Reviewing Security Hotspots requires being able to navigate through the code to fully understand the whole context around the instruction that performs sensitive operations. However, SonarQube and SonarCloud are not designed to efficiently navigate the code and give the context that developers need: we believe that the IDE is the best place for this. Still, we want to help developers be more efficient in the Security Hotspots review.
Whenever developers review hotspots, they want to see them in their IDE to have more context and the ability to navigate within the code.
When the user clicks the "Open in IDE" button in SQ, SQ tries to open the Hotspot in SL if possible:
- In case of error, a proper message explaining what could have gone wrong is displayed.
- In case of success, a success message box is shown.
SonarLint will provide a dedicated List view for Hotspots. For this feature, the list will not show all the Hotspots in the project, only those that have been opened from SQ: once a Hotspot is opened from SQ it is added to the list, and kept in the list until the IDE is closed. Selecting a Hotspot in this list opens it in the code editor and displays the Panel explaining how to fix it.
Only the primary code location will be displayed.
Ability to see the following information in telemetry:
- Number and percentage of SonarLint users that used the feature at least once
- Number and percentage of SonarLint users that use the feature regularly
- Same information as the previous points for SL users with a project already bound to SQ
- Number of hotspots opened in the IDE