Start FreeLog in
SonarQube Cloud | Enriching your analysis | SARIF reports

SARIF reports

On this page

You can import Static Analysis Results Interchange Format (SARIF) reports into SonarQube Cloud. The issues will be taken into account by SonarQube Cloud in the analysis report, but the rules corresponding to these issues will not be visible on the Rules page nor reflected in quality profiles. This means that the rules that raise external issues must be managed in your third-party tool. 

Import process

SonarQube Cloud manages the import of a SARIF issue as follows:

  • It assigns the CONVENTIONAL Clean Code attribute and the SECURITY software quality to the issue. 
  • It manages the issue's impact level on the software quality (security) as follows:
    • If a SARIF severity field is provided at the rule level for the issue then the mapping below is used to retrieve the corresponding impact level.
Severity field in SARIF 2.1.0 Impact level in SonarQube Cloud
errorHIGH
warningMEDIUM
noteLOW
noneLOW
    • Otherwise, the default MEDIUM impact level is applied.

See Clean Code for details about the Clean Code concepts mentioned above.

Setting up the import

To set up the import of SARIF reports into SonarQube Cloud:

  1. Prepare your SARIF report files according to the import file specifications below. 
  2. Use on the scanner side the analysis parameter sonar.sarifReportPaths to define the list of SARIF report files to be imported during your project analysis. This parameter accepts a comma-delimited list of paths. 

Import file specifications

The SARIF files must:

Mandatory fields

FieldDescription
versionMust be set to “2.1.0”.
runs[].tool.driver.nameName of the tool that created the report.
runs[].results[].message.textMessage of the external issue.
runs[].results[].ruleIdIdentifier of the corresponding rule in the tool that created the report.

Optional fields

FieldDescription
runs[].results[].locations[]SonarQube Cloud only uses the first item in the array. It must be a physical location.
physicalLocation.artifactLocation.uri

Path of the file concerned by the issue.

If no location is defined, the issue is raised at the project level.

physicalLocation.region


Text range concerned by the issue. Is defined by the following fields:

    • startLine
    • startColumn (optional)
    • endLine (optional)
    • endColumn (optional)

If startColumn, endLine, endColumn are not specified,SonarQube Cloud automatically retrieves the full coordinates of the line. 

sarifLog.runs[].tool.driver.rules[].defaultConfiguration.levelSonarQube Cloud uses this field to determine the issue's impact level on security.
sarifLog.runs[].tool.extensions[].rules[].defaultConfiguration.level SonarQube Cloud uses this field to determine the issue's impact level on security if the driver field above is not used.

Import file example

{
  "version": "2.1.0",
  "$schema": "http://json.schemastore.org/sarif-2.1.0-rtm.5",
  "runs": [
    {
      "tool": {
        "driver": {
          "name": "a test linter",
          "informationUri": "https://www….",
          "version": "8.27.0"
        }
      },
      "results": [
        {
          "level": "error",
          "message": {
            "text": "'toto' is assigned a value but never used."
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "file:///Users/sample/Workspace/Sarif-For-Test/src/simple-file.js"
                },
                "region": {
                  "startLine": 1,
                  "startColumn": 5,
                  "endLine": 1,
                  "endColumn": 9
                }
              }
            }
          ],
          "ruleId": "no-unused-vars"
        }
      ]
    }
  ]
}

Was this page helpful?

© 2008-2024 SonarSource SA. All rights reserved. SONAR, SONARSOURCE, SONARQUBE, and CLEAN AS YOU CODE are trademarks of SonarSource SA.

Creative Commons License