SARIF reports
SonarQube supports the standard Static Analysis Results Interchange Format (SARIF) for raising external issues in code.
You can import Static Analysis Results Interchange Format (SARIF) reports into SonarQube. The issues will be taken into account by SonarQube in the analysis report, but the rules corresponding to these issues will not be visible on the Rules page nor reflected in quality profiles. This means that the rules that raise external issues must be managed in your third-party tool.
Import process
SonarQube manages the import of a SARIF issue as follows:
It assigns the
CONVENTIONALClean Code attribute and theSECURITYsoftware quality to the issue.It manages the issue’s impact level on the software quality (security) as follows:
If a SARIF
severityfield is provided at the rule level for the issue then the mapping below is used to retrieve the corresponding impact level.
Severity field in SARIF 2.1.0
Impact level in SonarQube
error
HIGH
warning
MEDIUM
note
LOW
none
LOW
Otherwise, the default MEDIUM impact level is applied.
See Introduction for details about the Clean Code concepts mentioned above.
Setting up the import
To set up the import of SARIF reports into SonarQube:
Prepare your SARIF report files according to the import file specifications below.
Use on the scanner side the Analysis parameters
sonar.sarifReportPathsto define the list of SARIF report files to be imported during your project analysis. This parameter accepts a comma-delimited list of paths.
Import file specifications
The SARIF files must:
Be UTF-8 file encoded.
Comply with the official SARIF format, version 2.1.0.
Mandatory fields
Field
Description
version
Must be set to "2.1.0".
runs[].tool.driver.name
Name of the tool that created the report.
runs[].results[].message.text
Message of the external issue.
runs[].results[].ruleId
Identifier of the corresponding rule in the tool that created the report.
Optional fields
Field
Description
runs[].results[].locations[]
SonarQube only uses the first item in the array. It must be a physical location.
physicalLocation.artifactLocation.uri
Path of the file concerned by the issue.
If no location is defined, the issue is raised at the project level.
physicalLocation.region
Text range concerned by the issue. Is defined by the following fields:
• startLine
• startColumn (optional)
• endLine (optional)
• endColumn (optional)
If startColumn, endLine, endColumn are not specified,SonarQube automatically retrieves the full coordinates of the line.
sarifLog.runs[].tool.driver.rules[].defaultConfiguration.level
SonarQube uses this field to determine the issue’s impact level on security.
sarifLog.runs[].tool.extensions[].rules[].defaultConfiguration.level
SonarQube uses this field to determine the issue’s impact level on security if the driver field above is not used.
The sarifLog.runs[].results[].level field which defines the issue’s severity will be ignored by SonarQube.
Import file example
{
"version": "2.1.0",
"$schema": "http://json.schemastore.org/sarif-2.1.0-rtm.5",
"runs": [
{
"tool": {
"driver": {
"name": "a test linter",
"informationUri": "https://www….",
"version": "8.27.0"
}
},
"results": [
{
"level": "error",
"message": {
"text": "'toto' is assigned a value but never used."
},
"locations": [
{
"physicalLocation": {
"artifactLocation": {
"uri": "file:///Users/sample/Workspace/Sarif-For-Test/src/simple-file.js"
},
"region": {
"startLine": 1,
"startColumn": 5,
"endLine": 1,
"endColumn": 9
}
}
}
],
"ruleId": "no-unused-vars"
}
]
}
]
}Last updated
Was this helpful?