SonarLint - Bug hunting season is open
What if your IDE could warn you as soon as you wrote bad code? More than just warning, what if it could teach you why something is bad, show you best practices, and give you examples of fixes? I'm not talking about poorly formatted code, or similarly minor issues. Thanks to powerful code analyzers also found in the well-known SonarQube platform, you can expect to catch serious flaws that would have led to critical bugs or security breaches.
Eager to try? Please follow the guide.
To use SonarLint, simply write code as you usually do. Bugs or vulnerabilities will be annotated directly in the editor when you save changes.
A dedicated view lets you browse all the issues detected by SonarLint. It's sorted by date, most recent first, so you can easily spot the one you've just introduced.
If the message is not clear enough to understand an issue, simply open the rule description. We make an extra effort to give you a lot of details so you can learn and make an informed decision (there is not always one absolutely correct way to fix an issue).
How to find (non trivial) bugs with static analysis
As I teased earlier, SonarLint aims to find complex bugs. This is an ongoing effort, and every new version adds more and more checks.
Finding complex bugs requires the best possible understanding of the code. Here is a very approximate description of the process:
- Parsing: to understand the code, the analyzer needs to parse it and build a tree based on a grammar. This is somewhat easy for well-specified languages like Java, but much more difficult for C++, because there are ambiguities.
- Data Flow Analysis: this is similar to mentally executing code while reading it, trying to collect as much information as possible on a possible program state. Is this variable initialized? What if this condition is true? Was this resource closed? Data Flow Analysis could, potentially, consume an infinite amount of resources (CPU/Memory) so this is a best-effort approach. The scope of exploration can be limited to a single method/function or extended to be cross-method or even cross-file.
As you probably guessed, simple parsing only enables simple checks. Properly resolving types and Data Flow Analysis is the key that opens the door to very advanced checks, with the potential to reveal serious bugs or vulnerabilities.
Teaser: this screenshot shows an upcoming feature. SonarLint can highlight the flow leading to some issues. This will become a key feature, since complex Data Flow-based findings may be hard to understand without the context that leads up to them.
You can unlock some additional features by connecting SonarLint to a SonarQube server and then binding your projects. It could be your company's instance, or a cloud instance such as sonarqube.com, which is available for free for open source projects.
Here are some of the benefits of connecting to a SonarQube server:
- Access to all the SonarSource analyzers installed on the server instead of just the default ones. This allows consistent issue reporting and support for additional (including commercial) languages.
- Access to rulesets configured on the server, including custom rules.
- Hide issues marked as "Won't Fix" or "False Positive".
SonarLint evolves quickly. We had 7 releases last year and we'll continue the effort in 2017. Each new version will include updated code analyzers, to spot more and more advanced bugs, but also to improve reporting. Don't hesitate to try it out, and give your feedback on our open discussion list: firstname.lastname@example.org. You can report problems, propose new rules, and suggest new features.