   throw new IllegalStateException(formatMessage()); // formatMessage() only invoked conditionally }
if (!condition) {   throw new IllegalStateException("message: " + formatMessage()); }

4. Cognitive Complexity and its effect on the code?

W.r.t to one of the java projects, we recently started using SonarLint. Output of the code analysis shows too many critical code smell alerts.

Critical code smell: Refactor this method to reduce its Cognitive Complexity.

5. Is Cognitive Complexity an industry standard?

Impacts of Cognitive Complexity on code apart from readability and maintainability.

Does Cognitive Complexity apply only to methods or any other parts of code?

Any specific criteria on which Cognitive Complexity depends on?

Best practices to improve Cognitive Complexity of a code.

6. How to use SonarLint in Eclipse?

If you want to analyze a complete project with the Sonar Lint plugin, you can trick the plugin by searching all Java files with a text editor and replacing “package” with ” package”. This will cause SVN or git changes. Open the “Sonar Lint Report” view and run the analysis on the “Current project”. Afterwards, revert all your SVN changes. Do not run the analysis again as the Sonar Lint Plugin only analyzes changed files.

7. How do you customize SonarLint rules in IntelliJ IDEA?

SonarLint 1.0 for Eclipse and IntelliJ do not allow to edit the quality profile (or set of rules) to be used for the analysis. Moreover, SonarLint 1.x works completely independently of a SonarQube server (having a SonarQube server is not a requirement), and therefore does not have the ability to reuse a quality profile defined there.

SonarLint 2.0 will have an optional mode that connects to a SonarQube server, and will offer this feature – but this isn’t available yet.

8. Sonarlint command line version dropped?

It would appear that Sonarsource has discontinued development on the command line instance of the sonarlint tool. The link to the page on the sonarlint website now returns a 404 and there is no mention of the product on the sonarlint website.

9. Disable sonarlint automatic analysis in Eclipse by default?

Window->Preferences->SonarLint->File Exclusions Then New GLOB Pattern: “**/*”

10. Unable to Finish connecting to SonarQube server?

SonarLint in Eclipse are storing credentials in Eclipse secure storage that itself is protected by a master password. So you must reset it or delete it to add a new SonarQube server connection. You can try this step :

In your Eclipse Go to Window > Preferences, filter and find Secure Storage.

In the Tab Contents find and highlight org.sonarlint.eclipse.core, click Delete > Apply > OK. After deletion process is finished, Eclipse will ask if you want to restart the IDE. It is strongly recommended that you restart the IDE and try again to adding SonarQube server in Eclipse.

11. Method has 8 parameters, which is greater than 7 authorized?

here are two things to consider here.

You can adjust this rule in Sonar and increase the number of authorized parameters. Say put it 10 instead of default (?) 7.

UPD: the advice below is based on the old question version. It might be not applicable to the new question context any more.

But generally you should reconsider your method interface. Having many arguments means that something can be wrong in your architecture and the Single responsibility principle might be broken.

Say in your particular example, I would expect, that you can have an aggregate class Order:

public class Order {
   private CountryCode countryCode;
   private String orderId;
   private User user;
   private String orderId;
   private String item;
   private List<Person> persons;
   private ShippingAddress address;
   private PaymentMethod payment;
   private Product product;
   // ...
}

Which is much logical to manage instead of dealing with many parameters. Then your issues will be solved automatically:

@GetMapping

public void updateSomething(Order order) { … }

12. What is the correct way to make a custom .NET Exception serializable?

namespace SerializableExceptions
{
    using System;
    using System.Runtime.Serialization;

    [Serializable]
    // Important: This attribute is NOT inherited from Exception, and MUST be specified 
    // otherwise serialization will fail with a SerializationException stating that
    // "Type X in Assembly Y is not marked as serializable."
    public class SerializableExceptionWithoutCustomProperties : Exception
    {
        public SerializableExceptionWithoutCustomProperties()
        {
        }

        public SerializableExceptionWithoutCustomProperties(string message) 
            : base(message)
        {
        }

        public SerializableExceptionWithoutCustomProperties(string message, Exception innerException) 
            : base(message, innerException)
        {
}

        // Without this constructor, deserialization will fail
        protected SerializableExceptionWithoutCustomProperties(SerializationInfo info, StreamingContext context) 
            : base(info, context)
        {
        }
    }
}

13. Is there a way to integrate sonarlint plugin in pom.xml?

SonarLint is a local plugin that can be embedded in your IDE. In the plugin setting you can put the “Automatically trigger analysis” in order to have feedback while writing.

