# Importing issues from SARIF reports

SonarQube supports the standard [Static Analysis Results Interchange Format (SARIF)](https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html) for raising external issues in code. Every result imported from a SARIF report is created as a vulnerability in SonarQube, whatever category the originating tool assigned to the rule.

The imported SARIF files must comply with the [official SARIF format, version 2.1.0](https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html).

## Import <a href="#import" id="import"></a>

The [analysis parameter](https://docs.sonarsource.com/sonarqube-server/10.0/analyzing-source-code/analysis-parameters "mention") `sonar.sarifReportPaths` accepts a comma-delimited list of paths to SARIF reports, for example `sonar.sarifReportPaths=reports/eslint.sarif,reports/semgrep.sarif`. The reports must be UTF-8 encoded.

**Mandatory fields for SonarQube:**

* `version`: Must be "2.1.0"
* `runs[].tool.driver.name`: Name of the tool that created the report
* `runs[].results[].message.text`: Message of the external issue
* `runs[].results[].ruleId`: ID of the corresponding rule in the tool that created the report
* `runs[].results[].locations[]`: SonarQube reads only the first item in the array, which must be a physical location:
  * `physicalLocation.artifactLocation.uri`: Path of the file concerned by the issue
  * `physicalLocation.region`: Text range concerned by the issue, defined by the following fields:
    * `startLine`
    * `startColumn` (optional)
    * `endLine` (optional)
    * `endColumn` (optional)

If `startColumn`, `endLine` and `endColumn` are omitted, SonarQube uses the whole of `startLine` as the issue's text range.

{% hint style="info" %}
If any mandatory field is missing, the whole report is ignored and the scanner log records that it was skipped.
{% endhint %}

**Optional fields:**

* `runs[].results[].level`: severity of the issue. The following mapping applies:

| **SARIF 2.1.0 level** | **SonarQube severity** |
| --------------------- | ---------------------- |
| error                 | critical               |
| warning               | major                  |
| note                  | minor                  |
| none                  | info                   |
| `empty` or `null`     | major (default)        |
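A pre-flight check for the mandatory fields and the severity mapping above, so that a missing field is caught before the scanner silently drops the whole file. This is an added example, not SonarQube's own code: it applies the field list and level mapping documented on this page, while the function names and the constructed sample reports are assumptions of this example.

```python
"""Pre-flight check for SARIF files before passing them to SonarQube
through sonar.sarifReportPaths.

Added example, not SonarQube's own code. It applies the mandatory-field list
and the level-to-severity mapping documented on this page; the function
names and the sample reports are assumptions of this example.
"""
import json

# Documented SARIF 2.1.0 level -> SonarQube severity mapping.
LEVEL_TO_SEVERITY = {"error": "critical", "warning": "major",
                     "note": "minor", "none": "info"}
DEFAULT_SEVERITY = "major"  # applied when level is absent, "" or null


def severity_for(level):
    """Severity SonarQube assigns for a result's level (default when unset)."""
    return LEVEL_TO_SEVERITY.get(level, DEFAULT_SEVERITY) if level else DEFAULT_SEVERITY


def check_result(result, path):
    """Problems in one runs[].results[] entry; empty list if it is importable."""
    problems = []
    if not result.get("ruleId"):
        problems.append(f"{path}.ruleId missing")
    if not (result.get("message") or {}).get("text"):
        problems.append(f"{path}.message.text missing")
    locations = result.get("locations") or []
    if not locations:
        problems.append(f"{path}.locations[] empty")
    else:
        # Only locations[0] is read, and it has to be a physical location.
        loc = f"{path}.locations[0].physicalLocation"
        phys = locations[0].get("physicalLocation") or {}
        if not phys:
            problems.append(f"{loc} missing")
        else:
            if not (phys.get("artifactLocation") or {}).get("uri"):
                problems.append(f"{loc}.artifactLocation.uri missing")
            region = phys.get("region") or {}
            if not isinstance(region.get("startLine"), int):
                problems.append(f"{loc}.region.startLine missing")
    level = result.get("level")
    if level and level not in LEVEL_TO_SEVERITY:
        problems.append(f"{path}.level {level!r} is not a SARIF 2.1.0 level")
    return problems


def check_sarif(doc):
    """All problems that would make SonarQube skip this report entirely."""
    problems = []
    if doc.get("version") != "2.1.0":
        problems.append('version must be "2.1.0"')
    runs = doc.get("runs") or []
    if not runs:
        problems.append("runs[] empty")
    for i, run in enumerate(runs):
        if not ((run.get("tool") or {}).get("driver") or {}).get("name"):
            problems.append(f"runs[{i}].tool.driver.name missing")
        for j, result in enumerate(run.get("results") or []):
            problems.extend(check_result(result, f"runs[{i}].results[{j}]"))
    return problems


def load_sarif(path):
    """Load a report, enforcing the UTF-8 encoding SonarQube requires."""
    with open(path, encoding="utf-8") as fh:  # UnicodeDecodeError if not UTF-8
        return json.load(fh)


def summarize(doc):
    """(ruleId, uri, startLine, severity) per result as SonarQube would import it.

    Raises ValueError for a report SonarQube would ignore, since one missing
    field discards the whole file rather than a single result.
    """
    problems = check_sarif(doc)
    if problems:
        raise ValueError("; ".join(problems))
    rows = []
    for run in doc["runs"]:
        for r in run.get("results") or []:
            phys = r["locations"][0]["physicalLocation"]
            rows.append((r["ruleId"], phys["artifactLocation"]["uri"],
                         phys["region"]["startLine"], severity_for(r.get("level"))))
    return rows


# Constructed sample reports (not output of any real tool).
GOOD = json.loads("""{
  "version": "2.1.0",
  "runs": [{
    "tool": {"driver": {"name": "example-linter"}},
    "results": [
      {"ruleId": "no-unused-vars", "level": "error",
       "message": {"text": "'x' is assigned a value but never used."},
       "locations": [{"physicalLocation": {
         "artifactLocation": {"uri": "src/app.js"},
         "region": {"startLine": 12, "startColumn": 5, "endLine": 12, "endColumn": 6}}}]},
      {"ruleId": "eqeqeq",
       "message": {"text": "Expected '===' and instead saw '=='."},
       "locations": [{"physicalLocation": {
         "artifactLocation": {"uri": "src/util.js"}, "region": {"startLine": 3}}}]}
    ]
  }]
}""")

# Same report with the first region emptied: SonarQube would ignore the whole file.
BROKEN = json.loads(json.dumps(GOOD))
BROKEN["runs"][0]["results"][0]["locations"][0]["physicalLocation"]["region"] = {}

if __name__ == "__main__":
    for problem in check_sarif(BROKEN):
        print("PROBLEM:", problem)
```

Run it against each report listed in `sonar.sarifReportPaths` (via `load_sarif`) as a CI step before the scanner runs; the second result in `GOOD` has no `level` and therefore lands as `major`, while the empty region in `BROKEN` is enough to lose all results in that file.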

## Example <a href="#example" id="example"></a>

```json
{
  "version": "2.1.0",
  "$schema": "http://json.schemastore.org/sarif-2.1.0-rtm.5",
  "runs": [
    {
      "tool": {
        "driver": {
          "name": "a test linter",
          "informationUri": "https://www….",
          "version": "8.27.0"
        }
      },
      "results": [
        {
          "level": "error",
          "message": {
            "text": "'toto' is assigned a value but never used."
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "file:///Users/sample/Workspace/Sarif-For-Test/src/simple-file.js"
                },
                "region": {
                  "startLine": 1,
                  "startColumn": 5,
                  "endLine": 1,
                  "endColumn": 9
                }
              }
            }
          ],
          "ruleId": "no-unused-vars"
        }
      ]
    }
  ]
}
```

## Limitations <a href="#limitations" id="limitations"></a>

There are a couple of limitations with importing SARIF issues:

* You can't manage them within SonarQube; for instance, there is no way to mark them as False Positive.
* You can't manage the activation of the rules that raise these issues within SonarQube: external rules aren't visible on the Rules page or reflected in quality profiles, so filtering must happen in the originating tool before the report is produced.
