How exactly is SonarQube different from SonarLint? SonarQube has a server associated with it and SonarLint works more like a plugin. But what are their specific differences?
5 Answers
SonarLint lives only in the IDE (IntelliJ, Eclipse and Visual Studio). Its purpose is to give instantaneous feedback as you type your code. For this, it concentrates on what code you are adding or updating.
SonarQube is a central server that processes full analyses (triggered by the various SonarQube Scanners). Its purpose is to give a 360° vision of the quality of your code base. For this, it analyzes all the source lines of your project on a regular basis.
Both SonarLint and SonarQube rely on the same static source code analyzers - most of them being written using SonarSource technology.

- Thanks @Fabrice! But one follow-up question. I am finding differences in reports for SonarQube and SonarLint for the same version of the code base. This was the original problem that led me to write this question. What could possibly be the problem? – Jeevan Varughese Oct 04 '16 at 06:52
- You should "connect" SonarLint to SonarQube and bind your local project (in the IDE) to the remote one (in SonarQube) in order to make sure that you are using the same quality profiles (= rule sets) in both worlds. – Fabrice - SonarSource Team Oct 04 '16 at 07:45
- Thanks Fabrice. This could also mean that different versions with different rule sets can give different reports, right? Like there can be a difference between v5.6 and v6.0 reports for the same version of the code base. – Jeevan Varughese Oct 04 '16 at 07:50
- You may find this interesting; this article helped me understand the difference between the 3 different SonarQube launch modes: analysis (which generates the report in the SonarQube UI), preview and incremental (used by SonarLint). https://blog.sonarsource.com/analysis-vs-preview-vs-incremental-preview-in-sonarqube/ – Zoette Jun 21 '17 at 04:42
- @Y-BCause, is there an updated link for that article? The one from 2017 is dead. Thx – DanM Nov 04 '22 at 15:17
It should be added that SonarQube also performs scans with 3rd-party analyzers (FindBugs, Checkstyle, PMD) whereas SonarLint does not include those. I think the reason is a prioritization on performance and FindBugs relying on Java bytecode.
Thereby your findings in SonarQube and SonarLint can vary if the underlying quality profile uses 3rd-party scanners.

- You are right @guitarlum, and the primary reason is not the one you mentioned, but the fact that we truly believe that SonarJava (the Java analyzer developed by SonarSource) outweighs PMD + FindBugs altogether. – Fabrice - SonarSource Team Mar 28 '17 at 06:58
- @Fabrice-SonarSourceTeam I understand your reasoning and this may be true for default FindBugs and PMD; however, in the area of application security, namely FindSecurityBugs (https://find-sec-bugs.github.io/), which in my opinion is the best vulnerability scan, SonarJava falls short. – guitarlum May 30 '18 at 08:34
SonarQube is a server where you can host your projects and execute analysis, whereas SonarLint is an agent that allows us to connect with this SonarQube and execute the analysis remotely. SonarLint can be used with an IDE or can also be executed via CLI commands.
SonarLint contains its own set of default rules, but when connected to SonarQube, users can import rules from SonarQube, which are actually more than just the standard set of rules. We can integrate PMD, CodeStyle and many other checkers on SonarQube and create custom rules.
Two facts I want to mention that I learnt from my experience: first, SonarLint will not inherit those custom rules from SonarQube; secondly, Sonar does not work on test classes.

SonarQube runs the rule validations on the server. We integrated it into our TFS builds. SonarLint runs in the IDE, so before I commit my code I know which lines are violating which rules inside the IDE.

- The question was about how the scanners differ. Your answer is given as a premise to the question. The server and plugins are already mentioned in the question. – Jeevan Varughese Jan 10 '19 at 20:46
Also, SonarLint does have a "Secrets detection" solution focused on cloud credentials that applies to any config files, i.e. is language-agnostic, which SonarQube doesn't.
