SonarLint is an open-source IDE plugin for Eclipse and IntelliJ that performs static analysis on Java code.
It's developed by SonarSource, a Swiss software company focused on code quality solutions.
With this tool, we can get instant feedback on code quality issues during development. This allows us to address potential bugs and vulnerabilities before they are committed into the codebase.
SonarLint will raise an issue when it identifies code that breaks one of its rules. This is done by showing a blue squiggle as seen below:
The default Java ruleset includes over 450 rules that fall into various categories and severity levels. The complete rules catalog can be found here.
- Bug - coding oversight or mistake which could lead to unwanted behavior and performance issues
- Vulnerability - a security issue which can mean a possible opening for an attacker
- Code smell - clean coding violation which may lead to maintainability issues
Standalone vs Connected
SonarLint can be run in standalone or connected mode.
Standalone mode uses the default rule set and doesn't require any other components. There doesn't appear to be a way to load custom rules in standalone mode unfortunately.
Connected mode connects to an on-premise SonarQube server or SonarCloud where we can store custom rules and view the analysis results by date. These are separate products developed by SonarSource which are useful for teams that want to introduce static analysis into their CI process.
In this article, we'll focus on standalone SonarLint for the Eclipse IDE.
SonarLint is available in the Eclipse Marketplace.
- Go to Help → Eclipse Marketplace
- Search for "SonarLint"
- Click Install
- Accept the License Agreement
- Restart Eclipse
After the restart, SonarLint will automatically analyze Java class files when they are opened and saved.
SonarLint configuration options are found in a few different places under the Preferences dialog in Eclipse.
(Mac: Eclipse → Preferences, Windows: Window → Preferences)
Preferences → General → Editors → Text Editors → Annotation
It's helpful to check Vertical ruler so it's easier to spot the lines that need attention:
Preferences → SonarLint
There's not much to configure here unless we want to exclude files or disable sharing of usage statistics.
Static Code Analysis
Let's take a look at some code samples and see what SonarLint finds.
Remove boolean condition that always returns true
A constructor can never return null so the null check is pointless here and should be removed.
Diamond operator should be used
The diamond operator was introduced in Java 7 to minimize the verbosity of code that uses generic types.
SonarLint checks the project language level before enabling version-specific rules such as this one.
Single return statement should be used
Here we are simply returning true if the expression evaluates to true and false otherwise. This can be simplified into a single return statement:
Possible null pointer exception
Method calls on objects that could possibly be null are flagged.
In the example below, the dialog object could be null if both conditional statements evaluate to false.
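The four rules above, collected into one constructed Java class as an added example (not code from the article); each pair shows the form SonarLint flags next to the fix, and the class, method and variable names are hypothetical:

```java
import java.util.ArrayList;
import java.util.List;

// Constructed samples of the rules discussed above: each pair shows the flagged form and the fix.
public class SonarLintSamples {
    // Boolean condition that always returns true: a constructor never returns null,
    // so the null check is dead code. Also flagged: missing diamond operator (Java 7+).
    static List<String> namesFlagged() {
        List<String> names = new ArrayList<String>();
        if (names != null) {
            names.add("alice");
        }
        return names;
    }
    static List<String> namesFixed() {
        List<String> names = new ArrayList<>(); // diamond operator, no null check
        names.add("alice");
        return names;
    }
    // Single return statement should be used.
    static boolean isAdultFlagged(int age) {
        if (age >= 18) {
            return true;
        } else {
            return false;
        }
    }
    static boolean isAdultFixed(int age) {
        return age >= 18;
    }
    // Possible null pointer exception: dialog stays null when both conditions are false.
    static String titleFlagged(boolean error, boolean warning) {
        String dialog = null;
        if (error) {
            dialog = "Error";
        } else if (warning) {
            dialog = "Warning";
        }
        return dialog.toUpperCase(); // flagged: dialog may be null here
    }
    static String titleFixed(boolean error, boolean warning) {
        String dialog = "Info"; // default covers the remaining case, so the call is safe
        if (error) {
            dialog = "Error";
        } else if (warning) {
            dialog = "Warning";
        }
        return dialog.toUpperCase();
    }
}
```

Opening this file in Eclipse with SonarLint installed and the project language level at Java 7 or later shows the blue squiggles on the flagged methods and none on the fixed ones.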
Reduce method complexity
SonarLint assigns each method a Cognitive Complexity score. This score measures how easy the method is to follow in terms of logic. A score above 15 will be flagged.
Long methods with nested if-then statements, loops, and complex boolean expressions will score higher.
The company published a white paper explaining how the score is computed.
How do I turn off SonarLint for a specific project?
Go to Project Properties → SonarLint and uncheck Run SonarLint Automatically.
How do I load custom rules into SonarLint?
This functionality is only available in Connected mode.