This version of the SonarQube documentation is no longer maintained. It relates to a version of SonarQube that is not active.

SARIF reports

SonarQube supports the standard Static Analysis Results Interchange Format (SARIF) for raising external issues in code.

You can import Static Analysis Results Interchange Format (SARIF) reports into SonarQube. The issues will be taken into account by SonarQube in the analysis report, but the rules corresponding to these issues will not be visible on the Rules page nor reflected in quality profiles. This means that the rules that raise external issues must be managed in your third-party tool.

Import process

SonarQube manages the import of a SARIF issue as follows:

  • It assigns the CONVENTIONAL Clean Code attribute and the SECURITY software quality to the issue.

  • It manages the issue severity as follows:

    • If a SARIF severity field is provided at the rule level for the issue, the mapping below is used to retrieve the corresponding SonarQube severity.

      SARIF 2.1.0 severity    SonarQube severity
      --------------------    ------------------
      error                   HIGH
      warning                 MEDIUM
      note                    LOW
      none                    LOW

    • Otherwise, the default MEDIUM severity is applied.

See Clean Code for details about the Clean Code concepts mentioned above.

Setting up the import

To set up the import of SARIF reports into SonarQube:

  1. Prepare your SARIF report files according to the import file specifications below.

  2. On the scanner side, use the analysis parameter sonar.sarifReportPaths to define the list of SARIF report files to be imported during your project analysis. This parameter accepts a comma-delimited list of paths.

Import file specifications

The SARIF files must:

Mandatory fields

version
    Must be set to "2.1.0".

runs[].tool.driver.name
    Name of the tool that created the report.

runs[].results[].message.text
    Message of the external issue.

runs[].results[].ruleId
    Identifier of the corresponding rule in the tool that created the report.

If a mandatory field is missing, the report is ignored (see the corresponding line in the logs).

Optional fields

runs[].results[].locations[]
    SonarQube only uses the first item in the array. It must be a physical location.

    physicalLocation.artifactLocation.uri
        Path of the file concerned by the issue. If no location is defined, the issue is raised at the project level.

    physicalLocation.region
        Text range concerned by the issue, defined by the following fields:
          • startLine
          • startColumn (optional)
          • endLine (optional)
          • endColumn (optional)
        If startColumn, endLine and endColumn are not specified, SonarQube automatically retrieves the full coordinates of the line.

sarifLog.runs[].tool.driver.rules[].defaultConfiguration.level
    Rule’s severity. SonarQube uses this field to determine the issue severity.

sarifLog.runs[].tool.extensions[].rules[].defaultConfiguration.level
    Rule’s severity. SonarQube uses this field to determine the issue severity if the driver field above is not used.

Import file example

{
  "version": "2.1.0",
  "$schema": "http://json.schemastore.org/sarif-2.1.0-rtm.5",
  "runs": [
    {
      "tool": {
        "driver": {
          "name": "a test linter",
          "informationUri": "https://www….",
          "version": "8.27.0"
        }
      },
      "results": [
        {
          "level": "error",
          "message": {
            "text": "'toto' is assigned a value but never used."
          },
          "locations": [
            {
              "physicalLocation": {
                "artifactLocation": {
                  "uri": "file:///Users/sample/Workspace/Sarif-For-Test/src/simple-file.js"
                },
                "region": {
                  "startLine": 1,
                  "startColumn": 5,
                  "endLine": 1,
                  "endColumn": 9
                }
              }
            }
          ],
          "ruleId": "no-unused-vars"
        }
      ]
    }
  ]
}
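The following Python pre-check is an added example, not part of the SonarQube documentation or product: it applies the rules described above to a SARIF report (mandatory fields, first-location handling, rule-level severity mapping with driver rules taking precedence over extension rules) so a report can be checked before it is handed to sonar.sarifReportPaths. The report it parses is a constructed sample; example-linter, example-plugin and the rule ids are made-up names.

```python
import json
# Severity mapping from the table above (SARIF rule-level "level" -> SonarQube severity).
SEVERITY_MAP = {"error": "HIGH", "warning": "MEDIUM", "note": "LOW", "none": "LOW"}
DEFAULT_SEVERITY = "MEDIUM"  # used when the rule carries no defaultConfiguration.level

def rule_levels(run):
    """Map ruleId -> defaultConfiguration.level; extensions first so driver rules override."""
    tool = run.get("tool", {})
    ext_rules = [rule for ext in tool.get("extensions", []) for rule in ext.get("rules", [])]
    return {rule["id"]: rule["defaultConfiguration"]["level"]
            for rule in ext_rules + tool.get("driver", {}).get("rules", [])
            if "id" in rule and rule.get("defaultConfiguration", {}).get("level")}

def check_report(text):
    """Return (errors, issues). Any error means SonarQube ignores the whole report."""
    sarif, errors, issues = json.loads(text), [], []
    if sarif.get("version") != "2.1.0":
        errors.append('version must be "2.1.0"')
    for r, run in enumerate(sarif.get("runs", [])):
        if not run.get("tool", {}).get("driver", {}).get("name"):
            errors.append(f"runs[{r}].tool.driver.name is missing")
        levels = rule_levels(run)
        for i, res in enumerate(run.get("results", [])):
            if not res.get("message", {}).get("text"):
                errors.append(f"runs[{r}].results[{i}].message.text is missing")
            if not res.get("ruleId"):
                errors.append(f"runs[{r}].results[{i}].ruleId is missing")
            # Only the first location is used; no location means a project-level issue.
            phys = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            issues.append({
                "ruleId": res.get("ruleId"),
                "severity": SEVERITY_MAP.get(levels.get(res.get("ruleId")), DEFAULT_SEVERITY),
                "uri": phys.get("artifactLocation", {}).get("uri"),  # None -> project level
                "startLine": phys.get("region", {}).get("startLine")})
    return errors, issues

def loc(uri, line):  # builds a minimal physical location for the constructed sample below
    return [{"physicalLocation": {"artifactLocation": {"uri": uri}, "region": {"startLine": line}}}]

# Constructed sample (not real tool output): a driver rule, an extension rule, and a result whose rule has no metadata and no location.
SAMPLE_REPORT = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "example-linter", "rules": [
                 {"id": "no-unused-vars", "defaultConfiguration": {"level": "warning"}}]},
             "extensions": [{"name": "example-plugin", "rules": [
                 {"id": "plugin/no-eval", "defaultConfiguration": {"level": "error"}}]}]},
    "results": [
        {"ruleId": "no-unused-vars", "message": {"text": "'x' is never used."}, "locations": loc("src/a.js", 3)},
        {"ruleId": "plugin/no-eval", "message": {"text": "eval() called."}, "locations": loc("src/b.js", 7)},
        {"ruleId": "no-rule-metadata", "message": {"text": "Project-level finding."}}]}]})
```

Per the specification above, a level set directly on a result, as in the page's example, is not consulted; only the rule's defaultConfiguration.level feeds the mapping, so results of rules without that metadata get MEDIUM.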
