# Importing issues from SARIF reports

SonarQube supports the standard [Static Analysis Results Interchange Format (SARIF)](https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html) for raising external issues in code. All issues raised in a SARIF report will be considered vulnerabilities in SonarQube.

The imported SARIF files must comply with the [official SARIF format, version 2.1.0](https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html).

## Import <a href="#import" id="import"></a>

The [analysis parameter](https://docs.sonarsource.com/sonarqube-server/10.2/analyzing-source-code/analysis-parameters "mention") `sonar.sarifReportPaths` accepts a comma-delimited list of paths to SARIF reports. The reports must be encoded in UTF-8.

**Mandatory fields for SonarQube:**

* `version` - must be "2.1.0"
* `runs[].tool.driver.name` - name of the tool that created the report
* `runs[].results[].message.text` - message of the external issue
* `runs[].results[].ruleId` - ID of the corresponding rule in the tool that created the report

{% hint style="info" %}
If a mandatory field is missing, the report is ignored (see the corresponding line in the logs).
{% endhint %}

**Optional fields:**

* `runs[].results[].locations[]` - SonarQube only uses the first item in the array, and it must be a physical location.
* `physicalLocation.artifactLocation.uri` - path of the file concerned by the issue
* `physicalLocation.region` - text range concerned by the issue, defined by the following fields:
  * `startLine`
  * `startColumn` (optional)
  * `endLine` (optional)
  * `endColumn` (optional)

If `startColumn`, `endLine`, or `endColumn` is not specified, SonarQube uses the whole line as the text range of the issue.

{% hint style="info" %}
If no location is defined, the issue is raised at the project level.
{% endhint %}

* `runs[].results[].level` - severity of the issue. The following mapping applies:

| **SARIF 2.1.0**   | **SonarQube severity** |
| ----------------- | ---------------------- |
| error             | critical               |
| warning           | major                  |
| note              | minor                  |
| none              | info                   |
| `empty` or `null` | major (default)        |
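Because a single missing mandatory field causes SonarQube to silently drop the whole report, it is worth checking a SARIF log before the scanner runs. The following Python script is an added example and not SonarSource code: it applies exactly the rules listed above (mandatory fields, first physical location only, whole-line widening when the region is incomplete, the level-to-severity mapping with `major` as the fallback) and prints what SonarQube would raise. The embedded sample report, the `demo-linter` tool name and the `src/simple-file.js` path are constructed for the example; the page does not say whether a region with only some of the optional fields is widened, so the script assumes any missing one widens to the whole line.

```python
"""Pre-flight check of a SARIF 2.1.0 log against the fields SonarQube reads.

Added example; not SonarSource code. It applies only the rules stated on the
page: the report is ignored whole if a mandatory field is missing, only the
first location of a result is used and it must be physical, a region missing
startColumn/endLine/endColumn widens to the whole line, and `level` maps to a
SonarQube severity (absent, empty or null -> major).
"""
import json
import sys

# Severity mapping documented on the page.
LEVEL_TO_SEVERITY = {"error": "critical", "warning": "major", "note": "minor", "none": "info"}


def severity_for(level):
    """SonarQube severity for a SARIF level; absent/empty/null falls back to major."""
    return LEVEL_TO_SEVERITY.get(level, "major") if level else "major"


def text_range(region):
    """Normalise a SARIF region to the range SonarQube will highlight."""
    if region is None or "startLine" not in region:
        return None
    # Assumption: any one of the three optional fields missing -> whole line.
    if {"startColumn", "endLine", "endColumn"} - set(region):
        return {"startLine": region["startLine"], "wholeLine": True}
    return {k: region[k] for k in ("startLine", "startColumn", "endLine", "endColumn")}


def validate(sarif):
    """Return a list of problems; an empty list means SonarQube will not drop the report."""
    problems = []
    if sarif.get("version") != "2.1.0":
        problems.append('version must be "2.1.0"')
    for r, run in enumerate(sarif.get("runs") or []):
        if not run.get("tool", {}).get("driver", {}).get("name"):
            problems.append(f"runs[{r}].tool.driver.name is missing")
        for i, res in enumerate(run.get("results") or []):
            where = f"runs[{r}].results[{i}]"
            if not res.get("ruleId"):
                problems.append(f"{where}.ruleId is missing")
            if not res.get("message", {}).get("text"):
                problems.append(f"{where}.message.text is missing")
            level = res.get("level")
            if level and level not in LEVEL_TO_SEVERITY:
                problems.append(f"{where}.level {level!r} is not a SARIF 2.1.0 level")
            locs = res.get("locations") or []
            if locs and "physicalLocation" not in locs[0]:
                problems.append(f"{where}.locations[0] must be a physical location")
    return problems


def summarize(sarif):
    """One record per result, as SonarQube would raise it (first location only)."""
    out = []
    for run in sarif.get("runs") or []:
        for res in run.get("results") or []:
            locs = res.get("locations") or []
            phys = locs[0].get("physicalLocation", {}) if locs else {}
            out.append({
                "rule": res.get("ruleId"),
                "severity": severity_for(res.get("level")),
                # No location at all -> issue raised at project level.
                "file": phys.get("artifactLocation", {}).get("uri") if locs else "<project>",
                "range": text_range(phys.get("region")),
            })
    return out


# Constructed sample: a fully located result, one with a startLine-only region
# and no level, and one with no location at all.
SAMPLE = json.loads("""{
  "version": "2.1.0",
  "runs": [{
    "tool": {"driver": {"name": "demo-linter"}},
    "results": [
      {"ruleId": "no-unused-vars", "level": "error",
       "message": {"text": "'toto' is assigned a value but never used."},
       "locations": [{"physicalLocation": {
         "artifactLocation": {"uri": "src/simple-file.js"},
         "region": {"startLine": 1, "startColumn": 5, "endLine": 1, "endColumn": 9}}}]},
      {"ruleId": "no-eval",
       "message": {"text": "eval() called with non-literal argument."},
       "locations": [{"physicalLocation": {
         "artifactLocation": {"uri": "src/simple-file.js"},
         "region": {"startLine": 7}}}]},
      {"ruleId": "missing-license",
       "message": {"text": "No license file found."}}
    ]
  }]
}""")

# Constructed: the same report with one ruleId removed; SonarQube would ignore it whole.
BROKEN = json.loads(json.dumps(SAMPLE))
del BROKEN["runs"][0]["results"][0]["ruleId"]

if __name__ == "__main__":
    log = json.load(open(sys.argv[1], encoding="utf-8")) if len(sys.argv) > 1 else SAMPLE
    for p in validate(log):
        print("PROBLEM:", p)
    for rec in summarize(log):
        print(rec)
```

Run it as `python sarif_check.py report.sarif` before `sonar-scanner`; any `PROBLEM:` line means the report would be dropped with only a log line to show for it.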

## Example <a href="#example" id="example"></a>

```json
{
  "version": "2.1.0",
  "$schema": "http://json.schemastore.org/sarif-2.1.0-rtm.5",
  "runs": [
    {
      "tool": {
        "driver": {
          "name": "a test linter",
          "informationUri": "https://www….",
          "version": "8.27.0"
        }
      },
      "results": [
        {
          "level": "error",
          "message": {
            "text": "'toto' is assigned a value but never used."
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "file:///Users/sample/Workspace/Sarif-For-Test/src/simple-file.js"
                },
                "region": {
                  "startLine": 1,
                  "startColumn": 5,
                  "endLine": 1,
                  "endColumn": 9
                }
              }
            }
          ],
          "ruleId": "no-unused-vars"
        }
      ]
    }
  ]
}
```

## Limitations <a href="#limitations" id="limitations"></a>

There are a couple of limitations with importing SARIF issues:

* You can’t manage them within SonarQube; for instance, there is no ability to mark them as False Positive.
* You can’t manage the activation of the rules that raise these issues within SonarQube. External rules aren’t visible on the Rules page or reflected in quality profiles.