In order to perform continuous integration you should use SonarQube, it is possible to integrate it with Jenkins or Codemagic and also with Maven. It is possible to add SonarQube to your pull requests as well.

Unable to trigger SonarLint Analysis on whole Project?

Open the SonarLint Tool Window, go to the Project files tab, and click in the “play” button. There is also an action to which you can assign a shortcut.

14. SonarLint Use the primitive boolean expression here?

As other already mentioned, Sonar wants you to make sure that you don’t have any null pointer exception, or at least that’s what i have seen too when i do a check before trying to validate against the variable:

if i have the next, Sonar complains

if (properties.getEnabled()) {
       // Your code
}
But if i add a quick validation against nulls, Sonar stops complaining about it

if (properties.getEnabled() != null && properties.getEnabled()) {
       // Your code
}
Now, as you mentioned you can use the Boolean class to use the next
Boolean.TRUE.equals(properties.getEnabled());
As
if (Boolean.TRUE.equals(properties.getEnabled())){
       // Your code
}

How to configure the rule set of SonarLint in Visual Studio Code?
Click on Edit in settings.json

Add to "sonarlint.rules": the rule you wand to disable as follow:

    "javascript:S1488": {
        "level": "off"
    }

15. How to install an older Eclipse plugin of SonarLint?

Instead of using Eclipse Marketplace, use menu in Help → Install New Software. Add sonarlint URL:

You will see all available version of sonarlint. If you already have it installed with unexpected version, you need to uninstall it first in Help → Installation Details.

Update your “SonarTS – Code Analyzer for TypeScript” (just push the button) Thats all. Don’t forget restart your server

16. How to exclude JS files from on-the-fly analysis in SonarLint for IntelliJ IDEA?

Settings

Other settings

Sonarlint General Settings

File exclusions

Press ‘+’

**/*.js

17. How to install sonarlint plugin in Platform: Eclipse Mars.1 (4.5.1)?

18. How to get SonarLint for Eclipse logs?

• Open Eclipse Console view
• Open the SonarLint Console image
• Enable Verbose output and Analysis logs image
• Reproduce the issue (e.g. reopen the offending file)

Sometimes errors are not in the SonarLint console, but could be directly in Eclipse error logs.

• Open Eclipse Error Log view
• Look for an error event related to SonarLint
• Open event details to get the stacktrace

19. How SonarLint for Eclipse decides if a file is a test?

There is a regular expression you can configure in SonarLint settings to specify which files should be considered as tests.image

Recent Eclipse versions added the concept of test sources 55 (only for Java projects). When available, SonarLint will also rely on it (see the green icon for test folders).

image

In the end, if you want to know how a file was effectively classified by SonarLint, look at the SonarLint Console with Verbose output, and search for something like:

Starting analysis with configuration:

[
  baseDir: [...]
  workDir: [...]
  extraProperties: {sonar.java.target=1.8, [...]}
  inputFiles: [
    file:/home/julien/Prog/Projects/sonarlint-core/core/src/test/java/org/sonar/api/utils/log/SonarLintLoggerTest.java (UTF-8) [test]
  ]
]
and notice the [test] qualifier after the filename, to indicate SonarLint classified the file as test.

20. How to get SonarLint for IntelliJ logs?

Open the SonarLint tool window (View > Tool Windows > Sonarlint)

Enable Verbose output and Analysis logs SonarLintIntelliJ-Logs

SonarLintIntelliJ-Logs

1092×283 31.9 KB

Reproduce the issue (e.g. reopen the offending file)