SARIF reports

This page explains how to import SARIF reports into SonarQube Cloud.

You can import Static Analysis Results Interchange Format (SARIF) reports into SonarQube Cloud. The issues will be taken into account by SonarQube Cloud in the analysis report, but the rules corresponding to these issues will not be visible on the Rules page nor reflected in quality profiles. This means that the rules that raise external issues must be managed in your third-party tool.

Import process

SonarQube Cloud manages the import of a SARIF issue as follows:

  • It assigns the CONVENTIONAL coding attribute and the SECURITY software quality to the issue.

  • It maps the issue's severity level on the SECURITY software quality using the following fields:

    • runs[].tool.extensions.rules[].defaultConfiguration.level is overridden by

    • runs[].tool.driver.rules[].defaultConfiguration.level

Severity field in SARIF 2.1.0

Impact level in SonarQube Cloud

error

HIGH

warning

MEDIUM

note

LOW

none

LOW

  • Otherwise, the default MEDIUM impact level is applied.

See Software qualities for more information.

Setting up the import

To set up the import of SARIF reports into SonarQube Cloud:

  1. Prepare your SARIF report files according to the import file specifications below.

  2. Use on the scanner side the Analysis parameters sonar.sarifReportPaths to define the list of SARIF report files to be imported during your project analysis. This parameter accepts a comma-delimited list of paths.

Import file specifications

The SARIF files must:

Mandatory fields

Field
Description

version

Must be set to "2.1.0".

runs[].tool.driver.name

Name of the tool that created the report.

runs[].results[].message.text

Message of the external issue.

runs[].results[].ruleId

Identifier of the corresponding rule in the tool that created the report.

If a mandatory field is missing, the report is ignored (see the corresponding line in the logs).

Optional fields

Field
Sub-field
Description

runs[].tool.driver

The tool that generated the report.

runs[].tool.driver.rules[]

id

Identifier of the rule of the tool that created the report.

shortDescription.text

Short description is mapped as the name of the rule in SonarQube. If the field is empty, SonarQube constructs the name based on the driver name and id fields.

fullDescription.text

Full description of the rule.

defaultConfiguration.level

SonarQube uses this field to determine the issue's impact level on security software quality.

runs[].tool.extensions.rules[]

defaultConfiguration.level

SonarQube uses this field to determine the issue's impact level on security software quality, if the driver field runs[].tool.driver.rules[].defaultConfiguration.level above is not used.

runs[].results[]

level

Ignored by SonarQube Cloud.

stacks[]

The stacks are mapped to the issue flows.

stacks[].frames[]

Each frame of a stack represents one path of the whole issue flow.

stack.frames.location

Follows the same pattern as in locations indicated below.

runs[].results[].locations[]

SonarQube only uses the first item in the array. It must be a physical location.

physicalLocation.artifactLocation.uri

Path of the file concerned by the issue.

If no location is defined, the issue is raised at the project level.

physicalLocation.region

Text range concerned by the issue. Is defined by the following fields:

  • startLine

  • startColumn(optional)

  • endLine (optional)

  • endColumn (optional)

If startColumn, endLine, endColumn are not specified,SonarQube automatically retrieves the full coordinates of the line.

relatedLocations

Contains the same fields as physicalLocation.

Import file example

{
  "version": "2.1.0",
  "$schema": "http://json.schemastore.org/sarif-2.1.0-rtm.5",
  "runs": [
    {
      "tool": {
        "driver": {
          "name": "a test linter",
          "rules": [
            {
              "id": "rule1",
              "shortDescription": {
                "text": "XooLint rule 1"
              },
              "fullDescription": {
                "text": "XooLint rule 1 full description"
              }
            },
            {
              "id": "rule2",
              "shortDescription": {
                "text": "XooLint rule 2"
              }
            }
          ]
        }
      },
      "results": [
        {
          "level": "error",
          "message": {
            "text": "'toto' is assigned a value but never used."
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "src/File0.xoo"
                },
                "region": {
                  "startLine": 1,
                  "startColumn": 5,
                  "endLine": 1,
                  "endColumn": 9
                }
              }
            }
          ],
          "relatedLocations": [
            {
              "message": {
                "text": "Secondary location message."
              },
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "src/File0.xoo"
                },
                "region": {
                  "startLine": 2,
                  "startColumn": 1
                }
              }
            }
          ],
          "ruleId": "rule1"
        },
        {
          "level": "error",
          "message": {
            "text": "Issue with flow"
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "src/File1.xoo"
                },
                "region": {
                  "startLine": 1,
                  "startColumn": 5,
                  "endLine": 1,
                  "endColumn": 9
                }
              }
            }
          ],
          "stacks": [
            {
              "frames": [
                {
                  "location": {
                    "message": {
                      "text": "Stack frame message."
                    },
                    "physicalLocation": {
                      "artifactLocation": {
                        "uri": "src/File1.xoo"
                      },
                      "region": {
                        "startLine": 3,
                        "startColumn": 1
                      }
                    }
                  }
                },
                {
                  "location": {
                    "message": {
                      "text": "Stack frame message 2."
                    },
                    "physicalLocation": {
                      "artifactLocation": {
                        "uri": "src/File1.xoo"
                      },
                      "region": {
                        "startLine": 4,
                        "startColumn": 1
                      }
                    }
                  }
                }
              ]
            }
          ],
          "ruleId": "rule2"
        }
      ]
    }
  ]
}

Last updated

Was this helpful?